…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…20] S1117 GLASSTOKEN GLASSTOKEN can use PowerShell for command execution. [121] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. [122] S1138 Gootloader Gootloader can use an encoded PowerShell stager to write to the Registry f…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…32] S1117 GLASSTOKEN GLASSTOKEN can use PowerShell for command execution. [133] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. [134] S1138 Gootloader Gootloader can use an encoded PowerShell stager to write to the Registry f…
…llmaker used PowerShell to download additional payloads and for execution. [85] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. [86] G0078 Gorgon Group Gorgon Group malware can use PowerShell commands to download and execute …
…. [57] S0032 gh0st RAT gh0st RAT can capture the victim’s screen remotely. [58] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victims' machines. [59] S0417 GRIFFON GRIFFON has used a screenshot …
…iders to gain broad access to multiple customers for subsequent operations. [4] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has breached Managed Service Providers (MSPs) to deliver malware to MSP customers. [5] G0125 HAFNIUM HAFNIUM has used stolen API keys and credentials associated w…
…iles that are encrypted with 3DES. It also uses RSA to encrypt resources. [131] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts. [132] S0493 GoldenSpy GoldenSpy's uninstaller has base64-encoded its variables. [133] S0588 …
… remote management tool Atera to download malware to a compromised system. [19] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil. [20] S0601 Hildegard Hildegard has established tmate sessions…
…ervers including Wildfly/JBoss servers to gain access to the network. [48] [49] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise. [50] G0125 HAFNIUM HAFNIUM has exploited CVE-2021-44228 in Log4j and CVE-2021-26855, CVE-202…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Pla…
…ervers including Wildfly/JBoss servers to gain access to the network. [52] [53] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise. [54] G0125 HAFNIUM HAFNIUM has exploited CVE-2021-44228 in Log4j and CVE-2021-26855, CVE-202…
…1 Axiom Axiom has used spear phishing to initially compromise victims. [9] [10] G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines. [11] S0009 Hikit Hikit has been spread through spear phishing. [10] G1032 IN…