Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Исследование файлов и каталогов
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Исследование файлов и каталого...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Исследование файлов и каталогов

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A) Some files and directories may require elevated or specific user permissions to access.

ID: T1083
Тактика(-и): Discovery
Платформы: ESXi, Linux, Network Devices, Windows, macOS
Источники данных: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Версия: 1.7
Дата создания: 31 May 2017
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
TrickBot

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)
PowerDuke

PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.(Citation: Volexity PowerDuke November 2016)
BLINDINGCAN

BLINDINGCAN can search, read, write, move, and execute files.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)
Ninja

Ninja has the ability to enumerate directory content.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
RemoteUtilities

RemoteUtilities can enumerate files and directories on a target machine.(Citation: Trend Micro Muddy Water March 2021)
QuietSieve

QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.(Citation: Microsoft Actinium February 2022)

SynAck

SynAck checks its directory location in an attempt to avoid launching in a sandbox.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018)
AcidRain

AcidRain identifies specific files and directories in the Linux operating system associated with storage devices.(Citation: AcidRain JAGS 2022)
Amadey

Amadey has searched for folders associated with antivirus software.(Citation: Korean FSI TA505 2020)
Proxysvc

Proxysvc lists files in directories.(Citation: McAfee GhostSecret)
Orz

Orz can gather victim drive information.(Citation: Proofpoint Leviathan Oct 2017)
yty

yty gathers information on victim’s drives and has a plugin for document listing.(Citation: ASERT Donot March 2018)
Backdoor.Oldrea

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.(Citation: Symantec Dragonfly)
Stuxnet

Stuxnet uses a driver to scan for specific filesystem driver objects.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
AvosLocker

AvosLocker has searched for files and directories on a compromised network.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)
POWRUNER

POWRUNER may enumerate user directories on a victim.(Citation: FireEye APT34 Dec 2017)
COATHANGER

COATHANGER will survey the contents of system files during installation.(Citation: NCSC-NL COATHANGER Feb 2024)
Smoke Loader

Smoke Loader recursively searches through directories for files.(Citation: Talos Smoke Loader July 2018)
WindTail

WindTail has the ability to enumerate the users home directory and the path to its own application bundle.(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)
Misdat

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.(Citation: Cylance Dust Storm)
KEYMARBLE

KEYMARBLE has a command to search for files on the victim’s machine.(Citation: US-CERT KEYMARBLE Aug 2018)
Sliver

Sliver can enumerate files on a target system.(Citation: GitHub Sliver File System August 2021)
SILENTTRINITY

SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files.(Citation: GitHub SILENTTRINITY Modules July 2019)

ThreatNeedle

ThreatNeedle can obtain file and directory information.(Citation: Kaspersky ThreatNeedle Feb 2021)
RansomHub

RansomHub has the ability to only encrypt specific files.(Citation: Group-IB RansomHub FEB 2025)
ZLib

ZLib has the ability to enumerate files and drives.(Citation: Cylance Dust Storm)
RedLeaves

RedLeaves can enumerate and search for files and directories.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)
LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of `/tmp/data/root/dev`.(Citation: Mandiant Cutting Edge Part 3 February 2024)
Zeus Panda

Zeus Panda searches for specific directories on the victim’s machine.(Citation: GDATA Zeus Panda June 2017)
GeminiDuke

GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.(Citation: F-Secure The Dukes)
GravityRAT

GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.(Citation: Talos GravityRAT)
Prestige

Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.(Citation: Microsoft Prestige ransomware October 2022)
Bankshot

Bankshot searches for files on the victim's machine.(Citation: US-CERT Bankshot Dec 2017)
SharpDisco

SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either `%USERPROFILE%\Recent` (Windows XP) or `%APPDATA%\Microsoft\Windows\Recent` (newer Windows versions) .(Citation: MoustachedBouncer ESET August 2023)
StrongPity

StrongPity can parse the hard drive on a compromised host to identify specific file extensions.(Citation: Talos Promethium June 2020)
WinMM

WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.(Citation: Baumgartner Naikon 2015)
Nebulae

Nebulae can list files and directories on a compromised host.(Citation: Bitdefender Naikon April 2021)
AuditCred

AuditCred can search through folders and files on the system.(Citation: TrendMicro Lazarus Nov 2018)
Kasidet

Kasidet has the ability to search for a given filename on a victim.(Citation: Zscaler Kasidet)
OceanSalt

OceanSalt can extract drive information from the endpoint and search files on the system.(Citation: McAfee Oceansalt Oct 2018)
Playcrypt

Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.(Citation: Trend Micro Ransomware Spotlight Play July 2023)
Brave Prince

Brave Prince gathers file and directory information from the victim’s machine.(Citation: McAfee Gold Dragon)
RainyDay

RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.(Citation: Bitdefender Naikon April 2021)
AppleSeed

AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.(Citation: Malwarebytes Kimsuky June 2021)
NETWIRE

NETWIRE has the ability to search for files on the compromised host.(Citation: Proofpoint NETWIRE December 2020)
CosmicDuke

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.(Citation: F-Secure Cosmicduke)
Gomir

Gomir collects information about directory and file structures, including total number of subdirectories, total number of files, and total size of files on infected systems.(Citation: Symantec Troll Stealer 2024)
Aria-body

Aria-body has the ability to gather metadata from a file and to search for file and directory names.(Citation: CheckPoint Naikon May 2020)
BOLDMOVE

BOLDMOVE can list information of all files in the system recursively from the root directory or from a specified directory.(Citation: Google Cloud BOLDMOVE 2023)
Crimson

Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)
DUSTTRAP

DUSTTRAP can enumerate files and directories.(Citation: Google Cloud APT41 2024)
Empire

Empire includes various modules for finding files of interest on hosts and network shares.(Citation: Github PowerShell Empire)
Turian

Turian can search for specific files and list directories.(Citation: ESET BackdoorDiplomacy Jun 2021)
Machete

Machete produces file listings in order to search for files to be exfiltrated.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)
Action RAT

Action RAT has the ability to collect drive and file information on an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)
Avenger

Avenger has the ability to browse files in directories such as Program Files and the Desktop.(Citation: Trend Micro Tick November 2019)

Prikormka

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.(Citation: ESET Operation Groundbait)
PingPull

PingPull can enumerate storage volumes and folder contents of a compromised host.(Citation: Unit 42 PingPull Jun 2022)
Dacls

Dacls can scan directories on a compromised host.(Citation: TrendMicro macOS Dacls May 2020)
DropBook

DropBook can collect the names of all files and folders in the Program Files directories.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

Woody RAT

Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda

Mafalda can search for files and directories.(Citation: SentinelLabs Metador Sept 2022)
ELMER

ELMER is capable of performing directory listings.(Citation: FireEye EPS Awakens Part 2)
SombRAT

SombRAT can execute enum to enumerate files in storage on a compromised system.(Citation: BlackBerry CostaRicto November 2020)
ODAgent

ODAgent can identify the current working directory.(Citation: ESET OilRig Downloaders DEC 2023)
FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.(Citation: FireEye APT30)
FYAnti

FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.(Citation: Securelist APT10 March 2021)
LoFiSe

LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg.(Citation: Kaspersky ToddyCat Check Logs October 2023)
HOPLIGHT

HOPLIGHT has been observed enumerating system drives and partitions.(Citation: US-CERT HOPLIGHT Apr 2019)

Cuckoo Stealer

Cuckoo Stealer can search for files associated with specific applications.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)
MobileOrder

MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.(Citation: Scarlet Mimic Jan 2016)
WastedLocker

WastedLocker can enumerate files and directories just prior to encryption.(Citation: NCC Group WastedLocker June 2020)
InvisiMole

InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.(Citation: ESET InvisiMole June 2018)
P.A.S. Webshell

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.(Citation: ANSSI Sandworm January 2021)
Volgmer

Volgmer can list directories on a victim.(Citation: US-CERT Volgmer Nov 2017)
WINERACK

WINERACK can enumerate files and directories.(Citation: FireEye APT37 Feb 2018)
WhisperGate

WhisperGate can locate files based on hardcoded file extensions.(Citation: Microsoft WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)
FruitFly

FruitFly looks for specific files and file types.(Citation: objsee mac malware 2017)
AcidPour

AcidPour can identify specific files and directories within the Linux operating system corresponding with storage devices for follow-on wiping activity, similar to AcidRain.(Citation: SentinelOne AcidPour 2024)
PoshC2

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.(Citation: GitHub PoshC2)
Skidmap

Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. (Citation: Trend Micro Skidmap)

Okrum

Okrum has used DriveLetterView to enumerate drive information.(Citation: ESET Okrum July 2019)
Conti

Conti can discover files on a local system.(Citation: CarbonBlack Conti July 2020)
Raspberry Robin

Raspberry Robin will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check.(Citation: HP RaspberryRobin 2024)
Mispadu

Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim’s machine.(Citation: ESET Security Mispadu Facebook Ads 2019)
Megazord

Megazord can ignore specified directories for encryption.(Citation: Palo Alto Howling Scorpius DEC 2024)

Diavol

Diavol has a command to traverse the files and directories in a given path.(Citation: Fortinet Diavol July 2021)

Doki

Doki has resolved the path of a process PID to use as a script argument.(Citation: Intezer Doki July 20)
Siloscape

Siloscape searches for the Kubernetes config file and other related files using a regular expression.(Citation: Unit 42 Siloscape Jun 2021)

BlackCat

BlackCat can enumerate files for encryption.(Citation: Microsoft BlackCat Jun 2022)
Fysbis

Fysbis has the ability to search for files.(Citation: Fysbis Dr Web Analysis)

MarkiRAT

MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Kazuar

Kazuar finds a specified directory, lists the files and metadata about those files.(Citation: Unit 42 Kazuar May 2017)
NETEAGLE

NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.(Citation: FireEye APT30)
POORAIM

POORAIM can conduct file browsing.(Citation: FireEye APT37 Feb 2018)
CHIMNEYSWEEP

CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list.(Citation: Mandiant ROADSWEEP August 2022)
FatDuke

FatDuke can enumerate directories on target machines.(Citation: ESET Dukes October 2019)
BlackEnergy

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)
zwShell

zwShell can browse the file system.(Citation: McAfee Night Dragon)
Rising Sun

Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.(Citation: McAfee Sharpshooter December 2018)

NotPetya

NotPetya searches for files ending with dozens of different file extensions prior to encryption.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
ShimRat

ShimRat can list directories.(Citation: FOX-IT May 2016 Mofang)
BADFLICK

BADFLICK has searched for files on the infected host.(Citation: Accenture MUDCARP March 2019)
ObliqueRAT

ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.(Citation: Talos Oblique RAT March 2021)
SHOTPUT

SHOTPUT has a command to obtain a directory listing.(Citation: Palo Alto CVE-2015-3113 July 2015)
Avaddon

Avaddon has searched for specific files prior to encryption.(Citation: Arxiv Avaddon Feb 2021)
Rclone

Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands.(Citation: Rclone)
XAgentOSX

XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.(Citation: XAgentOSX 2017) XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.(Citation: XAgentOSX 2017)
China Chopper

China Chopper's server component can list directory contents.(Citation: FireEye Periscope March 2018)(Citation: Rapid7 HAFNIUM Mar 2021)
LightSpy

LightSpy uses the `NSFileManager` to move, create and delete files. LightSpy can also use the assembly `bt` instruction to determine a file's executable permissions.(Citation: Huntress LightSpy macOS 2024)
Cheerscrypt

Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.(Citation: Trend Micro Cheerscrypt May 2022)
KeyBoy

KeyBoy has a command to launch a file browser or explorer on the system.(Citation: PWC KeyBoys Feb 2017)
MiniDuke

MiniDuke can enumerate local drives.(Citation: ESET Dukes October 2019)
Pteranodon

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.(Citation: Palo Alto Gamaredon Feb 2017)
ROKRAT

ROKRAT has the ability to gather a list of files and directories on the infected system.(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)
Babuk

Babuk has the ability to enumerate files on a targeted system.(Citation: McAfee Babuk February 2021)(Citation: Trend Micro Ransomware February 2021)
Exbyte

Exbyte enumerates all document files on an infected machine, then creates a summary of these items including filename and directory location prior to exfiltration to cloud hosting services.(Citation: Symantec BlackByte 2022)
DarkWatchman

DarkWatchman has the ability to enumerate file and folder names.(Citation: Prevailion DarkWatchman 2021)
BlackMould

BlackMould has the ability to find files on the targeted system.(Citation: Microsoft GALLIUM December 2019)
PACEMAKER

PACEMAKER can parse `/proc/"process_name"/cmdline` to look for the string `dswsd` within the command line.(Citation: Mandiant Pulse Secure Zero-Day April 2021)
BBSRAT

BBSRAT can list file and directory information.(Citation: Palo Alto Networks BBSRAT)
PlugX

PlugX has a module to enumerate drives and find files recursively.(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022)
Bisonal

Bisonal can retrieve a file listing from the system.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

MultiLayer Wiper

MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list.(Citation: Unit42 Agrius 2023)
DustySky

DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)
Remsec

Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)
Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions.(Citation: Palo Alto Rover)
Epic

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014)
Peppy

Peppy can identify specific files for exfiltration.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Cuba

Cuba can enumerate files by using a variety of functions.(Citation: McAfee Cuba April 2021)
DEATHRANSOM

DEATHRANSOM can use loop operations to enumerate directories on a compromised host.(Citation: FireEye FiveHands April 2021)
Clambling

Clambling can browse directories on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Akira

Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as GetFileAttributesW.(Citation: Kersten Akira 2023)(Citation: Cisco Akira Ransomware OCT 2024)
DarkGate

Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue.(Citation: Ensilo Darkgate 2018)
LockBit 3.0

LockBit 3.0 can exclude files associated with core system functions from encryption.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)
FoggyWeb

FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)
Hydraq

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)
CreepyDrive

CreepyDrive can specify the local file path to upload files from.(Citation: Microsoft POLONIUM June 2022)
Caterpillar WebShell

Caterpillar WebShell can search for files in directories.(Citation: ClearSky Lebanese Cedar Jan 2021)

Elise

A variant of Elise executes dir C:\progra~1 when initially run.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)
USBferry

USBferry can detect the victim's file or folder list.(Citation: TrendMicro Tropic Trooper May 2020)

WannaCry

WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)
TSCookie

TSCookie has the ability to discover drive information on the infected host.(Citation: JPCert TSCookie March 2018)
Latrodectus

Latrodectus can collect desktop filenames.(Citation: Latrodectus APR 2024)(Citation: Bitsight Latrodectus June 2024)(Citation: Elastic Latrodectus May 2024)
Saint Bot

Saint Bot can search a compromised host for specific files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
CharmPower

CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.(Citation: Check Point APT35 CharmPower January 2022)
TYPEFRAME

TYPEFRAME can search directories for files on the victim’s machine.(Citation: US-CERT TYPEFRAME June 2018)
3PARA RAT

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.(Citation: CrowdStrike Putter Panda)
Remcos

Remcos can search for files on the infected machine.(Citation: Riskiq Remcos Jan 2018)
TAINTEDSCRIBE

TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)
Royal

Royal can identify specific files and directories to exclude from the encryption process.(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)
Uroburos

Uroburos can search for specific files on a compromised system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Metamorfo

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)

Spica

Spica can list filesystem contents on targeted systems.(Citation: Google TAG COLDRIVER January 2024)
Trojan.Karagany

Trojan.Karagany can enumerate files and directories on a compromised host.(Citation: Secureworks Karagany July 2019)
Bandook

Bandook has a command to list files on a system.(Citation: CheckPoint Bandook Nov 2020)
TINYTYPHON

TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.(Citation: Forcepoint Monsoon)
KONNI

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.(Citation: Talos Konni May 2017)
CORALDECK

CORALDECK searches for specified files.(Citation: FireEye APT37 Feb 2018)
SPACESHIP

SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.(Citation: FireEye APT30)
BLUELIGHT

BLUELIGHT can enumerate files and collect associated metadata.(Citation: Volexity InkySquid BLUELIGHT August 2021)
KGH_SPY

KGH_SPY can enumerate files and directories on a compromised host.(Citation: Cybereason Kimsuky November 2020)
down_new

down_new has the ability to list the directories on a compromised host.(Citation: Trend Micro Tick November 2019)
Ixeshe

Ixeshe can list file and directory information.(Citation: Trend Micro IXESHE 2012)
Micropsia

Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.(Citation: Radware Micropsia July 2018)
RARSTONE

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.(Citation: Camba RARSTONE)
Black Basta

Black Basta can enumerate specific files for encryption.(Citation: Cyble Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Uptycs Black Basta ESXi June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)(Citation: Check Point Black Basta October 2022)
4H RAT

4H RAT has the capability to obtain file and directory listings.(Citation: CrowdStrike Putter Panda)
Attor

Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.(Citation: ESET Attor Oct 2019)
Imminent Monitor

Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.(Citation: QiAnXin APT-C-36 Feb2019)
MegaCortex

MegaCortex can parse the available drives and directories to determine which files to encrypt.(Citation: IBM MegaCortex)

Forfiles

Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)(Citation: Überwachung APT28 Forfiles June 2015)
StreamEx

StreamEx has the ability to enumerate drive types.(Citation: Cylance Shell Crew Feb 2017)
BoxCaon

BoxCaon has searched for files on the system, such as documents located in the desktop folder.(Citation: Checkpoint IndigoZebra July 2021)
NightClub

NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files.(Citation: MoustachedBouncer ESET August 2023)
Akira _v2

Akira _v2 can target specific files and folders for encryption.(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)(Citation: Palo Alto Howling Scorpius DEC 2024)
SDBbot

SDBbot has the ability to get directory listings or drive information on a compromised host.(Citation: Proofpoint TA505 October 2019)
RTM

RTM can check for specific files and directories associated with virtualization and malware analysis.(Citation: Unit42 Redaman January 2019)
Derusbi

Derusbi is capable of obtaining directory, file, and drive listings.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)
Bazar

Bazar can enumerate the victim's desktop.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
BadPatch

BadPatch searches for files with specific file extensions.(Citation: Unit 42 BadPatch Oct 2017)
MESSAGETAP

MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.(Citation: FireEye MESSAGETAP October 2019)
SUGARDUMP

SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name.(Citation: Mandiant UNC3890 Aug 2022)
SOUNDBITE

SOUNDBITE is capable of enumerating and manipulating files and directories.(Citation: FireEye APT32 May 2017)
MoonWind

MoonWind has a command to return a directory listing for a specified directory.(Citation: Palo Alto MoonWind March 2017)
Ryuk

Ryuk has enumerated files and folders on all mounted drives.(Citation: CrowdStrike Ryuk January 2019)

Cryptoistic

Cryptoistic can scan a directory to identify files for deletion.(Citation: SentinelOne Lazarus macOS July 2020)
HermeticWiper

HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)
ccf32

ccf32 can parse collected files to identify specific file extensions.(Citation: Bitdefender FunnyDream Campaign November 2020)
LockBit 2.0

LockBit 2.0 can exclude files associated with core system functions from encryption.(Citation: FBI Lockbit 2.0 FEB 2022)
Zebrocy

Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.(Citation: Securelist Sofacy Feb 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019) Zebrocy can obtain the current execution path as well as perform drive enumeration.(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)

FinFisher

FinFisher enumerates directories and scans for certain files.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
LunarMail

LunarMail can search its staging directory for output files it has produced.(Citation: ESET Turla Lunar toolset May 2024)
CrossRAT

CrossRAT can list all files on a system.(Citation: Lookout Dark Caracal Jan 2018)
OwaAuth

OwaAuth has a command to list its directory and logical drives.(Citation: Dell TG-3390)
Cobalt Strike

Cobalt Strike can explore files on a compromised system.(Citation: Cobalt Strike Manual 4.3 November 2020)
SUNBURST

SUNBURST had commands to enumerate files and directories.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)
HotCroissant

HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.(Citation: Carbon Black HotCroissant April 2020)
REvil

REvil has the ability to identify specific files and directories that are not to be encrypted.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)
Samurai

Samurai can use a specific module for file enumeration.(Citation: Kaspersky ToddyCat June 2022)
PinchDuke

PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.(Citation: F-Secure The Dukes)
USBStealer

USBStealer searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names.(Citation: ESET Sednit USBStealer 2014)(Citation: Kaspersky Sofacy)
Taidoor

Taidoor can search for specific files.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
Kivars

Kivars has the ability to list drives on the infected host.(Citation: TrendMicro BlackTech June 2017)
CaddyWiper

CaddyWiper can enumerate all files and directories on a compromised host.(Citation: Malwarebytes IssacWiper CaddyWiper March 2022 )
Cyclops Blink

Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)
Seasalt

Seasalt has the capability to identify the drive type on a victim.(Citation: McAfee Oceansalt Oct 2018)
TajMahal

TajMahal has the ability to index files from drives, user profiles, and removable drives.(Citation: Kaspersky TajMahal April 2019)
Pasam

Pasam creates a backdoor through which remote attackers can retrieve lists of files.(Citation: Symantec Pasam May 2012)
PLEAD

PLEAD has the ability to list drives and files on the compromised host.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018)
Raccoon Stealer

Raccoon Stealer identifies target files and directories for collection based on a configuration file.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)
Cardinal RAT

Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).(Citation: PaloAlto CardinalRat Apr 2017)
Pisloader

Pisloader has commands to list drives on the victim machine and to list file information for a given directory.(Citation: Palo Alto DNS Requests)
GoldenSpy

GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.(Citation: Trustwave GoldenSpy June 2020)

Gold Dragon

Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.(Citation: McAfee Gold Dragon)
Ramsay

Ramsay can collect directory and file lists.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

cmd

cmd can be used to find files and directories with native functionality such as dir commands.(Citation: TechNet Dir)
MacMa

MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.(Citation: ESET DazzleSpy Jan 2022)
FunnyDream

FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.(Citation: Bitdefender FunnyDream Campaign November 2020)
ROADSWEEP

ROADSWEEP can enumerate files on infected devices and avoid encrypting files with .exe, .dll, .sys, .lnk, or . lck extensions.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)
SUNSPOT

SUNSPOT enumerated the Orion software Visual Studio solution directory path.(Citation: CrowdStrike SUNSPOT Implant January 2021)
SysUpdate

SysUpdate can search files on a compromised host.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux)
OutSteel

OutSteel can search for specific file extensions, including zipped files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
BackConfig

BackConfig has the ability to identify folders and files related to previous infections.(Citation: Unit 42 BackConfig May 2020)

Kwampirs

Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp".(Citation: Symantec Orangeworm April 2018)
BoomBox

BoomBox can search for specific files and directories on a machine.(Citation: MSTIC Nobelium Toolset May 2021)
CrackMapExec

CrackMapExec can discover specified filetypes and log files on a targeted system.(Citation: CME Github September 2018)
Mango

Mango can enumerate the contents of current working or other specified directories.(Citation: ESET OilRig Campaigns Sep 2023)
Koadic

Koadic can obtain a list of directories.(Citation: MalwareBytes LazyScripter Feb 2021)
InnaputRAT

InnaputRAT enumerates directories and obtains file attributes on a system.(Citation: ASERT InnaputRAT April 2018)
GrimAgent

GrimAgent has the ability to enumerate files and directories on a compromised host.(Citation: Group IB GrimAgent July 2021)
LookBack

LookBack can retrieve file listings from the victim machine.(Citation: Proofpoint LookBack Malware Aug 2019)
Clop

Clop has searched folders and subfolders for files to encrypt.(Citation: Mcafee Clop Aug 2019)
Pupy

Pupy can walk through directories and recursively search for strings in files.(Citation: GitHub Pupy)
Lokibot

Lokibot can search for specific files on an infected host.(Citation: Talos Lokibot Jan 2021)
PoetRAT

PoetRAT has the ability to list files upon receiving the ls command from C2.(Citation: Talos PoetRAT April 2020)
CHOPSTICK

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.(Citation: ESET Sednit Part 2)
StealBit

StealBit can be configured to exfiltrate specific file types.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason StealBit Exfiltration Tool)
ZxShell

ZxShell has a command to open a file manager and explorer on the system.(Citation: Talos ZxShell Oct 2014)

NDiskMonitor

NDiskMonitor can obtain a list of all files and directories as well as logical drives.(Citation: TrendMicro Patchwork Dec 2017)
DDKONG

DDKONG lists files on the victim’s machine.(Citation: Rancor Unit42 June 2018)
Penquin

Penquin can use the command code do_vslist to send file names, size, and status to C2.(Citation: Leonardo Turla Penquin May 2020)
BabyShark

BabyShark has used dir to search for "programfiles" and "appdata".(Citation: Unit42 BabyShark Feb 2019)

Cannon

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.(Citation: Unit42 Cannon Nov 2018)
Winnti for Windows

Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.(Citation: Novetta Winnti April 2015)
Troll Stealer

Troll Stealer can enumerate and collect items from local drives and folders.(Citation: S2W Troll Stealer 2024)
BLACKCOFFEE

BLACKCOFFEE has the capability to enumerate files.(Citation: FireEye APT17)
Ebury

Ebury can list directory entries.(Citation: ESET Ebury Oct 2017)

Kinsing

Kinsing has used the find command to search for specific files.(Citation: Aqua Kinsing April 2020)
njRAT

njRAT can browse file systems using a file manager module.(Citation: Fidelis njRAT June 2013)
ZIPLINE

ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands.(Citation: Mandiant Cutting Edge January 2024)
ChChes

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.(Citation: FireEye APT10 April 2017)
Manjusaka

Manjusaka can gather information about specific files on the victim system.(Citation: Talos Manjusaka 2022)
IceApple

The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.(Citation: CrowdStrike IceApple May 2022)
JPIN

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.(Citation: Microsoft PLATINUM April 2016)
metaMain

metaMain can recursively enumerate files in an operator-provided directory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
SideTwist

SideTwist has the ability to search for specific files.(Citation: Check Point APT34 April 2021)
Psylo

Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.(Citation: Scarlet Mimic Jan 2016)
Heyoka Backdoor

Heyoka Backdoor has the ability to search the compromised host for files.(Citation: SentinelOne Aoqin Dragon June 2022)
HTTPBrowser

HTTPBrowser is capable of listing files, folders, and drives on a victim.(Citation: Dell TG-3390)(Citation: ZScaler Hacking Team)
LunarWeb

LunarWeb has the ability to retrieve directory listings.(Citation: ESET Turla Lunar toolset May 2024)
XCSSET

XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command `ls -la ~/Desktop`.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: Microsoft March 2025 XCSSET)

Octopus

Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)
KillDisk

KillDisk has used the FindNextFile command as part of its file deletion process.(Citation: Trend Micro KillDisk 2)
SoreFang

SoreFang has the ability to list directories.(Citation: CISA SoreFang July 2016)
Industroyer

Industroyer’s data wiper component enumerates specific files on all the Windows drives.(Citation: ESET Industroyer)
Pcexter

Pcexter has the ability to search for files in specified directories.(Citation: Kaspersky ToddyCat Check Logs October 2023)
BADNEWS

BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.(Citation: TrendMicro Patchwork Dec 2017)
Linfo

Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.(Citation: Symantec Linfo May 2012)
Remexi

Remexi searches for files on the system. (Citation: Securelist Remexi Jan 2019)
QakBot

QakBot can identify whether it has been run previously on a host by checking for a specified folder.(Citation: ATT QakBot April 2021)
CookieMiner

CookieMiner has looked for files in the user's home directory with "wallet" in their name using find.(Citation: Unit42 CookieMiner Jan 2019)
Gelsemium

Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.(Citation: ESET Gelsemium June 2021)
jRAT

jRAT can browse file systems.(Citation: Kaspersky Adwind Feb 2016)(Citation: Symantec Frutas Feb 2013)
OSX/Shlayer

OSX/Shlayer has used the command appDir="$(dirname $(dirname "$currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)
Denis

Denis has several commands to search directories for files.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)
INC Ransomware

INC Ransomware can receive command line arguments to encrypt specific files and directories.(Citation: Cybereason INC Ransomware November 2023)(Citation: SentinelOne INC Ransomware)
FIVEHANDS

FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021)
AutoIt backdoor

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.(Citation: Forcepoint Monsoon)
Dtrack

Dtrack can list files on available disk volumes.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)
Azorult

Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.(Citation: Unit42 Azorult Nov 2018)
BACKSPACE

BACKSPACE allows adversaries to search for files.(Citation: FireEye APT30)
Zox

Zox can enumerate files on a compromised host.(Citation: Novetta-Axiom)
UPPERCUT

UPPERCUT has the capability to gather the victim's current directory.(Citation: FireEye APT10 Sept 2018)
ADVSTORESHELL

ADVSTORESHELL can list files and directories.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)
StrifeWater

StrifeWater can enumerate files on a compromised host.(Citation: Cybereason StrifeWater Feb 2022)
WarzoneRAT

WarzoneRAT can enumerate directories on a compromise host.(Citation: Check Point Warzone Feb 2020)
SLOTHFULMEDIA

SLOTHFULMEDIA can enumerate files and directories.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
FALLCHILL

FALLCHILL can search files on a victim.(Citation: US-CERT FALLCHILL Nov 2017)
APT28

APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)
Turla

Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020) Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.(Citation: ESET Turla PowerShell May 2019)
Tropic Trooper

Tropic Trooper has monitored files' modified time.(Citation: TrendMicro Tropic Trooper May 2020)

Operation Wocao

Operation Wocao has gathered a recursive directory listing to find files and directories of interest.(Citation: FoxIT Wocao December 2019)
Fox Kitten

Fox Kitten has used WizTree to obtain network files and directory listings.(Citation: CISA AA20-259A Iran-Based Actor September 2020)
Lazarus Group

Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
Gamaredon Group

Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.(Citation: ESET Gamaredon June 2020)(Citation: Unit 42 Gamaredon February 2022)

APT29

APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.(Citation: Volexity SolarWinds)
Scattered Spider

Scattered Spider Spider enumerates a target organization for files and directories of interest, including source code.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)
Darkhotel

Darkhotel has used malware that searched for files with specific patterns.(Citation: Microsoft DUBNIUM July 2016)
APT39

APT39 has used tools with the ability to search for files on a compromised host.(Citation: FBI FLASH APT39 September 2020)
APT38

APT38 have enumerated files and directories, or searched in specific locations within a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)
MuddyWater

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."(Citation: Securelist MuddyWater Oct 2018)
Dragonfly 2.0

Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)
BRONZE BUTLER

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.(Citation: Secureworks BRONZE BUTLER Oct 2017)
Honeybee

Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.(Citation: McAfee Honeybee)
Confucius

Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.(Citation: TrendMicro Confucius APT Aug 2021)
APT32

APT32's backdoor possesses the capability to list files and directories on a machine. (Citation: ESET OceanLotus Mar 2019)

Dragonfly

Dragonfly has used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)
Sidewinder

Sidewinder has used malware to collect information on files and directories.(Citation: ATT Sidewinder January 2021)
LuminousMoth

LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)
Inception

Inception used a file listing plugin to collect information about file and directories both on local and remote drives.(Citation: Symantec Inception Framework March 2018)
Chimera

Chimera has utilized multiple commands to identify data of interest in file and directory listings.(Citation: NCC Group Chimera January 2021)
Volt Typhoon

Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
FIN13

FIN13 has used the Windows `dir` command to enumerate files and directories in a victim's network.(Citation: Mandiant FIN13 Aug 2022)
Kimsuky

Kimsuky has the ability to enumerate all files and directories on an infected system.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)
Dust Storm

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)
Sandworm Team

Sandworm Team has enumerated files on a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)
APT18

APT18 can list files information for specific directories.(Citation: PaloAlto DNS Requests May 2016)
Velvet Ant

Velvet Ant has enumerated local files and folders on victim devices.(Citation: Sygnia VelvetAnt 2024A)
Magic Hound

Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.(Citation: Unit 42 Magic Hound Feb 2017)
Winnti Group

Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.(Citation: Kaspersky Winnti April 2013)
menuPass

menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.(Citation: Symantec Cicada November 2020)
Aoqin Dragon

Aoqin Dragon has run scripts to identify file formats including Microsoft Word.(Citation: SentinelOne Aoqin Dragon June 2022)
TeamTNT

TeamTNT has used a script that checks `/proc/*/environ` for environment variables related to AWS.(Citation: Cisco Talos Intelligence Group)
Windigo

Windigo has used a script to check for the presence of files created by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)
ToddyCat

ToddyCat has run scripts to enumerate recently modified documents having either a .pdf, .doc, .docx, .xls or .xlsx extension.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Ke3chang

Ke3chang uses command-line interaction to search files and directories.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)
Sowbug

Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.(Citation: Symantec Sowbug Nov 2017)
APT5

APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.(Citation: Mandiant Pulse Secure Update May 2021)
Patchwork

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)
Mustang Panda

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)
RedCurl

RedCurl has searched for and collected files on local and network drives.(Citation: therecord_redcurl)(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)
Leafminer

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.(Citation: Symantec Leafminer July 2018)
Play

Play has used the Grixba information stealer to list security files and processes.(Citation: Trend Micro Ransomware Spotlight Play July 2023)
APT3

APT3 has a tool that looks for files and directories on the local file system.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)
Winter Vivern

Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers.(Citation: ESET WinterVivern 2023)
Lotus Blossom

Lotus Blossom has used commands such as `dir` to examine the local filesystem of victim machines.(Citation: Cisco LotusBlossom 2025)
APT41

APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.(Citation: FireEye APT41 March 2020)
Dark Caracal

Dark Caracal collected file listings of all default Windows directories.(Citation: Lookout Dark Caracal Jan 2018)
UNC2452

UNC2452 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.(Citation: Volexity SolarWinds)
HAFNIUM

HAFNIUM has searched file contents on a compromised host.(Citation: Rapid7 HAFNIUM Mar 2021)
admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir "c:\Documents and Settings" >> %temp%\download dir "c:\Program Files\" >> %temp%\download dir d:\ >> %temp%\download(Citation: FireEye admin@338)

Контрмеры
Контрмера Описание
File and Directory Discovery Mitigation

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Обнаружение

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Further, Network Device CLI commands may also be used to gather file and directory information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations.

Ссылки

  1. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  2. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  3. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  4. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  5. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  6. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  7. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  8. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  9. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  10. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  11. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  12. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  13. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  14. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  15. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  16. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
  17. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  18. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  19. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  20. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  21. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  22. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  23. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  24. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  25. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
  26. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  27. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  28. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  29. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  30. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  31. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  32. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  33. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  34. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  35. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  36. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  37. Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
  38. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  39. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  40. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  41. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  42. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  43. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  44. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  45. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  46. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  47. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  48. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  49. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  50. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  51. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  52. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  53. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  54. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  55. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  56. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
  57. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  58. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.
  59. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  60. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  61. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  62. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  63. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  64. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  65. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  66. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  67. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  68. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  69. Elastic. (n.d.). ESXI Discovery via Grep. Retrieved March 27, 2025.
  70. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  71. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  72. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  73. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  74. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  75. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
  76. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  77. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  78. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  79. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  80. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  81. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  82. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  83. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  84. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  85. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  86. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  87. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  88. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  89. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  90. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  91. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  92. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  93. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  94. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  95. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  96. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  97. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  98. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
  99. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  100. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  101. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  102. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  103. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  104. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  105. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  106. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  107. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  108. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  109. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  110. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  111. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  112. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  113. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  114. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  115. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  116. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  117. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  118. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.
  119. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  120. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  121. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  122. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  123. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  124. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  125. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  126. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  127. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  128. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  129. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  130. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  131. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  132. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  133. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  134. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  135. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  136. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  137. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  138. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  139. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  140. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  141. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  142. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  143. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  144. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  145. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  146. Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.
  147. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025.
  148. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  149. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  150. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  151. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  152. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  153. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  154. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
  155. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  156. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  157. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  158. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  159. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  160. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  161. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  162. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  163. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  164. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  165. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  166. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  167. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  168. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  169. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  170. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  171. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  172. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  173. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  174. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
  175. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  176. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  177. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  178. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  179. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  180. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  181. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  182. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  183. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  184. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  185. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  186. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  187. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  188. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  189. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
  190. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  191. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  192. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  193. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
  194. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  195. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  196. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  197. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  198. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  199. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  200. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  201. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  202. Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024.
  203. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  204. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  205. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  206. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  207. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  208. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  209. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  210. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024.
  211. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  212. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  213. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  214. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  215. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  216. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  217. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  218. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  219. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022.
  220. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  221. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  222. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  223. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  224. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  225. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  226. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  227. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  228. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  229. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  230. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.
  231. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  232. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  233. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  234. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  235. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.
  236. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  237. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  238. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  239. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  240. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  241. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  242. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  243. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  244. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  245. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  246. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
  247. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  248. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  249. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  250. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  251. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  252. FinFisher. (n.d.). Retrieved September 12, 2024.
  253. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  254. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  255. Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024.
  256. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  257. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  258. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  259. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  260. Elastic. (n.d.). ESXI Discovery via Find. Retrieved March 27, 2025.
  261. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  262. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  263. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  264. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  265. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  266. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  267. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  268. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  269. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  270. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  271. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  272. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  273. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
  274. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  275. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  276. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  277. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  278. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  279. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  280. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  281. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  282. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  283. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  284. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  285. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  286. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  287. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  288. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  289. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  290. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  291. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  292. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  293. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  294. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  295. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  296. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  297. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  298. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  299. NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.
  300. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  301. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  302. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  303. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  304. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  305. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  306. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  307. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  308. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  309. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  310. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  311. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  312. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024.
  313. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  314. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  315. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  316. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  317. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  318. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  319. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  320. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
  321. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  322. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  323. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  324. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  325. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  326. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  327. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  328. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  329. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  330. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  331. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  332. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  333. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  334. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  335. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  336. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  337. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  338. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  339. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  340. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  341. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  342. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  343. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  344. Microsoft Threat Intelligence. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects. Retrieved April 2, 2025.
  345. Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
  346. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  347. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  348. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  349. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  350. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  351. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  352. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  353. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  354. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  355. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  356. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  357. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  358. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  359. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  360. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
  361. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  362. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  363. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  364. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  365. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  366. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  367. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  368. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  369. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  370. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  371. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  372. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  373. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  374. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  375. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  376. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
  377. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  378. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  379. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  380. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  381. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  382. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  383. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  384. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  385. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  386. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  387. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  388. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  389. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  390. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024.
  391. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  392. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
  393. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  394. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  395. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  396. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  397. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  398. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  399. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  400. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  401. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  402. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  403. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  404. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  405. Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.
  406. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.