… can be installed on compromised web servers to tunnel C2 connections. [52] [3] G0049 OilRig OilRig has used web shells, often to maintain access to a victim network. [53] [54] [55] [56] C0012 Operation CuckooBees During Operation CuckooBees , the threat actors generated a web sh…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…ownload additional files and tools onto the victim’s machine. [361] [362] [360] G0049 OilRig OilRig can download remote files onto victims. [363] S0439 Okrum Okrum has built-in commands for uploading, downloading, and executing files to the system. [364] S0264 OopsIE OopsIE can d…
…eck can download staged payloads from an actor-controlled infrastructure. [396] G0049 OilRig OilRig had downloaded remote files onto victim infrastructure. [397] [398] S0439 Okrum Okrum has built-in commands for uploading, downloading, and executing files to the system. [399] S02…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved M…
…nuPass menuPass has used the PuTTY Secure Copy client (PSCP) to transfer data. [22] G0049 OilRig OilRig has used PuTTY to access compromised systems. [23] S1187 reGeorg reGeorg can communicate using SSH through an HTTP tunnel. [24] G0106 Rocke Rocke has spread its coinminer via SSH. …
… Octopus has used HTTP GET and POST requests for C2 communications. [256] [257] G0049 OilRig OilRig has used HTTP for C2. [258] [259] [260] S0439 Okrum Okrum uses HTTP for communication with its C2. [261] S0138 OLDBAIT OLDBAIT can use HTTP for C2. [19] S0052 OnionDuke OnionDuke u…
… G0133 Nomadic Octopus Nomadic Octopus has used PowerShell for execution. [131] G0049 OilRig OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. [33] [132] [133] G0116 Operation Wocao Operation Wocao has …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…NETWIRE NETWIRE can capture session logon details from a compromised host. [47] G0049 OilRig OilRig has used netstat -an on a victim to get a listing of network connections. [48] S0439 Okrum Okrum was seen using NetSess to discover NetBIOS sessions. [49] G0116 Operation Wocao Ope…
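Two of the OilRig procedures listed above are concrete enough to detect from process-creation telemetry: a macro-launched PowerShell command that decodes file contents (the PowerShell entry) and connection listing with netstat -an or NetSess (the entry just above). The following is an added example, not code from the ATT&CK page or from any of the cited reports; it runs the two rules over constructed JSON records whose field names (ParentImage, Image, CommandLine) mirror Sysmon Event ID 1 but whose values, paths and encoded strings are made up for illustration.

```python
"""Detect (1) Office macro -> PowerShell decode chains and (2) netstat -an / NetSess
network-connection discovery in constructed process-creation records.
Record format is an assumption: one JSON object per line with Sysmon-like keys."""
import json
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unique prefixes of -EncodedCommand (-e, -ec, -en, -enc ...);
# also catch explicit base64 / certutil decoding inside the command line.
DECODE_MARKERS = re.compile(
    r"-e(?:c|nc?|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|frombase64string"
    r"|certutil\b.*-decode",
    re.IGNORECASE,
)

RULE_MACRO_PS = "T1059.001 Office macro spawned PowerShell that decodes content"
RULE_NETSTAT = "T1049 netstat -an connection listing"
RULE_NETSESS = "T1049 NetSess NetBIOS session discovery"


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    rec = json.loads(line)
    return ProcEvent(rec["ParentImage"], rec["Image"], rec["CommandLine"])


def office_to_powershell_decode(ev: ProcEvent):
    """Office parent -> PowerShell child whose command line decodes something."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return None
    return RULE_MACRO_PS if DECODE_MARKERS.search(ev.command_line) else None


def network_connection_discovery(ev: ProcEvent):
    """netstat with both -a and -n (any order, combined or separate), or NetSess."""
    image = basename(ev.image)
    if image == "netsess.exe":
        return RULE_NETSESS
    if image == "netstat.exe":
        flag_chars = "".join(
            t.lstrip("-/").lower()
            for t in ev.command_line.split()[1:]
            if t.startswith(("-", "/"))
        )
        if "a" in flag_chars and "n" in flag_chars:
            return RULE_NETSTAT
    return None


RULES = (office_to_powershell_decode, network_connection_discovery)


def scan(lines):
    """Return (rule_name, command_line) for every record that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits.append((tag, ev.command_line))
    return hits


# Constructed sample telemetry (not real OilRig artifacts).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [json.dumps(r) for r in (
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell -Command Get-Date"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\netstat.exe",
     "CommandLine": "netstat -an"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\netstat.exe",
     "CommandLine": "netstat -r"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "Image": PS,
     "CommandLine": "powershell -c \"[IO.File]::WriteAllBytes('C:\\Users\\Public\\a.exe',"
                    "[Convert]::FromBase64String((Get-Content C:\\Users\\Public\\a.txt)))\""},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\Public\\NetSess.exe",
     "CommandLine": "NetSess.exe \\\\fileserver"},
)]

if __name__ == "__main__":
    for tag, cmd in scan(SAMPLE_EVENTS):
        print(f"{tag}: {cmd}")
```

The parent/child pairing is what carries the signal for the macro case; PowerShell decoding base64 on its own is common in administration, whereas PowerShell decoding content directly under an Office process is not. The netstat rule deliberately checks for the -a and -n flags together rather than for the string "netstat -an", so "netstat -ano" and "netstat -n -a" are caught as well.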
…nt using cmd.exe. [262] OceanSalt has been executed via malicious macros. [262] G0049 OilRig OilRig has used macros to deliver malware such as QUADAGENT and OopsIE. [263] [264] [265] [266] [267] OilRig has used batch scripts. [263] [264] [265] [266] [267] S0439 Okrum Okrum's ba…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…