…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…s. [50] S0152 EvilGrab EvilGrab has the capability to capture screenshots. [51] G0046 FIN7 FIN7 captured screenshots and desktop video recordings. [52] S0182 FinFisher FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an app…
…[104] G0037 FIN6 FIN6 has used kill.bat script to disable security tools. [105] G0046 FIN7 FIN7 used the command prompt to launch commands on the victim’s machine. [106] [107] G0061 FIN8 FIN8 has used a Batch file to automate frequently executed post-compromise cleanup activities…
…ls (often sent from compromised accounts) containing malicious links. [53] [54] G0046 FIN7 FIN7 has conducted broad phishing campaigns using malicious links. [55] G0061 FIN8 FIN8 has distributed targeted emails containing links to malicious documents with embedded macros. [56] S0…
… FIN6 has used WMI to automate the remote execution of PowerShell scripts. [57] G0046 FIN7 FIN7 has used WMI to install malware on targeted systems. [58] G0061 FIN8 FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…XROOT downloads and uploads files to and from the victim’s machine. [140] [141] G0046 FIN7 FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload. [142] [143] G0061…
…o download and execute shellcode and to set up a local listener. [74] [75] [76] G0046 FIN7 FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload. [77] [78] G0061 FIN8 FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has a…
…lish persistence for its downloader tools known as HARDTACK and SHIPBREAD. [96] G0046 FIN7 FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder. [97] [98] S0355 Final1stspy Final1stspy creates a Registry R…
…ish persistence for its downloader tools known as HARDTACK and SHIPBREAD. [100] G0046 FIN7 FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder. [101] [102] S0355 Final1stspy Final1stspy creates a Registry…
…ownload and execute shellcode and to set up a local listener. [104] [105] [106] G0046 FIN7 FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload. [107] [108] [109] [110] G0061 FIN8 FIN8's malicious spearphishing payloads are executed as PowerShel…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…ownload and execute shellcode and to set up a local listener. [111] [112] [113] G0046 FIN7 FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload. [114] [115] [116] [117] [118] Additionally, FIN7 has executed a custom obfuscation of the shellcode i…
…system user information. [43] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215] G0081 Tropic Trooper Tropic Trooper use…