…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…networks. [53] S0590 NBTscan NBTscan can be used to scan IP networks. [54] [55] G0049 OilRig OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning. [56] C0014 Operation Wocao During Operation …
…elp gather credentials that are later used for lateral movement. [78] [79] [72] G0049 OilRig OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [80] [81] [64] [82] S0439 Okrum Ok…
…xploited CVE-2021-1732 to execute malware components with elevated rights. [30] G0049 OilRig OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088. [31] S0664 Pandora Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcem…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. Kaspersky Lab's Global Researc…
…. [121] S0353 NOKKI NOKKI uses a unique, custom de-obfuscation technique. [122] G0049 OilRig A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims. [123] [95] [124] [125] S0439 Okrum Okrum's l…
…\Software\NFC\. [70] S0385 njRAT njRAT can read specific registry values. [71] G0049 OilRig OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry. [72] C0014 Operation Wocao During Operation Wocao, the …
…d several remote administration tools as persistent infiltration channels. [30] G0049 OilRig OilRig has incorporated remote monitoring and management (RMM) tools into their operations, including ngrok. [31] S0148 RTM RTM has the capability to download a VNC module from command and …
…ded executable. [222] S0353 NOKKI NOKKI uses Base64 encoding for strings. [223] G0049 OilRig OilRig has encrypted and encoded data in its malware, including by using base64. [224] [225] [226] [227] [228] S0138 OLDBAIT OLDBAIT obfuscates internal strings and unpacks them at startu…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…guised as legitimate programs, such as Java and Telegram Messenger. [140] [141] G0049 OilRig OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe. [142] S0138 OLDBAIT OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\Med…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. Mercer, W, et al. (2020, April 16). PoetRAT:…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Ret…
…ed account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Fo…