…s including Mimikatz, SDelete, Tor, meek, and Cobalt Strike. [9] [10] [11] G0050 APT32 APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub. [12] [13] G0064 APT33 APT33 has obtained and leveraged publicly…
…nEggDrop to perform detailed scans of hosts of interest in victim networks. [4] G0050 APT32 APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities. [5] G0087 APT39 APT39 has used CrackMapExec and a custom …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…DA ANDROMEDA can inject into the wuauclt.exe process to perform C2 actions. [5] G0050 APT32 APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe. [6] G0067 APT37 APT37 injects its malware variant, ROKRAT, into the cmd.exe process. [7] G0082 APT38 APT38 has injecte…
…Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP. [2] [3] [4] G0050 APT32 APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets. [5] G0064 APT33 APT33 has used FTP to exfiltrate files (separately from the C2 channel). [6] S01…
… to execute malicious file attachments delivered via spearphishing emails. [16] G0050 APT32 APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment. [17] [18] [19] [20] [21] G0064 APT33 APT33 has used malicious e-mail attachments …
… APT30 APT30 has used spearphishing emails with malicious DOC attachments. [26] G0050 APT32 APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet. [27] [28] [29] [30] [31] [32] G0064 APT33 APT33 has sent spearphishing e-mails with …
…ool to gather and compress multiple documents on the DCCC and DNC networks. [1] G0050 APT32 APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration. [5] S0456 Aria-body Aria-body has used ZIP to compress data gathered on a compromised host. [6] G0001 Ax…
…0504 Anchor Anchor can create and execute services to load its payload. [3] [4] G0050 APT32 APT32's backdoor has used Windows services as a way to execute its malicious payload. [5] G0082 APT38 APT38 has created new services or modified existing ones to run executables, commands…
…. [3] G0022 APT3 APT3 has a tool that exfiltrates data over the C2 channel. [4] G0050 APT32 APT32's backdoor has exfiltrated data using the already opened channel with its C&C server. [5] G0087 APT39 APT39 has exfiltrated stolen victim data through C2 communications. [6] S0373 A…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. Daniel Stepanic & Salim Bitam…
…APT29 used WMI to steal credentials and execute backdoors at a future time. [9] G0050 APT32 APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process. [10] G0096 APT41 APT41 used WMI in several ways, including for execution of com…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…[16] G0022 APT3 APT3 places scripts in the startup folder for persistence. [17] G0050 APT32 APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly. [18] [19] [20] G0064 APT33 APT33 has deploy…