…SHFLOOD achieves persistence by making an entry in the Registry's Run key. [35] G0047 Gamaredon Group Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence. [86] [87] S0168 Gazer Gazer can establish persistence by creating a .lnk f…
…lmaker used PowerShell to download additional payloads and for execution. [119] G0047 Gamaredon Group Gamaredon Group has used obfuscated PowerShell scripts for staging. [120] S1117 GLASSTOKEN GLASSTOKEN can use PowerShell for command execution. [121] G0115 GOLD SOUTHFIELD GOLD S…
…, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [148] [59] G0047 Gamaredon Group Tools used by Gamaredon Group are capable of downloading and executing additional payloads. [149] [150] [151] S0168 Gazer Gazer can execute a task to download a file. [152] [153]…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…an use a Registry Run Key and the Startup folder to establish persistence. [59] G0047 Gamaredon Group Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence. [103] [104] [105] [106] S0168 Gazer Gazer can establish persistence by cre…
… enable the forwarding of requests for internal services via domain name. [147] G0047 Gamaredon Group Gamaredon Group has used HTTP and HTTPS for C2 communications. [148] [149] [150] [151] [152] [153] [154] S0168 Gazer Gazer communicates with its C2 servers over HTTP. [155] S0666…
…G0093 GALLIUM GALLIUM used the Windows command shell to execute commands. [145] G0047 Gamaredon Group Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file. [146] [14…
…an use a Registry Run Key and the Startup folder to establish persistence. [59] G0047 Gamaredon Group Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence. [107] [108] [109] [110] [111] S0168 Gazer Gazer can establish persistence …
…28] G0084 Gallmaker Gallmaker obfuscated shellcode used during execution. [129] G0047 Gamaredon Group Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts. [130] S0168 Gazer Gazer logs its a…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [213] [80] G0047 Gamaredon Group Gamaredon Group has downloaded additional malware and tools onto a compromised host. [214] [215] [216] [217] For example, Gamaredon Group uses a backdoor script to retrieve and d…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [226] [89] G0047 Gamaredon Group Gamaredon Group has downloaded additional malware and tools onto a compromised host. [227] [228] [229] [230] [231] [232] For example, Gamaredon Group uses a backdoor script to re…
…fied size. [100] S0410 Fysbis Fysbis has the ability to search for files. [101] G0047 Gamaredon Group Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list i…
…sb-*|sun-*|SUSE*|release" to determine which Linux OS version is running. [114] G0047 Gamaredon Group A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server. [115] [116] S0460 Get2 Get2 has the ability to identify the …