…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. Kaspersky Lab's Global Researc…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…un key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. [47] G1043 BlackByte BlackByte has used Registry Run keys for persistence. [48] S0089 BlackEnergy The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…o a temporary file in an encrypted form before exfiltration to a C2 server. [8] G1043 BlackByte BlackByte compressed data collected from victim environments prior to exfiltration. [9] S0521 BloodHound BloodHound can compress data collected by its SharpHound ingestor into a ZIP fi…
…ed account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Fo…
…ow copies using vssadmin.exe. [18] [19] [20] [21] [22] [23] [24] [25] [26] G1043 BlackByte BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption. [27] [28] S1181 BlackByte 2.0 Ransomware BlackByte 2.0 Ransomware modifies volume sh…
…m disk in order to identify and remove API hooks set by security products. [25] G1043 BlackByte BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations. [26] [27] [28] S1180 BlackByte Ransomware BlackByte Ransomware adds .…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…Paymer BitPaymer can use the RegEnumKeyW to iterate through Registry keys. [16] G1043 BlackByte BlackByte queried registry values to determine system language settings. [17] S1180 BlackByte Ransomware BlackByte Ransomware enumerates the Registry, specifically the HKLM\SOFTWARE\Mi…
…les, and to add the malware path for persistence. [30] [31] [32] [33] [34] [35] G1043 BlackByte BlackByte performed Registry modifications to escalate privileges and disable security tools. [36] [37] S1181 BlackByte 2.0 Ransomware BlackByte 2.0 Ransomware modifies the victim Regi…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
… has downloaded additional malware and tools onto a compromised host. [86] [87] G1043 BlackByte BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites. [88] S0564 BlackMould BlackMould has the ability to download files …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. Magisa, L. (2020, November 27). New MacOS Backdoor Connecte…