Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Match Legitimate Resource Name or Location
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Match Legitimate Resource Name...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Masquerading:  Match Legitimate Resource Name or Location

ID Название
.001 Недействительная подпись кода
.002 Использование символа RLO
.003 Rename Legitimate Utilities
.004 Имитация задачи или службы
.005 Match Legitimate Resource Name or Location
.006 Пробел после имени файла
.007 Двойное расширение файла
.008 Masquerade File Type
.009 Break Process Trees
.010 Masquerade Account Name
.011 Overwrite Process Arguments

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

ID: T1036.005
Относится к технике:  T1036
Тактика(-и): Defense Evasion
Платформы: Containers, ESXi, Linux, Windows, macOS
Источники данных: File: File Metadata, Image: Image Metadata, Process: Process Creation, Process: Process Metadata
Версия: 2.0
Дата создания: 10 Feb 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
EKANS

EKANS has been disguised as update.exe to appear as a valid executable.(Citation: Dragos EKANS)
BLINDINGCAN

BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".(Citation: US-CERT BLINDINGCAN Aug 2020)
Ninja

Ninja has used legitimate looking filenames for its loader including update.dll and x64.dll.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Bumblebee

Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.(Citation: Medium Ali Salem Bumblebee April 2022)
NOKKI

NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.(Citation: Unit 42 NOKKI Sept 2018)
RotaJakiro

RotaJakiro has used the filename `systemd-daemon` in an attempt to appear legitimate.(Citation: netlab360 rotajakiro vs oceanlotus)
Chinoxy

Chinoxy has used the name `eoffice.exe` in attempt to appear as a legitimate file.(Citation: Bitdefender FunnyDream Campaign November 2020)
Misdat

Misdat saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)
ShimRatReporter

ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font.(Citation: FOX-IT May 2016 Mofang)
Ursnif

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.(Citation: TrendMicro Ursnif Mar 2015)
ThreatNeedle

ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.(Citation: Kaspersky ThreatNeedle Feb 2021)
ZLib

ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.(Citation: Cylance Dust Storm)
Felismus

Felismus has masqueraded as legitimate Adobe Content Management System files.(Citation: ATT Felismus)
StrongPity

StrongPity has been bundled with legitimate software installation files for disguise.(Citation: Talos Promethium June 2020)
Nebulae

Nebulae uses functions named StartUserModeBrowserInjection and StopUserModeBrowserInjection indicating that it's trying to imitate chrome_frame_helper.dll.(Citation: Bitdefender Naikon April 2021)
RainyDay

RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.(Citation: Bitdefender Naikon April 2021)
AppleSeed

AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.(Citation: Malwarebytes Kimsuky June 2021)
NETWIRE

NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.(Citation: Red Canary NETWIRE January 2020)
TinyTurla

TinyTurla has been deployed as `w64time.dll` to appear legitimate.(Citation: Talos TinyTurla September 2021)
PyDCrypt

PyDCrypt has dropped DCSrv under the `svchost.exe` name to disk.(Citation: Checkpoint MosesStaff Nov 2021)

J-magic

J-magic can rename itself as “[nfsiod 0]” to masquerade as the local Network File System (NFS) asynchronous I/O server.(Citation: Lumen J-Magic JAN 2025)
OLDBAIT

OLDBAIT installs itself in %ALLUSERPROFILE%\\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."(Citation: FireEye APT28)
Bad Rabbit

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.(Citation: ESET Bad Rabbit)(Citation: Secure List Bad Rabbit)
SslMM

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.(Citation: Baumgartner Naikon 2015)
TEARDROP

TEARDROP files had names that resembled legitimate Window file and directory names.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)
Machete

Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)
DUSTPAN

DUSTPAN is often disguised as a legitimate Windows binary such as `w3wp.exe` or `conn.exe`.(Citation: Google Cloud APT41 2024)
PcShare

PcShare has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client.(Citation: Bitdefender FunnyDream Campaign November 2020)
Cuckoo Stealer

Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)
InvisiMole

InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
QUIETEXIT

QUIETEXIT has attempted to change its name to `cron` upon startup. During incident response, QUIETEXIT samples have been identified that were renamed to blend in with other legitimate files.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
RDAT

RDAT has masqueraded as VMware.exe.(Citation: Unit42 RDAT July 2020)

Skidmap

Skidmap has created a fake rm binary to replace the legitimate Linux binary.(Citation: Trend Micro Skidmap)
TRANSLATEXT

TRANSLATEXT has been named `GoogleTranslate.crx` to masquerade as a legitimate Chrome extension.(Citation: Zscaler Kimsuky TRANSLATEXT)

Raindrop

Raindrop was installed under names that resembled legitimate Windows file and directory names.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Doki

Doki has disguised a file as a Linux kernel module.(Citation: Intezer Doki July 20)
Fysbis

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.(Citation: Fysbis Dr Web Analysis)
IcedID

IcedID has modified legitimate .dll files to include malicious code.(Citation: Trendmicro_IcedID)
MarkiRAT

MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.(Citation: Kaspersky Ferocious Kitten Jun 2021)
DarkComet

DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.(Citation: TrendMicro DarkComet Sept 2014)
DRATzarus

DRATzarus has been named `Flash.exe`, and its dropper has been named `IExplorer`.(Citation: ClearSky Lazarus Aug 2020)
SocGholish

SocGholish has been named `AutoUpdater.js` to mimic legitimate update files.(Citation: SocGholish-update)
Green Lambert

Green Lambert has been disguised as a Growl help file.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)
PUNCHBUGGY

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019)
GoldMax

GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)
PlugX

PlugX has been disguised as legitimate Adobe and PotPlayer files.(Citation: Proofpoint TA416 Europe March 2022)
Bisonal

Bisonal has renamed malicious code to `msacm32.dll` to hide within a legitimate library; earlier versions were disguised as `winhelp`.(Citation: Talos Bisonal Mar 2020)

S-Type

S-Type may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)
Remsec

The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.(Citation: ComputerWeekly Strider)(Citation: Kaspersky ProjectSauron Full Report)
LightNeuron

LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.(Citation: ESET LightNeuron May 2019)
Cuba

Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.(Citation: McAfee Cuba April 2021)

ThiefQuest

ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)
FoggyWeb

FoggyWeb can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, FoggyWeb's loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file.(Citation: MSTIC FoggyWeb September 2021)
Elise

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.(Citation: Lotus Blossom Jun 2015)
Brute Ratel C4

Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.(Citation: Palo Alto Brute Ratel July 2022)
Latrodectus

Latrodectus has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.(Citation: Elastic Latrodectus May 2024)
Saint Bot

Saint Bot has been disguised as a legitimate executable, including as Windows SDK.(Citation: Malwarebytes Saint Bot April 2021)
Chaes

Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL.(Citation: Cybereason Chaes Nov 2020)
Bundlore

Bundlore has disguised a malicious .app file as a Flash Player update.(Citation: MacKeeper Bundlore Apr 2019)
QUADAGENT

QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.(Citation: Unit 42 QUADAGENT July 2018)
TAINTEDSCRIBE

The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)
Metamorfo

Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

PipeMon

PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.(Citation: ESET PipeMon May 2020)
MagicRAT

MagicRAT stores configuration data in files and file paths mimicking legitimate operating system resources.(Citation: Cisco MagicRAT 2022)
KONNI

KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.(Citation: Talos Konni May 2017)
KGH_SPY

KGH_SPY has masqueraded as a legitimate Windows tool.(Citation: Cybereason Kimsuky November 2020)
Ixeshe

Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.(Citation: Trend Micro IXESHE 2012)
Black Basta

The Black Basta dropper has mimicked an application for creating USB bootable drivers.(Citation: Check Point Black Basta October 2022)
NightClub

NightClub has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.(Citation: MoustachedBouncer ESET August 2023)
TRITON

TRITON disguised itself as the legitimate Triconex Trilog application.(Citation: FireEye TRITON 2017)
StrelaStealer

StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.(Citation: IBM StrelaStealer 2024)
Grandoreiro

Grandoreiro has named malicious browser extensions and update files to appear legitimate.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)
Starloader

Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.(Citation: Symantec Sowbug Nov 2017)
MCMD

MCMD has been named Readme.txt to appear legitimate.(Citation: Secureworks MCMD July 2019)
Sibot

Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.(Citation: MSTIC NOBELIUM Mar 2021)
Tarrask

Tarrask has masqueraded as executable files such as `winupdate.exe`, `date.exe`, or `win.exe`.(Citation: Tarrask scheduled task)

GoBear

GoBear is installed through droppers masquerading as legitimate, signed software installers.(Citation: Symantec Troll Stealer 2024)
Shark

Shark binaries have been named `audioddg.pdb` and `Winlangdb.pdb` in order to appear legitimate.(Citation: ClearSky Siamesekitten August 2021)
Bazar

The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)
SUGARDUMP

SUGARDUMP has been named `CrashReporter.exe` to appear as a legitimate Mozilla executable.(Citation: Mandiant UNC3890 Aug 2022)
Ryuk

Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.(Citation: CrowdStrike Ryuk January 2019)
HermeticWiper

HermeticWiper has used the name `postgressql.exe` to mask a malicious payload.(Citation: ESET Hermetic Wizard March 2022)
Pysa

Pysa has executed a malicious executable by naming it svchost.exe.(Citation: CERT-FR PYSA April 2020)
FinFisher

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
OwaAuth

OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\.(Citation: Dell TG-3390)
SUNBURST

SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.(Citation: Microsoft Deep Dive Solorigate January 2021)

REvil

REvil can mimic the names of known executables.(Citation: Picus Sodinokibi January 2020)
Samurai

Samurai has created the directory `%COMMONPROGRAMFILES%\Microsoft Shared\wmi\` to contain DLLs for loading successive stages.(Citation: Kaspersky ToddyCat June 2022)
USBStealer

USBStealer mimics a legitimate Russian program called USB Disk Security.(Citation: ESET Sednit USBStealer 2014)
SUPERNOVA

SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.(Citation: Guidepoint SUPERNOVA Dec 2020)(Citation: Unit42 SUPERNOVA Dec 2020)
Cyclops Blink

Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.(Citation: NCSC Cyclops Blink February 2022)
Daserf

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.(Citation: Symantec Tick Apr 2016)
DanBot

DanBot files have been named `UltraVNC.exe` and `WINVNC.exe` to appear as legitimate VNC tools.(Citation: ClearSky Siamesekitten August 2021)
Calisto

Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.(Citation: Securelist Calisto July 2018)
GoldenSpy

GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.(Citation: Trustwave GoldenSpy June 2020)

Ramsay

Ramsay has masqueraded as a 7zip installer.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

Carberp

Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)
SUNSPOT

SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log.(Citation: CrowdStrike SUNSPOT Implant January 2021)

OutSteel

OutSteel attempts to download and execute Saint Bot to a statically-defined location attempting to mimic svchost: %TEMP%\\svjhost.exe.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
BackConfig

BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.(Citation: Unit 42 BackConfig May 2020)
PowGoop

PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
InnaputRAT

InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.(Citation: ASERT InnaputRAT April 2018)
LookBack

LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.(Citation: Proofpoint LookBack Malware Aug 2019)
Penquin

Penquin has mimicked the Cron binary to hide itself on compromised systems.(Citation: Leonardo Turla Penquin May 2020)
Winnti for Windows

A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.(Citation: Microsoft Winnti Jan 2017)
Troll Stealer

Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
ChChes

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).(Citation: PWC Cloud Hopper Technical Annex April 2017)
ANDROMEDA

ANDROMEDA has been installed to `C:\Temp\TrustedInstaller.exe` to mimic a legitimate Windows installer service.(Citation: Mandiant Suspected Turla Campaign February 2023)
IceApple

IceApple .NET assemblies have used `App_Web_` in their file names to appear legitimate.(Citation: CrowdStrike IceApple May 2022)
KOCTOPUS

KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.(Citation: Arghire LazyScripter)

MechaFlounder

MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.(Citation: Unit 42 MechaFlounder March 2019)
HTTPBrowser

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.(Citation: ZScaler Hacking Team)
Mis-Type

Mis-Type saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)
Octopus

Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)
BADNEWS

BADNEWS attempts to hide its payloads using legitimate filenames.(Citation: PaloAlto Patchwork Mar 2018)
Goopy

Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.(Citation: Cybereason Cobalt Kitty 2017)
Gelsemium

Gelsemium has named malicious binaries `serv.exe`, `winprint.dll`, and `chrome_elf.dll` and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.(Citation: ESET Gelsemium June 2021)
OSX/Shlayer

OSX/Shlayer can masquerade as a Flash Player update.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)
Dtrack

One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.(Citation: CyberBit Dtrack)
StrifeWater

StrifeWater has been named `calc.exe` to appear as a legitimate calculator program.(Citation: Cybereason StrifeWater Feb 2022)
SLOTHFULMEDIA

SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Small Sieve

Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.(Citation: NCSC GCHQ Small Sieve Jan 2022)
HermeticWizard

HermeticWizard has been named `exec_32.dll` to mimic a legitimate MS Outlook .dll.(Citation: ESET Hermetic Wizard March 2022)
APT28

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
Turla

Turla has named components of LunarWeb to mimic Zabbix agent logs.(Citation: ESET Turla Lunar toolset May 2024)
Tropic Trooper

Tropic Trooper has hidden payloads in Flash directories and fake installer files.(Citation: TrendMicro Tropic Trooper May 2020)
Fox Kitten

Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020)
Lazarus Group

Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)(Citation: Qualys LolZarus)
Gamaredon Group

Gamaredon Group has used legitimate process names to hide malware including svchosst.(Citation: Unit 42 Gamaredon February 2022)
APT29

APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.(Citation: SentinelOne NobleBaron June 2021)(Citation: Mandiant APT29 Microsoft 365 2022)
TA2541

TA2541 has used file names to mimic legitimate Windows files or system functionality.(Citation: Proofpoint TA2541 February 2022)
WIRTE

WIRTE has named a first stage dropper `Kaspersky Update Agent` in order to appear legitimate.(Citation: Kaspersky WIRTE November 2021)
Indrik Spider

Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.(Citation: Crowdstrike Indrik November 2018)
Whitefly

Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.(Citation: Symantec Whitefly March 2019)
Darkhotel

Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.(Citation: Microsoft DUBNIUM June 2016)
APT1

The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.(Citation: Mandiant APT1)(Citation: Mandiant APT1 Appendix)
APT39

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)
Transparent Tribe

Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.(Citation: Kaspersky Transparent Tribe August 2020)
MuddyWater

MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.(Citation: FireEye MuddyWater Mar 2018)(Citation: Talos MuddyWater May 2019)(Citation: Anomali Static Kitten February 2021)
Ferocious Kitten

Ferocious Kitten has named malicious files update.exe and loaded them into the compromise host's “Public” folder.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Rocke

Rocke has used shell scripts which download mining executables and saves them with the filename "java".(Citation: Talos Rocke August 2018)
Aquatic Panda

Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.(Citation: Crowdstrike HuntReport 2022)
BRONZE BUTLER

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)
Machete

Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.(Citation: 360 Machete Sep 2020)
SideCopy

SideCopy has used a legitimate DLL file name, `Duser.dll` to disguise a malicious remote access tool.(Citation: MalwareBytes SideCopy Dec 2021)
Poseidon Group

Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.(Citation: Kaspersky Poseidon Group)
Silence

Silence has named its backdoor "WINWORD.exe".(Citation: Group IB Silence Sept 2018)
APT32

APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. (Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)
INC Ransom

INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)
Sidewinder

Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.(Citation: Rewterz Sidewinder COVID-19 June 2020)
Naikon

Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.(Citation: Bitdefender Naikon April 2021)
Carbanak

Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.(Citation: Kaspersky Carbanak)
OilRig

OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.(Citation: Symantec Crambus OCT 2023)
TEMP.Veles

TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.(Citation: FireEye TRITON 2019)

LuminousMoth

LuminousMoth has disguised their exfiltration malware as `ZoomVideoApp.exe`.(Citation: Kaspersky LuminousMoth July 2021)
Chimera

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.(Citation: Cycraft Chimera April 2020)
FIN7

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.(Citation: CrowdStrike Carbon Spider August 2021)
BackdoorDiplomacy

BackdoorDiplomacy has dropped implants in folders named for legitimate software.(Citation: ESET BackdoorDiplomacy Jun 2021)
Volt Typhoon

Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
FIN13

FIN13 has masqueraded WAR files to look like legitimate packages such as, wsexample.war, wsexamples.com, examples.war, and exampl3s.war.(Citation: Sygnia Elephant Beetle Jan 2022)
Kimsuky

Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.(Citation: Kimsuky Malwarebytes)
Sandworm Team

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Velvet Ant

Velvet Ant used a malicious DLL, `iviewers.dll`, that mimics the legitimate "OLE/COM Object Viewer" within Windows.(Citation: Sygnia VelvetAnt 2024A)
Magic Hound

Magic Hound has used `dllhost.exe` to mask Fast Reverse Proxy (FRP) and `MicrosoftOutLookUpdater.exe` for Plink.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)
menuPass

menuPass has been seen changing malicious files to appear legitimate.(Citation: District Court of NY APT10 Indictment December 2018)
PROMETHIUM

PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
TeamTNT

TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)
ToddyCat

ToddyCat has used the name `debug.exe` for malware components.(Citation: Kaspersky ToddyCat June 2022)
Ke3chang

Ke3chang has dropped their malware into legitimate installed software paths including: `C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe`, `C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe`, `C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe`, and `C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe`.(Citation: Microsoft NICKEL December 2021)
Sowbug

Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.(Citation: Symantec Sowbug Nov 2017)
APT5

APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a `KB.zip` pattern.(Citation: Mandiant Pulse Secure Update May 2021)
Storm-1811

Storm-1811 has disguised Cobalt Strike installers as a malicious DLL masquerading as part of a legitimate 7zip installation package.(Citation: rapid7-email-bombing)
Patchwork

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as “Net Monitor."(Citation: Cymmetria Patchwork) They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.(Citation: Volexity Patchwork June 2018)
Mustang Panda

Mustang Panda has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise PlugX, and a file named `OneDrive.exe` to load a Cobalt Strike payload.(Citation: Recorded Future REDDELTA July 2020)
Ember Bear

Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to `java` in victim environments.(Citation: CISA GRU29155 2024)
RedCurl

RedCurl mimicked legitimate file names and scheduled tasks, e.g. ` MicrosoftCurrentupdatesCheck` and `MdMMaintenenceTask` to mask malicious files and scheduled tasks.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)
Akira

Akira has used legitimate names and locations for files to evade defenses.(Citation: Cisco Akira Ransomware OCT 2024)
APT42

APT42 has masqueraded the VINETHORN payload as a VPN application.(Citation: Mandiant APT42-charms)

Mustard Tempest

Mustard Tempest has used the filename `AutoUpdater.js` to mimic legitimate update files and has also used the Cyrillic homoglyph characters С `(0xd0a1)` and а `(0xd0b0)`, to produce the filename `Сhrome.Updаte.zip`.(Citation: Red Canary SocGholish March 2024)(Citation: SocGholish-update)
Earth Lusca

Earth Lusca used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.(Citation: TrendMicro EarthLusca 2022)
Blue Mockingbird

Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.(Citation: RedCanary Mockingbird May 2020)
APT41

APT41 attempted to masquerade their files as popular anti-virus software.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
UNC2452

UNC2452 renamed a version of AdFind to sqlceip.exe or csrss.exe in an attempt to appear as the SQL Server Telemetry Client or Client Service Runtime Process, respectively.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)
admin@338

admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe(Citation: FireEye admin@338)

Контрмеры
Контрмера Описание
Restrict File and Directory Permissions

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files. Enforce Least Privilege Permissions: - Remove unnecessary write permissions on sensitive files and directories. - Use file ownership and groups to control access for specific roles. Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs. Harden File Shares: - Disable anonymous access to shared folders. - Enforce NTFS permissions for shared folders on Windows. Example: Set permissions to restrict write access to critical files, such as system executables (e.g., `/bin` or `/sbin` on Linux). Use tools like `chown` and `chmod` to assign file ownership and limit access. On Linux, apply: `chmod 750 /etc/sensitive.conf` `chown root:admin /etc/sensitive.conf` File Integrity Monitoring (FIM): - Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions. Audit File System Access: - Enable auditing to track permission changes or unauthorized access attempts. - Use auditd (Linux) or Event Viewer (Windows) to log activities. Restrict Startup Directories: - Configure permissions to prevent unauthorized writes to directories like `C:\ProgramData\Microsoft\Windows\Start Menu`. Example: Restrict write access to critical directories like `/etc/`, `/usr/local/`, and Windows directories such as `C:\Windows\System32`. - On Windows, use icacls to modify permissions: `icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F` - On Linux, monitor permissions using tools like `lsattr` or `auditd`.
Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures: Application Control: - Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`) Script Blocking: - Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`) Executable Blocking: - Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories. Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
Code Signing

Code Signing is a security process that ensures the authenticity and integrity of software by digitally signing executables, scripts, and other code artifacts. It prevents untrusted or malicious code from executing by verifying the digital signatures against trusted sources. Code signing protects against tampering, impersonation, and distribution of unauthorized or malicious software, forming a critical defense against supply chain and software exploitation attacks. This mitigation can be implemented through the following measures: Enforce Signed Code Execution: - Implementation: Configure operating systems (e.g., Windows with AppLocker or Linux with Secure Boot) to allow only signed code to execute. - Use Case: Prevent the execution of malicious PowerShell scripts by requiring all scripts to be signed with a trusted certificate. Vendor-Signed Driver Enforcement: - Implementation: Enable kernel-mode code signing to ensure that only drivers signed by trusted vendors can be loaded. - Use Case: A malicious driver attempting to modify system memory fails to load because it lacks a valid signature. Certificate Revocation Management: - Implementation: Use Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs) to block certificates associated with compromised or deprecated code. - Use Case: A compromised certificate used to sign a malicious update is revoked, preventing further execution of the software. Third-Party Software Verification: - Implementation: Require software from external vendors to be signed with valid certificates before deployment. - Use Case: An organization only deploys signed and verified third-party software to prevent supply chain attacks. Script Integrity in CI/CD Pipelines: - Implementation: Integrate code signing into CI/CD pipelines to sign and verify code artifacts before production release. - Use Case: A software company ensures that all production builds are signed, preventing tampered builds from reaching customers. **Key Components of Code Signing** - Digital Signature Verification: Verifies the authenticity of code by ensuring it was signed by a trusted entity. - Certificate Management: Uses Public Key Infrastructure (PKI) to manage signing certificates and revocation lists. - Enforced Policy for Unsigned Code: Prevents the execution of unsigned or untrusted binaries and scripts. - Hash Integrity Check: Confirms that code has not been altered since signing by comparing cryptographic hashes.

Обнаружение

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update) In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.

Ссылки

  1. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  2. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  3. Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025.
  4. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  5. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  6. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  7. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  8. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  9. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  10. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  11. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  12. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  13. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  14. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  15. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  16. Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
  17. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  18. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  19. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  20. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  21. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  22. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  23. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
  24. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  25. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  26. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  27. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  28. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  29. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  30. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  31. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  32. Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
  33. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  34. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
  35. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  36. FinFisher. (n.d.). Retrieved September 12, 2024.
  37. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
  38. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  39. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  40. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  41. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  42. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  43. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  44. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  45. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  46. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  47. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  48. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  49. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  50. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  51. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  52. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
  53. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  54. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
  55. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  56. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  57. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  58. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  59. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
  60. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  61. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  62. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  63. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  64. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
  65. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  66. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  67. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  68. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  69. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  70. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  71. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  72. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  73. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  74. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  75. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  76. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  77. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
  78. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  79. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
  80. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  81. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  82. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.
  83. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  84. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  85. Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
  86. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  87. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  88. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  89. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  90. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  91. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  92. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  93. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  94. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  95. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  96. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  97. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  98. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  99. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  100. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  101. Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
  102. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  103. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  104. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  105. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  106. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  107. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  108. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  109. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  110. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  111. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  112. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  113. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  114. Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
  115. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  116. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  117. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  118. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  119. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  120. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  121. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
  122. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  123. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  124. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  125. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  126. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  127. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  128. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  129. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  130. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  131. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  132. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  133. Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
  134. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  135. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  136. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  137. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  138. Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.
  139. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  140. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  141. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  142. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  143. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  144. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  145. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  146. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  147. Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.
  148. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  149. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  150. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  151. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  152. Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
  153. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  154. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  155. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  156. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  157. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  158. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  159. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  160. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  161. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  162. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  163. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  164. Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.
  165. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  166. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  167. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  168. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  169. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  170. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  171. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  172. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  173. Warwick Ashford. (2016, August 8). Strider cyber attack group deploying malware for espionage. Retrieved January 10, 2024.
  174. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  175. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  176. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  177. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
  178. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  179. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  180. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  181. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  182. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  183. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  184. Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.
  185. Ionut Arghire. (2021, February 24). New ‘LazyScripter’ Hacking Group Targets Airlines. Retrieved January 10, 2024.
  186. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  187. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  188. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  189. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  190. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  191. Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved November 17, 2024.
  192. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  193. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  194. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  195. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  196. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  197. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  198. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  199. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  200. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  201. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  202. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  203. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  204. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
  205. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  206. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  207. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  208. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  209. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  210. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  211. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  212. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  213. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  214. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  215. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  216. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  217. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  218. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  219. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  220. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.