…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
… Molerats Molerats has sent phishing emails with malicious links included. [81] G0069 MuddyWater MuddyWater has sent targeted spearphishing e-mails with malicious links. [82] [83] [84] G0129 Mustang Panda Mustang Panda has delivered malicious links to their intended targets. [85]…
…Bouncer MoustachedBouncer has used plugins to execute PowerShell scripts. [174] G0069 MuddyWater MuddyWater has used PowerShell for execution. [175] [176] [177] [178] [179] [180] [181] [182] [183] [184] G0129 Mustang Panda Mustang Panda has used malicious PowerShell scripts to en…
…sed and modified open-source tools like Impacket, Mimikatz, and pwdump. [49] G0069 MuddyWater MuddyWater has made use of legitimate tools ConnectWise and RemoteUtilities for access to target environments. [50] G0014 Night Dragon Night Dragon has obtained and used tools such as…
…ito Mosquito's installer uses WMI to search for antivirus display names. [107] G0069 MuddyWater MuddyWater has used malware that leveraged WMI for execution and querying host information. [108] [109] [110] [111] G0129 Mustang Panda Mustang Panda has executed PowerShell scripts v…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…Sleet delivered various payloads to victims as spearphishing attachments. [159] G0069 MuddyWater MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients. [160] [161] [162] [163] [164] [165] [166] …
…_eggs will decode malware components that are then dropped to the system. [117] G0069 MuddyWater MuddyWater decoded base64-encoded PowerShell commands using a VBS file. [118] [119] [120] S0637 NativeZone NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellc…
…ail trick users into opening a RAR archive and running an executable. [63] [64] G0069 MuddyWater MuddyWater has distributed URLs in phishing e-mails that link to lure documents. [65] [66] [67] G0129 Mustang Panda Mustang Panda has sent malicious links including links directing vi…
…et machines. [115] S0256 Mosquito Mosquito can launch PowerShell Scripts. [116] G0069 MuddyWater MuddyWater has used PowerShell for execution. [117] [118] [119] [120] [121] [122] [123] [124] G0129 Mustang Panda Mustang Panda has used malicious PowerShell scripts to enable executi…
…iated with defenses and can prevent certain processes from launching. [44] [45] G0069 MuddyWater MuddyWater can disable the system's local proxy settings. [46] S0228 NanHaiShu NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity. [47] S0336 Na…
… and folders related to the attack to the Windows Defender exclusion list. [95] G0069 MuddyWater MuddyWater can disable the system's local proxy settings. [96] S1135 MultiLayer Wiper MultiLayer Wiper removes the Volume Shadow Copy (VSS) service from infected devices along with al…
…C Ransom has used AnyDesk and PuTTY on compromised systems. [22] [23] [24] [25] G0069 MuddyWater MuddyWater has used legitimate applications ScreenConnect, AteraAgent and SimpleHelp to manage systems remotely and move laterally. [26] [27] [28] [29] C0002 Night Dragon During Night…
…itimate Microsoft Distributed Transaction Coordinator service binary. [72] [73] G0069 MuddyWater MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. [74] [75] [76] G0129 Mustang Panda Mustang Panda has used 'a…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…