Register to stream ATT&CKcon 2.0 October 29-30

Command-Line Interface

Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. [1] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.

ID: T1059
Tactic: Execution
Platform: Linux, macOS, Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: Process monitoring, Process command-line parameters
Version: 1.0


Mitigation Description
Execution Prevention Audit and/or block unnecessary command-line interpreters by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. [2] [3] [4] [5] [6] [7]


Name Description
4H RAT 4H RAT has the capability to create a remote shell. [33]
adbupd adbupd can run a copy of cmd.exe. [36]
admin@338 Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. [143]
ADVSTORESHELL ADVSTORESHELL can create a remote shell and run a given command. [29] [30]
APT1 APT1 has used the Windows command shell to execute commands. [68]
APT18 APT18 uses cmd.exe to execute commands on the victim’s machine. [157] [158]
APT28 APT28 uses cmd.exe to execute commands and custom backdoors. [142] [134]
APT3 An APT3 downloader uses the Windows command "cmd.exe" /C whoami. The group also uses a tool to execute commands on remote computers. [144] [145]
APT32 APT32 has used cmd.exe for execution. [117]
APT37 APT37 has used the command-line interface. [41] [137]
APT38 APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine. [156]
Astaroth Astaroth spawns a CMD process to execute commands. [120]
AuditCred AuditCred can open a reverse shell on the system to execute commands. [64]
BACKSPACE Adversaries can direct BACKSPACE to execute from the command-line on infected hosts, or have BACKSPACE create a reverse shell. [34]
BADNEWS BADNEWS is capable of executing commands via cmd.exe. [83] [84]
Bandook Bandook is capable of spawning a Windows command shell. [110]
Bankshot Bankshot uses the command-line interface to execute arbitrary commands. [66] [67]
BISCUIT BISCUIT has a command to launch a command shell on the system. [86]
Bisonal Bisonal can launch cmd.exe to execute commands on the system. [79]
BLACKCOFFEE BLACKCOFFEE has the capability to create a reverse shell. [43]
BONDUPDATER BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe. [118]
BRONZE BUTLER BRONZE BUTLER uses the command-line interface. [94]
CALENDAR CALENDAR has a command to run cmd.exe to execute commands. [86]
CallMe CallMe has the capability to create a reverse shell on victims. [54]
Carbanak Carbanak has a command to create a reverse shell. [106]
Cardinal RAT Cardinal RAT can execute commands. [32]
Chaos Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES. [56]
China Chopper China Chopper's server component is capable of opening a command terminal. [23] [24] [25]
CHOPSTICK CHOPSTICK is capable of performing remote command execution. [52] [29]
cmd cmd is used to execute programs and other actions at the command-line interface. [9]
Cobalt Group Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. [159]
Cobalt Strike Cobalt Strike uses a command-line interface to interact with systems. [8]
Cobian RAT Cobian RAT can launch a remote command shell interface for executing commands. [95]
CoinTicker CoinTicker executes a bash script to establish a reverse shell. [123]
CozyCar A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe. [14]
DarkComet DarkComet can launch a remote shell to execute commands on the victim’s machine. [90]
Daserf Daserf can execute shell commands. [93] [94]
Denis Denis can launch a remote shell to execute arbitrary commands on the victim’s machine. [116] [117]
Derusbi Derusbi is capable of creating a remote Bash shell and executing commands. [99] [100]
Dipsind Dipsind can spawn remote shells. [36]
DownPaper DownPaper uses the command line. [92]
Dragonfly 2.0 Dragonfly 2.0 used command line for execution. [136]
Emissary Emissary has the capability to create a remote shell and execute specified commands. [47]
Emotet Emotet has used cmd.exe to run a PowerShell script. [119]
Empire Empire uses a command-line interface to interact with systems. [13]
Exaramel Exaramel has a command to launch a remote shell and executes commands on the victim’s machine. [37]
Felismus Felismus uses command line for execution. [76]
FELIXROOT FELIXROOT opens a remote shell to execute commands on the infected system. [61] [62]
FIN7 FIN7 used cmd.exe to launch commands on the victim’s machine. [150]
FIN8 FIN8 executes commands remotely via cmd.exe. [148]
gh0st RAT gh0st RAT is able to open a remote shell to execute commands. [59] [60]
Gold Dragon Gold Dragon uses cmd.exe to execute commands for discovery. [48]
Gorgon Group Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. [139]
GravityRAT GravityRAT executes commands remotely on the infected host. [19]
GreyEnergy GreyEnergy uses cmd.exe to execute itself in-memory. [62]
H1N1 H1N1 kills and disables services by using cmd.exe. [27]
HARDRAIN HARDRAIN uses cmd.exe to execute netshcommands. [22]
HAWKBALL HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line. [133]
hcdLoader hcdLoader provides command-line access to the compromised system. [75]
Helminth Helminth can provide a remote shell. [82]
Hi-Zor Hi-Zor has the ability to create a reverse shell. [85]
HOMEFRY HOMEFRY uses a command-line interface. [100]
Honeybee Several commands are supported by the Honeybee's implant via the command-line interface and there’s also a utility to execute any custom command on an infected endpoint. [164]
HOPLIGHT HOPLIGHT can launch cmd.exe to execute commands on the system. [122]
HTTPBrowser HTTPBrowser is capable of spawning a reverse shell on a victim. [80]
httpclient httpclient opens cmd.exe on the victim. [33]
InnaputRAT InnaputRAT launches a shell to execute commands on the victim’s machine. [55]
InvisiMole InvisiMole can launch a remote shell to execute commands. [107]
Ixeshe Ixeshe is capable of executing commands via cmd. [129]
JCry JCry has used cmd.exe to launch PowerShell. [132]
JPIN JPIN can use the command-line utility cacls.exe to change file permissions. [36]
jRAT jRAT has command line access. [124]
Kasidet Kasidet can execute commands using cmd.exe. [46]
Kazuar Kazuar uses cmd.exe and /bin/bash to execute commands on the victim’s machine. [104]
Ke3chang Malware used by Ke3chang can run commands on the command-line interface. [140] [141]
KeyBoy KeyBoy can launch interactive shells for communicating with the victim machine. [130] [131]
KEYMARBLE KEYMARBLE can execute shell commands using cmd.exe. [78]
Koadic Koadic can open an interactive command-shell to perform command line functions on victim machines. [11]
KOMPROGO KOMPROGO is capable of creating a reverse shell. [26]
KONNI KONNI can execute arbitrary commands on the infected host using cmd.exe. [69]
Lazarus Group Lazarus Group malware uses cmd.exe to execute commands on victims. [160] [161] [162] [163]
Leviathan Leviathan uses a backdoor known as BADFLICK that is is capable of generating a reverse shell. [100]
LightNeuron LightNeuron is capable of executing commands via cmd.exe. [135]
Linfo Linfo creates a backdoor through which remote attackers can start a remote shell. [15]
Magic Hound Magic Hound has used the command-line interface. [138]
Matroyshka Matroyshka is capable of providing Meterpreter shell access. [35]
menuPass menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands. [146] [77] [147] [70]
Micropsia Micropsia creates a command-line shell using cmd.exe. [115]
MirageFox MirageFox has the capability to execute commands using cmd.exe. [113]
Mis-Type Mis-Type uses cmd.exe to run commands for enumerating the host. [21]
Misdat Misdat is capable of providing shell functionality to the attacker to execute commands. [21]
Mivast Mivast has the capability to open a remote shell and run basic commands. [16]
MoonWind MoonWind can execute commands via an interactive command shell. [91]
Mosquito Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server. [18]
MuddyWater MuddyWater has used a custom tool for creating reverse shells. [155]
MURKYTOP MURKYTOP uses the command-line interface. [100]
NanoCore NanoCore can open a remote command-line interface and execute commands. [111]
NavRAT NavRAT leverages cmd.exe to perform discovery techniques. [72]
NETEAGLE NETEAGLE allows adversaries to execute shell commands on the infected host. [34]
njRAT njRAT can launch a command shell interface for executing commands. [128]
OceanSalt OceanSalt can create a reverse shell on the infected endpoint using cmd.exe. [38]
OilRig OilRig has used the command-line interface for execution. [98] [73] [152] [28]
OopsIE OopsIE uses the command prompt to execute commands on the victim's machine. [73] [74]
Orz Orz can execute shell commands. [53]
OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D can run commands through a terminal on the victim’s machine. [65]
Patchwork Patchwork ran a reverse shell with Meterpreter. [165]
PHOREAL PHOREAL is capable of creating reverse shell. [26]
Pisloader Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell. [63]
PLAINTEE PLAINTEE uses cmd.exe to execute commands on the victim’s machine. [109]
PlugX PlugX allows actors to spawn a reverse shell on a victim. [80] [81]
PoisonIvy PoisonIvy creates a backdoor through which remote attackers can open a command-line interface. [103]
PowerDuke PowerDuke runs cmd.exe /c and sends the output to its C2. [102]
POWRUNER POWRUNER can execute commands from its C2 server. [98]
Proxysvc Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c " > %temp%\PM* .tmp 2>&1". [57]
Pteranodon Pteranodon can execute commands on the victim. [20]
QUADAGENT QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine. [42]
QuasarRAT QuasarRAT can launch a remote shell to execute commands on the victim’s machine. [10]
Rancor Rancor has used cmd.exe to execute commmands. [109]
RATANKBA RATANKBA uses cmd.exe to execute commands. [88] [89]
RedLeaves RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell. [77] [45]
Remcos Remcos can launch a remote command line to execute commands on the victim’s machine. [12]
Remexi Remexi silently executes received commands with cmd.exe. [121]
Revenge RAT Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine. [125]
RGDoor RGDoor uses cmd.exe to execute commands on the victim’s machine. [87]
RogueRobin RogueRobin uses a command prompt to run a PowerShell script from Excel. [51]
RTM RTM uses the command line and rundll32.exe to execute. [17]
Sakula Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell. [31]
SeaDuke SeaDuke is capable of executing commands. [114]
Seasalt Seasalt uses cmd.exe to create a reverse shell on the infected endpoint. [86]
SEASHARPEE SEASHARPEE can execute commands on victims. [28]
ServHelper ServHelper can execute shell commands against cmd. [126] [127]
Silence Silence has used Windows command-line to run commands. [166] [167]
SNUGRIDE SNUGRIDE is capable of executing commands and spawning a reverse shell. [45]
Soft Cell Soft Cell used the Windows command shell to execute commands. [170]
Sowbug Sowbug has used command line during its intrusions. [151]
StreamEx StreamEx has the ability to remotely execute commands. [71]
Suckfly Several tools used by Suckfly have been command-line driven. [154]
TDTESS TDTESS provides a reverse shell on the victim. [35]
TEXTMATE TEXTMATE executes cmd.exe to provide a reverse shell to adversaries. [39] [40]
Threat Group-1314 Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands. [149]
Threat Group-3390 Threat Group-3390 has used command-line interfaces for execution. [23] [153]
TinyZBot TinyZBot supports execution from the command-line. [44]
Turla Turla RPC backdoors have used cmd.exe to execute commands. [168] [169]
TURNEDUP TURNEDUP is capable of creating a reverse shell. [112]
TYPEFRAME TYPEFRAME can execute commands using a shell. [58]
UBoatRAT UBoatRAT can start a command shell. [96]
Umbreon Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet [101]
UPPERCUT UPPERCUT uses cmd.exe to execute commands on the victim’s machine. [70]
Volgmer Volgmer can execute commands on the victim's machine. [49] [50]
WEBC2 WEBC2 can open an interactive command shell. [68]
Wiarp Wiarp creates a backdoor through which remote attackers can open a command line interface. [108]
WINERACK WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands. [41]
XTunnel XTunnel has been used to execute remote commands. [52]
Zebrocy Zebrocy uses cmd.exe to execute commands on the system. [134]
Zeus Panda Zeus Panda can launch an interface where it can execute several commands on the victim’s PC. [105]
ZLib ZLib has the ability to execute shell commands. [21]
zwShell zwShell can launch command-line shells. [97]


Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.


  1. Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
  2. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  3. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  4. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  5. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  6. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  7. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  8. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  9. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  10. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  11. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  12. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  13. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  14. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  15. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  16. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  17. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  18. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  19. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  20. Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  21. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  22. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  23. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  24. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  25. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  26. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  27. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  28. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  29. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  30. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  31. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  32. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  33. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  34. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  35. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  36. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  37. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  38. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  39. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  40. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  41. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  42. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  43. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  44. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  45. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  46. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  47. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  48. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  49. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  50. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  51. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  52. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  53. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  54. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  55. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  56. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  57. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  58. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  59. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  60. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  61. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  62. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  63. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  64. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  65. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  66. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  67. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  68. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  69. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  70. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  71. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  72. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  73. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  74. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  75. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  76. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  77. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  78. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  79. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  80. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  81. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  82. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  83. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  84. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  85. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  1. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  2. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  3. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  4. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  5. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  6. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  7. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  8. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  9. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  10. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  11. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  12. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  13. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  14. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  15. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  16. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  17. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  18. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  19. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  20. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  21. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  22. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  23. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  24. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  25. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  26. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  27. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  28. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  29. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  30. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  32. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  33. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  34. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  36. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  37. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  38. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  39. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  40. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  41. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  42. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  43. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  44. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  45. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  46. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  47. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  48. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  49. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  50. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  51. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  52. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  53. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  54. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  55. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  56. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  57. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  58. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  59. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  60. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  61. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  62. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  63. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  64. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  65. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  66. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  67. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  68. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  69. DiMaggio, J.. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  70. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  71. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  72. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  73. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
  74. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  75. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  76. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  77. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  78. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  79. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  80. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  81. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  82. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  83. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  84. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  85. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.