aka: Group 8, AURORA PANDA, Hidden Lynx, Tailgater Team, Dogfish, BRONZE KEYSTONE, G0025, Group 72, G0001, Axiom, HELIUM
FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'
2023-02-02 ⋅ Elastic ⋅ Salim Bitam, Remco Sprooten, Cyril François, Andrew Pease, Devon Kerr, Seth Goodwin
@online{bitam:20230202:update:57ea3a2,
author = {Salim Bitam and Remco Sprooten and Cyril François and Andrew Pease and Devon Kerr and Seth Goodwin},
title = {{Update to the REF2924 intrusion set and related campaigns}},
date = {2023-02-02},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns},
language = {English},
urldate = {2023-03-21}
}
Update to the REF2924 intrusion set and related campaigns
DoorMe ShadowPad SiestaGraph |
2022-10-25 ⋅ VMware Threat Analysis Unit ⋅ Takahiro Haruyama
@techreport{haruyama:20221025:tracking:1f60260,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}},
date = {2022-10-25},
institution = {VMware Threat Analysis Unit},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf},
language = {English},
urldate = {2022-11-01}
}
Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti |
2022-09-30 ⋅ NCC Group ⋅ William Backhouse, Michael Mullen, Nikolaos Pantazopoulos
@online{backhouse:20220930:glimpse:5194be6,
author = {William Backhouse and Michael Mullen and Nikolaos Pantazopoulos},
title = {{A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion}},
date = {2022-09-30},
organization = {NCC Group},
url = {https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/},
language = {English},
urldate = {2022-10-04}
}
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
ShadowPad |
2022-09-19 ⋅ Virus Bulletin ⋅ Takahiro Haruyama
@techreport{haruyama:20220919:tracking:bffa146,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}},
date = {2022-09-19},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf},
language = {English},
urldate = {2022-11-01}
}
Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20220913:new:2ff2e98,
author = {Threat Hunter Team},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-09-06 ⋅ ESET Research ⋅ Thibaut Passilly
@online{passilly:20220906:worok:0c106ac,
author = {Thibaut Passilly},
title = {{Worok: The big picture}},
date = {2022-09-06},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/},
language = {English},
urldate = {2022-09-10}
}
Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad |
2022-08-04 ⋅ Mandiant ⋅ Mandiant
@online{mandiant:20220804:advanced:afb8956,
author = {Mandiant},
title = {{Advanced Persistent Threats (APTs)}},
date = {2022-08-04},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/insights/apt-groups},
language = {English},
urldate = {2022-08-30}
}
Advanced Persistent Threats (APTs)
APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9 |
2022-07-01 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20220701:toddycat:485d554,
author = {RiskIQ},
title = {{ToddyCat: A Guided Journey through the Attacker's Infrastructure}},
date = {2022-07-01},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/d8b749f2},
language = {English},
urldate = {2022-07-15}
}
ToddyCat: A Guided Journey through the Attacker's Infrastructure
ShadowPad ToddyCat |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov
@online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies
@online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh
@techreport{chang:20220512:next:5fd8a83,
author = {Leon Chang and Silvia Yeh},
title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}},
date = {2022-05-12},
institution = {TEAMT5},
url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf},
language = {English},
urldate = {2022-08-08}
}
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu |
2022-05-04 ⋅ Cybereason ⋅ Chen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:0d23595,
author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan},
title = {{Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques}},
date = {2022-05-04},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques},
language = {English},
urldate = {2022-05-09}
}
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
PRIVATELOG Spyder STASHLOG Winnti |
2022-05-04 ⋅ Cybereason ⋅ Chen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:e40ec58,
author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan},
title = {{Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive}},
date = {2022-05-04},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive},
language = {English},
urldate = {2022-05-05}
}
Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
PRIVATELOG Spyder STASHLOG Winnti |
2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich
@online{chen:20220502:moshen:1969df2,
author = {Joey Chen and Amitai Ben Shushan Ehrlich},
title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}},
date = {2022-05-02},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/},
language = {English},
urldate = {2022-05-04}
}
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad |
2022-05-01 ⋅ BushidoToken ⋅ BushidoToken
@online{bushidotoken:20220501:gamer:0acfc22,
author = {BushidoToken},
title = {{Gamer Cheater Hacker Spy}},
date = {2022-05-01},
organization = {BushidoToken},
url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html},
language = {English},
urldate = {2022-05-03}
}
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti |
2022-04-08 ⋅ The Register ⋅ Laura Dobberstein
@online{dobberstein:20220408:china:6626bbc,
author = {Laura Dobberstein},
title = {{China accused of cyberattacks on Indian power grid}},
date = {2022-04-08},
organization = {The Register},
url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/},
language = {English},
urldate = {2022-04-12}
}
China accused of cyberattacks on Indian power grid
ShadowPad |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20220406:continued:dcee8d2,
author = {Insikt Group®},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)}},
date = {2022-04-06},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf},
language = {English},
urldate = {2022-08-05}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)
ShadowPad |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group
@online{group:20220406:continued:cdf57e5,
author = {Insikt Group},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group}},
date = {2022-04-06},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/},
language = {English},
urldate = {2022-04-12}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group
ShadowPad |
2022-02-23 ⋅ Dragos ⋅ Dragos
@techreport{dragos:20220223:2021:539931a,
author = {Dragos},
title = {{2021 ICS OT Cybersecurity Year In Review}},
date = {2022-02-23},
institution = {Dragos},
url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf},
language = {English},
urldate = {2022-04-12}
}
2021 ICS OT Cybersecurity Year In Review
ShadowPad |
2022-02-15 ⋅ The Hacker News ⋅ Ravie Lakshmanan
@online{lakshmanan:20220215:researchers:834fc13,
author = {Ravie Lakshmanan},
title = {{Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA}},
date = {2022-02-15},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html},
language = {English},
urldate = {2022-02-17}
}
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA
ShadowPad |
2022-02-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20220215:shadowpad:cd3fa10,
author = {Counter Threat Unit ResearchTeam},
title = {{ShadowPad Malware Analysis}},
date = {2022-02-15},
organization = {Secureworks},
url = {https://www.secureworks.com/research/shadowpad-malware-analysis},
language = {English},
urldate = {2022-02-17}
}
ShadowPad Malware Analysis
ShadowPad |
2022-01-17 ⋅ Trend Micro ⋅ Joseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
@techreport{chen:20220117:delving:4cd2b1c,
author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet},
title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}},
date = {2022-01-17},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf},
language = {English},
urldate = {2022-07-25}
}
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca |
2021-12-17 ⋅ FBI ⋅ FBI
@techreport{fbi:20211217:ac000159mw:03082da,
author = {FBI},
title = {{AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)}},
date = {2021-12-17},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/211220.pdf},
language = {English},
urldate = {2021-12-23}
}
AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)
ShadowPad |
2021-12-08 ⋅ PWC UK ⋅ Adam Prescott
@online{prescott:20211208:chasing:3921a35,
author = {Adam Prescott},
title = {{Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad}},
date = {2021-12-08},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html},
language = {English},
urldate = {2021-12-13}
}
Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad
ShadowPad Earth Lusca |
2021-11-19 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka
@online{amawaka:20211119:its:bd24ebf,
author = {Asuna Amawaka},
title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}},
date = {2021-11-19},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2},
language = {English},
urldate = {2021-11-25}
}
It’s a BEE! It’s a… no, it’s ShadowPad.
ShadowPad |
2021-11-16 ⋅ vmware ⋅ Takahiro Haruyama
@online{haruyama:20211116:monitoring:e4ca54e,
author = {Takahiro Haruyama},
title = {{Monitoring Winnti 4.0 C2 Servers for Two Years}},
date = {2021-11-16},
organization = {vmware},
url = {https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html},
language = {English},
urldate = {2021-11-17}
}
Monitoring Winnti 4.0 C2 Servers for Two Years
Winnti |
2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20211104:shadowpad:8dbd5c7,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}},
date = {2021-11-04},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=r1zAVX_HnJg},
language = {English},
urldate = {2022-08-08}
}
ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad |
2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f,
author = {Kaspersky Lab ICS CERT},
title = {{APT attacks on industrial organizations in H1 2021}},
date = {2021-10-26},
institution = {Kaspersky},
url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf},
language = {English},
urldate = {2021-11-08}
}
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy |
2021-09-28 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210928:4:069b441,
author = {Insikt Group®},
title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}},
date = {2021-09-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/},
language = {English},
urldate = {2021-10-11}
}
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti |
2021-09-21 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210921:chinalinked:8959683,
author = {Insikt Group®},
title = {{China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware}},
date = {2021-09-21},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf},
language = {English},
urldate = {2021-10-11}
}
China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware
Winnti |
2021-09-14 ⋅ McAfee ⋅ Christiaan Beek
@online{beek:20210914:operation:95aed8d,
author = {Christiaan Beek},
title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}},
date = {2021-09-14},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/},
language = {English},
urldate = {2021-09-19}
}
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti |
2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20210901:shadowpad:f9ae111,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}},
date = {2021-09-01},
organization = {YouTube (Hack In The Box Security Conference)},
url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U},
language = {English},
urldate = {2022-08-08}
}
SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad |
2021-08-23 ⋅ SentinelOne ⋅ Yi-Jhen Hsieh, Joey Chen
@techreport{hsieh:20210823:shadowpad:58780f1,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-23},
institution = {SentinelOne},
url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf},
language = {English},
urldate = {2022-07-18}
}
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad |
2021-08-19 ⋅ Sentinel LABS ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20210819:shadowpad:04bbb1e,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-19},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/},
language = {English},
urldate = {2021-08-23}
}
ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad |
2021-08-12 ⋅ Sentinel LABS ⋅ SentinelLabs
@techreport{sentinellabs:20210812:shadowpad:61c0a20,
author = {SentinelLabs},
title = {{ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-12},
institution = {Sentinel LABS},
url = {https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf},
language = {English},
urldate = {2022-07-25}
}
ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage
ShadowPad Earth Lusca |
2021-07-08 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210708:chinese:98d34d3,
author = {Insikt Group®},
title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}},
date = {2021-07-08},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/},
language = {English},
urldate = {2021-07-12}
}
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti |
2021-07-08 ⋅ YouTube (PT Product Update) ⋅ Denis Kuvshinov
@online{kuvshinov:20210708:how:ea6d201,
author = {Denis Kuvshinov},
title = {{How winnti APT grouping works}},
date = {2021-07-08},
organization = {YouTube (PT Product Update)},
url = {https://www.youtube.com/watch?v=_fstHQSK-kk},
language = {Russian},
urldate = {2021-09-20}
}
How winnti APT grouping works
Korlia ShadowPad Winnti |
2021-07-08 ⋅ PTSecurity ⋅ Denis Kuvshinov
@techreport{kuvshinov:20210708:how:2e5a659,
author = {Denis Kuvshinov},
title = {{How winnti APT grouping works}},
date = {2021-07-08},
institution = {PTSecurity},
url = {https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf},
language = {Russian},
urldate = {2021-09-20}
}
How winnti APT grouping works
Korlia ShadowPad Winnti |
2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2,
author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen},
title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}},
date = {2021-07-07},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html},
language = {English},
urldate = {2021-07-19}
}
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi |
2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4,
author = {Threat Detection NTT Ltd.},
title = {{The Operations of Winnti group}},
date = {2021-04-29},
institution = {NTT},
url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf},
language = {English},
urldate = {2021-08-09}
}
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca |
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4,
author = {Catalin Cimpanu},
title = {{RedEcho group parks domains after public exposure}},
date = {2021-03-29},
organization = {The Record},
url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/},
language = {English},
urldate = {2021-03-31}
}
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho |
2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f,
author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare},
title = {{Exchange servers under siege from at least 10 APT groups}},
date = {2021-03-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
language = {English},
urldate = {2021-03-11}
}
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210228:chinalinked:2fb1230,
author = {Insikt Group®},
title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf},
language = {English},
urldate = {2021-03-04}
}
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210228:chinalinked:ce3b62d,
author = {Insikt Group®},
title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/},
language = {English},
urldate = {2021-03-31}
}
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho |
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-01-20 ⋅ FireEye ⋅ Andrew Davis
@online{davis:20210120:emulation:4061f1c,
author = {Andrew Davis},
title = {{Emulation of Kernel Mode Rootkits With Speakeasy}},
date = {2021-01-20},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html},
language = {English},
urldate = {2021-01-25}
}
Emulation of Kernel Mode Rootkits With Speakeasy
Winnti |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2020-12-26 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
@online{cybermasterv:20201226:analyzing:b94f52e,
author = {CyberMasterV},
title = {{Analyzing APT19 malware using a step-by-step method}},
date = {2020-12-26},
organization = {CYBER GEEKS All Things Infosec},
url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/},
language = {English},
urldate = {2021-01-01}
}
Analyzing APT19 malware using a step-by-step method
Derusbi |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
@online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20201210:operation:0eecfc8,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/},
language = {English},
urldate = {2020-12-10}
}
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger |
2020-11-23 ⋅ Youtube (OWASP DevSlop) ⋅ Negar Shabab, Noushin Shabab
@online{shabab:20201123:compromised:6dd1417,
author = {Negar Shabab and Noushin Shabab},
title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}},
date = {2020-11-23},
organization = {Youtube (OWASP DevSlop)},
url = {https://www.youtube.com/watch?v=55kaaMGBARM},
language = {English},
urldate = {2020-11-23}
}
Compromised Compilers - A new perspective of supply chain cyber attacks
ShadowPad |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad |
2020-10-12 ⋅ Malwarebytes Labs ⋅ Roberto Santos, Hossein Jazi, Jérôme Segura, Malwarebytes Threat Intelligence Team
@techreport{santos:20201012:winnti:597eacc,
author = {Roberto Santos and Hossein Jazi and Jérôme Segura and Malwarebytes Threat Intelligence Team},
title = {{Winnti APT group docks in Sri Lanka for new campaign}},
date = {2020-10-12},
institution = {Malwarebytes Labs},
url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf},
language = {English},
urldate = {2022-11-18}
}
Winnti APT group docks in Sri Lanka for new campaign
DBoxAgent SerialVlogger Winnti |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-08 ⋅ PTSecurity ⋅ PTSecurity
@techreport{ptsecurity:20200908:shadowpad:2903f45,
author = {PTSecurity},
title = {{ShadowPad: new activity from the Winnti group}},
date = {2020-09-08},
institution = {PTSecurity},
url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf},
language = {English},
urldate = {2020-10-08}
}
ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec,
author = {Falcon OverWatch Team},
title = {{Manufacturing Industry in the Adversaries’ Crosshairs}},
date = {2020-07-14},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/},
language = {English},
urldate = {2020-07-23}
}
Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake |
2020-05-07 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:20200507:axiom:da87987,
author = {Cyber Operations Tracker},
title = {{Axiom}},
date = {2020-05-07},
organization = {Council on Foreign Relations},
url = {https://cfr.org/cyber-operations/axiom},
language = {English},
urldate = {2022-08-30}
}
Axiom
APT17 |
2020-04-20 ⋅ QuoScient ⋅ QuoIntelligence
@online{quointelligence:20200420:winnti:6a4fb66,
author = {QuoIntelligence},
title = {{WINNTI GROUP: Insights From the Past}},
date = {2020-04-20},
organization = {QuoScient},
url = {https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/},
language = {English},
urldate = {2020-04-21}
}
WINNTI GROUP: Insights From the Past
Winnti |
2020-04-13 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone, Jen Miller-Osborn
@online{lee:20200413:apt41:fdd4c46,
author = {Bryan Lee and Robert Falcone and Jen Miller-Osborn},
title = {{APT41 Using New Speculoos Backdoor to Target Organizations Globally}},
date = {2020-04-13},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/},
language = {English},
urldate = {2020-04-14}
}
APT41 Using New Speculoos Backdoor to Target Organizations Globally
Speculoos APT41 |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller
@online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA |
2020-03-03 ⋅ GIthub (superkhung) ⋅ superkhung
@online{superkhung:20200303:github:8ea37ed,
author = {superkhung},
title = {{GitHub Repository: winnti-sniff}},
date = {2020-03-03},
organization = {GIthub (superkhung)},
url = {https://github.com/superkhung/winnti-sniff},
language = {English},
urldate = {2020-03-04}
}
GitHub Repository: winnti-sniff
Winnti |
2020-02-20 ⋅ Carbon Black ⋅ Takahiro Haruyama
@online{haruyama:20200220:threat:aa4ef11,
author = {Takahiro Haruyama},
title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}},
date = {2020-02-20},
organization = {Carbon Black},
url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/},
language = {English},
urldate = {2020-02-21}
}
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti |
2020-01-31 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20200131:winnti:9f891e4,
author = {Mathieu Tartare},
title = {{Winnti Group targeting universities in Hong Kong}},
date = {2020-01-31},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/},
language = {English},
urldate = {2020-02-03}
}
Winnti Group targeting universities in Hong Kong
ShadowPad Winnti |
2020-01-31 ⋅ Tagesschau ⋅ Jan Lukas Strozyk
@online{strozyk:20200131:deutsches:d0a9221,
author = {Jan Lukas Strozyk},
title = {{Deutsches Chemieunternehmen gehackt}},
date = {2020-01-31},
organization = {Tagesschau},
url = {https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html},
language = {German},
urldate = {2020-02-03}
}
Deutsches Chemieunternehmen gehackt
Winnti |
2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
@online{naosec:20200129:overhead:ec0aeb5,
author = {nao_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40 |
2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c,
author = {Jen Miller-Osborn and Mike Harbison},
title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}},
date = {2019-12-17},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/},
language = {English},
urldate = {2020-01-08}
}
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8,
author = {Marc-Etienne M.Léveillé and Mathieu Tartare},
title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}},
date = {2019-10-07},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf},
language = {English},
urldate = {2020-01-10}
}
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad |
2019-10 ⋅ CrowdStrike ⋅ Karl Scheuerman, Piotr Wojtyla
@online{scheuerman:201910:dont:11aa9dc,
author = {Karl Scheuerman and Piotr Wojtyla},
title = {{Don't miss the forest for the trees gleaning hunting value from too much intrusion data}},
date = {2019-10},
organization = {CrowdStrike},
url = {https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html},
language = {English},
urldate = {2021-03-31}
}
Don't miss the forest for the trees gleaning hunting value from too much intrusion data
Winnti |
2019-09-30 ⋅ Lastline ⋅ Jason Zhang, Stefano Ortolani
@online{zhang:20190930:helo:559ed11,
author = {Jason Zhang and Stefano Ortolani},
title = {{HELO Winnti: Attack or Scan?}},
date = {2019-09-30},
organization = {Lastline},
url = {https://www.lastline.com/labsblog/helo-winnti-attack-scan/},
language = {English},
urldate = {2019-10-23}
}
HELO Winnti: Attack or Scan?
Winnti |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-09-04 ⋅ CarbonBlack ⋅ Takahiro Haruyama
@online{haruyama:20190904:cb:7c71995,
author = {Takahiro Haruyama},
title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}},
date = {2019-09-04},
organization = {CarbonBlack},
url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/},
language = {English},
urldate = {2019-12-17}
}
CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti |
2019-09-04 ⋅ FireEye ⋅ FireEye
@online{fireeye:20190904:apt41:b5d6780,
author = {FireEye},
title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}},
date = {2019-09-04},
organization = {FireEye},
url = {https://content.fireeye.com/api/pdfproxy?id=86840},
language = {English},
urldate = {2020-01-13}
}
APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti |
2019-08-09 ⋅ FireEye ⋅ FireEye
@online{fireeye:20190809:double:40f736e,
author = {FireEye},
title = {{Double Dragon APT41, a dual espionage and cyber crime operation}},
date = {2019-08-09},
organization = {FireEye},
url = {https://content.fireeye.com/apt-41/rpt-apt41/},
language = {English},
urldate = {2019-12-18}
}
Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti |
2019-07-24 ⋅ Github (br-data) ⋅ Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:winnti:25b27fb,
author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski},
title = {{Winnti analysis}},
date = {2019-07-24},
organization = {Github (br-data)},
url = {https://github.com/br-data/2019-winnti-analyse/},
language = {English},
urldate = {2019-12-10}
}
Winnti analysis
Winnti |
2019-07-24 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:attacking:66ef327,
author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski},
title = {{Attacking the Heart of the German Industry}},
date = {2019-07-24},
organization = {Bayerischer Rundfunk},
url = {http://web.br.de/interaktiv/winnti/english/},
language = {English},
urldate = {2019-11-29}
}
Attacking the Heart of the German Industry
Winnti |
2019-07-24 ⋅ Twitter (@bkMSFT) ⋅ Ben K (bkMSFT)
@online{bkmsft:20190724:apt17:8b88bcb,
author = {Ben K (bkMSFT)},
title = {{Tweet on APT17}},
date = {2019-07-24},
organization = {Twitter (@bkMSFT)},
url = {https://twitter.com/bkMSFT/status/1153994428949749761},
language = {English},
urldate = {2020-01-07}
}
Tweet on APT17
HIGHNOTE |
2019-04-23 ⋅ Kaspersky Labs ⋅ GReAT, AMR
@online{great:20190423:operation:20b8f83,
author = {GReAT and AMR},
title = {{Operation ShadowHammer: a high-profile supply chain attack}},
date = {2019-04-23},
organization = {Kaspersky Labs},
url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/},
language = {English},
urldate = {2019-12-20}
}
Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad |
2019-04-22 ⋅ Trend Micro ⋅ Mohamad Mokbel
@online{mokbel:20190422:cc:23b1202,
author = {Mohamad Mokbel},
title = {{C/C++ Runtime Library Code Tampering in Supply Chain}},
date = {2019-04-22},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html},
language = {English},
urldate = {2021-09-19}
}
C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:2019:17:d2951a8,
author = {Cyber Operations Tracker},
title = {{APT 17}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/apt-17},
language = {English},
urldate = {2019-12-20}
}
APT 17
APT17 |
2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20181001:trends:17b1db5,
author = {Macnica Networks},
title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}},
date = {2018-10-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
2018-05-22 ⋅ Github (TKCERT) ⋅ thyssenkrupp CERT
@online{cert:20180522:nmap:1ee2530,
author = {thyssenkrupp CERT},
title = {{Nmap Script to scan for Winnti infections}},
date = {2018-05-22},
organization = {Github (TKCERT)},
url = {https://github.com/TKCERT/winnti-nmap-script},
language = {English},
urldate = {2020-01-07}
}
Nmap Script to scan for Winnti infections
Winnti |
2018-03-05 ⋅ Github (TKCERT) ⋅ TKCERT
@online{tkcert:20180305:suricata:0b45f94,
author = {TKCERT},
title = {{Suricata rules to detect Winnti communication}},
date = {2018-03-05},
organization = {Github (TKCERT)},
url = {https://github.com/TKCERT/winnti-suricata-lua},
language = {English},
urldate = {2020-01-07}
}
Suricata rules to detect Winnti communication
Winnti |
2017-08-15 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20170815:shadowpad:3d5b9a0,
author = {GReAT},
title = {{ShadowPad in corporate networks}},
date = {2017-08-15},
organization = {Kaspersky Labs},
url = {https://securelist.com/shadowpad-in-corporate-networks/81432/},
language = {English},
urldate = {2019-12-20}
}
ShadowPad in corporate networks
ShadowPad |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20170531:apt17:ebee596,
author = {MITRE ATT&CK},
title = {{APT17}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0025/},
language = {English},
urldate = {2022-07-05}
}
APT17
BLACKCOFFEE APT17 |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20170531:axiom:b181fdb,
author = {MITRE ATT&CK},
title = {{Axiom}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0001/},
language = {English},
urldate = {2022-08-30}
}
Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 |
2017-04-19 ⋅ Trend Micro ⋅ Trendmicro
@online{trendmicro:20170419:of:1656f97,
author = {Trendmicro},
title = {{Of Pigs and Malware: Examining a Possible Member of the Winnti Group}},
date = {2017-04-19},
organization = {Trend Micro},
url = {http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/},
language = {English},
urldate = {2019-12-04}
}
Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti |
2017-03-22 ⋅ Trend Micro ⋅ Cedric Pernet
@online{pernet:20170322:winnti:bfd35bc,
author = {Cedric Pernet},
title = {{Winnti Abuses GitHub for C&C Communications}},
date = {2017-03-22},
organization = {Trend Micro},
url = {http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/},
language = {English},
urldate = {2019-07-09}
}
Winnti Abuses GitHub for C&C Communications
Winnti |
2016-03-06 ⋅ Github (TKCERT) ⋅ thyssenkrupp CERT
@online{cert:20160306:network:f9244d3,
author = {thyssenkrupp CERT},
title = {{Network detector for Winnti malware}},
date = {2016-03-06},
organization = {Github (TKCERT)},
url = {https://github.com/TKCERT/winnti-detector},
language = {English},
urldate = {2020-01-07}
}
Network detector for Winnti malware
Winnti |
2016-03-02 ⋅ RSA Conference ⋅ Vanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3,
author = {Vanja Svajcer},
title = {{Dissecting Derusbi}},
date = {2016-03-02},
institution = {RSA Conference},
url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf},
language = {English},
urldate = {2020-02-27}
}
Dissecting Derusbi
Derusbi |
2015-12-15 ⋅ Airbus Defence & Space ⋅ Fabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c,
author = {Fabien Perigaud},
title = {{Newcomers in the Derusbi family}},
date = {2015-12-15},
organization = {Airbus Defence & Space},
url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family},
language = {English},
urldate = {2020-02-27}
}
Newcomers in the Derusbi family
Derusbi |
2015-10-13 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
@online{tarakanov:20151013:i:36fae83,
author = {Dmitry Tarakanov},
title = {{I am HDRoot! Part 2}},
date = {2015-10-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/i-am-hdroot-part-2/72356/},
language = {English},
urldate = {2020-03-19}
}
I am HDRoot! Part 2
HDRoot |
2015-10-08 ⋅ Virus Bulletin ⋅ Micky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d,
author = {Micky Pun and Eric Leung and Neo Tan},
title = {{Catching the silent whisper: Understanding the Derusbi family tree}},
date = {2015-10-08},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf},
language = {English},
urldate = {2020-02-27}
}
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi |
2015-10-06 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
@online{tarakanov:20151006:i:445dc3a,
author = {Dmitry Tarakanov},
title = {{I am HDRoot! Part 1}},
date = {2015-10-06},
organization = {Kaspersky Labs},
url = {https://securelist.com/i-am-hdroot-part-1/72275/},
language = {English},
urldate = {2020-03-19}
}
I am HDRoot! Part 1
HDRoot |
2015-06-22 ⋅ Kaspersky Labs ⋅ Dmitry Tarakanov
@online{tarakanov:20150622:games:aba8183,
author = {Dmitry Tarakanov},
title = {{Games are over: Winnti is now targeting pharmaceutical companies}},
date = {2015-06-22},
organization = {Kaspersky Labs},
url = {https://securelist.com/games-are-over/70991/},
language = {English},
urldate = {2019-12-20}
}
Games are over: Winnti is now targeting pharmaceutical companies
Winnti APT41 |
2015-04-14 ⋅ Youtube (Kaspersky) ⋅ Kris McConkey
@online{mcconkey:20150414:following:02e29b8,
author = {Kris McConkey},
title = {{Following APT OpSec failures}},
date = {2015-04-14},
organization = {Youtube (Kaspersky)},
url = {https://www.youtube.com/watch?v=NFJqD-LcpIg},
language = {English},
urldate = {2022-08-30}
}
Following APT OpSec failures
BLACKCOFFEE Mangzamel APT17 |
2015-04-06 ⋅ Novetta ⋅ Novetta
@techreport{novetta:20150406:winnti:acc4030,
author = {Novetta},
title = {{WINNTI ANALYSIS}},
date = {2015-04-06},
institution = {Novetta},
url = {https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf},
language = {English},
urldate = {2020-01-10}
}
WINNTI ANALYSIS
Winnti |
2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20150227:anthem:3576532,
author = {ThreatConnect Research Team},
title = {{The Anthem Hack: All Roads Lead to China}},
date = {2015-02-27},
organization = {ThreatConnect},
url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/},
language = {English},
urldate = {2020-01-09}
}
The Anthem Hack: All Roads Lead to China
Derusbi |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2015 ⋅ Ruxcon ⋅ Matt McCormack
@techreport{mccormack:2015:why:fa3d041,
author = {Matt McCormack},
title = {{WHY ATTACKER TOOLSETS DO WHAT THEY DO}},
date = {2015},
institution = {Ruxcon},
url = {http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf},
language = {English},
urldate = {2020-01-08}
}
WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti |
2014-10-28 ⋅ Novetta ⋅ Novetta
@techreport{novetta:20141028:derusbi:aae275a,
author = {Novetta},
title = {{Derusbi (Server Variant) Analysis}},
date = {2014-10-28},
institution = {Novetta},
url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf},
language = {English},
urldate = {2020-01-06}
}
Derusbi (Server Variant) Analysis
Derusbi |
2014-10-14 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20141014:security:81c5ea5,
author = {Symantec Security Response},
title = {{Security vendors take action against Hidden Lynx malware}},
date = {2014-10-14},
organization = {Symantec},
url = {https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware},
language = {English},
urldate = {2020-04-21}
}
Security vendors take action against Hidden Lynx malware
Gameover P2P HiKit Shylock APT17 |
2014-05-01 ⋅ Recorded Future ⋅ Chris
@online{chris:20140501:hunting:bcefc84,
author = {Chris},
title = {{Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis}},
date = {2014-05-01},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/hidden-lynx-analysis/},
language = {English},
urldate = {2020-01-07}
}
Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis
APT17 |
2014-01 ⋅ RSA ⋅ RSA Research
@techreport{research:201401:rsa:5fa5815,
author = {RSA Research},
title = {{RSA Incident Response: Emerging Threat Profile Shell_Crew}},
date = {2014-01},
institution = {RSA},
url = {https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf},
language = {English},
urldate = {2021-01-29}
}
RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi |
2013-09-21 ⋅ FireEye ⋅ Ned Moran, Nart Villeneuve
@online{moran:20130921:operation:0289318,
author = {Ned Moran and Nart Villeneuve},
title = {{Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets}},
date = {2013-09-21},
organization = {FireEye},
url = {https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html},
language = {English},
urldate = {2020-06-08}
}
Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
DeputyDog APT17 |
2013-09-17 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20130917:hidden:e91b6bb,
author = {Symantec Security Response},
title = {{Hidden Lynx – Professional Hackers for Hire}},
date = {2013-09-17},
organization = {Symantec},
url = {https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire},
language = {English},
urldate = {2020-04-21}
}
Hidden Lynx – Professional Hackers for Hire
APT17 |
2013-09-17 ⋅ Symantec ⋅ Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar
@techreport{doherty:20130917:hidden:72a1bd7,
author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar},
title = {{Hidden Lynx – Professional Hackers for Hire}},
date = {2013-09-17},
institution = {Symantec},
url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf},
language = {English},
urldate = {2020-04-21}
}
Hidden Lynx – Professional Hackers for Hire
9002 RAT HiKit APT17 |
2013-04 ⋅ Kaspersky Labs ⋅ GReAT
@techreport{great:201304:winnti:c8e6f40,
author = {GReAT},
title = {{Winnti - More than just a game}},
date = {2013-04},
institution = {Kaspersky Labs},
url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf},
language = {English},
urldate = {2019-07-11}
}
Winnti - More than just a game
portless Winnti |
2013-02-08 ⋅ VMWare Carbon Black ⋅ Patrick Morley
@online{morley:20130208:bit9:edaa56d,
author = {Patrick Morley},
title = {{Bit9 and Our Customers’ Security}},
date = {2013-02-08},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/},
language = {English},
urldate = {2020-05-18}
}
Bit9 and Our Customers’ Security
APT17 |