Credentials from Password Stores: Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[1] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.[2]

Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.[3][4] Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[5]

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

ID: T1555.003
Sub-technique of:  T1555
Platforms: Linux, Windows, macOS
Contributors: Barry Shteiman, Exabeam; RedHuntLabs, @redhuntlabs; Ryan Benson, Exabeam; Sylvain Gil, Exabeam
Version: 1.2
Created: 12 February 2020
Last Modified: 15 August 2024

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla can gather credentials from a number of browsers.[6]

G0130 Ajax Security Team

Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.[7]

G0022 APT3

APT3 has used tools to dump passwords from browsers.[8]

G0064 APT33

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[9][10]

G0067 APT37

APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[11]

G0096 APT41

APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.[12]

S0344 Azorult

Azorult can steal credentials from the victim's browser.[13]

S0093 Backdoor.Oldrea

Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[14]

S0089 BlackEnergy

BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.[15][16]

S0657 BLUELIGHT

BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.[17]

S0484 Carberp

Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[18]

S0631 Chaes

Chaes can steal login credentials and stored financial information from the browser.[19]

S0144 ChChes

ChChes steals credentials stored inside Internet Explorer.[20]

S0492 CookieMiner

CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.[21]

S0050 CosmicDuke

CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[22]

S0115 Crimson

Crimson contains a module to steal credentials from Web browsers on the victim machine.[23][24]

S0367 Emotet

Emotet has been observed dropping browser password grabber modules. [25][26]

S0363 Empire

Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.[27]

G0037 FIN6

FIN6 has used the Stealer One credential stealer to target web browsers.[28]

S0531 Grandoreiro

Grandoreiro can steal cookie data and credentials from Google Chrome.[29][30]

S0132 H1N1

H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[31]

G1001 HEXANE

HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.[32]

S0434 Imminent Monitor

Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.[33]

G0100 Inception

Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.[34]

S0528 Javali

Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.[35]

S0283 jRAT

jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[36]

S0387 KeyBoy

KeyBoy attempts to collect passwords from browsers.[37]

S0526 KGH_SPY

KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.[38]

G0094 Kimsuky

Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.[39][40][41][42]

S0356 KONNI

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[43]

G1004 LAPSUS$

LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.[44]

S0349 LaZagne

LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[45]

G0077 Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne.[46]

S0681 Lizar

Lizar has a module to collect usernames and passwords stored in browsers.[47]

S0447 Lokibot

Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[48]

S0409 Machete

Machete collects stored credentials from several web browsers.[49]

G1026 Malteiro

Malteiro has stolen credentials stored in the victim’s browsers via software tool NirSoft WebBrowserPassView.[50]

S1156 Manjusaka

Manjusaka gathers credentials from Chromium-based browsers.[51]

S0530 Melcoz

Melcoz has the ability to steal credentials from web browsers.[35]

S1146 MgBot

MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.[52][53]

S0002 Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DPAPI.[54][55][56][57]

S1122 Mispadu

Mispadu can steal credentials from Google Chrome.[50][58][59]

G0021 Molerats

Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[60]

G0069 MuddyWater

MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.[61][62]

S0198 NETWIRE

NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.[63][64][65]

S0385 njRAT

njRAT has a module that steals passwords saved in victim web browsers.[66][67][68]

G0049 OilRig

OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[69][70][71][72] OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.[72]

S0138 OLDBAIT

OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.[73]

S0365 Olympic Destroyer

Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[1]

G0040 Patchwork

Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[74]

S0048 PinchDuke

PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer. [22]

S0435 PLEAD

PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[75][76]

S0428 PoetRAT

PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.[77]

S0113 Prikormka

A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.[78]

S0279 Proton

Proton gathers credentials for Google Chrome.[79]

S0192 Pupy

Pupy can use Lazagne for harvesting credentials.[80]

S0650 QakBot

QakBot has collected usernames and passwords from Firefox and Chrome.[81]

S0262 QuasarRAT

QuasarRAT can obtain passwords from common web browsers.[82][83]

S1148 Raccoon Stealer

Raccoon Stealer collects passwords, cookies, and autocomplete information from various popular web browsers.[84]

S0629 RainyDay

RainyDay can use tools to collect credentials from web browsers.[85]

G1039 RedCurl

RedCurl used LaZagne to obtain passwords from web browsers.[86][87]

S0153 RedLeaves

RedLeaves can gather browser usernames and passwords.[88]

S0240 ROKRAT

ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.[89]

G0034 Sandworm Team

Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[90]

S0692 SILENTTRINITY

SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.[91]

S0226 Smoke Loader

Smoke Loader searches for credentials stored from web browsers.[92]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 stole users' saved passwords from Chrome.[93]

G0038 Stealth Falcon

Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.[94]

S1042 SUGARDUMP

SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.[95]

G0092 TA505

TA505 has used malware to gather credentials from Internet Explorer.[96]

S0266 TrickBot

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[97][98][99]

S0094 Trojan.Karagany

Trojan.Karagany can steal data and credentials from browsers.[100]

S0436 TSCookie

TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.[101]

S0130 Unknown Logger

Unknown Logger is capable of stealing usernames and passwords from browsers on the victim machine.[102]

G1017 Volt Typhoon

Volt Typhoon has targeted network administrator browser data including browsing history and stored credentials.[103]

S0670 WarzoneRAT

WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.[104][105]

S0161 XAgentOSX

XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[106]

S0251 Zebrocy

Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.[107]

G0128 ZIRCONIUM

ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.[108]

Mitigations

ID Mitigation Description
M1027 Password Policies

Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.

M1021 Restrict Web-Based Content

Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.

M1051 Update Software

Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

M1018 User Account Management

Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.

M1017 User Training

Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.[1]

Analytic 1 - Commands indicating credential searches in web browsers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("sqlite3 logins", "CryptUnprotectData", "security find-internet-password", "sqlcipher logins", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))

DS0022 File File Access

Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser.

Analytic 1 - Unauthorized access to web browser credential files.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="file_open"((file_path IN ("\AppData\Local\Google\Chrome\User Data\Default\Login Data", "\AppData\Local\Microsoft\Edge\User Data\Default\Login Data", "\AppData\Roaming\Mozilla\Firefox\Profiles\\logins.json") AND Platform="Windows") OR (file_path IN ("/home//.mozilla/firefox//logins.json", "/home//.config/google-chrome/Default/Login Data") AND Platform="Linux") OR (file_path IN ("/Users//Library/Application Support/Google/Chrome/Default/Login Data", "/Users//Library/Application Support/Firefox/Profiles//logins.json") AND Platform="macOS"))

DS0009 Process OS API Execution

Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.[1]

Analytic 1 - Suspicious API calls related to web browser credential access.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="api_call"(api IN ("CryptUnprotectData", "NSS_Init", "PK11SDR_Decrypt", "SecItemCopyMatching", "SecItemAdd", "SecItemUpdate", "SecItemDelete"))

Process Access

Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).

Analytic 1 - Unauthorized process access indicating credential searches in web browsers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("sqlite3 logins", "sqlcipher logins", "db-browser Login Data", "db-browser logins.json", "CryptUnprotectData", "security find-internet-password", "security dump-keychain", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))

References

  1. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  2. Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019.
  3. Proofpoint. (2018, May 10). New Vega Stealer shines brightly in targeted campaign . Retrieved June 18, 2019.
  4. Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18, 2019.
  5. Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.
  6. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  7. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  8. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  9. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  10. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  11. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  12. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  13. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  14. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  15. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  16. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  17. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  18. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  19. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  20. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  21. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  22. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  23. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  24. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  25. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  26. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  27. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  28. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  29. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  30. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  31. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  32. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  33. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  34. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  35. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  36. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  37. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  38. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  39. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  40. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  41. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  42. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  43. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  44. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  45. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  46. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  47. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  48. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  49. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  50. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  51. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
  52. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  53. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  54. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  1. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  2. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  4. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  5. Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
  6. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  7. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  8. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  9. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  10. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  11. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  12. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  13. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  14. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  15. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  16. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  17. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  18. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  19. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  20. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  21. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  22. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  23. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  24. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  25. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  26. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  27. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  28. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  29. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  30. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  31. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  32. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  33. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  34. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  35. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  36. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  37. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  38. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  39. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  40. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  41. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  42. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  43. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  44. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  45. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  46. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  47. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  48. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  49. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  50. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  51. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  52. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  53. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  54. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.