Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage personal data information systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS, and banking security systems.
SECURITM is also a place where security teams exchange experience and work products.

Indicator Removal: File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in Command and Scripting Interpreter functions include `del` on Windows, `rm` or `unlink` on Linux and macOS, and `rm` on ESXi.

ID: T1070.004
Sub-technique of: T1070
Tactic(s): Defense Evasion
Platforms: ESXi, Linux, Windows, macOS
Data Sources: Command: Command Execution, File: File Deletion
Version: 1.2
Created: 31 Jan 2020
Last Modified: 15 Apr 2025
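The detection side of the two data sources listed above, as an added example that is not part of this page or of ATT&CK: a small Python rule set over constructed command-execution and file-deletion records that flags the built-in delete verbs named in the description, the ping-delay-then-delete batch pattern and secure-wipe tools (SDelete) that appear in the procedure examples below, and a process deleting its own image. The record formats, host names, paths and rule names are assumptions made for this example.

```python
"""T1070.004 (Indicator Removal: File Deletion) detection sketch over constructed telemetry.

Added example, not the page's or ATT&CK's own code. It covers the two data sources the page
lists (Command: Command Execution, File: File Deletion) and flags patterns from its procedure
examples: built-in delete commands, ping-delayed batch self-deletion, secure-wipe tools, and
a process deleting its own executable through the file API.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Delete verbs named on the page (del/rmdir, rm/unlink) plus PowerShell's Remove-Item.
DELETE_VERBS = {"del", "erase", "rmdir", "rd", "rm", "unlink", "remove-item", "ri"}
WIPE_TOOLS = {"sdelete", "sdelete64", "shred"}  # SDelete is cited on the page

@dataclass
class CommandEvent:
    host: str
    image: str          # process that executed the command line
    parent_image: str   # its parent (often the dropper that wants to vanish)
    command_line: str

@dataclass
class FileDeleteEvent:
    host: str
    image: str   # process that performed the deletion
    target: str  # path of the deleted file

@dataclass
class Finding:
    host: str
    rule: str
    detail: str

def _is_flag(tok: str) -> bool:
    # '-rf', '--force' and Windows switches like '/f'; '/tmp/x' is a path, not a flag
    return re.fullmatch(r"-{1,2}[\w-]+|/[A-Za-z]{1,2}", tok) is not None

def _verb(tok: str) -> str:
    """Lower-cased basename of a command token without '.exe'; flags yield ''."""
    if _is_flag(tok):
        return ""
    name = re.split(r"[\\/]", tok)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def _segments(command_line: str) -> List[List[str]]:
    """Split on shell operators (& && | || ;) and tokenize each part, honouring quotes."""
    parts = re.split(r"\s*(?:&&|\|\||&|;|\|)\s*", command_line)
    return [[t.strip('"') for t in re.findall(r'"[^"]*"|\S+', p)] for p in parts if p.strip()]

def _delete_targets(seg: List[str]) -> Optional[List[str]]:
    """Operands of the first delete verb in the segment, or None if it has none."""
    for i, tok in enumerate(seg):
        if _verb(tok) in DELETE_VERBS:
            return [t for t in seg[i + 1:] if not _is_flag(t)]
    return None

def _same_path(a: str, b: str) -> bool:
    return a.lower().replace("/", "\\") == b.lower().replace("/", "\\")

def check_command(ev: CommandEvent) -> List[Finding]:
    found: List[Finding] = []
    ping_delay = False
    for seg in _segments(ev.command_line):
        verbs = {_verb(t) for t in seg}
        if "ping" in verbs and any(t.lower() in ("-n", "-w") for t in seg):
            ping_delay = True  # the sleep that lets the dropper exit before it is deleted
        if verbs & WIPE_TOOLS:
            found.append(Finding(ev.host, "secure_wipe", " ".join(seg)))
        targets = _delete_targets(seg)
        if targets is None:
            continue
        found.append(Finding(ev.host, "builtin_delete", " ".join(seg)))
        if ping_delay:
            found.append(Finding(ev.host, "delayed_self_delete_pattern", ev.command_line))
        for t in targets:
            if _same_path(t, ev.parent_image) or _same_path(t, ev.image):
                found.append(Finding(ev.host, "self_delete", t))
    return found

def check_file_delete(ev: FileDeleteEvent) -> List[Finding]:
    """API-level deletions (DeleteFileW, unlink) leave no command line; use file telemetry."""
    return [Finding(ev.host, "self_delete", ev.target)] if _same_path(ev.target, ev.image) else []

def run(events: Iterable[Union[CommandEvent, FileDeleteEvent]]) -> List[Finding]:
    return [f for ev in events
            for f in (check_command(ev) if isinstance(ev, CommandEvent) else check_file_delete(ev))]

# Constructed sample telemetry; hosts and paths are invented for the example.
SAMPLE_EVENTS = [
    CommandEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Users\u\AppData\Local\Temp\stage1.exe",
                 r'cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & del /f /q "C:\Users\u\AppData\Local\Temp\stage1.exe"'),
    CommandEvent("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r"sdelete64.exe -p 3 C:\ProgramData\out.zip"),
    CommandEvent("srv01", "/bin/bash", "/usr/sbin/sshd", "rm -rf /tmp/.x && unlink /tmp/run.sh"),
    CommandEvent("ws03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "dir C:\\ & echo done"),
    FileDeleteEvent("ws04", r"C:\Users\u\Downloads\update.exe", r"C:\Users\u\Downloads\update.exe"),
    FileDeleteEvent("ws05", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\report.txt"),
]
```

Running `run(SAMPLE_EVENTS)` yields seven findings: three for the ping-delayed self-deletion on ws01, one secure-wipe hit, two plain deletions on srv01 and one API-level self-deletion; the benign `dir` and `.txt` events produce none.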

Procedure Examples

Name Description
PowerDuke

PowerDuke has a command to write random data across a file and delete it.(Citation: Volexity PowerDuke November 2016)

BLINDINGCAN

BLINDINGCAN has deleted itself and associated artifacts from victim machines.(Citation: US-CERT BLINDINGCAN Aug 2020)

RCSession

RCSession can remove files from a targeted system.(Citation: Profero APT27 December 2020)

Bumblebee

Bumblebee can uninstall its loader through the use of a `Sdl` command.(Citation: Proofpoint Bumblebee April 2022)

MURKYTOP

MURKYTOP has the capability to delete local files.(Citation: FireEye Periscope March 2018)

RDFSNIFFER

RDFSNIFFER has the capability of deleting local files.(Citation: FireEye FIN7 Oct 2019)

NICECURL

NICECURL has a function to remove artifacts.(Citation: Mandiant APT42-untangling)

Proxysvc

Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file.(Citation: McAfee GhostSecret)

NOKKI

NOKKI can delete files to cover tracks.(Citation: Unit 42 NOKKI Sept 2018)

Backdoor.Oldrea

Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.(Citation: Symantec Dragonfly)

Stuxnet

Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

VersaMem

VersaMem deleted files related to initial installation such as temporary files related to the PID of the main web process.(Citation: Lumen Versa 2024)

TDTESS

TDTESS creates then deletes log files during installation of itself as a service.(Citation: ClearSky Wilted Tulip July 2017)

COATHANGER

COATHANGER removes files from victim environments following use in multiple instances.(Citation: NCSC-NL COATHANGER Feb 2024)

HALFBAKED

HALFBAKED can delete a specified file.(Citation: FireEye FIN7 April 2017)

WindTail

WindTail has the ability to receive and execute a self-delete command.(Citation: objective-see windtail2 jan 2019)

Misdat

Misdat is capable of deleting the backdoor file.(Citation: Cylance Dust Storm)

Exaramel for Linux

Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.(Citation: ANSSI Sandworm January 2021)

KEYMARBLE

KEYMARBLE has the capability to delete files off the victim’s machine.(Citation: US-CERT KEYMARBLE Aug 2018)

SILENTTRINITY

SILENTTRINITY can remove files from the compromised host.(Citation: GitHub SILENTTRINITY Modules July 2019)

HAWKBALL

HAWKBALL has the ability to delete files.(Citation: FireEye HAWKBALL Jun 2019)

Ursnif

Ursnif has deleted data staged in tmp files after exfiltration.(Citation: TrendMicro Ursnif Mar 2015)

RansomHub

RansomHub has the ability to self-delete.(Citation: Group-IB RansomHub FEB 2025)

RedLeaves

RedLeaves can delete specified files.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Zeus Panda

Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its tracks.(Citation: GDATA Zeus Panda June 2017)

CARROTBAT

CARROTBAT has the ability to delete downloaded files from a compromised host.(Citation: Unit 42 CARROTBAT November 2018)

Bankshot

Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.(Citation: McAfee Bankshot)

StrongPity

StrongPity can delete previously exfiltrated files from the compromised host.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

Pony

Pony has used scripts to delete itself after execution.(Citation: Malwarebytes Pony April 2016)

Nebulae

Nebulae has the ability to delete files and directories.(Citation: Bitdefender Naikon April 2021)

AuditCred

AuditCred can delete files from the system.(Citation: TrendMicro Lazarus Nov 2018)

UPSTYLE

UPSTYLE removes `bootstrap.min.css` after parsing command and control instructions, restoring the file to its original state.(Citation: Volexity UPSTYLE 2024)

OceanSalt

OceanSalt can delete files from the system.(Citation: McAfee Oceansalt Oct 2018)

RainyDay

RainyDay has the ability to uninstall itself by deleting its service and files.(Citation: Bitdefender Naikon April 2021)

AppleSeed

AppleSeed can delete files from a compromised host after they are exfiltrated.(Citation: Malwarebytes Kimsuky June 2021)

PyDCrypt

PyDCrypt will remove all created artifacts such as dropped executables.(Citation: Checkpoint MosesStaff Nov 2021)

GreyEnergy

GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.(Citation: ESET GreyEnergy Oct 2018)

Gomir

Gomir deletes its original executable and terminates its original process after creating a systemd service.(Citation: Symantec Troll Stealer 2024)

Aria-body

Aria-body has the ability to delete files and directories on compromised hosts.(Citation: CheckPoint Naikon May 2020)

BOLDMOVE

BOLDMOVE can remove files on victim systems.(Citation: Google Cloud BOLDMOVE 2023)

Crimson

Crimson has the ability to delete files from a compromised host.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

BADHATCH

BADHATCH has the ability to delete PowerShell scripts from a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)

Machete

Once a file is uploaded, Machete will delete it from the machine.(Citation: ESET Machete July 2019)

Prikormka

After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.(Citation: ESET Operation Groundbait)

PcShare

PcShare has deleted its files and components from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)

Woody RAT

Woody RAT has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`.(Citation: MalwareBytes WoodyRAT Aug 2022)

ShrinkLocker

ShrinkLocker can delete itself depending on various checks performed during execution.(Citation: Kaspersky ShrinkLocker 2024)

Hildegard

Hildegard has deleted scripts after execution.(Citation: Unit 42 Hildegard Malware)

SombRAT

SombRAT has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.(Citation: BlackBerry CostaRicto November 2020)

ODAgent

ODAgent can delete payloads and files used to pass C2 commands from remotely hosted cloud accounts.(Citation: ESET OilRig Downloaders DEC 2023)

BlackByte 2.0 Ransomware

BlackByte 2.0 Ransomware deletes itself following device encryption.(Citation: Microsoft BlackByte 2023)

FlawedAmmyy

FlawedAmmyy can execute batch scripts to delete files.(Citation: Korean FSI TA505 2020)

GuLoader

GuLoader can delete its executable from the AppData\Local\Temp directory on the compromised host.(Citation: Unit 42 NETWIRE April 2020)

ProLock

ProLock can remove files containing its payload after they are executed.(Citation: Group IB Ransomware September 2020)

InvisiMole

InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

P.A.S. Webshell

P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.(Citation: ANSSI Sandworm January 2021)

Apostle

Apostle writes batch scripts to disk, such as system.bat and remover.bat, that perform various anti-analysis and anti-forensic tasks, before finally deleting themselves at the end of execution. Apostle attempts to delete itself after encryption or wiping operations are complete and before shutting down the victim machine.(Citation: SentinelOne Agrius 2021)

Volgmer

Volgmer can delete files and itself after infection to avoid analysis.(Citation: US-CERT Volgmer 2 Nov 2017)

WhisperGate

WhisperGate can delete tools from a compromised host after execution.(Citation: Cisco Ukraine Wipers January 2022)

FruitFly

FruitFly will delete files on the system.(Citation: objsee mac malware 2017)

AcidPour

AcidPour includes a self-delete function where the malware deletes itself from disk after execution and program load into memory.(Citation: SentinelOne AcidPour 2024)

RDAT

RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.(Citation: Unit42 RDAT July 2020)

Okrum

Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.(Citation: ESET Okrum July 2019)

SamSam

SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.(Citation: Sophos SamSam Apr 2018)

Raspberry Robin

Raspberry Robin can delete its initial delivery script from disk during execution.(Citation: HP RaspberryRobin 2024)

Fysbis

Fysbis has the ability to delete files.(Citation: Fysbis Dr Web Analysis)

VERMIN

VERMIN can delete files on the victim’s machine.(Citation: Unit 42 VERMIN Jan 2018)

Nightdoor

Nightdoor can self-delete.(Citation: ESET EvasivePanda 2024)

CSPY Downloader

CSPY Downloader has the ability to self delete.(Citation: Cybereason Kimsuky November 2020)

PowerShower

PowerShower has the ability to remove all files created during the dropper process.(Citation: Unit 42 Inception November 2018)

Kazuar

Kazuar can delete files.(Citation: Unit 42 Kazuar May 2017)

FatDuke

FatDuke can secure delete its DLL.(Citation: ESET Dukes October 2019)

zwShell

zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.(Citation: McAfee Night Dragon)

Rising Sun

Rising Sun can delete files and artifacts it creates.(Citation: McAfee Sharpshooter December 2018)

ShimRat

ShimRat can uninstall itself from compromised hosts, as well as create and modify directories, and delete, move, copy, and rename files.(Citation: FOX-IT May 2016 Mofang)

Hi-Zor

Hi-Zor deletes its RAT installer file as it executes its DLL payload file.(Citation: Fidelis INOCNATION)

XAgentOSX

XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.(Citation: XAgentOSX 2017)

Green Lambert

Green Lambert can delete the original executable after initial installation in addition to unused functions.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)

LockerGoga

LockerGoga has been observed deleting its original launcher after execution.(Citation: CarbonBlack LockerGoga 2019)

PUNCHBUGGY

PUNCHBUGGY can delete files written to disk.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019)

HyperBro

HyperBro has the ability to delete a specified file.(Citation: Unit42 Emissary Panda May 2019)

Anchor

Anchor can self delete its dropper after the malware is successfully deployed.(Citation: Cyberreason Anchor December 2019)

Line Runner

Line Runner removes its initial ZIP delivery archive after processing the enclosed LUA script.(Citation: Cisco ArcaneDoor 2024)

Pteranodon

Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.(Citation: Palo Alto Gamaredon Feb 2017)

ROKRAT

ROKRAT can request to delete files.(Citation: NCCGroup RokRat Nov 2018)

RunningRAT

RunningRAT contains code to delete files from the victim’s machine.(Citation: McAfee Gold Dragon)

Exbyte

Exbyte will self-delete if a hard-coded configuration file is not found.(Citation: Microsoft BlackByte 2023)

DarkWatchman

DarkWatchman has been observed deleting its original launcher after installation.(Citation: Prevailion DarkWatchman 2021)

BBSRAT

BBSRAT can delete files and directories.(Citation: Palo Alto Networks BBSRAT)

Reaver

Reaver deletes the original dropped file from the victim.(Citation: Palo Alto Reaver Nov 2017)

Bisonal

Bisonal will delete its dropper and VBS scripts from the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

MultiLayer Wiper

MultiLayer Wiper uses a batch file, remover.bat to delete malware artifacts and the batch file itself during execution.(Citation: Unit42 Agrius 2023)

S-Type

S-Type has deleted files it has created on a compromised host.(Citation: Cylance Dust Storm)

SeaDuke

SeaDuke can securely delete files, including deleting itself from the victim.(Citation: Symantec Seaduke 2015)

DustySky

DustySky can delete files it creates from the infected system.(Citation: Kaspersky MoleRATs April 2019)

Remsec

Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)

Epic

Epic has a command to delete a file from the machine.(Citation: Kaspersky Turla Aug 2014)

LightNeuron

LightNeuron has a function to delete files.(Citation: ESET LightNeuron May 2019)

Cuba

Cuba can use the command cmd.exe /c del to delete its artifacts from the system.(Citation: McAfee Cuba April 2021)

DarkGate

DarkGate has deleted its staging directories.(Citation: Rapid7 BlackBasta 2024)

NanHaiShu

NanHaiShu launches a script to delete their original decoy file to cover tracks.(Citation: fsecure NanHaiShu July 2016)

LockBit 3.0

LockBit 3.0 can delete itself from disk.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Carbanak

Carbanak has a command to delete files.(Citation: FireEye CARBANAK June 2017)

Hydraq

Hydraq creates a backdoor through which remote attackers can delete files.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

Ferocious

Ferocious can delete files from a compromised host.(Citation: Kaspersky WIRTE November 2021)

Elise

Elise is capable of launching a remote shell on the host to delete itself.(Citation: Accenture Dragonfish Jan 2018)

Gazer

Gazer has commands to delete files and persistence mechanisms from the victim.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Latrodectus

Latrodectus has the ability to delete itself.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)

Saint Bot

Saint Bot can run a batch script named `del.bat` to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Pay2Key

Pay2Key can remove its log file from disk.(Citation: Check Point Pay2Key November 2020)

CharmPower

CharmPower can delete created files from a compromised system.(Citation: Check Point APT35 CharmPower January 2022)

TYPEFRAME

TYPEFRAME can delete files off the system.(Citation: US-CERT TYPEFRAME June 2018)

Mori

Mori can delete its DLL file and related files by Registry value.(Citation: DHS CISA AA22-055A MuddyWater February 2022)

QUADAGENT

QUADAGENT has a command to delete its Registry key and scheduled task.(Citation: Unit 42 QUADAGENT July 2018)

TAINTEDSCRIBE

TAINTEDSCRIBE can delete files from a compromised host.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

pngdowner

pngdowner deletes content from C2 communications that was saved to the user's temporary directory.(Citation: CrowdStrike Putter Panda)

Uroburos

Uroburos can run a `Clear Agents Track` command on an infected machine to delete Uroburos-related logs.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Metamorfo

Metamorfo has deleted itself from the system after execution.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)

Trojan.Karagany

Trojan.Karagany has used plugins with a self-delete capability.(Citation: Secureworks Karagany July 2019)

Bandook

Bandook has a command to delete a file.(Citation: CheckPoint Bandook Nov 2020)

MagicRAT

MagicRAT can delete files on victim systems, including itself.(Citation: Cisco MagicRAT 2022)

KONNI

KONNI can delete files.(Citation: Talos Konni May 2017)

gh0st RAT

gh0st RAT has the capability to delete files.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)

JHUHUGIT

The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)

BLUELIGHT

BLUELIGHT can uninstall itself.(Citation: Volexity InkySquid BLUELIGHT August 2021)

Ixeshe

Ixeshe has a command to delete a file from the machine.(Citation: Trend Micro IXESHE 2012)

VBShower

VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%\..\Local\Temporary Internet Files\Content.Word and %APPDATA%\..\Local Settings\Temporary Internet Files\Content.Word\.(Citation: Kaspersky Cloud Atlas August 2019)

BPFDoor

After initial setup, BPFDoor's original execution process deletes the dropped binary and exits.(Citation: Sandfly BPFDoor 2022)

ZeroCleare

ZeroCleare has the ability to uninstall the RawDisk driver and delete the `rwdsk` file on disk.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)

StoneDrill

StoneDrill has been observed deleting the temporary files once they fulfill their task.(Citation: Kaspersky StoneDrill 2017)

OopsIE

OopsIE has the capability to delete files and scripts from the victim's machine.(Citation: Unit 42 OilRig Sept 2018)

Attor

Attor’s plugin deletes the collected files and log files after exfiltration.(Citation: ESET Attor Oct 2019)

Imminent Monitor

Imminent Monitor has deleted files related to its dynamic debugger feature.(Citation: QiAnXin APT-C-36 Feb2019)

SQLRat

SQLRat has been observed deleting scripts once they have been used.(Citation: Flashpoint FIN 7 March 2019)

SDBbot

SDBbot has the ability to delete files from a compromised host.(Citation: Proofpoint TA505 October 2019)

Mosquito

Mosquito deletes files using DeleteFileW API call.(Citation: ESET Turla Mosquito Jan 2018)

RTM

RTM can delete all files created during its execution.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

Derusbi

Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)

Grandoreiro

Grandoreiro can delete .LNK files created in the Startup folder.(Citation: ESET Grandoreiro April 2020)

LiteDuke

LiteDuke can securely delete files by first writing random data to the file.(Citation: ESET Dukes October 2019)

Sakula

Some Sakula samples use cmd.exe to delete temporary files.(Citation: Dell Sakula)

Sibot

Sibot will delete itself if a certain server response is received.(Citation: MSTIC NOBELIUM Mar 2021)

WINDSHIELD

WINDSHIELD is capable of file deletion along with other file system interaction.(Citation: FireEye APT32 May 2017)

Drovorub

Drovorub can delete specific files from a compromised host.(Citation: NSA/FBI Drovorub August 2020)

Shark

Shark can delete files downloaded to the compromised host.(Citation: ClearSky Siamesekitten August 2021)

Bazar

Bazar can delete its loader using a batch file in the Windows temporary folder.(Citation: NCC Group Team9 June 2020)

MESSAGETAP

Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk.(Citation: FireEye MESSAGETAP October 2019)

XLoader

XLoader can delete malicious executables from compromised machines.(Citation: Acronis XLoader 2021)

MoonWind

MoonWind can delete itself or specified files.(Citation: Palo Alto MoonWind March 2017)

Cryptoistic

Cryptoistic has the ability to delete files from a compromised host.(Citation: SentinelOne Lazarus macOS July 2020)

HermeticWiper

HermeticWiper has the ability to overwrite its own file with random bytes.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)

Pysa

Pysa has deleted batch files after execution.(Citation: CERT-FR PYSA April 2020)

ccf32

ccf32 can delete files and folders from compromised machines.(Citation: Bitdefender FunnyDream Campaign November 2020)

LockBit 2.0

LockBit 2.0 can delete itself from disk after execution.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)

Zebrocy

Zebrocy has a command to delete files and directories.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

SpeakUp

SpeakUp deletes files to remove evidence on the machine.(Citation: CheckPoint SpeakUp Feb 2019)

LunarMail

LunarMail can delete the previously used staging directory and files on subsequent rounds of exfiltration and replace it with a new one.(Citation: ESET Turla Lunar toolset May 2024)

SUNBURST

SUNBURST had a command to delete files.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)

EvilBunny

EvilBunny has deleted the initial dropper after running through the environment checks.(Citation: Cyphort EvilBunny Dec 2014)

Wingbird

Wingbird deletes its payload along with the payload's parent process after it finishes copying files.(Citation: Microsoft SIR Vol 21)

HotCroissant

HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.(Citation: Carbon Black HotCroissant April 2020)

ServHelper

ServHelper has a module to delete itself from the infected machine.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019)

REvil

REvil can mark its binary code for deletion after reboot.(Citation: Intel 471 REvil March 2020)

Milan

Milan can delete files via `C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`.(Citation: ClearSky Siamesekitten August 2021)

USBStealer

USBStealer has several commands to delete files associated with the malware from the victim.(Citation: ESET Sednit USBStealer 2014)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: Unit42 OceanLotus 2017)

Taidoor

Taidoor can use DeleteFileA to remove files from infected hosts.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

Cherry Picker

Recent versions of Cherry Picker delete files and registry keys created by the malware.(Citation: Trustwave Cherry Picker)

Kivars

Kivars has the ability to uninstall malware from the infected host.(Citation: TrendMicro BlackTech June 2017)

Seasalt

Seasalt has a command to delete a specified file.(Citation: Mandiant APT1 Appendix)

Pasam

Pasam creates a backdoor through which remote attackers can delete files.(Citation: Symantec Pasam May 2012)

PLEAD

PLEAD has the ability to delete files on the compromised host.(Citation: TrendMicro BlackTech June 2017)

Raccoon Stealer

Raccoon Stealer can remove files related to use and installation.(Citation: Sekoia Raccoon1 2022)

IPsec Helper

IPsec Helper can delete itself when given the appropriate command.(Citation: SentinelOne Agrius 2021)

Cardinal RAT

Cardinal RAT can uninstall itself, including deleting its executable.(Citation: PaloAlto CardinalRat Apr 2017)

DanBot

DanBot can delete its configuration file after installation.(Citation: ClearSky Siamesekitten August 2021)

Calisto

Calisto has the capability to use rm -rf to remove folders and files from the victim's machine.(Citation: Securelist Calisto July 2018)

Solar

Solar has the ability to delete staged files after they are uploaded to C2.(Citation: ESET OilRig Campaigns Sep 2023)

GoldenSpy

GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.(Citation: Trustwave GoldenSpy2 June 2020)

Gold Dragon

Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.(Citation: McAfee Gold Dragon)

cmd

cmd can be used to delete files from the file system.(Citation: TechNet Del)

Pillowmint

Pillowmint has deleted the filepath %APPDATA%\Intel\devmonsrv.exe.(Citation: Trustwave Pillowmint June 2020)

MacMa

MacMa can delete itself from the compromised computer.(Citation: ESET DazzleSpy Jan 2022)

FunnyDream

FunnyDream can delete files including its dropper component.(Citation: Bitdefender FunnyDream Campaign November 2020)

ROADSWEEP

ROADSWEEP can use embedded scripts to remove itself from the infected host.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022)

SUNSPOT

Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.(Citation: CrowdStrike SUNSPOT Implant January 2021)

More_eggs

More_eggs can remove itself from a system.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

SysUpdate

SysUpdate can delete its configuration file from the targeted system.(Citation: Trend Micro Iron Tiger April 2021)

OutSteel

OutSteel can delete itself following the successful execution of a follow-on payload.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

BackConfig

BackConfig has the ability to remove files and folders related to previous infections.(Citation: Unit 42 BackConfig May 2020)

Proton

Proton removes all files in the /tmp directory.(Citation: objsee mac malware 2017)

InnaputRAT

InnaputRAT has a command to delete files.(Citation: ASERT InnaputRAT April 2018)

GrimAgent

GrimAgent can delete old binaries on a compromised host.(Citation: Group IB GrimAgent July 2021)

LookBack

LookBack removes itself after execution and can delete files on the system.(Citation: Proofpoint LookBack Malware Aug 2019)

Lokibot

Lokibot will delete its dropped files after bypassing UAC.(Citation: Talos Lokibot Jan 2021)

PoetRAT

PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.(Citation: Talos PoetRAT April 2020)

StealBit

StealBit can self-delete its executable file from the compromised system.(Citation: Cybereason StealBit Exfiltration Tool)(Citation: FBI Lockbit 2.0 FEB 2022)

FELIXROOT

FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.(Citation: FireEye FELIXROOT July 2018)

ZxShell

ZxShell can delete files from the system.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)

Penquin

Penquin can delete downloaded executables after running them.(Citation: Leonardo Turla Penquin May 2020)

BabyShark

BabyShark has cleaned up all files associated with the secondary payload execution.(Citation: Unit42 BabyShark Apr 2019)

Winnti for Windows

Winnti for Windows can delete the DLLs for its various components from a compromised host.(Citation: Novetta Winnti April 2015)

Troll Stealer

Troll Stealer creates and can execute a BAT script that will delete the malware.(Citation: S2W Troll Stealer 2024)

BLACKCOFFEE

BLACKCOFFEE has the capability to delete files.(Citation: FireEye APT17)

Meteor

Meteor will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`.(Citation: Check Point Meteor Aug 2021)

SDelete

SDelete deletes data in a way that makes it unrecoverable.(Citation: Microsoft SDelete July 2016)

njRAT

njRAT is capable of deleting files.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

POWERSTATS

POWERSTATS can delete all files on the C:\, D:\, E:\, and F:\ drives using PowerShell Remove-Item commands.(Citation: FireEye MuddyWater Mar 2018)

IceApple

IceApple can delete files and directories from targeted systems.(Citation: CrowdStrike IceApple May 2022)

JPIN

JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.(Citation: Microsoft PLATINUM April 2016)

metaMain

metaMain has deleted collected items after uploading the content to its C2 server.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

Heyoka Backdoor

Heyoka Backdoor has the ability to delete folders and files from a targeted system.(Citation: SentinelOne Aoqin Dragon June 2022)

HTTPBrowser

HTTPBrowser deletes its original installer file once installation is complete.(Citation: ZScaler Hacking Team)

LunarWeb

LunarWeb can self-delete from a compromised host if safety checks of C2 connectivity fail.(Citation: ESET Turla Lunar toolset May 2024)

KillDisk

KillDisk has the ability to quit and delete itself.(Citation: ESET Telebots Dec 2016)

AppleJeus

AppleJeus has deleted the MSI file after installation.(Citation: CISA AppleJeus Feb 2021)

Kevin

Kevin can delete files created on the victim's machine.(Citation: Kaspersky Lyceum October 2021)

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207.(Citation: CISA EB Aug 2020)

Linfo

Linfo creates a backdoor through which remote attackers can delete files.(Citation: Symantec Linfo May 2012)

QakBot

QakBot can delete folders and files including overwriting its executable with legitimate programs.(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020)

Hancitor

Hancitor has deleted files using the VBA kill function.(Citation: FireEye Hancitor)

Gelsemium

Gelsemium can delete its dropper component from the targeted system.(Citation: ESET Gelsemium June 2021)

jRAT

jRAT has a function to delete files from the victim’s machine.(Citation: jRAT Symantec Aug 2018)

Komplex

The Komplex trojan supports file deletion.(Citation: Sofacy Komplex Trojan)

Denis

Denis has a command to delete files from the victim’s machine.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

MacSpy

MacSpy deletes any temporary files it creates.(Citation: alientvault macspy)

Dtrack

Dtrack can remove its persistence and delete itself.(Citation: Securelist Dtrack)

LoudMiner

LoudMiner deleted installation files after completion.(Citation: ESET LoudMiner June 2019)

Azorult

Azorult can delete files from victim machines.(Citation: Unit42 Azorult Nov 2018)

ADVSTORESHELL

ADVSTORESHELL can delete files and directories.(Citation: ESET Sednit Part 2)

StrifeWater

StrifeWater can self delete to cover its tracks.(Citation: Cybereason StrifeWater Feb 2022)

SLOTHFULMEDIA

SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

FALLCHILL

FALLCHILL can delete malware and associated artifacts from the victim.(Citation: US-CERT FALLCHILL Nov 2017)

APT28

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.(Citation: DOJ GRU Indictment Jul 2018)

Tropic Trooper

Tropic Trooper has deleted dropper files on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020)

Evilnum

Evilnum has deleted files used during infection.(Citation: ESET EvilNum July 2020)

The White Company

The White Company has the ability to delete its malware entirely from the target system.(Citation: Cylance Shaheen Nov 2018)

Operation Wocao

Operation Wocao has deleted logs and executable files used during an intrusion.(Citation: FoxIT Wocao December 2019)

Lazarus Group

Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)

Gamaredon Group

Gamaredon Group tools can delete files used during an operation.(Citation: TrendMicro Gamaredon April 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)

APT29

APT29 has used SDelete to remove artifacts from victim networks.(Citation: Mandiant No Easy Breach)

APT39

APT39 has used malware to delete files after they are deployed on a compromised host.(Citation: FBI FLASH APT39 September 2020)

APT38

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.(Citation: FireEye APT38 Oct 2018)(Citation: CISA AA20-239A BeagleBoyz August 2020)

Dragonfly 2.0

Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Rocke

Rocke has deleted files on infected machines.(Citation: Anomali Rocke March 2019)

Aquatic Panda

Aquatic Panda has deleted malicious executables from compromised machines.(Citation: CrowdStrike AQUATIC PANDA December 2021)(Citation: Crowdstrike HuntReport 2022)

BRONZE BUTLER

The BRONZE BUTLER uploader, or the malware it uses, issues a command to delete the RAR archives after they have been exfiltrated.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Honeybee

Honeybee removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection.(Citation: McAfee Honeybee)

BlackByte

BlackByte deleted ransomware executables post-encryption.(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)

Silence

Silence has deleted artifacts, including scheduled tasks, communications files from the C2, and other logs.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)

Wizard Spider

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)

Threat Group-3390

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Trend Micro DRBControl February 2020)

APT32

APT32's macOS backdoor can receive a “delete” command.(Citation: ESET OceanLotus macOS April 2019)

Group5

Malware used by Group5 is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)

Metador

Metador has quickly deleted `cbd.exe` from a compromised host following the successful deployment of their malware.(Citation: SentinelLabs Metador Sept 2022)

Dragonfly

Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.(Citation: US-CERT TA18-074A)

INC Ransom

INC Ransom has uninstalled tools from compromised endpoints after use.(Citation: Huntress INC Ransomware May 2024)

OilRig

OilRig has deleted files associated with their payload after execution.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 OopsIE! Feb 2018)

TEMP.Veles

TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.(Citation: FireEye TRITON 2019)

Chimera

Chimera has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020)

Volt Typhoon

Volt Typhoon has run `rd /S` to delete their working directories and deleted systeminfo.dat from `C:\Users\Public\Documentsfiles`.(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

Kimsuky

Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

Sandworm Team

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)(Citation: Mandiant-Sandworm-Ukraine-2022)

APT18

APT18 actors deleted tools and batch files from victim systems.(Citation: Dell Lateral Movement)

Magic Hound

Magic Hound has deleted and overwritten files to cover tracks.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Phosphorus November 2021)

menuPass

A menuPass macro deletes files after it has decoded and decompressed them.(Citation: Accenture Hogfish April 2018)(Citation: District Court of NY APT10 Indictment December 2018)

TeamTNT

TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)

APT5

APT5 has deleted scripts and web shells to evade detection.(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)

Patchwork

Patchwork removed certain files and replaced them so they could not be retrieved.(Citation: TrendMicro Patchwork Dec 2017)

Mustang Panda

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Ember Bear

Ember Bear deletes files related to lateral movement to avoid detection.(Citation: Cadet Blizzard emerges as novel threat actor)

RedCurl

RedCurl has deleted files after execution.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl)

Play

Play has used tools including Wevtutil to remove malicious files from compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

FIN10

FIN10 has used batch scripts and scheduled tasks to delete critical system files.(Citation: FireEye FIN10 June 2017)

APT3

APT3 has a tool that can delete files.(Citation: FireEye Clandestine Fox)

FIN6

FIN6 has removed files from victim machines.(Citation: FireEye FIN6 April 2016)

Cobalt Group

Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.(Citation: Talos Cobalt Group July 2018)

APT41

APT41 deleted files from the system.(Citation: FireEye APT41 Aug 2019)(Citation: Rostovcev APT41 2021)

UNC2452

UNC2452 routinely removed their tools, including custom backdoors, once remote access was achieved.(Citation: FireEye SUNBURST Backdoor December 2020)

FIN8

FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Symantec FIN8 Jul 2023)

FIN5

FIN5 uses SDelete to clean up the environment and attempt to prevent detection.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Mitigations

Mitigation Description
File Deletion Mitigation

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
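As an added example, not part of this page or of MITRE ATT&CK, the following Python sketch applies the detection guidance above, together with the audit step from the mitigation entry (known deletion utilities that are not part of the baseline), to constructed endpoint events. It flags executions of secure-deletion tools, parses `del`/`rd` out of `cmd.exe` command lines (which is the only place they appear, since they are shell built-ins and never spawn a process of their own), parses `rm` out of `sh -c` invocations, and correlates each deleted path with files earlier written by a scripting host. The tool list, the event field names (`ts`, `host`, `type`, `image`, `cmdline`, `path`) and every sample event are assumptions made for the example, not a real EDR or Sysmon schema.

```python
"""Added example: detect T1070.004-style file deletion over constructed events.

The event shape (ts, host, type, image, cmdline, path) is an assumption for
this example, not a real log schema; the sample events are constructed.
"""
import re
import shlex
from dataclasses import dataclass

# Secure-deletion / cleanup utilities not normally present on enterprise hosts.
# Assumption: tune this set to the environment's own software baseline.
DELETION_TOOLS = {"sdelete.exe", "sdelete64.exe", "cipher.exe"}

# cmd.exe built-ins: no child process is created, so they are visible only
# inside the command line of cmd.exe itself.
CMD_BUILTINS = {"del", "erase", "rd", "rmdir"}

# POSIX deletion commands; these do spawn a process but may be wrapped in sh -c.
POSIX_DELETERS = {"rm", "unlink", "shred"}


@dataclass
class Alert:
    ts: int
    host: str
    reason: str
    target: str


def _basename(path: str) -> str:
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1]


def _is_windows_path(path: str) -> bool:
    return "\\" in path or re.match(r"^[A-Za-z]:", path) is not None


def _norm(path: str) -> str:
    # Windows paths are case-insensitive, POSIX paths are not.
    p = path.strip('"')
    return p.lower() if _is_windows_path(p) else p


def cmd_deletions(cmdline: str) -> list[str]:
    """Paths targeted by del/erase/rd/rmdir in a cmd.exe command line.

    Plain whitespace splitting is deliberate: shlex would treat the backslashes
    in Windows paths as escapes. Quoted paths containing spaces are a known
    limitation of this sketch.
    """
    targets = []
    for segment in re.split(r"\s*&&?\s*|\s*\|\|\s*", cmdline):
        tokens = segment.split()
        # Drop the interpreter and its /c or /k switch when present.
        while tokens and (_basename(tokens[0]).lower() in ("cmd.exe", "cmd")
                          or tokens[0].lower() in ("/c", "/k")):
            tokens.pop(0)
        if tokens and tokens[0].lower() in CMD_BUILTINS:
            targets.extend(t for t in tokens[1:] if not t.startswith("/"))
    return targets


def posix_deletions(image: str, cmdline: str) -> list[str]:
    """Paths targeted by rm/unlink/shred, directly or via sh -c '...'."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the recorded command line
        return []
    if _basename(image) in ("sh", "bash", "dash") and "-c" in argv:
        idx = argv.index("-c")
        if idx + 1 >= len(argv):
            return []
        try:
            argv = shlex.split(argv[idx + 1])
        except ValueError:
            return []
    if argv and _basename(argv[0]) in POSIX_DELETERS:
        return [a for a in argv[1:] if not a.startswith("-")]
    return []


def detect(events: list[dict]) -> list[Alert]:
    """Run the deletion checks over events in time order.

    Files written by any process are remembered by path so that a later
    deletion of the same path is reported as "written then removed", which is
    the correlation the detection guidance describes.
    """
    alerts: list[Alert] = []
    written: dict[str, str] = {}  # normalised path -> image that wrote it
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "FileCreate":
            written[_norm(ev["path"])] = _basename(ev["image"])
            continue
        image, cmdline = ev["image"], ev["cmdline"]
        base = _basename(image).lower()
        if base in DELETION_TOOLS:
            alerts.append(Alert(ev["ts"], ev["host"],
                                f"secure-deletion tool {base} executed", cmdline))
            continue
        if _is_windows_path(image):
            targets = cmd_deletions(cmdline) if base == "cmd.exe" else []
        else:
            targets = posix_deletions(image, cmdline)
        for t in targets:
            writer = written.get(_norm(t))
            reason = (f"deleted file previously written by {writer}" if writer
                      else "command-line file deletion")
            alerts.append(Alert(ev["ts"], ev["host"], reason, t))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "type": "FileCreate", "cmdline": "",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "path": "C:\\Users\\Public\\stage.exe"},
    {"ts": 2, "host": "ws01", "type": "ProcessCreate",
     "image": "C:\\Users\\Public\\stage.exe", "cmdline": "stage.exe"},
    {"ts": 3, "host": "ws01", "type": "ProcessCreate",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c del /f /q C:\\Users\\Public\\stage.exe && rd /S /Q C:\\Users\\Public\\work"},
    {"ts": 4, "host": "ws01", "type": "ProcessCreate",
     "image": "C:\\Users\\Public\\sdelete64.exe",
     "cmdline": "sdelete64.exe -p 3 C:\\Users\\Public\\export.rar"},
    {"ts": 5, "host": "srv01", "type": "ProcessCreate",
     "image": "/bin/sh", "cmdline": "sh -c 'rm -f /tmp/.x/agent'"},
    {"ts": 6, "host": "ws01", "type": "ProcessCreate",  # benign: no alert
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users\\Public"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.ts}] {a.host}: {a.reason} -> {a.target}")
```

Running the block on the sample set yields four alerts: the deletion of `stage.exe` is tied back to the PowerShell process that wrote it, the `rd` of the working directory and the `rm` inside `sh -c` are reported as plain command-line deletions, the `sdelete64.exe` execution is reported as a secure-deletion tool, and the `dir` invocation produces nothing. In a real deployment the FileCreate lookback would need a time window and the tool set a proper baseline; the tokenizer is intentionally simple and documents its limits in comments.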

References

  1. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  2. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  3. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  4. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  5. Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  6. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  7. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
  8. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  9. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  10. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  11. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  12. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  13. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  14. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  15. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  16. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  17. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
  18. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  19. M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  20. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  21. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  22. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  23. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  24. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  25. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  26. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  27. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom. Retrieved January 24, 2025.
  28. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  29. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  30. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  31. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
  32. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  33. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  34. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  35. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
  36. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  37. Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
  38. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  39. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  40. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  41. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  42. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  43. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  44. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  45. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  46. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
  47. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  48. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  49. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  50. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  51. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  52. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  53. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  54. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  55. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  56. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  57. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  58. Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020.
  59. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.
  60. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  61. Lim, M. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat. Retrieved October 7, 2019.
  62. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages? Retrieved May 11, 2020.
  63. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  64. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  65. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  66. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  67. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  68. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  69. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  70. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  71. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  72. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
  73. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  74. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  75. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  76. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  77. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  78. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  79. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  80. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  81. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  82. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  83. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  84. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  85. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  86. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  87. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
  88. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  89. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  90. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  91. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  92. Microsoft. (n.d.). Del. Retrieved April 22, 2016.
  93. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  94. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  95. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  96. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  97. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  98. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  99. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  100. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  101. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  102. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  103. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  104. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  105. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  106. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  107. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
  108. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  109. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  110. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  111. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  112. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  113. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  114. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  115. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  116. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  117. CISA et al. (2023, June 14). UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT. Retrieved February 5, 2025.
  118. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  119. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  120. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  121. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  122. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  123. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
  124. Merritt, E. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
  125. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  126. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  127. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  128. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  129. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  130. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
  131. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  132. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  133. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  134. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  135. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  136. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  137. Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024.
  138. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  139. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT? Retrieved August 13, 2019.
  140. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  141. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  142. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  143. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  144. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  145. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  146. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  147. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  148. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024.
  149. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  150. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024.
  151. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  152. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  153. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  154. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  155. Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  156. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  157. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  158. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  159. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  160. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  161. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  162. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  163. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  164. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  165. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  166. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  167. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  168. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
  169. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
  170. Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  171. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  172. Patrick Schläpfer. (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  173. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  174. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  175. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  176. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  177. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy? Retrieved February 12, 2019.
  178. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  179. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  180. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  181. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  182. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  183. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  184. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  185. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  186. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  187. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  188. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  189. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  190. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  191. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  192. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  193. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
  194. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  195. Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020.
  196. Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.
  197. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  198. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  199. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  200. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  201. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  202. Peter Ewane. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018.
  203. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  204. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  205. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
  206. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  207. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved November 17, 2024.
  208. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  209. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  210. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  211. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  212. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  213. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
  214. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  215. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  216. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  217. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  218. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  219. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  220. Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
  221. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  222. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  223. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  224. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  225. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  226. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  227. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  228. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  229. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  230. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  231. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  232. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  233. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  234. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  235. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  236. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  237. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  238. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
  239. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  240. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  241. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  242. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  243. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  244. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  245. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  246. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  247. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  248. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  249. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  250. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  251. Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
  252. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  253. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  254. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.
  255. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
  256. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  257. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  258. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  259. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  260. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  261. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  262. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  263. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  264. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  265. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  266. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  267. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  268. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  269. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  270. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  271. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  272. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  273. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  274. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024.
  275. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  276. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
  277. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  278. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  279. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  280. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  281. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  282. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  283. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  284. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  285. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  286. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  287. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  288. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  289. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  290. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  291. CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
  292. Acronis. (2021, November 26). Trojan-as-a-service: From Formbook to XLoader. Retrieved March 11, 2025.
  293. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  294. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  295. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  296. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  297. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  298. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  299. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  300. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  301. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  302. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  303. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024.
  304. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  305. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  306. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  307. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
  308. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
  309. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  310. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  311. Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024.
  312. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  313. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.