…Goopy Goopy has used a polymorphic decryptor to decrypt itself at runtime. [55] G0078 Gorgon Group Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file. [80] S0531 Grandoreiro Grandoreiro can decrypt its encrypted intern…

…lity to use cmd.exe to execute commands passed from an Outlook C2 channel. [21] G0078 Gorgon Group Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. [120] S0237 GravityRAT GravityRAT executes commands remotely on the infe…

…lity to use cmd.exe to execute commands passed from an Outlook C2 channel. [23] G0078 Gorgon Group Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. [155] S0237 GravityRAT GravityRAT executes commands remotely on the infe…

…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…

…7] S0588 GoldMax GoldMax can download and execute additional files. [158] [159] G0078 Gorgon Group Gorgon Group malware can download additional files from C2 servers. [160] S0531 Grandoreiro Grandoreiro can download its second stage from a hardcoded URL within the loader's code. …

…der can create an autorun entry for a PowerShell script to run at reboot. [113] G0078 Gorgon Group Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [114] S0531 Grandoreiro Grandoreiro can use run keys and create link files in the st…

…der can create an autorun entry for a PowerShell script to run at reboot. [118] G0078 Gorgon Group Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [119] S0531 Grandoreiro Grandoreiro can use run keys and create link files in the st…

… Gootloader can fetch second stage code from hardcoded web domains. [227] [228] G0078 Gorgon Group Gorgon Group malware can download additional files from C2 servers. [229] S0531 Grandoreiro Grandoreiro can download its second stage from a hardcoded URL within the loader's code. …

… Gootloader can fetch second stage code from hardcoded web domains. [242] [243] G0078 Gorgon Group Gorgon Group malware can download additional files from C2 servers. [244] S0531 Grandoreiro Grandoreiro can download its second stage from a hardcoded URL within the loader's code. …

…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…

…s they modified to add functionality and/or subvert antimalware solutions. [39] G0078 Gorgon Group Gorgon Group has obtained and used tools such as QuasarRAT and Remcos . [40] G0100 Inception Inception has obtained and used open-source tools such as LaZagne . [41] G0136 IndigoZeb…

…OUTHFIELD has staged and executed PowerShell scripts on compromised hosts. [86] G0078 Gorgon Group Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine. [87] S0417 GRIFFON GRIFFON has used PowerShell …

…modifying existing .lnk files to execute the malware through cmd.exe. [12] [13] G0078 Gorgon Group Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [14] S0531 Grandoreiro Grandoreiro can write or modify browser shortcuts to enable l…