…ured victims into clicking on a malicious link sent through spearphishing. [27] G1034 Daggerfly Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction. [28] G1006 Earth Lusca Earth Lusca has sent spearphishing emails that required t…
…tegic website compromise to infect victims with malware such as IMAPLoader [23] G1034 Daggerfly Daggerfly has used strategic website compromise for initial access against victims. [24] G0070 Dark Caracal Dark Caracal leveraged a watering hole to serve up malicious code. [25] G001…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…s for initial process execution and data gathering in victim environments. [79] G1034 Daggerfly Daggerfly used PowerShell to download and execute remote-hosted files on victim systems. [80] G0079 DarkHydrus DarkHydrus leveraged PowerShell to download and execute additional script…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…s for initial process execution and data gathering in victim environments. [85] G1034 Daggerfly Daggerfly used PowerShell to download and execute remote-hosted files on victim systems. [86] S1111 DarkGate DarkGate has used PowerShell to create a remote shell. [87] G0079 DarkHydru…
…TTPS. [96] [97] S0497 Dacls Dacls can use HTTPS in C2 communications. [98] [99] G1034 Daggerfly Daggerfly uses HTTP for command and control communication. [100] S1014 DanBot DanBot can use HTTP in C2 communication. [101] G0070 Dark Caracal Dark Caracal's version of Bandook commu…
… [151] S0497 Dacls Dacls can download its payload from a C2 server. [146] [152] G1034 Daggerfly Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines. [153] S1014 DanBot DanBot can download additional f…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…s the copy of rundll32.exe to load and execute the main CozyCar component. [41] G1034 Daggerfly Daggerfly proxied execution of malicious DLLs through a renamed rundll32.exe binary. [42] S0255 DDKONG DDKONG uses Rundll32 to ensure only a single instance of itself is running at onc…
…tVersion\last_edate to determine how long it has been installed on a host. [33] G1034 Daggerfly Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines. [34] S0673 DarkWatchman DarkWatchman can query the Regi…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). Chinese State-Sponsored Group 'RedDelta' Targets the Vatican and Catholic Organizations. Retri…
… Cyclops Blink Cyclops Blink has the ability to query device information. [112] G1034 Daggerfly Daggerfly utilizes victim machine operating system information to create custom User Agent strings for subsequent command and control communication. [113] S0334 DarkComet DarkComet can…