…etrieved January 5, 2023. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieve…
…uly 5, 2023. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. Cro…
…tifactor authentication token values during Leviathan Australian Intrusions [9] C0014 Operation Wocao During Operation Wocao, threat actors used a custom collection method to intercept two-factor authentication soft tokens. [10] S1104 SLOWPULSE SLOWPULSE can log credentials on c…
…er 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016. Dell SecureWorks Counter Threat Unit Threat Intelligence. (…
…OilRig OilRig has modified Windows firewall rules to enable remote access. [41] C0014 Operation Wocao During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall. [42] S0013 PlugX PlugX has modified local firewall rules on victim machine…
…er 26, 2024. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. MSTIC, C…
… abused the NKN public blockchain protocol for its C2 communications. [25] [26] C0014 Operation Wocao During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes. [27] S0623 Siloscape Siloscape uses Tor to communicate with C2. [28] …
… abused the NKN public blockchain protocol for its C2 communications. [29] [30] C0014 Operation Wocao During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes. [31] C0055 Quad7 Activity Quad7 Activity has routed traffic through c…
…27, 2021. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of…
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malw…
…prise Resource Planning Web Application Server as a persistence mechanism. [57] C0014 Operation Wocao During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral move…
… servers to obtain the list of employees including administrator accounts. [48] C0014 Operation Wocao During Operation Wocao, threat actors used the net command to retrieve information about domain accounts. [49] S0165 OSInfo OSInfo enumerates local and domain users [50] G0033 P…
…ent Instrumentation to help the malware propagate itself across a network. [82] C0014 Operation Wocao During Operation Wocao, threat actors used ProcDump to dump credentials from memory. [83] G0068 PLATINUM PLATINUM has used keyloggers that are also capable of dumping credential…
…stalled Rising Sun in the Startup folder and disguised it as mssync.exe. [146] C0014 Operation Wocao During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs. [147] S0402 OSX/Shlayer OSX/Shlayer can masquerade as a Flash Play…