…ipter LazyScripter has used PowerShell scripts to execute malicious code. [151] G0065 Leviathan Leviathan has used PowerShell for execution. [155] [156] [157] [158] S0680 LitePower LitePower can use a PowerShell script to execute commands. [101] S0681 Lizar Lizar has used PowerSh…
… [38] G0077 Leafminer Leafminer has infected victims using watering holes. [39] G0065 Leviathan Leviathan has infected victims using watering holes. [40] S0451 LoudMiner LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS. […
…elf in the Start menu folder or by adding a Registry Run key. [121] [122] [123] G0065 Leviathan Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. [124] [125] S0513 LiteDuke LiteDuke can create persistence by adding a s…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…contain a link that redirects the victim to download a malicious document. [65] G0065 Leviathan Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding. [69] [70] G1014 LuminousMoth LuminousMoth has sent spearphishing emai…
…ries in .zip format, encrypt the .zip file, and upload it to C2. [31] [32] [33] G0065 Leviathan Leviathan has archived victim's data prior to exfiltration. [34] S0395 LightNeuron LightNeuron contains a function to encrypt and store emails that it collects. [35] S0681 Lizar Lizar …
…eaponized with archive or document files as its initial infection vector. [133] G0065 Leviathan Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files. [141] [142] S0447 Lokibot Lokibot is delivered via a malicious XLS attachment …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…ipter LazyScripter had downloaded additional tools to a compromised host. [303] G0065 Leviathan Leviathan has downloaded additional scripts and files from adversary-controlled servers. [318] [132] S0395 LightNeuron LightNeuron has the ability to download and execute additional fi…
…ipter LazyScripter had downloaded additional tools to a compromised host. [282] G0065 Leviathan Leviathan has downloaded additional scripts and files from adversary-controlled servers. [297] [122] S0395 LightNeuron LightNeuron has the ability to download and execute additional fi…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…in code for Native API function names. [113] [114] [115] [116] [47] [117] [118] G0065 Leviathan Leviathan has obfuscated code using base64 and gzip compression. [119] S0395 LightNeuron LightNeuron encrypts its configuration files with AES-256. [120] S0451 LoudMiner LoudMiner has …
…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…Leafminer Leafminer obfuscated scripts that were used on victim machines. [183] G0065 Leviathan Leviathan has obfuscated code using base64 and gzip compression. [184] S0395 LightNeuron LightNeuron encrypts its configuration files with AES-256. [185] S0447 Lokibot Lokibot has obfu…