Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps build and manage personal data information systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS, and banking security systems.
SECURITM is also a place where security teams can share experience and work products.

Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)
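The description above names three living-off-the-land decoding patterns (certutil decoding a file, copy /b joining fragments, type with output redirection) and the data sources list Process Creation and File Modification. The following added example, which is not part of the ATT&CK page or of SECURITM, shows detection logic for those patterns run over a handful of constructed Process Creation events; the event layout, rule names and the helper output_path are assumptions for illustration, and certutil's -decode and -decodehex switches are the real ones the rule keys on.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Process Creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1001, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\cert.crt C:\Users\Public\update.exe"},
    {"pid": 1002, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\server.crt"},
    {"pid": 1003, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b part1.dat + part2.dat + part3.dat svc.exe"},
    {"pid": 1004, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type part1.dat >> svc.exe"},
    {"pid": 1005, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy report.docx D:\backup"},
    {"pid": 1006, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type readme.txt"},
]

# Rule names are assumptions for this example; each pattern is one of the
# decode/reassemble behaviours described for T1140.
RULES: Dict[str, re.Pattern] = {
    # certutil used as a decoder: -decode (Base64) or -decodehex
    "certutil_decode": re.compile(
        r"\bcertutil(?:\.exe)?\b.*\s[-/]decode(?:hex)?\b", re.IGNORECASE),
    # copy /b with '+' operands: binary concatenation of fragments
    "copy_binary_concat": re.compile(r"\bcopy\s+/b\b.*\+", re.IGNORECASE),
    # type <file> redirected (> or >>) into another file: fragment appended
    "type_redirect": re.compile(r"\btype\s+\S+.*>{1,2}\s*\S+", re.IGNORECASE),
}


def match_rules(cmdline: str) -> List[str]:
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def output_path(cmdline: str) -> Optional[str]:
    """Best-effort: the file the decoder or concatenation writes.

    Useful for correlating the Process Creation event with a later
    File Modification event on the same path (assumed helper).
    """
    tokens = cmdline.split()
    low = [t.lower() for t in tokens]
    if any(t in ("-decode", "/decode", "-decodehex", "/decodehex") for t in low):
        return tokens[-1]          # certutil -decode <in> <out>
    if "copy" in low and "/b" in low:
        return tokens[-1]          # copy /b a + b <out>
    m = re.search(r">{1,2}\s*(\S+)", cmdline)
    if m:
        return m.group(1)          # type <in> >> <out>
    return None


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event and return one alert per matching event."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            alerts.append({
                "pid": ev["pid"],
                "rules": hits,
                "output": output_path(ev["cmdline"]),
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f'pid={alert["pid"]} rules={alert["rules"]} '
              f'output={alert["output"]} cmd={alert["cmdline"]}')
```

Running the block flags three of the six constructed events (the certutil -decode, the copy /b join and the type redirect) and leaves the benign certutil -verify, plain copy and plain type untouched. The output path recovered from each flagged command line is what a responder would look up in File Modification telemetry to confirm that a new executable was actually written.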

ID: T1140
Tactic(s): Defense Evasion
Platforms: ESXi, Linux, Windows, macOS
Data sources: File: File Modification, Process: Process Creation, Script: Script Execution
Version: 1.4
Created: 14 Dec 2017
Last modified: 15 Apr 2025

Procedure examples

Name / Description
TrickBot

TrickBot decodes the configuration data and modules.(Citation: Fidelis TrickBot Oct 2016)(Citation: Cyberreason Anchor December 2019)(Citation: Joe Sec Trickbot)

BLINDINGCAN

BLINDINGCAN has used AES and XOR to decrypt its DLLs.(Citation: US-CERT BLINDINGCAN Aug 2020)

Ninja

The Ninja loader component can decrypt and decompress the payload.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

Pikabot

Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.(Citation: Zscaler Pikabot 2023) Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload .text section before consolidating them for further execution.(Citation: Elastic Pikabot 2024) Overall LunarMail is associated with multiple encoding and encryption mechanisms to obfuscate the malware's presence and avoid analysis or detection.(Citation: Logpoint Pikabot 2024)

Spark

Spark has used a custom XOR algorithm to decrypt the payload.(Citation: Unit42 Molerat Mar 2020)

Bumblebee

Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.(Citation: Proofpoint Bumblebee April 2022)(Citation: Medium Ali Salem Bumblebee April 2022)

Amadey

Amadey has decoded antivirus name strings.(Citation: Korean FSI TA505 2020)

Torisma

Torisma has used XOR and Base64 to decode C2 data.(Citation: McAfee Lazarus Nov 2020)

NOKKI

NOKKI uses a unique, custom de-obfuscation technique.(Citation: Unit 42 NOKKI Sept 2018)

Stuxnet

Stuxnet decrypts resources that are loaded into memory and executed.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

RotaJakiro

RotaJakiro uses the AES algorithm, bit shifts in a function called `rotate`, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and the `head` and `key` sections in the network packet structure used for C2 communications.(Citation: RotaJakiro 2021 netlab360 analysis)

AvosLocker

AvosLocker has deobfuscated XOR-encoded strings.(Citation: Malwarebytes AvosLocker Jul 2021)

certutil

certutil has been used to decode binaries hidden inside certificate files as Base64 information.(Citation: Malwarebytes Targeted Attack against Saudi Arabia)

Chinoxy

The Chinoxy dropping function can initiate decryption of its config file.(Citation: Bitdefender FunnyDream Campaign November 2020)

SharpStage

SharpStage has decompressed data received from the C2 server.(Citation: BleepingComputer Molerats Dec 2020)

COATHANGER

COATHANGER decodes configuration items from a bundled file for command and control activity.(Citation: NCSC-NL COATHANGER Feb 2024)

Sardonic

Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing.(Citation: Symantec FIN8 Jul 2023)

Smoke Loader

Smoke Loader deobfuscates its code.(Citation: Talos Smoke Loader July 2018)

WindTail

WindTail has the ability to decrypt strings using hard-coded AES keys.(Citation: objective-see windtail1 dec 2018)

Exaramel for Linux

Exaramel for Linux can decrypt its configuration file.(Citation: ANSSI Sandworm January 2021)

PS1

PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.(Citation: BlackBerry CostaRicto November 2020)

Ursnif

Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif Aug 2016)

ThreatNeedle

ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.(Citation: Kaspersky ThreatNeedle Feb 2021)

RansomHub

RansomHub can use a provided passphrase to decrypt its configuration file.(Citation: Group-IB RansomHub FEB 2025)

Zeus Panda

Zeus Panda decrypts strings in the code during the execution process.(Citation: Talos Zeus Panda Nov 2017)

Bankshot

Bankshot decodes embedded XOR strings.(Citation: US-CERT Bankshot Dec 2017)

xCaon

xCaon has decoded strings from the C2 server before executing commands.(Citation: Checkpoint IndigoZebra July 2021)

AuditCred

AuditCred uses XOR and RC4 to perform decryption on the code functions.(Citation: TrendMicro Lazarus Nov 2018)

UPSTYLE

UPSTYLE encodes its main content prior to loading via Python as base64-encoded blobs.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)

RainyDay

RainyDay can decrypt its payload via a XOR key.(Citation: Bitdefender Naikon April 2021)

Ecipekac

Ecipekac has the ability to decrypt fileless loader modules.(Citation: Securelist APT10 March 2021)

AppleSeed

AppleSeed can decode its payload prior to execution.(Citation: Malwarebytes Kimsuky June 2021)

BUSHWALK

BUSHWALK can Base64 decode and RC4 decrypt malicious payloads sent through a web request’s command parameter.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)

PyDCrypt

PyDCrypt has decrypted and dropped the DCSrv payload to disk.(Citation: Checkpoint MosesStaff Nov 2021)

PowerExchange

PowerExchange can decode and decrypt C2 commands received via email.(Citation: Symantec Crambus OCT 2023)

EnvyScout

EnvyScout can deobfuscate and write malicious ISO files to disk.(Citation: MSTIC Nobelium Toolset May 2021)

Aria-body

Aria-body has the ability to decrypt the loader configuration and payload DLL.(Citation: CheckPoint Naikon May 2020)

Emotet

Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.(Citation: Binary Defense Emotes Wi-Fi Spreader)

Crimson

Crimson can decode its encoded PE file prior to execution.(Citation: Proofpoint Operation Transparent Tribe March 2016)

TEARDROP

TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Check Point Sunburst Teardrop December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

DUSTTRAP

DUSTTRAP deobfuscates embedded payloads.(Citation: Google Cloud APT41 2024)

Turian

Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses.(Citation: ESET BackdoorDiplomacy Jun 2021)

Machete

Machete’s downloaded data is decrypted using AES.(Citation: ESET Machete July 2019)

PowerLess

PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.(Citation: Cybereason PowerLess February 2022)

Action RAT

Action RAT can use Base64 to decode actor-controlled C2 server communications.(Citation: MalwareBytes SideCopy Dec 2021)

Avenger

Avenger has the ability to decrypt files downloaded from C2.(Citation: Trend Micro Tick November 2019)

DUSTPAN

DUSTPAN decodes and decrypts embedded payloads.(Citation: Google Cloud APT41 2024)

Gootloader

Gootloader has the ability to decode and decrypt malicious payloads prior to execution.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)

PingPull

PingPull can decrypt received data from its C2 server by using AES.(Citation: Unit 42 PingPull Jun 2022)

WellMess

WellMess can decode and decrypt data received from C2.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)

PcShare

PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020)

DropBook

DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.(Citation: Cybereason Molerats Dec 2020)

Woody RAT

Woody RAT can deobfuscate Base64-encoded strings and scripts.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda

Mafalda can decrypt files and data.(Citation: SentinelLabs Metador Sept 2022)

Squirrelwaffle

Squirrelwaffle has decrypted files and payloads using a XOR-based algorithm.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)

PolyglotDuke

PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.(Citation: ESET Dukes October 2019)

Hildegard

Hildegard has decrypted ELF files with AES.(Citation: Unit 42 Hildegard Malware)

SombRAT

SombRAT can run upload to decrypt and upload files from storage.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)

ODAgent

ODAgent can Base64-decode and XOR decrypt received C2 commands.(Citation: ESET OilRig Downloaders DEC 2023)

Snip3

Snip3 can decode its second-stage PowerShell script prior to execution.(Citation: Morphisec Snip3 May 2021)

FYAnti

FYAnti has the ability to decrypt an embedded .NET module.(Citation: Securelist APT10 March 2021)

Cuckoo Stealer

Cuckoo Stealer strings are deobfuscated prior to execution.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

WastedLocker

WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.(Citation: NCC Group WastedLocker June 2020)

RegDuke

RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.(Citation: ESET Dukes October 2019)

InvisiMole

InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

P.A.S. Webshell

P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.(Citation: ANSSI Sandworm January 2021)

Apostle

Apostle compiled code is obfuscated in an unspecified fashion prior to delivery to victims.(Citation: SentinelOne Agrius 2021)

Volgmer

Volgmer deobfuscates its strings and APIs once it's executed.(Citation: US-CERT Volgmer 2 Nov 2017)

WhisperGate

WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

ZeroT

ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.(Citation: Proofpoint ZeroT Feb 2017)

RDAT

RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.(Citation: Unit42 RDAT July 2020)

Skidmap

Skidmap has the ability to download, unpack, and decrypt tar.gz files.(Citation: Trend Micro Skidmap)

Okrum

Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.(Citation: ESET Okrum July 2019)

Line Dancer

Line Dancer shellcode payloads are base64 encoded when transmitted to compromised devices.(Citation: CCCS ArcaneDoor 2024)

Conti

Conti has decrypted its payload using a hardcoded AES-256 key.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)

Raspberry Robin

Raspberry Robin contains several layers of obfuscation to hide malicious code from detection and analysis.(Citation: TrendMicro RaspberryRobin 2022)

Mispadu

Mispadu decrypts its encrypted configuration files prior to execution.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)

Raindrop

Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

Siloscape

Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio’s Resource Manager.(Citation: Unit 42 Siloscape Jun 2021)

VERMIN

VERMIN decrypts code, strings, and commands to use once it's on the victim's machine.(Citation: Unit 42 VERMIN Jan 2018)

Nightdoor

Nightdoor stores network configuration data in a file XOR encoded with the key value of `0x7A`.(Citation: Symantec Daggerfly 2024)

HUI Loader

HUI Loader can decrypt and load files containing malicious payloads.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

CHIMNEYSWEEP

CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings.(Citation: Mandiant ROADSWEEP August 2022)

FatDuke

FatDuke can decrypt AES encrypted C2 communications.(Citation: ESET Dukes October 2019)

Lucifer

Lucifer can decrypt its C2 address upon execution.(Citation: Unit 42 Lucifer June 2020)

GLASSTOKEN

GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)

BOOSTWRITE

BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.(Citation: FireEye FIN7 Oct 2019)

Rising Sun

Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.(Citation: McAfee Sharpshooter December 2018)

ShimRat

ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.(Citation: FOX-IT May 2016 Mofang)

Chrommme

Chrommme can decrypt its encrypted internal code.(Citation: ESET Gelsemium June 2021)

BADFLICK

BADFLICK can decode shellcode using a custom rotating XOR cipher.(Citation: Accenture MUDCARP March 2019)

Avaddon

Avaddon has decrypted encrypted strings.(Citation: Arxiv Avaddon Feb 2021)

Green Lambert

Green Lambert can use multiple custom routines to decrypt strings prior to execution.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)

ISMInjector

ISMInjector uses the certutil command to decode a payload file.(Citation: OilRig New Delivery Oct 2017)

PUNCHBUGGY

PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.(Citation: Morphisec ShellTea June 2019)

GoldMax

GoldMax has decoded and decrypted the configuration file when executed.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

CostaBricks

CostaBricks has the ability to use bytecode to decrypt embedded payloads.(Citation: BlackBerry CostaRicto November 2020)

LIGHTWIRE

LIGHTWIRE can RC4 decrypt and Base64 decode C2 commands.(Citation: Mandiant Cutting Edge Part 2 January 2024)

HyperBro

HyperBro can unpack and decrypt its payload prior to execution.(Citation: Trend Micro DRBControl February 2020)(Citation: Trend Micro Iron Tiger April 2021)

Pteranodon

Pteranodon can decrypt encrypted data strings prior to using them.(Citation: Microsoft Actinium February 2022)

DarkTortilla

DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher.(Citation: Secureworks DarkTortilla Aug 2022)

ROKRAT

ROKRAT can decrypt strings using the victim's hostname as the key.(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)

Babuk

Babuk has the ability to unpack itself into memory using XOR.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: Medium Babuk February 2021)

Exbyte

Exbyte decodes and decrypts data stored in the configuration file with a key provided on the command line during execution.(Citation: Microsoft BlackByte 2023)

DarkWatchman

DarkWatchman has the ability to self-extract as a RAR archive.(Citation: Prevailion DarkWatchman 2021)

Dyre

Dyre decrypts resources needed for targeting the victim.(Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)

LunarLoader

LunarLoader can deobfuscate files containing the next stages in the infection chain.(Citation: ESET Turla Lunar toolset May 2024)

BBSRAT

BBSRAT uses Expand to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)

PlugX

PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.(Citation: CIRCL PlugX March 2013)(Citation: Trend Micro DRBControl February 2020)(Citation: Proofpoint TA416 Europe March 2022)

Bisonal

Bisonal has decoded strings in the malware using XOR and RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Lumma Stealer

Lumma Stealer has used Base64-encoded content during execution, decoded via PowerShell.(Citation: Netskope LummaStealer 2025)

LightNeuron

LightNeuron has used AES and XOR to decrypt configuration files and commands.(Citation: ESET LightNeuron May 2019)

KEYPLUG

KEYPLUG can decode its configuration file to determine C2 protocols.(Citation: Mandiant APT41)

Clambling

Clambling can deobfuscate its payload prior to execution.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

Agent Tesla

Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.(Citation: Malwarebytes Agent Tesla April 2020)

DarkGate

DarkGate installation includes binary code stored in a file located in a hidden directory, such as shell.txt, that is decrypted then executed.(Citation: Ensilo Darkgate 2018) DarkGate uses hexadecimal-encoded shellcode payloads during installation that are called via Windows API CallWindowProc() to decode and then execute.(Citation: Trellix Darkgate 2023)

Mongall

Mongall has the ability to decrypt its payload prior to execution.(Citation: SentinelOne Aoqin Dragon June 2022)

LockBit 3.0

The LockBit 3.0 payload is decrypted at runtime.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)

FoggyWeb

FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using a XOR key.(Citation: MSTIC FoggyWeb September 2021)

Netwalker

Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.(Citation: Sophos Netwalker May 2020)

Brute Ratel C4

Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.(Citation: Palo Alto Brute Ratel July 2022)

TSCookie

TSCookie has the ability to decrypt, load, and execute a DLL and its resources.(Citation: JPCert TSCookie March 2018)

Latrodectus

Latrodectus has the ability to deobfuscate encrypted strings.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)

Saint Bot

Saint Bot can deobfuscate strings and files for execution.(Citation: Malwarebytes Saint Bot April 2021)

Chaes

Chaes has decrypted an AES encrypted binary file to trigger the download of other files.(Citation: Cybereason Chaes Nov 2020)

CharmPower

CharmPower can decrypt downloaded modules prior to execution.(Citation: Check Point APT35 CharmPower January 2022)

TYPEFRAME

One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".(Citation: US-CERT TYPEFRAME June 2018)

Bundlore

Bundlore has used openssl to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.(Citation: MacKeeper Bundlore Apr 2019)

Mori

Mori can resolve networking APIs from strings that are ADD-encrypted.(Citation: DHS CISA AA22-055A MuddyWater February 2022)

QUADAGENT

QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.(Citation: Unit 42 QUADAGENT July 2018)

Sagerunex

Sagerunex uses a custom decryption routine to unpack itself during installation.(Citation: Cisco LotusBlossom 2025)

BendyBear

BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.(Citation: Unit42 BendyBear Feb 2021)

Uroburos

Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Metamorfo

Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)

Spica

Upon execution Spica can decode an embedded .pdf and write it to the desktop as a decoy document.(Citation: Google TAG COLDRIVER January 2024)

Bandook

Bandook has decoded its PowerShell script.(Citation: CheckPoint Bandook Nov 2020)

PipeMon

PipeMon can decrypt password-protected executables.(Citation: ESET PipeMon May 2020)

MagicRAT

MagicRAT stores command and control URLs using base64 encoding in the malware's configuration file.(Citation: Cisco MagicRAT 2022)

KONNI

KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

Winnti for Linux

Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.(Citation: Chronicle Winnti for Linux May 2019)

RAPIDPULSE

RAPIDPULSE listens for specific HTTP query parameters in received communications. If specific parameters match, a hard-coded RC4 key is used to decrypt the HTTP query parameter hmacTime. This decrypts to a filename that is then opened, read, encrypted with the same RC4 key, base64-encoded, written to standard out, then passed as a response to the HTTP request.(Citation: Mandiant Pulse Secure Update May 2021)

gh0st RAT

gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.(Citation: Gh0stRAT ATT March 2019)

Shamoon

Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.(Citation: Unit 42 Shamoon3 2018)

KGH_SPY

KGH_SPY can decrypt encrypted strings and write them to a newly created folder.(Citation: Cybereason Kimsuky November 2020)

Kerrdown

Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.(Citation: Unit 42 KerrDown February 2019)

OopsIE

OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.(Citation: Unit 42 OopsIE! Feb 2018)

RogueRobin

RogueRobin decodes an embedded executable using base64 and decompresses it.(Citation: Unit42 DarkHydrus Jan 2019)

Imminent Monitor

Imminent Monitor has decoded malware components that are then dropped to the system.(Citation: QiAnXin APT-C-36 Feb2019)

SQLRat

SQLRat has scripts that are responsible for deobfuscating additional scripts.(Citation: Flashpoint FIN 7 March 2019)

MegaCortex

MegaCortex has used a Base64 key to decode its components.(Citation: IBM MegaCortex)

SDBbot

SDBbot has the ability to decrypt and decompress its payload to enable code execution.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

QUIETCANARY

QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them.(Citation: Mandiant Suspected Turla Campaign February 2023)

BlackByte Ransomware

BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file.(Citation: Trustwave BlackByte 2021)

StrelaStealer

StrelaStealer payloads have included strings encrypted via XOR.(Citation: DCSO StrelaStealer 2022) StrelaStealer JavaScript payloads utilize Base64-encoded payloads that are decoded via certutil to create a malicious DLL file.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)

Grandoreiro

Grandoreiro can decrypt its encrypted internal strings.(Citation: ESET Grandoreiro April 2020)

WellMail

WellMail can decompress scripts received from C2.(Citation: CISA WellMail July 2020)

LiteDuke

LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.(Citation: ESET Dukes October 2019)

Starloader

Starloader decrypts and executes shellcode from a file called Stars.jps.(Citation: Symantec Sowbug Nov 2017)

VaporRage

VaporRage can deobfuscate XOR-encoded shellcode prior to execution.(Citation: MSTIC Nobelium Toolset May 2021)

Sibot

Sibot can decrypt data received from a C2 and save to a file.(Citation: MSTIC NOBELIUM Mar 2021)

ZxxZ

ZxxZ has used a XOR key to decrypt strings.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Drovorub

Drovorub has de-obfuscated XOR encrypted payloads in WebSocket messages.(Citation: NSA/FBI Drovorub August 2020)

Shark

Shark can extract and decrypt downloaded .zip files.(Citation: ClearSky Siamesekitten August 2021)

Bazar

Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Kobalos

Kobalos decrypts strings right after the initial communication, but before the authentication process.(Citation: ESET Kobalos Jan 2021)

MESSAGETAP

After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and reads the contents of the files.(Citation: FireEye MESSAGETAP October 2019)

XLoader

XLoader uses XOR and RC4 algorithms to decrypt payloads and functions.(Citation: Zscaler XLoader 2025) XLoader can be distributed as a self-extracting RAR archive that launches an AutoIT loader.(Citation: Google XLoader 2017)

HermeticWiper

HermeticWiper can decompress and copy driver files using `LZCopy`.(Citation: Crowdstrike DriveSlayer February 2022)

ABK

ABK has the ability to decrypt AES encrypted payloads.(Citation: Trend Micro Tick November 2019)

Final1stspy

Final1stspy uses Python code to deobfuscate base64-encoded strings.(Citation: Unit 42 Nokki Oct 2018)

Kapeka

Kapeka utilizes obfuscated JSON structures for various data storage and configuration management items.(Citation: WithSecure Kapeka 2024)

LockBit 2.0

LockBit 2.0 can decode scripts and strings in loaded modules.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)

Zebrocy

Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)

FinFisher

FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

LunarMail

LunarMail can decrypt strings to retrieve configuration settings.(Citation: ESET Turla Lunar toolset May 2024)

Cobalt Strike

Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

SampleCheck5000

SampleCheck5000 can decode and decrypt command line strings and files received through C2.(Citation: ESET OilRig Campaigns Sep 2023)(Citation: ESET OilRig Downloaders DEC 2023)

REvil

REvil can decode encrypted strings to enable execution of commands and payloads.(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)

Valak

Valak has the ability to decode and decrypt downloaded files.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the `rotate` function in reporting.(Citation: Unit42 OceanLotus 2017)

OilBooster

OilBooster can Base64-decode and XOR-decrypt C2 commands taken from JSON files.(Citation: ESET OilRig Downloaders DEC 2023)

OnionDuke

OnionDuke can use a custom decryption algorithm to decrypt strings.(Citation: ESET Dukes October 2019)

Taidoor

Taidoor can use a stream cipher to decrypt strings used by the malware.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

IronNetInjector

IronNetInjector has the ability to decrypt embedded .NET and PE payloads.(Citation: Unit 42 IronNetInjector February 2021)

Cyclops Blink

Cyclops Blink can decrypt and parse instructions sent from C2.(Citation: NCSC Cyclops Blink February 2022)

NativeZone

NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.(Citation: MSTIC Nobelium Toolset May 2021)

Raccoon Stealer

Raccoon Stealer uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)

Carbon

Carbon decrypts task and configuration files for execution.(Citation: ESET Carbon Mar 2017)(Citation: Accenture HyperStack October 2020)

Cardinal RAT

Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.(Citation: PaloAlto CardinalRat Apr 2017)

DanBot

DanBot can use a VBA macro to decode its payload prior to installation and execution.(Citation: SecureWorks August 2019)

RGDoor

RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.(Citation: Unit 42 RGDoor Jan 2018)

Ramsay

Ramsay can extract its agent from the body of a malicious document.(Citation: Eset Ramsay May 2020)

FRAMESTING

FRAMESTING can decompress data received within `POST` requests.(Citation: Mandiant Cutting Edge Part 2 January 2024)

Pillowmint

Pillowmint has been decompressed by included shellcode prior to being launched.(Citation: Trustwave Pillowmint June 2020)

MacMa

MacMa decrypts a downloaded file using AES-128-EBC with a custom delta.(Citation: ESET DazzleSpy Jan 2022)

ROADSWEEP

ROADSWEEP can decrypt embedded scripts prior to execution.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)

SUNSPOT

SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.(Citation: CrowdStrike SUNSPOT Implant January 2021)

More_eggs

More_eggs will decode malware components that are then dropped to the system.(Citation: Security Intelligence More Eggs Aug 2019)

SysUpdate

SysUpdate can deobfuscate packed binaries in memory.(Citation: Trend Micro Iron Tiger April 2021)

BackConfig

BackConfig has used a custom routine to decrypt strings.(Citation: Unit 42 BackConfig May 2020)

PowGoop

PowGoop can decrypt PowerShell scripts for execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)

Kwampirs

Kwampirs decrypts and extracts a copy of its main DLL payload when executing.(Citation: Symantec Orangeworm April 2018)

BoomBox

BoomBox can decrypt AES-encrypted files downloaded from C2.(Citation: MSTIC Nobelium Toolset May 2021)

DEADEYE

DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.(Citation: Mandiant APT41)

Proton

Proton uses an encrypted file to store commands and configuration values.(Citation: objsee mac malware 2017)

WIREFIRE

WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP `POST` requests.(Citation: Mandiant Cutting Edge January 2024)

Kessel

Kessel has decrypted the binary's configuration once the main function was launched.(Citation: ESET ForSSHe December 2018)

GrimAgent

GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.(Citation: Group IB GrimAgent July 2021)

LookBack

LookBack has a function that decrypts malicious data.(Citation: Proofpoint LookBack Malware Aug 2019)

STEADYPULSE

STEADYPULSE can URL decode key/value pairs sent over C2.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Expand

Expand can be used to decompress a local or remote CAB file into an executable.(Citation: Microsoft Expand Utility)

Clop

Clop has used a simple XOR operation to decrypt strings.(Citation: Mcafee Clop Aug 2019)

YAHOYAH

YAHOYAH decrypts downloaded files before execution.(Citation: TrendMicro TropicTrooper 2015)

Lokibot

Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.(Citation: Talos Lokibot Jan 2021)

Egregor

Egregor has been decrypted before execution.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cybereason Egregor Nov 2020)

PoetRAT

PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.(Citation: Talos PoetRAT October 2020)

StealBit

StealBit can deobfuscate loaded modules prior to execution.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason StealBit Exfiltration Tool)

SLIGHTPULSE

SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

CoinTicker

CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.(Citation: CoinTicker 2019)

DDKONG

DDKONG decodes an embedded configuration using XOR.(Citation: Rancor Unit42 June 2018)

BabyShark

BabyShark has the ability to decode downloaded files prior to execution.(Citation: CISA AA20-301A Kimsuky)

Winnti for Windows

The Winnti for Windows dropper can decrypt and decompress a data blob.(Citation: Novetta Winnti April 2015)

Ebury

Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.(Citation: ESET Ebury Oct 2017)

PITSTOP

PITSTOP can deobfuscate base64 encoded and AES encrypted commands.(Citation: Mandiant Cutting Edge Part 3 February 2024)

ComRAT

ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

POWERSTATS

POWERSTATS can deobfuscate the main backdoor code.(Citation: ClearSky MuddyWater Nov 2018)

IceApple

IceApple can use a Base64-encoded AES key to decrypt tasking.(Citation: CrowdStrike IceApple May 2022)

metaMain

metaMain can decrypt and load other modules.(Citation: SentinelLabs Metador Sept 2022)

SideTwist

SideTwist can decode and decrypt messages received from C2.(Citation: Check Point APT34 April 2021)

KOCTOPUS

KOCTOPUS has deobfuscated itself before executing its commands.(Citation: MalwareBytes LazyScripter Feb 2021)

Heyoka Backdoor

Heyoka Backdoor can decrypt its payload prior to execution.(Citation: SentinelOne Aoqin Dragon June 2022)

LunarWeb

LunarWeb can decrypt strings related to communication configuration using RC4 with a static key.(Citation: ESET Turla Lunar toolset May 2024)

AppleJeus

AppleJeus has decoded files received from a C2.(Citation: CISA AppleJeus Feb 2021)

SoreFang

SoreFang can decode and decrypt exfiltrated data sent to C2.(Citation: CISA SoreFang July 2016)

MirageFox

MirageFox has a function for decrypting data containing C2 configuration information.(Citation: APT15 Intezer June 2018)

Industroyer

Industroyer decrypts code to connect to a remote C2 server.(Citation: ESET Industroyer)

Goopy

Goopy has used a polymorphic decryptor to decrypt itself at runtime.(Citation: Cybereason Cobalt Kitty 2017)

ShadowPad

ShadowPad has decrypted a binary blob to start execution.(Citation: Kaspersky ShadowPad Aug 2017)

Remexi

Remexi decrypts the configuration data using XOR with 25-character keys.(Citation: Securelist Remexi Jan 2019)

Astaroth

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)

QakBot

QakBot can deobfuscate and re-assemble code strings for execution.(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)

CookieMiner

CookieMiner has used Google Chrome's decryption and extraction operations.(Citation: Unit42 CookieMiner Jan 2019)

Hancitor

Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)

Gelsemium

Gelsemium can decompress and decrypt DLLs and shellcode.(Citation: ESET Gelsemium June 2021)

BBK

BBK has the ability to decrypt AES encrypted payloads.(Citation: Trend Micro Tick November 2019)

OSX/Shlayer

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.(Citation: Carbon Black Shlayer Feb 2019) Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)

Denis

Denis will decrypt important strings used for C&C communication.(Citation: Cybereason Cobalt Kitty 2017)

INC Ransomware

INC Ransomware can run `CryptStringToBinaryA` to decrypt base64 content containing its ransom note.(Citation: Cybereason INC Ransomware November 2023)

DEADWOOD

DEADWOOD XORs some strings within the binary using the value 0xD5, and deobfuscates these items at runtime.(Citation: SentinelOne Agrius 2021)

Waterbear

Waterbear has the ability to decrypt its RC4 encrypted payload for execution.(Citation: Trend Micro Waterbear December 2019)

FIVEHANDS

FIVEHANDS has the ability to decrypt its payload prior to execution.(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021)

Lizar

Lizar can decrypt its configuration data.(Citation: BiZone Lizar May 2021)

Dtrack

Dtrack has used a decryption routine that is part of an executable physical patch.(Citation: Securelist Dtrack)

Azorult

Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)

HiddenWasp

HiddenWasp uses a cipher to implement a decoding function.(Citation: Intezer HiddenWasp Map 2019)

WarzoneRAT

WarzoneRAT can use XOR 0x45 to decrypt obfuscated code.(Citation: Check Point Warzone Feb 2020)

Frankenstein

Frankenstein has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.(Citation: Talos Frankenstein June 2019)

APT28

An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)

Turla

Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.(Citation: ESET Turla PowerShell May 2019)

Tropic Trooper

Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

Lazarus Group

Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

Gamaredon Group

Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020) Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications.(Citation: unit42_gamaredon_dec2022)

APT29

APT29 used 7-Zip to decode its Raindrop malware.(Citation: Symantec RAINDROP January 2021)

WIRTE

WIRTE has used Base64 to decode malicious VBS script.(Citation: Lab52 WIRTE Apr 2019)

Darkhotel

Darkhotel has decrypted strings and imports using RC4 during execution.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)

APT39

APT39 has used malware to decrypt encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)

APT38

APT38 has used the RC4 algorithm to decrypt configuration data.(Citation: 1 - appv)

MuddyWater

MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater Jan 2022)

Leviathan

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.(Citation: Proofpoint Leviathan Oct 2017)

Rocke

Rocke has extracted tar.gz files after downloading them from a C2 server.(Citation: Talos Rocke August 2018)

BRONZE BUTLER

BRONZE BUTLER downloads encoded payloads and decodes them on the victim.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Honeybee

Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.(Citation: McAfee Honeybee)

ZIRCONIUM

ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.(Citation: Check Point APT31 February 2021)

BlackByte

BlackByte has encoded commands in base64-encoded sections concatenated together in PowerShell.(Citation: FBI BlackByte 2022) BlackByte uses PowerShell commands to disable Windows Defender.(Citation: Picus BlackByte 2022)

Molerats

Molerats decompresses ZIP files once on the victim machine.(Citation: Kaspersky MoleRATs April 2019)

Threat Group-3390

During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.(Citation: Securelist LuckyMouse June 2018)

Higaisa

Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

OilRig

An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig New Delivery Oct 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Crowdstrike GTR2020 Mar 2020)

APT19

An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.(Citation: Unit 42 C0d0so0 Jan 2016)

Volt Typhoon

Volt Typhoon has used Base64-encoded data to transfer payloads and commands, including deobfuscation via certutil.(Citation: Secureworks BRONZE SILHOUETTE May 2023)

FIN13

FIN13 has utilized `certutil` to decode base64 encoded versions of custom malware.(Citation: Mandiant FIN13 Aug 2022)

Kimsuky

Kimsuky has decoded malicious VBScripts using Base64.(Citation: Talos Kimsuky Nov 2021)

Cinnamon Tempest

Cinnamon Tempest has used weaponized DLLs to load and decrypt payloads.(Citation: Sygnia Emperor Dragonfly October 2022)

Sandworm Team

Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompressed it using GZip.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)

menuPass

menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)

TeamTNT

TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.(Citation: Cisco Talos Intelligence Group)

Ke3chang

Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.(Citation: Microsoft NICKEL December 2021)

Storm-1811

Storm-1811 has distributed password-protected archives such as ZIP files during intrusions.(Citation: rapid7-email-bombing)

Moonstone Sleet

Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis.(Citation: Microsoft Moonstone Sleet 2024)

Gorgon Group

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.(Citation: Unit 42 Gorgon Group Aug 2018)

Agrius

Agrius has deployed base64-encoded variants of ASPXSpy to evade detection.(Citation: SentinelOne Agrius 2021)

Winter Vivern

Winter Vivern delivered exploit payloads via base64-encoded payloads in malicious email messages.(Citation: ESET WinterVivern 2023)

Earth Lusca

Earth Lusca has used certutil to decode a string into a cabinet file.(Citation: TrendMicro EarthLusca 2022)

Malteiro

Malteiro has the ability to deobfuscate downloaded files prior to execution.(Citation: SCILabs Malteiro 2021)

UNC2452

UNC2452 used 7-Zip to decode its Raindrop malware.(Citation: Symantec RAINDROP January 2021)

TA505

TA505 has decrypted packed DLLs with an XOR key.(Citation: NCC Group TA505)

Mitigations

Mitigation Description
Deobfuscate/Decode Files or Information Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil. Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
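The process and command-line monitoring described above, as an added example in Python (not part of the ATT&CK page or any vendor's product): constructed Sysmon Event ID 1-style events are scored against the behaviours the text names (certutil decoding, copy /b reassembly, base64 decoding in PowerShell, openssl decryption, password-protected archive extraction), and a hit is escalated when the parent is an Office or script host, which is how the macro-driven certutil cases listed on this page present. Rule names, severities, the parent-process list and all sample paths are assumptions made for this illustration.

```python
"""Scoring process-creation events for T1140-style decoding activity.

Added example for the Detection section; not part of the ATT&CK page or any
vendor product. Rules, severities and sample events are constructed here.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    image: str           # full path of the new process
    command_line: str
    parent_image: str    # full path of the parent process


@dataclass
class Finding:
    rules: list = field(default_factory=list)
    severity: str = "none"   # none < low < medium < high


SEVERITY_ORDER = ["none", "low", "medium", "high"]

# (rule name, case-insensitive pattern over the command line, base severity).
# The executable name is part of the pattern where it matters, so "certutil"
# mentioned inside an unrelated argument does not match.
RULES = [
    ("certutil_decode",
     re.compile(r'certutil(\.exe)?"?\s.*-(decode|decodehex)\b', re.I), "medium"),
    ("copy_b_reassembly",
     re.compile(r"\bcopy\s+/b\s+\S+\+\S+", re.I), "medium"),
    ("powershell_frombase64",
     re.compile(r"FromBase64String", re.I), "medium"),
    ("openssl_decrypt",
     re.compile(r"\bopenssl\s+enc\b.*\s-d\b", re.I), "medium"),
    # 7-Zip / RAR take -p<password>, unzip takes -P <password>; both match.
    ("archive_password_extract",
     re.compile(r'\b(7z|7za|winrar|rar|unrar|unzip)(\.exe)?"?\s.*\s-p\S+', re.I), "low"),
]

# Parents indicating a document macro or script host drove the decoding step.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _escalate(severity: str) -> str:
    idx = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]


def classify(event: ProcessEvent) -> Finding:
    """Return the rules hit by one event and the resulting severity."""
    finding = Finding()
    for name, pattern, base in RULES:
        if pattern.search(event.command_line):
            finding.rules.append(name)
            if SEVERITY_ORDER.index(base) > SEVERITY_ORDER.index(finding.severity):
                finding.severity = base
    # Correlate with the parent to separate macro-driven decoding from an
    # administrator typing the same command in a console (fewer false positives).
    if finding.rules and _basename(event.parent_image) in SUSPICIOUS_PARENTS:
        finding.severity = _escalate(finding.severity)
    return finding


# Constructed sample events; every path and file name is made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil -decode C:\Users\u\AppData\Local\Temp\p.txt C:\Users\u\AppData\Local\Temp\p.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy /b part1.bin+part2.bin C:\Users\u\AppData\Local\Temp\out.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Program Files\7-Zip\7z.exe",
                 r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\u\Downloads\invoice.7z -pSecret -oC:\Users\u\Downloads',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Users\u\Downloads\setup.iso SHA256",  # benign use
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -c [IO.File]::WriteAllBytes('s.dll',[Convert]::FromBase64String((Get-Content s.txt)))",
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent("/usr/bin/openssl",
                 "openssl enc -d -aes-256-cbc -in /tmp/.x -out /tmp/.y -k pass",
                 "/bin/bash"),
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        f = classify(e)
        print(f"{f.severity:6} {_basename(e.image):16} {', '.join(f.rules) or '-'}")
```

The benign certutil -hashfile event is included so the rule set can be checked for a clean miss alongside the hits.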

References

  1. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  2. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  3. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  4. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.
  5. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  6. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  7. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  8. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  9. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  10. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  11. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  12. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  13. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  14. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  15. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  16. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  17. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  18. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  19. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  20. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
  21. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  22. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  23. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  24. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
  25. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
  26. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  27. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  28. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
  29. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  30. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  31. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  32. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  33. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  34. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
  35. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  36. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  37. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  38. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  39. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  40. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  41. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  42. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  43. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  44. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  45. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  46. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  47. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  48. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.
  49. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  50. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  51. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  52. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  53. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  54. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  55. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  56. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  57. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  58. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  59. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  60. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  61. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  62. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  63. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  64. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  65. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
  66. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  67. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  68. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  69. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  70. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  71. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  72. Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  73. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  74. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  75. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  76. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.
  77. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  78. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
  79. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  80. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  81. Counter Threat Unit Research Team. (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.
  82. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  83. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  84. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  85. Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025.
  86. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  87. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  88. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  89. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  90. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  91. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  92. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  93. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  94. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  95. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
  96. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  97. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  98. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  99. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  100. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  101. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  102. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  103. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  104. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
  105. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  106. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  107. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  108. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  109. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  110. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  111. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  112. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  113. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  114. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  115. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  116. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  117. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  118. Swachchhanda Shrawan Poudel. (2024, February). Pikabot: A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.
  119. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
  120. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  121. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  122. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  123. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
  124. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  125. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  126. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  127. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  128. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  129. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  130. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  131. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  132. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  133. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  134. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  135. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  136. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  137. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  138. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  139. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  140. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  141. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  142. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  143. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  144. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  145. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  146. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  147. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  148. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  149. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  150. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  151. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  152. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  153. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  154. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  155. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  156. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  157. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  158. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  159. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  160. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  161. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  162. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  163. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  164. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  165. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  166. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  167. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  168. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  169. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  170. Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
  171. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  172. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  173. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  174. Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
  175. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  176. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  177. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  178. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  179. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  180. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  181. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  182. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
  183. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  184. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  185. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  186. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  187. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
  188. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  189. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  190. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  191. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  192. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  193. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  194. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  195. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  196. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  197. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  198. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  199. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  200. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  201. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  202. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  203. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  204. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  205. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  206. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  207. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  208. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  209. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  210. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  211. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  212. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  213. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  214. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  215. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025.
  216. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  217. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  218. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  219. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  220. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  221. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  222. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  223. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  224. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  225. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  226. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
  227. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  228. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  229. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  230. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  231. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  232. FinFisher. (n.d.). Retrieved September 12, 2024.
  233. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  234. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  235. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  236. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  237. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  238. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  239. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  240. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  241. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  242. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
  243. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  244. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  245. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  246. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  247. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  248. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  249. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
  250. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
  251. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  252. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  253. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  254. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  255. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  256. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  257. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  258. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  259. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.
  260. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  261. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  262. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  263. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  264. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  265. Matthieu Faou. (2023, October 25). Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers. Retrieved July 29, 2024.
  266. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  267. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
  268. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  269. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  270. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  271. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  272. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  273. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  274. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  275. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  276. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  277. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  278. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  279. Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.
  280. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  281. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
  282. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  283. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  284. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
  285. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  286. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  287. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  288. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  289. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  290. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  291. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  292. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  293. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  294. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  295. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  296. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  297. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
  298. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  299. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  300. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  301. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  302. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  303. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  304. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  305. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  306. Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
  307. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  308. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  309. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  310. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  311. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  312. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  313. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  314. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  315. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  316. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  317. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  318. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  319. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  320. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
  321. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  322. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  323. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
  324. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  325. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  326. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  327. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  328. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  329. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  330. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  331. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  332. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
  333. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  334. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  335. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  336. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  337. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  338. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  339. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  340. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  341. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  342. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  343. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  344. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  345. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  346. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  347. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  348. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
