…athered detailed knowledge of team structures within a target organization. [4] C0022 Operation Dream Job During Operation Dream Job Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements. [5] [6] G1017 Volt Typhoon Volt Typhoon…
…rmation on victim organizations through email and social media interaction. [7] C0022 Operation Dream Job For Operation Dream Job Lazarus Group gathered victim organization information to identify specific targets. [8] G1017 Volt Typhoon Volt Typhoon has conducted extensive recon…
…er 26, 2024. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. MSTIC, C…
…arphishing attachments. [5] G0138 Andariel Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments. [6] [7] S0622 AppleSeed AppleSeed has been distributed to victims through malicious e-mail attachments. [8] G0099 APT-C-36 APT-C-36 has use…
…27, 2021. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of…
… OilRig OilRig has used brute force techniques to obtain credentials. [20] [21] C0022 Operation Dream Job During Operation Dream Job Lazarus Group performed brute force attacks against administrator accounts. [22] S0378 PoshC2 PoshC2 has modules for brute forcing local administra…
…omain environment information and to query users in administrative groups. [47] C0022 Operation Dream Job During Operation Dream Job Lazarus Group queried compromised victims' Active Directory servers to obtain the list of employees, including administrator accounts. [48] C0014 Op…
…s: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. Cristian Souza, Eduardo Ovalle, Ashley …
…air, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. Kasza, A. and Re…
…Lazarus. Retrieved May 1, 2020. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ranso…
…ctus Latrodectus has been executed through malicious links distributed in email campaigns. [52] [53] G0140 LazyScripter LazyScripter has relied upon users clicking on links to malicious files. [51] G0065 Leviathan Leviathan has sent spearphishing email links attempting to get a u…
…ra, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. CERT-EE. (2021, January 27). Gamaredon Infect…
…files to an actor-controlled OneDrive account via the Microsoft Graph API. [25] C0022 Operation Dream Job During Operation Dream Job Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox. [26] [27] S1102 Pcexter Pcexter can uplo…
…f a macro to run a PowerShell command to decode file contents. [43] [192] [193] C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims. [194] C0014 Operation Wocao During Operation Wocao, th…
… deliver malware. [30] S1039 Bumblebee Bumblebee has been spread through e-mail campaigns with malicious links. [31] [32] C0011 C0011 During C0011 Transparent Tribe sent emails containing a malicious link to student targets in India. [33] C0021 C0021 During C0021, the threat act…