… APT38 APT38 has injected malicious payloads into the explorer.exe process. [8] G0096 APT41 APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process. [9] G1023 APT5 APT5 has used the CLEANPULSE utility to insert command line strings…
…RemCom and the Non-sucking Service Manager (NSSM) to execute processes. [7] [8] G0096 APT41 APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader. [9] [10] C0040 APT41 DUST APT41 DUST used Windows services to execute DUSTPAN …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…pril 2025 Procedure Examples ID Name Description G0096 APT41 APT41 used NATBypass to bypass firewall restrictions and to access compromised systems via RDP. [2] C0043 Indian Critical Infrastructure Intrusions Indian Critical Infrastructure Intrusion…
…ls on remote machines and to gather information about the Outlook process. [10] G0096 APT41 APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit. [11] [12] APT41 has executed files through Windows Management I…
… [32] [33] G0087 APT39 APT39 has used malware to drop encrypted CAB files. [34] G0096 APT41 APT41 used VMProtected binaries in multiple intrusions. [35] S0456 Aria-body Aria-body has used an encrypted configuration file for its loader. [36] S0373 Astaroth Astaroth obfuscates its …
…24] G0087 APT39 APT39 has maintained persistence using the startup folder. [25] G0096 APT41 APT41 created and modified startup files for persistence. [26] [27] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cob…
…t is running as SYSTEM. [138] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [139] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [140] G0081 Tropic Trooper Tropic Trooper use…
…les and to execute code via proxy to avoid triggering security tools. [18] [19] G0096 APT41 APT41 has used rundll32.exe to execute a loader. [20] G0143 Aquatic Panda Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary. [21]…
…les and to execute code via proxy to avoid triggering security tools. [16] [17] G0096 APT41 APT41 has used rundll32.exe to execute a loader. [18] G0143 Aquatic Panda Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary. [19]…
…26] G0087 APT39 APT39 has maintained persistence using the startup folder. [27] G0096 APT41 APT41 created and modified startup files for persistence. [28] [29] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cob…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…PT39 has used various tools to steal files from the compromised host. [12] [13] G0096 APT41 APT41 has uploaded files and data from a compromised host. [14] S0642 BADFLICK BADFLICK has uploaded files from victims' machines. [15] S0128 BADNEWS When it first starts, BADNEWS crawls t…
…used Mimikatz, Windows Credential Editor and ProcDump to dump credentials. [17] G0096 APT41 APT41 has used hashdump, Mimikatz, ProcDump, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts. [18] [19] [20] G1023 APT5 APT5 …