…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…REFIRE WIREFIRE has the ability to download files to compromised devices. [540] G0090 WIRTE WIRTE has downloaded PowerShell code from the C2 server to be executed. [541] G0102 Wizard Spider Wizard Spider can transfer malicious payloads such as ransomware to compromised machines. …
…63] G0107 Whitefly Whitefly has obtained and used tools such as Mimikatz . [64] G0090 WIRTE WIRTE has obtained and used Empire for post-exploitation activities. [65] G0102 Wizard Spider Wizard Spider has obtained and used publicly-available post-exploitation frameworks and tools …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. Daniel Stepanic & Salim Bitam…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
… WellMess WellMess can execute PowerShell scripts received from C2. [190] [191] G0090 WIRTE WIRTE has used PowerShell for script execution. [192] G0102 Wizard Spider Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines. [193] It has…
… attachments delivered via email for initial access activity. [265] [266] [267] G0090 WIRTE WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments. [268] G0102 Wizard Spider Wizard Spider has used spearphishing attachments to deliver Microsoft docu…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…owerShell commands as part of initial access and installation operations. [281] G0090 WIRTE WIRTE has used PowerShell for script execution. [282] G0102 Wizard Spider Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines. [283] It has…
…nnti for Linux Winnti for Linux has used HTTP in outbound communications. [290] G0090 WIRTE WIRTE has used HTTP for network communication. [291] G0102 Wizard Spider Wizard Spider has used HTTP for network communications. [292] S0341 Xbash Xbash uses HTTP for C2 communications. [2…
…has decoded XOR encoded strings holding its configuration upon execution. [198] G0090 WIRTE WIRTE has decoded a base64 encoded document which was embedded in a VBS script. [199] S0653 xCaon xCaon has decoded strings from the C2 server before executing commands. [200] S0388 YAHOYA…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…