…b shell that has the ability to execute arbitrary commands or write files. [18] C0017 C0017 During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects. [19] C0032 C0032 During the C0032 campaign, TEMP.Veles planted web shells on Outlook E…
…Lazarus. Retrieved May 1, 2020. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ranso…
…ore Bundlore has disguised a malicious .app file as a Flash Player update. [36] C0017 C0017 During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections. [37] …
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malw…
…27, 2021. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of…
…ider [77] [40] [78] G0102 Wizard Spider [79] [80] [81] [82] [83] [84] [85] [86] Campaigns ID Name Description C0040 APT41 DUST Cobalt Strike was used during APT41 DUST [43] C0015 C0015 [12] C0017 C0017 During C0017 APT41 used the DUSTPAN in-memory dropper to drop a Cobalt Strike …
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. Faou, M. (2019, Ma…
…etrieved November 5, 2018. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11,…
…ingbird has used FRP, ssf, and Venom to establish SOCKS proxy connections. [8] C0017 C0017 During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic. [9] C0027 C0027 During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi applianc…
…o victim environments by exploiting multiple known vulnerabilities over several campaigns. [97] [98] C0045 ShadowRay During ShadowRay , threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data. [99] S0623 Silosca…
…, the threat actors obtained files and data from the compromised network. [36] C0017 C0017 During C0017, APT41 collected information related to compromised machines as well as Personally Identifiable Information (PII) from victim networks. [37] C0026 C0026 During C0026, the threat…
…air, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved Se…
…air, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. Lunghi, D., Horejsi, J. (2019, June 10). MuddyWa…
…rieved February 22, 2018. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 1…
…ra, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrai…