Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Исследование файлов и каталогов
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Исследование файлов и каталого...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Исследование файлов и каталогов

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A) Some files and directories may require elevated or specific user permissions to access.

ID: T1083
Тактика(-и): Discovery
Платформы: Linux, macOS, Network, Windows
Источники данных: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Версия: 1.6
Дата создания: 31 May 2017
Последнее изменение: 16 Apr 2024

Примеры процедур
Название Описание
BLACKCOFFEE

BLACKCOFFEE has the capability to enumerate files.(Citation: FireEye APT17)
Orz

Orz can gather victim drive information.(Citation: Proofpoint Leviathan Oct 2017)
Attor

Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.(Citation: ESET Attor Oct 2019)
USBStealer

USBStealer searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names.(Citation: ESET Sednit USBStealer 2014)(Citation: Kaspersky Sofacy)
SDBbot

SDBbot has the ability to get directory listings or drive information on a compromised host.(Citation: Proofpoint TA505 October 2019)
Kinsing

Kinsing has used the find command to search for specific files.(Citation: Aqua Kinsing April 2020)
Amadey

Amadey has searched for folders associated with antivirus software.(Citation: Korean FSI TA505 2020)
Woody RAT

Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.(Citation: MalwareBytes WoodyRAT Aug 2022)

Ebury

Ebury can list directory entries.(Citation: ESET Ebury Oct 2017)

PlugX

PlugX has a module to enumerate drives and find files recursively.(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022)
Akira

Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as GetFileAttributesW.(Citation: Kersten Akira 2023)
Volgmer

Volgmer can list directories on a victim.(Citation: US-CERT Volgmer Nov 2017)
Volt Typhoon

Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
P.A.S. Webshell

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.(Citation: ANSSI Sandworm January 2021)
Bazar

Bazar can enumerate the victim's desktop.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
Crimson

Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)
SynAck

SynAck checks its directory location in an attempt to avoid launching in a sandbox.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018)
Patchwork

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)
Sowbug

Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.(Citation: Symantec Sowbug Nov 2017)
yty

yty gathers information on victim’s drives and has a plugin for document listing.(Citation: ASERT Donot March 2018)
TAINTEDSCRIBE

TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)
ELMER

ELMER is capable of performing directory listings.(Citation: FireEye EPS Awakens Part 2)
SUGARDUMP

SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name.(Citation: Mandiant UNC3890 Aug 2022)

During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.(Citation: DFIR Conti Bazar Nov 2021)
Fysbis

Fysbis has the ability to search for files.(Citation: Fysbis Dr Web Analysis)

Remsec

Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)
KillDisk

KillDisk has used the FindNextFile command as part of its file deletion process.(Citation: Trend Micro KillDisk 2)

During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords.(Citation: McAfee Honeybee)
WinMM

WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.(Citation: Baumgartner Naikon 2015)
Gamaredon Group

Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.(Citation: ESET Gamaredon June 2020)(Citation: Unit 42 Gamaredon February 2022)

Turian

Turian can search for specific files and list directories.(Citation: ESET BackdoorDiplomacy Jun 2021)
POORAIM

POORAIM can conduct file browsing.(Citation: FireEye APT37 Feb 2018)
Micropsia

Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.(Citation: Radware Micropsia July 2018)
Misdat

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.(Citation: Cylance Dust Storm)
Winnti for Windows

Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.(Citation: Novetta Winnti April 2015)
GeminiDuke

GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.(Citation: F-Secure The Dukes)
BoxCaon

BoxCaon has searched for files on the system, such as documents located in the desktop folder.(Citation: Checkpoint IndigoZebra July 2021)

During Operation CuckooBees, the threat actors used `dir c:\\` to search for files.(Citation: Cybereason OperationCuckooBees May 2022)
njRAT

njRAT can browse file systems using a file manager module.(Citation: Fidelis njRAT June 2013)
PinchDuke

PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.(Citation: F-Secure The Dukes)
WindTail

WindTail has the ability to enumerate the users home directory and the path to its own application bundle.(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)
Dragonfly

Dragonfly has used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)
AuditCred

AuditCred can search through folders and files on the system.(Citation: TrendMicro Lazarus Nov 2018)
Diavol

Diavol has a command to traverse the files and directories in a given path.(Citation: Fortinet Diavol July 2021)

Sliver

Sliver can enumerate files on a target system.(Citation: GitHub Sliver File System August 2021)
PowerDuke

PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.(Citation: Volexity PowerDuke November 2016)
BackConfig

BackConfig has the ability to identify folders and files related to previous infections.(Citation: Unit 42 BackConfig May 2020)

Bankshot

Bankshot searches for files on the victim's machine.(Citation: US-CERT Bankshot Dec 2017)
PingPull

PingPull can enumerate storage volumes and folder contents of a compromised host.(Citation: Unit 42 PingPull Jun 2022)
4H RAT

4H RAT has the capability to obtain file and directory listings.(Citation: CrowdStrike Putter Panda)
FALLCHILL

FALLCHILL can search files on a victim.(Citation: US-CERT FALLCHILL Nov 2017)
MarkiRAT

MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Epic

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014)
Clambling

Clambling can browse directories on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
down_new

down_new has the ability to list the directories on a compromised host.(Citation: Trend Micro Tick November 2019)
Ryuk

Ryuk has enumerated files and folders on all mounted drives.(Citation: CrowdStrike Ryuk January 2019)

QakBot

QakBot can identify whether it has been run previously on a host by checking for a specified folder.(Citation: ATT QakBot April 2021)
PoetRAT

PoetRAT has the ability to list files upon receiving the ls command from C2.(Citation: Talos PoetRAT April 2020)
WhisperGate

WhisperGate can locate files based on hardcoded file extensions.(Citation: Microsoft WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)
cmd

cmd can be used to find files and directories with native functionality such as dir commands.(Citation: TechNet Dir)
Seasalt

Seasalt has the capability to identify the drive type on a victim.(Citation: McAfee Oceansalt Oct 2018)
APT38

APT38 have enumerated files and directories, or searched in specific locations within a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)
APT28

APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)
KEYMARBLE

KEYMARBLE has a command to search for files on the victim’s machine.(Citation: US-CERT KEYMARBLE Aug 2018)
Operation Wocao

Operation Wocao has gathered a recursive directory listing to find files and directories of interest.(Citation: FoxIT Wocao December 2019)
SHOTPUT

SHOTPUT has a command to obtain a directory listing.(Citation: Palo Alto CVE-2015-3113 July 2015)
WINERACK

WINERACK can enumerate files and directories.(Citation: FireEye APT37 Feb 2018)
Cardinal RAT

Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).(Citation: PaloAlto CardinalRat Apr 2017)
OwaAuth

OwaAuth has a command to list its directory and logical drives.(Citation: Dell TG-3390)
RARSTONE

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.(Citation: Camba RARSTONE)
Kivars

Kivars has the ability to list drives on the infected host.(Citation: TrendMicro BlackTech June 2017)
BlackEnergy

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)
NightClub

NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files.(Citation: MoustachedBouncer ESET August 2023)
LunarWeb

LunarWeb has the ability to retrieve directory listings.(Citation: ESET Turla Lunar toolset May 2024)
WannaCry

WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)
UNC2452

UNC2452 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.(Citation: Volexity SolarWinds)
SoreFang

SoreFang has the ability to list directories.(Citation: CISA SoreFang July 2016)
AutoIt backdoor

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.(Citation: Forcepoint Monsoon)
Caterpillar WebShell

Caterpillar WebShell can search for files in directories.(Citation: ClearSky Lebanese Cedar Jan 2021)

APT29

APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.(Citation: Volexity SolarWinds)
Inception

Inception used a file listing plugin to collect information about file and directories both on local and remote drives.(Citation: Symantec Inception Framework March 2018)
USBferry

USBferry can detect the victim's file or folder list.(Citation: TrendMicro Tropic Trooper May 2020)

Avaddon

Avaddon has searched for specific files prior to encryption.(Citation: Arxiv Avaddon Feb 2021)
Rclone

Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands.(Citation: Rclone)
SideTwist

SideTwist has the ability to search for specific files.(Citation: Check Point APT34 April 2021)
GrimAgent

GrimAgent has the ability to enumerate files and directories on a compromised host.(Citation: Group IB GrimAgent July 2021)
Skidmap

Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. (Citation: Trend Micro Skidmap)

RedCurl

RedCurl has searched for and collected files on local and network drives.(Citation: therecord_redcurl)(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)
zwShell

zwShell can browse the file system.(Citation: McAfee Night Dragon)
ZxShell

ZxShell has a command to open a file manager and explorer on the system.(Citation: Talos ZxShell Oct 2014)

CHIMNEYSWEEP

CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list.(Citation: Mandiant ROADSWEEP August 2022)
DropBook

DropBook can collect the names of all files and folders in the Program Files directories.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

TSCookie

TSCookie has the ability to discover drive information on the infected host.(Citation: JPCert TSCookie March 2018)
Kwampirs

Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp".(Citation: Symantec Orangeworm April 2018)
Ninja

Ninja has the ability to enumerate directory content.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
JPIN

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.(Citation: Microsoft PLATINUM April 2016)
ZLib

ZLib has the ability to enumerate files and drives.(Citation: Cylance Dust Storm)
FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.(Citation: FireEye APT30)
Lokibot

Lokibot can search for specific files on an infected host.(Citation: Talos Lokibot Jan 2021)
HOPLIGHT

HOPLIGHT has been observed enumerating system drives and partitions.(Citation: US-CERT HOPLIGHT Apr 2019)

Chimera

Chimera has utilized multiple commands to identify data of interest in file and directory listings.(Citation: NCC Group Chimera January 2021)
BadPatch

BadPatch searches for files with specific file extensions.(Citation: Unit 42 BadPatch Oct 2017)
NETEAGLE

NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.(Citation: FireEye APT30)
SysUpdate

SysUpdate can search files on a compromised host.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux)
Latrodectus

Latrodectus can collect desktop filenames.(Citation: Latrodectus APR 2024)(Citation: Bitsight Latrodectus June 2024)(Citation: Elastic Latrodectus May 2024)
BabyShark

BabyShark has used dir to search for "programfiles" and "appdata".(Citation: Unit42 BabyShark Feb 2019)

admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir "c:\Documents and Settings" >> %temp%\download dir "c:\Program Files\" >> %temp%\download dir d:\ >> %temp%\download(Citation: FireEye admin@338)
MoonWind

MoonWind has a command to return a directory listing for a specified directory.(Citation: Palo Alto MoonWind March 2017)
Ke3chang

Ke3chang uses command-line interaction to search files and directories.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)
MegaCortex

MegaCortex can parse the available drives and directories to determine which files to encrypt.(Citation: IBM MegaCortex)

Cuckoo Stealer

Cuckoo Stealer can search for files associated with specific applications.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)
Pteranodon

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.(Citation: Palo Alto Gamaredon Feb 2017)
CookieMiner

CookieMiner has looked for files in the user's home directory with "wallet" in their name using find.(Citation: Unit42 CookieMiner Jan 2019)
CrossRAT

CrossRAT can list all files on a system.(Citation: Lookout Dark Caracal Jan 2018)
DEATHRANSOM

DEATHRANSOM can use loop operations to enumerate directories on a compromised host.(Citation: FireEye FiveHands April 2021)
InnaputRAT

InnaputRAT enumerates directories and obtains file attributes on a system.(Citation: ASERT InnaputRAT April 2018)
SUNBURST

SUNBURST had commands to enumerate files and directories.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)
Cuba

Cuba can enumerate files by using a variety of functions.(Citation: McAfee Cuba April 2021)
Linfo

Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.(Citation: Symantec Linfo May 2012)
CosmicDuke

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.(Citation: F-Secure Cosmicduke)
Sandworm Team

Sandworm Team has enumerated files on a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)
Spica

Spica can list filesystem contents on targeted systems.(Citation: Google TAG COLDRIVER January 2024)
Kazuar

Kazuar finds a specified directory, lists the files and metadata about those files.(Citation: Unit 42 Kazuar May 2017)
XAgentOSX

XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.(Citation: XAgentOSX 2017) XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.(Citation: XAgentOSX 2017)
HermeticWiper

HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Cyclops Blink

Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)
FIVEHANDS

FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021)
Black Basta

Black Basta can enumerate specific files for encryption.(Citation: Cyble Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Uptycs Black Basta ESXi June 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Trend Micro Black Basta Spotlight September 2022)(Citation: Check Point Black Basta October 2022)
Cobalt Strike

Cobalt Strike can explore files on a compromised system.(Citation: Cobalt Strike Manual 4.3 November 2020)
DarkWatchman

DarkWatchman has the ability to enumerate file and folder names.(Citation: Prevailion DarkWatchman 2021)
Industroyer

Industroyer’s data wiper component enumerates specific files on all the Windows drives.(Citation: ESET Industroyer)
Brave Prince

Brave Prince gathers file and directory information from the victim’s machine.(Citation: McAfee Gold Dragon)
OceanSalt

OceanSalt can extract drive information from the endpoint and search files on the system.(Citation: McAfee Oceansalt Oct 2018)
NETWIRE

NETWIRE has the ability to search for files on the compromised host.(Citation: Proofpoint NETWIRE December 2020)
Manjusaka

Manjusaka can gather information about specific files on the victim system.(Citation: Talos Manjusaka 2022)
Sidewinder

Sidewinder has used malware to collect information on files and directories.(Citation: ATT Sidewinder January 2021)
TINYTYPHON

TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.(Citation: Forcepoint Monsoon)
Octopus

Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)
SUNSPOT

SUNSPOT enumerated the Orion software Visual Studio solution directory path.(Citation: CrowdStrike SUNSPOT Implant January 2021)
Zox

Zox can enumerate files on a compromised host.(Citation: Novetta-Axiom)
Elise

A variant of Elise executes dir C:\progra~1 when initially run.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)
Honeybee

Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.(Citation: McAfee Honeybee)
Bisonal

Bisonal can retrieve a file listing from the system.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

MiniDuke

MiniDuke can enumerate local drives.(Citation: ESET Dukes October 2019)
Conti

Conti can discover files on a local system.(Citation: CarbonBlack Conti July 2020)
SLOTHFULMEDIA

SLOTHFULMEDIA can enumerate files and directories.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
ADVSTORESHELL

ADVSTORESHELL can list files and directories.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)
FinFisher

FinFisher enumerates directories and scans for certain files.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
Pcexter

Pcexter has the ability to search for files in specified directories.(Citation: Kaspersky ToddyCat Check Logs October 2023)
LoFiSe

LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Avenger

Avenger has the ability to browse files in directories such as Program Files and the Desktop.(Citation: Trend Micro Tick November 2019)

COATHANGER

COATHANGER will survey the contents of system files during installation.(Citation: NCSC-NL COATHANGER Feb 2024)
CharmPower

CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.(Citation: Check Point APT35 CharmPower January 2022)
REvil

REvil has the ability to identify specific files and directories that are not to be encrypted.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)

During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using `Get-WebServicesVirtualDirectory`.(Citation: Volexity SolarWinds)
Empire

Empire includes various modules for finding files of interest on hosts and network shares.(Citation: Github PowerShell Empire)
Pupy

Pupy can walk through directories and recursively search for strings in files.(Citation: GitHub Pupy)
Scattered Spider

Scattered Spider Spider enumerates a target organization for files and directories of interest, including source code.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)
Gelsemium

Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.(Citation: ESET Gelsemium June 2021)
Aoqin Dragon

Aoqin Dragon has run scripts to identify file formats including Microsoft Word.(Citation: SentinelOne Aoqin Dragon June 2022)
Proxysvc

Proxysvc lists files in directories.(Citation: McAfee GhostSecret)
Tropic Trooper

Tropic Trooper has monitored files' modified time.(Citation: TrendMicro Tropic Trooper May 2020)

Dark Caracal

Dark Caracal collected file listings of all default Windows directories.(Citation: Lookout Dark Caracal Jan 2018)
GravityRAT

GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.(Citation: Talos GravityRAT)
Bandook

Bandook has a command to list files on a system.(Citation: CheckPoint Bandook Nov 2020)
MuddyWater

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."(Citation: Securelist MuddyWater Oct 2018)
Trojan.Karagany

Trojan.Karagany can enumerate files and directories on a compromised host.(Citation: Secureworks Karagany July 2019)
PoshC2

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.(Citation: GitHub PoshC2)
3PARA RAT

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.(Citation: CrowdStrike Putter Panda)
DUSTTRAP

DUSTTRAP can enumerate files and directories.(Citation: Google Cloud APT41 2024)
NotPetya

NotPetya searches for files ending with dozens of different file extensions prior to encryption.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
ThreatNeedle

ThreatNeedle can obtain file and directory information.(Citation: Kaspersky ThreatNeedle Feb 2021)
BoomBox

BoomBox can search for specific files and directories on a machine.(Citation: MSTIC Nobelium Toolset May 2021)
Samurai

Samurai can use a specific module for file enumeration.(Citation: Kaspersky ToddyCat June 2022)
jRAT

jRAT can browse file systems.(Citation: Kaspersky Adwind Feb 2016)(Citation: Symantec Frutas Feb 2013)
Clop

Clop has searched folders and subfolders for files to encrypt.(Citation: Mcafee Clop Aug 2019)
GoldenSpy

GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.(Citation: Trustwave GoldenSpy June 2020)

OutSteel

OutSteel can search for specific file extensions, including zipped files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
FYAnti

FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.(Citation: Securelist APT10 March 2021)
BADFLICK

BADFLICK has searched for files on the infected host.(Citation: Accenture MUDCARP March 2019)
CaddyWiper

CaddyWiper can enumerate all files and directories on a compromised host.(Citation: Malwarebytes IssacWiper CaddyWiper March 2022 )
Dragonfly 2.0

Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)
Stuxnet

Stuxnet uses a driver to scan for specific filesystem driver objects.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
CHOPSTICK

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.(Citation: ESET Sednit Part 2)
Zebrocy

Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.(Citation: Securelist Sofacy Feb 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019) Zebrocy can obtain the current execution path as well as perform drive enumeration.(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)

AvosLocker

AvosLocker has searched for files and directories on a compromised network.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)
Magic Hound

Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.(Citation: Unit 42 Magic Hound Feb 2017)
PLEAD

PLEAD has the ability to list drives and files on the compromised host.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018)
Okrum

Okrum has used DriveLetterView to enumerate drive information.(Citation: ESET Okrum July 2019)
ObliqueRAT

ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.(Citation: Talos Oblique RAT March 2021)
BBSRAT

BBSRAT can list file and directory information.(Citation: Palo Alto Networks BBSRAT)
StrongPity

StrongPity can parse the hard drive on a compromised host to identify specific file extensions.(Citation: Talos Promethium June 2020)
QuietSieve

QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.(Citation: Microsoft Actinium February 2022)

ROKRAT

ROKRAT has the ability to gather a list of files and directories on the infected system.(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)
TeamTNT

TeamTNT has used a script that checks `/proc/*/environ` for environment variables related to AWS.(Citation: Cisco Talos Intelligence Group)
HotCroissant

HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.(Citation: Carbon Black HotCroissant April 2020)
Raspberry Robin

Raspberry Robin will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check.(Citation: HP RaspberryRobin 2024)
Peppy

Peppy can identify specific files for exfiltration.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Psylo

Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.(Citation: Scarlet Mimic Jan 2016)
Doki

Doki has resolved the path of a process PID to use as a script argument.(Citation: Intezer Doki July 20)
ZIPLINE

ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands.(Citation: Mandiant Cutting Edge January 2024)
Koadic

Koadic can obtain a list of directories.(Citation: MalwareBytes LazyScripter Feb 2021)
BlackMould

BlackMould has the ability to find files on the targeted system.(Citation: Microsoft GALLIUM December 2019)
CreepyDrive

CreepyDrive can specify the local file path to upload files from.(Citation: Microsoft POLONIUM June 2022)
LuminousMoth

LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest.(Citation: FoxIT Wocao December 2019)
POWRUNER

POWRUNER may enumerate user directories on a victim.(Citation: FireEye APT34 Dec 2017)
KeyBoy

KeyBoy has a command to launch a file browser or explorer on the system.(Citation: PWC KeyBoys Feb 2017)
Dtrack

Dtrack can list files on available disk volumes.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)
BACKSPACE

BACKSPACE allows adversaries to search for files.(Citation: FireEye APT30)
DDKONG

DDKONG lists files on the victim’s machine.(Citation: Rancor Unit42 June 2018)
Denis

Denis has several commands to search directories for files.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)
LunarMail

LunarMail can search its staging directory for output files it has produced.(Citation: ESET Turla Lunar toolset May 2024)
INC Ransomware

INC Ransomware can receive command line arguments to encrypt specific files and directories.(Citation: Cybereason INC Ransomware November 2023)(Citation: SentinelOne INC Ransomware)
OSX/Shlayer

OSX/Shlayer has used the command appDir="$(dirname $(dirname "$currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)
Heyoka Backdoor

Heyoka Backdoor has the ability to search the compromised host for files.(Citation: SentinelOne Aoqin Dragon June 2022)
Forfiles

Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)(Citation: Überwachung APT28 Forfiles June 2015)
Cryptoistic

Cryptoistic can scan a directory to identify files for deletion.(Citation: SentinelOne Lazarus macOS July 2020)
DarkGate

Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue.(Citation: Ensilo Darkgate 2018)
CORALDECK

CORALDECK searches for specified files.(Citation: FireEye APT37 Feb 2018)
HTTPBrowser

HTTPBrowser is capable of listing files, folders, and drives on a victim.(Citation: Dell TG-3390)(Citation: ZScaler Hacking Team)

During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.(Citation: ClearSky Lazarus Aug 2020)
ChChes

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.(Citation: FireEye APT10 April 2017)
APT3

APT3 has a tool that looks for files and directories on the local file system.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)
APT32

APT32's backdoor possesses the capability to list files and directories on a machine. (Citation: ESET OceanLotus Mar 2019)

Mustang Panda

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)
Pasam

Pasam creates a backdoor through which remote attackers can retrieve lists of files.(Citation: Symantec Pasam May 2012)
metaMain

metaMain can recursively enumerate files in an operator-provided directory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
RainyDay

RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.(Citation: Bitdefender Naikon April 2021)
InvisiMole

InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.(Citation: ESET InvisiMole June 2018)
Dust Storm

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)

During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.(Citation: McAfee Night Dragon)
Gold Dragon

Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.(Citation: McAfee Gold Dragon)
Playcrypt

Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.(Citation: Trend Micro Ransomware Spotlight Play July 2023)
AppleSeed

AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.(Citation: Malwarebytes Kimsuky June 2021)
CrackMapExec

CrackMapExec can discover specified filetypes and log files on a targeted system.(Citation: CME Github September 2018)
FoggyWeb

FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)
Cannon

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.(Citation: Unit42 Cannon Nov 2018)
KGH_SPY

KGH_SPY can enumerate files and directories on a compromised host.(Citation: Cybereason Kimsuky November 2020)
Mispadu

Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim’s machine.(Citation: ESET Security Mispadu Facebook Ads 2019)
WastedLocker

WastedLocker can enumerate files and directories just prior to encryption.(Citation: NCC Group WastedLocker June 2020)
NDiskMonitor

NDiskMonitor can obtain a list of all files and directories as well as logical drives.(Citation: TrendMicro Patchwork Dec 2017)
Ixeshe

Ixeshe can list file and directory information.(Citation: Trend Micro IXESHE 2012)
Backdoor.Oldrea

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.(Citation: Symantec Dragonfly)
Derusbi

Derusbi is capable of obtaining directory, file, and drive listings.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)
Siloscape

Siloscape searches for the Kubernetes config file and other related files using a regular expression.(Citation: Unit 42 Siloscape Jun 2021)

APT39

APT39 has used tools with the ability to search for files on a compromised host.(Citation: FBI FLASH APT39 September 2020)
ToddyCat

ToddyCat has run scripts to enumerate recently modified documents having either a .pdf, .doc, .docx, .xls or .xlsx extension.(Citation: Kaspersky ToddyCat Check Logs October 2023)
StrifeWater

StrifeWater can enumerate files on a compromised host.(Citation: Cybereason StrifeWater Feb 2022)
MobileOrder

MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.(Citation: Scarlet Mimic Jan 2016)
BLUELIGHT

BLUELIGHT can enumerate files and collect associated metadata.(Citation: Volexity InkySquid BLUELIGHT August 2021)
ccf32

ccf32 can parse collected files to identify specific file extensions.(Citation: Bitdefender FunnyDream Campaign November 2020)
Lazarus Group

Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
SILENTTRINITY

SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files.(Citation: GitHub SILENTTRINITY Modules July 2019)

Darkhotel

Darkhotel has used malware that searched for files with specific patterns.(Citation: Microsoft DUBNIUM July 2016)
TajMahal

TajMahal has the ability to index files from drives, user profiles, and removable drives.(Citation: Kaspersky TajMahal April 2019)
Prestige

Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.(Citation: Microsoft Prestige ransomware October 2022)
Play

Play has used the Grixba information stealer to list security files and processes.(Citation: Trend Micro Ransomware Spotlight Play July 2023)
SOUNDBITE

SOUNDBITE is capable of enumerating and manipulating files and directories.(Citation: FireEye APT32 May 2017)
RemoteUtilities

RemoteUtilities can enumerate files and directories on a target machine.(Citation: Trend Micro Muddy Water March 2021)
Hydraq

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)
StreamEx

StreamEx has the ability to enumerate drive types.(Citation: Cylance Shell Crew Feb 2017)
Taidoor

Taidoor can search for specific files.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
menuPass

menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.(Citation: Symantec Cicada November 2020)
BLINDINGCAN

BLINDINGCAN can search, read, write, move, and execute files.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)
TrickBot

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)
Remcos

Remcos can search for files on the infected machine.(Citation: Riskiq Remcos Jan 2018)
Mafalda

Mafalda can search for files and directories.(Citation: SentinelLabs Metador Sept 2022)
LookBack

LookBack can retrieve file listings from the victim machine.(Citation: Proofpoint LookBack Malware Aug 2019)
Aria-body

Aria-body has the ability to gather metadata from a file and to search for file and directory names.(Citation: CheckPoint Naikon May 2020)
Kasidet

Kasidet has the ability to search for a given filename on a victim.(Citation: Zscaler Kasidet)
Kimsuky

Kimsuky has the ability to enumerate all files and directories on an infected system.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)
Ramsay

Ramsay can collect directory and file lists.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

IceApple

The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.(Citation: CrowdStrike IceApple May 2022)
Action RAT

Action RAT has the ability to collect drive and file information on an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)
HAFNIUM

HAFNIUM has searched file contents on a compromised host.(Citation: Rapid7 HAFNIUM Mar 2021)
Rising Sun

Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.(Citation: McAfee Sharpshooter December 2018)

SPACESHIP

SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.(Citation: FireEye APT30)
Penquin

Penquin can use the command code do_vslist to send file names, size, and status to C2.(Citation: Leonardo Turla Penquin May 2020)
Machete

Machete produces file listings in order to search for files to be exfiltrated.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)
ROADSWEEP

ROADSWEEP can enumerate files on infected devices and avoid encrypting files with .exe, .dll, .sys, .lnk, or . lck extensions.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)
RTM

RTM can check for specific files and directories associated with virtualization and malware analysis.(Citation: Unit42 Redaman January 2019)
KONNI

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.(Citation: Talos Konni May 2017)
RedLeaves

RedLeaves can enumerate and search for files and directories.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)
Confucius

Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.(Citation: TrendMicro Confucius APT Aug 2021)
WarzoneRAT

WarzoneRAT can enumerate directories on a compromise host.(Citation: Check Point Warzone Feb 2020)
APT41

APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.(Citation: FireEye APT41 March 2020)
Winnti Group

Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.(Citation: Kaspersky Winnti April 2013)
AcidRain

AcidRain identifies specific files and directories in the Linux operating system associated with storage devices.(Citation: AcidRain JAGS 2022)
Saint Bot

Saint Bot can search a compromised host for specific files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Nebulae

Nebulae can list files and directories on a compromised host.(Citation: Bitdefender Naikon April 2021)
FruitFly

FruitFly looks for specific files and file types.(Citation: objsee mac malware 2017)
XCSSET

XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions.(Citation: Application Bundle Manipulation Brandon Dalton)
Azorult

Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.(Citation: Unit42 Azorult Nov 2018)

KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: \/usr\/sbin\/, \/usr\/bin\/, \/sbin\/, \/pfrm2.0\/bin\/, \/usr\/local\/bin\/.(Citation: Lumen KVBotnet 2023)
PACEMAKER

PACEMAKER can parse `/proc/"process_name"/cmdline` to look for the string `dswsd` within the command line.(Citation: Mandiant Pulse Secure Zero-Day April 2021)
Remexi

Remexi searches for files on the system. (Citation: Securelist Remexi Jan 2019)
Winter Vivern

Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers.(Citation: ESET WinterVivern 2023)
Windigo

Windigo has used a script to check for the presence of files created by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)
SombRAT

SombRAT can execute enum to enumerate files in storage on a compromised system.(Citation: BlackBerry CostaRicto November 2020)
MultiLayer Wiper

MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list.(Citation: Unit42 Agrius 2023)
Cheerscrypt

Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions.(Citation: Trend Micro Cheerscrypt May 2022)
APT18

APT18 can list files information for specific directories.(Citation: PaloAlto DNS Requests May 2016)
Prikormka

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.(Citation: ESET Operation Groundbait)
Dacls

Dacls can scan directories on a compromised host.(Citation: TrendMicro macOS Dacls May 2020)
Imminent Monitor

Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.(Citation: QiAnXin APT-C-36 Feb2019)
Zeus Panda

Zeus Panda searches for specific directories on the victim’s machine.(Citation: GDATA Zeus Panda June 2017)
Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions.(Citation: Palo Alto Rover)
FatDuke

FatDuke can enumerate directories on target machines.(Citation: ESET Dukes October 2019)
ShimRat

ShimRat can list directories.(Citation: FOX-IT May 2016 Mofang)
Pisloader

Pisloader has commands to list drives on the victim machine and to list file information for a given directory.(Citation: Palo Alto DNS Requests)
APT5

APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.(Citation: Mandiant Pulse Secure Update May 2021)
Raccoon Stealer

Raccoon Stealer identifies target files and directories for collection based on a configuration file.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)
LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of `/tmp/data/root/dev`.(Citation: Mandiant Cutting Edge Part 3 February 2024)
Fox Kitten

Fox Kitten has used WizTree to obtain network files and directory listings.(Citation: CISA AA20-259A Iran-Based Actor September 2020)
MacMa

MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.(Citation: ESET DazzleSpy Jan 2022)
Royal

Royal can identify specific files and directories to exclude from the encryption process.(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)
Metamorfo

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)

SharpDisco

SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either `%USERPROFILE%\Recent` (Windows XP) or `%APPDATA%\Microsoft\Windows\Recent` (newer Windows versions) .(Citation: MoustachedBouncer ESET August 2023)
BlackCat

BlackCat can enumerate files for encryption.(Citation: Microsoft BlackCat Jun 2022)
Smoke Loader

Smoke Loader recursively searches through directories for files.(Citation: Talos Smoke Loader July 2018)
UPPERCUT

UPPERCUT has the capability to gather the victim's current directory.(Citation: FireEye APT10 Sept 2018)
BADNEWS

BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.(Citation: TrendMicro Patchwork Dec 2017)
Leafminer

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.(Citation: Symantec Leafminer July 2018)
DustySky

DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)
FIN13

FIN13 has used the Windows `dir` command to enumerate files and directories in a victim's network.(Citation: Mandiant FIN13 Aug 2022)
MESSAGETAP

MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.(Citation: FireEye MESSAGETAP October 2019)
Turla

Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020) Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.(Citation: ESET Turla PowerShell May 2019)
Babuk

Babuk has the ability to enumerate files on a targeted system.(Citation: McAfee Babuk February 2021)(Citation: Trend Micro Ransomware February 2021)
China Chopper

China Chopper's server component can list directory contents.(Citation: FireEye Periscope March 2018)(Citation: Rapid7 HAFNIUM Mar 2021)
FunnyDream

FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.(Citation: Bitdefender FunnyDream Campaign November 2020)
BRONZE BUTLER

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.(Citation: Secureworks BRONZE BUTLER Oct 2017)
Uroburos

Uroburos can search for specific files on a compromised system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
TYPEFRAME

TYPEFRAME can search directories for files on the victim’s machine.(Citation: US-CERT TYPEFRAME June 2018)

Контрмеры
Контрмера Описание
File and Directory Discovery Mitigation

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Обнаружение

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Further, Network Device CLI commands may also be used to gather file and directory information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations.

Ссылки

  1. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  2. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  3. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  4. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  5. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  6. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  7. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  8. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  9. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  10. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  11. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  12. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  13. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  14. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  15. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  16. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  17. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  18. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  19. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  20. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  21. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  22. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  23. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  24. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  25. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  26. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  27. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  28. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  29. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  30. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  31. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  32. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  33. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  34. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  35. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  36. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  37. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  38. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  39. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  40. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  41. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  42. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  43. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
  44. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  45. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  46. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  47. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  48. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  49. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  50. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  51. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  52. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  53. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  54. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  55. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  56. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  57. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  58. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  59. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  60. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  61. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  62. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
  63. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  64. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  65. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  66. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  67. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  68. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  69. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  70. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  71. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  72. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  73. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  74. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  75. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  76. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  77. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  78. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  79. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  80. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  81. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  82. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  83. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  84. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  85. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  86. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  87. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  88. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  89. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  90. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  91. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  92. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  93. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  94. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  95. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  96. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  97. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  98. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  99. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  100. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  101. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  102. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  103. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  104. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  105. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  106. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  107. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  108. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  109. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  110. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  111. Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024.
  112. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  113. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  114. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  115. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  116. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  117. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  118. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  119. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  120. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  121. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  122. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  123. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  124. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  125. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  126. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  127. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  128. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  129. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  130. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  131. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  132. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  133. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  134. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  135. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  136. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  137. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  138. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.
  139. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  140. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  141. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  142. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  143. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  144. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  145. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  146. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  147. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  148. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  149. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  150. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  151. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  152. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  153. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  154. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  155. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  156. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  157. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  158. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  159. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  160. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  161. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  162. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
  163. Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.
  164. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  165. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  166. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  167. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  168. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  169. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  170. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  171. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  172. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  173. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  174. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
  175. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  176. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  177. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  178. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  179. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  180. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  181. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  182. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  183. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  184. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  185. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  186. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  187. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  188. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  189. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  190. FinFisher. (n.d.). Retrieved September 12, 2024.
  191. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  192. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  193. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  194. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  195. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  196. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  197. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  198. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  199. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  200. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  201. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  202. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  203. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  204. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  205. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  206. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  207. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  208. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  209. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  210. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  211. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  212. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  213. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  214. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  215. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  216. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  217. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  218. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  219. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  220. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  221. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  222. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022.
  223. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  224. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  225. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  226. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  227. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  228. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  229. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
  230. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  231. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  232. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  233. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  234. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  235. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  236. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  237. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  238. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  239. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  240. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  241. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  242. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  243. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  244. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  245. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  246. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  247. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  248. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  249. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  250. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  251. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  252. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  253. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  254. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  255. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  256. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  257. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  258. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  259. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  260. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
  261. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  262. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  263. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  264. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  265. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  266. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  267. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  268. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  269. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  270. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  271. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  272. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  273. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  274. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  275. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  276. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  277. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  278. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  279. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  280. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  281. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  282. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  283. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  284. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  285. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  286. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  287. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  288. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  289. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  290. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  291. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  292. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  293. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  294. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  295. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  296. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  297. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  298. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  299. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  300. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  301. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  302. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  303. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  304. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  305. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  306. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  307. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  308. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  309. NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.
  310. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  311. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  312. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  313. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  314. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  315. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  316. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  317. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  318. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  319. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  320. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  321. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  322. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  323. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  324. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  325. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  326. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  327. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  328. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  329. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  330. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  331. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  332. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  333. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  334. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  335. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
  336. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  337. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  338. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  339. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
  340. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  341. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
  342. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  343. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  344. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  345. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  346. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
  347. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  348. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  349. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  350. Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.
  351. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  352. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  353. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  354. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  355. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  356. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  357. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  358. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  359. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  360. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  361. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  362. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  363. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  364. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  365. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.
  366. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
  367. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  368. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  369. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  370. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  371. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  372. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  373. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  374. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  375. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  376. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  377. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  378. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  379. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  380. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  381. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  382. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  383. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  384. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  385. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.