Data from Local System, Technique T1005 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Data from Local System
Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, as well as a Network Device CLI, which have functionality to interact with the file system to gather information. [1] Adversaries may also use Automated Collection on the local system.
ID: T1005
Sub-techniques: No sub-techniques
Tactic: Collection
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Austin Clark, @c2defense; William Cain
Version: 1.7
Created: 31 May 2017
Last Modified: 15 April 2025
Procedure Examples

| ID | Name | Description |
|---|---|---|
| S1028 | Action RAT | Action RAT can collect local data from an infected machine. [2] |
| G1030 | Agrius | Agrius gathered data from database and other critical servers in victim environments, then used wiping mechanisms as an anti-analysis and anti-forensics mechanism. [3] |
| S1025 | Amadey | Amadey can collect information from a compromised host. [4] |
| G0138 | Andariel | Andariel has collected large numbers of files from compromised network systems for later extraction. [5] |
| S0622 | AppleSeed | AppleSeed can collect data on a compromised host. [6][7] |
| G0006 | APT1 | APT1 has collected files from a local victim. [8] |
| G0007 | APT28 | APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration. [9][10][11][12] |
| G0016 | APT29 | APT29 has stolen data from compromised hosts. [13] |
| G0022 | APT3 | APT3 will identify Microsoft Office documents on the victim's computer. [14] |
| G0067 | APT37 | APT37 has collected data from victims' local systems. [15] |
| G0082 | APT38 | APT38 has collected data from a compromised host. [16] |
| G0087 | APT39 | APT39 has used various tools to steal files from the compromised host. [17][18] |
| G0096 | APT41 | APT41 has uploaded files and data from a compromised host. [19] |
| G0143 | Aquatic Panda | Aquatic Panda captured local Windows security event log data from victim machines using the wevtutil utility to extract contents to an evtx output file. [20] |
| S1029 | AuTo Stealer | AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine. [2] |
| G0001 | Axiom | Axiom has collected data from a compromised network. [21] |
| S0642 | BADFLICK | BADFLICK has uploaded files from victims' machines. [22] |
| S0128 | BADNEWS | When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. [23][24] |
| S0337 | BadPatch | BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx. [25] |
| S0234 | Bandook | Bandook can collect local files from the system. [26] |
| S0239 | Bankshot | Bankshot collects files from the local system. [27] |
| S0534 | Bazar | Bazar can retrieve information from the infected machine. [28] |
| S0268 | Bisonal | Bisonal has collected information from a compromised host. [29] |
| S0564 | BlackMould | BlackMould can copy files on a compromised host. [30] |
| S0520 | BLINDINGCAN | BLINDINGCAN has uploaded files from victim machines. [31] |
| S0651 | BoxCaon | BoxCaon can upload files from a compromised host. [32] |
| G0060 | BRONZE BUTLER | BRONZE BUTLER has exfiltrated files stolen from local systems. [33] |
| S1063 | Brute Ratel C4 | Brute Ratel C4 has the ability to upload files from a compromised system. [34] |
| S1039 | Bumblebee | Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies. [35] |
| C0015 | C0015 | During C0015, the threat actors obtained files and data from the compromised network. [36] |
| C0017 | C0017 | During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks. [37] |
| C0026 | C0026 | During C0026, the threat actors collected documents from compromised hosts. [38] |
| S0274 | Calisto | Calisto can collect data from user directories. [39] |
| S0572 | Caterpillar WebShell | Caterpillar WebShell has a module to collect information from the local database. [40] |
| S1043 | ccf32 | ccf32 can collect files from a compromised host. [41] |
| S0674 | CharmPower | CharmPower can collect data and files from a compromised host. [42] |
| S1149 | CHIMNEYSWEEP | CHIMNEYSWEEP can collect files from compromised hosts. [43] |
| S0020 | China Chopper | China Chopper's server component can upload local files. [44][45][46][47] |
| S0667 | Chrommme | Chrommme can collect data from a local system. [48] |
| S0660 | Clambling | Clambling can collect information from a compromised host. [49] |
| S0154 | Cobalt Strike | Cobalt Strike can collect data from a local system. [50][51] |
| S0492 | CookieMiner | CookieMiner has retrieved iPhone text messages from iTunes phone backup files. [52] |
| S0050 | CosmicDuke | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list. [53] |
| C0004 | CostaRicto | During CostaRicto, the threat actors collected data and files from compromised networks. [54] |
| S1023 | CreepyDrive | CreepyDrive can upload files to C2 from victim machines. [55] |
| S0115 | Crimson | Crimson can collect information from a compromised host. [56] |
| S0538 | Crutch | Crutch can exfiltrate files from compromised systems. [57] |
| S0498 | Cryptoistic | Cryptoistic can retrieve files from the local file system. [58] |
| G1012 | CURIUM | CURIUM has exfiltrated data from a compromised machine. [59] |
| C0029 | Cutting Edge | During Cutting Edge, threat actors stole the running configuration and cache data from targeted Ivanti Connect Secure VPNs. [60][61] |
| S0687 | Cyclops Blink | Cyclops Blink can upload files from a compromised host. [62] |
| S1014 | DanBot | DanBot can upload files from compromised hosts. [63] |
| G0070 | Dark Caracal | Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems. [64] |
| S1111 | DarkGate | DarkGate has stolen sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present. [65] |
| S0673 | DarkWatchman | DarkWatchman can collect files from a compromised host. [66] |
| S1021 | DnsSystem | DnsSystem can upload files from infected machines after receiving a command with uploaddd in the string. [67] |
| G0035 | Dragonfly | Dragonfly has collected data from local victim systems. [68] |
| S0694 | DRATzarus | DRATzarus can collect information from a compromised host. [69] |
| S0502 | Drovorub | Drovorub can transfer files from the victim machine. [70] |
| S0567 | Dtrack | Dtrack can collect a variety of information from victim machines. [71] |
| S1159 | DUSTTRAP | DUSTTRAP can gather data from infected systems. [72] |
| G1003 | Ember Bear | Ember Bear gathers victim system information such as enumerating the volume of a given device or extracting system and security event logs for analysis. [73][74] |
| S0634 | EnvyScout | EnvyScout can collect sensitive NTLM material from a compromised host. [75] |
| S0404 | esentutl | esentutl can be used to collect data from local file systems. [76] |
| S0512 | FatDuke | FatDuke can copy files and directories from a compromised host. [77] |
| G1016 | FIN13 | FIN13 has gathered stolen credentials, sensitive data such as point-of-sale (POS), and ATM data from a compromised network before exfiltration. [78][79] |
| G0037 | FIN6 | FIN6 has collected and exfiltrated payment card data from compromised systems. [80][81][82] |
| G0046 | FIN7 | FIN7 has collected files and other sensitive information from a compromised network. [83] |
| S0696 | Flagpro | Flagpro can collect data from a compromised host, including Windows authentication information. [84] |
| S0036 | FLASHFLOOD | FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book. [85] |
| S0381 | FlawedAmmyy | FlawedAmmyy has collected information and files from a compromised machine. [86] |
| S0661 | FoggyWeb | FoggyWeb can retrieve configuration data from a compromised AD FS server. [87] |
| S0193 | Forfiles | Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during collection (ex: copy files into a staging area before exfiltration). [9] |
| G0117 | Fox Kitten | Fox Kitten has searched local system resources to access sensitive documents. [88] |
| S0503 | FrameworkPOS | FrameworkPOS can collect elements related to credit card data from process memory. [89] |
| C0001 | Frankenstein | During Frankenstein, the threat actors used Empire to gather various local system information. [90] |
| S1044 | FunnyDream | FunnyDream can upload files from victims' machines. [41][91] |
| G0093 | GALLIUM | GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry. [92] |
| G0047 | Gamaredon Group | Gamaredon Group has collected files from infected systems and uploaded them to a C2 server. [93] |
| S0666 | Gelsemium | Gelsemium can collect data from a compromised host. [48] |
| S0477 | Goopy | Goopy has the ability to exfiltrate documents from infected systems. [94] |
| S0237 | GravityRAT | GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. [95] |
| S0690 | Green Lambert | Green Lambert can collect data from a compromised host. [96] |
| S0632 | GrimAgent | GrimAgent can collect data and files from a compromised host. [97] |
| G0125 | HAFNIUM | HAFNIUM has collected data and files from a compromised machine. [47][98] |
| S0009 | Hikit | Hikit can upload files from compromised machines. [21] |
| S0203 | Hydraq | Hydraq creates a backdoor through which remote attackers can read data from files. [99][100] |
| S1022 | IceApple | IceApple can collect files, passwords, and other data from a compromised host. [101] |
| G0100 | Inception | Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host. [102] |
| S0260 | InvisiMole | InvisiMole can collect data from the system, and can monitor changes in specified directories. [103] |
| S1132 | IPsec Helper | IPsec Helper can identify specific files and folders for follow-on exfiltration. [104] |
| S0015 | Ixeshe | Ixeshe can collect data from a local system. [105] |
| S0265 | Kazuar | Kazuar uploads files from a specified directory to the C2 server. [106] |
| G0004 | Ke3chang | Ke3chang gathered information and files from local directories for exfiltration. [107][108] |
| S1020 | Kevin | Kevin can upload logs and other data from a compromised host. [109] |
| S0526 | KGH_SPY | KGH_SPY can send a file containing victim system information to C2. [110] |
| G0094 | Kimsuky | Kimsuky has collected Office, PDF, and HWP documents from its victims. [111][112] |
| S0250 | Koadic | Koadic can download files off the target system to send back to the server. [113][114] |
| S0356 | KONNI | KONNI has stored collected information and discovered processes in a tmp file. [115] |
| S1075 | KOPILUWAK | KOPILUWAK can gather information from compromised hosts. [38] |
| G1004 | LAPSUS$ | LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release. [116] |
| S1160 | Latrodectus | Latrodectus can collect data from a compromised host using a stealer module. [117] |
| G0032 | Lazarus Group | Lazarus Group has collected data and files from compromised networks. [118][119][120][121] |
| S0395 | LightNeuron | LightNeuron can collect files from a local system. [122] |
| S0211 | Linfo | Linfo creates a backdoor through which remote attackers can obtain data from local systems. [123] |
| S1101 | LoFiSe | LoFiSe can collect files of interest from targeted systems. [124] |
| G1014 | LuminousMoth | LuminousMoth has collected files and data from compromised machines. [125][126] |
| S0409 | Machete | Machete searches the file system for files of interest. [127] |
| S1016 | MacMa | MacMa can collect then exfiltrate files from the compromised system. [128] |
| S1060 | Mafalda | Mafalda can collect files and information from a compromised host. [129] |
| G0059 | Magic Hound | Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine. [130][131] |
| S0652 | MarkiRAT | MarkiRAT can upload data from the victim's machine to the C2 server. [132] |
| S0500 | MCMD | MCMD has the ability to upload files from an infected device. [133] |
| G0045 | menuPass | menuPass has collected various files from the compromised computers. [134][135] |
| S1059 | metaMain | metaMain can collect files and system information from a compromised host. [129][136] |
| S1146 | MgBot | MgBot includes modules for collecting files from local systems based on a given set of properties and filenames. [137] |
| S1015 | Milan | Milan can upload files from a compromised host. [138] |
| S0084 | Mis-Type | Mis-Type has collected files and data from a compromised host. [139] |
| S0083 | Misdat | Misdat has collected files and data from a compromised host. [139] |
| S0079 | MobileOrder | MobileOrder exfiltrates data collected from the victim mobile device. [140] |
| S1026 | Mongall | Mongall has the ability to upload files from victims' machines. [141] |
| S0630 | Nebulae | Nebulae has the capability to upload collected files to C2. [142] |
| S0691 | Neoichor | Neoichor can upload files from a victim's machine. [108] |
| C0002 | Night Dragon | During Night Dragon, the threat actors collected files and other data from compromised systems. [143] |
| S1090 | NightClub | NightClub can use a file monitor to steal specific files from targeted systems. [144] |
| S0385 | njRAT | njRAT can collect data from a local system. [145] |
| S1131 | NPPSPY | NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext. [146] |
| S0340 | Octopus | Octopus can exfiltrate files from the system using a documents collector tool. [147] |
| G0049 | OilRig | OilRig has used PowerShell to upload files from compromised systems. [148] |
| C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks. [149] |
| C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host. [69][150] |
| C0006 | Operation Honeybee | During Operation Honeybee, the threat actors collected data from compromised hosts. [151] |
| C0048 | Operation MidnightEclipse | During Operation MidnightEclipse, threat actors stole saved cookies and login data from targeted systems. [152] |
| C0014 | Operation Wocao | During Operation Wocao, threat actors exfiltrated files and directories of interest from the targeted system. [153] |
| S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D has the ability to upload files from a compromised host. [154] |
| S0594 | Out1 | Out1 can copy files and Registry data from compromised hosts. [155] |
| S1017 | OutSteel | OutSteel can collect information from a compromised host. [156] |
| S0598 | P.A.S. Webshell | P.A.S. Webshell has the ability to copy files on a compromised host. [157] |
| S0208 | Pasam | Pasam creates a backdoor through which remote attackers can retrieve files. [158] |
| G0040 | Patchwork | Patchwork collected and exfiltrated files from the infected system. [159] |
| S1102 | Pcexter | Pcexter can upload files from targeted systems. [124] |
| S1050 | PcShare | PcShare can collect files and information from a compromised host. [41] |
| S0517 | Pillowmint | Pillowmint has collected credit card data using native API functions. [160] |
| S0048 | PinchDuke | PinchDuke collects user files from the compromised host based on predefined file extensions. [161] |
| S1031 | PingPull | PingPull can collect data from a compromised host. [162] |
| S0012 | PoisonIvy | PoisonIvy creates a backdoor through which remote attackers can steal system information. [163] |
| S1012 | PowerLess | PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines. [164] |
| S0194 | PowerSploit | PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes. [165][166] |
| S0223 | POWERSTATS | POWERSTATS can upload files from compromised hosts. [167] |
| S0238 | Proxysvc | Proxysvc searches the local system and gathers data. [168] |
| S0197 | PUNCHTRACK | PUNCHTRACK scrapes memory for properly formatted payment card data. [169][170] |
| S0650 | QakBot | QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated. [171][172] |
| S0262 | QuasarRAT | QuasarRAT can retrieve files from compromised client machines. [173] |
| S0686 | QuietSieve | QuietSieve can collect files from a compromised host. [174] |
| S1148 | Raccoon Stealer | Raccoon Stealer collects data from victim machines based on configuration information received from command and control nodes. [175][176] |
| S0629 | RainyDay | RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host. [142] |
| S0458 | Ramsay | Ramsay can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache. [177][178] |
| S1113 | RAPIDPULSE | RAPIDPULSE retrieves files from the victim system via encrypted commands sent to the web shell. [179] |
| S0169 | RawPOS | RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data. [180][181][182] |
| S0662 | RCSession | RCSession can collect data from a compromised host. [183][49] |
| G1039 | RedCurl | RedCurl has collected data from the local disk of compromised hosts. [184][185] |
| S0448 | Rising Sun | Rising Sun has collected data and files from a compromised host. [186] |
| S0240 | ROKRAT | ROKRAT can collect host data and specific file types. [187][188][189] |
| S0090 | Rover | Rover searches for files on local drives based on a predefined list of file extensions. [190] |
| S1018 | Saint Bot | Saint Bot can collect files and information from a compromised host. [191] |
| S1099 | Samurai | Samurai can leverage an exfiltration module to download arbitrary files from compromised machines. [192] |
| G0034 | Sandworm Team | Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts. [193] |
| S1085 | Sardonic | Sardonic has the ability to collect data from a compromised machine to deliver to the attacker. [194] |
| S0461 | SDBbot | SDBbot has the ability to access the file system on a compromised host. [195] |
| S1019 | Shark | Shark can upload files to its C2. [138][196] |
| S1089 | SharpDisco | SharpDisco has dropped a recent-files stealer plugin to C:\Users\Public\WinSrcNT\It11.exe. [144] |
| S0444 | ShimRat | ShimRat has the capability to upload collected files to a C2. [197] |
| S0610 | SideTwist | SideTwist has the ability to upload files from a compromised host. [198] |
| S1110 | SLIGHTPULSE | SLIGHTPULSE can read files specified on the local system. [199] |
| S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has uploaded files and information from victim machines. [200] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 extracted files from compromised networks. [201] |
| S0615 | SombRAT | SombRAT has collected data and files from a compromised host. [54][202] |
| S0646 | SpicyOmelette | SpicyOmelette has collected data and other information from a compromised host. [203] |
| S1037 | STARWHALE | STARWHALE can collect data from an infected local host. [204] |
| S1200 | StealBit | StealBit can upload data and files to the LockBit victim-shaming site. [205][206] |
| G0038 | Stealth Falcon | Stealth Falcon malware gathers data from the local victim system. [207] |
| S1034 | StrifeWater | StrifeWater can collect data from a compromised host. [208] |
| S0559 | SUNBURST | SUNBURST collected information from a compromised host. [209][210] |
| S1064 | SVCReady | SVCReady can collect data from an infected host. [211] |
| S0663 | SysUpdate | SysUpdate can collect information and files from a compromised host. [212] |
| S0011 | Taidoor | Taidoor can upload data and files from a victim's machine. [213] |
| S0467 | TajMahal | TajMahal has the ability to steal documents from the local system including the print spooler queue. [214] |
| G0027 | Threat Group-3390 | Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. [215] |
| S0665 | ThreatNeedle | ThreatNeedle can collect data and files from a compromised host. [121] |
| S0668 | TinyTurla | TinyTurla can upload files from a compromised host. [216] |
| G1022 | ToddyCat | ToddyCat has run scripts to collect documents from targeted hosts. [124] |
| S0671 | Tomiris | Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration. [217] |
| S0266 | TrickBot | TrickBot collects local files and information from the victim's local machine. [218] |
| S1196 | Troll Stealer | Troll Stealer gathers information from infected systems such as SSH information from the victim's .ssh directory. [219] Troll Stealer collects information from local FileZilla installations and Microsoft Sticky Note. [220] |
| G0010 | Turla | Turla RPC backdoors can upload files from victim machines. [221] |
| S0022 | Uroburos | Uroburos can use its Get command to exfiltrate specified files from the compromised system. [222] |
| S0386 | Ursnif | Ursnif has collected files from victim machines, including certificates and cookies. [223] |
| S0452 | USBferry | USBferry can collect information from an air-gapped host machine. [224] |
| G1017 | Volt Typhoon | Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information. [225][226][227] |
| S0670 | WarzoneRAT | WarzoneRAT can collect data from a compromised host. [228] |
| S0515 | WellMail | WellMail can exfiltrate files from the victim machine. [229] |
| S0514 | WellMess | WellMess can send files from the victim machine to C2. [230][231] |
| S0645 | Wevtutil | Wevtutil can be used to export events from a specific log. [232][233] |
| G0124 | Windigo | Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors. [234] |
| G0102 | Wizard Spider | Wizard Spider has collected data from a compromised host prior to exfiltration. [235] |
| S1065 | Woody RAT | Woody RAT can collect information from a compromised host. [236] |
| S0653 | xCaon | xCaon has uploaded files from victims' machines. [32] |
| S0658 | XCSSET | XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders. [237] |
| S0248 | yty | yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server. [238] |
| S0672 | Zox | Zox has the ability to upload files from a targeted system. [21] |
| S0412 | ZxShell | ZxShell can transfer files from a compromised host. [239] |
| S1013 | ZxxZ | ZxxZ can collect data from a compromised host. [240] |
Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
Detection

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
| DS0022 | File | File Access | Monitor for unexpected or abnormal access to files that may indicate malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases. On ESXi servers, this may include .vmdk and .vmsn files in the /vmfs/volumes directory. |
| DS0009 | Process | OS API Execution | Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. |
| DS0009 | Process | Process Creation | Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. |
| DS0012 | Script | Script Execution | Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running outside of patching cycles or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
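The detection guidance above, turned into runnable logic as an added example (not ATT&CK content): it scans constructed process-creation and file-access records for the wevtutil log export and esentutl copy usage the page names, for bulk reads of user document types by a single process, and for reads of .vmdk/.vmsn files under /vmfs/volumes. The event field names, sample values and the bulk-read threshold are assumptions.

```python
"""Detection logic for T1005 telemetry (added example; field names and values are assumed)."""
import os
import re
from collections import defaultdict

# Command-line patterns for two tools the technique page names: wevtutil exporting an
# event log (epl / export-log) and esentutl in copy mode (/y), both used to pull local data.
COMMAND_PATTERNS = {
    "wevtutil_export": re.compile(r"\bwevtutil(\.exe)?\s+(epl|export-log)\b", re.IGNORECASE),
    "esentutl_copy": re.compile(r"\besentutl(\.exe)?\s+/y\b", re.IGNORECASE),
}

# User document types from the File Access guidance, plus the ESXi VM file types.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}
ESXI_EXTENSIONS = {".vmdk", ".vmsn"}
ESXI_DATASTORE_ROOT = "/vmfs/volumes/"
BULK_THRESHOLD = 5  # distinct documents read by one process before alerting (assumed value)


def detect_commands(events):
    """Return one alert per process-creation record whose command line matches a pattern."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for rule, pattern in COMMAND_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                               "pid": ev["pid"], "cmd": ev["cmd"]})
    return alerts


def detect_file_access(events, threshold=BULK_THRESHOLD):
    """Flag reads of VM files under /vmfs/volumes and bulk document reads by one process."""
    alerts = []
    docs_per_process = defaultdict(set)
    for ev in events:
        if ev["type"] != "file" or ev["op"] != "read":
            continue
        ext = os.path.splitext(ev["path"])[1].lower()
        if ev["path"].startswith(ESXI_DATASTORE_ROOT) and ext in ESXI_EXTENSIONS:
            alerts.append({"rule": "esxi_vm_file_access", "host": ev["host"],
                           "user": ev["user"], "pid": ev["pid"], "path": ev["path"]})
        elif ext in DOC_EXTENSIONS:
            docs_per_process[(ev["host"], ev["user"], ev["pid"])].add(ev["path"])
    # Emit one alert per process that touched at least `threshold` distinct documents.
    for (host, user, pid), paths in docs_per_process.items():
        if len(paths) >= threshold:
            alerts.append({"rule": "bulk_document_access", "host": host, "user": user,
                           "pid": pid, "count": len(paths)})
    return alerts


def detect(events):
    """Run both detectors over a mixed stream of process and file records."""
    return detect_commands(events) + detect_file_access(events)


# Constructed sample telemetry (not real data): two suspicious command lines, one benign one,
# a process that reads six documents, one that reads two, and reads on an ESXi datastore.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": "jdoe", "pid": 412,
     "cmd": "wevtutil.exe epl Security C:\\Users\\Public\\sec.evtx"},
    {"type": "process", "host": "ws01", "user": "jdoe", "pid": 520,
     "cmd": "esentutl.exe /y C:\\Users\\jdoe\\AppData\\Local\\app\\cache.dat /d C:\\Users\\Public\\c.dat"},
    {"type": "process", "host": "ws01", "user": "jdoe", "pid": 530,
     "cmd": "notepad.exe C:\\Users\\jdoe\\Documents\\notes.txt"},
] + [
    {"type": "file", "host": "ws01", "user": "jdoe", "pid": 777, "op": "read",
     "path": f"C:\\Users\\jdoe\\Documents\\report{i}.docx"} for i in range(6)
] + [
    {"type": "file", "host": "ws01", "user": "jdoe", "pid": 778, "op": "read",
     "path": f"C:\\Users\\jdoe\\Documents\\memo{i}.pdf"} for i in range(2)
] + [
    {"type": "file", "host": "esx01", "user": "root", "pid": 900, "op": "read",
     "path": "/vmfs/volumes/ds1/vm1/vm1-flat.vmdk"},
    {"type": "file", "host": "esx01", "user": "root", "pid": 900, "op": "read",
     "path": "/vmfs/volumes/ds1/vm1/vm1.vmx"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it on the sample stream yields four alerts: the two command-line matches, the ESXi .vmdk read, and the six-document bulk read by pid 777; the two-document process and the .vmx read stay silent.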
References
Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.
Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024.
Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020.
NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021.
Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.
Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.
Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. Retrieved September 19, 2022.
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
Microsoft Threat Intelligence. (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
Amitai Ben Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
Levene, B., et al. (2017, May 3). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT? Retrieved August 13, 2019.
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024.
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.
F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum? Retrieved June 16, 2022.
Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.