Command and Scripting Interpreter: Windows Command Shell, Sub-technique T1059.003 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Other sub-techniques of Command and Scripting Interpreter (12)
ID | Name
T1059.001 | PowerShell
T1059.002 | AppleScript
T1059.003 | Windows Command Shell
T1059.004 | Unix Shell
T1059.005 | Visual Basic
T1059.006 | Python
T1059.007 | JavaScript
T1059.008 | Network Device CLI
T1059.009 | Cloud API
T1059.010 | AutoHotKey & AutoIT
T1059.011 | Lua
T1059.012 | Hypervisor CLI
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH. [1]

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.
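The description above names the observables a defender can key on: cmd.exe launched with /c or /k, batch files (.bat or .cmd), output redirected to a remote share or C2 channel, and a shell spawned by a process that should never spawn one (MS-SQL via xp_cmdshell, a web server hosting a web shell, an Office macro, all of which appear in the procedure examples on this page). The following Python script is an added example, not part of the ATT&CK page or project, that scores constructed process-creation events against those indicators. The line format, the weights, the alert threshold and the parent-process sets (sqlservr.exe, w3wp.exe, the Office binaries) are assumptions made for this illustration; the field names mirror Sysmon Event ID 1 so the same logic could be pointed at real Sysmon or Security 4688 data.

```python
"""Score Windows process-creation events for suspicious cmd.exe use.

Added example for T1059.003 (not ATT&CK project code). Field names mirror
Sysmon Event ID 1, but the line format, weights and parent-process sets are
assumptions made for this illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real Sysmon output). CommandLine is always the
# last field so it may contain any character except a newline.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Windows\System32\cmd.exe"
Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|CommandLine=cmd.exe /c whoami
Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|CommandLine=cmd.exe /c "dir C:\inetpub"
Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=cmd.exe /Q/c move C:\temp\sys.tmp1 C:\Windows\svc.exe 1> \\127.0.0.1\ADMIN$\_1636727589 2>&1
Image=C:\Users\Public\svchost.exe|OriginalFileName=Cmd.Exe|ParentImage=C:\Windows\explorer.exe|CommandLine=svchost.exe /c C:\Users\Public\kill.bat
Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=cmd.exe /c start update.bat
Image=C:\Windows\System32\notepad.exe|OriginalFileName=NOTEPAD.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe C:\notes.txt
"""

FIELDS = ("Image", "OriginalFileName", "ParentImage", "CommandLine")

# Assumed parent sets: MS-SQL (xp_cmdshell), IIS worker (web shells), Office (macros).
SQL_PARENTS = {"sqlservr.exe"}
WEB_PARENTS = {"w3wp.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

WEIGHTS = {
    "renamed_cmd_image": 4,  # OriginalFileName says Cmd.Exe but the file on disk is named otherwise
    "parent_sqlservr": 4,    # shell spawned from MS-SQL, xp_cmdshell style
    "parent_webserver": 4,   # shell spawned from an IIS worker, web-shell style
    "parent_office": 3,      # shell spawned from an Office macro
    "unc_redirect": 3,       # output redirected to a UNC path such as ADMIN$
    "batch_file": 1,         # a .bat/.cmd script on the command line
    "switch_c": 1,           # /c or /k one-shot execution
    "switch_q": 1,           # /q echo-off, typical of scripted use
}
ALERT_THRESHOLD = 4  # assumed; tune against the environment's baseline


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value|...' line; the last field keeps any '|' or '='."""
    evt: Dict[str, str] = {}
    for part in line.split("|", len(FIELDS) - 1):
        key, _, value = part.partition("=")
        evt[key] = value
    return evt


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmd_indicators(evt: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one event (empty if it is not cmd.exe)."""
    image = _basename(evt.get("Image", ""))
    original = evt.get("OriginalFileName", "").lower()
    if image != "cmd.exe" and original != "cmd.exe":
        return []
    parent = _basename(evt.get("ParentImage", ""))
    cmdline = evt.get("CommandLine", "")
    lower = cmdline.lower()
    hits: List[str] = []
    if image != "cmd.exe":
        hits.append("renamed_cmd_image")
    if parent in SQL_PARENTS:
        hits.append("parent_sqlservr")
    if parent in WEB_PARENTS:
        hits.append("parent_webserver")
    if parent in OFFICE_PARENTS:
        hits.append("parent_office")
    # Switches may be run together ("/Q/c"), so match every "/x" not followed by a word char.
    switches = set(re.findall(r"/([a-z])(?![\w.])", lower))
    if switches & {"c", "k"}:
        hits.append("switch_c")
    if "q" in switches:
        hits.append("switch_q")
    if re.search(r"[\w\\:.%~-]+\.(?:bat|cmd)(?![\w.])", lower):
        hits.append("batch_file")
    # "1> \\host\share\..." or "> \\host\..." sends command output to a remote share.
    if re.search(r"\d?>\s*\\\\", cmdline):
        hits.append("unc_redirect")
    return hits


def score_event(evt: Dict[str, str]) -> Tuple[int, List[str]]:
    """Sum the weights of every indicator that fired."""
    hits = cmd_indicators(evt)
    return sum(WEIGHTS[h] for h in hits), hits


def triage(log_text: str, threshold: int = ALERT_THRESHOLD) -> List[Tuple[str, int, List[str]]]:
    """Return (command line, score, indicators) for each event at or above threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        evt = parse_event(line)
        score, hits = score_event(evt)
        if score >= threshold:
            alerts.append((evt.get("CommandLine", ""), score, hits))
    return alerts


if __name__ == "__main__":
    for cmdline, score, hits in triage(SAMPLE_LOG):
        print(f"[score {score}] {cmdline}")
        print("    " + ", ".join(hits))
```

Run stand-alone, the script reports five of the seven constructed events: the plain interactive cmd.exe and the notepad.exe event stay below the threshold, while the MS-SQL, IIS and Office parents, the renamed cmd.exe image and the UNC-redirected move each score on their own. The /c and batch-file indicators are deliberately cheap because they are common in legitimate administration; they only push an event over the line when combined with a stronger signal.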
ID: T1059.003
Sub-technique of: T1059
Tactic: Execution
Platforms: Windows
Version: 1.5
Created: 09 March 2020
Last Modified: 15 April 2025
Procedure Examples
ID
Name
Description
C0025
2016 Ukraine Electric Power Attack
During the
2016 Ukraine Electric Power Attack
Sandworm Team
used the
xp_cmdshell
command in MS-SQL.
[2]
S0065
4H RAT
4H RAT
has the capability to create a remote shell.
[3]
S0469
ABK
ABK
has the ability to use
cmd
to run a Portable Executable (PE) on the compromised host.
[4]
S1028
Action RAT
Action RAT
can use
cmd.exe
to execute commands on an infected host.
[5]
S0202
adbupd
adbupd
can run a copy of cmd.exe.
[6]
G0018
admin@338
Following exploitation with
LOWBALL
malware,
admin@338
actors created a file containing a list of commands to be executed on the compromised computer.
[7]
S0045
ADVSTORESHELL
ADVSTORESHELL
can create a remote shell and run a given command.
[8]
[9]
G1030
Agrius
Agrius
uses
ASPXSpy
web shells to enable follow-on command execution via
cmd.exe
[10]
S1129
Akira
Akira
executes from the Windows command line and can take various arguments for execution.
[11]
S0504
Anchor
Anchor
has used cmd.exe to run its self deletion routine.
[12]
G0006
APT1
APT1
has used the Windows command shell to execute commands, and batch scripting to automate execution.
[13]
G0026
APT18
APT18
uses cmd.exe to execute commands on the victim’s machine.
[14]
[15]
G0007
APT28
An
APT28
loader Trojan uses a cmd.exe and batch script to run its payload.
[16]
The group has also used macros to execute payloads.
[17]
[18]
[19]
[20]
C0051
APT28 Nearest Neighbor Campaign
During
APT28 Nearest Neighbor Campaign
APT28
used
cmd.exe
for execution.
[21]
G0022
APT3
An
APT3
downloader uses the Windows command
"cmd.exe" /C whoami
. The group also uses a tool to execute commands on remote computers.
[22]
[23]
G0050
APT32
APT32
has used cmd.exe for execution.
[24]
G0067
APT37
APT37
has used the command-line interface.
[25]
[26]
G0082
APT38
APT38
has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.
[27]
Additionally,
APT38
has used batch scripts.
[28]
G0096
APT41
APT41
used
cmd.exe /c
to execute commands on remote machines.
[29]
APT41
used a batch file to install persistence for the
Cobalt Strike
BEACON loader.
[30]
G1023
APT5
APT5
has used cmd.exe for execution on compromised systems.
[31]
G0143
Aquatic Panda
Aquatic Panda
has attempted and failed to run Bash commands on a Windows host by passing them to
cmd /C
[32]
S0373
Astaroth
Astaroth
spawns a CMD process to execute commands.
[33]
S0347
AuditCred
AuditCred
can open a reverse shell on the system to execute commands.
[34]
S1029
AuTo Stealer
AuTo Stealer
can use
cmd.exe
to execute a created batch file.
[5]
S0638
Babuk
Babuk
has the ability to use the command line to control execution on compromised hosts.
[35]
[36]
S0414
BabyShark
BabyShark
has used cmd.exe to execute commands.
[37]
S0475
BackConfig
BackConfig
can download and run batch files to execute commands on a compromised host.
[38]
S0031
BACKSPACE
Adversaries can direct
BACKSPACE
to execute from the command line on infected hosts, or have
BACKSPACE
create a reverse shell.
[39]
S1081
BADHATCH
BADHATCH
can use
cmd.exe
to execute commands on a compromised host.
[40]
[41]
S0128
BADNEWS
BADNEWS
is capable of executing commands via cmd.exe.
[42]
[43]
S0234
Bandook
Bandook
is capable of spawning a Windows command shell.
[44]
[45]
S0239
Bankshot
Bankshot
uses the command-line interface to execute arbitrary commands.
[46]
[47]
S0534
Bazar
Bazar
can launch cmd.exe to perform reconnaissance commands.
[48]
[49]
S0470
BBK
BBK
has the ability to use
cmd
to run a Portable Executable (PE) on the compromised host.
[4]
S0017
BISCUIT
BISCUIT
has a command to launch a command shell on the system.
[50]
S0268
Bisonal
Bisonal
has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.
[51]
[52]
[53]
S1070
Black Basta
Black Basta
can use
cmd.exe
to enable shadow copy deletion.
[54]
G1043
BlackByte
BlackByte
executed ransomware using the Windows command shell.
[55]
S1068
BlackCat
BlackCat
can execute commands on a compromised network with the use of
cmd.exe
[56]
S0069
BLACKCOFFEE
BLACKCOFFEE
has the capability to create a reverse shell.
[57]
S0564
BlackMould
BlackMould
can run cmd.exe with parameters.
[58]
S0520
BLINDINGCAN
BLINDINGCAN
has executed commands via cmd.exe.
[59]
G0108
Blue Mockingbird
Blue Mockingbird
has used batch script files to automate execution and deployment of payloads.
[60]
S0360
BONDUPDATER
BONDUPDATER
can read batch commands in a file sent from its C2 server and execute them with cmd.exe.
[61]
S0651
BoxCaon
BoxCaon
can execute arbitrary commands and utilize the "ComSpec" environment variable.
[62]
G0060
BRONZE BUTLER
BRONZE BUTLER
has used batch scripts and the command-line interface for execution.
[63]
S1063
Brute Ratel C4
Brute Ratel C4
can use cmd.exe for execution.
[64]
S1039
Bumblebee
Bumblebee
can use
cmd.exe
to drop and run files.
[65]
[66]
C0015
C0015
During
C0015
, the threat actors used
cmd.exe
to execute commands and run malicious binaries.
[67]
C0017
C0017
During
C0017
APT41
used
cmd.exe
to execute reconnaissance commands.
[68]
S0025
CALENDAR
CALENDAR
has a command to run cmd.exe to execute commands.
[50]
S0030
Carbanak
Carbanak
has a command to create a reverse shell.
[69]
S0348
Cardinal RAT
Cardinal RAT
can execute commands.
[70]
S0462
CARROTBAT
CARROTBAT
has the ability to execute command line arguments on a compromised host.
[71]
S0572
Caterpillar WebShell
Caterpillar WebShell
can run commands on the compromised asset with CMD functions.
[72]
S1043
ccf32
ccf32
has used
cmd.exe
for archiving data and deleting files.
[73]
S0631
Chaes
Chaes
has used
cmd
to execute tasks on the system.
[74]
S0674
CharmPower
The C# implementation of the
CharmPower
command execution module can use
cmd
[75]
G0114
Chimera
Chimera
has used the Windows Command Shell and batch scripts for execution on compromised hosts.
[76]
S0020
China Chopper
China Chopper
's server component is capable of opening a command terminal.
[77]
[78]
[79]
G1021
Cinnamon Tempest
Cinnamon Tempest
has executed ransomware using batch scripts deployed via GPO.
[80]
S0660
Clambling
Clambling
can use cmd.exe for command execution.
[81]
S0611
Clop
Clop
can use cmd.exe to help execute commands on the system.
[82]
S0106
cmd
cmd
is used to execute programs and other actions at the command-line interface.
[83]
G0080
Cobalt Group
Cobalt Group
has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.
[84]
The group has used an exploit toolkit known as Threadkit that launches .bat files.
[85]
[86]
[87]
[84]
[88]
[89]
S0154
Cobalt Strike
Cobalt Strike
uses a command-line interface to interact with systems.
[90]
[91]
[92]
[93]
S0338
Cobian RAT
Cobian RAT
can launch a remote command shell interface for executing commands.
[94]
S0369
CoinTicker
CoinTicker
executes a bash script to establish a reverse shell.
[95]
S0244
Comnie
Comnie
executes BAT scripts.
[96]
S0126
ComRAT
ComRAT
has used
cmd.exe
to execute commands.
[97]
S0575
Conti
Conti
can utilize command line options to allow an attacker control over how it scans and encrypts files.
[98]
[67]
S1155
Covenant
Covenant
provides access to a Command Shell in Windows environments for follow-on command execution and tasking.
[99]
S0046
CozyCar
A module in
CozyCar
allows arbitrary commands to be executed by invoking
C:\Windows\System32\cmd.exe
[100]
S0115
Crimson
Crimson
has the ability to execute commands with the COMSPEC environment variable.
[101]
S0625
Cuba
Cuba
has used
cmd.exe /c
and batch files for execution.
[102]
S1014
DanBot
DanBot
has the ability to execute arbitrary commands via
cmd.exe
[103]
[104]
G0070
Dark Caracal
Dark Caracal
has used macros in Word documents that would download a second stage if executed.
[105]
S0334
DarkComet
DarkComet
can launch a remote shell to execute commands on the victim’s machine.
[106]
S1111
DarkGate
DarkGate
uses a malicious Windows Batch script to run the Windows
code
utility to retrieve follow-on script payloads.
[107]
DarkGate
has also used
cmd.exe
to create a remote shell.
[108]
G0012
Darkhotel
Darkhotel
has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.
[109]
S1066
DarkTortilla
DarkTortilla
can use
cmd.exe
to add registry keys for persistence.
[110]
S0673
DarkWatchman
DarkWatchman
can use
cmd.exe
to execute commands.
[111]
S0187
Daserf
Daserf
can execute shell commands.
[112]
[63]
S1052
DEADEYE
DEADEYE
can run
cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll
to combine separated sections of code into a single DLL prior to execution.
[68]
S0243
DealersChoice
DealersChoice
makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.
[113]
S0354
Denis
Denis
can launch a remote shell to execute arbitrary commands on the victim’s machine.
[114]
[24]
S0200
Dipsind
Dipsind
can spawn remote shells.
[6]
S1021
DnsSystem
DnsSystem
can use
cmd.exe
for execution.
[115]
S0186
DownPaper
DownPaper
uses the command line.
[116]
G0035
Dragonfly
Dragonfly
has used various types of scripting to perform operations, including batch scripts.
[117]
S0547
DropBook
DropBook
can execute arbitrary shell commands on the victims' machines.
[118]
[119]
S0567
Dtrack
Dtrack
has used
cmd.exe
to add a persistent service.
[120]
S1159
DUSTTRAP
DUSTTRAP
can execute commands via
cmd.exe
[121]
S0593
ECCENTRICBANDWAGON
ECCENTRICBANDWAGON
can use
cmd
to execute commands on a victim’s machine.
[122]
S0554
Egregor
Egregor
has used batch files for execution and can launch Internet Explorer from cmd.exe.
[123]
[124]
S0082
Emissary
Emissary
has the capability to create a remote shell and execute specified commands.
[125]
S0367
Emotet
Emotet
has used cmd.exe to run a PowerShell script.
[126]
S0363
Empire
Empire
has modules for executing scripts.
[127]
S0634
EnvyScout
EnvyScout
can use cmd.exe to execute malicious files on compromised hosts.
[128]
S0396
EvilBunny
EvilBunny
has an integrated scripting engine to download and execute Lua scripts.
[129]
S0343
Exaramel for Windows
Exaramel for Windows
has a command to launch a remote shell and executes commands on the victim’s machine.
[130]
S0171
Felismus
Felismus
uses command line for execution.
[131]
S0267
FELIXROOT
FELIXROOT
executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.
[132]
[133]
G0051
FIN10
FIN10
has executed malicious .bat files containing PowerShell commands.
[134]
G1016
FIN13
FIN13
has leveraged
xp_cmdshell
and Windows Command Shell to execute commands on a compromised machine.
FIN13
has also attempted to leverage the ‘xp_cmdshell’ SQL procedure to execute remote commands on internal MS-SQL servers.
[135]
[136]
G0037
FIN6
FIN6
has used
kill.bat
script to disable security tools.
[137]
G0046
FIN7
FIN7
used the command prompt to launch commands on the victim’s machine.
[138]
[139]
[140]
G0061
FIN8
FIN8
has used a Batch file to automate frequently executed post compromise cleanup activities.
[141]
FIN8
has also executed commands remotely via
cmd.exe
[142]
[143]
[144]
S0696
Flagpro
Flagpro
can use
cmd.exe
to execute commands received from C2.
[145]
S0381
FlawedAmmyy
FlawedAmmyy
has used
cmd
to execute commands on a compromised host.
[146]
G0117
Fox Kitten
Fox Kitten
has used cmd.exe likely as a password changing mechanism.
[147]
C0001
Frankenstein
During
Frankenstein
, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line
[148]
S1044
FunnyDream
FunnyDream
can use
cmd.exe
for execution on remote hosts.
[73]
C0007
FunnyDream
During
FunnyDream
, the threat actors used
cmd.exe
to execute the wmiexec.vbs script.
[73]
G0093
GALLIUM
GALLIUM
used the Windows command shell to execute commands.
[149]
G0047
Gamaredon Group
Gamaredon Group
has used various batch scripts to establish C2 and download additional files.
Gamaredon Group
's backdoor malware has also been written to a batch file.
[150]
[151]
[152]
[153]
S0666
Gelsemium
Gelsemium
can use a batch script to delete itself.
[154]
S0249
Gold Dragon
Gold Dragon
uses cmd.exe to execute commands for discovery.
[155]
S0493
GoldenSpy
GoldenSpy
can execute remote commands via the command-line interface.
[156]
S0588
GoldMax
GoldMax
can spawn a command shell, and execute native commands.
[157]
[158]
S0477
Goopy
Goopy
has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.
[24]
G0078
Gorgon Group
Gorgon Group
malware can use cmd.exe to download and execute payloads and to execute commands on the system.
[159]
S0237
GravityRAT
GravityRAT
executes commands remotely on the infected host.
[160]
S0342
GreyEnergy
GreyEnergy
uses cmd.exe to execute itself in-memory.
[133]
S0632
GrimAgent
GrimAgent
can use the Windows Command Shell to execute commands, including its own removal.
[161]
S0132
H1N1
H1N1
kills and disables services by using cmd.exe.
[162]
G0125
HAFNIUM
HAFNIUM
has used
cmd.exe
to execute commands on the victim's machine.
[163]
S1211
Hannotog
Hannotog
can execute various
cmd.exe /c %s
commands.
[164]
S0246
HARDRAIN
HARDRAIN
uses cmd.exe to execute
netsh
commands.
[165]
S0391
HAWKBALL
HAWKBALL
has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.
[166]
S0071
hcdLoader
hcdLoader
provides command-line access to the compromised system.
[167]
S0170
Helminth
Helminth
can provide a remote shell. One version of
Helminth
uses batch scripting.
[168]
S0697
HermeticWiper
HermeticWiper
can use
cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1
to deploy on an infected system.
[169]
S0698
HermeticWizard
HermeticWizard
can use
cmd.exe
for execution on compromised hosts.
[169]
S0087
Hi-Zor
Hi-Zor
has the ability to create a reverse shell.
[170]
S0394
HiddenWasp
HiddenWasp
uses a script to automate tasks on the victim's machine and to assist in execution.
[171]
G0126
Higaisa
Higaisa
used
cmd.exe
for execution.
[172]
[173]
[174]
S0009
Hikit
Hikit
has the ability to create a remote shell and run given commands.
[175]
S0232
HOMEFRY
HOMEFRY
uses a command-line interface.
[176]
C0038
HomeLand Justice
During
HomeLand Justice
, threat actors used Windows batch files for persistence and execution.
[177]
[178]
S0376
HOPLIGHT
HOPLIGHT
can launch cmd.exe to execute commands on the system.
[179]
S0431
HotCroissant
HotCroissant
can remotely open applications on the infected host with the
ShellExecuteA
command.
[180]
S0070
HTTPBrowser
HTTPBrowser
is capable of spawning a reverse shell on a victim.
[181]
S0068
httpclient
httpclient
opens cmd.exe on the victim.
[3]
G1032
INC Ransom
INC Ransom
has used
cmd.exe
to launch malicious payloads.
[182]
G0119
Indrik Spider
Indrik Spider
has used batch scripts on victim's machines.
[183]
[184]
S0259
InnaputRAT
InnaputRAT
launches a shell to execute commands on the victim’s machine.
[185]
S0260
InvisiMole
InvisiMole
can launch a remote shell to execute commands.
[186]
[187]
S1132
IPsec Helper
IPsec Helper
can run arbitrary commands passed to it through
cmd.exe
[10]
S0015
Ixeshe
Ixeshe
is capable of executing commands via
cmd
[188]
S0389
JCry
JCry
has used
cmd.exe
to launch PowerShell.
[189]
S0044
JHUHUGIT
JHUHUGIT
uses a .bat file to execute a .dll.
[17]
S0201
JPIN
JPIN
can use the command-line utility cacls.exe to change file permissions.
[6]
S0283
jRAT
jRAT
has command line access.
[190]
S1190
Kapeka
Kapeka
allows for arbitrary Windows command execution.
[191]
S0088
Kasidet
Kasidet
can execute commands using cmd.exe.
[192]
S0265
Kazuar
Kazuar
uses cmd.exe to execute commands on the victim’s machine.
[193]
G0004
Ke3chang
Ke3chang
has used batch scripts in its malware to install persistence mechanisms.
[194]
S1020
Kevin
Kevin
can use a renamed image of
cmd.exe
for execution.
[195]
S0387
KeyBoy
KeyBoy
can launch interactive shells for communicating with the victim machine.
[196]
[197]
S0271
KEYMARBLE
KEYMARBLE
can execute shell commands using cmd.exe.
[198]
S0526
KGH_SPY
KGH_SPY
has the ability to set a Registry key to run a cmd.exe command.
[199]
G0094
Kimsuky
Kimsuky
has executed Windows commands by using
cmd
and running batch scripts.
[200]
[201]
S0250
Koadic
Koadic
can open an interactive command-shell to perform command line functions on victim machines.
Koadic
performs most of its operations using Windows Script Host (Jscript) and to run arbitrary shellcode.
[202]
[203]
S0669
KOCTOPUS
KOCTOPUS
has used
cmd.exe
and batch files for execution.
[203]
S0156
KOMPROGO
KOMPROGO
is capable of creating a reverse shell.
[204]
S0356
KONNI
KONNI
has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.
[205]
[206]
[207]
S1160
Latrodectus
The
Latrodectus
command handler can use
cmdexe
to run multiple discovery commands.
[208]
[209]
G0032
Lazarus Group
Lazarus Group
malware uses cmd.exe to execute commands on a compromised host.
[210]
[211]
[212]
[213]
[214]
A Destover-like variant used by
Lazarus Group
uses a batch file mechanism to delete its binaries from the system.
[215]
G0140
LazyScripter
LazyScripter
has used batch files to deploy open-source and multi-stage RATs.
[203]
S0395
LightNeuron
LightNeuron
is capable of executing commands via cmd.exe.
[216]
S0211
Linfo
Linfo
creates a backdoor through which remote attackers can start a remote shell.
[217]
S0681
Lizar
Lizar
has a command to open the command-line on the infected system.
[218]
[219]
S1199
LockBit 2.0
LockBit 2.0
can use the Windows command shell for multiple post-compromise actions on objective.
[220]
[221]
[222]
S0447
Lokibot
Lokibot
has used
cmd /c
commands embedded within batch scripts.
[223]
S0582
LookBack
LookBack
executes the
cmd.exe
command.
[224]
S0451
LoudMiner
LoudMiner
used a batch script to run the Linux virtual machine as a service.
[225]
S0532
Lucifer
Lucifer
can issue shell commands to download and execute additional payloads.
[226]
S1141
LunarWeb
LunarWeb
can run shell commands using a BAT file with a name matching
%TEMP%\<random_9_alnum_chars>.batfile
or through cmd.exe with the
/c
and
/U
option for Unicode output.
[227]
G0095
Machete
Machete
has used batch files to initiate additional downloads of malicious files.
[228]
S1060
Mafalda
Mafalda
can execute shell commands using
cmd.exe
[229]
G0059
Magic Hound
Magic Hound
has used the command-line interface for code execution.
[230]
[231]
[232]
S1182
MagicRAT
MagicRAT
allows for the execution of arbitrary commands on the victim system.
[233]
S1156
Manjusaka
Manjusaka
can execute arbitrary commands passed to it from the C2 controller via
cmd.exe /c
[234]
S0652
MarkiRAT
MarkiRAT
can utilize cmd.exe to execute commands in a victim's environment.
[235]
S0449
Maze
The
Maze
encryption process has used batch scripts with various commands.
[236]
[237]
S0500
MCMD
MCMD
can launch a console process (cmd.exe) with redirected standard input and output.
[238]
S0459
MechaFlounder
MechaFlounder
has the ability to run commands on a compromised host.
[239]
S0576
MegaCortex
MegaCortex
has used
.cmd
scripts on the victim's system.
[240]
S1191
Megazord
Megazord
can execute multiple commands post infection via
cmd.exe
[241]
G0045
menuPass
menuPass
executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.
[242]
[243]
[244]
[245]
menuPass
has used malicious macros embedded inside Office documents to execute files.
[246]
[245]
G1013
Metador
Metador
has used the Windows command line to execute commands.
[247]
S0455
Metamorfo
Metamorfo
has used
cmd.exe /c
to execute files.
[248]
S0688
Meteor
Meteor
can run
set.bat
update.bat
cache.bat
bcd.bat
msrun.bat
, and similar scripts.
[249]
S0339
Micropsia
Micropsia
creates a command-line shell using cmd.exe.
[250]
S1015
Milan
Milan
can use
cmd.exe
for discovery actions on a targeted system.
[104]
S0280
MirageFox
MirageFox
has the capability to execute commands using cmd.exe.
[251]
S0084
Mis-Type
Mis-Type
has used
cmd.exe
to run commands on a compromised host.
[252]
S0083
Misdat
Misdat
is capable of providing shell functionality to the attacker to execute commands.
[252]
S0080
Mivast
Mivast
has the capability to open a remote shell and run basic commands.
[253]
S0553
MoleNet
MoleNet
can execute commands via the command line utility.
[118]
S0149
MoonWind
MoonWind
can execute commands via an interactive command shell.
[254]
MoonWind
uses batch scripts for various purposes, including to restart and uninstall itself.
[254]
S0284
More_eggs
More_eggs
has used cmd.exe for execution.
[255]
[256]
S0256
Mosquito
Mosquito
executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.
[257]
G0069
MuddyWater
MuddyWater
has used a custom tool for creating reverse shells.
[258]
S1135
MultiLayer Wiper
MultiLayer Wiper
uses a batch script launched via a scheduled task to delete Windows Event Logs.
[259]
S0233
MURKYTOP
MURKYTOP
uses the command-line interface.
[176]
G0129
Mustang Panda
Mustang Panda
has executed HTA files via cmd.exe, and used batch scripts for collection.
[260]
[261]
S0336
NanoCore
NanoCore
can open a remote command-line interface and execute commands.
[262]
NanoCore
uses JavaScript files.
[263]
S0247
NavRAT
NavRAT
leverages cmd.exe to perform discovery techniques.
[264]
NavRAT
loads malicious shellcode and executes it in memory.
[264]
S0630
Nebulae
Nebulae
can use CMD to execute a process.
[265]
S0034
NETEAGLE
NETEAGLE
allows adversaries to execute shell commands on the infected host.
[39]
S0457
Netwalker
Operators deploying
Netwalker
have used batch scripts to retrieve the
Netwalker
payload.
[266]
S0198
NETWIRE
NETWIRE
can issue commands using cmd.exe.
[267]
[268]
C0002
Night Dragon
During
Night Dragon
, threat actors used
zwShell
to establish full remote control of the connected machine and run command-line shells.
[269]
S1147
Nightdoor
Nightdoor
creates a cmd.exe shell to send and receive commands from the command and control server via open pipes.
[270]
S0385
njRAT
njRAT
can launch a command shell interface for executing commands.
[271]
G0133
Nomadic Octopus
Nomadic Octopus
used
cmd.exe /c
within a malicious macro.
[272]
S0346
OceanSalt
OceanSalt
can create a reverse shell on the infected endpoint using cmd.exe.
[273]
OceanSalt
has been executed via malicious macros.
[273]
S1170
ODAgent
ODAgent
can execute a specified command line passed via API.
[274]
S1172
OilBooster
OilBooster
has the ability to execute shell commands and exfiltrate the results.
[274]
G0049
OilRig
OilRig
has used macros to deliver malware such as
QUADAGENT
and
OopsIE
[275]
[276]
[277]
[278]
[279]
OilRig
has used batch scripts.
[275]
[276]
[277]
[278]
[279]
S0439
Okrum
Okrum
's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.
[280]
S0264
OopsIE
OopsIE
uses the command prompt to execute commands on the victim's machine.
[277]
[281]
C0012
Operation CuckooBees
During
Operation CuckooBees
, the threat actors used batch scripts to perform reconnaissance.
[282]
C0022
Operation Dream Job
During
Operation Dream Job
Lazarus Group
launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.
[283]
[284]
C0006
Operation Honeybee
During
Operation Honeybee
, various implants used batch scripting and
cmd.exe
for execution.
[285]
C0014
Operation Wocao
During
Operation Wocao
, threat actors spawned a new
cmd.exe
process to execute commands.
[286]
S0229
Orz
Orz
can execute shell commands.
[287]
Orz
can execute commands with JavaScript.
[287]
S0594
Out1
Out1
can use native command line for execution.
[288]
S1017
OutSteel
OutSteel
has used
cmd.exe
to scan a compromised host for specific file extensions.
[289]
G0040
Patchwork
Patchwork
ran a reverse shell with Meterpreter.
[290]
Patchwork
used JavaScript code and .SCT files on victim machines.
[43]
[291]
S1050
PcShare
PcShare
can execute
cmd
commands on a compromised host.
[73]
S0643
Peppy
Peppy
has the ability to execute shell commands.
[292]
S0158
PHOREAL
PHOREAL
is capable of creating reverse shell.
[204]
S1145
Pikabot
Pikabot
can execute Windows shell commands via
cmd.exe
[293]
S1031
PingPull
PingPull
can use
cmd.exe
to run various commands as a reverse shell.
[294]
S0124
Pisloader
Pisloader
uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.
[295]
S0254
PLAINTEE
PLAINTEE
uses cmd.exe to execute commands on the victim’s machine.
[296]
G1040
Play
Play
has used a batch script to remove indicators of its presence on compromised hosts.
[297]
S0435
PLEAD
PLEAD
has the ability to execute shell commands on the compromised host.
[298]
S0013
PlugX
PlugX
allows actors to spawn a reverse shell on a victim.
[181]
[299]
S0428
PoetRAT
PoetRAT
has called cmd through a Word document macro.
[300]
S0012
PoisonIvy
PoisonIvy
creates a backdoor through which remote attackers can open a command-line interface.
[301]
S0453
Pony
Pony
has used batch scripts to delete itself after execution.
[302]
S0139
PowerDuke
PowerDuke
runs
cmd.exe /c
and sends the output to its C2.
[303]
S0184
POWRUNER
POWRUNER
can execute commands from its C2 server.
[275]
S0238
Proxysvc
Proxysvc
executes a binary on the system and logs the results into a temp file by using:
cmd.exe /c "
> %temp%\PM* .tmp 2>&1"
[215]
S0147
Pteranodon
Pteranodon
can use
cmd.exe
for execution on victim systems.
[150]
[304]
S1032
PyDCrypt
PyDCrypt
has used
cmd.exe
for execution.
[305]
S0650
QakBot
QakBot
can use cmd.exe to launch itself and to execute multiple C2 commands.
[306]
[307]
[308]
[93]
S0269
QUADAGENT
QUADAGENT
uses cmd.exe to execute scripts and commands on the victim’s machine.
[278]
S0262
QuasarRAT
QuasarRAT
can launch a remote shell to execute commands on the victim’s machine.
[309]
[310]
S0481
Ragnar Locker
Ragnar Locker
has used cmd.exe and batch scripts to execute commands.
[311]
S0629
RainyDay
RainyDay
can use the Windows Command Shell for execution.
[265]
G0075
Rancor
Rancor
has used cmd.exe to execute commmands.
[296]
S1212
RansomHub
RansomHub
can use
cmd.exe
to execute multiple commands on infected hosts.
[312]
S1130
Raspberry Robin
Raspberry Robin
uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.
[313]
S0241
RATANKBA
RATANKBA
uses cmd.exe to execute commands.
[314]
[315]
S0662
RCSession
RCSession
can use
cmd.exe
for execution on compromised hosts.
[81]
S0495
RDAT
RDAT
has executed commands using
cmd.exe /c
[316]
G1039
RedCurl
RedCurl
has used the Windows Command Prompt to execute commands.
[317]
[318]
[319]
S0153
RedLeaves
RedLeaves
can receive and execute commands with cmd.exe. It can also provide a reverse shell.
[243]
[320]
S0332
Remcos
Remcos
can launch a remote command line to execute commands on the victim’s machine.
[321]
S0375
Remexi
Remexi
silently executes received commands with cmd.exe.
[322]
S0379
Revenge RAT
Revenge RAT
uses cmd.exe to execute commands and run scripts on the victim's machine.
[323]
S0496
REvil
REvil
can use the Windows command line to delete volume shadow copies and disable recovery.
[324]
[325]
[326]
[327]
S0258
RGDoor
RGDoor
uses cmd.exe to execute commands on the victim’s machine.
[328]
S0448
Rising Sun
Rising Sun
has executed commands using
cmd.exe /c "
[329]
S1150
ROADSWEEP
ROADSWEEP
can open cmd.exe to enable command execution.
[330]
[178]
S0400
RobbinHood
RobbinHood
uses cmd.exe on the victim's computer.
[331]
S0270
RogueRobin
RogueRobin
uses Windows Script Components.
[332]
[333]
S0148
RTM
RTM
uses the command line and rundll32.exe to execute.
[334]
S0253
RunningRAT
RunningRAT
uses a batch file to kill a security program task and then attempts to remove itself.
[155]
S0446
Ryuk
Ryuk
has used
cmd.exe
to create a Registry entry to establish persistence.
[335]
S0085
S-Type
S-Type
has provided the ability to execute shell commands on a compromised host.
[252]
G1031
Saint Bear
Saint Bear
initial loaders will also drop a malicious Windows batch file, available via open source GitHub repositories, that disables Microsoft Defender functionality.
[289]
S1018
Saint Bot
Saint Bot
has used
cmd.exe
and
.bat
scripts for execution.
[289]
S0074
Sakula
Sakula
calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup.
Sakula
also has the capability to invoke a reverse shell.
[336]
S1168
SampleCheck5000
SampleCheck5000
can call cmd.exe to execute C2 command line strings.
[337]
[274]
S0370
SamSam
SamSam
uses custom batch scripts to execute some of its components.
[338]
S1099
Samurai
Samurai
can use a remote command module for execution via the Windows command line.
[339]
S1085
Sardonic
Sardonic
has the ability to run
cmd.exe
or other interactive processes on a compromised computer.
[144]
S0461
SDBbot
SDBbot
has the ability to use the command shell to execute commands on a compromised host.
[340]
S0053
SeaDuke
SeaDuke
is capable of executing commands.
[341]
S0345
Seasalt
Seasalt
uses cmd.exe to create a reverse shell on the infected endpoint.
[50]
S0185
SEASHARPEE
SEASHARPEE
can execute commands on victims.
[342]
S0382
ServHelper
ServHelper
can execute shell commands against
cmd
[343]
[344]
S0639
Seth-Locker
Seth-Locker
can execute commands via the command line shell.
[345]
S1019
Shark
Shark
has the ability to use
CMD
to execute commands.
[104]
[346]
S1089
SharpDisco
SharpDisco
can use
cmd.exe
to execute plugins and to send command output to specified SMB shares.
[347]
S0546
SharpStage
SharpStage
can execute arbitrary commands with the command line.
[118]
[119]
S0444
ShimRat
ShimRat
can be issued a command shell function from the C2.
[348]
S0610 | SideTwist | SideTwist can execute shell commands on a compromised host. [349]
G0091 | Silence | Silence has used the Windows command line to run commands. [350] [351] [352]
S0692 | SILENTTRINITY | SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM. [353]
S0623 | Siloscape | Siloscape can run cmd through an IRC channel. [354]
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA can open a command line to execute commands. [355]
S1035 | Small Sieve | Small Sieve can use cmd.exe to execute commands on a victim's system. [356]
S0159 | SNUGRIDE | SNUGRIDE is capable of executing commands and spawning a reverse shell. [320]
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used cmd.exe to execute commands on remote machines. [357] [358]
G0054 | Sowbug | Sowbug has used the command line during its intrusions. [359]
S0543 | Spark | Spark can use cmd.exe to run commands. [360]
S0390 | SQLRat | SQLRat has used SQL to execute JavaScript and VB scripts on the host system. [139]
S1030 | Squirrelwaffle | Squirrelwaffle has used cmd.exe for execution. [361]
S1037 | STARWHALE | STARWHALE has the ability to execute commands via cmd.exe. [362]
G1046 | Storm-1811 | Storm-1811 has used multiple batch scripts during initial access and subsequent actions on victim machines. [363] [364]
S0142 | StreamEx | StreamEx has the ability to remotely execute commands. [365]
S1183 | StrelaStealer | StrelaStealer has included BAT files in some instances for installation. [366] [367]
S1034 | StrifeWater | StrifeWater can execute shell commands using cmd.exe. [368]
G0039 | Suckfly | Several tools used by Suckfly have been command-line driven. [369]
S1049 | SUGARUSH | SUGARUSH has used cmd for execution on an infected host. [370]
S0464 | SYSCON | SYSCON has the ability to execute commands through cmd on a compromised host. [71]
G0092 | TA505 | TA505 has executed commands using cmd.exe. [371]
G0127 | TA551 | TA551 has used cmd.exe to execute commands. [372]
G1037 | TA577 | TA577 has used BAT files in malware execution chains. [373]
S0011 | Taidoor | Taidoor can copy cmd.exe into the system temp folder. [374]
S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE can enable Windows CLI access and execute files. [375]
S1193 | TAMECAT | TAMECAT has used cmd.exe to run the curl command. [376]
S1011 | Tarrask | Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks. [377]
S0164 | TDTESS | TDTESS provides a reverse shell on the victim. [378]
G0139 | TeamTNT | TeamTNT has used batch scripts to download tools and execute cryptocurrency miners. [379]
S0146 | TEXTMATE | TEXTMATE executes cmd.exe to provide a reverse shell to adversaries. [380] [381]
G0028 | Threat Group-1314 | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands. [382]
G0027 | Threat Group-3390 | Threat Group-3390 has used command-line interfaces for execution. [77] [383]
S0668 | TinyTurla | TinyTurla has been installed using a .bat file. [384]
S0004 | TinyZBot | TinyZBot supports execution from the command line. [385]
G1022 | ToddyCat | ToddyCat has used .bat scripts and cmd for execution on compromised hosts. [386]
S0266 | TrickBot | TrickBot has used macros in Excel documents to download and deploy the malware on the user's machine. [387]
S0094 | Trojan.Karagany | Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process. [388]
S1196 | Troll Stealer | Troll Stealer can create and execute Windows batch scripts. [389]
G0081 | Tropic Trooper | Tropic Trooper has used Windows command scripts. [390]
S0436 | TSCookie | TSCookie has the ability to execute shell commands on the infected host. [391]
S0647 | Turian | Turian can create a remote shell and execute commands using cmd. [392]
G0010 | Turla | Turla RPC backdoors have used cmd.exe to execute commands. [393] [394]
S0199 | TURNEDUP | TURNEDUP is capable of creating a reverse shell. [395]
S0263 | TYPEFRAME | TYPEFRAME can uninstall malware components using a batch script. [396] TYPEFRAME can execute commands using a shell. [396]
S0333 | UBoatRAT | UBoatRAT can start a command shell. [397]
S0221 | Umbreon | Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet. [398]
S0275 | UPPERCUT | UPPERCUT uses cmd.exe to execute commands on the victim's machine. [245]
S0022 | Uroburos | Uroburos has the ability to use the command line for execution on the targeted system. [399]
S0452 | USBferry | USBferry can execute various Windows commands. [390]
S0180 | Volgmer | Volgmer can execute commands on the victim's machine. [400] [401]
G1017 | Volt Typhoon | Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments, including for discovery. [402] [403] [404] [405]
S0670 | WarzoneRAT | WarzoneRAT can use cmd.exe to execute malicious code. [406]
S0612 | WastedLocker | WastedLocker has used cmd to execute commands on the system. [407]
C0037 | Water Curupira Pikabot Distribution | During the Water Curupira Pikabot Distribution campaign, installation via JavaScript launched follow-on commands via cmd.exe. [408]
S0109 | WEBC2 | WEBC2 can open an interactive command shell. [13]
S0514 | WellMess | WellMess can execute command line scripts received from C2. [409]
S0689 | WhisperGate | WhisperGate can use cmd.exe to execute commands. [410]
S0206 | Wiarp | Wiarp creates a backdoor through which remote attackers can open a command line interface. [411]
G1035 | Winter Vivern | Winter Vivern distributed Windows batch scripts disguised as virus scanners to prompt download of malicious payloads using built-in system tools. [412] [413]
G0102 | Wizard Spider | Wizard Spider has used cmd.exe to execute commands on a victim's machine. [414] [415]
S1065 | Woody RAT | Woody RAT can execute commands using cmd.exe. [416]
S0653 | xCaon | xCaon has a command to start an interactive shell. [62]
S0117 | XTunnel | XTunnel has been used to execute remote commands. [417]
S0251 | Zebrocy | Zebrocy uses cmd.exe to execute commands on the system. [418] [419]
S0330 | Zeus Panda | Zeus Panda can launch an interface where it can execute several commands on the victim's PC. [420]
G0128 | ZIRCONIUM | ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host. [421]
S0086 | ZLib | ZLib has the ability to execute shell commands. [252]
S0350 | zwShell | zwShell can launch command-line shells. [269]
S0412 | ZxShell | ZxShell can launch a reverse command shell. [29] [422] [423]
Mitigations
ID | Mitigation | Description
M1038 | Execution Prevention | Use application control where appropriate. AppLocker script rules and Windows Defender Application Control (WDAC) policies can restrict .bat and .cmd execution from user-writable paths for standard users; blocking cmd.exe itself is rarely practical because administrative tooling depends on it.
Detection
ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Analytic 1 - Look for unusual command shell execution.
sourcetype=WinEventLog:Security | search (EventCode=4688 OR EventCode=4689) process_name="cmd.exe" | eval suspicious_cmd=if(like(command_line, "%/c%") OR like(command_line, "%.bat%") OR like(command_line, "%.cmd%"), "Yes", "No") | where suspicious_cmd="Yes"
Note: Security event 4688 carries the command line only when the audit policy option "Include command line in process creation events" is enabled; 4689 (process termination) records no command line at all, so in practice only 4688 events can satisfy the eval above. The substring patterns "/c", ".bat" and ".cmd" are broad, so tune the results against a per-host or per-user baseline before alerting on them.
DS0009 | Process | Process Creation | Monitor for newly executed processes that may abuse the Windows command shell for execution.
Note: Try an Analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd. It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don't routinely launch a command prompt - e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn't launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.
Analytic 1 - Unusual Command Execution
((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND CommandLine="*cmd.exe*" AND (CommandLine REGEXP ".*\/c.*" OR CommandLine REGEXP ".*\/k.*")
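The two analytics above (the command-line filter under DS0017 and the new-parent baseline under DS0009), implemented over a handful of constructed Sysmon Event ID 1 records. This is an added example, not code from the ATT&CK page or from MITRE; the field names follow Sysmon (Image, ParentImage, CommandLine), the host paths and events are made up for the demonstration, and the scoring in rank_today is this example's own combination of the two analytics rather than anything the page prescribes.

```python
"""Added example (not MITRE's code): both T1059.003 analytics above, run over
constructed Sysmon Event ID 1 records. Field names follow Sysmon (Image,
ParentImage, CommandLine); the events themselves are made up for this demo."""
import re

# Constructed "last 30 days" baseline: which parents normally spawn cmd.exe here.
BASELINE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c npm run build"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c C:\Scripts\nightly_backup.bat"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe"'},
]

# Constructed "today" events; comments mark what each row is meant to exercise.
TODAY_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",          # interactive prompt, known parent
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe",          # mail client spawning a batch file
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'cmd.exe /c "%TEMP%\invoice.bat"'},
    {"Image": r"C:\Windows\System32\cmd.exe",          # IIS worker running /c: web-shell shape
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe",          # developer tooling, known parent
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c npm test"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",        # not cmd.exe: ignored by both analytics
     "CommandLine": r"powershell.exe"},
]

# /c or /k as a standalone switch (cmd.exe accepts either case), and a .bat/.cmd
# argument; tighter than the LIKE "%/c%" substring match in the Splunk query above.
SWITCH_RE = re.compile(r"(?i)(?:^|\s)/[ck](?:\s|$)")
BATCH_RE = re.compile(r'(?i)\.(?:bat|cmd)(?:"|\s|$)')


def is_cmd_exe(image: str) -> bool:
    """True when the executed image is cmd.exe, regardless of path or case."""
    return image.lower().rsplit("\\", 1)[-1] == "cmd.exe"


def flag_command_lines(events):
    """DS0017 analytic: cmd.exe launched with /c, /k or a batch-file argument."""
    return [ev["CommandLine"] for ev in events
            if is_cmd_exe(ev["Image"])
            and (SWITCH_RE.search(ev["CommandLine"]) or BATCH_RE.search(ev["CommandLine"]))]


def cmd_parents(events):
    """Lower-cased set of parent images that spawned cmd.exe in the given events."""
    return {ev["ParentImage"].lower() for ev in events if is_cmd_exe(ev["Image"])}


def new_cmd_parents(baseline_events, today_events):
    """DS0009 analytic: parents of cmd.exe seen today but absent from the baseline."""
    return sorted(cmd_parents(today_events) - cmd_parents(baseline_events))


def rank_today(baseline_events, today_events):
    """Score each cmd.exe launch today: +1 for a parent not in the baseline, +1 for a
    /c, /k or batch-file command line. Highest score first; ties ordered by parent path."""
    novel = set(new_cmd_parents(baseline_events, today_events))
    flagged = set(flag_command_lines(today_events))
    rows = []
    for ev in today_events:
        if not is_cmd_exe(ev["Image"]):
            continue
        parent = ev["ParentImage"].lower()
        score = (parent in novel) + (ev["CommandLine"] in flagged)
        rows.append((score, parent, ev["CommandLine"]))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, parent, cmdline in rank_today(BASELINE_EVENTS, TODAY_EVENTS):
        print(f"score={score} parent={parent} cmd={cmdline}")
```

On the constructed data the OUTLOOK.EXE and w3wp.exe launches score 2 (unseen parent plus a /c or batch-file command line), the VS Code launch scores 1 (known parent, /c only) and the interactive explorer.exe prompt scores 0. To run it against real telemetry, map Sysmon's Image/ParentImage/CommandLine onto these keys; with Security event 4688 the parent is only available as "Creator Process Name" on Windows 10 / Server 2016 and later, and the command line only when command-line auditing is enabled.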
References
Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.
Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024.
MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved November 17, 2024.
Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024.
Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024.
Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved November 17, 2024.
Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved November 17, 2024.
FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom. Retrieved January 24, 2025.
Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024.
Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.
PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.
Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
Falcone, R., Wilhoit, K. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021.
Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024.
Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
US