…licious hyperlinks within emails crafted to resemble trustworthy senders. [101] G0121 Sidewinder Sidewinder has lured targets to click on malicious links to gain execution in the target environment. [102] [103] [104] [105] S0649 SMOKEDHAM SMOKEDHAM has relied upon users clicking …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…ncryption key on victim machines and then delete the key from the system. [277] G0121 Sidewinder Sidewinder has used PowerShell to drop and execute malware loaders. [278] G0091 Silence Silence has used PowerShell to download and execute payloads. [279] [280] S0692 SILENTTRINITY S…
…Twist SideTwist has used HTTP GET and POST requests over port 443 for C2. [235] G0121 Sidewinder Sidewinder has used HTTP in C2 communications. [236] [237] [238] G0083 SilverTerrier SilverTerrier uses HTTP for C2 communications. [239] S0633 Sliver Sliver has the ability to suppor…
…system user information. [43] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215] G0081 Tropic Trooper Tropic Trooper use…
…deTwist has the ability to collect the domain name on a compromised host. [230] G0121 Sidewinder Sidewinder has used malware to collect information on network interfaces, including the MAC address. [231] S0633 Sliver Sliver has the ability to gather network configuration informat…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. Magisa, L. (2020, November 27). New MacOS Backdoor Connecte…
…IPSHAPE achieves persistence by creating a shortcut in the Startup folder. [40] G0121 Sidewinder Sidewinder has added paths to executables in the Registry to establish persistence. [261] [262] [263] G0091 Silence Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…IPSHAPE achieves persistence by creating a shortcut in the Startup folder. [40] G0121 Sidewinder Sidewinder has added paths to executables in the Registry to establish persistence. [277] [278] [279] G0091 Silence Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run…
…] S0610 SideTwist SideTwist has the ability to download additional files. [328] G0121 Sidewinder Sidewinder has used LNK files to download remote files to the victim's network. [329] [330] G0091 Silence Silence has downloaded additional modules and malware to victim’s machines. […
…Twist SideTwist has used HTTP GET and POST requests over port 443 for C2. [337] G0121 Sidewinder Sidewinder has used HTTP in C2 communications. [338] [339] [340] G0083 SilverTerrier SilverTerrier uses HTTP for C2 communications. [341] S1110 SLIGHTPULSE SLIGHTPULSE has the ability…
… C:\windows\system32\drivers\ folder and renamed it with a .sys extension. [50] G0121 Sidewinder Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable. [112] G0091 Silence Silence has named its backdoor "WINWORD.exe". [113] S0468 S…
…. [285] [286] S0589 Sibot Sibot has obfuscated scripts used in execution. [134] G0121 Sidewinder Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files. [287] [288] [289] G0091 Silence Silence has used environment variable string substitution for obfus…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …