…se shells. [190] S0233 MURKYTOP MURKYTOP uses the command-line interface. [134] G0129 Mustang Panda Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection. [191] [192] S0336 NanoCore NanoCore can open a remote command-line interface and execute co…
…ames and Registry key names associated with Windows Defender. [129] [130] [131] G0129 Mustang Panda Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX , and a file named OneDrive.exe to load a Cobalt Strike payload. [132] Mustang Panda has als…
…ystemTextEncoding to establish persistence. [188] [189] [190] [191] [192] [193] G0129 Mustang Panda Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence. [194] Mustang Panda has …
…5] G0069 MuddyWater MuddyWater has used HTTP for C2 communications. [166] [167] G0129 Mustang Panda Mustang Panda has communicated with its C2 via HTTP POST requests. [168] [169] [170] [171] S0034 NETEAGLE NETEAGLE will attempt to detect if the infected host is configured to a pr…
…at can upload additional files to the victim’s machine. [369] [370] [371] [372] G0129 Mustang Panda Mustang Panda has downloaded additional executables following the initial infection stage. [373] [374] [375] [376] Mustang Panda has also leveraged Visual Studio Code code.exe and …
… files on the system except specific folders defined in a hardcoded list. [224] G0129 Mustang Panda Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files. [225] S0272 NDiskMonitor NDiskMonitor can obtain a list of all files and dir…
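The sweep described above (every DOC, DOCX, PPT, PPTX, XLS, XLSX and PDF on the system) has a simple telemetry signature: one process touching many distinct documents in a short time. The following Python is an added example, not code from the ATT&CK page, Mustang Panda tooling or any cited report; it runs a sliding-window count over constructed file-open records. The process paths, timestamps and threshold of 20 documents in five minutes are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the page says were swept across the whole file system.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".pdf"}


def extension(path: str) -> str:
    """Lower-cased extension of the last path component, '' if none (handles \\ and /)."""
    name = re.split(r"[\\/]", path)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def is_document(path: str) -> bool:
    return extension(path) in DOCUMENT_EXTENSIONS


def find_document_sweeps(events, threshold=20, window=timedelta(minutes=5)):
    """Flag processes that touch many distinct documents in a short window.

    events: iterable of dicts with 'time' (ISO 8601), 'process' and 'path'.
    Returns {process: peak number of distinct documents seen within any
    `window` ending at one of that process's opens} for processes whose
    peak reaches `threshold`. Non-document opens are ignored.
    """
    per_process = defaultdict(list)
    for ev in events:
        if is_document(ev["path"]):
            per_process[ev["process"]].append((datetime.fromisoformat(ev["time"]), ev["path"]))
    flagged = {}
    for proc, opens in per_process.items():
        opens.sort()
        peak = 0
        for i, (t_end, _) in enumerate(opens):
            t_start = t_end - window
            distinct = {p for t, p in opens[: i + 1] if t >= t_start}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[proc] = peak
    return flagged


def constructed_events():
    """Constructed file-open records (not real telemetry) for illustration."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    # A sweeping process opens 25 distinct documents in under a minute, plus one
    # non-document file that must not count. Process path is an assumption.
    for i in range(25):
        ext = sorted(DOCUMENT_EXTENSIONS)[i % len(DOCUMENT_EXTENSIONS)]
        events.append({"time": (base + timedelta(seconds=2 * i)).isoformat(),
                       "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDrive.exe",
                       "path": f"C:\\Users\\alice\\Documents\\file{i}{ext}"})
    events.append({"time": (base + timedelta(seconds=10)).isoformat(),
                   "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDrive.exe",
                   "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll"})
    # A user working in Word opens five documents over an hour: normal activity.
    for i in range(5):
        events.append({"time": (base + timedelta(minutes=12 * i)).isoformat(),
                       "process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                       "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"})
    return events


if __name__ == "__main__":
    for proc, peak in find_document_sweeps(constructed_events()).items():
        print(f"document sweep: {proc} opened {peak} distinct documents within 5 minutes")
```

The threshold and window need tuning per environment (backup agents, indexers and AV scanners legitimately open thousands of documents); a practical deployment excludes those images by path and signer rather than by name, since the page shows this actor naming payloads after legitimate software.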
…ater has used malware to collect the victim’s IP address and domain name. [112] G0129 Mustang Panda Mustang Panda has used ipconfig and arp to determine network configuration information. [113] S0205 Naid Naid collects the domain name from a compromised host. [114] G0019 Naikon N…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Ret…
…at can upload additional files to the victim’s machine. [342] [343] [344] [345] G0129 Mustang Panda Mustang Panda has downloaded additional executables following the initial infection stage. [346] G1020 Mustard Tempest Mustard Tempest has deployed secondary payloads and third sta…
…vered via spearphishing emails. [113] [114] [115] [116] [117] [118] [119] [120] G0129 Mustang Panda Mustang Panda has sent malicious files requiring direct victim interaction to execute. [121] [122] [123] [124] G0019 Naikon Naikon has convinced victims to open malicious attachmen…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…\Run\SystemTextEncoding to establish persistence. [145] [146] [147] [148] [149] G0129 Mustang Panda Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence. [150] G0019 Naikon Naiko…
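The Run-key persistence described in the two Registry Run Keys entries above (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU) is visible as a registry value-set event, for example Sysmon Event ID 13. The Python below is an added example, not code from the ATT&CK page or any cited report: it extracts Run/RunOnce writes from constructed Sysmon-shaped records and raises the severity when the autostart target or the writing process lives in a user-writable directory. The value name AdobelmdyU comes from the page; the process paths and event layout are assumptions.

```python
import re

# Autostart value locations covered: Run and RunOnce under both the native and
# the Wow6432Node (32-bit view) paths. The key on the page is the
# Wow6432Node\...\Run variant with value name AdobelmdyU.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; an autostart entry pointing
# here is more suspicious than one pointing into Program Files or Windows.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)


def run_key_value_name(target_object: str):
    """Return the autostart value name if target_object is a Run/RunOnce value, else None."""
    m = RUN_KEY_RE.search(target_object)
    return m.group("value") if m else None


def find_run_key_persistence(events):
    """Scan Sysmon Event ID 13 (RegistryEvent: value set) records for Run-key writes.

    Each event is a dict with EventID, Image (writing process), TargetObject
    (registry path of the value) and Details (the data written). Returns one
    finding per Run-key write; severity is 'high' when the autostart data or the
    writer resides in a user-writable directory, otherwise 'medium'.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        value_name = run_key_value_name(ev.get("TargetObject", ""))
        if value_name is None:
            continue
        data = ev.get("Details", "")
        writer = ev.get("Image", "")
        suspicious_path = bool(USER_WRITABLE_RE.search(data) or USER_WRITABLE_RE.search(writer))
        findings.append({
            "value_name": value_name,
            "key": ev["TargetObject"],
            "data": data,
            "writer": writer,
            "severity": "high" if suspicious_path else "medium",
        })
    return findings


# Constructed Sysmon Event ID 13 records for illustration; not real telemetry.
# The AdobelmdyU value name comes from the page; the paths are assumptions.
SAMPLE_EVENTS = [
    {   # mirrors the persistence key on the page, with the autostart data in %TEMP%
        "EventID": 13,
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDrive.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobelmdyU",
        "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDrive.exe",
    },
    {   # autostart written by an installer in Program Files: worth logging, lower severity
        "EventID": 13,
        "Image": "C:\\Program Files\\Example\\setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleTray",
        "Details": "\"C:\\Program Files\\Example\\tray.exe\" /background",
    },
    {   # unrelated registry write, must be ignored
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for f in find_run_key_persistence(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['key']} -> {f['data']} (written by {f['writer']})")
```

Matching on the key path rather than on the value name matters here: a value name such as AdobelmdyU is trivially changed between campaigns, while the autostart location and a payload in a user-writable directory are the stable parts of the behaviour. Note that the 32-bit view of the key (Wow6432Node) is written when a 32-bit process sets HKLM\SOFTWARE\...\Run, so detections that only watch the native path miss it.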
…ater has used malware to collect the victim’s IP address and domain name. [161] G0129 Mustang Panda Mustang Panda has used ipconfig and arp to determine network configuration information. [162] S0205 Naid Naid collects the domain name from a compromised host. [163] G0019 Naikon N…
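Two of the behaviours above leave process-creation telemetry: HTA files executed via cmd.exe (the Command and Scripting Interpreter entry) and ipconfig plus arp run for network configuration discovery (both System Network Configuration Discovery entries). The Python below is an added example, not code from the ATT&CK page or any cited report, and applies two rules to constructed process-creation records shaped like Sysmon Event ID 1 or Security 4688. The page does not say how the HTA launch appears in telemetry; treating cmd.exe spawning mshta.exe, or any child with an .hta argument, as the signature is an assumption, as are the parent image paths, PIDs and the two-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named on the page; other enumeration tools can be added here.
NETWORK_DISCOVERY_TOOLS = {"ipconfig.exe", "arp.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_suspicious_process_activity(events, window=timedelta(minutes=2)):
    """Apply two rules to process-creation records.

    Each event: {'time': ISO 8601, 'parent_pid': int, 'parent_image': str,
                 'image': str, 'command_line': str}.

    Rule hta_via_cmd: cmd.exe launches mshta.exe, or launches any process whose
      command line references an .hta file.
    Rule network_discovery_burst: one parent process runs every tool in
      NETWORK_DISCOVERY_TOOLS within `window`.
    Returns a list of finding dicts: hta findings in event order, then one
    burst finding per offending parent.
    """
    findings = []
    by_parent = defaultdict(list)
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        parent = image_name(ev["parent_image"])
        child = image_name(ev["image"])
        cmdline = ev.get("command_line", "")
        if parent == "cmd.exe" and (child == "mshta.exe" or re.search(r"\.hta\b", cmdline, re.IGNORECASE)):
            findings.append({"rule": "hta_via_cmd", "time": ev["time"],
                             "parent_pid": ev["parent_pid"], "command_line": cmdline})
        if child in NETWORK_DISCOVERY_TOOLS:
            by_parent[(ev["parent_pid"], parent)].append((t, child))
    for (pid, parent), runs in by_parent.items():
        runs.sort()
        # Slide over this parent's discovery runs looking for a window that holds every tool.
        for i, (t_start, _) in enumerate(runs):
            seen = {tool for t, tool in runs[i:] if t - t_start <= window}
            if seen >= NETWORK_DISCOVERY_TOOLS:
                findings.append({"rule": "network_discovery_burst", "time": t_start.isoformat(),
                                 "parent_pid": pid, "parent_image": parent, "tools": sorted(seen)})
                break
    return findings


def constructed_events():
    """Constructed process-creation records (not real telemetry); paths and PIDs are assumptions."""
    return [
        {"time": "2024-01-15T09:00:00", "parent_pid": 4120,
         "parent_image": "C:\\Windows\\System32\\cmd.exe",
         "image": "C:\\Windows\\System32\\mshta.exe",
         "command_line": "mshta.exe C:\\Users\\alice\\Downloads\\invite.hta"},
        {"time": "2024-01-15T09:01:00", "parent_pid": 5008,
         "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDrive.exe",
         "image": "C:\\Windows\\System32\\ipconfig.exe", "command_line": "ipconfig /all"},
        {"time": "2024-01-15T09:01:05", "parent_pid": 5008,
         "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDrive.exe",
         "image": "C:\\Windows\\System32\\ARP.EXE", "command_line": "arp -a"},
        {"time": "2024-01-15T10:30:00", "parent_pid": 2200,   # an admin running ipconfig alone
         "parent_image": "C:\\Windows\\explorer.exe",
         "image": "C:\\Windows\\System32\\ipconfig.exe", "command_line": "ipconfig"},
    ]


if __name__ == "__main__":
    for f in find_suspicious_process_activity(constructed_events()):
        print(f)
```

Keying the burst rule on the parent process rather than on the user keeps a single ipconfig typed by an administrator out of the results while still catching a loader that runs the discovery commands back to back.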
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. Magisa, L. (2020, November 27). New MacOS Backdoor Connecte…
…at can upload additional files to the victim’s machine. [236] [237] [238] [239] G0129 Mustang Panda Mustang Panda has downloaded additional executables following the initial infection stage. [240] S0228 NanHaiShu NanHaiShu can download additional files from URLs. [207] S0336 Nano…