…PLUG file extensions from .vmp to .upx likely to avoid hunting detections. [37] C0018 C0018 For C0018 , the threat actors renamed a Sliver payload to vmware_kb.exe . [38] C0032 C0032 During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Window…
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malw…
…, the threat actors used RDP to access specific network hosts of interest. [21] C0018 C0018 During C0018 , the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892. [22] C0032 C0032 During the C0032 campaign, TEMP.Ve…
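The campaign text above records RDP moved to arbitrary ports (28035, 32467, 41578, 46892), which defeats any detection keyed on TCP/3389. The following is an added example, not code from the ATT&CK page or the reports it cites: it recognises the protocol itself rather than the port. Every RDP session begins with an X.224 Connection Request carried in a TPKT frame (MS-RDPBCGR 2.2.1.1), optionally preceded by an `mstshash` routing cookie and followed by an RDP_NEG_REQ naming the requested security protocol; that first client packet looks the same on every port. The flows, hosts and cookie value below are constructed sample data.

```python
"""Recognise RDP X.224 Connection Requests on any TCP port (added example)."""
import struct
from typing import Optional

RDP_DEFAULT_PORT = 3389

# requestedProtocols bits of RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
NEG_PROTOCOLS = {0x1: "TLS", 0x2: "CredSSP", 0x4: "RDSTLS", 0x8: "CredSSP-EX"}


def build_x224_cr(cookie: Optional[str] = None, protocols: int = 0x3) -> bytes:
    """Build the client Connection Request an RDP client sends (for sample data)."""
    body = b""
    if cookie:
        body += b"Cookie: mstshash=" + cookie.encode("ascii") + b"\r\n"
    body += struct.pack("<BBHI", 0x01, 0x00, 8, protocols)        # RDP_NEG_REQ
    # X.224 CR TPDU: LI, code 0xE0, DST-REF, SRC-REF, class option, then body.
    # LI counts every byte after itself, including the cookie and NEG_REQ.
    x224 = struct.pack(">BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224  # TPKT header


def parse_x224_cr(payload: bytes) -> Optional[dict]:
    """Return {'cookie', 'protocols'} if payload is an RDP X.224 CR, else None."""
    if len(payload) < 11 or payload[:2] != b"\x03\x00":
        return None
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    li, code = payload[4], payload[5]
    # CR is the high nibble 0xE of the TPDU code byte; lengths must agree.
    if tpkt_len != len(payload) or li + 5 != tpkt_len or code & 0xF0 != 0xE0:
        return None
    rest = payload[11:]
    cookie = None
    if rest.startswith(b"Cookie: mstshash="):
        end = rest.find(b"\r\n")
        if end < 0:
            return None
        cookie = rest[17:end].decode("ascii", "replace")
        rest = rest[end + 2:]
    protocols = None
    if len(rest) >= 8 and rest[0] == 0x01 and struct.unpack("<H", rest[2:4])[0] == 8:
        protocols = struct.unpack("<I", rest[4:8])[0]
    elif rest:
        return None          # trailing bytes that are neither cookie nor NEG_REQ
    return {"cookie": cookie, "protocols": protocols}


def describe_protocols(mask: Optional[int]) -> str:
    """Human-readable view of the requestedProtocols bitmask."""
    if not mask:
        return "standard RDP security"
    return "+".join(name for bit, name in NEG_PROTOCOLS.items() if mask & bit)


def flag_nonstandard_rdp(flows):
    """Return flows whose first client payload is RDP but whose port is not 3389."""
    hits = []
    for flow in flows:
        info = parse_x224_cr(flow["payload"])
        if info and flow["dst_port"] != RDP_DEFAULT_PORT:
            hits.append({**flow, **info,
                         "security": describe_protocols(info["protocols"])})
    return hits


# Constructed sample flows: the first client->server payload of four TCP sessions.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dst_port": 28035,
     "payload": build_x224_cr("svc_backup")},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dst_port": 3389,
     "payload": build_x224_cr()},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dst_port": 46892,
     "payload": build_x224_cr(protocols=0x0)},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dst_port": 41578,
     "payload": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in flag_nonstandard_rdp(SAMPLE_FLOWS):
        print(f"RDP on non-default port {hit['dst_port']} from {hit['src']} "
              f"cookie={hit['cookie']!r} security={hit['security']}")
```

The parser is strict on framing (TPKT length must equal the payload length and the X.224 length indicator must account for the rest) so that unrelated traffic starting with 0x03 0x00 is not mistaken for RDP. A hit with `standard RDP security` is worth extra attention: it means the client asked for no TLS or CredSSP, which is unusual for a current Windows client and common for tooling.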
…etrieved January 5, 2023. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieve…
…xecution. [51] S1039 Bumblebee Bumblebee can use PowerShell for execution. [52] C0018 C0018 During C0018 , the threat actors used encoded PowerShell scripts for execution. [53] [54] C0021 C0021 During C0021 , the threat actors used obfuscated PowerShell to extract an encoded payl…
…s: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. Cristian Souza, Eduardo Ovalle, Ashley …
…27, 2021. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of…
…ider [77] [40] [78] G0102 Wizard Spider [79] [80] [81] [82] [83] [84] [85] [86] Campaigns ID Name Description C0040 APT41 DUST Cobalt Strike was used during APT41 DUST [43] C0015 C0015 [12] C0017 C0017 During C0017 APT41 used the DUSTPAN in-memory dropper to drop a Cobalt Strike …
…17, 2024. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. The Cylance Threat R…
…air, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. Kasza, A. and Re…
…o victim environments by exploiting multiple known vulnerabilities over several campaigns. [97] [98] C0045 ShadowRay During ShadowRay , threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data. [99] S0623 Silosca…
… the threat actors used Conti ransomware to encrypt a compromised network. [48] C0018 C0018 During C0018 , the threat actors used AvosLocker ransomware to encrypt files on the compromised network. [23] [49] S1096 Cheerscrypt Cheerscrypt can encrypt data on victim machines using a…
…air, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWa…