Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

ID: T1105
Sub-techniques:  No sub-techniques
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Version: 2.0
Created: 31 May 2017
Last Modified: 20 March 2020

Procedure Examples

Name Description
ABK

ABK has the ability to download files from C2.[196]

Agent Tesla

Agent Tesla can download additional files for execution on the victim’s machine.[35][36]

Agent.btz

Agent.btz attempts to download an encrypted binary from a specified domain.[31]

APT-C-36

APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[240]

APT18

APT18 can upload a file to the victim’s machine.[229]

APT28

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[202][203][90]

APT3

APT3 has a tool that can copy files to remote machines.[207]

APT32

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[216]

APT33

APT33 has downloaded additional files and programs from its C2 server.[233][234]

APT37

APT37 has downloaded second stage malware from compromised websites.[49][208]

APT38

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[232]

APT39

APT39 has downloaded tools to compromised hosts.[246]

APT41

APT41 used certutil to download additional files.[239]

Aria-body

Aria-body has the ability to download additional payloads from C2.[191]

Astaroth

Astaroth uses certutil and BITSAdmin to download additional malware. [154][155]

Attor

Attor can download additional plugins, updates and other files. [185]

AuditCred

AuditCred can download files and additional malware.[119]

Avenger

Avenger has the ability to download files from C2 to a compromised host.[196]

Azorult

Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[135][136]

BabyShark

BabyShark has downloaded additional files from the C2.[178]

BackConfig

BackConfig can download and execute additional payloads on a compromised host.[200]

BADNEWS

BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[44][45][46]

BadPatch

BadPatch can download and execute or update malware.[150]

Bankshot

Bankshot uploads files and secondary payloads to the victim's machine.[57]

BBK

BBK has the ability to download files from C2 to the infected host.[196]

BISCUIT

BISCUIT has a command to download a file from the C2 server.[37]

Bisonal

Bisonal has the capability to download files to execute on the victim’s machine.[139]

BITSAdmin

BITSAdmin can be used to create BITS Jobs to upload and/or download files.[8]

BONDUPDATER

BONDUPDATER can download or upload files from its C2 server.[153]

Briba

Briba downloads files onto infected hosts.[77]

BRONZE BUTLER

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[20]

build_downer

build_downer has the ability to download files from C2 to the infected host.[196]

Bundlore

Bundlore can download and execute new versions of itself.[201]

Calisto

Calisto has the capability to upload and download files to the victim's machine.[84]

CallMe

CallMe has the capability to download a file to the victim from the C2 server.[32]

Cannon

Cannon can download a payload for execution.[88]

Cardinal RAT

Cardinal RAT can download and execute additional payloads.[92]

CARROTBALL

CARROTBALL has the ability to download and install a remote payload.[14]

CARROTBAT

CARROTBAT has the ability to download and execute a remote file via certutil.[195]

certutil

certutil can be used to download files from a given URL.[4][5]

ChChes

ChChes is capable of downloading files, including additional modules.[27][28][29]

China Chopper

China Chopper's server component can download remote files.[51][52][53]

CHOPSTICK

CHOPSTICK is capable of performing remote file transmission.[54]

CloudDuke

CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[99]

cmd

cmd can be used to copy files to/from a remotely connected external system.[12]

Cobalt Group

Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[210][211] The group's JavaScript backdoor is also capable of downloading files.[212]

CoinTicker

CoinTicker executes a Python script to download its second stage.[158]

CORESHELL

CORESHELL downloads another dropper from its C2 server.[41]

Crimson

Crimson contains a command to retrieve files from its C2 server.[129]

DarkComet

DarkComet can load any files onto the infected machine to execute.[143][144]

Daserf

Daserf can download remote files.[19][20]

DDKONG

DDKONG downloads and uploads files on the victim’s machine.[137]

Denis

Denis deploys additional backdoors and hacking tools to the system.[151]

Dipsind

Dipsind can download remote files.[21]

DOGCALL

DOGCALL can download and execute additional payloads.[73]

down_new

down_new has the ability to download files to the compromised host.[196]

Downdelph

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[76]

Dragonfly 2.0

Dragonfly 2.0 copied and installed tools for operations once in the victim environment.[217][218]

Dyre

Dyre has a command to download and executes additional files.[58]

Elderwood

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[142]

Elise

Elise can download additional files from the C2 server for execution.[74]

Emissary

Emissary has the capability to download files from the C2 server.[97]

Empire

Empire can upload and download to and from a victim machine.[10]

esentutl

esentutl can be used to copy files to/from a given URL.[11]

EvilBunny

EvilBunny has downloaded additional Lua scripts from the C2.[173]

Exaramel for Linux

Exaramel for Linux has a command to download a file from a remote server.[175]

Felismus

Felismus can download files from remote servers.[15]

FELIXROOT

FELIXROOT downloads and uploads files to and from the victim’s machine.[145][102]

FIN7

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[219][220]

FIN8

FIN8 has used remote code execution to download subsequent payloads.[209]

Frankenstein

Frankenstein has uploaded and downloaded files to utilize additional plugins.[242]

Gamaredon Group

Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[66][221][222]

Gazer

Gazer can execute a task to download a file.[93][94]

gh0st RAT

gh0st RAT can download files to the victim’s machine.[40]

Gold Dragon

Gold Dragon can download additional components from the C2 server.[75]

Gorgon Group

Gorgon Group malware can download additional files from C2 servers.[215]

GreyEnergy

GreyEnergy can download additional modules and payloads.[102]

H1N1

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[47]

HAPPYWORK

can download and execute a second-stage payload.[49]

Helminth

Helminth can download additional files.[18]

Hi-Zor

Hi-Zor has the ability to upload and download files from its C2 server.[80]

HiddenWasp

HiddenWasp downloads a tar compressed archive from a download server to the system.[171]

HOPLIGHT

HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[157]

HotCroissant

HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[181]

HTTPBrowser

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[60]

Hydraq

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[55][56]

HyperBro

HyperBro has the ability to download additional files.[174]

InvisiMole

InvisiMole can upload files to the victim's machine for operations.[121]

Ixeshe

Ixeshe can download and execute additional files.[166]

JHUHUGIT

JHUHUGIT can retrieve an additional payload from its C2 server.[62][63] JHUHUGIT has a command to download files to the victim’s machine.[64]

JPIN

JPIN can download files and upgrade itself.[21]

jRAT

jRAT can download and execute files.[125][126][127]

KARAE

KARAE can upload and download files, including second-stage malware.[49]

Kasidet

Kasidet has the ability to download and execute additional files.[116]

Kazuar

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[95]

KeyBoy

KeyBoy has a download and upload functionality.[167][168]

KEYMARBLE

KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[30]

Kivars

Kivars has the ability to download and execute files.[184]

Koadic

Koadic can download additional files.[7]

KONNI

KONNI can download files and execute them on the victim’s machine.[108]

Kwampirs

Kwampirs downloads additional files from C2 servers.[69]

Lazarus Group

Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[223][224][225]

Leviathan

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[122][51]

LightNeuron

LightNeuron has the ability to download and execute additional files.[172]

Linfo

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[133]

LoudMiner

LoudMiner used SCP to update the miner from the C2.[189]

LOWBALL

LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[96]

Machete

Machete can download additional files for execution on the victim’s machine.[176]

Magic Hound

Magic Hound has downloaded additional code and files from servers onto victims.[205] Magic Hound used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[206][206]

MechaFlounder

MechaFlounder has the ability to upload and download files to and from a compromised host.[192]

menuPass

menuPass has installed updates and new malware on victims.[230][231]

Metamorfo

Metamorfo has used MSI to download files for execution.[199]

Micropsia

Micropsia can download and execute an executable from the C2 server.[109][110]

MiniDuke

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[16]

Misdat

Misdat is capable of downloading files from the C2.[71]

Mivast

Mivast has the capability to download and execute .exe files.[61]

MobileOrder

MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[32]

Molerats

Molerats used executables to download malicious files from different sources.[243]

More_eggs

More_eggs can download and launch additional payloads.[100][101]

Mosquito

Mosquito can upload and download files to the victim.[17]

MuddyWater

MuddyWater has used malware that can upload additional files to the victim’s machine.[226][227][228]

NanHaiShu

NanHaiShu can download additional files from URLs.[122]

NanoCore

NanoCore has the capability to download and activate additional modules for execution.[85][86]

NavRAT

NavRAT can download files remotely.[78]

NDiskMonitor

NDiskMonitor can download and execute a file from given URL.[46]

Nerex

Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[142]

Netwalker

Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[193]

Nidiran

Nidiran can download and execute files.[26]

njRAT

njRAT can upload and download files to and from the victim’s machine.[163]

NOKKI

NOKKI has downloaded a remote module for execution.[104]

Octopus

Octopus can upload and download files to and from the victim’s machine.[146]

OilRig

OilRig can download remote files onto victims.[123]

Okrum

Okrum has built-in commands for uploading, downloading, and executing files to the system.[186]

OopsIE

OopsIE can download files from its C2 server to the victim's machine.[111][112]

Orz

Orz can download files onto the victim.[122]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[105]

Pasam

Pasam creates a backdoor through which remote attackers can upload files.[65]

Patchwork

Patchwork payloads download additional files from the C2 server.[204][46]

Pisloader

Pisloader has a command to upload a file to the victim machine.[68]

PLAINTEE

PLAINTEE has downloaded and executed additional plugins.[137]

PLATINUM

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[214]

PLEAD

PLEAD has the ability to upload and download files to and from an infected host.[182]

PlugX

PlugX has a module to download and execute files on the compromised machine.[118]

PoetRAT

PoetRAT has the ability to copy files and download/upload files into command and control channels (C2) using FTP.[179]

PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can upload files.[22]

Pony

Pony can download additional files onto the infected system.[190]

POSHSPY

POSHSPY downloads and executes additional PowerShell code and Windows binaries.[98]

PowerDuke

PowerDuke has a command to download a file.[59]

POWERSOURCE

POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[39]

POWERSTATS

POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[134]

POWRUNER

POWRUNER can download or upload files from its C2 server.[123]

Psylo

Psylo has a command to download a file to the system from its C2 server.[32]

Pteranodon

Pteranodon can download and execute additional files.[66]

PUNCHBUGGY

PUNCHBUGGY can download additional files and payloads to compromised hosts.[33][34]

Pupy

Pupy can upload and download to/from a victim machine.[9]

QuasarRAT

QuasarRAT can download files to the victim’s machine and execute them.[2][3]

Rancor

Rancor has downloaded additional malware, including by using certutil.[137]

RARSTONE

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[132]

RATANKBA

RATANKBA uploads and downloads information.[140][141]

RedLeaves

RedLeaves is capable of downloading a file from a specified URL.[128]

Remcos

Remcos can upload and download files to and from the victim’s machine.[6]

RemoteCMD

RemoteCMD copies a file over to the remote system before execution.[138]

Remsec

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[106][107]

Revenge RAT

Revenge RAT has the ability to upload and download files.[159]

RGDoor

RGDoor uploads and downloads files to and from the victim’s machine.[48]

Rocke

Rocke used malware to download additional malicious files to the target system.[247]

RogueRobin

RogueRobin can save a new file to the system from the C2 server.[42][43]

ROKRAT

ROKRAT retrieves additional malicious payloads from the C2 server.[81][82]

RTM

RTM can download additional files.[23][24]

Sakula

Sakula has the capability to download files.[38]

Sandworm Team

Sandworm Team's Python backdoor can push additional malicious tools to an infected system.[249]

SDBot

SDBot has the ability to download a DLL from C2 to a compromised host.[194]

SeaDuke

SeaDuke is capable of uploading and downloading files.[79]

Seasalt

Seasalt has a command to download additional files.[37][37]

SEASHARPEE

SEASHARPEE can download remote files onto victims.[25]

ServHelper

ServHelper may download additional files to execute.[161][162]

Shamoon

Shamoon can download an executable to run on the victim.[148]

Sharpshooter

Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[244]

SHARPSTATS

SHARPSTATS has the ability to upload and download files.[188]

ShimRat

ShimRat can download additional files.[13]

ShimRatReporter

ShimRatReporter had the ability to download additional payloads.[13]

SHUTTERSPEED

SHUTTERSPEED can download and execute an arbitary executable.[49]

Silence

Silence has downloaded additional modules and malware to victim’s machines.[241]

Skidmap

Skidmap has the ability to download files on an infected host.[198]

SLOWDRIFT

SLOWDRIFT downloads additional payloads.[49]

Smoke Loader

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[91]

Soft Cell

Soft Cell dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[238]

SpeakUp

SpeakUp downloads and executes additional files from a remote server. [156]

SQLRat

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[170]

StoneDrill

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.[160]

TA505

TA505 has downloaded additional malware to execute on victim systems.[236][162][237]

TDTESS

TDTESS has a command to download and execute an additional file.[117]

Threat Group-3390

After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[60]

TrickBot

TrickBot downloads several additional files and saves them to the victim's machine.[67]

Trojan.Karagany

Trojan.Karagany can upload, download, and execute files on the victim.[72]

Tropic Trooper

Tropic Trooper has used a delivered trojan to download additional files.[245]

TSCookie

TSCookie has the ability to upload and download files to and from the infected host.[183]

Turla

Turla has used shellcode to download Meterpreter after compromising a victim.[213]

TURNEDUP

TURNEDUP is capable of downloading additional files.[120]

TYPEFRAME

TYPEFRAME can upload and download files to the victim’s machine.[83]

UBoatRAT

UBoatRAT can upload and download files to the victim’s machine.[149]

Unknown Logger

Unknown Logger is capable of downloading remote files.[44]

UPPERCUT

UPPERCUT can download and upload files to and from the victim’s machine.[124]

Ursnif

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[164][165]

Valak

Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and Ursnif.[197]

Vasport

Vasport can download files.[103]

VBShower

VBShower has the ability to download VBS files to the target computer.[187]

VERMIN

VERMIN can download and upload files to the victim's machine.[50]

Volgmer

Volgmer can download remote files and additional payloads to the victim's machine.[113][114][115]

WEBC2

WEBC2 can download and execute a file.[130]

Whitefly

Whitefly has the ability to download additional tools from the C2.[248]

Wiarp

Wiarp creates a backdoor through which remote attackers can download files.[147]

Winnti for Linux

Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [180]

WIRTE

WIRTE has downloaded PowerShell code from the C2 server to be executed.[235]

Xbash

Xbash can download additional malicious files from its C2 server.[152]

YAHOYAH

YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[169]

Zebrocy

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[87][88][89][90]

ZeroT

ZeroT can download additional payloads onto the victim.[131]

Zeus Panda

Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[70]

ZLib

ZLib has the ability to download files.[71]

ZxShell

ZxShell has a command to transfer files from a remote host.[177]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[1]

Detection

Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[1]

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  2. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  3. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  4. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  5. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
  6. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  7. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  8. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  9. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  12. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  13. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  14. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  15. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  16. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  17. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  18. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  19. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  20. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  21. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  22. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  23. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  24. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  25. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  26. Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  27. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  28. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  29. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  30. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  31. Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  32. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  33. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  34. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  35. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  36. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  37. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  38. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  39. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  40. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  41. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  42. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  43. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  44. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  45. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  46. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  47. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  48. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  49. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  50. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  51. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  52. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  53. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  54. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  55. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  56. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  57. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  58. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  59. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  60. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  61. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  62. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  63. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  64. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  65. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  66. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  67. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  68. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  69. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  70. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  71. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  72. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  73. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  74. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  75. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  76. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  77. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  78. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  79. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  80. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  81. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  82. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  83. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  84. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  85. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  86. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  87. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  88. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  89. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  90. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  91. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  92. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  93. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  94. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  95. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  96. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  97. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  98. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  99. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  100. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  101. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  102. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  103. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
  104. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  105. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  106. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  107. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  108. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  109. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  110. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  111. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  112. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  113. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  114. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  115. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  116. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  117. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  118. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  119. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  120. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  121. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  122. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  123. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  124. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  125. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  1. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  2. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  3. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  4. Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  5. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  6. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  7. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  8. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  9. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  10. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  11. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  12. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  13. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  14. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  15. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  16. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  17. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
  18. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  19. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  20. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  21. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  22. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  23. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  24. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  25. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  26. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  27. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  28. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  29. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  30. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  31. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  32. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  33. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  34. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  35. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  36. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  37. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  38. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  39. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  40. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  41. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  42. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  43. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  44. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  45. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  46. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  47. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  48. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  49. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  50. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  51. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  52. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  53. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
  54. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  55. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  56. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  57. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  58. Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  59. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  60. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  61. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  62. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  63. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  64. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  65. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  66. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  67. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  68. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  69. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  70. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  71. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  72. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  73. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  74. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  75. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  76. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  77. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  78. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  79. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  80. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  81. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  82. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  83. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  84. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  85. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  86. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  87. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  88. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  89. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  90. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  91. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  92. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  93. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  94. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  95. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  96. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  97. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  98. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  99. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  100. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  101. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  102. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  103. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  104. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  105. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  106. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  107. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  108. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  109. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  110. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  111. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  112. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  113. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  114. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  115. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  116. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  117. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  118. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  119. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  120. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  121. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  122. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  123. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  124. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.