…o exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322. [48] G0040 Patchwork Patchwork has used watering holes to deliver files with exploits to initial victims. [49] [50] G0068 PLATINUM PLATINUM has sometimes used drive-by attacks against vulnerable browser pl…
… been distributed as a malicious attachment within a spearphishing email. [185] G0040 Patchwork Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims. [186] [187] [188] [189] G0068 PLATINUM PLATINUM has sent spearphishing emails wit…
…4 Night Dragon Night Dragon has obtained and used tools such as gsecdump . [51] G0040 Patchwork Patchwork has obtained and used open-source tools such as QuasarRAT . [52] G0011 PittyTiger PittyTiger has obtained and used tools such as Mimikatz and gsecdump . [53] G0034 Sandworm T…
…s relied on a user to click a malicious link within a spearphishing email. [85] G0040 Patchwork Patchwork has used spearphishing with links to try to get users to click, download and open malicious files. [86] [87] [88] [15] S0435 PLEAD PLEAD has been executed via malicious links…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…has used cmd.exe to scan a compromised host for specific file extensions. [277] G0040 Patchwork Patchwork ran a reverse shell with Meterpreter. [278] Patchwork used JavaScript code and .SCT files on victim machines. [41] [279] S1050 PcShare PcShare can execute cmd commands on a c…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…es. [36] S0630 Nebulae Nebulae can use DLL side-loading to gain execution. [37] G0040 Patchwork A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading. [38] S0013 PlugX PlugX has used DLL side-loading to evade anti-virus. [4] [22] [39] [27] [40] S062…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved Nov…
…2] S0198 NETWIRE NETWIRE has the ability to compress archived screenshots. [43] G0040 Patchwork Patchwork encrypted the collected files' path with AES and then encoded them with base64. [44] S0517 Pillowmint Pillowmint has encrypted stolen credit card information with AES and fur…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…asam creates a backdoor through which remote attackers can retrieve files. [87] G0040 Patchwork Patchwork collected and exfiltrated files from the infected system. [88] S0517 Pillowmint Pillowmint has collected credit card data using native API functions. [89] S0048 PinchDuke Pin…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…es a backdoor through which remote attackers can retrieve lists of files. [249] G0040 Patchwork A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions. [250] [39] S1102 Pcexter Pcexter has the ability to search for files …
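The collection behaviour attributed to Patchwork above (walking every fixed drive for files whose extension is on a target list) is simple enough to emulate in a lab so that file-access auditing or EDR rules can be tested against it. The following is an added example, not code from the ATT&CK page or from any Patchwork sample: the extension list, the directory layout and the list of "drive" roots are constructed for the demo (on a real Windows host the roots would come from the logical-drive enumeration API, which is deliberately abstracted here into a parameter).

```python
"""Emulate 'search all fixed drives for files matching an extension list'.

Added example for lab emulation and detection testing; it is not Patchwork
code and the target extensions below are an assumption, not the group's list.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Constructed target list (assumption; the page does not give the real one).
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".pdf", ".ppt"}


def find_files_by_extension(roots, extensions, max_results=None):
    """Walk every root recursively and return paths whose suffix is in
    `extensions` (compared case-insensitively, since NTFS is case-insensitive).
    Directories that cannot be read are skipped instead of aborting the walk,
    and an optional cap bounds the result size."""
    wanted = {e.lower() for e in extensions}
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
            for name in filenames:
                if Path(name).suffix.lower() in wanted:
                    hits.append(os.path.join(dirpath, name))
                    if max_results is not None and len(hits) >= max_results:
                        return hits
    return hits


def build_demo_tree():
    """Create a constructed directory tree standing in for two fixed drives."""
    base = tempfile.mkdtemp(prefix="ext_hunt_")
    layout = [
        "driveC/Users/alice/Documents/report.DOCX",  # matches (mixed case)
        "driveC/Users/alice/Documents/notes.txt",    # no match
        "driveC/Windows/Temp/budget.xls",            # matches
        "driveD/archive/deck.ppt",                   # matches
        "driveD/archive/photo.jpg",                  # no match
    ]
    for rel in layout:
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    roots = [os.path.join(base, "driveC"), os.path.join(base, "driveD")]
    return base, roots


def demo():
    """Build the tree, run the search, and return matches as sorted
    base-relative POSIX-style paths; the temp tree is removed afterwards."""
    base, roots = build_demo_tree()
    try:
        hits = find_files_by_extension(roots, TARGET_EXTENSIONS)
        return sorted(os.path.relpath(h, base).replace(os.sep, "/") for h in hits)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Running this against a monitored test host produces a burst of recursive directory enumeration and reads of document-type files from one process, which is the telemetry shape a hunting rule for this technique should key on; the `max_results` cap exists so the emulation can be bounded when run on a large volume.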