Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [1] Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. [2] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. [3]

Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. [4] [5][6]

ID: T1027
Tactic: Defense Evasion
Platforms: Linux, Network, Windows, macOS
Defense Bypassed: Application Control, Host Forensic Analysis, Host Intrusion Prevention Systems, Log Analysis, Signature-based Detection
Contributors: Christiaan Beek, @ChristiaanBeek; Red Canary
Version: 1.6
Created: 31 May 2017
Last Modified: 16 April 2024

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor.[7]

S1028 Action RAT

Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[8]

S0045 ADVSTORESHELL

Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[9][10]

S0331 Agent Tesla

Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[11] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[12]

S1025 Amadey

Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.[13]

S0504 Anchor

Anchor has obfuscated code with stack strings and string encryption.[14]

S0584 AppleJeus

AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[15]

S0622 AppleSeed

AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.[16]

G0099 APT-C-36

APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.[17]

G0022 APT3

APT3 obfuscates files or information to help evade defensive measures.[18]

G0067 APT37

APT37 obfuscates strings and payloads.[19][20][21]

G0096 APT41

APT41 used VMProtected binaries in multiple intrusions.[22]

S0640 Avaddon

Avaddon has used encrypted strings.[23]

S1053 AvosLocker

AvosLocker has used XOR-encoded strings.[24]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[25]

G0063 BlackOasis

BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.[26]

S0635 BoomBox

BoomBox can encrypt data using AES prior to exfiltration.[27]

S0651 BoxCaon

BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.[28]

S1063 Brute Ratel C4

Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[29][30]

S1039 Bumblebee

Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.[31][32][33]

S0482 Bundlore

Bundlore has obfuscated data with base64, AES, RC4, and bz2.[34]

S1118 BUSHWALK

BUSHWALK can encrypt the resulting data generated from C2 commands with RC4.[35]

C0015 C0015

During C0015, the threat actors used Base64-encoded strings.[36]

C0017 C0017

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[37]

S0030 Carbanak

Carbanak encrypts strings to make analysis more difficult.[38]

S0335 Carbon

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[39][40]

S0465 CARROTBALL

CARROTBALL has used a custom base64 alphabet to decode files.[41]

S0660 Clambling

The Clambling executable has been obfuscated when dropped on a compromised host.[42]

S1105 COATHANGER

COATHANGER can store obfuscated configuration information in the last 56 bytes of the file /date/.bd.key/preload.so.[43]

S0154 Cobalt Strike

Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.[44][45]

S0369 CoinTicker

CoinTicker initially downloads a hidden encoded file.[46]

S0244 Comnie

Comnie uses RC4 and Base64 to obfuscate strings.[47]

S0126 ComRAT

ComRAT has encrypted its virtual file system using AES-256 in XTS mode.[48][49]

S0608 Conficker

Conficker has obfuscated its code to prevent its removal from host machines.[50]

S0575 Conti

Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.[51][52][53]

S0137 CORESHELL

CORESHELL obfuscates strings using a custom stream cipher.[54]

S0625 Cuba

Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.[55]

S1111 DarkGate

DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.[56]

S1066 DarkTortilla

DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[57]

S0187 Daserf

Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[58]

S0354 Denis

Denis obfuscates its code and encrypts the API names.[59]

S0659 Diavol

Diavol has Base64 encoded the RSA public key used for encrypting files.[60]

S0695 Donut

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[61]

S0694 DRATzarus

DRATzarus can be partly encrypted with XOR.[62]

S0384 Dridex

Dridex's strings are obfuscated using RC4.[63]

S0502 Drovorub

Drovorub has used XOR encrypted payloads in WebSocket client to server messages.[64]

S0062 DustySky

The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.[65]

G1006 Earth Lusca

Earth Lusca used Base64 to encode strings.[66]

S0377 Ebury

Ebury has obfuscated its strings with a simple XOR encryption with a static key.[67]

S0593 ECCENTRICBANDWAGON

ECCENTRICBANDWAGON has encrypted strings with RC4.[68]

S0624 Ecipekac

Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.[69]

S0605 EKANS

EKANS uses encoded strings in its process kill list.[70]

G1003 Ember Bear

Ember Bear has obfuscated malware to help avoid detection.[71]

S0091 Epic

Epic heavily obfuscates its code to make analysis more difficult.[72]

S0512 FatDuke

FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.[73]

S0355 Final1stspy

Final1stspy obfuscates strings with base64 encoding.[74]

S0182 FinFisher

FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[75][76]

S0696 Flagpro

Flagpro has been delivered within ZIP or RAR password-protected archived files.[77]

G0093 GALLIUM

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[78]

G0084 Gallmaker

Gallmaker obfuscated shellcode used during execution.[79]

G0047 Gamaredon Group

Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.[80]

S0477 Goopy

Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.[59]

S0690 Green Lambert

Green Lambert has encrypted strings.[81][82]

S0632 GrimAgent

GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[83]

S0132 H1N1

H1N1 uses multiple techniques to obfuscate strings, including XOR.[84]

S0499 Hancitor

Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.[85][86]

S0070 HTTPBrowser

HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[87]

S0203 Hydraq

Hydraq uses basic obfuscation in the form of spaghetti code.[88][89]

S0434 Imminent Monitor

Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.[17]

S0604 Industroyer

Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.[7]

S0259 InnaputRAT

InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[90]

S0260 InvisiMole

InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.[91][92]

S0189 ISMInjector

ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.[93]

S0201 JPIN

A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[94]

S0283 jRAT

jRAT’s Java payload is encrypted with AES.[95] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[96]

S0265 Kazuar

Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[97]

G0004 Ke3chang

Ke3chang has used Base64-encoded shellcode strings.[98]

S0585 Kerrdown

Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[99]

S0607 KillDisk

KillDisk uses VMProtect to make reverse engineering the malware more difficult.[100]

G0094 Kimsuky

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[101][102] Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.[103]

S0641 Kobalos

Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[104]

S0447 Lokibot

Lokibot has obfuscated strings with base64 encoding.[105]

S0167 Matryoshka

Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.[106]

S0449 Maze

Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[107]

S0500 MCMD

MCMD can Base64 encode output strings prior to sending to C2.[108]

S0051 MiniDuke

MiniDuke can use control flow flattening to obscure code.[73]

G0129 Mustang Panda

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[109][110][111][112][113][114]

S0336 NanoCore

NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.[115]

S0198 NETWIRE

NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.[116]

S1090 NightClub

NightClub can obfuscate strings using the congruential generator (LCG): staten+1 = (690069 × staten + 1) mod 232.[117]

S0353 NOKKI

NOKKI uses Base64 encoding for strings.[118]

S0138 OLDBAIT

OLDBAIT obfuscates internal strings and unpacks them at startup.[54]

S0264 OopsIE

OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[119][120]

S0229 Orz

Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[121]

S0594 Out1

Out1 has the ability to encode data.[122]

S0598 P.A.S. Webshell

P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[123]

S0664 Pandora

Pandora has the ability to compress stings with QuickLZ.[124]

S0517 Pillowmint

Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.[125]

S0124 Pisloader

Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.[126]

S0013 PlugX

PlugX can use API hashing and modify the names of strings to evade detection.[42][114]

S0428 PoetRAT

PoetRAT has used a custom encryption scheme for communication between scripts.[127]

S0012 PoisonIvy

PoisonIvy hides any strings related to its own indicators of compromise.[128]

S0518 PolyglotDuke

PolyglotDuke can custom encrypt strings.[73]

S0453 Pony

Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.[129]

S0150 POSHSPY

POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[130]

S0393 PowerStallion

PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server.[131]

S0196 PUNCHBUGGY

PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR.[132]

S0197 PUNCHTRACK

PUNCHTRACK is loaded and executed by a highly obfuscated launcher.[133]

S0650 QakBot

QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[134]

S0458 Ramsay

Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[135]

S0511 RegDuke

RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[73]

S0332 Remcos

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[136]

G0106 Rocke

Rocke has modified UPX headers after packing files to break unpackers.[137]

S0240 ROKRAT

ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[21][138]

S0148 RTM

RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[139][140]

S0446 Ryuk

Ryuk can use anti-disassembly and code transformation obfuscation techniques.[53]

S1018 Saint Bot

Saint Bot has been obfuscated to help avoid detection.[71]

S1099 Samurai

Samurai can encrypt the names of requested APIs and deliver its final payload as a compressed, encrypted and base64 encoded blob.[141]

G0034 Sandworm Team

Sandworm Team has used Base64 encoding within malware variants.[142]

S1085 Sardonic

Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.[143]

S0461 SDBbot

SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.[144]

S0596 ShadowPad

ShadowPad has encrypted its payload, a virtual file system, and various files.[145][66]

S0140 Shamoon

Shamoon contains base64-encoded strings.[146]

S0444 ShimRat

ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[147]

S0445 ShimRatReporter

ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.[147]

S0063 SHOTPUT

SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[148][149]

S0623 Siloscape

Siloscape itself is obfuscated and uses obfuscated API calls.[150]

S1104 SLOWPULSE

SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure libdsplibs.so file.[151]

S1035 Small Sieve

Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[152]

S1086 Snip3

Snip3 has the ability to obfuscate strings using XOR encryption.[153]

S0627 SodaMaster

SodaMaster can use "stackstrings" for obfuscation.[69]

S0615 SombRAT

SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.[154][155][156]

S0516 SoreFang

SoreFang has the ability to encode and RC6 encrypt data sent to C2.[157]

S0142 StreamEx

StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.[158]

S0559 SUNBURST

SUNBURST strings were compressed and encoded in Base64.[159] SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.[160]

S0562 SUNSPOT

SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion <MsBuild.exe process.[161]

S1064 SVCReady

SVCReady can encrypt victim data with an RC4 cipher.[162]

S0242 SynAck

SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[163][164]

S0467 TajMahal

TajMahal has used an encrypted Virtual File System to store plugins.[165]

S0560 TEARDROP

TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[160][166][167]

S0266 TrickBot

TrickBot uses non-descriptive names to hide functionality.[168]

S0094 Trojan.Karagany

Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.[169]

S0647 Turian

Turian can use VMProtect for obfuscation.[25]

S0476 Valak

Valak has the ability to base64 encode and XOR encrypt strings.[170][171][172]

G0112 Windshift

Windshift has used string encoding with floating point calculations.[173]

S0117 XTunnel

A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.[174]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [175]

M1047 Audit

Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.

M1040 Behavior Prevention on Endpoint

On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. [176]

M1017 User Training

Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022 File File Creation

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[177][178][179]

DS0011 Module Module Load

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[178]

DS0009 Process OS API Execution

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[177]

Process Creation

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

DS0012 Script Script Execution

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

DS0024 Windows Registry Windows Registry Key Creation

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

DS0005 WMI WMI Creation

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.

References

  1. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  2. Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.
  3. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
  4. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  5. Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.
  6. White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.
  7. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  8. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  9. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  10. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  11. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  12. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  13. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  14. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  15. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  16. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  17. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  18. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  19. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  20. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  21. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  22. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  23. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  24. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  25. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  26. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  27. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  28. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  29. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  30. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  31. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  32. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  33. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  34. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  35. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  36. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  37. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  38. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  39. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  40. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  41. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  42. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  43. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  44. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  45. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  46. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  47. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  48. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  49. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  50. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  51. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  52. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  53. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  54. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  55. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  56. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  57. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  58. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  59. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  60. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  61. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  62. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  63. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  64. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  65. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  66. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  67. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  68. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  69. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  70. Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
  71. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  72. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  73. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  74. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  75. FinFisher. (n.d.). Retrieved December 20, 2017.
  76. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  77. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  78. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  79. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  80. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  81. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  82. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  83. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  84. Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  85. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  86. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  87. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  88. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  89. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  90. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  1. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  2. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  3. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  4. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  5. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  6. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  7. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  8. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  9. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  10. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  11. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  12. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  13. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  14. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  15. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  16. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  17. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  18. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  19. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  20. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  21. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  22. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  23. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
  24. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  25. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  26. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  27. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  28. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  29. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  30. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  31. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  32. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  33. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  34. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  35. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  36. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  37. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  38. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  39. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  40. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  41. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  42. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  43. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  44. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  45. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  46. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  47. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  48. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  49. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  50. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  51. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  52. Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  53. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  54. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  55. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  56. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  57. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  58. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  59. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  60. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  61. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  62. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  63. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  64. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  65. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  66. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  67. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  68. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  69. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  70. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  71. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  72. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  73. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  74. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  75. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  76. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  77. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  78. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  79. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  80. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  81. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  82. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  83. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  84. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  85. Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.
  86. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  87. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
  88. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
  89. Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022.