…ter tool to conduct network service discovery for vulnerable systems. [76] [77] G0081 Tropic Trooper Tropic Trooper used pr and an openly available tool to scan for open ports on target systems. [78] [79] G1017 Volt Typhoon Volt Typhoon has used commercial tools, LOTL utilities, …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Ret…
… Trojan.Karagany can use netstat to collect a list of network connections. [73] G0081 Tropic Trooper Tropic Trooper has tested whether the localhost network is available, along with other connection capabilities, on an infected system using command scripts. [74] G0010 Turla Turla surveys a syste…
…d a first stage web shell after compromising a vulnerable Exchange server. [72] G0081 Tropic Trooper Tropic Trooper has started a web service on the target host and waits for the adversary to connect, acting as a web shell. [73] C0039 Versa Director Zero Day Exploitation Versa Dir…
…ts as a stub loader that loads and executes the shell code. [22] [44] [45] [23] G0081 Tropic Trooper Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools. [46] [47] S0579 Waterbear …
…TrickBot TrickBot decodes the configuration data and modules. [177] [178] [179] G0081 Tropic Trooper Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload. [180] [181] S0436 TSCookie TSCookie …
…system user information. [43] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215] G0081 Tropic Trooper Tropic Trooper use…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…an gather information on the network configuration of a compromised host. [188] G0081 Tropic Trooper Tropic Trooper has used scripts to collect the host's network topology. [189] S0436 TSCookie TSCookie has the ability to identify the IP of the infected host. [190] S0647 Turian T…
….Karagany Trojan.Karagany can communicate with C2 via HTTP POST requests. [268] G0081 Tropic Trooper Tropic Trooper has used HTTP in communication with the C2. [269] [270] S0436 TSCookie TSCookie can use multiple protocols, including HTTP and HTTPS, in communication with command and co…
…erform reconnaissance commands on a victim machine via a cmd.exe process. [279] G0081 Tropic Trooper Tropic Trooper has used Windows command scripts. [280] S0436 TSCookie TSCookie has the ability to execute shell commands on the infected host. [281] S0647 Turian Turian can create…
…an gather information on the network configuration of a compromised host. [257] G0081 Tropic Trooper Tropic Trooper has used scripts to collect the host's network topology. [258] S0436 TSCookie TSCookie has the ability to identify the IP of the infected host. [259] S0647 Turian T…
…jan.Karagany can upload, download, and execute files on the victim. [356] [357] G0081 Tropic Trooper Tropic Trooper has used a delivered trojan to download additional files. [358] S0436 TSCookie TSCookie has the ability to upload and download files to and from the infected host. …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. Magisa, L. (2020, November 27). New MacOS Backdoor Connecte…