Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Командная оболочка Windows
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Командная оболочка Windows
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Command and Scripting Interpreter:  Командная оболочка Windows

ID Название
.001 PowerShell
.002 AppleScript
.003 Командная оболочка Windows
.004 Командная оболочка Unix
.005 Visual Basic
.006 Python
.007 JavaScript/JScript
.008 Интерпретаторы командной строки сетевых устройств
.009 Cloud API
.010 AutoHotKey & AutoIT
.011 Lua
.012 Hypervisor CLI

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows) Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.

ID: T1059.003
Относится к технике:  T1059
Тактика(-и): Execution
Платформы: Windows
Источники данных: Command: Command Execution, Process: Process Creation
Версия: 1.5
Дата создания: 09 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
TrickBot

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.(Citation: TrendMicro Trickbot Feb 2019)
PowerDuke

PowerDuke runs cmd.exe /c and sends the output to its C2.(Citation: Volexity PowerDuke November 2016)
BLINDINGCAN

BLINDINGCAN has executed commands via cmd.exe.(Citation: US-CERT BLINDINGCAN Aug 2020)
Pikabot

Pikabot can execute Windows shell commands via cmd.exe.(Citation: Zscaler Pikabot 2023)
Wiarp

Wiarp creates a backdoor through which remote attackers can open a command line interface.(Citation: Symantec Wiarp May 2012)
RCSession

RCSession can use `cmd.exe` for execution on compromised hosts.(Citation: Trend Micro DRBControl February 2020)
Spark

Spark can use cmd.exe to run commands.(Citation: Unit42 Molerat Mar 2020)

Bumblebee

Bumblebee can use `cmd.exe` to drop and run files.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)
MURKYTOP

MURKYTOP uses the command-line interface.(Citation: FireEye Periscope March 2018)
Exaramel for Windows

Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.(Citation: ESET TeleBots Oct 2018)
Covenant

Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.(Citation: Github Covenant)
Proxysvc

Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c " > %temp%\PM* .tmp 2>&1".(Citation: McAfee GhostSecret)
Orz

Orz can execute shell commands.(Citation: Proofpoint Leviathan Oct 2017) Orz can execute commands with JavaScript.(Citation: Proofpoint Leviathan Oct 2017)
SEASHARPEE

SEASHARPEE can execute commands on victims.(Citation: FireEye APT34 Webinar Dec 2017)
POWRUNER

POWRUNER can execute commands from its C2 server.(Citation: FireEye APT34 Dec 2017)
RobbinHood

RobbinHood uses cmd.exe on the victim's computer.(Citation: CarbonBlack RobbinHood May 2019)
TDTESS

TDTESS provides a reverse shell on the victim.(Citation: ClearSky Wilted Tulip July 2017)
SharpStage

SharpStage can execute arbitrary commands with the command line.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)
Sardonic

Sardonic has the ability to run `cmd.exe` or other interactive processes on a compromised computer.(Citation: Symantec FIN8 Jul 2023)
Misdat

Misdat is capable of providing shell functionality to the attacker to execute commands.(Citation: Cylance Dust Storm)
adbupd

adbupd can run a copy of cmd.exe.(Citation: Microsoft PLATINUM April 2016)
Emissary

Emissary has the capability to create a remote shell and execute specified commands.(Citation: Lotus Blossom Dec 2015)
KEYMARBLE

KEYMARBLE can execute shell commands using cmd.exe.(Citation: US-CERT KEYMARBLE Aug 2018)
SILENTTRINITY

SILENTTRINITY can use `cmd.exe` to enable lateral movement using DCOM.(Citation: GitHub SILENTTRINITY Modules July 2019)
HAWKBALL

HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.(Citation: FireEye HAWKBALL Jun 2019)
TAMECAT

TAMECAT has used `cmd.exe` to run the `curl` command.(Citation: Mandiant APT42-untangling)

RansomHub

RansomHub can use `cmd.exe` to execute multiple commands on infected hosts.(Citation: Group-IB RansomHub FEB 2025)
ZLib

ZLib has the ability to execute shell commands.(Citation: Cylance Dust Storm)
RedLeaves

RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)
Felismus

Felismus uses command line for execution.(Citation: Forcepoint Felismus Mar 2017)
Zeus Panda

Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.(Citation: GDATA Zeus Panda June 2017)
CARROTBAT

CARROTBAT has the ability to execute command line arguments on a compromised host.(Citation: Unit 42 CARROTBAT January 2020)
GravityRAT

GravityRAT executes commands remotely on the infected host.(Citation: Talos GravityRAT)
WEBC2

WEBC2 can open an interactive command shell.(Citation: Mandiant APT1)
Bankshot

Bankshot uses the command-line interface to execute arbitrary commands.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)
SharpDisco

SharpDisco can use `cmd.exe` to execute plugins and to send command output to specified SMB shares.(Citation: MoustachedBouncer ESET August 2023)
xCaon

xCaon has a command to start an interactive shell.(Citation: Checkpoint IndigoZebra July 2021)
PLAINTEE

PLAINTEE uses cmd.exe to execute commands on the victim’s machine.(Citation: Rancor Unit42 June 2018)
Pony

Pony has used batch scripts to delete itself after execution.(Citation: Malwarebytes Pony April 2016)

Nebulae

Nebulae can use CMD to execute a process.(Citation: Bitdefender Naikon April 2021)
AuditCred

AuditCred can open a reverse shell on the system to execute commands.(Citation: TrendMicro Lazarus Nov 2018)
Kasidet

Kasidet can execute commands using cmd.exe.(Citation: Zscaler Kasidet)
Hannotog

Hannotog can execute various `cmd.exe /c %s` commands.(Citation: Symantec Bilbug 2022)
OceanSalt

OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.(Citation: McAfee Oceansalt Oct 2018) OceanSalt has been executed via malicious macros.(Citation: McAfee Oceansalt Oct 2018)
RainyDay

RainyDay can use the Windows Command Shell for execution.(Citation: Bitdefender Naikon April 2021)
NETWIRE

NETWIRE can issue commands using cmd.exe.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)
TinyTurla

TinyTurla has been installed using a .bat file.(Citation: Talos TinyTurla September 2021)
PyDCrypt

PyDCrypt has used `cmd.exe` for execution.(Citation: Checkpoint MosesStaff Nov 2021)
EnvyScout

EnvyScout can use cmd.exe to execute malicious files on compromised hosts.(Citation: MSTIC Nobelium Toolset May 2021)
GreyEnergy

GreyEnergy uses cmd.exe to execute itself in-memory.(Citation: ESET GreyEnergy Oct 2018)
Emotet

Emotet has used cmd.exe to run a PowerShell script. (Citation: Picus Emotet Dec 2018)
SNUGRIDE

SNUGRIDE is capable of executing commands and spawning a reverse shell.(Citation: FireEye APT10 April 2017)
Crimson

Crimson has the ability to execute commands with the COMSPEC environment variable.(Citation: Kaspersky Transparent Tribe August 2020)
DUSTTRAP

DUSTTRAP can execute commands via `cmd.exe`.(Citation: Google Cloud APT41 2024)
Empire

Empire has modules for executing scripts.(Citation: Github PowerShell Empire)
Turian

Turian can create a remote shell and execute commands using cmd.(Citation: ESET BackdoorDiplomacy Jun 2021)
BADHATCH

BADHATCH can use `cmd.exe` to execute commands on a compromised host.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Action RAT

Action RAT can use `cmd.exe` to execute commands on an infected host.(Citation: MalwareBytes SideCopy Dec 2021)
PingPull

PingPull can use `cmd.exe` to run various commands as a reverse shell.(Citation: Unit 42 PingPull Jun 2022)
WellMess

WellMess can execute command line scripts received from C2.(Citation: PWC WellMess July 2020)
PcShare

PcShare can execute `cmd` commands on a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)
DropBook

DropBook can execute arbitrary shell commands on the victims' machines.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

Woody RAT

Woody RAT can execute commands using `cmd.exe`.(Citation: MalwareBytes WoodyRAT Aug 2022)
Mafalda

Mafalda can execute shell commands using `cmd.exe`.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
Squirrelwaffle

Squirrelwaffle has used `cmd.exe` for execution.(Citation: Netskope Squirrelwaffle Oct 2021)
Umbreon

Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet(Citation: Umbreon Trend Micro)
AuTo Stealer

AuTo Stealer can use `cmd.exe` to execute a created batch file.(Citation: MalwareBytes SideCopy Dec 2021)
ODAgent

ODAgent can execute a specified command line passed via API.(Citation: ESET OilRig Downloaders DEC 2023)
FlawedAmmyy

FlawedAmmyy has used `cmd` to execute commands on a compromised host.(Citation: Korean FSI TA505 2020)
SUGARUSH

SUGARUSH has used `cmd` for execution on an infected host.(Citation: Mandiant UNC3890 Aug 2022)
HOPLIGHT

HOPLIGHT can launch cmd.exe to execute commands on the system.(Citation: US-CERT HOPLIGHT Apr 2019)

WastedLocker

WastedLocker has used cmd to execute commands on the system.(Citation: NCC Group WastedLocker June 2020)
InvisiMole

InvisiMole can launch a remote shell to execute commands.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
Volgmer

Volgmer can execute commands on the victim's machine.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)
WhisperGate

WhisperGate can use `cmd.exe` to execute commands.(Citation: Unit 42 WhisperGate January 2022)
RDAT

RDAT has executed commands using cmd.exe /c.(Citation: Unit42 RDAT July 2020)

Okrum

Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.(Citation: ESET Okrum July 2019)
SamSam

SamSam uses custom batch scripts to execute some of its components.(Citation: Sophos SamSam Apr 2018)
Conti

Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.(Citation: CarbonBlack Conti July 2020)(Citation: DFIR Conti Bazar Nov 2021)
Raspberry Robin

Raspberry Robin uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.(Citation: RedCanary RaspberryRobin 2022)
Megazord

Megazord can execute multiple commands post infection via `cmd.exe`.(Citation: Palo Alto Howling Scorpius DEC 2024)
TEXTMATE

TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.(Citation: FireEye FIN7 March 2017)(Citation: Cisco DNSMessenger March 2017)
Siloscape

Siloscape can run cmd through an IRC channel.(Citation: Unit 42 Siloscape Jun 2021)
BlackCat

BlackCat can execute commands on a compromised network with the use of `cmd.exe`.(Citation: Microsoft BlackCat Jun 2022)
UBoatRAT

UBoatRAT can start a command shell.(Citation: PaloAlto UBoatRAT Nov 2017)
Nightdoor

Nightdoor creates a cmd.exe shell to send and receive commands from the command and control server via open pipes.(Citation: Symantec Daggerfly 2024)
MarkiRAT

MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Kazuar

Kazuar uses cmd.exe to execute commands on the victim’s machine.(Citation: Unit 42 Kazuar May 2017)
NavRAT

NavRAT leverages cmd.exe to perform discovery techniques.(Citation: Talos NavRAT May 2018) NavRAT loads malicious shellcode and executes it in memory.(Citation: Talos NavRAT May 2018)
DarkComet

DarkComet can launch a remote shell to execute commands on the victim’s machine.(Citation: Malwarebytes DarkComet March 2018)
NETEAGLE

NETEAGLE allows adversaries to execute shell commands on the infected host.(Citation: FireEye APT30)
Ragnar Locker

Ragnar Locker has used cmd.exe and batch scripts to execute commands.(Citation: Sophos Ragnar May 2020)
Lucifer

Lucifer can issue shell commands to download and execute additional payloads.(Citation: Unit 42 Lucifer June 2020)
zwShell

zwShell can launch command-line shells.(Citation: McAfee Night Dragon)
Rising Sun

Rising Sun has executed commands using `cmd.exe /c “ > <%temp%>\AM. tmp” 2>&1`.(Citation: McAfee Sharpshooter December 2018)

ShimRat

ShimRat can be issued a command shell function from the C2.(Citation: FOX-IT May 2016 Mofang)
Flagpro

Flagpro can use `cmd.exe` to execute commands received from C2.(Citation: NTT Security Flagpro new December 2021)
Hi-Zor

Hi-Zor has the ability to create a reverse shell.(Citation: Fidelis INOCNATION)
China Chopper

China Chopper's server component is capable of opening a command terminal.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools)
CALENDAR

CALENDAR has a command to run cmd.exe to execute commands.(Citation: Mandiant APT1 Appendix)
GoldMax

GoldMax can spawn a command shell, and execute native commands.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)
KeyBoy

KeyBoy can launch interactive shells for communicating with the victim machine.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013)
Anchor

Anchor has used cmd.exe to run its self deletion routine.(Citation: Cyberreason Anchor December 2019)
Pteranodon

Pteranodon can use `cmd.exe` for execution on victim systems.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022)
DarkTortilla

DarkTortilla can use `cmd.exe` to add registry keys for persistence.(Citation: Secureworks DarkTortilla Aug 2022)
RunningRAT

RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.(Citation: McAfee Gold Dragon)
Babuk

Babuk has the ability to use the command line to control execution on compromised hosts.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)
DarkWatchman

DarkWatchman can use `cmd.exe` to execute commands.(Citation: Prevailion DarkWatchman 2021)
BlackMould

BlackMould can run cmd.exe with parameters.(Citation: Microsoft GALLIUM December 2019)
PlugX

PlugX allows actors to spawn a reverse shell on a victim.(Citation: Dell TG-3390)(Citation: CIRCL PlugX March 2013)
Bisonal

Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
MultiLayer Wiper

MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs.(Citation: Unit42 Agrius 2023)
S-Type

S-Type has provided the ability to execute shell commands on a compromised host.(Citation: Cylance Dust Storm)
SeaDuke

SeaDuke is capable of executing commands.(Citation: Unit 42 SeaDuke 2015)
LightNeuron

LightNeuron is capable of executing commands via cmd.exe.(Citation: ESET LightNeuron May 2019)
Peppy

Peppy has the ability to execute shell commands.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Cuba

Cuba has used cmd.exe /c and batch files for execution.(Citation: McAfee Cuba April 2021)

Clambling

Clambling can use cmd.exe for command execution.(Citation: Trend Micro DRBControl February 2020)
Akira

Akira executes from the Windows command line and can take various arguments for execution.(Citation: Kersten Akira 2023)
DarkGate

DarkGate uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads.(Citation: Trellix Darkgate 2023) DarkGate has also used `cmd.exe` to create a remote shell.(Citation: Rapid7 BlackBasta 2024)

Carbanak

Carbanak has a command to create a reverse shell.(Citation: FireEye CARBANAK June 2017)
XTunnel

XTunnel has been used to execute remote commands.(Citation: Crowdstrike DNC June 2016)
HOMEFRY

HOMEFRY uses a command-line interface.(Citation: FireEye Periscope March 2018)
Caterpillar WebShell

Caterpillar WebShell can run commands on the compromised asset with CMD functions.(Citation: ClearSky Lebanese Cedar Jan 2021)
Netwalker

Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.(Citation: Sophos Netwalker May 2020)
USBferry

USBferry can execute various Windows commands.(Citation: TrendMicro Tropic Trooper May 2020)

Brute Ratel C4

Brute Ratel C4 can use cmd.exe for execution.(Citation: Palo Alto Brute Ratel July 2022)
TSCookie

TSCookie has the ability to execute shell commands on the infected host.(Citation: JPCert TSCookie March 2018)
Latrodectus

The Latrodectus command handler can use `cmdexe` to run multiple discovery commands.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Saint Bot

Saint Bot has used `cmd.exe` and `.bat` scripts for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Chaes

Chaes has used cmd to execute tasks on the system.(Citation: Cybereason Chaes Nov 2020)

CharmPower

The C# implementation of the CharmPower command execution module can use cmd.(Citation: Check Point APT35 CharmPower January 2022)
TYPEFRAME

TYPEFRAME can uninstall malware components using a batch script.(Citation: US-CERT TYPEFRAME June 2018) TYPEFRAME can execute commands using a shell.(Citation: US-CERT TYPEFRAME June 2018)
Remcos

Remcos can launch a remote command line to execute commands on the victim’s machine.(Citation: Fortinet Remcos Feb 2017)
KOMPROGO

KOMPROGO is capable of creating a reverse shell.(Citation: FireEye APT32 May 2017)
QUADAGENT

QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.(Citation: Unit 42 QUADAGENT July 2018)
TAINTEDSCRIBE

TAINTEDSCRIBE can enable Windows CLI access and execute files.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)
Uroburos

Uroburos has the ability to use the command line for execution on the targeted system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Out1

Out1 can use native command line for execution.(Citation: Trend Micro Muddy Water March 2021)
Metamorfo

Metamorfo has used cmd.exe /c to execute files.(Citation: Medium Metamorfo Apr 2020)

Trojan.Karagany

Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.(Citation: Secureworks Karagany July 2019)
Bandook

Bandook is capable of spawning a Windows command shell.(Citation: EFF Manul Aug 2016)(Citation: CheckPoint Bandook Nov 2020)
MagicRAT

MagicRAT allows for the execution of arbitrary commands on the victim system.(Citation: Cisco MagicRAT 2022)
KONNI

KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

DnsSystem

DnsSystem can use `cmd.exe` for execution.(Citation: Zscaler Lyceum DnsSystem June 2022)
MoleNet

MoleNet can execute commands via the command line utility.(Citation: Cybereason Molerats Dec 2020)
JHUHUGIT

JHUHUGIT uses a .bat file to execute a .dll.(Citation: Talos Seduploader Oct 2017)
KGH_SPY

KGH_SPY has the ability to set a Registry key to run a cmd.exe command.(Citation: Cybereason Kimsuky November 2020)
Ixeshe

Ixeshe is capable of executing commands via cmd.(Citation: Trend Micro IXESHE 2012)
Micropsia

Micropsia creates a command-line shell using cmd.exe.(Citation: Radware Micropsia July 2018)
Black Basta

Black Basta can use `cmd.exe` to enable shadow copy deletion.(Citation: Deep Instinct Black Basta August 2022)
OopsIE

OopsIE uses the command prompt to execute commands on the victim's machine.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)
4H RAT

4H RAT has the capability to create a remote shell.(Citation: CrowdStrike Putter Panda)
RogueRobin

RogueRobin uses Windows Script Components.(Citation: Unit42 DarkHydrus Jan 2019)(Citation: Unit 42 DarkHydrus July 2018)
DealersChoice

DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.(Citation: Sofacy DealersChoice)
SQLRat

SQLRat has used SQL to execute JavaScript and VB scripts on the host system.(Citation: Flashpoint FIN 7 March 2019)
MegaCortex

MegaCortex has used .cmd scripts on the victim's system.(Citation: IBM MegaCortex)

StreamEx

StreamEx has the ability to remotely execute commands.(Citation: Cylance Shell Crew Feb 2017)
BoxCaon

BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable.(Citation: Checkpoint IndigoZebra July 2021)
SDBbot

SDBbot has the ability to use the command shell to execute commands on a compromised host.(Citation: Proofpoint TA505 October 2019)
Mosquito

Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.(Citation: ESET Turla Mosquito Jan 2018)
RTM

RTM uses the command line and rundll32.exe to execute.(Citation: ESET RTM Feb 2017)
Hikit

Hikit has the ability to create a remote shell and run given commands.(Citation: FireEye HIKIT Rootkit Part 2)
StrelaStealer

StrelaStealer has included BAT files in some instances for installation.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)
Sakula

Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.(Citation: Dell Sakula)
MCMD

MCMD can launch a console process (cmd.exe) with redirected standard input and output.(Citation: Secureworks MCMD July 2019)
Tarrask

Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.(Citation: Tarrask scheduled task)
Shark

Shark has the ability to use `CMD` to execute commands.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
Bazar

Bazar can launch cmd.exe to perform reconnaissance commands.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)
RATANKBA

RATANKBA uses cmd.exe to execute commands.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)
hcdLoader

hcdLoader provides command-line access to the compromised system.(Citation: Dell Lateral Movement)
MoonWind

MoonWind can execute commands via an interactive command shell.(Citation: Palo Alto MoonWind March 2017) MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.(Citation: Palo Alto MoonWind March 2017)
Ryuk

Ryuk has used cmd.exe to create a Registry entry to establish persistence.(Citation: CrowdStrike Ryuk January 2019)
HermeticWiper

HermeticWiper can use `cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1` to deploy on an infected system.(Citation: ESET Hermetic Wizard March 2022)
ABK

ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.(Citation: Trend Micro Tick November 2019)
ccf32

ccf32 has used `cmd.exe` for archiving data and deleting files.(Citation: Bitdefender FunnyDream Campaign November 2020)
Kapeka

Kapeka allows for arbitrary Windows command execution.(Citation: WithSecure Kapeka 2024)
LockBit 2.0

LockBit 2.0 can use the Windows command shell for multiple post-compromise actions on objective.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)
Zebrocy

Zebrocy uses cmd.exe to execute commands on the system.(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

Cobalt Strike

Cobalt Strike uses a command-line interface to interact with systems.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: Trend Micro Black Basta October 2022)
Cobalt Strike

Cobalt Strike uses a command-line interface to interact with systems.(Citation: Cobalt Strike TTPs Dec 2017)
SampleCheck5000

SampleCheck5000 can call cmd.exe to execute C2 command line strings.(Citation: ESET OilRig Campaigns Sep 2023)(Citation: ESET OilRig Downloaders DEC 2023)
EvilBunny

EvilBunny has an integrated scripting engine to download and execute Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)
Cobian RAT

Cobian RAT can launch a remote command shell interface for executing commands.(Citation: Zscaler Cobian Aug 2017)
HotCroissant

HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.(Citation: Carbon Black HotCroissant April 2020)
ServHelper

ServHelper can execute shell commands against cmd.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019)
JCry

JCry has used cmd.exe to launch PowerShell.(Citation: Carbon Black JCry May 2019)

REvil

REvil can use the Windows command line to delete volume shadow copies and disable recovery.(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)
Samurai

Samurai can use a remote command module for execution via the Windows command line.(Citation: Kaspersky ToddyCat June 2022)
Milan

Milan can use `cmd.exe` for discovery actions on a targeted system.(Citation: ClearSky Siamesekitten August 2021)
OilBooster

OilBooster has the ability to execute shell commands and exfiltrate the results.(Citation: ESET OilRig Downloaders DEC 2023)
Taidoor

Taidoor can copy cmd.exe into the system temp folder.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.(Citation: Symantec Darkmoon Aug 2005)
Seasalt

Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.(Citation: Mandiant APT1 Appendix)
NanoCore

NanoCore can open a remote command-line interface and execute commands.(Citation: PaloAlto NanoCore Feb 2016) NanoCore uses JavaScript files.(Citation: Cofense NanoCore Mar 2018)
PLEAD

PLEAD has the ability to execute shell commands on the compromised host.(Citation: JPCert PLEAD Downloader June 2018)
IPsec Helper

IPsec Helper can run arbitrary commands passed to it through cmd.exe.(Citation: SentinelOne Agrius 2021)
Daserf

Daserf can execute shell commands.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)
Cardinal RAT

Cardinal RAT can execute commands.(Citation: PaloAlto CardinalRat Apr 2017)
DanBot

DanBot has the ability to execute arbitrary commands via `cmd.exe`.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)
BISCUIT

BISCUIT has a command to launch a command shell on the system.(Citation: Mandiant APT1 Appendix)
Pisloader

Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.(Citation: Palo Alto DNS Requests)
GoldenSpy

GoldenSpy can execute remote commands via the command-line interface.(Citation: Trustwave GoldenSpy June 2020)

Gold Dragon

Gold Dragon uses cmd.exe to execute commands for discovery.(Citation: McAfee Gold Dragon)
RGDoor

RGDoor uses cmd.exe to execute commands on the victim’s machine.(Citation: Unit 42 RGDoor Jan 2018)
cmd

cmd is used to execute programs and other actions at the command-line interface.(Citation: TechNet Cmd)
HARDRAIN

HARDRAIN uses cmd.exe to execute netshcommands.(Citation: US-CERT HARDRAIN March 2018)
Revenge RAT

Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.(Citation: Cofense RevengeRAT Feb 2019)
FunnyDream

FunnyDream can use `cmd.exe` for execution on remote hosts.(Citation: Bitdefender FunnyDream Campaign November 2020)
ROADSWEEP

ROADSWEEP can open cmd.exe to enable command execution.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)
More_eggs

More_eggs has used cmd.exe for execution.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: ESET EvilNum July 2020)
TinyZBot

TinyZBot supports execution from the command-line.(Citation: Cylance Cleaver)
OutSteel

OutSteel has used `cmd.exe` to scan a compromised host for specific file extensions.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
BackConfig

BackConfig can download and run batch files to execute commands on a compromised host.(Citation: Unit 42 BackConfig May 2020)
DEADEYE

DEADEYE can run `cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll` to combine separated sections of code into a single DLL prior to execution.(Citation: Mandiant APT41)
Koadic

Koadic can open an interactive command-shell to perform command line functions on victim machines. Koadic performs most of its operations using Windows Script Host (Jscript) and to run arbitrary shellcode.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)
InnaputRAT

InnaputRAT launches a shell to execute commands on the victim’s machine.(Citation: ASERT InnaputRAT April 2018)
GrimAgent

GrimAgent can use the Windows Command Shell to execute commands, including its own removal.(Citation: Group IB GrimAgent July 2021)
LookBack

LookBack executes the cmd.exe command.(Citation: Proofpoint LookBack Malware Aug 2019)
Clop

Clop can use cmd.exe to help execute commands on the system.(Citation: Cybereason Clop Dec 2020)

Lokibot

Lokibot has used cmd /c commands embedded within batch scripts.(Citation: Talos Lokibot Jan 2021)

Egregor

Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.(Citation: JoeSecurity Egregor 2020)(Citation: Cybereason Egregor Nov 2020)

PoetRAT

PoetRAT has called cmd through a Word document macro.(Citation: Talos PoetRAT October 2020)
FELIXROOT

FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)
ZxShell

ZxShell can launch a reverse command shell.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)(Citation: Secureworks BRONZEUNION Feb 2019)
CoinTicker

CoinTicker executes a bash script to establish a reverse shell.(Citation: CoinTicker 2019)
BabyShark

BabyShark has used cmd.exe to execute commands.(Citation: Unit42 BabyShark Feb 2019)

BONDUPDATER

BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.(Citation: Palo Alto OilRig Sep 2018)
Troll Stealer

Troll Stealer can create and execute Windows batch scripts.(Citation: S2W Troll Stealer 2024)
BLACKCOFFEE

BLACKCOFFEE has the capability to create a reverse shell.(Citation: FireEye APT17)
httpclient

httpclient opens cmd.exe on the victim.(Citation: CrowdStrike Putter Panda)
Meteor

Meteor can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts.(Citation: Check Point Meteor Aug 2021)
njRAT

njRAT can launch a command shell interface for executing commands.(Citation: Fidelis njRAT June 2013)
Maze

The Maze encryption process has used batch scripts with various commands.(Citation: FireEye Maze May 2020)(Citation: Sophos Maze VM September 2020)
QuasarRAT

QuasarRAT can launch a remote shell to execute commands on the victim’s machine.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018)
ComRAT

ComRAT has used cmd.exe to execute commands.(Citation: ESET ComRAT May 2020)
TURNEDUP

TURNEDUP is capable of creating a reverse shell.(Citation: FireEye APT33 Sept 2017)
Manjusaka

Manjusaka can execute arbitrary commands passed to it from the C2 controller via `cmd.exe /c`.(Citation: Talos Manjusaka 2022)
JPIN

JPIN can use the command-line utility cacls.exe to change file permissions.(Citation: Microsoft PLATINUM April 2016)
SideTwist

SideTwist can execute shell commands on a compromised host.(Citation: Check Point APT34 April 2021)
KOCTOPUS

KOCTOPUS has used `cmd.exe` and batch files for execution.(Citation: MalwareBytes LazyScripter Feb 2021)
MechaFlounder

MechaFlounder has the ability to run commands on a compromised host.(Citation: Unit 42 MechaFlounder March 2019)
HTTPBrowser

HTTPBrowser is capable of spawning a reverse shell on a victim.(Citation: Dell TG-3390)
Mis-Type

Mis-Type has used `cmd.exe` to run commands on a compromised host.(Citation: Cylance Dust Storm)
LunarWeb

LunarWeb can run shell commands using a BAT file with a name matching `%TEMP%\<⁠random_9_alnum_chars>.batfile` or through cmd.exe with the `/c` and `/U` option for Unicode output.(Citation: ESET Turla Lunar toolset May 2024)
Dipsind

Dipsind can spawn remote shells.(Citation: Microsoft PLATINUM April 2016)
STARWHALE

STARWHALE has the ability to execute commands via `cmd.exe`.(Citation: Mandiant UNC3313 Feb 2022)
MirageFox

MirageFox has the capability to execute commands using cmd.exe.(Citation: APT15 Intezer June 2018)
DownPaper

DownPaper uses the command line.(Citation: ClearSky Charming Kitten Dec 2017)
CozyCar

A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.(Citation: F-Secure CozyDuke)
Kevin

Kevin can use a renamed image of `cmd.exe` for execution.(Citation: Kaspersky Lyceum October 2021)
ECCENTRICBANDWAGON

ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.(Citation: CISA EB Aug 2020)
BADNEWS

BADNEWS is capable of executing commands via cmd.exe.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)
Linfo

Linfo creates a backdoor through which remote attackers can start a remote shell.(Citation: Symantec Linfo May 2012)
Goopy

Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.(Citation: Cybereason Cobalt Kitty 2017)

Remexi

Remexi silently executes received commands with cmd.exe.(Citation: Securelist Remexi Jan 2019)
Astaroth

Astaroth spawns a CMD process to execute commands. (Citation: Cybereason Astaroth Feb 2019)
QakBot

QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)
SYSCON

SYSCON has the ability to execute commands through cmd on a compromised host.(Citation: Unit 42 CARROTBAT January 2020)
Gelsemium

Gelsemium can use a batch script to delete itself.(Citation: ESET Gelsemium June 2021)
jRAT

jRAT has command line access.(Citation: Kaspersky Adwind Feb 2016)
Helminth

Helminth can provide a remote shell. One version of Helminth uses batch scripting.(Citation: Palo Alto OilRig May 2016)
BBK

BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.(Citation: Trend Micro Tick November 2019)
Denis

Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)
Comnie

Comnie executes BAT scripts.(Citation: Palo Alto Comnie)
PHOREAL

PHOREAL is capable of creating reverse shell.(Citation: FireEye APT32 May 2017)
Lizar

Lizar has a command to open the command-line on the infected system.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)

Dtrack

Dtrack has used cmd.exe to add a persistent service.(Citation: CyberBit Dtrack)
H1N1

H1N1 kills and disables services by using cmd.exe.(Citation: Cisco H1N1 Part 2)
Seth-Locker

Seth-Locker can execute commands via the command line shell.(Citation: Trend Micro Ransomware February 2021)
LoudMiner

LoudMiner used a batch script to run the Linux virtual machine as a service.(Citation: ESET LoudMiner June 2019)
BACKSPACE

Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.(Citation: FireEye APT30)
UPPERCUT

UPPERCUT uses cmd.exe to execute commands on the victim’s machine.(Citation: FireEye APT10 Sept 2018)
ADVSTORESHELL

ADVSTORESHELL can create a remote shell and run a given command.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)
StrifeWater

StrifeWater can execute shell commands using `cmd.exe`.(Citation: Cybereason StrifeWater Feb 2022)
Mivast

Mivast has the capability to open a remote shell and run basic commands.(Citation: Symantec Backdoor.Mivast)
HiddenWasp

HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.(Citation: Intezer HiddenWasp Map 2019)
WarzoneRAT

WarzoneRAT can use `cmd.exe` to execute malicious code.(Citation: Check Point Warzone Feb 2020)
SLOTHFULMEDIA

SLOTHFULMEDIA can open a command line to execute commands.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Small Sieve

Small Sieve can use `cmd.exe` to execute commands on a victim's system.(Citation: NCSC GCHQ Small Sieve Jan 2022)
HermeticWizard

HermeticWizard can use `cmd.exe` for execution on compromised hosts.(Citation: ESET Hermetic Wizard March 2022)
Frankenstein

Frankenstein has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.(Citation: Talos Frankenstein June 2019)
APT28

An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.(Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads.(Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)
Turla

Turla RPC backdoors have used cmd.exe to execute commands.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)
Tropic Trooper

Tropic Trooper has used Windows command scripts.(Citation: TrendMicro Tropic Trooper May 2020)

Operation Wocao

Operation Wocao has spawned a new cmd.exe process to execute commands.(Citation: FoxIT Wocao December 2019)

Fox Kitten

Fox Kitten has used cmd.exe likely as a password changing mechanism.(Citation: CISA AA20-259A Iran-Based Actor September 2020)
Lazarus Group

Lazarus Group malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: Qualys LolZarus) A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)
Gamaredon Group

Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)
APT29

APT29 used cmd.exe to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)
Indrik Spider

Indrik Spider has used batch scripts on victim's machines.(Citation: Crowdstrike Indrik November 2018)(Citation: Mandiant_UNC2165)
Darkhotel

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015)
APT1

APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.(Citation: Mandiant APT1)
APT38

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.(Citation: FireEye APT38 Oct 2018) Additionally, APT38 has used batch scripts.(Citation: 1 - appv)

MuddyWater

MuddyWater has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018)
Leviathan

Leviathan uses a backdoor known as BADFLICK that is is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.(Citation: Proofpoint Leviathan Oct 2017).(Citation: FireEye Periscope March 2018)
Dragonfly 2.0

Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)
Aquatic Panda

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.(Citation: CrowdStrike AQUATIC PANDA December 2021)
BRONZE BUTLER

BRONZE BUTLER has used batch scripts and the command-line interface for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)
Machete

Machete has used batch files to initiate additional downloads of malicious files.(Citation: 360 Machete Sep 2020)
Honeybee

Several commands are supported by the Honeybee's implant via the command-line interface and there’s also a utility to execute any custom command on an infected endpoint.(Citation: McAfee Honeybee) Honeybee used batch scripting.(Citation: McAfee Honeybee)
ZIRCONIUM

ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.(Citation: Zscaler APT31 Covid-19 October 2020)
BlackByte

BlackByte executed ransomware using the Windows command shell.(Citation: FBI BlackByte 2022)
Silence

Silence has used Windows command-line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
Nomadic Octopus

Nomadic Octopus used cmd.exe /c within a malicious macro.(Citation: ESET Nomadic Octopus 2018)
Wizard Spider

Wizard Spider has used `cmd.exe` to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021)
Threat Group-3390

Threat Group-3390 has used command-line interfaces for execution.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Unit42 Emissary Panda May 2019)
APT32

APT32 has used cmd.exe for execution.(Citation: Cybereason Cobalt Kitty 2017)

Saint Bear

Saint Bear initial loaders will also drop a malicious Windows batch file, available via open source GitHub repositories, that disables Microsoft Defender functionality.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Metador

Metador has used the Windows command line to execute commands.(Citation: SentinelLabs Metador Sept 2022)
Higaisa

Higaisa used cmd.exe for execution.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
Dragonfly

Dragonfly has used various types of scripting to perform operations, including batch scripts.(Citation: US-CERT TA18-074A)
INC Ransom

INC Ransom has used `cmd.exe` to launch malicious payloads.(Citation: Huntress INC Ransom Group August 2023)
OilRig

OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018) OilRig has used batch scripts.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018)
APT37

APT37 has used the command-line interface.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)
Chimera

Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021)
FIN7

FIN7 used the command prompt to launch commands on the victim’s machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: Mandiant FIN7 Apr 2022)
Threat Group-1314

Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.(Citation: Dell TG-1314)
Volt Typhoon

Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

FIN13

FIN13 has leveraged `xp_cmdshell` and Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the ‘xp_cmdshell’ SQL procedure to execute remote commands on internal MS-SQL servers.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Kimsuky

Kimsuky has executed Windows commands by using `cmd` and running batch scripts.(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)
Cinnamon Tempest

Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.(Citation: Microsoft Ransomware as a Service)
Sandworm Team

Sandworm Team has run the xp_cmdshell command in MS-SQL.(Citation: Dragos Crashoverride 2018)

APT18

APT18 uses cmd.exe to execute commands on the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)
Magic Hound

Magic Hound has used the command-line interface for code execution.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)
menuPass

menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.(Citation: PWC Cloud Hopper April 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)(Citation: FireEye APT10 Sept 2018) menuPass has used malicious macros embedded inside Office documents to execute files.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)
TeamTNT

TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.(Citation: ATT TeamTNT Chimaera September 2020)
ToddyCat

ToddyCat has used .bat scripts and `cmd` for execution on compromised hosts.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Ke3chang

Ke3chang has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong)
Sowbug

Sowbug has used command line during its intrusions.(Citation: Symantec Sowbug Nov 2017)
APT5

APT5 has used cmd.exe for execution on compromised systems.(Citation: Mandiant Pulse Secure Update May 2021)
Storm-1811

Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)
Patchwork

Patchwork ran a reverse shell with Meterpreter.(Citation: Cymmetria Patchwork) Patchwork used JavaScript code and .SCT files on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)
Mustang Panda

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)
Ember Bear

Ember Bear had used `cmd.exe` and Windows Script Host (wscript) to execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
RedCurl

RedCurl has used the Windows Command Prompt to execute commands.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl)
Play

Play has used a batch script to remove indicators of its presence on compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)
FIN10

FIN10 has executed malicious .bat files containing PowerShell commands.(Citation: FireEye FIN10 June 2017)
TA577

TA577 has used BAT files in malware execution chains.(Citation: Latrodectus APR 2024)
Gorgon Group

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.(Citation: Unit 42 Gorgon Group Aug 2018)
Agrius

Agrius uses ASPXSpy web shells to enable follow-on command execution via cmd.exe.(Citation: SentinelOne Agrius 2021)
APT3

An APT3 downloader uses the Windows command "cmd.exe" /C whoami. The group also uses a tool to execute commands on remote computers.(Citation: FireEye Operation Double Tap)(Citation: Symantec Buckeye)
Winter Vivern

Winter Vivern distributed Windows batch scripts disguised as virus scanners to prompt download of malicious payloads using built-in system tools.(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023)
TA551

TA551 has used cmd.exe to execute commands.(Citation: Unit 42 TA551 Jan 2021)
GALLIUM

GALLIUM used the Windows command shell to execute commands.(Citation: Cybereason Soft Cell June 2019)
Blue Mockingbird

Blue Mockingbird has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)
FIN6

FIN6 has used kill.bat script to disable security tools.(Citation: FireEye FIN6 Apr 2019)
Cobalt Group

Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.(Citation: Morphisec Cobalt Gang Oct 2018) The group has used an exploit toolkit known as Threadkit that launches .bat files.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)
APT41

APT41 used cmd.exe /c to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019) APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)
Dark Caracal

Dark Caracal has used macros in Word documents that would download a second stage if executed.(Citation: Lookout Dark Caracal Jan 2018)
UNC2452

UNC2452 used cmd.exe to execute commands on remote machines.(Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)
Suckfly

Several tools used by Suckfly have been command-line driven.(Citation: Symantec Suckfly May 2016)
FIN8

FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) FIN8 has also executed commands remotely via `cmd.exe`.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: Symantec FIN8 Jul 2023)
TA505

TA505 has executed commands using cmd.exe.(Citation: Trend Micro TA505 June 2019)
HAFNIUM

HAFNIUM has used `cmd.exe` to execute commands on the victim's machine.(Citation: Rapid7 HAFNIUM Mar 2021)
LazyScripter

LazyScripter has used batch files to deploy open-source and multi-stage RATs.(Citation: MalwareBytes LazyScripter Feb 2021)
admin@338

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.(Citation: FireEye admin@338)
Rancor

Rancor has used cmd.exe to execute commmands.(Citation: Rancor Unit42 June 2018)

Контрмеры
Контрмера Описание
Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures: Application Control: - Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`) Script Blocking: - Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`) Executable Blocking: - Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories. Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Обнаружение

Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Ссылки

  1. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  2. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  3. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  4. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
  5. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  6. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.
  7. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  8. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  9. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  10. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  11. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  12. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  13. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  14. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  15. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  16. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  17. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  18. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  19. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  20. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  21. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
  22. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  23. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  24. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  25. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
  26. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  27. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  28. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  29. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
  30. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  31. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  32. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  33. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  34. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  35. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
  36. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  37. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024..
  38. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  39. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  40. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  41. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  42. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  43. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  44. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  45. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  46. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  47. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
  48. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  49. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  50. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  51. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  52. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  53. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  54. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  55. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  56. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  57. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  58. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  59. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  60. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  61. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  62. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  63. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  64. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  65. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  66. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
  67. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  68. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  69. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  70. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  71. Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.
  72. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  73. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  74. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  75. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  76. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  77. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  78. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  79. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  80. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved November 17, 2024.
  81. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  82. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  83. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved November 17, 2024.
  84. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  85. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  86. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  87. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  88. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  89. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  90. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  91. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  92. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  93. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  94. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  95. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  96. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  97. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  98. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
  99. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  100. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  101. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  102. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  103. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  104. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  105. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  106. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  107. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  108. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  109. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  110. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  111. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
  112. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
  113. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  114. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  115. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  116. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  117. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  118. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
  119. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  120. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
  121. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  122. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  123. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  124. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  125. Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
  126. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  127. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  128. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  129. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  130. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  131. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  132. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  133. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  134. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  135. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  136. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  137. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  138. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
  139. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  140. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  141. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  142. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  143. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  144. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  145. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  146. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  147. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  148. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  149. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  150. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  151. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  152. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  153. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  154. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  155. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  156. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  157. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
  158. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  159. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  160. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  161. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  162. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  163. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  164. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  165. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  166. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  167. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
  168. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  169. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  170. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  171. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  172. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  173. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  174. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  175. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  176. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  177. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  178. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  179. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  180. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  181. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  182. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  183. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  184. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
  185. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  186. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  187. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  188. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  189. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  190. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  191. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  192. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  193. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  194. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  195. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  196. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  197. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  198. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  199. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  200. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  201. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  202. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  203. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  204. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  205. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  206. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  207. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  208. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  209. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  210. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  211. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  212. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  213. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  214. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  215. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  216. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  217. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  218. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  219. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  220. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  221. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  222. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  223. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  224. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  225. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  226. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  227. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  228. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
  229. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  230. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  231. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  232. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  233. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  234. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  235. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  236. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  237. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  238. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  239. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  240. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  241. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  242. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  243. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  244. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  245. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  246. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  247. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  248. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  249. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  250. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  251. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  252. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  253. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  254. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  255. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  256. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  257. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  258. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  259. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
  260. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  261. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  262. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  263. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  264. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  265. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  266. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  267. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  268. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  269. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  270. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  271. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  272. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  273. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024.
  274. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  275. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  276. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  277. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  278. Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
  279. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  280. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  281. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  282. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
  283. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  284. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  285. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  286. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  287. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  288. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
  289. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  290. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  291. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  292. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  293. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  294. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  295. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  296. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  297. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  298. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  299. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom. Retrieved January 24, 2025.
  300. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  301. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  302. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  303. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  304. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  305. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  306. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  307. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved November 17, 2024.
  308. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  309. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  310. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  311. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  312. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  313. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  314. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  315. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  316. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024.
  317. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  318. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  319. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  320. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  321. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  322. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  323. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  324. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  325. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  326. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  327. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  328. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  329. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  330. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  331. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  332. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  333. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  334. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  335. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  336. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
  337. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  338. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  339. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  340. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  341. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  342. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  343. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  344. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  345. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  346. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  347. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  348. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  349. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  350. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  351. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  352. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  353. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  354. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  355. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.
  356. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  357. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  358. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  359. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  360. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  361. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  362. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  363. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  364. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  365. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  366. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  367. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  368. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  369. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  370. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  371. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  372. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
  373. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  374. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  375. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  376. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  377. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  378. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  379. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  380. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
  381. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  382. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
  383. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  384. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  385. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  386. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  387. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  388. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  389. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  390. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  391. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  392. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  393. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  394. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  395. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024.
  396. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  397. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  398. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  399. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  400. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  401. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  402. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  403. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  404. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  405. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  406. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  407. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  408. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  409. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  410. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  411. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  412. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  413. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  414. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
  415. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  416. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  417. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  418. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  419. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  420. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  421. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  422. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  423. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  424. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  425. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  426. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.