…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…inder Sidewinder has used PowerShell to drop and execute malware loaders. [278] G0091 Silence Silence has used PowerShell to download and execute payloads. [279] [280] S0692 SILENTTRINITY SILENTTRINITY can use PowerShell to execute commands. [281] S0633 Sliver Sliver has built-in…
… the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot. [185] G0091 Silence Silence can create, delete, or modify a specified Registry key or value. [186] S0692 SILENTTRINITY SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop P…
… SDBbot SDBbot has the ability to record video on a compromised host. [45] [46] G0091 Silence Silence has been observed making videos of victims to observe bank employees' day-to-day activities. [47] [48] S0098 T9000 T9000 uses the Skype API to record audio and video calls. It wri…
…610 SideTwist SideTwist can execute shell commands on a compromised host. [335] G0091 Silence Silence has used Windows command-line to run commands. [336] [337] [338] S0692 SILENTTRINITY SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM. [339] S0623 Siloscape Si…
…aths to executables in the Registry to establish persistence. [261] [262] [263] G0091 Silence Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence. [264] S0692 SILE…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…aths to executables in the Registry to establish persistence. [277] [278] [279] G0091 Silence Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence. [280] S0692 SI…
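The Run-key and Startup-folder persistence described for Silence above is what a responder checks first on a suspect host. The following is an added example, not code from the ATT&CK page or from any of the cited reports: it parses the text output of `reg query` for both Run keys, lists the per-user Startup folder, and flags entries that point into user-writable directories or reuse a Windows system binary name outside System32. The `reg query` text, the Startup-folder listing and the value names (`WinUpdate`, `report.lnk`) are constructed for the example; the writable-directory and system-name lists are the author's triage heuristics, not an exhaustive rule set.

```python
import re

# Constructed `reg query` output (not captured from a real host). OneDrive and
# SecurityHealth mirror benign defaults; WinUpdate is a planted example that
# points into a user-writable directory under a system-binary name.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    WinUpdate    REG_SZ    C:\Users\Public\Libraries\svchost.exe -k netsvcs
"""

# Constructed listing of the per-user Startup folder (one path per entry).
SAMPLE_STARTUP = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk",
]

# `reg query` indents value lines by four spaces and separates the three
# columns (name, type, data) with four spaces; value names may contain spaces.
_VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Heuristic lists (author's choice, not exhaustive): directories an unprivileged
# user can write to, and binary names that legitimately live only in System32.
_WRITABLE = ("\\users\\public\\", "\\appdata\\roaming\\", "\\temp\\",
             "\\programdata\\", "\\downloads\\")
_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()


def image_path(data):
    """Extract the executable path from a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    # Unquoted data: the first whitespace-delimited token is good enough for triage.
    return data.split()[0] if data else ""


def triage_entry(path):
    """Return the list of reasons a Run-key image path looks suspicious."""
    reasons = []
    p = path.lower()
    if any(w in p for w in _WRITABLE):
        reasons.append("user-writable location")
    if p.rsplit("\\", 1)[-1] in _SYSTEM_NAMES and "\\windows\\system32\\" not in p:
        reasons.append("system binary name outside System32")
    return reasons


def triage_startup(path):
    """Anything in the Startup folder other than desktop.ini executes at logon."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name == "desktop.ini":
        return []
    reasons = ["file in Startup folder runs at logon"]
    if name.endswith(".lnk"):
        reasons.append("shortcut: resolve target before judging")
    return reasons


def triage(reg_text, startup_paths):
    """Combine both persistence locations into one list of (source, path, reasons)."""
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        path = image_path(data)
        reasons = triage_entry(path)
        if reasons:
            findings.append((f"{key}\\{name}", path, reasons))
    for path in startup_paths:
        reasons = triage_startup(path)
        if reasons:
            findings.append(("StartupFolder", path, reasons))
    return findings


if __name__ == "__main__":
    for source, path, reasons in triage(SAMPLE_REG_QUERY, SAMPLE_STARTUP):
        print(f"{source}\n    {path}\n    {', '.join(reasons)}")
```

On a live host, feed `parse_reg_query` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent, and build the Startup list from `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`; the heuristics deliberately stay on the image path, because the Run value's arguments are under the adversary's control and are easy to pad with benign-looking text.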
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…as used LNK files to download remote files to the victim's network. [329] [330] G0091 Silence Silence has downloaded additional modules and malware to victims' machines. [331] S0468 Skidmap Skidmap has the ability to download files on an infected host. [332] S0633 Sliver Sliver c…
…se64 encoding and ECDH-P256 encryption for scripts and files. [287] [288] [289] G0091 Silence Silence has used environment variable string substitution for obfuscation. [290] S0623 Siloscape Siloscape itself is obfuscated and uses obfuscated API calls. [291] S0468 Skidmap Skidmap…
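The "environment variable string substitution" attributed to Silence above is cmd.exe's own `%VAR:~start,len%` substring and `%VAR:old=new%` replacement syntax, used to spell a command out of characters taken from variables such as COMSPEC so that the literal string never appears on the command line. The following is an added example, not code from the ATT&CK page or from any of the cited reports: a small Python expander that applies cmd's substitution rules (negative offsets count from the end, a negative length trims from the end, `*old=new` drops everything up to and including the first match, undefined names are left untouched), plus a counter that a detection rule can use to flag command lines with many such tokens. The environment values and the obfuscated command line are constructed for the example; they mirror common Windows defaults but were not captured from a host.

```python
import re

# Constructed environment (not from a real host); values mirror common Windows
# defaults so that the sample command below resolves to something readable.
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PROGRAMFILES": r"C:\Program Files",
    "PATHEXT": ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
}

# Constructed obfuscated command line: the first token strips COMSPEC down to
# "cmd.exe", the ten single-character tokens spell "PowersHell" (cmd resolves
# commands case-insensitively), and nothing in the raw string says "powershell".
OBFUSCATED = (
    r"%COMSPEC:*system32\=% /c "
    "%PROGRAMFILES:~3,1%%PROGRAMFILES:~5,1%%COMSPEC:~8,1%%COMSPEC:~15,1%"
    "%PROGRAMFILES:~4,1%%COMSPEC:~-16,1%%PATHEXT:~-6,1%%COMSPEC:~-3,1%"
    "%PROGRAMFILES:~13,1%%PROGRAMFILES:~-3,1% -nop -w hidden"
)

# %NAME%, %NAME:~start[,len]%, %NAME:old=new% and %NAME:*old=new%
_TOKEN = re.compile(r"%([A-Za-z0-9_()]+)(?::([^%]+))?%")
_SUBSTR = re.compile(r"^~(-?\d+)(?:,(-?\d+))?$")


def _substring(value, start, length):
    """cmd.exe substring rules: negative start counts from the end, negative
    length trims that many characters from the end, omitted length means to end."""
    n = len(value)
    s = start if start >= 0 else max(0, n + start)
    s = min(s, n)
    if length is None:
        e = n
    elif length >= 0:
        e = min(n, s + length)
    else:
        e = max(s, n + length)
    return value[s:e]


def _replace(value, spec):
    """cmd.exe replacement rules: 'old=new' replaces every case-insensitive
    match; '*old=new' replaces everything up to and including the first match."""
    old, _, new = spec.partition("=")
    anchored = old.startswith("*")
    if anchored:
        old = old[1:]
    if not old:
        return value
    if anchored:
        idx = value.lower().find(old.lower())
        return value if idx < 0 else new + value[idx + len(old):]
    return re.sub(re.escape(old), lambda _m: new, value, flags=re.IGNORECASE)


def expand(cmd, env):
    """Resolve %VAR...% tokens the way cmd.exe would on an interactive command line."""
    env_upper = {k.upper(): v for k, v in env.items()}

    def sub(m):
        name, modifier = m.group(1).upper(), m.group(2)
        if name not in env_upper:
            return m.group(0)  # undefined names stay literal on the command line
        value = env_upper[name]
        if modifier is None:
            return value
        ss = _SUBSTR.match(modifier)
        if ss:
            length = int(ss.group(2)) if ss.group(2) is not None else None
            return _substring(value, int(ss.group(1)), length)
        if "=" in modifier:
            return _replace(value, modifier)
        return m.group(0)

    return _TOKEN.sub(sub, cmd)


def substitution_count(cmd):
    """Number of tokens that use a substring or replacement modifier (plain %VAR% is not counted)."""
    return sum(1 for m in _TOKEN.finditer(cmd) if m.group(2))


def analyze(cmd, env=SAMPLE_ENV, threshold=3):
    """Detection helper: expanded form plus a verdict based on modifier density.
    The threshold is an assumption; benign scripts rarely use more than one or two."""
    count = substitution_count(cmd)
    return {"expanded": expand(cmd, env), "substitutions": count, "suspicious": count >= threshold}


if __name__ == "__main__":
    print(analyze(OBFUSCATED))
```

When running this over real process-creation telemetry, expand with the environment of the process's user rather than a fixed table, since COMSPEC or PATHEXT can themselves be redefined by the attacker before the obfuscated line executes; the token count, on the other hand, needs no environment at all and is the cheaper signal to alert on.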