…stang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code. [55] G0040 Patchwork Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2…
…as also used tunneling tools to tunnel RDP into the environment. [56] [57] [11] G0040 Patchwork Patchwork attempted to use RDP to move laterally. [58] S0192 Pupy Pupy can enable/disable RDP connection and can start a remote desktop session using a browser web socket client. [59] …
… saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\ . [86] G0040 Patchwork Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor." [87] T…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\ . [151] G0040 Patchwork Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor." [152] …
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…s. [195] S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses PowerShell scripts. [196] G0040 Patchwork Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine. [197] [198] C0036 Pikabot Distribution February 2024 Pikabot Distribu…
…s. [225] S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses PowerShell scripts. [226] G0040 Patchwork Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine. [227] [228] C0036 Pikabot Distribution February 2024 Pikabot Distribu…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…oader installed Rising Sun to %Startup%\mssync.exe on a compromised host. [203] G0040 Patchwork Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key. [204] […
…oader installed Rising Sun to %Startup%\mssync.exe on a compromised host. [211] G0040 Patchwork Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key. [212] […
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…s. [134] S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses PowerShell scripts. [135] G0040 Patchwork Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine. [136] [137] S0517 Pillowmint Pillowmint has used a PowerShell script …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…distributed through malicious links contained within spearphishing emails. [94] G0040 Patchwork Patchwork has used spearphishing with links to deliver files with exploits to initial victims. [95] [96] [97] C0036 Pikabot Distribution February 2024 Pikabot Distribution February 202…