Исследование системы
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get`, `system version get`, and `storage filesystem list` (to list storage volumes).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Примеры процедур |
|
| Название | Описание |
|---|---|
| TrickBot |
TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Cyberreason Anchor December 2019)(Citation: Eclypsium Trickboot December 2020) |
| PowerDuke |
PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.(Citation: Volexity PowerDuke November 2016) |
| BLINDINGCAN |
BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.(Citation: US-CERT BLINDINGCAN Aug 2020) |
| Ninja |
Ninja can obtain the computer name and information on the OS and physical drives from targeted hosts.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Pikabot |
Pikabot performs a variety of system checks and gathers system information, including commands such as |
| RCSession |
RCSession can gather system information from a compromised host.(Citation: Profero APT27 December 2020) |
| Spark |
Spark can collect the hostname, keyboard layout, and language from the system.(Citation: Unit42 Molerat Mar 2020) |
| SynAck |
SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.(Citation: SecureList SynAck Doppelgänging May 2018) |
| Bumblebee |
Bumblebee can enumerate the OS version and domain on a targeted system.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022) |
| MURKYTOP |
MURKYTOP has the capability to retrieve information about the OS.(Citation: FireEye Periscope March 2018) |
| GRIFFON |
GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .(Citation: SecureList Griffon May 2019) |
| Amadey |
Amadey has collected the computer name and OS version from a compromised machine.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020) |
| Covenant |
Covenant implants can gather basic information on infected systems.(Citation: Github Covenant) |
| Proxysvc |
Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.(Citation: McAfee GhostSecret) |
| Orz |
Orz can gather the victim OS version and whether it is 64 or 32 bit.(Citation: Proofpoint Leviathan Oct 2017) |
| Torisma |
Torisma can use `GetlogicalDrives` to get a bitmask of all drives available on a compromised system. It can also use `GetDriveType` to determine if a new drive is a CD-ROM drive.(Citation: McAfee Lazarus Nov 2020) |
| NOKKI |
NOKKI can gather information on drives and the operating system on the victim’s machine.(Citation: Unit 42 NOKKI Sept 2018) |
| yty |
yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command |
| Backdoor.Oldrea |
Backdoor.Oldrea collects information about the OS and computer name.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021) |
| Stuxnet |
Stuxnet collects system information including computer and domain names, OS version, and S7P paths.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| RotaJakiro |
RotaJakiro executes a set of commands to collect device information, including `uname`. Another example is the `cat /etc/*release | uniq` command used to collect the current OS distribution.(Citation: RotaJakiro 2021 netlab360 analysis) |
| Get2 |
Get2 has the ability to identify the computer name and Windows version of an infected host.(Citation: Proofpoint TA505 October 2019) |
| POWRUNER |
POWRUNER may collect information about the system by running |
| KOPILUWAK |
KOPILUWAK can discover logical drive information on compromised hosts.(Citation: Mandiant Suspected Turla Campaign February 2023) |
| SharpStage |
SharpStage has checked the system settings to see if Arabic is the configured language.(Citation: BleepingComputer Molerats Dec 2020) |
| Sardonic |
Sardonic has the ability to collect the computer name, CPU manufacturer name, and C:\ drive serial number from a compromised machine. Sardonic also has the ability to execute the `ver` and `systeminfo` commands.(Citation: Bitdefender Sardonic Aug 2021) |
| HALFBAKED |
HALFBAKED can obtain information about the OS, processor, and BIOS.(Citation: FireEye FIN7 April 2017) |
| Misdat |
The initial beacon packet for Misdat contains the operating system version of the victim.(Citation: Cylance Dust Storm) |
| Emissary |
Emissary has the capability to execute ver and systeminfo commands.(Citation: Emissary Trojan Feb 2016) |
| ShimRatReporter |
ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.(Citation: FOX-IT May 2016 Mofang) |
| KEYMARBLE |
KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.(Citation: US-CERT KEYMARBLE Aug 2018) |
| BUBBLEWRAP |
BUBBLEWRAP collects system information, including the operating system version and hostname.(Citation: FireEye admin@338) |
| SILENTTRINITY |
SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| HAWKBALL |
HAWKBALL can collect the OS version, architecture information, and computer name.(Citation: FireEye HAWKBALL Jun 2019) |
| Ursnif |
Ursnif has used Systeminfo to gather system information.(Citation: TrendMicro Ursnif Mar 2015) |
| ThreatNeedle |
ThreatNeedle can collect system profile information from a compromised host.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Naid |
Naid collects a unique identifier (UID) from a compromised host.(Citation: Symantec Naid June 2012) |
| RansomHub |
RansomHub can retrieve information about virtual machines.(Citation: Group-IB RansomHub FEB 2025) |
| ZLib |
ZLib has the ability to enumerate system information.(Citation: Cylance Dust Storm) |
| RedLeaves |
RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018) |
| LITTLELAMB.WOOLTEA |
LITTLELAMB.WOOLTEA can check the type of Ivanti VPN device it is running on by executing `first_run()` to identify the first four bytes of the motherboard serial number.(Citation: Mandiant Cutting Edge Part 3 February 2024) |
| Felismus |
Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.(Citation: Forcepoint Felismus Mar 2017) |
| Zeus Panda |
Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017) |
| CARROTBAT |
CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020) |
| GravityRAT |
GravityRAT collects the MAC address, computer name, and CPU information.(Citation: Talos GravityRAT) |
| Bankshot |
Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017) |
| SharpDisco |
SharpDisco can use a plugin to enumerate system drives.(Citation: MoustachedBouncer ESET August 2023) |
| StrongPity |
StrongPity can identify the hard disk volume serial number on a compromised host.(Citation: Talos Promethium June 2020) |
| HAPPYWORK |
can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.(Citation: FireEye APT37 Feb 2018) |
| PLAINTEE |
PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.(Citation: Rancor Unit42 June 2018) |
| Pony |
Pony has collected the Service Pack, language, and region information to send to the C2.(Citation: Malwarebytes Pony April 2016) |
| WinMM |
WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.(Citation: Baumgartner Naikon 2015) |
| Nebulae |
Nebulae can discover logical drive information including the drive type, free space, and volume information.(Citation: Bitdefender Naikon April 2021) |
| Kasidet |
Kasidet has the ability to obtain a victim's system name and operating system version.(Citation: Zscaler Kasidet) |
| OceanSalt |
OceanSalt can collect the computer name from the system.(Citation: McAfee Oceansalt Oct 2018) |
| Brave Prince |
Brave Prince collects hard drive content and system configuration information.(Citation: McAfee Gold Dragon) |
| AppleSeed |
AppleSeed can identify the OS version of a targeted system.(Citation: Malwarebytes Kimsuky June 2021) |
| macOS.OSAMiner |
macOS.OSAMiner can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility `df`.(Citation: SentinelLabs reversing run-only applescripts 2021) |
| NETWIRE |
NETWIRE can discover and collect victim system information.(Citation: McAfee Netwire Mar 2015) |
| EnvyScout |
EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.(Citation: MSTIC Nobelium Toolset May 2021) |
| SslMM |
SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.(Citation: Baumgartner Naikon 2015) |
| IMAPLoader |
IMAPLoader uses WMI queries to gather information about the victim machine.(Citation: PWC Yellow Liderc 2023) |
| Gomir |
Gomir collects information on infected systems such as hostname, username, CPU, and RAM information.(Citation: Symantec Troll Stealer 2024) |
| Aria-body |
Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.(Citation: CheckPoint Naikon May 2020) |
| BOLDMOVE |
BOLDMOVE performs system survey actions following initial execution.(Citation: Google Cloud BOLDMOVE 2023) |
| Crimson |
Crimson contains a command to collect the victim PC name, disk drive information, and operating system.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
| DUSTTRAP |
DUSTTRAP reads the value of the infected system's `HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID` value.(Citation: Google Cloud APT41 2024) |
| Empire |
Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.(Citation: Github PowerShell Empire)(Citation: Talos Frankenstein June 2019) |
| Turian |
Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.(Citation: ESET BackdoorDiplomacy Jun 2021) |
| BADHATCH |
BADHATCH can obtain current system information from a compromised machine such as the `SHELL PID`, `PSVERSION`, `HOSTNAME`, `LOGONSERVER`, `LASTBOOTUP`, drive information, OS type/version, bitness, and hostname.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) |
| Machete |
Machete collects the hostname of the target computer.(Citation: ESET Machete July 2019) |
| Action RAT |
Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.(Citation: MalwareBytes SideCopy Dec 2021) |
| Avenger |
Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.(Citation: Trend Micro Tick November 2019) |
| Prikormka |
A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.(Citation: ESET Operation Groundbait) |
| dsquery |
dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain.(Citation: Mandiant APT41) |
| Gootloader |
Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.(Citation: Sophos Gootloader) |
| PingPull |
PingPull can retrieve the hostname of a compromised host.(Citation: Unit 42 PingPull Jun 2022) |
| WellMess |
WellMess can identify the computer name of a compromised host.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020) |
| DropBook |
DropBook has checked for the presence of Arabic language in the infected machine's settings.(Citation: Cybereason Molerats Dec 2020) |
| Woody RAT |
Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, environment variables, and storage drives.(Citation: MalwareBytes WoodyRAT Aug 2022) |
| Mafalda |
Mafalda can collect the computer name and enumerate all drives on a compromised host.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| KARAE |
KARAE can collect system information.(Citation: FireEye APT37 Feb 2018) |
| Squirrelwaffle |
Squirrelwaffle has gathered victim computer information and configurations.(Citation: ZScaler Squirrelwaffle Sep 2021) |
| AuTo Stealer |
AuTo Stealer has the ability to collect the hostname and OS information from an infected host.(Citation: MalwareBytes SideCopy Dec 2021) |
| ShrinkLocker |
ShrinkLocker uses WMI queries to gather various information about the victim machine and operating system.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024) |
| Hildegard |
Hildegard has collected the host's OS, CPU, and memory information.(Citation: Unit 42 Hildegard Malware) |
| SLOWDRIFT |
SLOWDRIFT collects and sends system information to its C2.(Citation: FireEye APT37 Feb 2018) |
| SHUTTERSPEED |
SHUTTERSPEED can collect system information.(Citation: FireEye APT37 Feb 2018) |
| SombRAT |
SombRAT can execute |
| FlawedAmmyy |
FlawedAmmyy can collect the victim's operating system and computer name during the initial infection.(Citation: Proofpoint TA505 Mar 2018) |
| Snip3 |
Snip3 has the ability to query `Win32_ComputerSystem` for system information. (Citation: Morphisec Snip3 May 2021) |
| Rifdoor |
Rifdoor has the ability to identify the Windows version on the compromised host.(Citation: Carbon Black HotCroissant April 2020) |
| HOPLIGHT |
HOPLIGHT has been observed collecting victim machine information like OS version, volume information, and more.(Citation: US-CERT HOPLIGHT Apr 2019) |
| Cuckoo Stealer |
Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024) |
| MobileOrder |
MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.(Citation: Scarlet Mimic Jan 2016) |
| InvisiMole |
InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
| Volgmer |
Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014) |
| WINERACK |
WINERACK can gather information about the host.(Citation: FireEye APT37 Feb 2018) |
| WhisperGate |
WhisperGate has the ability to enumerate fixed logical drives on a targeted system.(Citation: Cisco Ukraine Wipers January 2022) |
| ZeroT |
ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.(Citation: Proofpoint ZeroT Feb 2017) |
| AcidPour |
AcidPour can identify various system locations and mapped devices on Linux systems as a precursor to wiping activity.(Citation: SentinelOne AcidPour 2024) |
| PoshC2 |
PoshC2 contains modules, such as |
| Skidmap |
Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.(Citation: Trend Micro Skidmap) |
| Okrum |
Okrum can collect computer name, locale information, and information about the OS and architecture.(Citation: ESET Okrum July 2019) |
| Bonadan |
Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.(Citation: ESET ForSSHe December 2018) |
| Line Dancer |
Line Dancer can gather system configuration information by running the native `show configuration` command.(Citation: Cisco ArcaneDoor 2024) |
| Neoichor |
Neoichor can collect the OS version and computer name from a compromised host.(Citation: Microsoft NICKEL December 2021) |
| Raspberry Robin |
Raspberry Robin performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.(Citation: HP RaspberryRobin 2024) |
| Mispadu |
Mispadu collects the OS version, computer name, and language ID.(Citation: ESET Security Mispadu Facebook Ads 2019) |
| Diavol |
Diavol can collect the computer name and OS version from the system.(Citation: Fortinet Diavol July 2021) |
| BlackCat |
BlackCat can obtain the computer name and UUID, and enumerate local drives.(Citation: Microsoft BlackCat Jun 2022) |
| Fysbis |
Fysbis has used the command |
| IcedID |
IcedID has the ability to identify the computer name and OS version on a compromised host.(Citation: IBM IcedID November 2017)(Citation: DFIR_Quantum_Ransomware) |
| VERMIN |
VERMIN collects the OS name, machine name, and architecture information.(Citation: Unit 42 VERMIN Jan 2018) |
| Nightdoor |
Nightdoor gathers information on the victim system such as CPU and Computer name as well as device drivers. Nightdoor can also collect information about disk drives, their total and free space, and file system type.(Citation: ESET EvasivePanda 2024) |
| MarkiRAT |
MarkiRAT can obtain the computer name from a compromised host.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
| PowerShower |
PowerShower has collected system information on the infected host.(Citation: Unit 42 Inception November 2018) |
| Kazuar |
Kazuar gathers information on the system and local drives.(Citation: Unit 42 Kazuar May 2017) |
| NavRAT |
NavRAT uses |
| DarkComet |
DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
| POORAIM |
POORAIM can identify system information, including battery status.(Citation: FireEye APT37 Feb 2018) |
| FatDuke |
FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host.(Citation: ESET Dukes October 2019) |
| Lucifer |
Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.(Citation: Unit 42 Lucifer June 2020) |
| BlackEnergy |
BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014) |
| zwShell |
zwShell can obtain the victim PC name and OS version.(Citation: McAfee Night Dragon) |
| Rising Sun |
Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.(Citation: McAfee Sharpshooter December 2018) |
| Chrommme |
Chrommme has the ability to list drives and obtain the computer name of a compromised host.(Citation: ESET Gelsemium June 2021) |
| BADFLICK |
BADFLICK has captured victim computer name, memory space, and CPU details.(Citation: Accenture MUDCARP March 2019) |
| ObliqueRAT |
ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.(Citation: Talos Oblique RAT March 2021) |
| SocGholish |
SocGholish has the ability to enumerate system information including the victim computer name.(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile) |
| SpicyOmelette |
SpicyOmelette can identify the system name of a compromised host.(Citation: Secureworks GOLD KINGSWOOD September 2018) |
| XAgentOSX |
XAgentOSX contains the getInstalledAPP function to run |
| Green Lambert |
Green Lambert can use `uname` to identify the operating system name, version, and processor type.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| LightSpy |
LightSpy's second stage implant uses the `DeviceInformation` class to collect system information, including CPU usage, battery statistics, memory allocations, screen size, etc.(Citation: Huntress LightSpy macOS 2024) |
| PUNCHBUGGY |
PUNCHBUGGY can gather system information such as computer names.(Citation: Morphisec ShellTea June 2019) |
| HELLOKITTY |
HELLOKITTY can enumerate logical drives on a target system.(Citation: FireEye FiveHands April 2021) |
| KeyBoy |
KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013) |
| MiniDuke |
MiniDuke can gather the hostname on a compromised machine.(Citation: ESET Dukes October 2019) |
| Anchor |
Anchor can determine the hostname and linux version on a compromised host.(Citation: Medium Anchor DNS July 2020) |
| DarkTortilla |
DarkTortilla can obtain system information by querying the `Win32_ComputerSystem`, `Win32_BIOS`, `Win32_MotherboardDevice`, `Win32_PnPEntity`, and `Win32_DiskDrive` WMI objects.(Citation: Secureworks DarkTortilla Aug 2022) |
| ROKRAT |
ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021) |
| CORESHELL |
CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.(Citation: FireEye APT28) |
| RunningRAT |
RunningRAT gathers the OS version, logical drives information, processor information, and volume information.(Citation: McAfee Gold Dragon) |
| Babuk |
Babuk can enumerate disk volumes, get disk information, and query service status.(Citation: McAfee Babuk February 2021) |
| DarkWatchman |
DarkWatchman can collect the OS version, system architecture, and computer name.(Citation: Prevailion DarkWatchman 2021) |
| Dyre |
Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.(Citation: Malwarebytes Dyreza November 2015) |
| BlackMould |
BlackMould can enumerate local drives on a compromised host.(Citation: Microsoft GALLIUM December 2019) |
| Reaver |
Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.(Citation: Palo Alto Reaver Nov 2017) |
| Bisonal |
Bisonal has used commands and API calls to gather system information.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) |
| S-Type |
The initial beacon packet for S-Type contains the operating system version and file system of the victim.(Citation: Cylance Dust Storm) |
| Lumma Stealer |
Lumma Stealer has gathered various system information from victim machines.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025) |
| DustySky |
DustySky extracts basic information about the operating system.(Citation: DustySky) |
| Remsec |
Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Explosive |
Explosive has collected the computer name from the infected host.(Citation: CheckPoint Volatile Cedar March 2015) |
| AsyncRAT |
AsyncRAT can check the disk size through the values obtained with `DeviceInfo.`(Citation: Telefonica Snip3 December 2021) |
| Epic |
Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.(Citation: Kaspersky Turla Aug 2014) |
| LightNeuron |
LightNeuron gathers the victim computer name using the Win32 API call |
| Cuba |
Cuba can enumerate local drives, disk type, and disk free space.(Citation: McAfee Cuba April 2021) |
| DEATHRANSOM |
DEATHRANSOM can enumerate logical drives on a target system.(Citation: FireEye FiveHands April 2021) |
| Clambling |
Clambling can discover the hostname, computer name, and Windows version of a targeted machine.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020) |
| Agent Tesla |
Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Malwarebytes Agent Tesla April 2020) |
| Akira |
Akira uses the |
| DarkGate |
DarkGate uses the Delphi methods |
| Mongall |
Mongall can identify drives on compromised hosts and retrieve the hostname via `gethostbyname`.(Citation: SentinelOne Aoqin Dragon June 2022) |
| NanHaiShu |
NanHaiShu can gather the victim computer name and serial number.(Citation: Proofpoint Leviathan Oct 2017) |
| LockBit 3.0 |
LockBit 3.0 can enumerate system hostname, domain, and local drive configuration.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| SVCReady |
SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of `systeminfo.exe`.(Citation: HP SVCReady Jun 2022) |
| Hydraq |
Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.(Citation: Symantec Hydraq Jan 2010) |
| SHARPSTATS |
SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019) |
| Ferocious |
Ferocious can use |
| Caterpillar WebShell |
Caterpillar WebShell has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more.(Citation: ClearSky Lebanese Cedar Jan 2021) |
| Netwalker |
Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.(Citation: TrendMicro Netwalker May 2020) |
| Elise |
Elise executes |
| Latrodectus |
Latrodectus can gather operating system information.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024) |
| Saint Bot |
Saint Bot can identify the OS version, CPU, and other details from a victim's machine.(Citation: Malwarebytes Saint Bot April 2021) |
| Pay2Key |
Pay2Key has the ability to gather the hostname of the victim machine.(Citation: Check Point Pay2Key November 2020) |
| Chaes |
Chaes has collected system information, including the machine name and OS version.(Citation: Cybereason Chaes Nov 2020) |
| CharmPower |
CharmPower can enumerate the OS version and computer name on a targeted system.(Citation: Check Point APT35 CharmPower January 2022) |
| TYPEFRAME |
TYPEFRAME can gather the disk volume information.(Citation: US-CERT TYPEFRAME June 2018) |
| Bundlore |
Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using |
| EVILNUM |
EVILNUM can obtain the computer name from the victim's system.(Citation: Prevailion EvilNum May 2020) |
| KOMPROGO |
KOMPROGO is capable of retrieving information about the infected system.(Citation: FireEye APT32 May 2017) |
| SMOKEDHAM |
SMOKEDHAM has used the |
| Sagerunex |
Sagerunex gathers information from the infected system such as hostname.(Citation: Cisco LotusBlossom 2025) |
| TAINTEDSCRIBE |
TAINTEDSCRIBE can use |
| Sys10 |
Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.(Citation: Baumgartner Naikon 2015) |
| Systeminfo |
Systeminfo can be used to gather information about the operating system.(Citation: TechNet Systeminfo) |
| Royal |
Royal can use `GetNativeSystemInfo` and `GetLogicalDrives` to enumerate system processors and logical drives.(Citation: Cybereason Royal December 2022)(Citation: Trend Micro Royal Linux ESXi February 2023) |
| Uroburos |
Uroburos has the ability to gather basic system information and run the POSIX API `gethostbyname`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
| Metamorfo |
Metamorfo has collected the hostname and operating system version from the compromised host.(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) |
| Trojan.Karagany |
Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.(Citation: Secureworks Karagany July 2019) |
| Bandook |
Bandook can collect information about the drives available on the system.(Citation: CheckPoint Bandook Nov 2020) |
| PipeMon |
PipeMon can collect and send OS version and computer name as a part of its C2 beacon.(Citation: ESET PipeMon May 2020) |
| MagicRAT |
MagicRAT collects basic system information from victim machines.(Citation: Cisco MagicRAT 2022) |
| KONNI |
KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used |
| T9000 |
T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.(Citation: Palo Alto T9000 Feb 2016) |
| gh0st RAT |
gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.(Citation: Gh0stRAT ATT March 2019) |
| Shamoon |
Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018) |
| MoleNet |
MoleNet can collect information about the about the system.(Citation: Cybereason Molerats Dec 2020) |
| JHUHUGIT |
JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key |
| BLUELIGHT |
BLUELIGHT has collected the computer name and OS version from victim machines.(Citation: Volexity InkySquid BLUELIGHT August 2021) |
| KGH_SPY |
KGH_SPY can collect drive information from a compromised host.(Citation: Cybereason Kimsuky November 2020) |
| down_new |
down_new has the ability to identify the system volume information of a compromised host.(Citation: Trend Micro Tick November 2019) |
| Ixeshe |
Ixeshe collects the computer name of the victim's system during the initial infection.(Citation: Trend Micro IXESHE 2012) |
| Micropsia |
Micropsia gathers the hostname and OS version from the victim’s machine.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018) |
| Kerrdown |
Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.(Citation: Unit 42 KerrDown February 2019) |
| Black Basta |
Black Basta can enumerate volumes and collect system boot configuration and CPU information.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022) |
| ZeroCleare |
ZeroCleare can use the `IOCTL_DISK_GET_DRIVE_GEOMETRY_EX`, `IOCTL_DISK_GET_DRIVE_GEOMETRY`, and `IOCTL_DISK_GET_LENGTH_INFO` system calls to compute disk size.(Citation: Mandiant ROADSWEEP August 2022) |
| StoneDrill |
StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.(Citation: Kaspersky StoneDrill 2017) |
| OopsIE |
OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.(Citation: Unit 42 OilRig Sept 2018) |
| 4H RAT |
4H RAT sends an OS version identifier in its beacons.(Citation: CrowdStrike Putter Panda) |
| RogueRobin |
RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.(Citation: Unit 42 DarkHydrus July 2018) |
| Attor |
Attor monitors the free disk space on the system.(Citation: ESET Attor Oct 2019) |
| LitePower |
LitePower has the ability to list local drives and enumerate the OS architecture.(Citation: Kaspersky WIRTE November 2021) |
| StreamEx |
StreamEx has the ability to enumerate system information.(Citation: Cylance Shell Crew Feb 2017) |
| SDBbot |
SDBbot has the ability to identify the OS version, OS bit information and computer name.(Citation: Proofpoint TA505 October 2019)(Citation: Korean FSI TA505 2020) |
| RTM |
RTM can obtain the computer name, OS version, and default language identifier.(Citation: ESET RTM Feb 2017) |
| Derusbi |
Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.(Citation: Fidelis Turbo) |
| BlackByte Ransomware |
BlackByte Ransomware gathers victim system information to generate a unique victim identifier.(Citation: Trustwave BlackByte 2021) |
| SodaMaster |
SodaMaster can enumerate the host name and OS version on a target system.(Citation: Securelist APT10 March 2021) |
| StrelaStealer |
StrelaStealer variants collect victim system information for exfiltration.(Citation: IBM StrelaStealer 2024) |
| Grandoreiro |
Grandoreiro can collect the computer name and OS version from a compromised host.(Citation: ESET Grandoreiro April 2020) |
| LiteDuke |
LiteDuke can enumerate the CPUID and BIOS version on a compromised system.(Citation: ESET Dukes October 2019) |
| ZxxZ |
ZxxZ has collected the host name and operating system product name from a compromised machine.(Citation: Cisco Talos Bitter Bangladesh May 2022) |
| WINDSHIELD |
WINDSHIELD can gather the victim computer name.(Citation: FireEye APT32 May 2017) |
| Shark |
Shark can collect the GUID of a targeted machine.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
| Bazar |
Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Kobalos |
Kobalos can record the hostname and kernel version of the target machine.(Citation: ESET Kobalos Jan 2021) |
| BadPatch |
BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.(Citation: Unit 42 BadPatch Oct 2017) |
| RATANKBA |
RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.(Citation: Lazarus RATANKBA)(Citation: RATANKBA) |
| XLoader |
XLoader can collect system information and supported language information from the victim machine.(Citation: Acronis XLoader 2021) |
| SOUNDBITE |
SOUNDBITE is capable of gathering system information.(Citation: FireEye APT32 May 2017) |
| BADCALL |
BADCALL collects the computer name and host name on the compromised system.(Citation: US-CERT BADCALL) |
| MoonWind |
MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.(Citation: Palo Alto MoonWind March 2017) |
| Ryuk |
Ryuk has called |
| HermeticWiper |
HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022) |
| Final1stspy |
Final1stspy obtains victim Microsoft Windows version information and CPU architecture.(Citation: Unit 42 Nokki Oct 2018) |
| Kapeka |
Kapeka utilizes WinAPI calls and registry queries to gather system information.(Citation: WithSecure Kapeka 2024) |
| LockBit 2.0 |
LockBit 2.0 can enumerate system information including hostname, domain information, and local drive configuration.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022) |
| Zebrocy |
Zebrocy collects the OS version, computer name and serial number for the storage volume C:\. Zebrocy also runs the |
| FinFisher |
FinFisher checks if the victim OS is 32 or 64-bit.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
| SpeakUp |
SpeakUp uses the |
| LunarMail |
LunarMail can capture environmental variables on compromised hosts.(Citation: ESET Turla Lunar toolset May 2024) |
| Cadelspy |
Cadelspy has the ability to discover information about the compromised host.(Citation: Symantec Chafer Dec 2015) |
| SampleCheck5000 |
SampleCheck5000 can create unique victim identifiers by using the compromised system’s volume ID or computer name.(Citation: ESET OilRig Downloaders DEC 2023) |
| SUNBURST |
SUNBURST collected hostname and OS version.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020) |
| Wingbird |
Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.(Citation: Microsoft SIR Vol 21) |
| HotCroissant |
HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.(Citation: US-CERT HOTCROISSANT February 2020) |
| ServHelper |
ServHelper will attempt to enumerate Windows version and system architecture.(Citation: Proofpoint TA505 Jan 2019) |
| Unknown Logger |
Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.(Citation: Forcepoint Monsoon) |
| REvil |
REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Secureworks REvil September 2019) |
| Valak |
Valak can determine the Windows version and computer name on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: SentinelOne Valak June 2020) |
| PinchDuke |
PinchDuke gathers system configuration information.(Citation: F-Secure The Dukes) |
| Milan |
Milan can enumerate the targeted machine's name and GUID.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
| OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the |
| OilBooster |
OilBooster can identify the compromised system's hostname which is used to create a unique identifier.(Citation: ESET OilRig Downloaders DEC 2023) |
| CaddyWiper |
CaddyWiper can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.(Citation: Cisco CaddyWiper March 2022)(Citation: Malwarebytes IssacWiper CaddyWiper March 2022 ) |
| Cyclops Blink |
Cyclops Blink has the ability to query device information.(Citation: NCSC Cyclops Blink February 2022) |
| TajMahal |
TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.(Citation: Kaspersky TajMahal April 2019) |
| Pasam |
Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.(Citation: Symantec Pasam May 2012) |
| Raccoon Stealer |
Raccoon Stealer gathers information on infected systems such as operating system, processor information, RAM, and display information.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022) |
| Cardinal RAT |
Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.(Citation: PaloAlto CardinalRat Apr 2017) |
| BISCUIT |
BISCUIT has a command to collect the processor type, operation system, computer name, and whether the system is a laptop or PC.(Citation: Mandiant APT1) |
| Solar |
Solar can send basic information about the infected host to C2.(Citation: ESET OilRig Campaigns Sep 2023) |
| Pisloader |
Pisloader has a command to collect victim system information, including the system name and OS version.(Citation: Palo Alto DNS Requests) |
| GoldenSpy |
GoldenSpy has gathered operating system information.(Citation: Trustwave GoldenSpy June 2020) |
| Gold Dragon |
Gold Dragon collects endpoint information using the |
| Ramsay |
Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020) |
| cmd |
cmd can be used to find information about the operating system.(Citation: TechNet Dir) |
| Carberp |
Carberp has collected the operating system version from the infected system.(Citation: Prevx Carberp March 2011) |
| NKAbuse |
NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server.(Citation: NKAbuse SL) |
| Revenge RAT |
Revenge RAT collects the CPU information, OS information, and system language.(Citation: Cylance Shaheen Nov 2018) |
| MacMa |
MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes.(Citation: ESET DazzleSpy Jan 2022) |
| FunnyDream |
FunnyDream can enumerate all logical drives on a targeted machine.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| ROADSWEEP |
ROADSWEEP can enumerate logical drives on targeted devices.(Citation: Mandiant ROADSWEEP August 2022)(Citation: Microsoft Albanian Government Attacks September 2022) |
| More_eggs |
More_eggs has the capability to gather the OS version and computer name.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019) |
| SysUpdate |
SysUpdate can collect a system's architecture, operating system version, hostname, and drive information.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux) |
| BackConfig |
BackConfig has the ability to gather the victim's computer name.(Citation: Unit 42 BackConfig May 2020) |
| Kwampirs |
Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands |
| BoomBox |
BoomBox can enumerate the hostname, domain, and IP of a compromised host.(Citation: MSTIC Nobelium Toolset May 2021) |
| DEADEYE |
DEADEYE can enumerate a victim computer's volume serial number and host name.(Citation: Mandiant APT41) |
| CrackMapExec |
CrackMapExec can enumerate the system drives and associated system name.(Citation: CME Github September 2018) |
| Mango |
Mango can collect the machine name of a compromised system which is later used as part of a unique victim identifier.(Citation: ESET OilRig Campaigns Sep 2023) |
| Koadic |
Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.(Citation: MalwareBytes LazyScripter Feb 2021) |
| InnaputRAT |
InnaputRAT gathers volume drive information and system information.(Citation: ASERT InnaputRAT April 2018) |
| Kessel |
Kessel has collected the system architecture, OS version, and MAC address information.(Citation: ESET ForSSHe December 2018) |
| GrimAgent |
GrimAgent can collect the OS, and build version on a compromised host.(Citation: Group IB GrimAgent July 2021) |
| YAHOYAH |
YAHOYAH checks for the system’s Windows OS version and hostname.(Citation: TrendMicro TropicTrooper 2015) |
| Pupy |
Pupy can grab a system’s information including the OS version, architecture, etc.(Citation: GitHub Pupy) |
| Lokibot |
Lokibot has the ability to discover the computer name and Windows product name/version.(Citation: FSecure Lokibot November 2019) |
| Egregor |
Egregor can perform a language check of the infected system and can query the CPU information (cupid).(Citation: JoeSecurity Egregor 2020)(Citation: NHS Digital Egregor Nov 2020) |
| PoetRAT |
PoetRAT has the ability to gather information about the compromised host.(Citation: Talos PoetRAT April 2020) |
| StealBit |
StealBit can enumerate the computer name and domain membership of the compromised system.(Citation: Cybereason StealBit Exfiltration Tool) |
| FELIXROOT |
FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018) |
| ZxShell |
ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.(Citation: Talos ZxShell Oct 2014) |
| NDiskMonitor |
NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.(Citation: TrendMicro Patchwork Dec 2017) |
| Penquin |
Penquin can report the file system type and disk space of a compromised host to C2.(Citation: Leonardo Turla Penquin May 2020) |
| BabyShark |
BabyShark has executed the |
| Cannon |
Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018) |
| build_downer |
build_downer has the ability to send system volume information to C2.(Citation: Trend Micro Tick November 2019) |
| Winnti for Windows |
Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.(Citation: Novetta Winnti April 2015) |
| Troll Stealer |
Troll Stealer can collect local system information.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024) |
| Meteor |
Meteor has the ability to discover the hostname of a compromised host.(Citation: Check Point Meteor Aug 2021) |
| njRAT |
njRAT enumerates the victim operating system and computer name during the initial infection.(Citation: Fidelis njRAT June 2013) |
| Maze |
Maze has checked the language of the infected system using the "GetUSerDefaultUILanguage" function.(Citation: McAfee Maze March 2020) |
| QuasarRAT |
QuasarRAT can gather system information from the victim’s machine including the OS type.(Citation: GitHub QuasarRAT) |
| TURNEDUP |
TURNEDUP is capable of gathering system information.(Citation: FireEye APT33 Sept 2017) |
| ChChes |
ChChes collects the victim hostname, window resolution, and Microsoft Windows version.(Citation: Palo Alto menuPass Feb 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017) |
| POWERSTATS |
POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019) |
| Manjusaka |
Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.(Citation: Talos Manjusaka 2022) |
| IceApple |
The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.(Citation: CrowdStrike IceApple May 2022) |
| JPIN |
JPIN can obtain system information such as OS version and disk space.(Citation: Microsoft PLATINUM April 2016) |
| metaMain |
metaMain can collect the computer name from a compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| SideTwist |
SideTwist can collect the computer name of a targeted system.(Citation: Check Point APT34 April 2021) |
| KOCTOPUS |
KOCTOPUS has checked the OS version using `wmic.exe` and the `find` command.(Citation: MalwareBytes LazyScripter Feb 2021) |
| Heyoka Backdoor |
Heyoka Backdoor can enumerate drives on a compromised host.(Citation: SentinelOne Aoqin Dragon June 2022) |
| Mis-Type |
The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.(Citation: Cylance Dust Storm) |
| LunarWeb |
LunarWeb can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.(Citation: ESET Turla Lunar toolset May 2024) |
| XCSSET |
XCSSET identifies the macOS version and uses |
| Octopus |
Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.(Citation: Securelist Octopus Oct 2018) |
| KillDisk |
KillDisk retrieves the hard disk name by calling the |
| AppleJeus |
AppleJeus has collected the victim host information after infection.(Citation: CISA AppleJeus Feb 2021) |
| SoreFang |
SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.(Citation: CISA SoreFang July 2016) |
| STARWHALE |
STARWHALE can gather the computer name of an infected host.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| MirageFox |
MirageFox can collect CPU and architecture information from the victim’s machine.(Citation: APT15 Intezer June 2018) |
| Industroyer |
Industroyer collects the victim machine’s Windows GUID.(Citation: Dragos Crashoverride 2017) |
| DownPaper |
DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.(Citation: ClearSky Charming Kitten Dec 2017) |
| CozyCar |
A system info module in CozyCar gathers information on the victim host’s configuration.(Citation: F-Secure CozyDuke) |
| Kevin |
Kevin can enumerate the OS version and hostname of a targeted machine.(Citation: Kaspersky Lyceum October 2021) |
| Linfo |
Linfo creates a backdoor through which remote attackers can retrieve system information.(Citation: Symantec Linfo May 2012) |
| ShadowPad |
ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.(Citation: Kaspersky ShadowPad Aug 2017) |
| Astaroth |
Astaroth collects the machine name and keyboard language from the system. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019) |
| QakBot |
QakBot can collect system information including the OS version and domain on a compromised host.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020)(Citation: Microsoft Ransomware as a Service) |
| SYSCON |
SYSCON has the ability to use Systeminfo to identify system information.(Citation: Unit 42 CARROTBAT January 2020) |
| Gelsemium |
Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.(Citation: ESET Gelsemium June 2021) |
| jRAT |
jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.(Citation: Symantec Frutas Feb 2013) |
| Dridex |
Dridex has collected the computer name and OS architecture information from the system.(Citation: Checkpoint Dridex Jan 2021) |
| OSX/Shlayer |
OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command |
| Denis |
Denis collects OS information and the computer name from the victim’s machine.(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| INC Ransomware |
INC Ransomware can discover and mount hidden drives to encrypt them.(Citation: Cybereason INC Ransomware November 2023) |
| Comnie |
Comnie collects the hostname of the victim machine.(Citation: Palo Alto Comnie) |
| OSInfo |
OSInfo discovers information about the infected machine.(Citation: Symantec Buckeye) |
| Lizar |
Lizar can collect the computer name from the machine,.(Citation: BiZone Lizar May 2021) |
| Dtrack |
Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| LoudMiner |
LoudMiner has monitored CPU usage.(Citation: ESET LoudMiner June 2019) |
| Azorult |
Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018) |
| BACKSPACE |
During its initial execution, BACKSPACE extracts operating system information from the infected host.(Citation: FireEye APT30) |
| Zox |
Zox can enumerate attached drives.(Citation: Novetta-Axiom) |
| UPPERCUT |
UPPERCUT has the capability to gather the system’s hostname and OS version.(Citation: FireEye APT10 Sept 2018) |
| ADVSTORESHELL |
ADVSTORESHELL can run Systeminfo to gather information about the victim.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015) |
| StrifeWater |
StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host.(Citation: Cybereason StrifeWater Feb 2022) |
| WarzoneRAT |
WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.(Citation: Check Point Warzone Feb 2020) |
| SLOTHFULMEDIA |
SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.(Citation: CISA MAR SLOTHFULMEDIA October 2020) |
| FALLCHILL |
FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.(Citation: US-CERT FALLCHILL Nov 2017) |
| Frankenstein |
Frankenstein has enumerated hosts, looking for the system's machine name.(Citation: Talos Frankenstein June 2019) |
| Turla |
Turla surveys a system upon check-in to discover operating system configuration details using the |
| Tropic Trooper |
Tropic Trooper has detected a target system’s OS version and system volume information.(Citation: TrendMicro TropicTrooper 2015)(Citation: TrendMicro Tropic Trooper May 2020) |
| Operation Wocao |
Operation Wocao has discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.(Citation: FoxIT Wocao December 2019) |
| Lazarus Group |
Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022) |
| Gamaredon Group |
A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: CERT-EE Gamaredon January 2021) |
| APT29 |
APT29 used |
| TA2541 |
TA2541 has collected system information prior to downloading malware on the targeted host.(Citation: Proofpoint TA2541 February 2022) |
| Darkhotel |
Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016) |
| APT38 |
APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| MuddyWater |
MuddyWater has used malware that can collect the victim’s OS version and machine name.(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022) |
| Rocke |
Rocke has used uname -m to collect the name and information about the infected system's kernel.(Citation: Anomali Rocke March 2019) |
| Aquatic Panda |
Aquatic Panda has used native OS commands to understand privilege levels and system details.(Citation: CrowdStrike AQUATIC PANDA December 2021) |
| Honeybee |
Honeybee gathers computer name and information using the |
| ZIRCONIUM |
ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020) |
| BlackByte |
BlackByte used various system commands and tools to pull system information during operations.(Citation: FBI BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023) |
| SideCopy |
SideCopy has identified the OS version of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021) |
| Wizard Spider |
Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim's machine. Wizard Spider has also utilized the PowerShell cmdlet `Get-ADComputer` to collect DNS hostnames, last logon dates, and operating system information from Active Directory.(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021) |
| Confucius |
Confucius has used a file stealer that can examine system drives, including those other than the C drive.(Citation: TrendMicro Confucius APT Aug 2021) |
| APT32 |
APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)(Citation: FireEye APT32 April 2020) |
| Moses Staff |
Moses Staff collected information about the infected host, including the machine names and OS architecture.(Citation: Checkpoint MosesStaff Nov 2021) |
| Higaisa |
Higaisa collected the system volume serial number, GUID, and computer name.(Citation: PTSecurity Higaisa 2020)(Citation: Malwarebytes Higaisa 2020) |
| Sidewinder |
Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020) |
| OilRig |
OilRig has run |
| APT19 |
APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016) |
| APT37 |
APT37 collects the computer name, the BIOS model, and execution path.(Citation: Talos Group123) |
| Inception |
Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.(Citation: Symantec Inception Framework March 2018) |
| Chimera |
Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information.(Citation: NCC Group Chimera January 2021) |
| HEXANE |
HEXANE has collected the hostname of a compromised machine.(Citation: Kaspersky Lyceum October 2021) |
| Volt Typhoon |
Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| FIN13 |
FIN13 has collected local host information by utilizing Windows commands `systeminfo`, `fsutil`, and `fsinfo`. FIN13 has also utilized a compromised Symantex Altiris console and LanDesk account to retrieve host information.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
| Kimsuky |
Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021) |
| Sandworm Team |
Sandworm Team used a backdoor to enumerate information about the infected system's operating system.(Citation: ESET Telebots July 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| APT18 |
APT18 can collect system information from the victim’s machine.(Citation: PaloAlto DNS Requests May 2016) |
| Magic Hound |
Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
| TeamTNT |
TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group) |
| Windigo |
Windigo has used a script to detect which Linux distribution and version is currently installed on the system.(Citation: ESET ForSSHe December 2018) |
| ToddyCat |
ToddyCat has collected information on bootable drives including model, vendor, and serial numbers.(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Ke3chang |
Ke3chang performs operating system information discovery using |
| Sowbug |
Sowbug obtained OS version and hardware configuration from a victim.(Citation: Symantec Sowbug Nov 2017) |
| Windshift |
Windshift has used malware to identify the computer name of a compromised host.(Citation: BlackBerry Bahamut) |
| Patchwork |
Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017) |
| Moonstone Sleet |
Moonstone Sleet has gathered information on victim systems.(Citation: Microsoft Moonstone Sleet 2024) |
| Mustang Panda |
Mustang Panda has gathered system information using |
| RedCurl |
RedCurl has collected information about the target system, such as system information and list of network connections.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| APT42 |
APT42 has used malware, such as GHAMBAR and POWERPOST, to collect system information.(Citation: Mandiant APT42-charms) |
| Mustard Tempest |
Mustard Tempest has used implants to perform system reconnaissance on targeted systems.(Citation: Microsoft Ransomware as a Service) |
| Play |
Play has leveraged tools to enumerate system information.(Citation: Trend Micro Ransomware Spotlight Play July 2023) |
| APT3 |
APT3 has a tool that can obtain information about the local system.(Citation: Symantec Buckeye)(Citation: evolution of pirpi) |
| Winter Vivern |
Winter Vivern script execution includes basic victim information gathering steps which are then transmitted to command and control servers.(Citation: DomainTools WinterVivern 2021) |
| CURIUM |
CURIUM deploys information gathering tools focused on capturing IP configuration, running application, system information, and network connectivity information.(Citation: Symantec Tortoiseshell 2019) |
| Blue Mockingbird |
Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.(Citation: RedCanary Mockingbird May 2020) |
| Daggerfly |
Daggerfly utilizes victim machine operating system information to create custom User Agent strings for subsequent command and control communication.(Citation: ESET EvasivePanda 2024) |
| APT41 |
APT41 uses multiple built-in commands such as |
| Malteiro |
Malteiro collects the machine information, system architecture, the OS version, computer name, and Windows product name.(Citation: SCILabs Malteiro 2021) |
| UNC2452 |
UNC2452 used |
| FIN8 |
FIN8 has used PowerShell Scripts to check the architecture of a compromised machine before the selection of a 32-bit or 64-bit version of a malicious .NET loader.(Citation: Symantec FIN8 Jul 2023) |
| admin@338 |
admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: |
| Stealth Falcon |
Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.(Citation: Citizen Lab Stealth Falcon May 2016) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| System Information Discovery Mitigation |
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
Обнаружение
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, Network Device CLI commands may also be used to gather detailed system information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.
Ссылки
- USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
- Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
- DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
- Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
- CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
- Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
- Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
- Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
- Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
- Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.
- Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
- Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
- Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
- Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
- Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
- Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
- Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
- Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
- Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
- ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
- Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
- CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
- Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
- Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
- Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
- Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
- Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
- Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
- Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
- Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
- Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.
- Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
- Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
- Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
- Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
- US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
- Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
- Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.
- Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
- Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
- Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
- Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
- Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
- Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.
- Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
- Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- Buddy Tancio, Fe Cureg, and Jovit Samaniego, Trend Micro. (2025, January 30). Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response. Retrieved March 22, 2025.
- Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
- Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
- Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
- US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
- Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.