…erShell on victim systems to download and run payloads after exploitation. [19] G0050 APT32 APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution. [20] [21] [22] G0064 APT33 APT33 has utilized PowerShell to download files from the C2 se…
…APT29 has installed web shells on exploited Microsoft Exchange servers. [6] [7] G0050 APT32 APT32 has used Web shells to maintain access to victim websites. [8] G0082 APT38 APT38 has used web shells for persistence or to ensure redundant access. [9] G0087 APT39 APT39 has installe…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…erShell on victim systems to download and run payloads after exploitation. [22] G0050 APT32 APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution. [23] [24] [25] G0064 APT33 APT33 has utilized PowerShell to download files from the C2 se…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
… for the existence of user email addresses using public Microsoft APIs. [6] [7] G0050 APT32 APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware. [8] G1011 EXOTIC LILY EXOTIC LILY has gathered targeted individuals' e-mail addresses …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
… has exploited CVE-2021-36934 to escalate privileges on a compromised host. [7] G0050 APT32 APT32 has used CVE-2016-7255 to escalate privileges. [8] G0064 APT33 APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. [9] G1002 BITTE…
… G0022 APT3 APT3 has sent spearphishing emails containing malicious links. [14] G0050 APT32 APT32 has sent spearphishing emails containing malicious links. [15] [16] [17] [18] [19] G0064 APT33 APT33 has sent spearphishing emails containing links to .hta files. [20] [21] G0087 APT…
…ent Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design an…
…lity CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776. [12] [13] G0050 APT32 APT32 has used an RTF document that includes an exploit (CVE-2017-11882) to execute malicious code. [14] G0064 APT33 APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-2…
… APT30 APT30 has used spearphishing emails with malicious DOC attachments. [23] G0050 APT32 APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet. [24] [25] [26] [27] [28] [29] G0064 APT33 APT33 has sent spearphishing e-mails with …
…ured victims into clicking malicious links delivered through spearphishing. [6] G0050 APT32 APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails. [7] [8] [9] G0064 APT33 APT33 has lured users to click links to malici…
…erShell on victim systems to download and run payloads after exploitation. [16] G0050 APT32 APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution. [17] [18] [19] G0064 APT33 APT33 has utilized PowerShell to download files from the C2 se…