…balt Group has sent emails with URLs pointing to malicious documents. [36] [37] G0142 Confucius Confucius has sent malicious links to victims through email campaigns. [38] S1111 DarkGate DarkGate is distributed in phishing emails containing links to distribute malicious VBS or MS…
…e users to execute a file or macro to infect the victim machine. [24] [25] [26] G0142 Confucius Confucius has lured victims into clicking on a malicious link sent through spearphishing. [27] G1034 Daggerfly Daggerfly has used strategic website compromise to deliver a malicious li…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…s containing .exe and .scr executables. [61] [62] [63] [64] [65] [66] [67] [68] G0142 Confucius Confucius has crafted and sent victims malicious attachments to gain initial access. [69] G1012 CURIUM CURIUM has used phishing with malicious attachments for initial access to victim …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…608 Conficker Conficker downloads an HTTP server to the infected machine. [136] G0142 Confucius Confucius has downloaded additional files and payloads onto a compromised host following initial access. [137] [138] S0492 CookieMiner CookieMiner can download additional scripts from …
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…S0608 Conficker Conficker adds Registry Run keys to establish persistence. [65] G0142 Confucius Confucius has dropped malicious files into the startup folder %AppData%\Microsoft\Windows\Start Menu\Programs\Startup on a compromised host in order to maintain persistence. [66] S0137…
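The two persistence locations named above (the per-user Startup folder and the Registry Run keys) are both cheap to watch for. The following is an added example, not code from the ATT&CK page or from any of the reports it cites: detection logic that scans Sysmon-style events (Event ID 11 FileCreate, Event ID 13 RegistryEvent value set) for writes to either location and raises the severity when the writing process or the registered payload lives in a user-writable directory, which is where droppers such as the one described for Confucius typically stage. The event records, host names, SIDs and paths are constructed for offline use; the user-writable-path heuristic and the severity labels are the example's own assumptions, not ATT&CK definitions.

```python
"""Hunt for Startup-folder drops and Run-key writes in Sysmon-style events.

Added example; the events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Locations the table entries above describe. Matched case-insensitively on the
# path tail so both per-user (%AppData%) and all-users Startup folders hit.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE)
# Assumption of this example: payloads or writers under these directories are
# more suspicious than installer-managed paths such as Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    image: str        # process that performed the write
    target: str       # file path or registry value path
    payload: str      # what will execute at logon
    severity: str     # "high" or "medium" (example's own labels)
    reason: str


def analyze(events):
    """Return a Finding for every event that touches a persistence location."""
    findings = []
    for ev in events:
        if ev["EventID"] == 11 and STARTUP_RE.search(ev["TargetFilename"]):
            target = payload = ev["TargetFilename"]
            reason = "file written to Startup folder"
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target, payload = ev["TargetObject"], ev.get("Details", "")
            reason = "value set under a Registry Run key"
        else:
            continue
        suspicious = USER_WRITABLE_RE.search(ev["Image"]) or USER_WRITABLE_RE.search(payload)
        findings.append(Finding(ev["EventID"], ev["Image"], target, payload,
                                "high" if suspicious else "medium", reason))
    return findings


# Constructed sample events (Sysmon field names, invented values).
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] EID {f.event_id}: {f.reason}: {f.target} (by {f.image})")
```

The "medium" hit from msiexec.exe is deliberate: legitimate installers register Run values all the time, so the allow-listing belongs in a tuning layer rather than in the matcher, which should stay exhaustive for the two locations. A writer running from Temp or AppData, or a payload that lives there, is the pattern worth paging on.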
…26 ComRAT ComRAT has used HTTP requests for command and control. [83] [84] [85] G0142 Confucius Confucius has used HTTP for C2 communications. [86] S0137 CORESHELL CORESHELL can communicate over HTTP for C2. [19] [87] S0050 CosmicDuke CosmicDuke can use HTTP or HTTPS for command …
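Plain HTTP C2 of the kind listed for Confucius and the other entries above blends into ordinary web traffic, so one practical hunt is for the regularity of the channel rather than its content. The following is an added example, not code from the ATT&CK page or from any report it cites: it groups HTTP proxy log lines by client and destination host, computes the intervals between requests, and flags pairs whose interval jitter (coefficient of variation) is low and whose request count is high enough to be meaningful. The log format, addresses and host names are constructed for offline use, and the thresholds (`min_requests`, `max_cv`) are the example's own choices to be tuned per environment.

```python
"""Flag low-jitter HTTP request patterns in proxy logs as candidate C2 beacons.

Added example; the log lines below are constructed, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log: timestamp client method url status bytes
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 GET http://203.0.113.10/api/check 200 312
2024-03-01T10:00:07Z 10.0.0.5 GET http://www.example.com/ 200 15320
2024-03-01T10:01:00Z 10.0.0.5 GET http://203.0.113.10/api/check 200 312
2024-03-01T10:02:01Z 10.0.0.5 GET http://203.0.113.10/api/check 200 312
2024-03-01T10:02:44Z 10.0.0.5 GET http://www.example.com/news 200 48211
2024-03-01T10:03:00Z 10.0.0.5 GET http://203.0.113.10/api/check 200 312
2024-03-01T10:03:59Z 10.0.0.5 GET http://203.0.113.10/api/check 200 312
2024-03-01T10:05:00Z 10.0.0.5 GET http://203.0.113.10/api/check 200 312
2024-03-01T10:05:10Z 10.0.0.5 GET http://www.example.com/search?q=x 200 9031
2024-03-01T10:06:00Z 10.0.0.5 GET http://203.0.113.10/api/check 200 312
2024-03-01T10:30:12Z 10.0.0.5 GET http://www.example.com/about 200 7712
"""


def parse_line(line):
    """Split one whitespace-delimited proxy line into a record."""
    ts, client, method, url, status, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "host": urlparse(url).hostname,
        "size": int(size),
    }


def find_beacons(log_text, min_requests=5, max_cv=0.2):
    """Return (client, host) pairs whose request spacing is suspiciously regular.

    cv = population std-dev of inter-request gaps / mean gap; a fixed sleep
    with no jitter gives cv near 0, human browsing gives cv well above 1.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_pair[(rec["client"], rec["host"])].append(rec)

    results = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue  # too few samples to say anything about periodicity
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second; not a sleep-based beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append({
                "client": client,
                "host": host,
                "requests": len(reqs),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                # identical response sizes are a second tell for an idle poll
                "distinct_sizes": len({r["size"] for r in reqs}),
            })
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Against the constructed log only the 203.0.113.10 pair is reported (seven requests about 60 s apart, one response size); the browsing to www.example.com never reaches `min_requests`. The obvious caveat is that implants with randomized sleep defeat a pure coefficient-of-variation test, so in practice this is a first filter that is combined with destination reputation, URI entropy and the response-size tell rather than a standalone verdict.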
…xecute PowerShell scripts loaded into memory or from the file system. [70] [71] G0142 Confucius Confucius has used PowerShell to execute malicious files and payloads. [72] S0591 ConnectWise ConnectWise can be used to execute PowerShell commands on target machines. [73] G0052 Copy…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…