Software Discovery: Security Software Discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize the Cloud API to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
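The Windows-side query that recurs in the procedure examples below (WMIC or Get-CimInstance against the root\SecurityCenter2 namespace) returns more than product names: each AntiVirusProduct record carries a productState value that tells the adversary whether the product is switched on and whether its signatures are current, which is what decides the "fully infect or bail out" branch described above. The following Python is an added example, not code from the ATT&CK page or from any of the malware or tools it catalogs. The WMIC /Format:List output it parses is constructed (placeholder GUIDs, paths and a fictional "ExampleAV"); the productState bit layout is the community-documented convention, which Microsoft does not publish, so that decoding is labelled as an assumption in the code; and collect_live() only works on a Windows host that still has WMIC.

```python
r"""
Parse `WMIC /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List`
output into the facts an operator acts on: which products are registered,
whether each is enabled, and whether its definitions are current.
"""
import subprocess

# Constructed sample of WMIC /Format:List output (one key=value per line, records
# separated by blank lines). Names, GUIDs and paths are placeholders, not captured
# from a real host.
SAMPLE_WMIC_LIST = """

displayName=Windows Defender
instanceGuid={00000000-0000-0000-0000-000000000001}
pathToSignedProductExe=windowsdefender://
pathToSignedReportingExe=%ProgramFiles%\\Windows Defender\\MsMpeng.exe
productState=393472
timestamp=Mon, 13 May 2024 09:12:31 GMT


displayName=ExampleAV Endpoint
instanceGuid={00000000-0000-0000-0000-000000000002}
pathToSignedProductExe=C:\\Program Files\\ExampleAV\\exav.exe
pathToSignedReportingExe=C:\\Program Files\\ExampleAV\\exavrep.exe
productState=266240
timestamp=Mon, 13 May 2024 09:12:31 GMT

"""


def parse_wmic_list(text):
    """Split /Format:List output into one dict per record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()  # WMIC emits CRLF line endings and trailing spaces
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def decode_product_state(state):
    """Decode the productState value of an AntiVirusProduct record.

    Assumption: this follows the community-documented layout, which Microsoft does
    not publish. The nibble at bits 12-15 is 1 when the product is enabled and the
    nibble at bits 4-7 is 1 when definitions are out of date, so 0x61100 is
    enabled/current, 0x60100 disabled, 0x61110 enabled/out of date. The remaining
    bits (product type and ownership) are ignored here.
    """
    enabled = ((state >> 12) & 0xF) == 0x1
    out_of_date = ((state >> 4) & 0xF) == 0x1
    return {"enabled": enabled, "definitions_up_to_date": not out_of_date}


def summarize(records):
    """Reduce raw AntiVirusProduct records to name, path and decoded state."""
    summary = []
    for rec in records:
        state = int(rec.get("productState", "0"))
        entry = {"name": rec.get("displayName", ""),
                 "exe": rec.get("pathToSignedProductExe", "")}
        entry.update(decode_product_state(state))
        summary.append(entry)
    return summary


def collect_live():
    """Run the query on a Windows host. WMIC is deprecated and missing on newer
    builds; the Get-CimInstance form shown in the Kimsuky entry is the replacement."""
    cmd = ["wmic", "/Namespace:\\\\root\\SecurityCenter2", "Path",
           "AntiVirusProduct", "Get", "*", "/Format:List"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return summarize(parse_wmic_list(out))


if __name__ == "__main__":
    for product in summarize(parse_wmic_list(SAMPLE_WMIC_LIST)):
        print(product)
```

Run stand-alone it prints the two constructed records, the first of which decodes as a registered but disabled product. The same namespace is what the detection section keys on, so the query is cheap for the adversary but also one of the few high-signal strings in this technique.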

ID: T1518.001
Sub-technique of: T1518
Tactic: Discovery
Platforms: IaaS, Linux, Windows, macOS
Contributors: Isif Ibrahima, Mandiant
Version: 1.5
Created: 21 February 2020
Last Modified: 16 April 2024

Procedure Examples

ID Name Description
S0469 ABK

ABK has the ability to identify the installed anti-virus product on the compromised host.[1]

S1028 Action RAT

Action RAT can identify AV products on an infected host using the following command: cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List.[2]

S1025 Amadey

Amadey has checked for a variety of antivirus products.[3][4]

G0082 APT38

APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.[5]

G0143 Aquatic Panda

Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.[6]

S0373 Astaroth

Astaroth checks for the presence of Avast antivirus in the C:\Program Files\ folder.[7]

S1029 AuTo Stealer

AuTo Stealer has the ability to collect information about installed AV products from an infected host.[2]

S0473 Avenger

Avenger has the ability to identify installed anti-virus products on a compromised host.[1]

S0337 BadPatch

BadPatch uses WMI to enumerate installed security products in the victim’s environment.[8]

S0534 Bazar

Bazar can identify the installed antivirus engine.[9]

S0657 BLUELIGHT

BLUELIGHT can collect a list of anti-virus products installed on a machine.[10]

S1063 Brute Ratel C4

Brute Ratel C4 can detect EDR userland hooks.[11]

S0471 build_downer

build_downer has the ability to detect if the infected host is running an anti-virus process.[1]

S1039 Bumblebee

Bumblebee can identify specific analytical tools based on running processes.[12][13][14]

S0484 Carberp

Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[15]

S1149 CHIMNEYSWEEP

CHIMNEYSWEEP is capable of checking whether a compromised device is running DeepFreeze by Faronics.[16]

S0023 CHOPSTICK

CHOPSTICK checks for antivirus and forensics software.[17]

S0611 Clop

Clop can search for processes with antivirus and antimalware product names.[18][19]

G0080 Cobalt Group

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[20]

S0244 Comnie

Comnie attempts to detect several anti-virus products.[21]

S0492 CookieMiner

CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.[22]

S0046 CozyCar

The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[23]

S0115 Crimson

Crimson contains a command to collect information about anti-virus software on the victim.[24][25]

S1111 DarkGate

DarkGate looks for various security products by process name using hard-coded values in the malware. DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and recreate any malicious files associated with it if it determines they were removed by security software in a new system location.[26]

G0012 Darkhotel

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[27][28]

S1066 DarkTortilla

DarkTortilla can check for the Kaspersky Anti-Virus suite.[29]

S0673 DarkWatchman

DarkWatchman can search for anti-virus products on the system.[30]

S0472 down_new

down_new has the ability to detect anti-virus products and processes on a compromised host.[1]

S1159 DUSTTRAP

DUSTTRAP can identify security software.[31]

S0062 DustySky

DustySky checks for the existence of anti-virus.[32]

S0363 Empire

Empire can enumerate antivirus software on the target.[33]

S0091 Epic

Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.[34]

S0396 EvilBunny

EvilBunny has been observed querying installed antivirus software.[35]

S0568 EVILNUM

EVILNUM can search for anti-virus products on the system.[36]

S0171 Felismus

Felismus checks for processes associated with anti-virus vendors.[37]

S0267 FELIXROOT

FELIXROOT checks for installed security software like antivirus and firewall.[38]

S0679 Ferocious

Ferocious has checked for AV software as part of its persistence process.[39]

G0061 FIN8

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[40]

S0182 FinFisher

FinFisher probes the system to check for antimalware processes.[41][42]

S0143 Flame

Flame identifies security software such as antivirus through the Security module.[43][44]

S0381 FlawedAmmyy

FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[45]

C0001 Frankenstein

During Frankenstein, the threat actors used WMI queries to determine if analysis tools were running on a compromised system.[46]

S1044 FunnyDream

FunnyDream can identify the processes for Bkav antivirus.[47]

S0666 Gelsemium

Gelsemium can check for the presence of specific security products.[48]

S0249 Gold Dragon

Gold Dragon checks for anti-malware products and processes.[49]

S0531 Grandoreiro

Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.[50]

S0483 IcedID

IcedID can identify AV products on an infected host using the following command: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List.[51][52]

S0260 InvisiMole

InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.[53]

S0201 JPIN

JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[54]

S0283 jRAT

jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[55][56]

S0088 Kasidet

Kasidet has the ability to identify any anti-virus installed on the infected system.[57]

G0094 Kimsuky

Kimsuky has checked for the presence of antivirus software with PowerShell: Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct.[58]

C0035 KV Botnet Activity

KV Botnet Activity involved removal of security tools, as well as other identified IOT malware, from compromised devices.[59]

S1160 Latrodectus

Latrodectus has the ability to identify installed antivirus products.[60][61]

S0513 LiteDuke

LiteDuke has the ability to check for the presence of Kaspersky security software.[62]

S0680 LitePower

LitePower can identify installed AV software.[39]

S0681 Lizar

Lizar can search for processes associated with an anti-virus product from a list.[63]

S1141 LunarWeb

LunarWeb has run shell commands to obtain a list of installed security products.[64]

S1060 Mafalda

Mafalda can search for a variety of security software programs, EDR systems, and malware analysis tools.[65][66]

G1026 Malteiro

Malteiro collects the installed antivirus on the victim machine.[67]

S0652 MarkiRAT

MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.[68]

S0455 Metamorfo

Metamorfo collects a list of installed antivirus software from the victim’s system.[69][70]

S0688 Meteor

Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.[71]

S0339 Micropsia

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[72][73]

S1122 Mispadu

Mispadu can list installed security products in the victim’s environment.[74][75]

S0553 MoleNet

MoleNet can use WMI commands to check the system for firewall and antivirus software.[76]

S0284 More_eggs

More_eggs can obtain information on installed anti-malware programs.[77]

S0256 Mosquito

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[78]

G0069 MuddyWater

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[79]

G0019 Naikon

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[80]

S0108 netsh

netsh can be used to discover system firewall settings.[81][82]

S0457 Netwalker

Netwalker can detect and terminate active security software-related processes on infected systems.[83]

S0368 NotPetya

NotPetya determines if specific antivirus programs are running on an infected host machine.[84]

C0014 Operation Wocao

During Operation Wocao, threat actors used scripts to detect security software.[85]

S1091 Pacu

Pacu can enumerate AWS security services, including WAF rules and GuardDuty detectors.[86]

G0040 Patchwork

Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[87]

S0501 PipeMon

PipeMon can check for the presence of ESET and Kaspersky security software.[88]

G1040 Play

Play has used the information-stealing tool Grixba to scan for anti-virus software.[89]

S0223 POWERSTATS

POWERSTATS has detected security tools.[90]

S0184 POWRUNER

POWRUNER may collect information on the victim's anti-virus software.[91]

S0113 Prikormka

A module in Prikormka collects information from the victim about installed anti-virus software.[92]

S0196 PUNCHBUGGY

PUNCHBUGGY can gather AVs registered in the system.[93]

S0650 QakBot

QakBot can identify the installed antivirus product on a targeted system.[94][95][96]

S1130 Raspberry Robin

Raspberry Robin attempts to identify security software running on the victim machine, such as BitDefender, Avast, and Kaspersky.[97][98]

S0125 Remsec

Remsec has a plugin that detects security products via active drivers.[99]

G0106 Rocke

Rocke used scripts which detected and uninstalled antivirus software.[100][101]

S0270 RogueRobin

RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.[102][103]

S0148 RTM

RTM can obtain information about security software on the victim.[104]

G1008 SideCopy

SideCopy uses a loader DLL file to collect AV product names from an infected host.[2]

G0121 Sidewinder

Sidewinder has used the WMI moniker winmgmts:\\.\root\SecurityCenter2 to check installed antivirus products.[105]

S0692 SILENTTRINITY

SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.[106]

S0468 Skidmap

Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.[107]

S0646 SpicyOmelette

SpicyOmelette can check for the presence of 29 different antivirus tools.[108]

S0380 StoneDrill

StoneDrill can check for antivirus and antimalware programs.[109]

S0142 StreamEx

StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.[110]

S0491 StrongPity

StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.[111]

S0603 Stuxnet

Stuxnet enumerates the currently running processes related to a variety of security products.[112]

S0559 SUNBURST

SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution.[113][114]

S0098 T9000

T9000 performs checks for various antivirus and security products during installation.[115]

G1018 TA2541

TA2541 has used tools to search victim systems for security products such as antivirus and firewall software.[116]

S0467 TajMahal

TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.[117]

S0057 Tasklist

Tasklist can be used to enumerate security software currently running on a system by process name of known products.[118]

G0139 TeamTNT

TeamTNT has searched for security products on infected machines.[119][120]

G0089 The White Company

The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[121]

S0595 ThiefQuest

ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of "unwanted" security related programs, and kills the processes for security related programs.[122]

G1022 ToddyCat

ToddyCat can determine if Kaspersky software is running on an endpoint by running cmd /c wmic process where name="avp.exe".[123]

G0081 Tropic Trooper

Tropic Trooper can search for anti-virus software running on the system.[124]

G0010 Turla

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[125]

S0476 Valak

Valak can determine if a compromised host has security products installed.[126]

S0257 VERMIN

VERMIN uses WMI to check for anti-virus software installed on the system.[127]

S0579 Waterbear

Waterbear can find the presence of a specific security software.[128]

S0689 WhisperGate

WhisperGate can recognize the presence of monitoring tools on a target system.[129]

G0112 Windshift

Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.[130]

S0176 Wingbird

Wingbird checks for the presence of Bitdefender security software.[131]

G0102 Wizard Spider

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[132]

S1065 Woody RAT

Woody RAT can detect Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos antivirus programs.[133]

S0653 xCaon

xCaon has checked for the existence of Kaspersky antivirus software on the system.[134]

S0658 XCSSET

XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.[135]

S0388 YAHOYAH

YAHOYAH checks for antimalware solution processes on the system.[136]

S0330 Zeus Panda

Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.[137][138]

S1013 ZxxZ

ZxxZ can search a compromised host to determine if it is running Windows Defender or Kaspersky antivirus.[139]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks when Script Block Logging is enabled; these can be analyzed for potential Security Software Discovery, for example CIM/WMI queries of the root/SecurityCenter2 namespace like the one in the Kimsuky entry above.

DS0018 Firewall Firewall Enumeration

Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands).

Firewall Metadata

Monitor for contextual data about a firewall and activity around it such as name, policy, or status.

DS0009 Process OS API Execution

Monitor for API calls that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. A relevant OS API call is EnumProcesses, which enumerates the set of processes running on a host; the result can be filtered for the process names of security products, as several of the procedure examples above do.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Process Creation

Monitor newly executed processes that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
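The Command Execution and Process Creation components above both reduce to the same check: match the command line of a new process (Windows 4688, Sysmon Event 1, or an EDR process event on macOS) or the text of a PowerShell 4104 script block against the discovery patterns this page documents. The following Python is an added example of that logic, not detection content from ATT&CK or from any vendor; the indicators are taken from the procedure examples above (SecurityCenter2 queries, netsh firewall enumeration, process or registry listings filtered for product names, csrutil status), and the host names and events it runs over are constructed. It also carries the aggregation step a practitioner actually needs: one SecurityCenter2 query may be an administrator's inventory script, but several distinct discovery checks from a single host look like automated discovery.

```python
"""
Detection logic for Security Software Discovery (T1518.001) over process-creation
(Windows 4688 / Sysmon 1 style) and PowerShell script block (4104) events.
"""
import re
from collections import defaultdict

# Product and process names drawn from the procedure examples on this page, plus
# MsMpEng (the Defender engine process). Extend per environment.
SECURITY_NAMES = (r"(?:avp|msmpeng|kaspersky|bitdefender|avast|eset|sophos|avira|avg"
                  r"|defender|total security|little\s?snitch|wireshark)")

RULES = {
    # WMI/CIM queries of the Windows Security Center namespace (WMIC, Get-CimInstance,
    # Get-WmiObject, or a winmgmts: moniker in script).
    "wsc_query": re.compile(
        r"securitycenter2.*?(antivirus|firewall|antispyware)product", re.I | re.S),
    # Local firewall enumeration via netsh (advfirewall or legacy firewall context).
    "netsh_firewall_show": re.compile(
        r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b.*\bshow\b", re.I | re.S),
    # Process, registry or directory listing filtered for a security product name.
    "list_filtered_for_security": re.compile(
        r"\b(tasklist|wmic\s+process|get-process|reg(\.exe)?\s+query|dir)\b.*?"
        + SECURITY_NAMES, re.I | re.S),
    # macOS System Integrity Protection status check.
    "macos_sip_status": re.compile(r"\bcsrutil\s+status\b", re.I),
}


def classify(text):
    """Return the names of every rule matching one command line or script block."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def evaluate(events):
    """Return one hit per (event, rule). Events are dicts with host, event_id and
    either command_line (4688 / Sysmon 1 / EDR) or script_block (4104)."""
    hits = []
    for ev in events:
        text = ev.get("command_line") or ev.get("script_block") or ""
        for rule in classify(text):
            hits.append({"host": ev["host"], "event_id": ev["event_id"],
                         "rule": rule, "text": text})
    return hits


def hosts_to_escalate(hits, min_distinct_rules=2):
    """Hosts where at least min_distinct_rules different discovery indicators fired.
    Callers should already have bucketed hits into a time window."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in by_host.items()
                  if len(rules) >= min_distinct_rules)


# Constructed events shaped like 4688 / Sysmon 1 / 4104 records; hosts are fictional.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4688, "command_line":
        r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"},
    {"host": "WS01", "event_id": 4688, "command_line": r'cmd /c wmic process where name="avp.exe"'},
    {"host": "WS01", "event_id": 4688, "command_line": "netsh advfirewall firewall show rule name=all"},
    {"host": "WS02", "event_id": 4104, "script_block":
        "Get-CimInstance -Namespace root/SecurityCenter2 `\n  -ClassName AntiVirusProduct | Select-Object displayName, productState"},
    {"host": "WS02", "event_id": 4688, "command_line": "tasklist /svc"},            # benign
    {"host": "WS03", "event_id": 4688, "command_line": "WMIC os get Caption,Version"},  # benign
    {"host": "MAC01", "event_id": 1, "command_line": "csrutil status"},
    {"host": "WS03", "event_id": 4688, "command_line": r'cmd.exe /c tasklist | findstr /i "MsMpEng avp"'},
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["host"]:6} {h["event_id"]:5} {h["rule"]:28} {h["text"][:60]}')
    print("escalate:", hosts_to_escalate(found))
```

Over the constructed events this produces six hits and escalates only WS01, which ran three different checks (a Security Center query, a wmic process filter for avp.exe, and a netsh firewall dump); the single Get-CimInstance script block on WS02 is reported but left for triage. The regular expressions use re.S because 4104 script blocks span lines, as the WS02 sample does with a backtick continuation.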

References

  1. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  2. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  3. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  4. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  5. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  6. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  7. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
  8. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  9. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  10. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  11. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  12. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  13. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  14. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  15. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  16. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  17. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  18. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  19. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  20. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  21. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  22. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  23. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  24. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  25. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  26. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  27. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  28. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
  29. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  30. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  31. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  32. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  33. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  34. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  35. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  36. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  37. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  38. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  39. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  40. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  41. FinFisher. (n.d.). Retrieved September 12, 2024.
  42. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  43. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  44. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  45. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  46. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  47. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  48. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  49. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  50. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  51. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
  52. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
  53. Hromcova, Z. and Cherepanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  54. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  55. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  56. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  57. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  58. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  59. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  60. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  61. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  62. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  63. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  64. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  65. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  66. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  67. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  68. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  69. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  70. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  71. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  72. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  73. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  74. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  75. Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
  76. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  77. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  78. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  79. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  80. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  81. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  82. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  83. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  84. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  85. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  86. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  87. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  88. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  89. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  90. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  91. Sardiwal, M. et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  92. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  93. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  94. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  95. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  96. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  97. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  98. Patrick Schläpfer. (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  99. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  100. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  101. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  102. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  103. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  104. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  105. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  106. Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.
  107. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  108. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  109. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  110. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  111. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  112. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  113. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  114. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  115. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  116. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  117. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  118. Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
  119. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  120. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  121. Livelli, K. et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  122. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
  123. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  124. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  125. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  126. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
  127. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  128. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  129. Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  130. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  131. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  132. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  133. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  134. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  135. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  136. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  137. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  138. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  139. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.