Non-Application Layer Protocol, Technique T1095 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Non-Application Layer Protocol
Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. [1] Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example. [2] Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts. [3] However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

In ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host’s backdoor, regardless of network segmentation or firewall rules in place. [4]
ID: T1095
Sub-techniques: No sub-techniques
Tactic: Command and Control
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Duane Michael; Ryan Becwar
Version: 2.4
Created: 31 May 2017
Last Modified: 15 April 2025
Procedure Examples
ID | Name | Description
C0034 | 2022 Ukraine Electric Power Attack | During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel. [5]
S0504 | Anchor | Anchor has used ICMP in C2 communications. [6]
G0022 | APT3 | An APT3 downloader establishes SOCKS5 connections for its initial C2. [7]
S0456 | Aria-body | Aria-body has used TCP in C2 communications. [8]
S1029 | AuTo Stealer | AuTo Stealer can use TCP to communicate with command and control servers. [9]
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities. [10]
S0234 | Bandook | Bandook has a command built in to use a raw TCP socket. [11]
S0268 | Bisonal | Bisonal has used raw sockets for network communication. [12]
G1002 | BITTER | BITTER has used TCP for C2 communications. [13]
S1063 | Brute Ratel C4 | Brute Ratel C4 has the ability to use TCP for external C2. [14]
S0043 | BUBBLEWRAP | BUBBLEWRAP can communicate using SOCKS. [15]
C0021 | C0021 | During C0021, the threat actors used TCP for some C2 communications. [16]
S0335 | Carbon | Carbon uses TCP and UDP for C2. [17]
S1204 | cd00r | cd00r can monitor incoming C2 communications sent over TCP to the compromised host. [18][19]
S0660 | Clambling | Clambling has the ability to use TCP and UDP for communication. [20]
S1105 | COATHANGER | COATHANGER uses ICMP for transmitting configuration information to and from its command and control server. [21]
S0154 | Cobalt Strike | Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications. [22][23]
S0115 | Crimson | Crimson uses a custom TCP protocol for C2. [24][25]
S0498 | Cryptoistic | Cryptoistic can use TCP in communications with C2. [26]
S1153 | Cuckoo Stealer | Cuckoo Stealer can use sockets for communications to its C2 server. [27]
C0029 | Cutting Edge | During Cutting Edge, threat actors used the Unix socket and a reverse TCP shell for C2 communications. [28]
S0021 | Derusbi | Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2. [29]
S0502 | Drovorub | Drovorub can use TCP to communicate between its agent and client modules. [30]
G1003 | Ember Bear | Ember Bear uses socket-based tunneling utilities for command and control purposes such as NetCat and Go Simple Tunnel (GOST). These tunnels are used to push interactive command prompts over the created sockets. [31] Ember Bear has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure. [32]
S0076 | FakeM | Some variants of FakeM use SSL to communicate with C2 servers. [33]
G0037 | FIN6 | FIN6 has used Metasploit Bind and Reverse TCP stagers. [34]
S1144 | FRP | FRP can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP. [35]
S1044 | FunnyDream | FunnyDream can communicate with C2 over TCP and UDP. [36]
S0666 | Gelsemium | Gelsemium has the ability to use TCP and UDP in C2 communications. [37]
S0032 | gh0st RAT | gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2. [38]
G0125 | HAFNIUM | HAFNIUM has used TCP for C2. [39]
S0394 | HiddenWasp | HiddenWasp communicates with a simple network protocol over TCP. [40]
S0260 | InvisiMole | InvisiMole has used TCP to download additional modules. [41]
S1203 | J-magic | J-magic can monitor incoming C2 communications sent over TCP to the compromised host. [19]
S1051 | KEYPLUG | KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication. [42]
C0035 | KV Botnet Activity | KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication. [43]
S1121 | LITTLELAMB.WOOLTEA | LITTLELAMB.WOOLTEA can function as a stand-alone backdoor communicating over the /tmp/clientsDownload.sock socket. [28]
S0582 | LookBack | LookBack uses a custom binary protocol over sockets for C2 communications. [44]
S1142 | LunarMail | LunarMail can ping a specific C2 URL with the ID of a victim machine in the subdomain. [45]
S1016 | MacMa | MacMa has used a custom JSON-based protocol for its C&C communications. [46]
S1060 | Mafalda | Mafalda can use raw TCP for C2. [47]
G1013 | Metador | Metador has used TCP for C2. [47]
S1059 | metaMain | metaMain can establish an indirect and raw TCP socket-based connection to the C2 server. [47][48]
S0455 | Metamorfo | Metamorfo has used raw TCP for C2. [49]
S0084 | Mis-Type | Mis-Type network traffic can communicate over a raw socket. [50]
S0083 | Misdat | Misdat network traffic communicates over a raw socket. [50]
S0149 | MoonWind | MoonWind completes network communication via raw sockets. [51]
S0699 | Mythic | Mythic supports WebSocket and TCP-based C2 profiles. [52]
S0630 | Nebulae | Nebulae can use TCP in C2 communications. [53]
S1189 | Neo-reGeorg | Neo-reGeorg can create multiple TCP connections for a single session. [54]
S0034 | NETEAGLE | If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs. [55]
S0198 | NETWIRE | NETWIRE can use TCP in C2 communications. [56][57]
S1100 | Ninja | Ninja can forward TCP packets between the C2 and a remote host. [58][59]
C0014 | Operation Wocao | During Operation Wocao, threat actors used a custom protocol for command and control. [60]
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic. [61]
S0556 | Pay2Key | Pay2Key has sent its public key to the C2 server over TCP. [62]
S0587 | Penquin | The Penquin C2 mechanism is based on TCP and UDP packets. [63][64]
S0158 | PHOREAL | PHOREAL communicates via ICMP for C2. [65]
S1031 | PingPull | PingPull variants have the ability to communicate with C2 servers using ICMP or TCP. [66]
S0501 | PipeMon | The PipeMon communication module can use a custom protocol based on TLS over TCP. [67]
G0068 | PLATINUM | PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control. [68]
S0013 | PlugX | PlugX can be configured to use raw TCP or UDP for command and control. [69]
S0650 | QakBot | QakBot has the ability to use TCP to send or receive C2 packets. [70]
S0262 | QuasarRAT | QuasarRAT can use TCP for C2 communication. [71]
S1084 | QUIETEXIT | QUIETEXIT can establish a TCP connection as part of its initial connection to the C2. [72]
S0629 | RainyDay | RainyDay can use TCP in C2 communications. [53]
S0055 | RARSTONE | RARSTONE uses SSL to encrypt its communication with its C2 server. [73]
S0662 | RCSession | RCSession has the ability to use TCP and UDP in C2 communications. [20][74]
S0172 | Reaver | Some Reaver variants use raw TCP for C2. [75]
C0047 | RedDelta Modified PlugX Infection Chain Operations | Mustang Panda communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations. [76]
S1187 | reGeorg | reGeorg can tunnel TCP sessions into targeted networks. [77]
S0019 | Regin | The Regin malware platform can use ICMP to communicate between infected computers. [78]
S0125 | Remsec | Remsec is capable of using ICMP, TCP, and UDP for C2. [79][80]
S1078 | RotaJakiro | RotaJakiro uses a custom binary protocol using a type, length, value format over TCP. [81]
S1073 | Royal | Royal establishes a TCP socket for C2 communication using the API WSASocketW. [82]
S1099 | Samurai | Samurai can use a proxy module to forward TCP packets to external hosts. [58]
S1085 | Sardonic | Sardonic can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol. [83]
S0461 | SDBbot | SDBbot has the ability to communicate with C2 with TCP over port 443. [84]
S0596 | ShadowPad | ShadowPad has used UDP for C2 communications. [85]
S1163 | SnappyTCP | SnappyTCP spawns a reverse TCP shell following an HTTP-based negotiation. [86]
S0615 | SombRAT | SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server. [87][88]
S1140 | Spica | Spica can use JSON over WebSockets for C2 communications. [89]
S1200 | StealBit | StealBit can use the Windows Socket networking library to communicate with attacker-controlled endpoints. [90]
S1049 | SUGARUSH | SUGARUSH has used TCP for C2. [91]
S0011 | Taidoor | Taidoor can use TCP for C2 communications. [92]
G1022 | ToddyCat | ToddyCat has used a passive backdoor that receives commands with UDP packets. [59]
S0436 | TSCookie | TSCookie can use ICMP to receive information on the destination server. [93]
S0221 | Umbreon | Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate. [94]
S0022 | Uroburos | Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols. [95]
C0039 | Versa Director Zero Day Exploitation | Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control. [96]
S0670 | WarzoneRAT | WarzoneRAT can communicate with its C2 server via TCP over port 5200. [97]
S0515 | WellMail | WellMail can use TCP for C2 communications. [98]
S0155 | WINDSHIELD | WINDSHIELD C2 traffic can communicate via TCP raw sockets. [65]
S0430 | Winnti for Linux | Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications. [99]
S0141 | Winnti for Windows | Winnti for Windows can communicate using custom TCP. [100]
S1114 | ZIPLINE | ZIPLINE can communicate with C2 using a custom binary protocol. [101]
Mitigations
ID | Mitigation | Description
M1047 | Audit | Periodically investigate ESXi hosts for open VMCI ports. Running the lsof -A command and inspecting results with a type of SOCKET_VMCI will reveal processes that have open VMCI ports. [102]
M1037 | Filter Network Traffic | Filter network traffic to prevent use of protocols across the network boundary that are unnecessary. If VMCI is not required in ESXi environments, consider restricting guest virtual machines from accessing VMCI services. [103]
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1030 | Network Segmentation | Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.
Detection
ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). While VMCI traffic is invisible to most traditional network sniffing tools, there are ways to potentially monitor this traffic. [102]
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. While VMCI traffic is invisible to most traditional network sniffing tools, there are ways to potentially monitor this traffic. [102]
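The detection guidance above calls for inspecting protocol traffic that does not follow expected standards or flows, with ICMP as the page's running example. The following Python script is an added example, not code from MITRE or the ATT&CK site: it parses constructed IPv4/ICMP packets, compares echo payloads with the stock Linux and Windows ping fillers, scores payload entropy, and reports echo replies that answer no request seen earlier. The size and entropy thresholds and the filler patterns are assumptions to be tuned against a local baseline.

```python
"""Flag ICMP echo packets that deviate from ordinary ping behaviour.
Added example for this page's detection guidance, not MITRE's code: it parses raw
IPv4/ICMP packets (constructed below), compares payloads with the stock ping
fillers, scores payload entropy, and reports replies that answer no earlier request."""
import math
import socket
import struct
from typing import List, Optional, Set, Tuple

# Stock fillers: iputils (Linux) sends an 8-byte timestamp then bytes 0x10..0x3f; Windows sends this string.
LINUX_FILLER = bytes(range(0x10, 0x40))
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"
MAX_TYPICAL_PAYLOAD = 64   # assumption: tune to the environment's own baseline
ENTROPY_THRESHOLD = 6.0    # bits per byte; text and stock fillers stay well below
Echo = Tuple[str, str, int, int, int, bytes]   # src, dst, type, id, seq, payload


def parse_ipv4_icmp(pkt: bytes) -> Optional[Echo]:
    """Return the echo request (type 8) or reply (type 0) in an IPv4 packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < max(20, ihl + 8) or pkt[0] >> 4 != 4 or pkt[9] != 1:   # proto 1 = ICMP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if icmp_type not in (0, 8):
        return None
    return src, dst, icmp_type, ident, seq, pkt[ihl + 8:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 would mean every byte value is equally likely."""
    if not data:
        return 0.0
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)


def looks_like_stock_ping(payload: bytes) -> bool:
    return payload == WINDOWS_FILLER or (len(payload) == 56 and payload[8:] == LINUX_FILLER)


def analyse(packets: List[bytes]) -> List[str]:
    """Return one finding per suspicious echo packet, in packet order."""
    findings: List[str] = []
    pending: Set[Tuple[str, str, int, int]] = set()   # requests still awaiting a reply
    for n, pkt in enumerate(packets):
        echo = parse_ipv4_icmp(pkt)
        if echo is None:
            continue
        src, dst, icmp_type, ident, seq, payload = echo
        where = f"pkt{n} {src}->{dst} id={ident} seq={seq}"
        if icmp_type == 8:
            pending.add((src, dst, ident, seq))
        elif (dst, src, ident, seq) in pending:
            pending.discard((dst, src, ident, seq))
        else:   # a reply that belongs to no flow we saw being opened
            findings.append(f"{where}: echo reply with no matching request")
        if looks_like_stock_ping(payload):
            continue   # ordinary ping traffic; nothing further to check
        if len(payload) > MAX_TYPICAL_PAYLOAD:
            findings.append(f"{where}: oversized payload ({len(payload)} bytes)")
        if shannon_entropy(payload) > ENTROPY_THRESHOLD:
            findings.append(f"{where}: high-entropy payload, possibly encrypted data")
    return findings


def build_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal IPv4 header + ICMP echo header + payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum left 0; not verified here
    return ip_hdr + icmp_hdr + payload


def sample_packets() -> List[bytes]:
    """Constructed traffic: a Linux ping pair, a Windows request, one unsolicited reply."""
    ts = struct.pack("!Q", 1_700_000_000)                  # stand-in for the iputils timestamp
    blob = bytes((i * 73 + 11) % 256 for i in range(128))  # 128 distinct byte values
    return [
        build_echo("10.0.0.5", "10.0.0.9", 8, 0x1234, 1, ts + LINUX_FILLER),
        build_echo("10.0.0.9", "10.0.0.5", 0, 0x1234, 1, ts + LINUX_FILLER),
        build_echo("10.0.0.7", "10.0.0.9", 8, 1, 1, WINDOWS_FILLER),
        build_echo("10.0.0.9", "10.0.0.5", 0, 0x1234, 2, blob),
    ]
```

Calling analyse(sample_packets()) returns three findings, all for the final constructed packet; a short, low-entropy payload that merely differs from the stock filler produces none, which is the trade-off these thresholds make against false positives from custom but benign ping tools.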
References
[1] Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.
[2] Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
[3] Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.
[4] Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
[5] Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
[6] Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
[7] Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
[8] CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
[9] Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
[10] Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
[11] Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
[12] Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
[13] Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
[14] Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
[15] FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
[16] Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
[17] ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
[18] Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.
[19] Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
[20] Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
[21] Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
[22] Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
[23] Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
[24] Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
[25] Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
[26] Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
[27] Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
[28] Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
[29] Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
[30] NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
[31] Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
[32] US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
[33] Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
[34] Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
[35] fatedier. (n.d.). What is frp? Retrieved July 10, 2024.
[36] Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
[37] Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
[38] Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
[39] MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
[40] Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
[41] Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
[42] Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
[43] Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
[44] Raggi, M. and Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
[45] Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
[46] M.Léveillé, M. and Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
[47] Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
[48] SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
[49] Sierra, E. and Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
[50] Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
[51] Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
[52] Thomas, C. (n.d.). Mythic Documentation. Retrieved March 25, 2022.
[53] Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
[54] L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024.
[55] FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
[56] Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
[57] Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
[58] Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
[59] Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
[60] Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
[61] Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
[62] Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
[63] Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
[64] Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
[65] Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
[66] Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
[67] Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
[68] Kaplan, D., et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
[69] Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
[70] Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
[71] CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
[72] Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
[73] Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
[74] Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
[75] Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
[76] Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
[77] FortiGuard Labs. (2019, March 12). ReGeorg.HTTP.Tunnel. Retrieved December 3, 2024.
[78] Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
[79] Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
[80] Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
[81] Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
[82] Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
[83] Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
[84] Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
[85] Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
[86] PwC Threat Intelligence. (2023, December 5). The Tortoise and The Malware. Retrieved November 20, 2024.
[87] The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
[88] McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
[89] Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
[90] Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
[91] Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
[92] CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
[93] Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.
[94] Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
[95] FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
[96] Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.
[97] Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
[98] CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
[99] Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
[100] Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
[101] Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
[102] Alex Marvi, Greg Blaum, and Ron Craft. (2023, June 28). Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts. Retrieved March 26, 2025.
[103] Broadcom. (2025, March 24). Configure Virtual Machine Communication Interface Firewall. Retrieved March 31, 2025.