…med "WinUpdate", as well as other encoded commands from the command-line. [112]
G0093 GALLIUM GALLIUM used the Windows command shell to execute commands. [113]
G0047 Gamaredon Group Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gama…
…yDream, the threat actors used cmd.exe to execute the wmiexec.vbs script. [70]
G0093 GALLIUM GALLIUM used the Windows command shell to execute commands. [145]
G0047 Gamaredon Group Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gama…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Kasza, A., H…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
Roccia, T., …
…ein has enumerated hosts, looking for the public IP address of the system. [69]
G0093 GALLIUM GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers. [70]…
…nyDream, the threat actors used ipconfig for discovery on remote systems. [93]
G0093 GALLIUM GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers. [94]…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
Magisa, L. (2020, November 27). New MacOS Backdoor Connecte…
… Empire, which automatically sends the data back to the adversary's C2. [31]
G0093 GALLIUM GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data. [32]
G0047 Gamaredon Group A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server. [33]
S04…
…t is running as SYSTEM. [138]
S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [139]
S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [140]
G0081 Tropic Trooper Tropic Trooper use…
…system user information. [43]
S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214]
S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215]
G0081 Tropic Trooper Tropic Trooper use…
…ng FunnyDream, the threat actors used wmiexec.vbs to run remote commands. [66]
G0093 GALLIUM GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets. [67]
G0047 Gamaredon Group Gamaredon Group has used WMI to execute sc…
…628 FYAnti FYAnti can download additional payloads to a compromised host. [125]
G0093 GALLIUM GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [148] [59]
G0047 Gamaredon Group Tools used by Gama…
…628 FYAnti FYAnti can download additional payloads to a compromised host. [181]
G0093 GALLIUM GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [213] [80]
G0047 Gamaredon Group Gamaredon Group ha…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…628 FYAnti FYAnti can download additional payloads to a compromised host. [192]
G0093 GALLIUM GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [226] [89]
G0047 Gamaredon Group Gamaredon Group ha…