…uly 5, 2023. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. Cro…
…er 26, 2024. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. MSTIC, C…
…27, 2021. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of…
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malw…
…d web shells, often to maintain access to a victim network. [53] [54] [55] [56] C0012 Operation CuckooBees During Operation CuckooBees, the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism. [57…
…tory name is missing a space and the file name is missing the letter "o." [143] C0012 Operation CuckooBees During Operation CuckooBees, the threat actors renamed a malicious executable to rundll32.exe to allow it to blend in with other Windows system files. [144] C0006 Operation…
… "Exchange Trusted Subsystem" /domain to get account listings on a victim. [46] C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used the dsquery and dsget commands to get domain environment information and to query users in administrative groups. [47] C…
…17, 2024. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. The Cylance Threat R…
…OilRig has used sc query on a victim to gather information about services. [38] C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used the net start command as part of their initial reconnaissance. [39] C0014 Operation Wocao During Operation Wocao, threa…
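The account and service discovery commands in the Operation CuckooBees entries above (dsquery and dsget, net group "…" /domain, net start, sc query) and the rundll32.exe rename are all visible in process-creation telemetry. The following is an added detection example, not code from ATT&CK or from any of the cited reports: it triages constructed process-creation records, tagging the discovery commands and flagging an image named rundll32.exe that does not run from a Windows system directory. The record field names, the sample events and the single-drive system directory list are assumptions for illustration; a production check would confirm the file hash or Authenticode signature rather than rely on the path alone.

```python
"""Added detection example (not from ATT&CK or the cited reports).

Input records are assumed to look like simplified process-creation events:
    {"host": ..., "image": <full image path>, "cmdline": <command line>}
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Directories where a genuine rundll32.exe lives (lower-cased, trailing separator).
# Assumption: default single-drive install; extend for other system roots.
WINDOWS_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Discovery patterns, matched against "<image basename> <arguments>".
DISCOVERY_RULES = (
    ("dsquery_dsget", re.compile(r"^(dsquery|dsget)(\.exe)?\b", re.I)),
    ("net_group_domain", re.compile(r"^net1?(\.exe)?\s+group\s.*\s/domain\b", re.I)),
    ("net_start", re.compile(r"^net1?(\.exe)?\s+start\b", re.I)),
    ("sc_query", re.compile(r"^sc(\.exe)?\s+query\b", re.I)),
)


def command_text(image: str, cmdline: str) -> str:
    """Return '<basename> <args>', replacing the first (possibly quoted) token of the
    command line with the basename of the image actually executed."""
    base = ntpath.basename(image).lower()
    args = cmdline.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        args = args[end + 1:] if end != -1 else ""
    else:
        parts = args.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
    return f"{base} {args.strip()}"


def flag_discovery(record: Dict[str, str]) -> List[str]:
    """Names of the discovery rules matched by one record."""
    text = command_text(record["image"], record["cmdline"])
    return [name for name, rx in DISCOVERY_RULES if rx.search(text)]


def is_masqueraded_rundll32(record: Dict[str, str]) -> bool:
    """True when the image is called rundll32.exe but lives outside the system dirs.
    Path is only a heuristic: a hash or signature check is the authoritative test."""
    image = record["image"].lower()
    if ntpath.basename(image) != "rundll32.exe":
        return False
    return not any(image.startswith(d) for d in WINDOWS_SYSTEM_DIRS)


def triage(records: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(host, image, tags) for every record that matched at least one check."""
    findings = []
    for r in records:
        tags = flag_discovery(r)
        if is_masqueraded_rundll32(r):
            tags.append("rundll32_masquerade")
        if tags:
            findings.append((r["host"], r["image"], tags))
    return findings


# Constructed sample events; not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\dsquery.exe",
     "cmdline": 'dsquery group -name "Domain Admins"'},
    {"host": "ws01", "image": r"C:\Windows\System32\dsget.exe",
     "cmdline": 'dsget group "CN=Domain Admins,CN=Users,DC=corp,DC=local" -members'},
    {"host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Exchange Trusted Subsystem" /domain'},
    {"host": "srv02", "image": r"C:\Windows\System32\net.exe", "cmdline": "net start"},
    {"host": "srv02", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query"},
    {"host": "srv02", "image": r"C:\ProgramData\rundll32.exe", "cmdline": "rundll32.exe"},
    {"host": "srv02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for host, image, tags in triage(SAMPLE_EVENTS):
        print(f"{host}\t{image}\t{','.join(tags)}")
```

Every one of the discovery commands is also routine administrator activity, so these tags are meant as enrichment for a timeline (who ran them, from which host, how soon after first access) rather than as stand-alone alerts; the rundll32.exe path check is the one finding that warrants an immediate look on its own.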
…Lazarus. Retrieved May 1, 2020. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ranso…
…o victim environments by exploiting multiple known vulnerabilities over several campaigns. [97] [98] C0045 ShadowRay During ShadowRay , threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data. [99] S0623 Silosca…
…an exfiltration tool named STEALHOOK to retrieve valid domain credentials. [21] C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement. [22] C0023 Operation Ghost For Operation…
…. Retrieved May 26, 2020. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23,…
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. Faou, M. (2019, Ma…
…lRig OilRig has used PowerShell to upload files from compromised systems. [148] C0012 Operation CuckooBees During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks. [149] C0022 Operation Dream Job During Operation Drea…