…43] G0004 Ke3chang Ke3chang has obtained and used tools such as Mimikatz. [44] G0094 Kimsuky Kimsuky has obtained and used tools such as Mimikatz and PsExec. [45] G0077 Leafminer Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper. [46] G…
…xecutives, human resources staff, and IT personnel for spearphishing. [11] [12] G0094 Kimsuky Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering. [13] [14] [15] G1004 LAPSUS$ …
… KGH_SPY KGH_SPY can execute PowerShell commands on the victim's machine. [145] G0094 Kimsuky Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz. [146] [147] [148] [149] [150] S0250 Koadic Koadic has used PowerShell to establish persistence. [151] S066…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…own Kerrdown has been distributed via e-mails containing a malicious link. [19] G0094 Kimsuky Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain. [62] [63] [64] S0669 KOCTOPUS KOCT…
…sk uses VMProtect to make reverse engineering the malware more difficult. [174] G0094 Kimsuky Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding. [175] [176] S0641 Kobalos Kobalos encrypts all strings using RC4 and bundles all functional…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. Mercer, W., et al. (2020, April 16). PoetRAT:…
…rrdown Kerrdown has been distributed through malicious e-mail attachments. [32] G0094 Kimsuky Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns. [126] [127] [128] [129] [130] [8] [131] [132] S0669 KOCTOPUS…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
… KGH_SPY KGH_SPY can execute PowerShell commands on the victim's machine. [160] G0094 Kimsuky Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz. [161] [162] [163] [164] [165] Kimsuky has also utilized PowerShell scripts for execution, persistence, and…
…or storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath. [97] G0094 Kimsuky Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence. [98] [99] [100] [101] S0669 KOCTOPUS KOCTOPUS has added and deleted keys fr…
…53] S0201 JPIN JPIN can lower security settings by changing Registry keys. [54] G0094 Kimsuky Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user. [55] [56] S0669 KOCTOPUS KOCTOPUS will attempt to de…
…66] S0201 JPIN JPIN can lower security settings by changing Registry keys. [67] G0094 Kimsuky Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user. [68] [69] S0669 KOCTOPUS KOCTOPUS will attempt to de…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …