…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…ed residential endpoints as proxies for defense evasion and network access. [5] G0022 APT3 An APT3 downloader establishes SOCKS5 connections for its initial C2. [6] G0087 APT39 APT39 has used various tools to proxy C2 communications. [7] G0053 FIN5 FIN5 maintains access to victim…
…alware variant using a legitimate executable that loaded the malicious DLL. [2] G0022 APT3 APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools. [3] [4] G0050 APT32 APT32 ran legitimately-signed executables from Symantec and McAfee which lo…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
… to CozyCar installations to download and install SeaDuke. [15] [16] [17] [18] G0022 APT3 APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [19] G0050 APT32 APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode load…
…APT1 APT1 used the net use command to get a listing on network connections. [6] G0022 APT3 APT3 has a tool that can enumerate current network connections. [7] [8] [9] G0050 APT32 APT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine. [10] G00…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
… to CozyCar installations to download and install SeaDuke. [18] [19] [20] [21] G0022 APT3 APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [22] G0050 APT32 APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode load…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…nto clicking on a link to a zip file containing malicious files. [11] [12] [13] G0022 APT3 APT3 has sent spearphishing emails containing malicious links. [14] G0050 APT32 APT32 has sent spearphishing emails containing malicious links. [15] [16] [17] [18] [19] G0064 APT33 APT33 ha…
…crosoft Word, Exchange, and Adobe Reader, to gain code execution. [9] [10] [11] G0022 APT3 APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776. [12] [13] G0050 APT32 APT32 has used RTF document that includes an e…
…of spearphishing attempting to get a user to click on a malicious link. [4] [5] G0022 APT3 APT3 has lured victims into clicking malicious links delivered through spearphishing. [6] G0050 APT32 APT32 has lured targets to download a Cobalt Strike beacon by including a malicious lin…
…enses, exfiltrate data, and to execute other commands. [11] [12] [13] [14] [15] G0022 APT3 APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [16] G0050 APT32 APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode load…
…pril 2025 Procedure Examples ID Name Description G0022 APT3 An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on…
…ver. [2] S0622 AppleSeed AppleSeed can exfiltrate files via the C2 channel. [3] G0022 APT3 APT3 has a tool that exfiltrates data over the C2 channel. [4] G0050 APT32 APT32's backdoor has exfiltrated data using the already opened channel with its C&C server. [5] G0087 APT39 APT39…