Remote File Copy

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.

ID: T1105

Tactic: Command and Control, Lateral Movement

Platform: Linux, macOS, Windows

Permissions Required: User

Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring

Requires Network: Yes

Version: 1.0

Examples

Name / Description
Agent.btz

Agent.btz attempts to download an encrypted binary from a specified domain.[1]

APT28

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[2][3]

APT3

APT3 has a tool that can copy files to remote machines.[4]

APT32

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[5]

APT37

APT37 has downloaded second stage malware from compromised websites.[6]

BADNEWS

BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[7][8][9]

Bankshot

Bankshot uploads files and secondary payloads to the victim's machine.[10]

Bisonal

Bisonal has the capability to download files to execute on the victim’s machine.[11]

BITSAdmin

BITSAdmin can be used to create BITS Jobs to upload and/or download files.[12]

Briba

Briba downloads files onto infected hosts.[13]

BRONZE BUTLER

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[14]

Calisto

Calisto has the capability to upload and download files to the victim's machine.[15]

CallMe

CallMe has the capability to download a file to the victim from the C2 server.[16]

certutil

certutil can be used to download files from a given URL.[17][18]

ChChes

ChChes is capable of downloading files, including additional modules.[19][20][21]

China Chopper

China Chopper can upload and download files.[22]

CHOPSTICK

CHOPSTICK is capable of performing remote file transmission.[23]

CloudDuke

CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[24]

cmd

cmd can be used to copy files to a remotely connected system.[25]

Cobalt Group

Cobalt Group uses public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[26][27]

CORESHELL

CORESHELL downloads another dropper from its C2 server.[28]

Crimson

Crimson contains a command to retrieve files from its C2 server.[29]

Daserf

Daserf can download remote files.[30][14]

DDKONG

DDKONG downloads and uploads files on the victim’s machine.[31]

Dipsind

Dipsind can download remote files.[32]

Downdelph

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[33]

Dragonfly 2.0

Dragonfly 2.0 copied and installed tools for operations once in the victim environment.[34][35]

DustySky

DustySky searches for network drives and removable media and duplicates itself onto them.[36]

Dyre

Dyre has a command to download and execute additional files.[37]

Elderwood

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[38]

Emissary

Emissary has the capability to download files from the C2 server.[39]

Felismus

Felismus can download files from remote servers.[40]

FELIXROOT

FELIXROOT downloads and uploads files to and from the victim’s machine.[41]

FIN10

FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[42]

FIN7

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[43][44]

FIN8

FIN8 has used remote code execution to download subsequent payloads.[45]

Gamaredon Group

Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[46]

Gazer

Gazer can execute a task to download a file.[47][48]

Gold Dragon

Gold Dragon can download additional components from the C2 server.[49]

Gorgon Group

Gorgon Group malware can download additional files from C2 servers.[50]

H1N1

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[51]

HAPPYWORK

HAPPYWORK can download and execute a second-stage payload.[6]

Helminth

Helminth can download additional files.[52]

Hi-Zor

Hi-Zor has the ability to upload and download files from its C2 server.[53]

HTTPBrowser

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[54]

Hydraq

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[55][56]

InvisiMole

InvisiMole can upload files to the victim's machine for operations.[57]

JHUHUGIT

JHUHUGIT can retrieve an additional payload from its C2 server.[58][59]

JPIN

JPIN can download files and upgrade itself.[32]

jRAT

jRAT can download and execute files.[60]

KARAE

KARAE can upload and download files, including second-stage malware.[6]

Kasidet

Kasidet has the ability to download and execute additional files.[61]

Kazuar

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[62]

KEYMARBLE

KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[63]

Koadic

Koadic can download additional files.[64]

Kwampirs

Kwampirs downloads additional files from C2 servers.[65]

Lazarus Group

Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[66][67][68]

Leviathan

Leviathan has downloaded additional scripts and files from adversary-controlled servers. Leviathan has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[69][22]

Linfo

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[70]

LOWBALL

LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[71]

Magic Hound

Magic Hound has downloaded additional code and files from servers onto victims.[72]

menuPass

menuPass has installed updates and new malware on victims.[73]

MiniDuke

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[74]

Misdat

Misdat is capable of downloading files from the C2.[75]

Mivast

Mivast has the capability to download and execute .exe files.[76]

MobileOrder

MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[16]

More_eggs

More_eggs can download and launch additional payloads.[77]

Mosquito

Mosquito can upload and download files to the victim.[78]

NanHaiShu

NanHaiShu can download additional files from URLs.[69]

NavRAT

NavRAT can download files remotely.[79]

NDiskMonitor

NDiskMonitor can download and execute a file from a given URL.[9]

Nerex

Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[38]

Nidiran

Nidiran can download and execute files.[80]

OilRig

OilRig can download remote files onto victims.[81]

OopsIE

OopsIE can download files from its C2 server to the victim's machine.[82][83]

Orz

Orz can download files onto the victim.[69]

Pasam

Pasam creates a backdoor through which remote attackers can upload files.[84]

Patchwork

Patchwork payloads download additional files from the C2 server.[85][9]

Pisloader

Pisloader has a command to upload a file to the victim machine.[86]

PLAINTEE

PLAINTEE has downloaded and executed additional plugins.[31]

PLATINUM

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[87]

PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can upload files.[88]

POSHSPY

POSHSPY downloads and executes additional PowerShell code and Windows binaries.[89]

PowerDuke

PowerDuke has a command to download a file.[90]

POWERSOURCE

POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[91]

POWERSTATS

POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[92]

POWRUNER

POWRUNER can download or upload files from its C2 server.[81]

Psylo

Psylo has a command to download a file to the system from its C2 server.[16]

Pteranodon

Pteranodon can download and execute additional files.[46]

PUNCHBUGGY

PUNCHBUGGY can download additional files and payloads to compromised hosts.[93]

Pupy

Pupy can upload files to and download files from a victim machine.[94]

QuasarRAT

QuasarRAT can download files to the victim’s machine and execute them.[95][96]

Rancor

Rancor has downloaded additional malware, including by using certutil.[31]

RARSTONE

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[97]

RATANKBA

RATANKBA uploads and downloads information.[98][99]

RedLeaves

RedLeaves is capable of downloading a file from a specified URL.[100]

RemoteCMD

RemoteCMD copies a file over to the remote system before execution.[101]

Remsec

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[102][103]

RGDoor

RGDoor uploads and downloads files to and from the victim’s machine.[104]

RogueRobin

RogueRobin can download files from the C2 server to the victim’s machine.[105]

ROKRAT

ROKRAT retrieves additional malicious payloads from the C2 server.[106]

RTM

RTM can download additional files.[107]

Sakula

Sakula has the capability to download files.[108]

SeaDuke

SeaDuke is capable of uploading and downloading files.[109]

SEASHARPEE

SEASHARPEE can download remote files onto victims.[110]

Shamoon

Shamoon can download an executable to run on the victim.[111]

SHUTTERSPEED

SHUTTERSPEED can download and execute an arbitrary executable.[6]

SLOWDRIFT

SLOWDRIFT downloads additional payloads.[6]

Smoke Loader

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[112]

TDTESS

TDTESS has a command to download and execute an additional file.[113]

Threat Group-3390

After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[54]

TrickBot

TrickBot downloads several additional files and saves them to the victim's machine.[114]

Trojan.Karagany

Trojan.Karagany can upload, download, and execute files on the victim.[115]

Turla

Turla has used shellcode to download Meterpreter after compromising a victim.[116]

TURNEDUP

TURNEDUP is capable of downloading additional files.[117]

TYPEFRAME

TYPEFRAME can upload and download files to the victim’s machine.[118]

Unknown Logger

Unknown Logger is capable of downloading remote files.[7]

UPPERCUT

UPPERCUT can download and upload files to and from the victim’s machine.[119]

Vasport

Vasport can download files.[120]

VERMIN

VERMIN can download and upload files to the victim's machine.[121]

Volgmer

Volgmer can download remote files and additional payloads to the victim's machine.[122][123][124]

Wiarp

Wiarp creates a backdoor through which remote attackers can download files.[125]

XTunnel

XTunnel is capable of downloading additional files.[126]

Zebrocy

Zebrocy obtains additional code to execute on the victim's machine.[127]

ZeroT

ZeroT can download additional payloads onto the victim.[128]

ZLib

ZLib has the ability to download files.[75]

Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [129]

Detection

Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of file transfer utilities, such as FTP, where such use does not normally occur may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [129]
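The following script is an added example, not part of the ATT&CK page, that applies the detection guidance above (and the copy paths named in the technique description, such as utilities like certutil and BITSAdmin or writes to Windows admin shares) to constructed telemetry: it flags processes outside a network baseline, the file-copy utilities this page lists, upload-heavy flows where a client sends far more than it receives, and file creation by processes with external connections or onto administrative shares. The pipe-delimited record format, the internal address ranges, the baseline process set, and the thresholds are all assumptions made for this example.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed telemetry in a pipe-delimited format assumed for this example
# (real data would come from Sysmon, EDR or netflow exports):
#   net|<host>|<process>|<remote_ip>|<remote_port>|<bytes_sent>|<bytes_received>
#   file|<host>|<process>|<path>
SAMPLE_LOG = """\
net|ws01|chrome.exe|93.184.216.34|443|48000|910000
net|ws01|certutil.exe|203.0.113.7|80|900|612000
file|ws01|certutil.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
net|ws02|svchost.exe|10.0.0.5|445|12000|8000
net|ws02|updater.exe|198.51.100.20|443|25000000|150000
file|ws02|updater.exe|C:\\ProgramData\\cache\\blob.bin
file|ws01|cmd.exe|\\\\ws03\\ADMIN$\\svc.exe
file|fs01|System|\\\\fs01\\share\\doc.docx
""".splitlines()

# Assumed environment knowledge: internal address space, processes expected to
# use the network, and the copy utilities named on the page (certutil, BITSAdmin,
# FTP, scp/rsync/sftp). Tune these per host role in a real deployment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BASELINE_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe", "System"}
TRANSFER_UTILITIES = {"certutil.exe", "bitsadmin.exe", "ftp.exe", "scp", "rsync", "sftp"}
ADMIN_SHARES = ("\\ADMIN$\\", "\\C$\\", "\\IPC$\\")
UPLOAD_RATIO = 10.0          # client sent more than 10x what it received
UPLOAD_MIN_BYTES = 1_000_000  # ignore small flows when applying the ratio

Finding = Tuple[str, str, str]  # (host, process, reason)


def is_external(ip: str) -> bool:
    """True when the address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines: List[str]) -> List[Finding]:
    """Apply the T1105 detection heuristics to net/file records and return findings."""
    net, files = [], []
    for line in lines:
        f = line.split("|")
        if f[0] == "net" and len(f) == 7:
            net.append((f[1], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
        elif f[0] == "file" and len(f) == 4:
            files.append((f[1], f[2], f[3]))

    findings: List[Finding] = []
    has_external: Set[Tuple[str, str]] = set()  # (host, process) seen talking externally
    for host, proc, rip, rport, sent, recv in net:
        if is_external(rip):
            has_external.add((host, proc))
        if proc in TRANSFER_UTILITIES:
            findings.append((host, proc, f"transfer utility connected to {rip}:{rport}"))
        elif proc not in BASELINE_NETWORK_PROCESSES:
            findings.append((host, proc, "process outside the network baseline used the network"))
        # Uncommon data flow: the client pushes far more than it pulls.
        if sent >= UPLOAD_MIN_BYTES and sent > UPLOAD_RATIO * max(recv, 1):
            findings.append((host, proc, f"uncommon data flow: sent {sent} bytes, received {recv}"))

    for host, proc, path in files:
        if (host, proc) in has_external:
            findings.append((host, proc, f"process with external connection created {path}"))
        # UNC write into an administrative share is the lateral copy path from the description.
        if path.startswith("\\\\") and any(s in path for s in ADMIN_SHARES):
            findings.append((host, proc, f"file written to an administrative share: {path}"))
    return findings


if __name__ == "__main__":
    for host, proc, reason in analyze(SAMPLE_LOG):
        print(f"{host:5} {proc:14} {reason}")
```

The ordinary browser traffic and the file server's own SMB writes produce no findings, while the certutil download, the upload-heavy unknown process, and the write to \\ws03\ADMIN$ each do.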

References

  1. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  3. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  4. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  5. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  6. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  7. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  8. Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  9. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  10. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  11. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  12. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  13. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  14. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  15. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  16. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  17. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  18. Smith, Casey. (2017, July 20). SubTee Twitter Status. Retrieved July 21, 2017.
  19. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  20. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  21. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  22. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  23. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  24. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  25. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  26. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  27. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  28. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  29. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  30. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  31. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  32. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  33. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  34. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  35. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  36. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  37. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  38. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
  39. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  40. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  41. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  42. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  43. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  44. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  45. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  46. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  47. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  48. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  49. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  50. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  51. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  52. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  53. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  54. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  55. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  56. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  57. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  58. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  59. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  60. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  61. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  62. Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  63. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  64. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  65. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  66. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  67. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  68. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  69. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  70. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  71. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  72. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  73. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  74. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  75. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  76. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  77. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  78. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  79. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  80. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  81. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  82. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  83. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  84. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  85. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  86. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  87. Kaplan, D., et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  88. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  89. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  90. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  91. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  92. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  93. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  94. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  95. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  96. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  97. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  98. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  99. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  100. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  101. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  102. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  103. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  104. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  105. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  106. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  107. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  108. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  109. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  110. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  111. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  112. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  113. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  114. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  115. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  116. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  117. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  118. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  119. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  120. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
  121. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  122. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  123. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  124. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  125. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  126. Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  127. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  128. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  129. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.