Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with enterprise techniques and may be mapped to Groups.
Software is broken down into three high-level categories:
- Tool - Commercial, open-source, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary for malicious purposes that generally is not found on an enterprise system. Examples include PsExec, Metasploit, Mimikatz, etc.
- Utility - Software generally available as part of an operating system that is already present in an environment. Adversaries tend to leverage existing functionality on systems to gather information and perform actions. Examples include Windows utilities such as Net, netstat, Tasklist, etc.
- Malware - Commercial, custom closed source, or open source software intended to be used for malicious purposes by adversaries. Examples include PlugX, CHOPSTICK, etc.
3PARA RAT (associated software: 3PARA RAT)
4H RAT (associated software: 4H RAT)
Adups is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server.
ADVSTORESHELL (associated software: ADVSTORESHELL, AZZY, EVILTOSS, NETUI, Sedreco)
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.
Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.
Android Overlay Malware (associated software: Android Overlay Malware)
Android Overlay Malware is malware that was used in a 2016 campaign targeting European countries. The malware attempted to trick users into providing banking credentials.
Android/Chuli.A is Android malware that was delivered to activist groups via a spearphishing email with an attachment.
ANDROIDOS_ANSERVER.A is Android malware that is unique because it uses encrypted content within a blog site for command and control.
AndroRAT is malware that allows a third party to control the device and collect information.
Arp displays information about a system's Address Resolution Protocol (ARP) cache.
at is used to schedule tasks on a system to run at a specified date or time.
AutoIt backdoor (associated software: AutoIt backdoor)
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
Bandook is a commercially available RAT, written in Delphi, which has been available since roughly 2007.
Bankshot (associated software: Bankshot, Trojan Manuscript)
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector.
BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.
Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014.
BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013.
BlackEnergy (associated software: BlackEnergy, Black Energy)
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.
BrainTest is a family of Android malware.
Brave Prince (associated software: Brave Prince)
Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics.
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.
Cachedump is a publicly-available tool that extracts cached password hashes from a system's registry.
CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.
Catchamas is a Windows Trojan that steals information from compromised systems.
CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website.
certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.
Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets.
Charger is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions.
ChChes (associated software: ChChes, Scorpion, HAYMAKER)
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.
Cherry Picker (associated software: Cherry Picker)
Cherry Picker is a point of sale (PoS) memory scraper.
China Chopper (associated software: China Chopper)
China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. It has been used by several threat groups.
CHOPSTICK (associated software: CHOPSTICK, SPLM, Xagent, X-Agent, webhp)
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the Android version of the malware.
CloudDuke (associated software: CloudDuke, MiniDionis, CloudLook)
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g.,
Cobalt Strike (associated software: Cobalt Strike)
Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
Comnie is a remote backdoor which has been used in attacks in East Asia.
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.
CosmicDuke (associated software: CosmicDuke, TinyBaron, BotgenStudios, NemesisGemina)
CozyCar (associated software: CozyCar, CozyDuke, CozyBear, Cozer, EuroAPT)
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.
Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.
CrossRAT is a cross-platform RAT.
Daserf (associated software: Daserf, Muirim, Nioupale)
Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi.
Dendroid is an Android malware family.
Derusbi is malware used by multiple Chinese APT groups. Both Windows and Linux variants have been observed.
Dok steals banking information through man-in-the-middle attacks.
DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware.
DressCode is an Android malware family.
DroidJack RAT is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games.
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB.
Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.
DustySky (associated software: DustySky, NeD Worm)
Dyre is a Trojan that has been used for financial gain.
Elise (associated software: Elise, BKDR_ESILE, Page)
Epic (associated software: Epic, Tavdig, Wipbot, WorldCupSec, TadjMakhal)
FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website.
FELIXROOT is a backdoor that has been used to target Ukrainian victims.
Fgdump is a Windows password hash dumper.
FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird.
Flame (associated software: Flame, Flamer, sKyWIper)
Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.
Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts.
FruitFly is designed to spy on Mac users.
FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.
gh0st is a remote access tool (RAT). The source code is public and it has been used by many groups.
Gold Dragon (associated software: Gold Dragon)
Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics.
Gooligan (associated software: Gooligan, Ghost Push)
Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family.
GravityRAT is a remote access tool (RAT) that has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author: "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India.
gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.
H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.
Hacking Team UEFI Rootkit (associated software: Hacking Team UEFI Rootkit)
Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.
HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks.
HAMMERTOSS (associated software: HAMMERTOSS, HammerDuke, NetDuke)
HARDRAIN is a Trojan malware variant reportedly used by the North Korean government.
Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries.
HDoor (associated software: HDoor, Custom HDoor)
Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable.
HTRAN (associated software: HTRAN, HUC Packet Transmit Tool)
HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks.
HTTPBrowser (associated software: HTTPBrowser, Token Control, HttpDump)
HTTPBrowser is malware that has been used by several threat groups. It is believed to be of Chinese origin.
HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android.
HummingWhale is an Android malware family that performs ad fraud.
Hydraq (associated software: Hydraq, Aurora, 9002 RAT)
Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.
ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.
iKitten is a macOS exfiltration agent.
InvisiMole is a modular spyware program that has been used by threat actors since at least 2013. InvisiMole has two backdoor modules, called RC2FM and RC2CL, that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia.
Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. An example of its usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. If the image file is then called from a macro, for example, the macro downloads the picture and executes the embedded PowerShell code, which in this case dumps the passwords.
ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.
Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia.
Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it.
JHUHUGIT (associated software: JHUHUGIT, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp)
jRAT is a cross-platform remote access tool that was first observed in November 2017.
Judy is auto-clicking adware that was distributed through multiple apps in the Google Play Store.
Kasidet is a backdoor that has been dropped by using malicious VBA macros.
Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework.
This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor.
KEYMARBLE is a Trojan that has reportedly been used by the North Korean government.
KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality.
Koadic is a Windows post-exploitation framework and penetration testing tool. Koadic is publicly available on GitHub and the tool is executed via the command-line. Koadic has several options for staging payloads and creating implants. Koadic performs most of its operations using Windows Script Host.
Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.
MacSpy is a malware-as-a-service offered on the darkweb.
Marcher is Android malware that is used for financial fraud.
Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences.
MazarBOT is Android malware that was distributed via SMS in Denmark in 2016.
meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
Miner-C (associated software: Miner-C, Mal/Miner-C, PhotoMiner)
Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.
MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.
MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012.
MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.
More_eggs is a JScript backdoor used by Cobalt Group. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4.
Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program.
NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.
NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea.
nbtstat is a utility used to troubleshoot NetBIOS name resolution.
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.
Net has a great deal of functionality, much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows Admin Shares using
Net Crawler (associated software: Net Crawler, NetC)
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.
netsh is a scripting utility used to interact with networking components on local or remote systems.
netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.
NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.
NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.
NotCompatible is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time.
OBAD is an Android malware family.
OldBoot is an Android malware family.
P2P ZeuS (associated software: P2P ZeuS, Peer-to-Peer ZeuS, Gameover ZeuS)
P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.
Pass-The-Hash Toolkit (associated software: Pass-The-Hash Toolkit)
Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems.
Pegasus for Android (associated software: Pegasus for Android, Chrysaor)
Pegasus for iOS (associated software: Pegasus for iOS)
Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. The Android version is tracked separately under Pegasus for Android.
Ping is an operating system utility commonly used to troubleshoot and verify network connections.
Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.
PJApps is an Android malware family.
PlugX (associated software: PlugX, Sogu, Kaba, Korplug)
PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups.
PoisonIvy (associated software: PoisonIvy, Poison Ivy, Darkmoon)
PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.
Power Loader (associated software: Power Loader, Win32/Agent.UAW)
Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz.
POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped.
PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.
POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.
Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.
Proton is a macOS backdoor focusing on data theft and credential access.
Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process.
PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.
Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). Pupy is publicly available on GitHub.
pwdump is a credential dumper.
RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines.
RawPOS (associated software: RawPOS, FIENDCRY, DUEBREW, DRIFTWOOD)
RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD.
RCSAndroid is Android malware.
Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel Items.
RedDrop is an Android malware family that exfiltrates sensitive data from devices.
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.
Utilities such as Reg are known to be used by persistent threats.
Remsec (associated software: Remsec, Backdoor.Remsec, ProjectSauron)
Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on webservers belonging to Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers.
route can be used to find or change information within the local system IP routing table.
Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.
RuMMS is an Android malware family.
Sakula (associated software: Sakula, Sakurel, VIPER)
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.
schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.
SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools.
SeaDuke (associated software: SeaDuke, SeaDaddy, SeaDesk)
Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states.
ShiftyBug is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, and Kemoge, though it is not believed all the families were created by the same group.
SHOTPUT (associated software: SHOTPUT, Backdoor.APT.CookieCutter, Pirpi)
Skeleton Key (associated software: Skeleton Key)
Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. Functionality similar to Skeleton Key is included as a module in Mimikatz.
Skygofree is Android spyware that is believed to have been developed in 2014 and used through at least 2017.
Smoke Loader (associated software: Smoke Loader, Dofoil)
Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.
Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies.
spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET.
SpyDealer is Android malware that exfiltrates sensitive data from Android devices.
SpyNote RAT (associated software: SpyNote RAT)
sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws.
Stealth Mango (associated software: Stealth Mango)
Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer.
Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. The group using this malware has also been referred to as Sykipot.
SynAck is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017.
Systeminfo is a Windows utility that can be used to gather detailed information about a computer.
T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.
Taidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations.
Tangelo is iOS malware that is believed to be from the same developers as the Stealth Mango Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices.
The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.
TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination.
TrickBot (associated software: TrickBot, Totbrick, TSPY_TRICKLOAD)
TrickBot is a Trojan spyware program that has mainly been used for targeting banking sites in Australia. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language.
Trojan-SMS.AndroidOS.Agent.ao is Android malware.
Trojan-SMS.AndroidOS.FakeInst.a is Android malware.
Trojan-SMS.AndroidOS.OpFake.a is Android malware.
Trojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums.
Trojan.Mebromi is BIOS-level malware that takes control of the victim system before the Master Boot Record (MBR) is loaded.
Twitoor is an Android malware family that likely spreads by SMS or via malicious URLs.
UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.
A Linux rootkit that provides backdoor access and hides from defenders.
Unknown Logger (associated software: Unknown Logger)
Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.
USBStealer (associated software: USBStealer, USB Stealer, Win32/USBStealer)
USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.
VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code.
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing.
Windows Credential Editor (associated software: Windows Credential Editor, WCE)
Windows Credential Editor is a password dumping tool.
Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign.
Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.
Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.
WireLurker is a family of macOS malware that targets iOS devices connected over USB.
X-Agent for Android (associated software: X-Agent for Android)
X-Agent for Android is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. It is tracked separately from the Windows and Linux versions of X-Agent.
Xbot is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia.
XcodeGhost is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users.
XLoader is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018.
XTunnel (associated software: XTunnel, X-Tunnel, XAPS)
XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.
YiSpecter is iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality.
yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages.
ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks.
ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived.