User Execution: Malicious File, Sub-technique T1204.002 - Enterprise | MITRE ATT&CK®

User Execution: Malicious File, Sub-technique T1204.002 - Enterprise | MITRE ATT&CK®
Currently viewing
ATT&CK v17.1
which was live between April 22, 2025 and October 27, 2025.
Learn more about the versioning system
or
see the live site
Techniques
Enterprise
User Execution
Malicious File
User Execution:
Malicious File
Other sub-techniques of User Execution (4)
ID
Name
T1204.001
Malicious Link
T1204.002
Malicious File
T1204.003
Malicious Image
T1204.004
Malicious Copy and Paste
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from
Spearphishing Attachment
. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg.
Adversaries may employ various forms of
Masquerading
and
Obfuscated Files or Information
to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.
[1]
While
Malicious File
frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after
Internal Spearphishing
ID:
T1204.002
Sub-technique of:
T1204
Tactic:
Execution
Platforms:
Linux, Windows, macOS
Contributors:
TruKno
Version:
1.5
Created:
11 March 2020
Last Modified:
15 April 2025
Version Permalink
Live Version
Procedure Examples
ID
Name
Description
C0028
2015 Ukraine Electric Power Attack
During the
2015 Ukraine Electric Power Attack
Sandworm Team
leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them.
[2]
G0018
admin@338
admin@338
has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.
[3]
S0331
Agent Tesla
Agent Tesla
has been executed through malicious e-mail attachments
[4]
G0130
Ajax Security Team
Ajax Security Team
has lured victims into executing malicious files.
[5]
G0138
Andariel
Andariel
has attempted to lure victims into enabling malicious macros within email attachments.
[6]
G1007
Aoqin Dragon
Aoqin Dragon
has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.
[7]
S0584
AppleJeus
AppleJeus
has required user execution of a malicious MSI installer.
[8]
S0622
AppleSeed
AppleSeed
can achieve execution through users running malicious file attachments distributed via email.
[9]
G0099
APT-C-36
APT-C-36
has prompted victims to accept macros in order to execute the subsequent payload.
[10]
G0005
APT12
APT12
has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.
[11]
[12]
G0073
APT19
APT19
attempted to get users to launch malicious attachments delivered via spearphishing emails.
[13]
G0007
APT28
APT28
attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.
[14]
[15]
[16]
G0016
APT29
APT29
has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.
[17]
[18]
[19]
G0013
APT30
APT30
has relied on users to execute malicious file attachments delivered via spearphishing emails.
[20]
G0050
APT32
APT32
has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.
[21]
[22]
[23]
[24]
[25]
G0064
APT33
APT33
has used malicious e-mail attachments to lure victims into executing malware.
[26]
G0067
APT37
APT37
has sent spearphishing attachments attempting to get a user to open them.
[27]
G0082
APT38
APT38
has attempted to lure victims into enabling malicious macros within email attachments.
[28]
Additionally,
APT38
has used malicious Word documents and shortcut files.
[29]
G0087
APT39
APT39
has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.
[30]
[31]
[32]
[33]
S0373
Astaroth
Astaroth
has used malicious files including VBS, LNK, and HTML for execution.
[34]
S0606
Bad Rabbit
Bad Rabbit
has been executed through user installation of an executable disguised as a flash installer.
[35]
[36]
S0642
BADFLICK
BADFLICK
has relied upon users clicking on a malicious attachment delivered through spearphishing.
[37]
S0234
Bandook
Bandook
has used lure documents to convince the user to enable macros.
[38]
S0268
Bisonal
Bisonal
has relied on users to execute malicious file attachments delivered via spearphishing emails.
[39]
G1002
BITTER
BITTER
has attempted to lure victims into opening malicious attachments delivered via spearphishing.
[40]
[41]
S1070
Black Basta
Black Basta
has been downloaded and executed from malicious Excel files.
[42]
[43]
G0098
BlackTech
BlackTech
has used e-mails with malicious documents to lure victims into installing malware.
[44]
[45]
S0520
BLINDINGCAN
BLINDINGCAN
has lured victims into executing malicious macros embedded within Microsoft Office documents.
[46]
S0635
BoomBox
BoomBox
has gained execution through user interaction with a malicious file.
[47]
G0060
BRONZE BUTLER
BRONZE BUTLER
has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.
[48]
[49]
S1063
Brute Ratel C4
Brute Ratel C4
has gained execution through users opening malicious documents.
[50]
S1039
Bumblebee
Bumblebee
has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.
[51]
[52]
[53]
[54]
S0482
Bundlore
Bundlore
has attempted to get users to execute a malicious .app file that looks like a Flash Player update.
[55]
C0011
C0011
During
C0011
Transparent Tribe
relied on a student target to open a malicious document delivered via email.
[56]
C0015
C0015
During
C0015
, the threat actors relied on users to enable macros within a malicious Microsoft Word document.
[57]
S0348
Cardinal RAT
Cardinal RAT
lures victims into executing malicious macros embedded within Microsoft Excel documents.
[58]
S0465
CARROTBALL
CARROTBALL
has been executed through users being lured into opening malicious e-mail attachments.
[59]
S0631
Chaes
Chaes
requires the user to click on the malicious Word document to execute the next part of the attack.
[60]
S0660
Clambling
Clambling
has gained execution through luring victims into opening malicious files.
[61]
G0080
Cobalt Group
Cobalt Group
has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.
[62]
[63]
G0142
Confucius
Confucius
has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.
[64]
S0527
CSPY Downloader
CSPY Downloader
has been delivered via malicious documents with embedded macros.
[65]
G1012
CURIUM
CURIUM
has lured users into opening malicious files delivered via social media.
[66]
S1014
DanBot
DanBot
has relied on victims' opening a malicious file for initial execution.
[67]
[68]
G0070
Dark Caracal
Dark Caracal
makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.
[69]
S1111
DarkGate
DarkGate
initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.
[70]
DarkGate
is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
[71]
G0012
Darkhotel
Darkhotel
has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachments.
[72]
[73]
G0079
DarkHydrus
DarkHydrus
has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.
[74]
[75]
S1066
DarkTortilla
DarkTortilla
has relied on a user to open a malicious document or archived file delivered via email for initial execution.
[76]
S1088
Disco
Disco
has been executed through inducing user interaction with malicious .zip and .msi files.
[77]
S1021
DnsSystem
DnsSystem
has lured victims into opening macro-enabled Word documents for execution.
[78]
G0035
Dragonfly
Dragonfly
has used various forms of spearphishing in attempts to get users to open malicious attachments.
[79]
S0384
Dridex
Dridex
has relied upon users clicking on a malicious attachment delivered through spearphishing.
[80]
G1006
Earth Lusca
Earth Lusca
required users to click on a malicious file for the loader to activate.
[81]
G0066
Elderwood
Elderwood
has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.
[82]
[83]
S0367
Emotet
Emotet
has relied upon users clicking on a malicious attachment delivered through spearphishing.
[84]
[85]
[86]
S0634
EnvyScout
EnvyScout
has been executed through malicious files attached to e-mails.
[47]
G1011
EXOTIC LILY
EXOTIC LILY
has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.
[87]
[51]
G0137
Ferocious Kitten
Ferocious Kitten
has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.
[88]
G0085
FIN4
FIN4
has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).
[89]
[90]
G0037
FIN6
FIN6
has used malicious documents to lure victims into allowing execution of PowerShell scripts.
[91]
G0046
FIN7
FIN7
lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.
[92]
[93]
[94]
G0061
FIN8
FIN8
has used malicious e-mail attachments to lure victims into executing malware.
[95]
[96]
[97]
S0696
Flagpro
Flagpro
has relied on users clicking a malicious attachment delivered through spearphishing.
[45]
C0001
Frankenstein
During
Frankenstein
, the threat actors relied on a victim to enable macros within a malicious Microsoft Word document likely sent via email.
[98]
G0084
Gallmaker
Gallmaker
sent victims a lure document with a warning that asked victims to "enable content" for execution.
[99]
G0047
Gamaredon Group
Gamaredon Group
has attempted to get users to click on Office attachments with malicious macros embedded.
[100]
[101]
[102]
[103]
[104]
[105]
[106]
[107]
G0078
Gorgon Group
Gorgon Group
attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.
[108]
S0531
Grandoreiro
Grandoreiro
has infected victims via malicious attachments.
[109]
S0561
GuLoader
The
GuLoader
executable has been retrieved via embedded macros in malicious Word documents.
[110]
S0499
Hancitor
Hancitor
has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros.
[111]
G1001
HEXANE
HEXANE
has relied on victim's executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.
[67]
[112]
[68]
[78]
S1027
Heyoka Backdoor
Heyoka Backdoor
has been spread through malicious document lures.
[7]
G0126
Higaisa
Higaisa
used malicious e-mail attachments to lure victims into executing LNK files.
[113]
[114]
S0483
IcedID
IcedID
has been executed through Word and Excel files with malicious embedded macros and through ISO and LNK files that execute the malicious DLL.
[115]
[116]
[117]
G0100
Inception
Inception
lured victims into clicking malicious files for machine reconnaissance and to execute malware.
[118]
[119]
[120]
[121]
G0136
IndigoZebra
IndigoZebra
sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file which would trigger the attack.
[122]
G0119
Indrik Spider
Indrik Spider
has attempted to get users to click on a malicious zipped file.
[123]
S0260
InvisiMole
InvisiMole
can deliver trojanized versions of software and documents, relying on user execution.
[124]
S0528
Javali
Javali
has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.
[34]
S0389
JCry
JCry
has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.
[125]
S0648
JSS Loader
JSS Loader
has been executed through malicious attachments contained in spearphishing emails.
[93]
S0585
Kerrdown
Kerrdown
has gained execution through victims opening malicious files.
[25]
[126]
S0526
KGH_SPY
KGH_SPY
has been spread through Word documents containing malicious macros.
[65]
G0094
Kimsuky
Kimsuky
has used attempted to lure victims into opening malicious e-mail attachments.
[127]
[128]
[129]
[65]
[9]
[130]
S0669
KOCTOPUS
KOCTOPUS
has relied on victims clicking a malicious document for execution.
[131]
S0356
KONNI
KONNI
has relied on a victim to enable malicious macros within an attachment delivered via email.
[132]
S1075
KOPILUWAK
KOPILUWAK
has gained execution through malicious attachments.
[133]
S1160
Latrodectus
Latrodectus
has lured users into opening malicious email attachments for execution.
[134]
G0032
Lazarus Group
Lazarus Group
has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.
[135]
[136]
[137]
[138]
G0140
LazyScripter
LazyScripter
has lured users to open malicious email attachments.
[131]
G0065
Leviathan
Leviathan
has sent spearphishing attachments attempting to get a user to click.
[139]
[140]
S0447
Lokibot
Lokibot
has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.
[141]
[142]
S1213
Lumma Stealer
Lumma Stealer
has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files.
[143]
S1142
LunarMail
LunarMail
has been installed through a malicious macro in a Microsoft Word document.
[144]
G0095
Machete
Machete
has relied on users opening malicious attachments delivered through spearphishing to execute malware.
[145]
[146]
[147]
[148]
G0059
Magic Hound
Magic Hound
has attempted to lure victims into opening malicious email attachments.
[149]
G1026
Malteiro
Malteiro
has relied on users to execute .zip file attachments containing malicious URLs.
[150]
S1169
Mango
Mango
has been executed through a Microsoft Word document with a malicious macro.
[151]
G0045
menuPass
menuPass
has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.
[152]
[153]
[154]
[155]
[156]
S0455
Metamorfo
Metamorfo
requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.
[157]
[158]
S1122
Mispadu
Mispadu
has relied on users to execute malicious files in order to gain execution on victim machines.
[159]
[160]
[150]
G0103
Mofang
Mofang
's malicious spearphishing attachments required a user to open the file after receiving.
[161]
G0021
Molerats
Molerats
has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.
[162]
[163]
[164]
S1026
Mongall
Mongall
has relied on a user opening a malicious document for execution.
[7]
G1036
Moonstone Sleet
Moonstone Sleet
relied on users interacting with malicious files, such as a trojanized PuTTY installer, for initial execution.
[165]
G0069
MuddyWater
MuddyWater
has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
[166]
[167]
[168]
[169]
[170]
[171]
[172]
[173]
[174]
[175]
[176]
G0129
Mustang Panda
Mustang Panda
has sent malicious files requiring direct victim interaction to execute.
[177]
[178]
[179]
[180]
[181]
[182]
G0019
Naikon
Naikon
has convinced victims to open malicious attachments to execute malware.
[183]
S0637
NativeZone
NativeZone
can display an RTF document to the user to enable execution of
Cobalt Strike
stage shellcode.
[47]
S0198
NETWIRE
NETWIRE
has been executed through luring victims into opening malicious documents.
[184]
[110]
[185]
S1100
Ninja
Ninja
has gained execution through victims opening malicious executable files embedded in zip archives.
[186]
G0133
Nomadic Octopus
Nomadic Octopus
as attempted to lure victims into clicking on malicious attachments within spearphishing emails.
[187]
[188]
S0340
Octopus
Octopus
has relied upon users clicking on a malicious attachment delivered through spearphishing.
[188]
G0049
OilRig
OilRig
has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.
[189]
[190]
[191]
[192]
[193]
C0022
Operation Dream Job
During
Operation Dream Job
Lazarus Group
lured victims into executing malicious documents that contained "dream job" descriptions from defense, aerospace, and other sectors.
[194]
[195]
C0016
Operation Dust Storm
During
Operation Dust Storm
, the threat actors relied on potential victims to open a malicious Microsoft Word document sent via email.
[196]
C0006
Operation Honeybee
During
Operation Honeybee
, threat actors relied on a victim to enable macros within a malicious Word document.
[197]
C0013
Operation Sharpshooter
During
Operation Sharpshooter
, the threat actors relied on victims executing malicious Microsoft Word or PDF files.
[198]
C0005
Operation Spalax
During
Operation Spalax
, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.
[199]
S0402
OSX/Shlayer
OSX/Shlayer
has relied on users mounting and executing a malicious DMG file.
[200]
[201]
S1017
OutSteel
OutSteel
has relied on a user to execute a malicious attachment delivered via spearphishing.
[202]
G0040
Patchwork
Patchwork
embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.
[203]
[204]
G0068
PLATINUM
PLATINUM
has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.
[205]
S0435
PLEAD
PLEAD
has been executed via malicious e-mail attachments.
[44]
S0428
PoetRAT
PoetRAT
has used spearphishing attachments to infect victims.
[206]
S0453
Pony
Pony
has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).
[207]
G0056
PROMETHIUM
PROMETHIUM
has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.
[208]
[209]
S0650
QakBot
QakBot
has gained execution through users opening malicious attachments.
[210]
[211]
[212]
[213]
[214]
[215]
[216]
[217]
[218]
[219]
S0458
Ramsay
Ramsay
has been executed through malicious e-mail attachments.
[220]
G0075
Rancor
Rancor
attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.
[221]
G1039
RedCurl
RedCurl
has used malicious files to infect the victim machines.
[222]
[223]
[224]
C0047
RedDelta Modified PlugX Infection Chain Operations
Mustang Panda
distributed malicious LNK objects for user execution during
RedDelta Modified PlugX Infection Chain Operations
[225]
S0496
REvil
REvil
has been executed via malicious MS Word e-mail attachments.
[226]
[227]
[228]
S0433
Rifdoor
Rifdoor
has been executed from malicious Excel or Word documents containing macros.
[229]
S0240
ROKRAT
ROKRAT
has relied upon users clicking on a malicious attachment delivered through spearphishing.
[230]
S0148
RTM
RTM
has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.
[231]
G0048
RTM
RTM
has attempted to lure victims into opening e-mail attachments to execute malicious code.
[232]
G1031
Saint Bear
Saint Bear
relies on user interaction and execution of malicious attachments and similar for initial execution on victim systems.
[202]
S1018
Saint Bot
Saint Bot
has relied on users to execute a malicious attachment delivered via spearphishing.
[233]
[202]
G0034
Sandworm Team
Sandworm Team
has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.
[234]
[235]
G1008
SideCopy
SideCopy
has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns.
[236]
G0121
Sidewinder
Sidewinder
has lured targets to click on malicious files to gain execution in the target environment.
[237]
[238]
[239]
[240]
G0091
Silence
Silence
attempts to get users to launch malicious attachments delivered via spearphishing emails.
[241]
[242]
[243]
S1086
Snip3
Snip3
can gain execution through the download of visual basic files.
[244]
[245]
S0390
SQLRat
SQLRat
relies on users clicking on an embedded image to execute the scripts.
[246]
S1030
Squirrelwaffle
Squirrelwaffle
has relied on users enabling malicious macros within Microsoft Excel and Word attachments.
[247]
[248]
G1033
Star Blizzard
Star Blizzard
has lured targets into opening malicious .pdf files to deliver malware.
[249]
S1037
STARWHALE
STARWHALE
has relied on victims opening a malicious Excel file for execution.
[174]
G1046
Storm-1811
Storm-1811
has prompted users to execute downloaded software and payloads as the result of social engineering activity.
[250]
[251]
[252]
S1183
StrelaStealer
StrelaStealer
relies on user execution of a malicious file for installation.
[253]
S0491
StrongPity
StrongPity
has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.
[208]
[209]
S1042
SUGARDUMP
Some
SUGARDUMP
variants required a user to enable a macro within a malicious .xls file for execution.
[254]
S1064
SVCReady
SVCReady
has relied on users clicking a malicious attachment delivered through spearphishing.
[255]
S0464
SYSCON
SYSCON
has been executed by luring victims to open malicious e-mail attachments.
[256]
G1018
TA2541
TA2541
has used macro-enabled MS Word documents to lure victims into executing malicious payloads.
[257]
[258]
[245]
G0062
TA459
TA459
has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing.
[259]
G0092
TA505
TA505
has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example,
TA505
makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.
[260]
[261]
[262]
[263]
[264]
[265]
[266]
[267]
[268]
G0127
TA551
TA551
has prompted users to enable macros within spearphishing attachments to install malware.
[269]
S0011
Taidoor
Taidoor
has relied upon a victim to click on a malicious email attachment.
[270]
G0089
The White Company
The White Company
has used phishing lure documents that trick users into opening them and infecting their computers.
[271]
G0027
Threat Group-3390
Threat Group-3390
has lured victims into opening malicious files containing malware.
[61]
S0665
ThreatNeedle
ThreatNeedle
relies on a victim to click on a malicious document for initial execution.
[136]
G0131
Tonto Team
Tonto Team
has relied on user interaction to open their malicious RTF documents.
[272]
[39]
G0134
Transparent Tribe
Transparent Tribe
has used weaponized documents in e-mail to compromise targeted systems.
[273]
[274]
[275]
[276]
[277]
S0266
TrickBot
TrickBot
has attempted to get users to launch malicious documents to deliver its payload.
[278]
[279]
G0081
Tropic Trooper
Tropic Trooper
has lured victims into executing malware via malicious e-mail attachments.
[280]
S0263
TYPEFRAME
A Word document delivering
TYPEFRAME
prompts the user to enable macro execution.
[281]
S0476
Valak
Valak
has been executed via Microsoft Word documents containing malicious macros.
[282]
[283]
[284]
S0670
WarzoneRAT
WarzoneRAT
has relied on a victim to open a malicious attachment within an email for execution.
[285]
[64]
C0037
Water Curupira Pikabot Distribution
Water Curupira Pikabot Distribution
delivered
Pikabot
installers as password-protected ZIP files containing heavily obfuscated JavaScript, or IMG files containing an LNK mimicking a Word document and a malicious DLL.
[286]
G0107
Whitefly
Whitefly
has used malicious .exe or .dll files disguised as documents or images.
[287]
G0112
Windshift
Windshift
has used e-mail attachments to lure victims into executing malicious code.
[288]
G0090
WIRTE
WIRTE
has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.
[289]
G0102
Wizard Spider
Wizard Spider
has lured victims to execute malware with spearphishing attachments containing macros to download either
Emotet
, Bokbot,
TrickBot
, or
Bazar
[290]
[291]
[292]
S1065
Woody RAT
Woody RAT
has relied on users opening a malicious email attachment for execution.
[293]
S1013
ZxxZ
ZxxZ
has relied on victims to open a malicious attachment delivered via email.
[40]
Mitigations
ID
Mitigation
Description
M1040
Behavior Prevention on Endpoint
On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules.
[294]
M1038
Execution Prevention
Application control may be able to prevent the running of executables masquerading as other files.
M1017
User Training
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Detection
ID
Data Source
Data Component
Detects
DS0022
File
File Creation
Monitor for files created in unusual directories or files with suspicious extensions. Focus on common locations like the Downloads folder, Temp directories, or the user’s Desktop, especially files that would be of interest from spearphishing attachments.
While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.
For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as File Monitor can be used to track file creation events.
Analytic 1 - Batch File Write to System32
(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") file_path="
system32
" AND file_extension=".bat"
Analytic 2 - New file creation in unusual directories.
sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11| search file_path IN ("
/Downloads/
", "
/Temp/
", "
/Desktop/
")| stats count by file_name file_extension file_path user| where file_extension IN ("doc", "docx", "pdf", "xls", "rtf", "exe", "scr", "lnk", "pif", "cpl", "zip")
DS0009
Process
Process Creation
Monitor for processes spawned after opening a suspicious file. Common applications that might be exploited are Microsoft Word, PDF readers, or compression utilities.
Analytic 1 - Processes created from malicious files.
(sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1)| search process_name IN ("WINWORD.EXE", "EXCEL.EXE", "PDFReader.exe", "7z.exe", "powershell.exe", "cmd.exe")| stats count by process_name parent_process_name command_line user| where parent_process_name IN ("explorer.exe", "outlook.exe", "thunderbird.exe")
References
Lawrence Abrams. (2017, July 12). PSA: Don't Open SPAM Containing Password Protected Word Docs. Retrieved January 5, 2022.
Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.
FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020.
AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021.
Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
Dragos. (n.d.). Hexane. Retrieved October 27, 2019.
Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024.
Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
Cybereaon Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.
Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
Red Canary Intelligence. (2024, December 2). Storm-1811 exploits RMM tools to drop Black Basta ransomware. Retrieved March 14, 2025.
DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024.
Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.