… persistence via writing a PowerShell script to the autorun registry key. [143] G0065 Leviathan Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. [150] [151] S0513 LiteDuke LiteDuke can create persistence by adding a s…
… persistence via writing a PowerShell script to the autorun registry key. [149] G0065 Leviathan Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. [156] [157] S0513 LiteDuke LiteDuke can create persistence by adding a s…
…en-source malware—much of which is shared with multiple other suspected Chinese groups—to establish initial access via user and administrator credentials, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. Table 1 provides d…
…s exfiltrated stolen files and data to actor-controlled Blogspot accounts. [20] G0065 Leviathan Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox. [21] [22] G1014 LuminousMoth LuminousMoth has exfiltrated data to Google Drive. [23] S0340 Octo…
…ls to maintain access, often adding "Dinosaur" references within the code. [42] G0065 Leviathan Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems. [43] [44] [45] C0049 Leviathan Australian Intrusions Leviathan relied extensive…
…retrieving login and password information, including LaZagne and Mimikatz. [59] G0065 Leviathan Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE. [60] S0681 Lizar Lizar can run Mimikatz to harvest credentials. [61] [62] S0121 Lslsass…
…ent Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design an…
…pirs decrypts and extracts a copy of its main DLL payload when executing. [101] G0065 Leviathan Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors. [102] S0395 LightNeuron LightNeuron has used AES and XOR to decrypt configuration files and c…
…r LazyScripter has relied upon users clicking on links to malicious files. [51] G0065 Leviathan Leviathan has sent spearphishing email links attempting to get a user to click. [54] [55] G1014 LuminousMoth LuminousMoth has lured victims into clicking malicious Dropbox download lin…
…erShell to download and execute a specific 64-bit version of the malware. [104] G0065 Leviathan Leviathan has used PowerShell for execution. [105] [106] [107] [108] S0447 Lokibot Lokibot has used PowerShell commands embedded inside batch scripts. [109] G0059 Magic Hound Magic Hou…
… S1020 Kevin Kevin can use a custom protocol tunneled through DNS or HTTP. [31] G0065 Leviathan Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure. [32] S1141 LunarWeb LunarWeb can run a custom binary protocol under HTTPS for C2. [33] G0…
…liers, and business partners of target organizations for credentials. [10] [11] G0065 Leviathan Leviathan has compromised email accounts to conduct social engineering attacks. [12] G0059 Magic Hound Magic Hound has compromised personal email accounts through the use of legitimate…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Pla…
…retrieving login and password information, including LaZagne and Mimikatz. [41] G0065 Leviathan Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE. [42] S0121 Lslsass Lslsass can dump active logon session password hashes from the lsass…