Cobalt Strike, Software S0154 | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Software: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. [1] In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. [1]
ID: S0154
Type: MALWARE
Platforms: Windows, Linux, macOS
Contributors: Martin Sohn Christensen, Improsec; Josh Abraham
Version: 1.13
Created: 14 December 2017
Last Modified: 25 September 2024
Techniques Used

Domain | ID | Name | Use
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Cobalt Strike can use a number of known techniques to bypass Windows UAC. [1][2]
Enterprise | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Cobalt Strike can use sudo to run a command. [2]
Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Cobalt Strike can steal access tokens from existing processes. [1][2]
Enterprise | T1134.003 | Access Token Manipulation: Make and Impersonate Token | Cobalt Strike can make tokens from known credentials. [1]
Enterprise | T1134.004 | Access Token Manipulation: Parent PID Spoofing | Cobalt Strike can spawn processes with alternate PPIDs. [3][2]
Enterprise | T1087.002 | Account Discovery: Domain Account | Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group. [4]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports. [1][5][2][6][7]
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Cobalt Strike can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports. [1][5]
Enterprise | T1071.004 | Application Layer Protocol: DNS | Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports. [1][5][2]
Enterprise | T1197 | BITS Jobs | Cobalt Strike can download a hosted "beacon" payload using BITSAdmin. [8][5][2]
Enterprise | T1185 | Browser Session Hijacking | Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates. [1][2]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk. [1][4] Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution. [9][3][5][2]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Cobalt Strike uses a command-line interface to interact with systems. [9][5][2][10]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Cobalt Strike can use VBA to perform execution. [9][3][5]
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Cobalt Strike can use Python to perform execution. [9][3][5][2]
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions. [5]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Cobalt Strike can install a new service. [9]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Cobalt Strike can use Base64, URL-safe Base64, or NetBIOS encoding in its C2 traffic. [2]
Enterprise | T1005 | Data from Local System | Cobalt Strike can collect data from a local system. [9][2]
Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | Cobalt Strike can leverage the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI. [2]
Enterprise | T1030 | Data Transfer Size Limits | Cobalt Strike will break large data sets into smaller chunks for exfiltration. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions. [5][2]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shellcode and configuration data. [5]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server. [5]
Enterprise | T1203 | Exploitation for Client Execution | Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460. [5][2]
Enterprise | T1068 | Exploitation for Privilege Escalation | Cobalt Strike can exploit vulnerabilities such as MS14-058. [9][2]
Enterprise | T1083 | File and Directory Discovery | Cobalt Strike can explore files on a compromised system. [2]
Enterprise | T1564.010 | Hide Artifacts: Process Argument Spoofing | Cobalt Strike can use spoofed arguments in spawned processes that execute Beacon commands. [2]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox. [5][2]
Enterprise | T1070.006 | Indicator Removal: Timestomp | Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in. [1][2]
Enterprise | T1105 | Ingress Tool Transfer | Cobalt Strike can deliver additional payloads to victim machines. [5][2]
Enterprise | T1056.001 | Input Capture: Keylogging | Cobalt Strike can track key presses with a keylogger module. [1][11][2]
Enterprise | T1112 | Modify Registry | Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security\AccessVBOM\ to enable the execution of additional code. [5]
Enterprise | T1106 | Native API | Cobalt Strike's Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe. [1][5][2]
Enterprise | T1046 | Network Service Discovery | Cobalt Strike can perform port scans from an infected host. [1][5][2]
Enterprise | T1135 | Network Share Discovery | Cobalt Strike can query shared drives on the local system. [9]
Enterprise | T1095 | Non-Application Layer Protocol | Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications. [5][2]
Enterprise | T1027 | Obfuscated Files or Information | Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata. [5][2]
Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Cobalt Strike includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods. [1][2]
Enterprise | T1137.001 | Office Application Startup: Office Template Macros | Cobalt Strike has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission. [5]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes. [2]
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Cobalt Strike can recover hashed passwords. [1]
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Cobalt Strike can use net localgroup to list local groups on a system. [2]
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Cobalt Strike can identify targets by querying account groups on a domain controller. [2]
Enterprise | T1057 | Process Discovery | Cobalt Strike's Beacon payload can collect information on process details. [1][5][2]
Enterprise | T1055 | Process Injection | Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary. [1][2][12]
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Cobalt Strike has the ability to load DLLs via reflective injection. [5][2]
Enterprise | T1055.012 | Process Injection: Process Hollowing | Cobalt Strike can use process hollowing for execution. [9][2]
Enterprise | T1572 | Protocol Tunneling | Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports. [1][2]
Enterprise | T1090.001 | Proxy: Internal Proxy | Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access. [1][2]
Enterprise | T1090.004 | Proxy: Domain Fronting | Cobalt Strike has the ability to accept a value for the HTTP Host header to enable domain fronting. [2]
Enterprise | T1012 | Query Registry | Cobalt Strike can query HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security\AccessVBOM\ to determine if the security setting for restricting default programmatic access is enabled. [5][2]
Enterprise | T1620 | Reflective Code Loading | Cobalt Strike's execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR. [2]
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel. [1][13]
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement. [9][10]
Enterprise | T1021.003 | Remote Services: Distributed Component Object Model | Cobalt Strike can deliver Beacon payloads for lateral movement by leveraging remote COM execution. [14]
Enterprise | T1021.004 | Remote Services: SSH | Cobalt Strike can SSH to a remote service. [9][2]
Enterprise | T1021.006 | Remote Services: Windows Remote Management | Cobalt Strike can use WinRM to execute a payload on a remote host. [1][2]
Enterprise | T1018 | Remote System Discovery | Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network. [1][5][2]
Enterprise | T1029 | Scheduled Transfer | Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval. [1]
Enterprise | T1113 | Screen Capture | Cobalt Strike's Beacon payload is capable of capturing screenshots. [1][11][2]
Enterprise | T1518 | Software Discovery | The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has. [2]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Cobalt Strike can use self-signed Java applets to execute signed applet attacks. [5][2]
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Cobalt Strike can use rundll32.exe to load a DLL from the command line. [2][12][10]
Enterprise | T1016 | System Network Configuration Discovery | Cobalt Strike can determine the NetBIOS name and the IP addresses of target machines, including domain controllers. [4][2]
Enterprise | T1049 | System Network Connections Discovery | Cobalt Strike can produce a sessions report from compromised hosts. [5]
Enterprise | T1007 | System Service Discovery | Cobalt Strike can enumerate services on compromised hosts. [2]
Enterprise | T1569.002 | System Services: Service Execution | Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use the Service Control Manager to start new services. [1][9][2]
Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Cobalt Strike can perform pass the hash. [9]
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account. [1][3][2]
Enterprise | T1078.003 | Valid Accounts: Local Accounts | Cobalt Strike can use known credentials to run commands and spawn processes as a local user account. [1][3]
Enterprise | T1047 | Windows Management Instrumentation | Cobalt Strike can use WMI to deliver a payload to a remote host. [1][2][12]
Groups That Use This Software

ID | Name | References
G1046 | Storm-1811 | Storm-1811 operations include the use of Cobalt Strike. [15][16]
G0129 | Mustang Panda | [17][18][19][20][21]
G0027 | Threat Group-3390 | [22]
G0050 | APT32 | [23][24][25][26][27][11][28]
G1022 | ToddyCat | [7]
G0073 | APT19 | [29]
G0037 | FIN6 | [30]
G0092 | TA505 | [31]
G0052 | CopyKittens | [32]
G0079 | DarkHydrus | [33][34]
G1040 | Play | [35]
G1006 | Earth Lusca | [36]
G0046 | FIN7 | [37][38][39]
G1020 | Mustard Tempest | [40]
G0096 | APT41 | [41][42][43][44]
G0045 | menuPass | [6]
G0143 | Aquatic Panda | [45]
G0080 | Cobalt Group | [46][47][48][49][50][51][52][53]
G0034 | Sandworm Team | Sandworm Team has used multiple publicly available tools during operations, such as Cobalt Strike. [54]
G1043 | BlackByte | BlackByte has used Cobalt Strike as a post-exploitation tool. [55][56]
G0065 | Leviathan | [57][58][59]
G0016 | APT29 | [60][61][62][63][64][65][66][67][68][69][70]
G1021 | Cinnamon Tempest | [40][71]
G0067 | APT37 | [72]
G1014 | LuminousMoth | [73][74]
G0114 | Chimera | [75][76]
G0119 | Indrik Spider | [77][40][78]
G0102 | Wizard Spider | [79][80][81][82][83][84][85][86]
Campaigns

ID | Name | Description
C0040 | APT41 DUST | Cobalt Strike was used during APT41 DUST. [43]
C0015 | C0015 | [12]
C0017 | C0017 | During C0017, APT41 used the DUSTPAN in-memory dropper to drop a Cobalt Strike BEACON backdoor onto a compromised network. [44]
C0018 | C0018 | [87]
C0021 | C0021 | [88][89]
C0024 | SolarWinds Compromise | [60][61]
References

[1] Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
[2] Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
[3] Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
[4] Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
[5] Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
[6] GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
[7] Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
[8] Strategic Cyber, LLC. (n.d.). Scripted Web Delivery. Retrieved January 23, 2018.
[9] Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
[10] Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
[11] Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
[12] DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
[13] Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
[14] Mudge, R. (2017, January 24). Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique. Retrieved November 21, 2017.
[15] Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
[16] Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
[17] Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
[18] Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
[19] Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
[20] Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
[21] Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
[22] Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
[23] Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
[24] Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
[25] Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
[26] Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
[27] Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
[28] Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
[29] Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
[30] McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
[31] Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
[32] ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
[33] Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
[34] Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
[35] Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
[36] Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
[37] Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
[38] The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
[39] Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
[40] Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[41] Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
[42] Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
[43] Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
[44] Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
[45] Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
[46] Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
[47] Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
[48] Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
[49] Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
[50] Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
[51] Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
[52] CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
[53] Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
[54] Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
[55] Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
[56] Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
[57] Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
[58] FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[59] CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
[60] FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
[61] NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
[62] Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
[63] MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
[64] Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
[65] ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
[66] Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
[67] Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.
[68] NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
[69] UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
[70] Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
[71] SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.
[72] Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
[73] Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
[74] Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
[75] Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
[76] Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
[77] Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
[78] Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
[79] Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
[80] DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
[81] The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
[82] The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
[83] The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
[84] Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
[85] Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
[86] Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
[87] Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
[88] Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
[89] Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.