Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Промежуточное хранение данных (локально)
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Промежуточное хранение данных...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Data Staged:  Промежуточное хранение данных (локально)

ID Название
.001 Промежуточное хранение данных (локально)
.002 Промежуточное хранение данных (удаленно)

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

ID: T1074.001
Относится к технике:  T1074
Тактика(-и): Collection
Платформы: ESXi, Linux, Windows, macOS
Источники данных: Command: Command Execution, File: File Access, File: File Creation, Windows Registry: Windows Registry Key Modification
Версия: 1.2
Дата создания: 13 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
Exaramel for Windows

Exaramel for Windows specifies a path to store files scheduled for exfiltration.(Citation: ESET TeleBots Oct 2018)

NOKKI

NOKKI can collect data from the victim and stage it in LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.(Citation: Unit 42 NOKKI Sept 2018)
KOPILUWAK

KOPILUWAK has piped the results from executed C2 commands to `%TEMP%\result2.dat` on the local machine.(Citation: Mandiant Suspected Turla Campaign February 2023)
VersaMem

VersaMem staged captured credentials locally at `/tmp/.temp.data`.(Citation: Lumen Versa 2024)
Ursnif

Ursnif has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015)
FrameworkPOS

FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows\.(Citation: FireEye FIN6 April 2016)
RainyDay

RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.(Citation: Bitdefender Naikon April 2021)
AppleSeed

AppleSeed can stage files in a central location prior to exfiltration.(Citation: Malwarebytes Kimsuky June 2021)
NETWIRE

NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.(Citation: FireEye NETWIRE March 2019)
Turian

Turian can store copied files in a specific directory prior to exfiltration.(Citation: ESET BackdoorDiplomacy Jun 2021)
Machete

Machete stores files and logs in a folder on the local drive.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)
PowerLess

PowerLess can stage stolen browser data in `C:\\Windows\\Temp\\cup.tmp` and keylogger data in `C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`.(Citation: Cybereason PowerLess February 2022)
Prikormka

Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.(Citation: ESET Operation Groundbait)
Mafalda

Mafalda can place retrieved files into a destination directory.(Citation: SentinelLabs Metador Sept 2022)
AuTo Stealer

AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration.(Citation: MalwareBytes SideCopy Dec 2021)
SombRAT

SombRAT can store harvested data in a custom database under the %TEMP% directory.(Citation: BlackBerry CostaRicto November 2020)
FLASHFLOOD

FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.(Citation: FireEye APT30)
LoFiSe

LoFiSe can save files to be evaluated for further exfiltration in the `C:\Programdata\Microsoft\` and `C:\windows\temp\` folders. (Citation: Kaspersky ToddyCat Check Logs October 2023)
Cuckoo Stealer

Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to `/var/folder`.(Citation: Kandji Cuckoo April 2024)
InvisiMole

InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
MarkiRAT

MarkiRAT can store collected data locally in a created .nfo file.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Kazuar

Kazuar stages command output and collected data in files before exfiltration.(Citation: Unit 42 Kazuar May 2017)
NavRAT

NavRAT writes multiple outputs to a TMP file using the >> method.(Citation: Talos NavRAT May 2018)
CHIMNEYSWEEP

CHIMNEYSWEEP can store captured screenshots to disk including to a covert store named `APPX.%x%x%x%x%x.tmp` where `%x` is a random value.(Citation: Mandiant ROADSWEEP August 2022)
Chrommme

Chrommme can store captured system information locally prior to exfiltration.(Citation: ESET Gelsemium June 2021)
ObliqueRAT

ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.(Citation: Talos Oblique RAT March 2021)
SocGholish

SocGholish can send output from `whoami` to a local temp file using the naming convention `rad<5-hex-chars>.tmp`.(Citation: Red Canary SocGholish March 2024)
PUNCHBUGGY

PUNCHBUGGY has saved information to a random temp file before exfil.(Citation: Morphisec ShellTea June 2019)
Pteranodon

Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.(Citation: Palo Alto Gamaredon Feb 2017)
DarkWatchman

DarkWatchman can stage local data in the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
Dyre

Dyre has the ability to create files in a TEMP folder to act as a database to store information.(Citation: Malwarebytes Dyreza November 2015)
PACEMAKER

PACEMAKER has written extracted data to `tmp/dsserver-check.statementcounters`.(Citation: Mandiant Pulse Secure Zero-Day April 2021)
Lumma Stealer

Lumma Stealer has configured a custom user data directory such as a folder within `%USERPROFILE%\AppData\Roaming` for staging data.(Citation: TrendMicro LummaStealer 2025)
DustySky

DustySky created folders in temp directories to host collected files before exfiltration.(Citation: Kaspersky MoleRATs April 2019)
Duqu

Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.(Citation: Symantec W32.Duqu)
Rover

Rover copies files from removable drives to C:\system.(Citation: Palo Alto Rover)
LightNeuron

LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.(Citation: ESET LightNeuron May 2019)
Elise

Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.(Citation: Accenture Dragonfish Jan 2018)
Sagerunex

Sagerunex gathers host information and stages it locally as a RAR file prior to exfiltration.(Citation: Cisco LotusBlossom 2025) Sagerunex stores logged data in an encrypted file located at `%TEMP%/TS_FB56.tmp` during execution.(Citation: Symantec Bilbug 2022)
Trojan.Karagany

Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)
SPACESHIP

SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.(Citation: FireEye APT30)
KGH_SPY

KGH_SPY can save collected system information to a file named "info" before exfiltration.(Citation: Cybereason Kimsuky November 2020)
Catchamas

Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.(Citation: Symantec Catchamas April 2018)
OopsIE

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.(Citation: Unit 42 OopsIE! Feb 2018)
Attor

Attor has staged collected data in a central upload directory prior to exfiltration.(Citation: ESET Attor Oct 2019)
BoxCaon

BoxCaon has created a working folder for collected files that it sends to the C2 server.(Citation: Checkpoint IndigoZebra July 2021)

NightClub

NightClub has copied captured files and keystrokes to the `%TEMP%` directory of compromised hosts.(Citation: MoustachedBouncer ESET August 2023)
Crutch

Crutch has staged stolen files in the C:\AMD\Temp directory.(Citation: ESET Crutch December 2020)
RawPOS

Data captured by RawPOS is placed in a temporary file under a directory named "memdump".(Citation: Kroll RawPOS Jan 2017)
BadPatch

BadPatch stores collected data in log files before exfiltration.(Citation: Unit 42 BadPatch Oct 2017)
MESSAGETAP

MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.(Citation: FireEye MESSAGETAP October 2019)
SUGARDUMP

SUGARDUMP has stored collected data under `%%\\CrashLog.txt`.(Citation: Mandiant UNC3890 Aug 2022)
MoonWind

MoonWind saves information from its keylogging routine as a .zip file in the present working directory.(Citation: Palo Alto MoonWind March 2017)
ccf32

ccf32 can temporarily store files in a hidden directory on the local host.(Citation: Bitdefender FunnyDream Campaign November 2020)
Zebrocy

Zebrocy stores all collected information in a single file before exfiltration.(Citation: ESET Zebrocy Nov 2018)
LunarMail

LunarMail can create a directory in `%TEMP%\` to stage data prior to exfilration.(Citation: ESET Turla Lunar toolset May 2024)
SampleCheck5000

SampleCheck5000 can log the output from C2 commands in an encrypted and compressed format on disk prior to exfiltration.(Citation: ESET OilRig Downloaders DEC 2023)
Milan

Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)
USBStealer

USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.(Citation: ESET Sednit USBStealer 2014)(Citation: Kaspersky Sofacy)
OilBooster

OilBooster can stage files in the `tempFiles` directory for exfiltration.(Citation: ESET OilRig Downloaders DEC 2023)
PoisonIvy

PoisonIvy stages collected data in a text file.(Citation: Symantec Darkmoon Aug 2005)
Carbon

Carbon creates a base directory that contains the files and folders that are collected.(Citation: ESET Carbon Mar 2017)
Calisto

Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)
Gold Dragon

Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.(Citation: McAfee Gold Dragon)
Ramsay

Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

MacMa

MacMa has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021)
FunnyDream

FunnyDream can stage collected information including screen captures and logged keystrokes locally.(Citation: Bitdefender FunnyDream Campaign November 2020)
PUNCHTRACK

PUNCHTRACK aggregates collected data in a tmp file.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)
SLIGHTPULSE

SLIGHTPULSE has piped the output from executed commands to `/tmp/1`.(Citation: Mandiant Pulse Secure Zero-Day April 2021)
Troll Stealer

Troll Stealer encrypts gathered information on victim devices prior to exfiltrating it through command and control infrastructure.(Citation: S2W Troll Stealer 2024)
metaMain

metaMain has stored the collected system files in a working directory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
Mis-Type

Mis-Type has temporarily stored collected information to the files `“%AppData%\{Unique Identifier}\HOSTRURKLSR”` and `“%AppData%\{Unique Identifier}\NEWERSSEMP”`.(Citation: Cylance Dust Storm)
Octopus

Octopus has stored collected information in the Application Data directory on a compromised host.(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)
STARWHALE

STARWHALE has stored collected data in a file called `stari.txt`.(Citation: Mandiant UNC3313 Feb 2022)
ECCENTRICBANDWAGON

ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.(Citation: CISA EB Aug 2020)
BADNEWS

BADNEWS copies documents under 15MB found on the victim system to is the user's %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)
Astaroth

Astaroth collects data in a plaintext file named r1.log before exfiltration. (Citation: Cofense Astaroth Sept 2018)
QakBot

QakBot has stored stolen emails and other data into new folders prior to exfiltration.(Citation: Kroll Qakbot June 2020)
Helminth

Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.(Citation: Palo Alto OilRig May 2016)
Dtrack

Dtrack can save collected data to disk, different file formats, and network shares.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)
SLOWPULSE

SLOWPULSE can write logged ACE credentials to `/home/perl/PAUS.pm` in append mode, using the format string `%s:%s\n`.(Citation: Mandiant Pulse Secure Zero-Day April 2021)
ADVSTORESHELL

ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.(Citation: ESET Sednit Part 2)
APT28

APT28 has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19)
Operation Wocao

Operation Wocao has staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)
Indrik Spider

Indrik Spider has stored collected data in a .tmp file.(Citation: Symantec WastedLocker June 2020)
APT39

APT39 has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020)
MuddyWater

MuddyWater has stored a decoy PDF file within a victim's `%temp%` folder.(Citation: Talos MuddyWater Jan 2022)
Leviathan

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)
Dragonfly 2.0

Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)
Machete

Machete created their own directories to drop files into.(Citation: Cylance Machete Mar 2017)
Honeybee

Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.(Citation: McAfee Honeybee)
Wizard Spider

Wizard Spider has staged ZIP files in local directories such as, `C:\PerfLogs\1\` and `C:\User\1\` prior to exfiltration.(Citation: Mandiant FIN12 Oct 2021)
Threat Group-3390

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks BRONZE UNION June 2017)
Dragonfly

Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)
Sidewinder

Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021)
TEMP.Veles

TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019)
Chimera

Chimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)
BackdoorDiplomacy

BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.(Citation: ESET BackdoorDiplomacy Jun 2021)
Volt Typhoon

Volt Typhoon has saved stolen files including the `ntds.dit` database and the `SYSTEM` and `SECURITY` Registry hives locally to the `C:\Windows\Temp\` directory.(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)
FIN13

FIN13 has utilized the following temporary folders on compromised Windows and Linux systems for their operations prior to exfiltration: `C:\Windows\Temp` and `/tmp`.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Kimsuky

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)
menuPass

menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.(Citation: PWC Cloud Hopper April 2017)
TeamTNT

TeamTNT has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group)
APT5

APT5 has staged data on compromised systems prior to exfiltration often in `C:\Users\Public`.(Citation: Mandiant Pulse Secure Update May 2021)
Storm-1811

Storm-1811 has locally staged captured credentials for subsequent manual exfiltration.(Citation: rapid7-email-bombing)
Patchwork

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017)
Mustang Panda

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)
APT3

APT3 has been known to stage files for exfiltration in a single location.(Citation: aptsim)
Agrius

Agrius has used the folder, C:\\windows\\temp\\s\\, to stage data for exfiltration.(Citation: Unit42 Agrius 2023)
GALLIUM

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)
Lotus Blossom

Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration.(Citation: Cisco LotusBlossom 2025)
FIN5

FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Обнаружение

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell. Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

Ссылки

  1. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  2. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  3. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  4. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
  5. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  6. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  7. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  8. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024.
  9. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  10. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  11. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  12. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  13. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  14. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  15. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  16. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  17. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  18. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  19. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  20. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  21. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  22. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  23. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  24. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  25. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  26. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  27. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  28. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  29. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  30. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  31. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  32. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  33. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  34. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  35. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  36. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  37. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
  38. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  39. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  40. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  41. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  42. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  43. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  44. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.
  45. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  46. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  47. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  48. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  49. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  50. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  51. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  52. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  53. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  54. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  55. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  56. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  57. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  58. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  59. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  60. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  61. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  62. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  63. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  64. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  65. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  66. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  67. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  68. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  69. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  70. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  71. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  72. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  73. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  74. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  75. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
  76. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
  77. Buddy Tancio, Fe Cureg, and Jovit Samaniego, Trend Micro. (2025, January 30). Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response. Retrieved March 22, 2025.
  78. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  79. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  80. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  81. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  82. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  83. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  84. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  85. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  86. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  87. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  88. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  89. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  90. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  91. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  92. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  93. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024.
  94. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  95. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  96. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  97. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  98. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  99. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  100. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  101. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  102. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  103. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  104. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  105. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  106. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  107. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  108. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  109. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  110. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  111. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  112. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  113. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  114. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  115. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  116. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  117. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  118. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  119. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  120. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 . Retrieved January 15, 2025.
  121. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  122. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  123. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  124. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
  125. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  126. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  127. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.