User Execution: Malicious Link, Sub-technique T1204.001 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Other sub-techniques of User Execution (4)
ID | Name
T1204.001 | Malicious Link
T1204.002 | Malicious File
T1204.003 | Malicious Image
T1204.004 | Malicious Copy and Paste
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
ID: T1204.001
Sub-technique of: T1204
Tactic: Execution
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 11 March 2020
Last Modified: 15 April 2025
Procedure Examples
ID | Name | Description
S0584 | AppleJeus | AppleJeus's spearphishing links required user interaction to navigate to the malicious website. [1]
G0007 | APT28 | APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders. [2][3]
G0016 | APT29 | APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link. [4][5]
G0022 | APT3 | APT3 has lured victims into clicking malicious links delivered through spearphishing. [6]
G0050 | APT32 | APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails. [7][8][9]
G0064 | APT33 | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails. [10][11]
G0082 | APT38 | APT38 has used links to execute a malicious Visual Basic script. [12]
G0087 | APT39 | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link. [13][14]
S0475 | BackConfig | BackConfig has compromised victims via links to URLs hosting malicious content. [15]
S0534 | Bazar | Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs. [16][17][18]
G0098 | BlackTech | BlackTech has used e-mails with malicious links to lure victims into installing malware. [19]
S1039 | Bumblebee | Bumblebee has relied upon a user downloading a file from a OneDrive link for execution. [20][21]
C0011 | C0011 | During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email. [22]
C0021 | C0021 | During C0021, the threat actors lured users into clicking a malicious link which led to the download of a ZIP archive containing a malicious .LNK file. [23]
G0080 | Cobalt Group | Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine. [24][25][26]
G0142 | Confucius | Confucius has lured victims into clicking on a malicious link sent through spearphishing. [27]
G1034 | Daggerfly | Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction. [28]
G1006 | Earth Lusca | Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader. [29]
G0066 | Elderwood | Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links. [30][31]
S0367 | Emotet | Emotet has relied upon users clicking on a malicious link delivered through spearphishing. [32][33]
G0120 | Evilnum | Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which download a .LNK file. [34]
G1011 | EXOTIC LILY | EXOTIC LILY has used malicious links to lure users into executing malicious payloads. [35]
G0085 | FIN4 | FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts). [36][37]
G0046 | FIN7 | FIN7 has used malicious links to lure victims into downloading malware. [38]
G0061 | FIN8 | FIN8 has used emails with malicious links to lure victims into installing malware. [39][40][41]
G0047 | Gamaredon Group | Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content. [42]
S1138 | Gootloader | Gootloader has been executed through malicious links presented to users as internet search results. [43][44]
S0531 | Grandoreiro | Grandoreiro has used malicious links to gain execution on victim machines. [45][46]
S0561 | GuLoader | GuLoader has relied upon users clicking on links to malicious documents. [47]
S0499 | Hancitor | Hancitor has relied upon users clicking on a malicious link delivered through phishing. [48]
S0528 | Javali | Javali has achieved execution through victims clicking links to malicious websites. [49]
S0585 | Kerrdown | Kerrdown has gained execution through victims opening malicious links. [9]
G0094 | Kimsuky | Kimsuky has lured victims into clicking malicious links. [50]
S0669 | KOCTOPUS | KOCTOPUS has relied on victims clicking on a malicious link delivered via email. [51]
S1160 | Latrodectus | Latrodectus has been executed through malicious links distributed in email campaigns. [52][53]
G0140 | LazyScripter | LazyScripter has relied upon users clicking on links to malicious files. [51]
G0065 | Leviathan | Leviathan has sent spearphishing email links attempting to get a user to click. [54][55]
G1014 | LuminousMoth | LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing. [56]
G0095 | Machete | Machete has relied on users opening malicious links delivered through spearphishing to execute malware. [57][58][59]
G0059 | Magic Hound | Magic Hound has attempted to lure victims into opening malicious links embedded in emails. [60][61]
S0530 | Melcoz | Melcoz has gained execution through victims opening malicious links. [49]
G0103 | Mofang | Mofang's spearphishing emails required a user to click the link to connect to a compromised website. [62]
G0021 | Molerats | Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable. [63][64]
G0069 | MuddyWater | MuddyWater has distributed URLs in phishing e-mails that link to lure documents. [65][66][67]
G0129 | Mustang Panda | Mustang Panda has sent malicious links including links directing victims to a Google Drive folder. [68][69][70]
G1020 | Mustard Tempest | Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails. [71][72]
S0198 | NETWIRE | NETWIRE has been executed through convincing victims into clicking malicious links. [73][47]
C0002 | Night Dragon | During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware. [74]
S0644 | ObliqueRAT | ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs. [75][76]
G0049 | OilRig | OilRig has delivered malicious links to achieve execution on the target system. [77][78][79][80]
C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access. [81][82]
C0016 | Operation Dust Storm | During Operation Dust Storm, the threat actors relied on a victim clicking on a malicious link sent via email. [83]
C0005 | Operation Spalax | During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails. [84]
S1017 | OutSteel | OutSteel has relied on a user to click a malicious link within a spearphishing email. [85]
G0040 | Patchwork | Patchwork has used spearphishing with links to try to get users to click, download and open malicious files. [86][87][88][15]
S0435 | PLEAD | PLEAD has been executed via malicious links in e-mails. [19]
S0453 | Pony | Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks. [89]
S0650 | QakBot | QakBot has gained execution through users opening malicious links. [90][91][92][93][94][95][96]
G1039 | RedCurl | RedCurl has used malicious links to infect the victim machines. [97][98]
C0047 | RedDelta Modified PlugX Infection Chain Operations | During RedDelta Modified PlugX Infection Chain Operations, Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file. [99]
G1031 | Saint Bear | Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution. [85][100]
S1018 | Saint Bot | Saint Bot has relied on users to click on a malicious link delivered via spearphishing. [85]
G0034 | Sandworm Team | Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders. [101]
G0121 | Sidewinder | Sidewinder has lured targets to click on malicious links to gain execution in the target environment. [102][103][104][105]
S0649 | SMOKEDHAM | SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing. [106]
S1086 | Snip3 | Snip3 has been executed through luring victims into clicking malicious links. [107]
S1124 | SocGholish | SocGholish has lured victims into interacting with malicious links on compromised websites for execution. [72]
S0646 | SpicyOmelette | SpicyOmelette has been executed through malicious links within spearphishing emails. [26]
S1030 | Squirrelwaffle | Squirrelwaffle has relied on victims to click on a malicious link sent via phishing campaigns. [108]
G1018 | TA2541 | TA2541 has used malicious links to cloud and web services to gain execution on victim machines. [109][73]
G0092 | TA505 | TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [110][111][112][113][114][115][116][117]
G1037 | TA577 | TA577 has lured users into executing malicious JavaScript files by sending malicious links via email. [52]
G1038 | TA578 | TA578 has placed malicious links in contact forms on victim sites, often spoofing a copyright complaint, to redirect users to malicious file downloads. [52]
G0134 | Transparent Tribe | Transparent Tribe has directed users to open URLs hosting malicious content. [75][76]
S0436 | TSCookie | TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan. [118]
G0010 | Turla | Turla has used spearphishing via a link to get users to download and run their malware. [119]
C0037 | Water Curupira Pikabot Distribution | Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer. [120]
G0112 | Windshift | Windshift has used links embedded in e-mails to lure victims into executing malicious code. [121]
G1035 | Winter Vivern | Winter Vivern has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution. [122][123]
G0102 | Wizard Spider | Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing. [124]
G0128 | ZIRCONIUM | ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware. [125][126]
Mitigations
ID | Mitigation | Description
M1031 | Network Intrusion Prevention | If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
M1021 | Restrict Web-Based Content | If a link is being visited by a user, block by default unknown or unused file types that should not be downloaded (such as .scr, .exe, .pif and .cpl) and, by policy, downloads from suspicious sites, as a best practice to prevent some vectors. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious files.
M1017 | User Training | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Detection
ID | Data Source | Data Component | Detects
DS0022 | File | File Creation | Monitor for files created on a system after a user clicks on a malicious link. Look for common download paths and suspicious files with executable extensions.
Analytic 1 - Files downloaded from links and then executed.
sourcetype=Sysmon EventCode=11
| search file_path IN ("*/Downloads/*", "*/Temp/*")
| stats count by file_name file_path user
| where file_name LIKE "%.exe" OR file_name LIKE "%.zip" OR file_name LIKE "%.js" OR file_name LIKE "%.docm"
DS0029 | Network Traffic | Network Connection Creation | Monitor for network connections to suspicious or external sites shortly after a user clicks on a link, especially if the URL is linked to phishing or malicious activities.
Analytic 1 - Web-based network connections to suspicious destinations.
sourcetype=network_connection
| search process_name IN ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe") OR src_ip IN ("<placeholder: list of suspicious IP addresses>")
DS0029 | Network Traffic | Network Traffic Content | Inspect the content of the network traffic to look for signs of suspicious web traffic, such as phishing links or abnormal HTTP GET/POST requests.
Analytic 1 - Suspicious network traffic content
sourcetype=network_traffic_content
| search http_method="GET" OR http_method="POST"
| stats count by url domain http_method
| where NOT domain IN ("<placeholder: list of known-good domains>")
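The File Creation and Network Connection Creation analytics above, carried out in Python over constructed sample events as an added example (not code from the ATT&CK page or from MITRE). Event field names such as file_path, process_name and dest_domain are assumptions modelled on the analytics' fields, and the five-minute correlation window is an assumed tuning value.

```python
"""
Correlate browser activity with follow-on file creation in download paths.

Flags files created under Downloads/Temp with risky extensions (the File
Creation analytic) and raises severity when the same user had a browser
network connection shortly before (the Network Connection analytic).
"""
from datetime import datetime, timedelta

# Browser processes named in the Network Connection analytic.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# Download locations and risky extensions from the File Creation analytic.
DOWNLOAD_DIRS = ("/downloads/", "/temp/")
RISKY_EXTENSIONS = (".exe", ".zip", ".js", ".docm")
# Assumed tuning value: how long after a browser connection a file creation
# still counts as follow-on activity.
WINDOW = timedelta(minutes=5)

# Constructed sample events (not real telemetry). "file_create" stands in for
# Sysmon EventCode 11; "network_connection" for the browser connection source.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:00:00", "type": "network_connection", "user": "alice",
     "process_name": "msedge.exe", "dest_domain": "invoice-portal.example"},
    {"ts": "2025-05-01T09:00:04", "type": "file_create", "user": "alice",
     "process_name": "msedge.exe",
     "file_path": "C:\\Users\\alice\\Downloads\\Invoice_2025.zip"},
    {"ts": "2025-05-01T09:00:30", "type": "file_create", "user": "alice",
     "process_name": "explorer.exe",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice_2025.js"},
    {"ts": "2025-05-01T10:15:00", "type": "file_create", "user": "bob",
     "process_name": "winword.exe",
     "file_path": "C:\\Users\\bob\\Documents\\report.docx"},
    {"ts": "2025-05-01T11:00:00", "type": "file_create", "user": "carol",
     "process_name": "chrome.exe",
     "file_path": "C:\\Users\\carol\\Downloads\\photo.png"},
    {"ts": "2025-05-01T12:00:00", "type": "file_create", "user": "dave",
     "process_name": "chrome.exe",
     "file_path": "C:\\Users\\dave\\Downloads\\setup.exe"},
]


def normalize_path(path):
    """Make Windows and POSIX paths comparable: forward slashes, lower case."""
    return path.replace("\\", "/").lower()


def is_suspicious_download(path):
    """True when the file sits in a download/temp directory and has an
    extension the analytic treats as executable or as a wrapper for one."""
    p = normalize_path(path)
    return any(d in p for d in DOWNLOAD_DIRS) and p.endswith(RISKY_EXTENSIONS)


def correlate(events, window=WINDOW):
    """One finding per suspicious file creation. Severity is raised when the
    same user had a browser network connection within `window` beforehand,
    which is the 'clicked a link, then a file appeared' pattern."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically
    browser_conns = [e for e in ordered
                     if e["type"] == "network_connection"
                     and e["process_name"] in BROWSERS]
    findings = []
    for ev in ordered:
        if ev["type"] != "file_create" or not is_suspicious_download(ev["file_path"]):
            continue
        created = datetime.fromisoformat(ev["ts"])
        prior = [c for c in browser_conns
                 if c["user"] == ev["user"]
                 and timedelta(0) <= created - datetime.fromisoformat(c["ts"]) <= window]
        findings.append({
            "user": ev["user"],
            "file_path": ev["file_path"],
            "created_by": ev["process_name"],
            # Most recent qualifying browser connection, if any.
            "preceding_browser_domain": prior[-1]["dest_domain"] if prior else None,
            "severity": "high" if prior else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']}: {f['file_path']} "
              f"(created by {f['created_by']}, "
              f"after browser connection to {f['preceding_browser_domain']})")
```

The .js created by explorer.exe is still caught because the match is on path and extension, not on the creating process, which is what lets the analytic see an archive being unpacked after the download.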
References
[1] Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
[2] Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
[3] Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
[4] Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
[5] Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.
[6] Eng, E. and Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
[7] Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
[8] Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
[9] Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
[10] O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
[11] Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
[12] Park, S. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
[13] Hawley, et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
[14] FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
[15] Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
[16] Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
[17] Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
[18] Podlosky, A., Hanel, A., et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
[19] Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
[20] Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
[21] Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
[22] Baisini, N. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
[23] Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
[24] Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
[25] Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
[26] CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
[27] Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
[28] Ho, A., Muñoz, F. and M.Léveillé, M.-E. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
[29] Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
[30] O'Gorman, G. and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
[31] Clayton, M. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
[32] Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
[33] Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
[34] Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
[35] Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
[36] Vengerik, B., et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
[37] Vengerik, B. and Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
[38] Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
[39] Bohannon, D. and Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
[40] Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
[41] Elovitz, S. and Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
[42] Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
[43] Szappanos, G. and Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
[44] Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
[45] Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
[46] ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
[47] Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
[48] Spring, T. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
[49] GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
[50] KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
[51] Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
[52] Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
[53] Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024.
[54] Axel F. and Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
[55] CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
[56] Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
[57] The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
[58] Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
[59] ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
[60] ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
[61] Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
[62] Klijnsma, Y. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
[63] GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
[64] Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
[65] Mele, G., et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
[66] Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
[67] Miller, J., et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
[68] Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
[69] Roccia, T., Seret, T. and Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
[70] Raggi, M., et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
[71] Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[72] Northern, A. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
[73] Maniath, S. and Kadam, P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
[74] McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
[75] Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
[76] Malhotra, A., et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
[77] Lee, B. and Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
[78] Lee, B. and Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
[79] Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
[80] ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
[81] ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
[82] Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
[83] Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
[84] Porolli, M. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
[85] Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
[86] Hamada, J. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
[87] Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
[88] Meltzer, M., et al. (2018, June 7). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
[89] hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
[90] Mendoza, E., et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
[91] Sette, N., et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
[92] Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.
[93] Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
[94] Kuzmenko, A., et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
[95] Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
[96] Kenefick, I., et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
[97] Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
[98] Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
[99] Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
[100] Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
[101] Brady, S. W. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
[102] Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
[103] Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
[104] Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
[105] Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
[106] FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
[107] Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
[108] Kumar, A. and Stone-Gross, B. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
[109] Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
[110] Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
[111] Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
[112] Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
[113] Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
[114] Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
[115] Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
[116] Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
[117] Schwarz, D., et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
[118] Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
[119] ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
[120] Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot and Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
[121] Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024.
[122] Hegel, T. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
[123] CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
[124] DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
[125] Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
[126] Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.