…lmaker used PowerShell to download additional payloads and for execution. [128] G0047 Gamaredon Group Gamaredon Group has used obfuscated PowerShell scripts for staging. [129] [130] Additionally, Gamaredon Group has used PowerShell based tools later in its attack chain. [131] …
…s multiple modules for injecting into processes, such as Invoke-PSInject. [36] G0047 Gamaredon Group Gamaredon Group has injected Remcos into explorer.exe. [37] S0168 Gazer Gazer injects its communication module into an Internet accessible process through which it performs C2. […
…ls with malicious links to lure victims into installing malware. [39] [40] [41] G0047 Gamaredon Group Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content. [42] S1138 Gootloader Gootloader has been …
… Gallmaker sent emails with malicious Microsoft Office documents attached. [86] G0047 Gamaredon Group Gamaredon Group has delivered spearphishing emails with malicious attachments to targets. [87] [88] G0078 Gorgon Group Gorgon Group sent emails to victims with malicious Microsof…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…Gallmaker sent emails with malicious Microsoft Office documents attached. [106] G0047 Gamaredon Group Gamaredon Group has delivered spearphishing emails with malicious attachments to targets. [107] [108] [109] [110] [111] [112] [113] G0078 Gorgon Group Gorgon Group sent emails to…
…n lateral movement as well as for installing tools across multiple assets. [67] G0047 Gamaredon Group Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address. [68] [69] S0237 GravityRAT GravityRAT collects various information via W…
…ument with a warning that asked victims to "enable content" for execution. [70] G0047 Gamaredon Group Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded. [71] [72] G0078 Gorgon Group Gorgon Group attempted to get users to laun…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…es HTTP for C2. [103] S0381 FlawedAmmyy FlawedAmmyy has used HTTP for C2. [104] G0047 Gamaredon Group A Gamaredon Group file stealer can communicate over HTTP for C2. [105] [106] [107] S0168 Gazer Gazer communicates with its C2 servers over HTTP. [108] S0049 GeminiDuke GeminiDuke…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…G0093 GALLIUM GALLIUM used the Windows command shell to execute commands. [113] G0047 Gamaredon Group Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file. [114] [11…