…[29] S0356 KONNI KONNI has encrypted data and files prior to exfiltration. [30] G0032 Lazarus Group Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. [31]…
…drops a Windows shortcut on the victim’s machine to establish persistence. [19] G0032 Lazarus Group Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder. [20] G0065 Leviathan Leviathan has used JavaScript to create a…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. Kaspersky Lab's Global Researc…
…y proxy servers used by the victim and use them for C2 communication. [10] [11] G0032 Lazarus Group Lazarus Group has used multiple proxies to obfuscate network traffic from victims. [12] [13] G0045 menuPass menuPass has used a global service provider's IP as a proxy for C2 traff…
…094 Kimsuky Kimsuky has been observed turning off Windows Security Center. [35] G0032 Lazarus Group Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System…
…) documents in their spearphishing campaigns. [101] [102] [103] [104] [105] [6] G0032 Lazarus Group Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents. [106] G0065 Leviathan Leviathan has sent spearphishing emails with malic…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…rodectus Latrodectus can use rundll32.exe to execute downloaded DLLs. [71] [72] G0032 Lazarus Group Lazarus Group has used rundll32 to execute malicious payloads on a compromised host. [73] G0140 LazyScripter LazyScripter has used rundll32.exe to execute Koadic stagers. [74] G005…
…rodectus Latrodectus can use rundll32.exe to execute downloaded DLLs. [73] [74] G0032 Lazarus Group Lazarus Group has used rundll32 to execute malicious payloads on a compromised host. [75] G0140 LazyScripter LazyScripter has used rundll32.exe to execute Koadic stagers. [76] G005…
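Two of the behaviours in these entries, a LNK shortcut dropped into the user's Startup folder for persistence and rundll32 used to run a malicious DLL, leave telemetry that can be checked with simple rules. The block below is an added example, not code from ATT&CK or from any of the reports cited here. It runs over constructed Sysmon-style records (the key=value field names EventID, Image, TargetFilename, CommandLine and ParentImage are assumed to mirror Sysmon Event ID 1 and Event ID 11; every path, file name and process in the sample is made up) and flags a .lnk written under "Start Menu\Programs\Startup", a rundll32 invocation whose DLL argument lives in a user-writable directory, and a rundll32 invocation with no DLL argument at all. The user-writable and system directory lists are a hunting heuristic chosen for this example, not something the page states.

```python
"""Detection logic for Startup-folder LNK persistence and rundll32 proxy
execution, run over constructed Sysmon-like events (not real telemetry)."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events. Field names assume Sysmon Event ID 1 (ProcessCreate)
# and Event ID 11 (FileCreate); all paths and binaries are hypothetical.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
    "Start Menu\\Programs\\Startup\\svc.lnk",
    "EventID=11 Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll,Start "
    "ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe shell32.dll,Control_RunDLL "
    "ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe ParentImage=C:\\Windows\\System32\\WINWORD.EXE",
]

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Heuristic (assumption for this example): directories an unprivileged user
# can write to, from which a legitimate rundll32 target is rarely loaded.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict. Values may contain spaces
    (e.g. 'Start Menu'), so split only where whitespace precedes a new key."""
    fields: Dict[str, str] = {}
    for chunk in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def dll_argument(cmdline: str) -> Optional[str]:
    """Return the DLL named on a rundll32 command line, or None if absent.
    rundll32 syntax is: rundll32.exe <dll>[,<entrypoint>] [args].
    An unquoted DLL path containing spaces is not handled here."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip('"')


def check_startup_lnk(ev: Dict[str, str]) -> Optional[str]:
    """FileCreate of a .lnk inside the per-user Startup folder."""
    if ev.get("EventID") != "11":
        return None
    target = ev.get("TargetFilename", "").lower()
    if STARTUP_MARKER in target and target.endswith(".lnk"):
        return f"startup-lnk: {ev.get('Image')} wrote {ev.get('TargetFilename')}"
    return None


def check_rundll32(ev: Dict[str, str]) -> Optional[str]:
    """ProcessCreate of rundll32 with a DLL in a user-writable path, or with
    no DLL argument (bare rundll32.exe is a common injection host)."""
    if ev.get("EventID") != "1":
        return None
    if not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    dll = dll_argument(cmd)
    if dll is None:
        return f"rundll32-noargs: {cmd!r} (parent {ev.get('ParentImage')})"
    if any(marker in dll.lower() for marker in USER_WRITABLE):
        return f"rundll32-userpath: {dll} (parent {ev.get('ParentImage')})"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Apply both checks to every record and collect the findings in order."""
    findings: List[str] = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_startup_lnk, check_rundll32):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed sample this yields three findings: the .lnk written to the Startup folder, the rundll32 call loading payload.dll from a Temp directory, and the argument-less rundll32 spawned by the Word process; the shell32.dll Control_RunDLL invocation is left alone because a bare DLL name resolved from the system search path is normal. In production the same rules belong in the SIEM's query language, and the user-writable list should be tuned against the environment's baseline.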
…oadic can download files off the target system to send back to the server. [68] G0032 Lazarus Group Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Lazarus Group malware RomeoDelta copies specifi…
…stributed through reply-chain phishing emails with malicious attachments. [136] G0032 Lazarus Group Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents. [137] [138] [139] [140] G0140 LazyScripter LazyScripter has used spam em…
…suky has obtained specific Registry keys and values on a compromised host. [61] G0032 Lazarus Group Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightV…
…[48] G0094 Kimsuky Kimsuky has exfiltrated data over its email C2 channel. [49] G0032 Lazarus Group Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another Lazarus Group malware sample also perfo…
…t is running as SYSTEM. [138] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [139] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [140] G0081 Tropic Trooper Tropic Trooper use…