Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [1] Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. [2] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. [3]

Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. [4] [5][6]

ID: T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Application Control, Host Forensic Analysis, Host Intrusion Prevention Systems, Log Analysis, Signature-based Detection
Contributors: Christiaan Beek, @ChristiaanBeek; Red Canary
Version: 1.5
Created: 31 May 2017
Last Modified: 28 August 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor.[7]

S1028 Action RAT

Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[8]

S0045 ADVSTORESHELL

Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[9][10]

S0331 Agent Tesla

Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[11] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[12]

S1025 Amadey

Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.[13]

S0504 Anchor

Anchor has obfuscated code with stack strings and string encryption.[14]

S0584 AppleJeus

AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[15]

S0622 AppleSeed

AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.[16]

G0099 APT-C-36

APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.[17]

G0026 APT18

APT18 obfuscates strings in the payload.[18]

G0073 APT19

APT19 used Base64 to obfuscate payloads.[19]

G0007 APT28

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[10][20][21][22][23]

G0022 APT3

APT3 obfuscates files or information to help evade defensive measures.[24]

G0050 APT32

APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[25][26][27][28][29][30][31]

G0064 APT33

APT33 has used base64 to encode payloads.[32]

G0067 APT37

APT37 obfuscates strings and payloads.[33][34][35]

G0087 APT39

APT39 has used malware to drop encrypted CAB files.[36]

G0096 APT41

APT41 used VMProtected binaries in multiple intrusions.[37]

S0456 Aria-body

Aria-body has used an encrypted configuration file for its loader.[38]

S0373 Astaroth

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.[39]

S0438 Attor

Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.[40]

S0347 AuditCred

AuditCred encrypts the configuration.[41]

S0640 Avaddon

Avaddon has used encrypted strings.[42]

S0473 Avenger

Avenger has the ability to XOR encrypt files to be sent to C2.[43]

S1053 AvosLocker

AvosLocker has used XOR-encoded strings.[44]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[45]

S1081 BADHATCH

BADHATCH can be compressed with the ApLib algorithm.[46]

S0534 Bazar

Bazar has used XOR, RSA2, and RC4 encrypted files.[47][48][49]

S0574 BendyBear

BendyBear has encrypted payloads using RC4 and XOR.[50]

S0268 Bisonal

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.[51][52]

S0570 BitPaymer

BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.[53]

G1002 BITTER

BITTER has used a RAR SFX dropper to deliver malware.[54]

G0063 BlackOasis

BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.[55]

S0520 BLINDINGCAN

BLINDINGCAN has obfuscated code using Base64 encoding.[56]

G0108 Blue Mockingbird

Blue Mockingbird has obfuscated the wallet address in the payload binary.[57]

S0657 BLUELIGHT

BLUELIGHT has a XOR-encoded payload.[58]

S0635 BoomBox

BoomBox can encrypt data using AES prior to exfiltration.[59]

S0415 BOOSTWRITE

BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.[60]

S0651 BoxCaon

BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.[61]

S1063 Brute Ratel C4

Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[62][63]

S1039 Bumblebee

Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.[64][65][66]

S0482 Bundlore

Bundlore has obfuscated data with base64, AES, RC4, and bz2.[67]

C0015 C0015

During C0015, the threat actors used Base64-encoded strings.[68]

C0017 C0017

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[69]

S0030 Carbanak

Carbanak encrypts strings to make analysis more difficult.[70]

S0484 Carberp

Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[71]

S0335 Carbon

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[72][73]

S0348 Cardinal RAT

Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.[74]

S0465 CARROTBALL

CARROTBALL has used a custom base64 alphabet to decode files.[75]

S0462 CARROTBAT

CARROTBAT has the ability to download a base64 encoded payload.[76]

S1041 Chinoxy

Chinoxy has encrypted its configuration file.[77]

S0667 Chrommme

Chrommme can encrypt sections of its code to evade detection.[78]

S0660 Clambling

The Clambling executable has been obfuscated when dropped on a compromised host.[79]

S0154 Cobalt Strike

Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.[80][81]

S0369 CoinTicker

CoinTicker initially downloads a hidden encoded file.[82]

S0244 Comnie

Comnie uses RC4 and Base64 to obfuscate strings.[83]

S0126 ComRAT

ComRAT has encrypted its virtual file system using AES-256 in XTS mode.[84][85]

S0608 Conficker

Conficker has obfuscated its code to prevent its removal from host machines.[86]

S0575 Conti

Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.[87][88][49]

S0137 CORESHELL

CORESHELL obfuscates strings using a custom stream cipher.[89]

S0046 CozyCar

The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.[90]

S0625 Cuba

Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.[91]

S0497 Dacls

Dacls can encrypt its configuration file with AES CBC.[92]

S1014 DanBot

DanBot can Base64 encode its payload.[93]

G0070 Dark Caracal

Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[94]

G0012 Darkhotel

Darkhotel has obfuscated code using RC4, XOR, and RSA.[95][96]

S1066 DarkTortilla

DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[97]

S0673 DarkWatchman

DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.[98]

S0187 Daserf

Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[99]

S1033 DCSrv

DCSrv's configuration is encrypted.[100]

S1052 DEADEYE

DEADEYE has encrypted its payload.[69]

S0354 Denis

Denis obfuscates its code and encrypts the API names.[29]

S0659 Diavol

Diavol has Base64 encoded the RSA public key used for encrypting files.[101]

S0213 DOGCALL

DOGCALL is encrypted using single-byte XOR.[102]

S0695 Donut

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[103]

S0694 DRATzarus

DRATzarus can be partly encrypted with XOR.[104]

S0384 Dridex

Dridex's strings are obfuscated using RC4.[105]

S0502 Drovorub

Drovorub has used XOR encrypted payloads in WebSocket client to server messages.[106]

S0062 DustySky

The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.[107]

G1006 Earth Lusca

Earth Lusca used Base64 to encode strings.[108]

S0377 Ebury

Ebury has obfuscated its strings with a simple XOR encryption with a static key.[109]

S0593 ECCENTRICBANDWAGON

ECCENTRICBANDWAGON has encrypted strings with RC4.[110]

S0624 Ecipekac

Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.[111]

S0605 EKANS

EKANS uses encoded strings in its process kill list.[112]

G0066 Elderwood

Elderwood has encrypted documents and malicious executables.[113]

S0081 Elise

Elise encrypts several of its files, including configuration files.[114]

G1003 Ember Bear

Ember Bear has obfuscated malware to help avoid detection.[115]

S0082 Emissary

Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.[116][117]

S0634 EnvyScout

EnvyScout can Base64 encode payloads.[59]

S0091 Epic

Epic heavily obfuscates its code to make analysis more difficult.[118]

S0401 Exaramel for Linux

Exaramel for Linux uses RC4 for encrypting the configuration.[119][120]

S0512 FatDuke

FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.[121]

S0267 FELIXROOT

FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[122][123]

S0355 Final1stspy

Final1stspy obfuscates strings with base64 encoding.[102]

S0182 FinFisher

FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[124][125]

S0618 FIVEHANDS

The FIVEHANDS payload is encrypted with AES-128.[126][127][128]

S0696 Flagpro

Flagpro has been delivered within ZIP or RAR password-protected archived files.[129]

S0383 FlawedGrace

FlawedGrace encrypts its C2 configuration files with AES in CBC mode.[130]

S0661 FoggyWeb

FoggyWeb has been XOR-encoded.[131]

G0117 Fox Kitten

Fox Kitten has base64 encoded payloads to avoid detection.[132]

S1044 FunnyDream

FunnyDream can Base64 encode its C2 address stored in a template binary with the xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_- orxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_= character sets.[77]

S0410 Fysbis

Fysbis has been encrypted using XOR and RC4.[133]

G0093 GALLIUM

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[134]

G0084 Gallmaker

Gallmaker obfuscated shellcode used during execution.[135]

G0047 Gamaredon Group

Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.[136]

S0168 Gazer

Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.[137]

S0666 Gelsemium

Gelsemium has the ability to compress its components.[78]

S0493 GoldenSpy

GoldenSpy's uninstaller has base64-encoded its variables. [138]

S0588 GoldMax

GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.[139][140]

S0477 Goopy

Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.[29]

S0531 Grandoreiro

The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.[39][141][141]

S0237 GravityRAT

GravityRAT supports file encryption (AES with the key "lolomycin2017").[142]

S0690 Green Lambert

Green Lambert has encrypted strings.[143][144]

S0342 GreyEnergy

GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.[123]

S0632 GrimAgent

GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[145]

G0043 Group5

Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.[146]

S0132 H1N1

H1N1 uses multiple techniques to obfuscate strings, including XOR.[147]

S0499 Hancitor

Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.[148][149]

S0391 HAWKBALL

HAWKBALL has encrypted the payload with an XOR-based algorithm.[150]

S0170 Helminth

The Helminth config file is encrypted with RC4.[151]

S0697 HermeticWiper

HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.[152][153][154]

S0698 HermeticWizard

HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.[155]

S1027 Heyoka Backdoor

Heyoka Backdoor can encrypt its payload.[156]

S0087 Hi-Zor

Hi-Zor uses various XOR techniques to obfuscate its components.[157]

S0394 HiddenWasp

HiddenWasp encrypts its configuration and payload.[158]

G0126 Higaisa

Higaisa used Base64 encoded compressed payloads.[159][160]

S0601 Hildegard

Hildegard has encrypted an ELF file.[161]

S0232 HOMEFRY

Some strings in HOMEFRY are obfuscated with XOR x56.[162]

S0431 HotCroissant

HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.[163]

S0070 HTTPBrowser

HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[164]

S0203 Hydraq

Hydraq uses basic obfuscation in the form of spaghetti code.[113][165]

S0398 HyperBro

HyperBro can be delivered encrypted to a compromised host.[79]

S0483 IcedID

IcedID has utilzed encrypted binaries and base64 encoded strings.[166]

S0434 Imminent Monitor

Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.[17]

G0100 Inception

Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.[167]

S0604 Industroyer

Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.[7]

S0259 InnaputRAT

InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[168]

S0260 InvisiMole

InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.[169][170]

S0581 IronNetInjector

IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.[171]

S0189 ISMInjector

ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.[172]

S0044 JHUHUGIT

Many strings in JHUHUGIT are obfuscated with a XOR algorithm.[173][174][22]

S0201 JPIN

A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[175]

S0283 jRAT

jRAT’s Java payload is encrypted with AES.[176] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[177]

S0265 Kazuar

Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[178]

G0004 Ke3chang

Ke3chang has used Base64-encoded shellcode strings.[179]

S0585 Kerrdown

Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[180]

S0487 Kessel

Kessel's configuration is hardcoded and RC4 encrypted within the binary.[181]

S1020 Kevin

Kevin has Base64-encoded its configuration file.[182]

S0387 KeyBoy

In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[183]

S1051 KEYPLUG

KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.[69]

S0526 KGH_SPY

KGH_SPY has used encrypted strings in its installer.[184]

S0607 KillDisk

KillDisk uses VMProtect to make reverse engineering the malware more difficult.[185]

G0094 Kimsuky

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[186][187] Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.[188]

S0641 Kobalos

Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[189]

S0356 KONNI

KONNI is heavily obfuscated and includes encrypted configuration files.[190]

S0236 Kwampirs

Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.[191]

G0032 Lazarus Group

Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.[192][193][194][195][92][196][197]

G0065 Leviathan

Leviathan has obfuscated code using base64 and gzip compression.[198]

S0395 LightNeuron

LightNeuron encrypts its configuration files with AES-256.[199]

S0447 Lokibot

Lokibot has obfuscated strings with base64 encoding.[200]

S0451 LoudMiner

LoudMiner has encrypted DMG files.[201]

S1060 Mafalda

Mafalda has been obfuscated and contains encrypted functions.[202]

G0059 Magic Hound

Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.[203][204]

S0167 Matryoshka

Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.[205]

S0449 Maze

Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[206]

S0500 MCMD

MCMD can Base64 encode output strings prior to sending to C2.[207]

G0045 menuPass

menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[208][209][210]

G1013 Metador

Metador has encrypted their payloads.[202]

S1059 metaMain

metaMain's module file has been encrypted via XOR.[211]

S0455 Metamorfo

Metamorfo has encrypted payloads and strings.[212][213]

S0339 Micropsia

Micropsia obfuscates the configuration with a custom Base64 and XOR.[214][215]

S1015 Milan

Milan can encode files containing information about the targeted system.[216][182]

S0051 MiniDuke

MiniDuke can use control flow flattening to obscure code.[121]

G0103 Mofang

Mofang has compressed the ShimRat executable within malicious email attachments. Mofang has also encrypted payloads before they are downloaded to victims.[217]

G0021 Molerats

Molerats has delivered compressed executables within ZIP files to victims.[218]

S0284 More_eggs

More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.[219]

G1009 Moses Staff

Moses Staff has used obfuscated web shells in their operations.[100]

S0256 Mosquito

Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.[220]

G0129 Mustang Panda

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[221][222][223][224][225][226]

S0228 NanHaiShu

NanHaiShu encodes files in Base64.[227]

S0336 NanoCore

NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.[228]

S0198 NETWIRE

NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.[229]

C0002 Night Dragon

During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[230]

S1090 NightClub

NightClub can obfuscate strings using the congruential generator (LCG): staten+1 = (690069 × staten + 1) mod 232.[231]

S0385 njRAT

njRAT has included a base64 encoded executable.[232]

S0353 NOKKI

NOKKI uses Base64 encoding for strings.[233]

G0049 OilRig

OilRig has encrypted and encoded data in its malware, including by using base64.[234][235][236][237][238]

S0138 OLDBAIT

OLDBAIT obfuscates internal strings and unpacks them at startup.[89]

S0264 OopsIE

OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[239][240]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.[104][241][242][243]

C0016 Operation Dust Storm

During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded.[244]

C0006 Operation Honeybee

During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.[245]

C0005 Operation Spalax

For Operation Spalax, the threat actors used XOR-encrypted payloads.[246]

S0229 Orz

Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[198]

S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[247]

S0594 Out1

Out1 has the ability to encode data.[248]

S0598 P.A.S. Webshell

P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[120]

S0664 Pandora

Pandora has the ability to compress stings with QuickLZ.[249]

S1050 PcShare

PcShare has been encrypted with XOR using different 32-long Base16 strings and compressed with LZW algorithm.[77]

S0587 Penquin

Penquin has encrypted strings in the binary for obfuscation.[250]

S0517 Pillowmint

Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.[251]

S0501 PipeMon

PipeMon modules are stored encrypted on disk.[252]

S0124 Pisloader

Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.[253]

S0013 PlugX

PlugX can use API hashing and modify the names of strings to evade detection.[79][226]

S0428 PoetRAT

PoetRAT has used a custom encryption scheme for communication between scripts.[254]

S0012 PoisonIvy

PoisonIvy hides any strings related to its own indicators of compromise.[255]

S0518 PolyglotDuke

PolyglotDuke can custom encrypt strings.[121]

S0453 Pony

Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.[256]

S0150 POSHSPY

POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[257]

S0393 PowerStallion

PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server.[258]

S0113 Prikormka

Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[259]

S0613 PS1

PS1 is distributed as a set of encrypted files and scripts.[260]

S0196 PUNCHBUGGY

PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR.[261]

S0197 PUNCHTRACK

PUNCHTRACK is loaded and executed by a highly obfuscated launcher.[262]

G0024 Putter Panda

Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[263]

S1032 PyDCrypt

PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.[100]

S0650 QakBot

QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[264]

S0565 Raindrop

Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.[265][266]

S0629 RainyDay

RainyDay has downloaded as a XOR-encrypted payload.[267]

S0458 Ramsay

Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[268]

S0662 RCSession

RCSession can compress and obfuscate its strings to evade detection on a compromised host.[79]

S0172 Reaver

Reaver encrypts some of its files with XOR.[269]

S0153 RedLeaves

A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[270]

S0511 RegDuke

RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[121]

S0332 Remcos

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[271]

S0375 Remexi

Remexi obfuscates its configuration data with XOR.[272]

S0125 Remsec

Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[273][274]

S0496 REvil

REvil has used encrypted strings and configuration files.[275][276][277][278][279][280][281]

S0433 Rifdoor

Rifdoor has encrypted strings with a single byte XOR algorithm.[163]

S0448 Rising Sun

Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.[282]

G0106 Rocke

Rocke has modified UPX headers after packing files to break unpackers.[283]

S0240 ROKRAT

ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[35][284]

S0148 RTM

RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[285][286]

S0446 Ryuk

Ryuk can use anti-disassembly and code transformation obfuscation techniques.[49]

S1018 Saint Bot

Saint Bot has been obfuscated to help avoid detection.[115]

S0074 Sakula

Sakula uses single-byte XOR obfuscation to obfuscate many of its files.[287]

S0370 SamSam

SamSam has been seen using AES or DES to encrypt payloads and payload components.[288][289]

G0034 Sandworm Team

Sandworm Team has used Base64 encoding within malware variants.[290]

S1085 Sardonic

Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.[291]

S0461 SDBbot

SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.[292]

S0345 Seasalt

Seasalt obfuscates configuration data.[293]

S0596 ShadowPad

ShadowPad has encrypted its payload, a virtual file system, and various files.[294][108]

S0140 Shamoon

Shamoon contains base64-encoded strings.[295]

S1019 Shark

Shark can use encrypted and encoded files for C2 configuration.[216][296]

S0444 ShimRat

ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[217]

S0445 ShimRatReporter

ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.[217]

S0063 SHOTPUT

SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[297][298]

G0121 Sidewinder

Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.[299][300][301]

S0623 Siloscape

Siloscape itself is obfuscated and uses obfuscated API calls.[302]

S0468 Skidmap

Skidmap has encrypted it's main payload using 3DES.[303]

S0633 Sliver

Sliver can encrypt strings at compile time.[304][305]

S1035 Small Sieve

Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[306]

S0226 Smoke Loader

Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.[307][308]

S1086 Snip3

Snip3 has the ability to obfuscate strings using XOR encryption.[309]

S0627 SodaMaster

SodaMaster can use "stackstrings" for obfuscation.[111]

S0615 SombRAT

SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.[260][126][127]

S0516 SoreFang

SoreFang has the ability to encode and RC6 encrypt data sent to C2.[310]

S0374 SpeakUp

SpeakUp encodes its second-stage payload with Base64. [311]

S1030 Squirrelwaffle

Squirrelwaffle has been obfuscated with a XOR-based algorithm.[312][313]

S1037 STARWHALE

STARWHALE has been obfuscated with hex-encoded strings.[314]

S0380 StoneDrill

StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[315]

S0142 StreamEx

StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.[316]

S0491 StrongPity

StrongPity has used encrypted strings in its dropper component.[317][318]

S0603 Stuxnet

Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.[319]

S0559 SUNBURST

SUNBURST strings were compressed and encoded in Base64.[320] SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.[321]

S0562 SUNSPOT

SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion <MsBuild.exe process.[322]

S0578 SUPERNOVA

SUPERNOVA contained Base64-encoded strings.[323]

S1064 SVCReady

SVCReady can encrypt victim data with an RC4 cipher.[324]

S0242 SynAck

SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[325][326]

S0663 SysUpdate

SysUpdate can encrypt and encode its configuration file.[249]

G1018 TA2541

TA2541 has used compressed and char-encoded scripts in operations.[327]

G0092 TA505

TA505 has password-protected malicious Word documents.[328]

S0011 Taidoor

Taidoor can use encrypted string blocks for obfuscation.[329]

S0467 TajMahal

TajMahal has used an encrypted Virtual File System to store plugins.[330]

G0139 TeamTNT

TeamTNT has encrypted its binaries via AES and encoded files using Base64.[331][332]

S0560 TEARDROP

TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[321][333][266]

G0027 Threat Group-3390

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[334][335][336]

S0665 ThreatNeedle

ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.[337]

S0131 TINYTYPHON

TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.[338]

S0678 Torisma

Torisma has been Base64 encoded and AES encrypted.[243]

G0134 Transparent Tribe

Transparent Tribe has dropped encoded executables on compromised hosts.[339]

S0266 TrickBot

TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[340]

S0094 Trojan.Karagany

Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.[341]

G0081 Tropic Trooper

Tropic Trooper has encrypted configuration files.[342][343]

S0647 Turian

Turian can use VMProtect for obfuscation.[45]

S0263 TYPEFRAME

APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[344]

S0333 UBoatRAT

UBoatRAT encrypts instructions in the payload using a simple XOR cipher.[345]

S0022 Uroburos

Uroburos can use AES and CAST-128 encryption to obfuscate resources.[346]

S0386 Ursnif

Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[347] Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.[348]

S0136 USBStealer

Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[349]

S0476 Valak

Valak has the ability to base64 encode and XOR encrypt strings.[350][351][352]

S0257 VERMIN

VERMIN is obfuscated using the obfuscation tool called ConfuserEx.[353]

S0180 Volgmer

A Volgmer variant is encoded using a simple XOR cipher.[354]

S0612 WastedLocker

The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.[355]

S0579 Waterbear

Waterbear has used RC4 encrypted shellcode and encrypted functions.[356]

S0689 WhisperGate

WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[357][358][359]

G0107 Whitefly

Whitefly has encrypted the payload used for C2.[360]

G0112 Windshift

Windshift has used string encoding with floating point calculations.[361]

S0466 WindTail

WindTail can be delivered as a compressed, encrypted, and encoded payload.[362]

S0430 Winnti for Linux

Winnti for Linux can encode its configuration file with single-byte XOR encoding.[363]

S0141 Winnti for Windows

Winnti for Windows has the ability to encrypt and compress its payload.[364]

S1065 Woody RAT

Woody RAT has used Base64 encoded strings and scripts.[365]

S0117 XTunnel

A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.[366]

S0388 YAHOYAH

YAHOYAH encrypts its configuration file using a simple algorithm.[367]

S0230 ZeroT

ZeroT has encrypted its payload with RC4.[368]

S0330 Zeus Panda

Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings in AES and RC4.[369][370]

S0672 Zox

Zox has been encoded with Base64.[371]

S1013 ZxxZ

ZxxZ has been encoded to avoid detection from static analysis tools.[372]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [373]

M1047 Audit

Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.

M1040 Behavior Prevention on Endpoint

On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. [374]

M1017 User Training

Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022 File File Creation

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[375][376][377]

DS0011 Module Module Load

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[376]

DS0009 Process OS API Execution

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[375]

Process Creation

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

DS0012 Script Script Execution

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

DS0024 Windows Registry Windows Registry Key Creation

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

DS0005 WMI WMI Creation

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.

References

  1. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  2. Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.
  3. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
  4. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  5. Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.
  6. White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.
  7. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  8. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  9. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  10. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  11. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  12. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  13. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  14. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  15. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  16. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  17. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  18. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  19. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  20. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  21. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  22. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  23. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  24. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  25. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  26. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
  27. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  28. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  29. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  30. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  31. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  32. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  33. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  34. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  35. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  36. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  37. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  38. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  39. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  40. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  41. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  42. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  43. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  44. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  45. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  46. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  47. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  48. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  49. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  50. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  51. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  52. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  53. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  54. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  55. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  56. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  57. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  58. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  59. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  60. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  61. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  62. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  63. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  64. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  65. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  66. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  67. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  68. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  69. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  70. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  71. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  72. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  73. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  74. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  75. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  76. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  77. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  78. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  79. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  80. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  81. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  82. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  83. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  84. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  85. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  86. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  87. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  88. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  89. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  90. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  91. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  92. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  93. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  94. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  95. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  96. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  97. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  98. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  99. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  100. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  101. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  102. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  103. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  104. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  105. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  106. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  107. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  108. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  109. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  110. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  111. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  112. Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
  113. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  114. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  115. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  116. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  117. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  118. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  119. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  120. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  121. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  122. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  123. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  124. FinFisher. (n.d.). Retrieved December 20, 2017.
  125. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  126. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  127. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  128. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  129. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  130. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  131. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  132. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  133. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  134. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  135. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  136. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  137. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  138. Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020.
  139. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  140. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  141. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  142. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  143. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  144. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  145. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  146. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  147. Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  148. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  149. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  150. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  151. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  152. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
  153. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  154. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  155. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  156. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  157. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  158. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  159. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  160. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  161. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  162. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  163. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  164. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  165. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  166. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  167. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  168. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  169. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  170. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  171. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  172. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  173. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  174. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  175. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  176. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  177. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  178. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  179. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  180. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  181. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  182. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  183. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  184. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  185. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  186. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  187. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  188. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  189. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  1. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  2. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  3. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  4. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  6. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  7. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  8. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  9. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  10. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  11. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  12. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  13. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  14. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  15. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  16. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  17. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  18. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  19. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  20. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  21. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  22. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  23. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  24. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  25. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  26. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  27. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  28. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  29. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  30. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  31. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  32. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  33. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  34. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  35. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  36. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
  37. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  38. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  39. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  40. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  41. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  42. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  43. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  44. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  45. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  46. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  47. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  48. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  49. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  50. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  51. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  52. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  53. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  54. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  55. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  56. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  57. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  58. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  59. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  60. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  61. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  62. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  63. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  64. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  65. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  66. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  67. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  68. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  69. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  70. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  71. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  72. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  73. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  74. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  75. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  76. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  77. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  78. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  79. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  80. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  81. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  82. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  83. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  84. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  85. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  86. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  87. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  88. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  89. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  90. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  91. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  92. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  93. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  94. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  95. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  96. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  97. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  98. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  99. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  100. Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019.
  101. Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  102. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  103. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  104. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  105. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  106. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  107. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  108. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  109. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  110. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  111. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  112. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
  113. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  114. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  115. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
  116. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
  117. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  118. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  119. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  120. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  121. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  122. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  123. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  124. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  125. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  126. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  127. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  128. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  129. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  130. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  131. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  132. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  133. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  134. CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
  135. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  136. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  137. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  138. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  139. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  140. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  141. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  142. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  143. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  144. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  145. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  146. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  147. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  148. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  149. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  150. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  151. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  152. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  153. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  154. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  155. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  156. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  157. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  158. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  159. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  160. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  161. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  162. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  163. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  164. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  165. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  166. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  167. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  168. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  169. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  170. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved March 31, 2023.
  171. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  172. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  173. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  174. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  175. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  176. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  177. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  178. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  179. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  180. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  181. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  182. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  183. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  184. Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.
  185. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  186. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
  187. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
  188. Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022.