Indicator Removal on Host: File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. [1]

ID: T1070.004
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: Command: Command Execution, File: File Deletion
Defense Bypassed: Host forensic analysis
Contributors: Walker Johnson
Version: 1.0
Created: 31 January 2020
Last Modified: 29 March 2020

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL can delete files and directories.[2]

S0504 Anchor

Anchor can self delete its dropper after the malware is successfully deployed.[3]

S0584 AppleJeus

AppleJeus has deleted the MSI file after installation.[4]

G0026 APT18

APT18 actors deleted tools and batch files from victim systems.[5]

G0007 APT28

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[6]

G0016 APT29

APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. APT29 has also used SDelete to remove artifacts from victims.[7][8]

G0022 APT3

APT3 has a tool that can delete files.[9]

G0050 APT32

APT32's macOS backdoor can receive a "delete" command.[10]

G0082 APT38

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system.[11]

G0087 APT39

APT39 has used malware to delete files after they are deployed on a compromised host.[12]

G0096 APT41

APT41 deleted files from the system.[13]

S0456 Aria-body

Aria-body has the ability to delete files and directories on compromised hosts.[14]

S0438 Attor

Attor’s plugin deletes the collected files and log files after exfiltration.[15]

S0347 AuditCred

AuditCred can delete files from the system.[16]

S0344 Azorult

Azorult can delete files from victim machines.[17]

S0414 BabyShark

BabyShark has cleaned up all files associated with the secondary payload execution.[18]

S0475 BackConfig

BackConfig has the ability to remove files and folders related to previous infections.[19]

S0093 Backdoor.Oldrea

Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[20]

S0239 Bankshot

Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[21]

S0534 Bazar

Bazar can delete its loader using a batch file in the Windows temporary folder.[22]

S0127 BBSRAT

BBSRAT can delete files and directories.[23]

S0268 Bisonal

Bisonal deletes its dropper and VBS scripts from the victim’s machine.[24]

S0069 BLACKCOFFEE

BLACKCOFFEE has the capability to delete files.[25]

S0520 BLINDINGCAN

BLINDINGCAN has deleted itself and associated artifacts from victim machines.[26]

G0060 BRONZE BUTLER

The BRONZE BUTLER uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated.[27]

S0274 Calisto

Calisto has the capability to use rm -rf to remove folders and files from the victim's machine.[28]

S0030 Carbanak

Carbanak has a command to delete files.[29]

S0348 Cardinal RAT

Cardinal RAT can uninstall itself, including deleting its executable.[30]

S0462 CARROTBAT

CARROTBAT has the ability to delete downloaded files from a compromised host.[31]

S0107 Cherry Picker

Recent versions of Cherry Picker delete files and registry keys created by the malware.[32]

G0114 Chimera

Chimera has performed file deletion to evade detection.[33]

S0106 cmd

cmd can be used to delete files from the file system.[34]

G0080 Cobalt Group

Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.[35]

S0498 Cryptoistic

Cryptoistic has the ability delete files from a compromised host.[36]

S0527 CSPY Downloader

CSPY Downloader has the ability to self delete.[37]

S0354 Denis

Denis has a command to delete files from the victim’s machine.[38][39]

S0021 Derusbi

Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.[40][41]

G0074 Dragonfly 2.0

Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.[42][43]

S0502 Drovorub

Drovorub can delete specific files from a compromised host.[44]

S0567 Dtrack

Dtrack can remove its persistence and delete itself.[45]

S0062 DustySky

DustySky can delete files it creates from the infected system.[46]

S0593 ECCENTRICBANDWAGON

ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207.[47]

S0081 Elise

Elise is capable of launching a remote shell on the host to delete itself.[48]

S0091 Epic

Epic has a command to delete a file from the machine.[49]

S0396 EvilBunny

EvilBunny has deleted the initial dropper after running through the environment checks.[50]

G0120 Evilnum

Evilnum has deleted files used during infection.[51]

S0401 Exaramel for Linux

Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.[52]

S0181 FALLCHILL

FALLCHILL can delete malware and associated artifacts from the victim.[53]

S0512 FatDuke

FatDuke can secure delete its DLL.[54]

S0267 FELIXROOT

FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[55]

G0051 FIN10

FIN10 has used batch scripts and scheduled tasks to delete critical system files.[56]

G0053 FIN5

FIN5 uses SDelete to clean up the environment and attempt to prevent detection.[57]

G0037 FIN6

FIN6 has removed files from victim machines.[58]

G0061 FIN8

FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.[59]

S0277 FruitFly

FruitFly will delete files on the system.[60]

S0410 Fysbis

Fysbis has the ability to delete files.[61]

G0047 Gamaredon Group

Gamaredon Group tools can delete files used during an infection.[62]

S0168 Gazer

Gazer has commands to delete files and persistence mechanisms from the victim.[63][64]

S0032 gh0st RAT

gh0st RAT has the capability to to delete files.[65][66]

S0249 Gold Dragon

Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.[67]

S0493 GoldenSpy

GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.[68]

S0531 Grandoreiro

Grandoreiro can delete .LNK files created in the Startup folder.[69]

S0342 GreyEnergy

GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.[70]

G0043 Group5

Malware used by Group5 is capable of remotely deleting files from victims.[71]

S0561 GuLoader

GuLoader can delete its executable from the AppData\Local\Temp directory on the compromised host.[72]

S0151 HALFBAKED

HALFBAKED can delete a specified file.[73]

S0499 Hancitor

Hancitor has deleted files using the VBA kill function.[74]

S0391 HAWKBALL

HAWKBALL has the ability to delete files.[75]

S0087 Hi-Zor

Hi-Zor deletes its RAT installer file as it executes its DLL payload file.[76]

S0601 Hildegard

Hildegard has deleted scripts after execution.[77]

G0072 Honeybee

Honeybee removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection.[78]

S0431 HotCroissant

HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.[79]

S0070 HTTPBrowser

HTTPBrowser deletes its original installer file once installation is complete.[80]

S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can delete files.[81][82]

S0398 HyperBro

HyperBro has the ability to delete a specified file.[83]

S0434 Imminent Monitor

Imminent Monitor has deleted files related to its dynamic debugger feature.[84]

S0259 InnaputRAT

InnaputRAT has a command to delete files.[85]

S0260 InvisiMole

InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.[86][87]

S0015 Ixeshe

Ixeshe has a command to delete a file from the machine.[88]

S0044 JHUHUGIT

The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.[89][90]

S0201 JPIN

JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[91]

S0283 jRAT

jRAT has a function to delete files from the victim’s machine.[92]

S0265 Kazuar

Kazuar can delete files.[93]

S0271 KEYMARBLE

KEYMARBLE has the capability to delete files off the victim’s machine.[94]

G0094 Kimsuky

Kimsuky has deleted the exfiltrated data on disk after transmission.[95]

S0437 Kivars

Kivars has the ability to uninstall malware from the infected host.[96]

S0162 Komplex

The Komplex trojan supports file deletion.[97]

S0356 KONNI

KONNI can delete files.[98]

G0032 Lazarus Group

Lazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.[99][100][101]

S0395 LightNeuron

LightNeuron has a function to delete files.[102]

S0211 Linfo

Linfo creates a backdoor through which remote attackers can delete files.[103]

S0372 LockerGoga

LockerGoga has been observed deleting its original launcher after execution.[104]

S0582 LookBack

LookBack removes itself after execution and can delete files on the system.[105]

S0451 LoudMiner

LoudMiner deleted installation files after completion.[106]

S0409 Machete

Once a file is uploaded, Machete will delete it from the machine.[107]

S0282 MacSpy

MacSpy deletes any temporary files it creates[108]

G0059 Magic Hound

Magic Hound has deleted and overwrote files to cover tracks.[109][110]

G0045 menuPass

A menuPass macro deletes files after it has decoded and decompressed them.[111][112]

S0443 MESSAGETAP

Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk. [113]

S0455 Metamorfo

Metamorfo has deleted itself from the system after execution.[114][115]

S0083 Misdat

Misdat is capable of deleting the backdoor file.[116]

S0149 MoonWind

MoonWind can delete itself or specified files.[117]

S0284 More_eggs

More_eggs can remove itself from a system.[35][118]

S0256 Mosquito

Mosquito deletes files using DeleteFileW API call.[119]

S0233 MURKYTOP

MURKYTOP has the capability to delete local files.[41]

G0129 Mustang Panda

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[120]

S0228 NanHaiShu

NanHaiShu launches a script to delete their original decoy file to cover tracks.[121]

S0353 NOKKI

NOKKI can delete files to cover tracks.[122]

S0346 OceanSalt

OceanSalt can delete files from the system.[123]

G0049 OilRig

OilRig has deleted files associated with their payload after execution.[124][125]

S0439 Okrum

Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.[126]

S0264 OopsIE

OopsIE has the capability to delete files and scripts from the victim's machine.[127]

G0116 Operation Wocao

Operation Wocao has deleted logs and executable files used during an intrusion.[128]

S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has a command to delete a file from the system.[129][130]

S0598 P.A.S. Webshell

P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[52]

S0208 Pasam

Pasam creates a backdoor through which remote attackers can delete files.[131]

G0040 Patchwork

Patchwork removed certain files and replaced them so they could not be retrieved.[132]

S0556 Pay2Key

Pay2Key can remove its log file from disk.[133]

S0587 Penquin

Penquin can delete downloaded executables after running them.[134]

S0517 Pillowmint

Pillowmint has deleted the filepath %APPDATA%\Intel\devmonsrv.exe.[135]

S0435 PLEAD

PLEAD has the ability to delete files on the compromised host.[96]

S0067 pngdowner

pngdowner deletes content from C2 communications that was saved to the user's temporary directory.[136]

S0453 Pony

Pony has used scripts to delete itself after execution.[137]

S0139 PowerDuke

PowerDuke has a command to write random data across a file and delete it.[138]

S0441 PowerShower

PowerShower has the ability to remove all files created during the dropper process.[139]

S0223 POWERSTATS

POWERSTATS can delete all files on the C:\, D:\, E:\ and, F:\ drives using PowerShell Remove-Item commands.[140]

S0279 Proton

Proton removes all files in the /tmp directory.[60]

S0238 Proxysvc

Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file.[100]

S0147 Pteranodon

Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[141]

S0196 PUNCHBUGGY

PUNCHBUGGY can delete files written to disk.[59][142]

S0583 Pysa

Pysa has deleted batch files after execution. [143]

S0269 QUADAGENT

QUADAGENT has a command to delete its Registry key and scheduled task.[144]

S0495 RDAT

RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.[145]

S0416 RDFSNIFFER

RDFSNIFFER has the capability of deleting local files.[146]

S0172 Reaver

Reaver deletes the original dropped file from the victim.[147]

S0153 RedLeaves

RedLeaves can delete specified files.[148]

S0125 Remsec

Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.[149][150][151]

S0496 REvil

REvil can mark its binary code for deletion after reboot.[152]

S0448 Rising Sun

Rising Sun can delete files specified by the C2.[153]

G0106 Rocke

Rocke has deleted files on infected machines.[154]

S0240 ROKRAT

ROKRAT can request to delete files.[155]

S0148 RTM

RTM can delete all files created during its execution.[156][157]

S0253 RunningRAT

RunningRAT contains code to delete files from the victim’s machine.[67]

S0074 Sakula

Some Sakula samples use cmd.exe to delete temporary files.[158]

S0370 SamSam

SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.[159]

G0034 Sandworm Team

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[160][161]

S0461 SDBbot

SDBbot has the ability to delete files from a compromised host.[162]

S0195 SDelete

SDelete deletes data in a way that makes it unrecoverable.[163]

S0053 SeaDuke

SeaDuke can securely delete files, including deleting itself from the victim.[164]

S0345 Seasalt

Seasalt has a command to delete a specified file.[165]

S0382 ServHelper

ServHelper has a module to delete itself from the infected machine.[166][167]

S0444 ShimRat

ShimRat can uninstall itself from compromised hosts, as well create and modify directories, delete, move, copy, and rename files.[168]

S0589 Sibot

Sibot will delete itself if a certain server response is received.[169]

G0091 Silence

Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.[170][171]

S0533 SLOTHFULMEDIA

SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.[172]

S0374 SpeakUp

SpeakUp deletes files to remove evidence on the machine. [173]

S0390 SQLRat

SQLRat has used been observed deleting scripts once used.[174]

S0380 StoneDrill

StoneDrill has been observed deleting the temporary files once they fulfill their task.[175]

S0491 StrongPity

StrongPity can delete previously exfiltrated files from the compromised host.[176][177]

S0559 SUNBURST

SUNBURST had a command to delete files.[7][178]

S0562 SUNSPOT

Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.[179]

S0586 TAINTEDSCRIBE

TAINTEDSCRIBE can delete files from a compromised host.[180]

S0164 TDTESS

TDTESS creates then deletes log files during installation of itself as a service.[181]

G0088 TEMP.Veles

TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[182]

G0089 The White Company

The White Company has the ability to delete its malware entirely from the target system.[183]

G0027 Threat Group-3390

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[184]

S0094 Trojan.Karagany

Trojan.Karagany has used plugins with a self-delete capability.[185]

G0081 Tropic Trooper

Tropic Trooper has deleted dropper files on an infected system using command scripts.[186]

S0263 TYPEFRAME

TYPEFRAME can delete files off the system.[187]

S0386 Ursnif

Ursnif has deleted data staged in tmp files after exfiltration.[188]

S0136 USBStealer

USBStealer has several commands to delete files associated with the malware from the victim.[189]

S0442 VBShower

VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%..\Local\Temporary Internet Files\Content.Word and %APPDATA%..\Local Settings\Temporary Internet Files\Content.Word\.[190]

S0257 VERMIN

VERMIN can delete files on the victim’s machine.[191]

S0180 Volgmer

Volgmer can delete files and itself after infection to avoid analysis.[192]

S0155 WINDSHIELD

WINDSHIELD is capable of file deletion along with other file system interaction.[193]

S0466 WindTail

WindTail has the ability to receive and execute a self-delete command.[194]

S0176 Wingbird

Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[195]

G0102 Wizard Spider

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[196]

S0161 XAgentOSX

XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.[197]

S0251 Zebrocy

Zebrocy has a command to delete files and directories.[198][199][200]

S0330 Zeus Panda

Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its track.[201]

S0350 zwShell

zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[202]

S0412 ZxShell

ZxShell can delete files from the system.[13][203]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.

References

  1. Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.
  2. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  3. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  4. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  5. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  6. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  7. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  8. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  9. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  10. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  11. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  12. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  13. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  14. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  15. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  16. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  17. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  18. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
  19. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  20. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  21. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  22. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  23. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  24. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  25. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  26. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  27. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  28. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  29. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  30. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  31. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  32. Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
  33. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  34. Microsoft. (n.d.). Del. Retrieved April 22, 2016.
  35. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  36. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  37. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  38. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  39. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  40. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  41. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  42. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  43. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  44. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  45. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  46. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  47. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  48. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  49. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  50. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  51. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  52. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  53. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  54. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  55. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  56. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  57. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  58. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  59. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  60. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  61. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  62. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  63. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  64. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  65. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  66. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  67. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  68. Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020.
  69. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  70. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  71. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  72. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
  73. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  74. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  75. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  76. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  77. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  78. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  79. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  80. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  81. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  82. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  83. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  84. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  85. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  86. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  87. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  88. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  89. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  90. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  91. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  92. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  93. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  94. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  95. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  96. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  97. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  98. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  99. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  100. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  101. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  102. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  1. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  2. CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
  3. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  4. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  5. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  6. PETER EWANE. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018.
  7. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  8. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  9. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  10. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  11. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  12. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  13. Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  14. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  15. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  16. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  17. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  18. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  19. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  20. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  21. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  22. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  23. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  24. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  25. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  26. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  27. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  28. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  29. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  30. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  31. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
  32. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  33. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  34. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  35. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  36. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  37. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  38. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  39. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  40. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  41. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  42. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  43. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  44. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  45. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  46. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  47. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  48. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  49. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  50. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  51. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  52. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  53. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  54. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  55. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  56. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  57. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  58. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  59. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
  60. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  61. Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.
  62. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  63. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  64. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  65. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  66. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  67. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  68. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  69. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  70. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  71. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  72. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  73. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  74. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  75. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  76. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  77. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  78. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  79. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  80. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  81. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  82. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  83. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  84. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  85. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  86. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  87. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  88. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  89. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  90. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  91. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  92. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  93. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  94. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  95. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  96. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  97. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  98. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  99. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  100. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  101. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.