Standard Application Layer Protocol

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.

ID: T1071
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Requires Network:  Yes
Version: 1.0

Procedure Examples

Name Description
3PARA RAT

3PARA RAT uses HTTP for command and control.[20]

4H RAT

4H RAT uses HTTP for command and control.[20]

ADVSTORESHELL

ADVSTORESHELL connects to port 80 of a C2 server using Wininet API.[64]

Agent Tesla

Agent Tesla has used HTTP and SMTP for C2 communications.[37][38]

APT18

APT18 uses HTTP and DNS for C2 communications.[160]

APT19

APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.[152][153]

APT28

APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.[42]

APT32

APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used email for C2 via an Office macro. The group's backdoor can also exfiltrate data by encoding it in the subdomain field of DNS packets.[165][98][166][167]

APT33

APT33 has used HTTP for command and control.[180]

APT37

APT37 uses HTTPS to conceal C2 communications.[164]

APT38

APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[158]

APT41

APT41 used DNS for C2 communications. [183]

BACKSPACE

BACKSPACE uses HTTP as a transport to communicate with its command server.[17]

BADNEWS

BADNEWS establishes a backdoor over HTTP.[5]

BadPatch

BadPatch uses HTTP and SMTP for C2.[94]

Bankshot

Bankshot uses HTTP for command and control communication.[65]

BBSRAT

BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.[9]

Bisonal

Bisonal uses HTTP for C2 communications.[96]

BlackEnergy

BlackEnergy communicates with its C2 server over HTTP.[86]

BONDUPDATER

BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[130]

Brave Prince

Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.[113]

BRONZE BUTLER

BRONZE BUTLER malware has used HTTP for C2.[29]

BUBBLEWRAP

BUBBLEWRAP can communicate using HTTP or HTTPS.[59]

Cannon

Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[25]

Carbanak

The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[21]

Cardinal RAT

Cardinal RAT is downloaded using HTTP over port 443.[105]

ChChes

ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[46][47]

China Chopper

China Chopper's server component executes code sent via HTTP POST commands.[73]

CHOPSTICK

Various implementations of CHOPSTICK communicate with C2 over HTTP, SMTP, and POP3.[110]

CloudDuke

One variant of CloudDuke uses HTTP and HTTPS for C2.[12]

Cobalt Group

Cobalt Group has used HTTPS and DNS tunneling for C2. The group has also used the Plink utility to create SSH tunnels.[106][154][155]

Cobalt Strike

Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[2]

Cobian RAT

Cobian RAT uses DNS for C2.[60]

Comnie

Comnie uses HTTP for C2 communication.[36]

ComRAT

ComRAT has used HTTP requests for command and control.[119]

CORALDECK

CORALDECK has exfiltrated data in HTTP POST headers.[58]

CORESHELL

CORESHELL can communicate over HTTP, SMTP, and POP3 for C2.[42][43]

CosmicDuke

CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[12][103]

CozyCar

CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.[8]

Dark Caracal

Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string "&&&".[177]

DarkComet

DarkComet can use HTTP for C2 communications.[53]

Daserf

Daserf uses HTTP for C2.[29]

DealersChoice

DealersChoice uses HTTP for communication with the C2 server.[118]

Denis

Denis has used DNS tunneling for C2 communications.[98][99]

Dipsind

Dipsind uses HTTP for C2.[16]

DownPaper

DownPaper communicates to its C2 server over HTTP.[40]

Dragonfly 2.0

Dragonfly 2.0 used SMB for C2.[151]

Dridex

Dridex has used HTTPS for C2 communications.[137]

Duqu

Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.[67]

DustySky

DustySky has used both HTTP and HTTPS for C2.[120]

Dyre

Dyre uses HTTPS for C2 communications.[74]

Ebury

Ebury has used DNS requests over UDP port 53. [134]

Elise

Elise communicates over HTTP or HTTPS for C2.[104]

ELMER

ELMER uses HTTP for command and control.[50]

Emissary

Emissary uses HTTP or HTTPS for C2.[121]

Empire

Empire can conduct command and control over protocols like HTTP and HTTPS.[3]

Epic

Epic uses HTTP and HTTPS for C2 communications.[61][62]

EvilBunny

EvilBunny has executed C2 commands directly via HTTP.[145]

Exaramel for Linux

Exaramel for Linux uses HTTPS for C2 communications.[148]

FakeM

Some variants of FakeM use SSL to communicate with C2 servers.[13]

Felismus

Felismus uses HTTP for C2.[114]

FELIXROOT

FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[14][15]

FIN4

FIN4 has used HTTP POST requests to transmit data.[174][175]

FIN6

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[172]

FIN7

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[156]

Final1stspy

Final1stspy uses HTTP for C2.[115]

FlawedAmmyy

FlawedAmmyy has used HTTP for C2.[135]

FLIPSIDE

FLIPSIDE uses RDP to tunnel traffic from a victim environment.[39]

Gamaredon Group

A Gamaredon Group file stealer can communicate over HTTP for C2.[10]

Gazer

Gazer communicates with its C2 servers over HTTP.[54]

GeminiDuke

GeminiDuke uses HTTP and HTTPS for command and control.[12]

Gold Dragon

Gold Dragon uses HTTP for communication to the control servers.[113]

GravityRAT

GravityRAT uses HTTP for C2.[18]

GreyEnergy

GreyEnergy uses HTTP and HTTPS for C2 communications.[15]

HAMMERTOSS

The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.[95]

HAWKBALL

HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.[143]

Helminth

Helminth can use HTTP or DNS for C2.[66]

Hi-Zor

Hi-Zor communicates with its C2 server over HTTPS.[116]

Honeybee

Honeybee uses FTP for command and control.[179]

HTTPBrowser

HTTPBrowser has used HTTP, HTTPS, and DNS for command and control.[6][7]

httpclient

httpclient uses HTTP for command and control.[20]

HyperBro

HyperBro has used HTTPS for C2 communications.[147]

InvisiMole

InvisiMole uses HTTP for C2 communications.[55]

Ixeshe

Ixeshe uses HTTP for command and control.[141][142]

JHUHUGIT

JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.[79][80][81]

JPIN

JPIN can communicate over FTP and send email over SMTP.[16]

Kazuar

Kazuar uses HTTP, HTTPS, FTP, and FTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.[11]

Ke3chang

Ke3chang malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, Ke3chang malware RoyalDNS has used DNS for C2.[176]

Keydnap

Keydnap uses HTTPS for command and control.[56]

Komplex

The Komplex C2 channel uses HTTP POST requests.[52]

KONNI

KONNI has used HTTP for C2.[93]

Lazarus Group

A Lazarus Group malware sample conducts C2 over HTTP.[162]

LightNeuron

LightNeuron uses SMTP for C2.[144]

LOWBALL

LOWBALL command and control occurs via HTTPS over port 443.[59]

Machete

Machete uses FTP and HTTP for Command & Control.[149]

Machete

Machete malware used FTP and Python’s urllib library to make HTTP requests to the C2 server.[182]

MacSpy

MacSpy uses HTTP for command and control.[51]

Magic Hound

Magic Hound malware has used HTTP and IRC for C2.[178]

Matroyshka

Matroyshka uses DNS for C2.[126][127]

Micropsia

Micropsia uses HTTP and HTTPS for C2 network communications.[124][125]

MiniDuke

MiniDuke uses HTTP and HTTPS for command and control.[12]

Mis-Type

Mis-Type network traffic can communicate over HTTP.[57]

More_eggs

More_eggs uses HTTPS for C2.[106][107]

NanHaiShu

NanHaiShu uses DNS for the C2 communications.[123]

NavRAT

NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.[128]

NETEAGLE

NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2. Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.[17]

Night Dragon

Night Dragon has used HTTP for C2.[173]

NOKKI

NOKKI has used FTP and HTTP for C2 communications.[101]

Octopus

Octopus uses HTTP for C2 communications.[19]

OilRig

OilRig has used HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers.[81][31][168]

OLDBAIT

OLDBAIT can use HTTP or SMTP for C2.[42]

OnionDuke

OnionDuke uses HTTP and HTTPS for C2.[12]

OopsIE

OopsIE uses HTTP for C2 communications.[48][49]

Orangeworm

Orangeworm has used HTTP for C2.[169]

OwaAuth

OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.[6]

PinchDuke

PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.[12]

Pisloader

Pisloader uses DNS as its C2 protocol.[44]

PlugX

PlugX can be configured to use HTTP or DNS for command and control.[6]

pngdowner

pngdowner uses HTTP for command and control.[20]

PoshC2

PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[4]

POWERSOURCE

POWERSOURCE uses DNS TXT records for C2.[45][71]

POWERTON

POWERTON has used HTTP/HTTPS for C2 traffic.[131]

POWRUNER

POWRUNER can use HTTP and DNS for C2 communications.[30][31]

Proxysvc

Proxysvc uses HTTP over SSL to communicate commands with the control server.[23]

Psylo

Psylo uses HTTPS for C2.[13]

Pteranodon

Pteranodon can use HTTP for C2.[10]

PUNCHBUGGY

PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.[75][76][77]

Pupy

Pupy can communicate over HTTP for C2.[1]

QUADAGENT

QUADAGENT uses HTTPS, HTTP, and DNS for C2 communications.[63]

Rancor

Rancor has used HTTP for C2.[163]

RARSTONE

RARSTONE uses SSL to encrypt its communication with its C2 server.[72]

RATANKBA

RATANKBA uses HTTP/HTTPS for command and control communication.[108][109]

Reaver

Some Reaver variants use HTTP for C2.[129]

RedLeaves

RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.[41][100]

Regin

The Regin malware platform supports many standard protocols, including HTTP, HTTPS, and SMB.[102]

Remexi

Remexi uses BITSAdmin to communicate with the C2 server over HTTP.[133]

Remsec

Remsec is capable of using HTTP, HTTPS, SMTP, and DNS for C2.[33][34][35]

RGDoor

RGDoor uses HTTP for C2 communications.[32]

RIPTIDE

APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.[24]

ROKRAT

ROKRAT use HTTPS for all command and control communication methods.[68]

S-Type

S-Type uses HTTP for C2.[57]

Sakula

Sakula uses HTTP for C2.[122]

SeaDuke

SeaDuke uses HTTP and HTTPS for C2.[12]

Seasalt

Seasalt uses HTTP for C2 communications.[28]

ServHelper

ServHelper uses HTTP for C2.[136]

Shamoon

Shamoon uses HTTP for C2.[78]

SilverTerrier

SilverTerrier uses SMTP, FTP, and HTTP for C2 communications.[159]

Smoke Loader

Smoke Loader uses HTTP for C2.[117]

SNUGRIDE

SNUGRIDE communicates with its C2 server over HTTP.[41]

SOUNDBITE

SOUNDBITE communicates via DNS for C2.[22]

SpeakUp

SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server.[132]

Stealth Falcon

Stealth Falcon malware communicates with its C2 server via HTTPS.[161]

Sys10

Sys10 uses HTTP for C2.[112]

TEXTMATE

TEXTMATE uses DNS TXT records for C2.[45]

Threat Group-3390

Threat Group-3390 malware has used HTTP for C2.[157]

TrickBot

TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[27]

Turla

Turla has used HTTP and HTTPS for C2 communications.[170][171]

UBoatRAT

UBoatRAT has used HTTP for C2 communications.[97]

Umbreon

Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.[70]

UPPERCUT

UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.[82]

Ursnif

Ursnif has used HTTPS for C2 as well as HTTP POSTs to exfil gathered information.[138][139][140]

Vasport

Vasport creates a backdoor by making a connection using a HTTP POST.[111]

VERMIN

VERMIN uses HTTP for C2 communications.[85]

WinMM

WinMM uses HTTP for C2.[112]

WIRTE

WIRTE has used HTTP for network communication. [181]

XAgentOSX

XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.[69]

Xbash

Xbash uses HTTP for C2 communications.[26]

Yahoyah

Yahoyah uses HTTP for C2.[146]

Zebrocy

Zebrocy uses HTTP, SMTP, and POP3 for C2.[88][25][89][90][91][92]

ZeroT

ZeroT has used HTTP for C2.[83][84]

Zeus Panda

Zeus Panda uses HTTP for C2 communications.[87]

ZLib

ZLib communicates over HTTP for C2.[57]

ZxShell

ZxShell has used HTTP and FTP for connections. [150]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. [184]

References

  1. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  2. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  3. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  4. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  5. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  6. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  7. Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  8. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  9. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  10. Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  11. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  12. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  13. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  14. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  15. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  16. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  17. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  18. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  19. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  20. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  21. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  22. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  23. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  24. Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  25. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  26. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  27. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  28. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  29. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  30. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  31. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  32. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  33. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  34. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  35. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  36. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  37. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  38. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  39. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  40. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  41. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  42. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  43. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  44. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  45. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  46. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  47. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  48. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  49. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  50. Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  51. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  52. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  53. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  54. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  55. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  56. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  57. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  58. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  59. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  60. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  61. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  62. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  63. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  64. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  65. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  66. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  67. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  68. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  69. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  70. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  71. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  72. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  73. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  74. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  75. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  76. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  77. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  78. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  79. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  80. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  81. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  82. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  83. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  84. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  85. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  86. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  87. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  88. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  89. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  90. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  91. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  92. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  1. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  2. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  3. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  4. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  5. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  6. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  7. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  8. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  9. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  10. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  11. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  12. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  13. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  14. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  15. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  16. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  17. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  18. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  19. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
  20. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  21. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  22. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  23. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  24. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  25. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  26. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  27. Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
  28. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  29. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  30. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  31. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  32. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  33. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  34. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  35. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  36. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  37. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  38. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  39. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  40. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  41. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  42. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  43. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  44. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  45. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
  46. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  47. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
  48. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  49. Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
  50. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  51. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  52. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  53. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  54. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  55. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  56. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  57. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  58. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  59. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  60. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  61. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  62. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  63. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  64. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  65. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  66. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  67. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
  68. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  69. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  70. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  71. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  72. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  73. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  74. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  75. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  76. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  77. Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018.
  78. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  79. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  80. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  81. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  82. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  83. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  84. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  85. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  86. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  87. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  88. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  89. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  90. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  91. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  92. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.