…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…spond to specific HTTP POST requests to /api/v1/cav/client/visits. [410] [411] G0090 WIRTE WIRTE has used HTTP for network communication. [412] G0102 Wizard Spider Wizard Spider has used HTTP for network communications. [413] S1065 Woody RAT Woody RAT can communicate with its C2…
…d execution, file exfiltration, and socks5 proxying on the infected host. [383] G0090 WIRTE WIRTE has downloaded PowerShell code from the C2 server to be executed. [384] S0341 Xbash Xbash can download additional malicious files from its C2 server. [385] S0653 xCaon xCaon has a co…
…LL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name. [230] G0090 WIRTE WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate. [231] S1248 XORIndex Loader XORIndex Loader has leveraged legitimate package names to mimic freq…