Updates - April 2024

The April 2024 (v15) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS.

The biggest changes in ATT&CK v15 are a shift in language (from CAR pseudocode to real-world query languages) for analytics in Enterprise detections, detection notes and analytics added to Enterprise Execution techniques, improved defensive recommendations for Cloud techniques, and the addition of activity from a number of cyber-criminal and underreported threat groups. An accompanying blog post describes these changes as well as additional improvements across ATT&CK's various domains and platforms.

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's Github.

This version of ATT&CK contains 794 Pieces of Software, 152 Groups, and 30 Campaigns. Broken out by domain:

• Enterprise: 14 Tactics, 202 Techniques, 435 Sub-Techniques, 148 Groups, 677 Pieces of Software, 28 Campaigns, 43 Mitigations, and 37 Data Sources
• Mobile: 12 Tactics, 73 Techniques, 46 Sub-Techniques, 13 Groups, 113 Pieces of Software, 2 Campaigns, 13 Mitigations, and 6 Data Sources
• ICS: 12 Tactics, 83 Techniques, 0 Sub-Techniques, 14 Groups, 21 Pieces of Software, 6 Campaigns, 52 Mitigations, 14 Assets, and 17 Data Sources

Release Notes Terminology

• New: ATT&CK objects which are only present in the new release.
• Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
• Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
• Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
• Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)
• Revocations: ATT&CK objects which are revoked by a different object.
• Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
• Deletions: ATT&CK objects which are no longer found in the STIX data.

Table of Contents

Techniques

Enterprise

New Techniques

• Abuse Elevation Control Mechanism: TCC Manipulation (v1.0)
• Command and Scripting Interpreter: AutoHotKey & AutoIT (v1.0)
• Compromise Infrastructure: Network Devices (v1.0)
• Create or Modify System Process: Container Service (v1.0)
• Hide Artifacts: File/Path Exclusions (v1.0)
• Hide Infrastructure (v1.0)
• Hijack Execution Flow: AppDomainManager (v1.0)
• Modify Authentication Process: Conditional Access Policies (v1.0)
• Obfuscated Files or Information: Encrypted/Encoded File (v1.0)
• Obtain Capabilities: Artificial Intelligence (v1.0)
• System Binary Proxy Execution: Electron Applications (v1.0)
• System Script Proxy Execution: SyncAppvPublishingServer (v1.0)

Major Version Changes

• Cloud Administration Command (v1.0→v2.0)
• Compromise Host Software Binary (v1.1→v2.0)
• Domain or Tenant Policy Modification (v2.0→v3.0)
  • Trust Modification (v1.1→v2.0)
• Software Deployment Tools (v2.2→v3.0)

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.2→v1.3)
  • Temporary Elevated Cloud Access (v1.0→v1.1)
• Account Manipulation: Additional Cloud Credentials (v2.6→v2.7)
• Account Manipulation: Additional Cloud Roles (v2.3→v2.4)
• Acquire Infrastructure (v1.3→v1.4)
  • Domains (v1.2→v1.3)
  • Server (v1.2→v1.3)
• Adversary-in-the-Middle (v2.3→v2.4)
• Application Layer Protocol (v2.1→v2.2)
  • DNS (v1.1→v1.2)
  • File Transfer Protocols (v1.1→v1.2)
  • Mail Protocols (v1.0→v1.1)
  • Web Protocols (v1.2→v1.3)
• Automated Collection (v1.1→v1.2)
• Boot or Logon Autostart Execution (v1.1→v1.2)
  • Port Monitors (v1.1→v1.2)
  • Time Providers (v1.0→v1.1)
  • Winlogon Helper DLL (v1.1→v1.2)
• Boot or Logon Initialization Scripts (v2.2→v2.3)
  • RC Scripts (v2.0→v2.1)
• Browser Extensions (v1.2→v1.3)
• Brute Force: Credential Stuffing (v1.4→v1.5)
• Brute Force: Password Spraying (v1.4→v1.5)
• Cloud Service Dashboard (v1.2→v1.3)
• Command and Scripting Interpreter: AppleScript (v1.1→v1.2)
• Command and Scripting Interpreter: PowerShell (v1.3→v1.4)
• Command and Scripting Interpreter: Unix Shell (v1.1→v1.2)
• Command and Scripting Interpreter: Windows Command Shell (v1.3→v1.4)
• Compromise Infrastructure (v1.4→v1.5)
• Create Account: Cloud Account (v1.4→v1.5)
• Create or Modify System Process (v1.1→v1.2)
  • Systemd Service (v1.4→v1.5)
  • Windows Service (v1.4→v1.5)
• Credentials from Password Stores (v1.1→v1.2)
  • Securityd Memory (v1.1→v1.2)
• Data from Information Repositories (v3.2→v3.3)
• Deploy Container (v1.2→v1.3)
• Direct Volume Access (v2.1→v2.2)
• Disk Wipe: Disk Content Wipe (v1.0→v1.1)
• Encrypted Channel (v1.0→v1.1)
  • Asymmetric Cryptography (v1.0→v1.1)
  • Symmetric Cryptography (v1.0→v1.1)
• Escape to Host (v1.4→v1.5)
• Establish Accounts (v1.2→v1.3)
  • Email Accounts (v1.0→v1.1)
• Event Triggered Execution (v1.2→v1.3)
  • Installer Packages (v1.0→v1.1)
  • Windows Management Instrumentation Event Subscription (v1.3→v1.4)
• Exploit Public-Facing Application (v2.4→v2.5)
• File and Directory Discovery (v1.5→v1.6)
• Financial Theft (v1.0→v1.1)
• Forge Web Credentials: SAML Tokens (v1.2→v1.3)
• Gather Victim Identity Information (v1.2→v1.3)
• Hide Artifacts (v1.1→v1.2)
  • Hidden Window (v1.1→v1.2)
  • NTFS File Attributes (v1.0→v1.1)
• Hijack Execution Flow: DLL Search Order Hijacking (v1.1→v1.2)
• Impair Defenses: Disable or Modify System Firewall (v1.1→v1.2)
• Impair Defenses: Indicator Blocking (v1.3→v1.4)
• Indicator Removal: Clear Command History (v1.4→v1.5)
• Indicator Removal: Clear Windows Event Logs (v1.3→v1.4)
• Ingress Tool Transfer (v2.3→v2.4)
• Inhibit System Recovery (v1.3→v1.4)
• Input Capture: GUI Input Capture (v1.2→v1.3)
• Internal Spearphishing (v1.2→v1.3)
• Masquerading (v1.6→v1.7)
• Modify Authentication Process (v2.3→v2.4)
  • Multi-Factor Authentication (v1.1→v1.2)
• Multi-Factor Authentication Request Generation (v1.0→v1.1)
• Network Sniffing (v1.5→v1.6)
• OS Credential Dumping (v2.1→v2.2)
  • Cached Domain Credentials (v1.0→v1.1)
  • LSASS Memory (v1.3→v1.4)
  • Proc Filesystem (v1.1→v1.2)
• Obfuscated Files or Information (v1.5→v1.6)
  • Stripped Payloads (v1.0→v1.1)
• Office Application Startup: Office Test (v1.1→v1.2)
• Phishing (v2.4→v2.5)
  • Spearphishing Link (v2.5→v2.6)
• Phishing for Information: Spearphishing Link (v1.5→v1.6)
• Pre-OS Boot (v1.1→v1.2)
  • System Firmware (v1.0→v1.1)
• Process Discovery (v1.4→v1.5)
• Proxy: External Proxy (v1.0→v1.1)
• Proxy: Internal Proxy (v1.0→v1.1)
• Proxy: Multi-hop Proxy (v2.0→v2.1)
• Reflective Code Loading (v1.1→v1.2)
• Remote Access Software (v2.2→v2.3)
• Remote Service Session Hijacking (v1.0→v1.1)
• Remote Services (v1.4→v1.5)
• Resource Hijacking (v1.4→v1.5)
• Scheduled Task/Job (v2.2→v2.3)
  • At (v2.1→v2.2)
  • Scheduled Task (v1.4→v1.5)
• Server Software Component: Web Shell (v1.3→v1.4)
• Software Discovery (v1.3→v1.4)
  • Security Software Discovery (v1.4→v1.5)
• Stage Capabilities: Link Target (v1.3→v1.4)
• Steal Application Access Token (v1.2→v1.3)
• Steal Web Session Cookie (v1.2→v1.3)
• Steal or Forge Kerberos Tickets (v1.4→v1.5)
• Subvert Trust Controls (v1.1→v1.2)
• Supply Chain Compromise (v1.5→v1.6)
  • Compromise Software Dependencies and Development Tools (v1.1→v1.2)
• System Binary Proxy Execution (v3.0→v3.1)
• System Time Discovery (v1.3→v1.4)
• Transfer Data to Cloud Account (v1.3→v1.4)
• Use Alternate Authentication Material (v1.2→v1.3)
  • Application Access Token (v1.5→v1.6)
• User Execution (v1.5→v1.6)
• Valid Accounts: Cloud Accounts (v1.6→v1.7)
• Valid Accounts: Default Accounts (v1.2→v1.3)
• Virtualization/Sandbox Evasion: System Checks (v2.1→v2.2)
• Windows Management Instrumentation (v1.4→v1.5)

Patches

• Access Token Manipulation: Make and Impersonate Token (v1.1)
• Access Token Manipulation: Token Impersonation/Theft (v1.2)
• Account Discovery (v2.4)
  • Domain Account (v1.2)
  • Local Account (v1.4)
• Account Manipulation (v2.6)
  • Additional Email Delegate Permissions (v2.1)
• Acquire Infrastructure: Web Services (v1.2)
• Archive Collected Data (v1.0)
• Audio Capture (v1.0)
• Automated Exfiltration (v1.2)
• Brute Force (v2.5)
• Command and Scripting Interpreter: Python (v1.0)
• Communication Through Removable Media (v1.0)
• Compromise Infrastructure: Server (v1.2)
• Create Account (v2.4)
  • Domain Account (v1.1)
• Data Manipulation (v1.1)
• Data Obfuscation (v1.1)
  • Junk Data (v1.0)
• Group Policy Discovery (v1.1)
• Hijack Execution Flow (v1.2)
• Impair Defenses: Disable or Modify Cloud Logs (v2.0)
• Impair Defenses: Disable or Modify Tools (v1.5)
• Phishing: Spearphishing Attachment (v2.2)
• Phishing: Spearphishing via Service (v2.0)
• Serverless Execution (v1.0)
• Subvert Trust Controls: Install Root Certificate (v1.2)
• Unsecured Credentials (v1.3)
  • Credentials In Files (v1.2)
• Unused/Unsupported Cloud Regions (v1.1)

Mobile

New Techniques

• Encrypted Channel: SSL Pinning (v1.0)
• Exploitation for Initial Access (v1.0)
• Hide Artifacts: Conceal Multimedia Files (v1.0)
• System Network Configuration Discovery: Internet Connection Discovery (v1.0)
• System Network Configuration Discovery: Wi-Fi Discovery (v1.0)

Minor Version Changes

• Adversary-in-the-Middle (v2.1→v2.2)
• Steal Application Access Token (v1.1→v1.2)
• System Network Configuration Discovery (v2.3→v2.4)

ICS

New Techniques

• Autorun Image (v1.0)
• System Binary Proxy Execution (v1.0)

Minor Version Changes

• Automated Collection (v1.0→v1.1)
• Network Connection Enumeration (v1.1→v1.2)

Patches

• Data from Local System (v1.0)

Software

Enterprise

New Software

• AcidRain (v1.0)
• Akira (v1.0)
• BUSHWALK (v1.0)
• COATHANGER (v1.0)
• Cheerscrypt (v1.0)
• DarkGate (v1.0)
• FRAMESTING (v1.0)
• GLASSTOKEN (v1.0)
• HUI Loader (v1.0)
• LIGHTWIRE (v1.0)
• LITTLELAMB.WOOLTEA (v1.0)
• LoFiSe (v1.0)
• Mispadu (v1.0)
• NGLite (v1.0)
• NKAbuse (v1.0)
• Ninja (v1.0)
• PACEMAKER (v1.0)
• PITSTOP (v1.0)
• PULSECHECK (v1.0)
• Pcexter (v1.0)
• RAPIDPULSE (v1.0)
• SLIGHTPULSE (v1.0)
• SLOWPULSE (v1.0)
• STEADYPULSE (v1.0)
• Samurai (v1.0)
• SocGholish (v1.0)
• WARPWIRE (v1.0)
• WIREFIRE (v1.0)
• ZIPLINE (v1.0)

Major Version Changes

• Bazar (v1.2→v2.0)
• Diavol (v1.0→v2.0)

Minor Version Changes

• AdFind (v1.3→v1.4)
• Anchor (v1.0→v1.1)
• Aria-body (v1.1→v1.2)
• Astaroth (v2.2→v2.3)
• Attor (v1.0→v1.1)
• AuditCred (v1.1→v1.2)
• Avenger (v1.0→v1.1)
• BADHATCH (v1.0→v1.1)
• BISCUIT (v1.2→v1.3)
• BLINDINGCAN (v1.0→v1.1)
• BLUELIGHT (v1.0→v1.1)
• BOOSTWRITE (v1.0→v1.1)
• BendyBear (v1.0→v1.1)
• Bisonal (v2.0→v2.1)
• BitPaymer (v1.0→v1.1)
• CARROTBAT (v1.1→v1.2)
• CaddyWiper (v1.0→v1.1)
• Carberp (v1.1→v1.2)
• Cardinal RAT (v1.1→v1.2)
• China Chopper (v2.4→v2.5)
• Chinoxy (v1.0→v1.1)
• Chrommme (v1.0→v1.1)
• Cobalt Strike (v1.11→v1.12)
• CozyCar (v1.2→v1.3)
• CrackMapExec (v1.0→v1.1)
• DCSrv (v1.0→v1.1)
• DEADEYE (v1.0→v1.1)
• DOGCALL (v1.2→v1.3)
• Dacls (v1.0→v1.1)
• DanBot (v1.0→v1.1)
• DarkWatchman (v1.1→v1.2)
• Elise (v1.2→v1.3)
• Emissary (v1.2→v1.3)
• EnvyScout (v1.0→v1.1)
• Exaramel for Linux (v1.2→v1.3)
• FELIXROOT (v2.1→v2.2)
• FIVEHANDS (v1.0→v1.1)
• FlawedGrace (v1.0→v1.1)
• FoggyWeb (v1.0→v1.1)
• FunnyDream (v1.0→v1.1)
• Fysbis (v1.3→v1.4)
• Gazer (v1.2→v1.3)
• Gelsemium (v1.1→v1.2)
• GoldMax (v2.2→v2.3)
• GoldenSpy (v1.0→v1.1)
• Grandoreiro (v1.1→v1.2)
• GravityRAT (v1.2→v1.3)
• GreyEnergy (v1.1→v1.2)
• HAWKBALL (v1.1→v1.2)
• HOMEFRY (v1.1→v1.2)
• HOPLIGHT (v1.2→v1.3)
• Helminth (v1.1→v1.2)
• HermeticWiper (v1.0→v1.1)
• HermeticWizard (v1.0→v1.1)
• Heyoka Backdoor (v1.0→v1.1)
• Hi-Zor (v1.1→v1.2)
• HiddenWasp (v1.2→v1.3)
• Hildegard (v1.1→v1.2)
• HotCroissant (v1.0→v1.1)
• HyperBro (v1.2→v1.3)
• IcedID (v1.0→v1.1)
• Impacket (v1.5→v1.6)
• IronNetInjector (v1.0→v1.1)
• JHUHUGIT (v2.1→v2.2)
• KEYPLUG (v1.0→v1.1)
• KGH_SPY (v1.0→v1.1)
• KONNI (v2.0→v2.1)
• Kessel (v1.0→v1.1)
• Kevin (v1.0→v1.1)
• KeyBoy (v1.2→v1.3)
• Kwampirs (v1.1→v1.2)
• LaZagne (v1.5→v1.6)
• LightNeuron (v1.1→v1.2)
• LoudMiner (v1.3→v1.4)
• Mafalda (v1.0→v1.1)
• Melcoz (v1.0→v1.1)
• Metamorfo (v2.0→v2.1)
• Micropsia (v1.1→v1.2)
• Milan (v1.0→v1.1)
• Mimikatz (v1.8→v1.9)
• More_eggs (v3.0→v3.1)
• Mosquito (v1.2→v1.3)
• NanHaiShu (v1.1→v1.2)
• Net (v2.5→v2.6)
• OSX_OCEANLOTUS.D (v3.0→v3.1)
• PS1 (v1.1→v1.2)
• PcShare (v1.0→v1.1)
• Penquin (v1.1→v1.2)
• PipeMon (v1.1→v1.2)
• PoisonIvy (v2.1→v2.2)
• Prikormka (v1.3→v1.4)
• PsExec (v1.5→v1.6)
• PyDCrypt (v1.0→v1.1)
• QakBot (v1.1→v1.2)
• RCSession (v1.1→v1.2)
• REvil (v2.1→v2.2)
• Raindrop (v1.2→v1.3)
• RainyDay (v1.0→v1.1)
• Rclone (v1.0→v1.1)
• Reaver (v1.1→v1.2)
• RedLeaves (v1.1→v1.2)
• Remexi (v1.1→v1.2)
• Remsec (v1.2→v1.3)
• Rifdoor (v1.0→v1.1)
• Rising Sun (v2.0→v2.1)
• STARWHALE (v1.0→v1.1)
• SUNBURST (v2.4→v2.5)
• SUPERNOVA (v1.0→v1.1)
• Sakula (v1.1→v1.2)
• SamSam (v1.0→v1.1)
• Seasalt (v1.1→v1.2)
• Shamoon (v2.1→v2.2)
• Shark (v1.0→v1.1)
• Skeleton Key (v1.1→v1.2)
• Skidmap (v1.0→v1.1)
• Sliver (v1.1→v1.2)
• Smoke Loader (v1.2→v1.3)
• SpeakUp (v1.1→v1.2)
• Squirrelwaffle (v1.0→v1.1)
• StoneDrill (v1.1→v1.2)
• StrongPity (v1.0→v1.1)
• Stuxnet (v1.3→v1.4)
• SysUpdate (v1.1→v1.2)
• TINYTYPHON (v1.0→v1.1)
• TYPEFRAME (v1.2→v1.3)
• Taidoor (v2.0→v2.1)
• Tasklist (v1.1→v1.2)
• ThreatNeedle (v1.1→v1.2)
• Torisma (v1.1→v1.2)
• TrickBot (v2.1→v2.2)
• UBoatRAT (v1.1→v1.2)
• USBStealer (v1.2→v1.3)
• Uroburos (v2.0→v2.1)
• Ursnif (v1.4→v1.5)
• VERMIN (v1.1→v1.2)
• Volgmer (v1.2→v1.3)
• WastedLocker (v1.0→v1.1)
• Waterbear (v1.1→v1.2)
• WhisperGate (v1.1→v1.2)
• WindTail (v1.0→v1.1)
• Winnti for Linux (v1.0→v1.1)
• Winnti for Windows (v3.0→v3.1)
• Woody RAT (v1.0→v1.1)
• YAHOYAH (v1.1→v1.2)
• ZeroT (v1.1→v1.2)
• Zeus Panda (v1.3→v1.4)
• Zox (v1.0→v1.1)
• ZxxZ (v1.0→v1.1)
• gh0st RAT (v3.1→v3.2)
• metaMain (v1.0→v1.1)
• netstat (v1.2→v1.3)
• njRAT (v1.5→v1.6)

Patches

• Industroyer (v1.1)
• Keydnap (v1.2)
• WEBC2 (v2.0)

Mobile

New Software

• AhRat (v1.0)
• BRATA (v1.0)
• FlixOnline (v1.0)
• HilalRAT (v1.0)
• Phenakite (v1.0)

Minor Version Changes

• AndroRAT (v1.0→v1.1)
• Pegasus for iOS (v1.1→v1.2)
• eSurv (v1.0→v1.1)

ICS

Minor Version Changes

• REvil (v2.1→v2.2)
• Stuxnet (v1.3→v1.4)
• Triton (v1.0→v1.1)
• VPNFilter (v1.0→v1.1)

Patches

• Industroyer (v1.1)

Groups

Enterprise

New Groups

• APT-C-23 (v1.0)
• APT5 (v1.0)
• Akira (v1.0)
• Cinnamon Tempest (v1.0)
• Malteiro (v1.0)
• Mustard Tempest (v1.0)
• ToddyCat (v1.0)

Major Version Changes

• APT28 (v4.0→v5.0)
• APT29 (v5.0→v6.0)
• APT32 (v2.7→v3.0)
• APT33 (v1.4→v2.0)
• APT38 (v2.0→v3.0)
• APT41 (v3.1→v4.0)
• Andariel (v1.0→v2.0)
• CURIUM (v1.0→v2.0)
• Darkhotel (v2.1→v3.0)
• Dragonfly (v3.2→v4.0)
• Earth Lusca (v1.0→v2.0)
• FIN6 (v3.3→v4.0)
• FIN7 (v3.0→v4.0)
• Fox Kitten (v1.1→v2.0)
• GALLIUM (v3.0→v4.0)
• Gamaredon Group (v2.1→v3.0)
• HAFNIUM (v1.3→v2.0)
• Indrik Spider (v3.0→v4.0)
• Ke3chang (v2.0→v3.0)
• Kimsuky (v3.1→v4.0)
• LAPSUS$ (v1.2→v2.0)
• Lazarus Group (v3.2→v4.0)
• Leviathan (v3.0→v4.0)
• Lotus Blossom (v2.0→v3.0)
• Magic Hound (v5.2→v6.0)
• Moses Staff (v1.0→v2.0)
• MuddyWater (v4.1→v5.0)
• OilRig (v3.1→v4.0)
• Orangeworm (v1.1→v2.0)
• POLONIUM (v1.0→v2.0)
• Sandworm Team (v3.1→v4.0)
• Scattered Spider (v1.0→v2.0)
• TA505 (v2.1→v3.0)
• Turla (v4.0→v5.0)
• Wizard Spider (v3.0→v4.0)
• ZIRCONIUM (v1.1→v2.0)
• menuPass (v2.1→v3.0)

Minor Version Changes

• APT18 (v2.1→v2.2)
• APT19 (v1.5→v1.6)
• APT39 (v3.1→v3.2)
• BITTER (v1.0→v1.1)
• Blue Mockingbird (v1.1→v1.2)
• Dark Caracal (v1.3→v1.4)
• Elderwood (v1.2→v1.3)
• Group5 (v1.2→v1.3)
• HEXANE (v2.1→v2.2)
• Higaisa (v1.0→v1.1)
• Inception (v1.1→v1.2)
• Metador (v1.0→v1.1)
• Mofang (v1.0→v1.1)
• Molerats (v2.0→v2.1)
• PROMETHIUM (v2.0→v2.1)
• Putter Panda (v1.1→v1.2)
• Rancor (v1.2→v1.3)
• Sidewinder (v1.1→v1.2)
• TA2541 (v1.0→v1.1)
• TEMP.Veles (v1.3→v1.4)
• TeamTNT (v1.2→v1.3)
• Threat Group-3390 (v2.1→v2.2)
• Transparent Tribe (v1.1→v1.2)
• Tropic Trooper (v1.4→v1.5)
• Volt Typhoon (v1.0→v1.1)
• Whitefly (v1.1→v1.2)

Patches

• APT3 (v1.4)

Mobile

New Groups

• APT-C-23 (v1.0)
• BITTER (v1.1)
• PROMETHIUM (v2.1)
• Scattered Spider (v2.0)
• UNC788 (v1.0)

Major Version Changes

• APT28 (v4.0→v5.0)
• Earth Lusca (v1.0→v2.0)
• Sandworm Team (v3.1→v4.0)

Minor Version Changes

• Dark Caracal (v1.3→v1.4)

ICS

New Groups

• CyberAv3ngers (v1.0)

Major Version Changes

• APT33 (v1.4→v2.0)
• APT38 (v2.0→v3.0)
• Dragonfly (v3.2→v4.0)
• FIN6 (v3.3→v4.0)
• FIN7 (v3.0→v4.0)
• Lazarus Group (v3.2→v4.0)
• OilRig (v3.1→v4.0)
• Sandworm Team (v3.1→v4.0)
• Wizard Spider (v3.0→v4.0)

Minor Version Changes

• HEXANE (v2.1→v2.2)
• TEMP.Veles (v1.3→v1.4)

Campaigns

Enterprise

New Campaigns

• 2022 Ukraine Electric Power Attack (v1.0)
• C0032 (v1.0)
• C0033 (v1.0)
• Cutting Edge (v1.0)
• Triton Safety Instrumented System Attack (v1.0)

Minor Version Changes

• Night Dragon (v1.0→v1.1)
• Operation Dream Job (v1.1→v1.2)
• Operation Dust Storm (v1.0→v1.1)
• Operation Honeybee (v1.0→v1.1)
• Operation Spalax (v1.0→v1.1)

Mobile

New Campaigns

• C0033 (v1.0)

Minor Version Changes

• Operation Dust Storm (v1.0→v1.1)

ICS

New Campaigns

• 2022 Ukraine Electric Power Attack (v1.0)
• Triton Safety Instrumented System Attack (v1.0)
• Unitronics Defacement Campaign (v1.0)

Mitigations

Enterprise

Minor Version Changes

• Software Configuration (v1.1→v1.2)

Mobile

New Mitigations

• Do Not Mitigate (v1.0)

Data Components

Mobile

New Data Components

• Application Assets (v1.0)

Contributors to this release

• @_montysecurity
• Alexander Rodchenko
• Ami Holeston
• Andrew Northern, @ex_raritas
• Blake Strom, Microsoft Threat Intelligence
• BT Security
• Daniel Fernando Soriano Espinosa
• David Galazin @themalwareman1
• Debabrata Sharma
• Denise Tan
• Diyar Saadi Ali
• Dragos Threat Intelligence
• Dray Agha, @Purp1eW0lf, Huntress Labs
• Eduardo Chavarro Ovalle
• Edward Stevens
• Eliav Livneh
• Eliraz Levi, Hunters
• Gabriel Currie
• Gavin Knapp
• Goldstein Menachem
• Harjot Shah Singh
• Harun Küßner
• Hen Porcilan
• Hiroki Nagahama, NEC Corporation
• Ivy Bostock
• Jai Minton, @Cyberraiju
• Jeremy Hedges
• Jiraput Thamsongkrah
• Joas Antonio dos Santos, @C0d3Cr4zy
• Joe Wise
• Joshua Penny
• Kostya Vasilkov
• Liran Ravich, CardinalOps
• Manikantan Srinivasan, NEC Corporation India
• Marina Liang
• Mark Tsipershtein
• Matt Mullins
• Monty
• Nikita Rostovcev, Group-IB
• Nikola Kovac
• Obsidian Security
• Pooja Natarajan, NEC Corporation India
• Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
• Sam Seabrook, Duke Energy
• SCILabs
• Selena Larson, @selenalarson
• Serhii Melnyk, Trustwave SpiderLabs
• Shankar Raman, Amrita University, Gen Digital, Traboda
• Shaul Vilkomir-Preisman
• Sittikorn Sangrattanapitak
• Takahashi Wataru, NEC Corporation
• Tamir Yehuda
• Thomas B
• Tim (Wadhwa-)Brown
• Tristan Madani
• TruKno
• Vectra AI
• Viren Chaudhari, Qualys
• Will Alexander
• Wirapong Petshagun
• Yves Yonan