aka: GreedyTaotie, TG-3390, EMISSARY PANDA, TEMP.Hippo, Red Phoenix, Budworm, Group 35, ZipToken, Iron Tiger, BRONZE UNION, Lucky Mouse, G0027, Iron Taurus, Earth Smilodon
A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.
2023-05-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20230515:lancefly:49fd53e,
author = {{Threat Hunter Team}},
title = {{Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors}},
date = {2023-05-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor},
language = {English},
urldate = {2023-05-26}
}
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors PlugX ShadowPad ZXShell |
2023-05-03 ⋅ Lab52 ⋅ Lab52 @online{lab52:20230503:new:1056613,
author = {Lab52},
title = {{New Mustang Panda’s campaing against Australia}},
date = {2023-05-03},
organization = {Lab52},
url = {https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/},
language = {English},
urldate = {2023-05-08}
}
New Mustang Panda’s campaing against Australia PlugX |
2023-04-24 ⋅ Cofense ⋅ Austin Jones @online{jones:20230424:opensource:a0f5347,
author = {Austin Jones},
title = {{Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release}},
date = {2023-04-24},
organization = {Cofense},
url = {https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/},
language = {English},
urldate = {2023-04-26}
}
Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release Ghost RAT |
2023-04-18 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20230418:mtrends:af1a28e,
author = {Mandiant},
title = {{M-Trends 2023}},
date = {2023-04-18},
organization = {Mandiant},
url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023},
language = {English},
urldate = {2023-04-18}
}
M-Trends 2023 QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate |
2023-03-09 ⋅ Sophos ⋅ Gabor Szappanos @online{szappanos:20230309:borderhopping:5220748,
author = {Gabor Szappanos},
title = {{A border-hopping PlugX USB worm takes its act on the road}},
date = {2023-03-09},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/},
language = {English},
urldate = {2023-03-22}
}
A border-hopping PlugX USB worm takes its act on the road PlugX |
2023-03-09 ⋅ ASEC ⋅ Sanseo @online{sanseo:20230309:plugx:4683b0e,
author = {Sanseo},
title = {{PlugX Malware Being Distributed via Vulnerability Exploitation}},
date = {2023-03-09},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/49097/},
language = {English},
urldate = {2023-03-17}
}
PlugX Malware Being Distributed via Vulnerability Exploitation PlugX |
2023-03-01 ⋅ Trend Micro ⋅ Daniel Lunghi @online{lunghi:20230301:iron:20d88cd,
author = {Daniel Lunghi},
title = {{Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting}},
date = {2023-03-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html},
language = {English},
urldate = {2023-03-13}
}
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting HyperSSL HyperSSL |
2023-02-24 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama, Catherine Loveria @online{tancio:20230224:investigating:94d8b43,
author = {Buddy Tancio and Jed Valderama and Catherine Loveria},
title = {{Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool}},
date = {2023-02-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html},
language = {English},
urldate = {2023-03-22}
}
Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool PlugX |
2023-02-02 ⋅ EclecticIQ ⋅ EclecticIQ Threat Research Team @online{team:20230202:mustang:cac147b,
author = {{EclecticIQ Threat Research Team}},
title = {{Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware}},
date = {2023-02-02},
organization = {EclecticIQ},
url = {https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware},
language = {English},
urldate = {2023-02-06}
}
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware PlugX |
2023-01-26 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Jen Miller-Osborn @online{harbison:20230126:chinese:a83622f,
author = {Mike Harbison and Jen Miller-Osborn},
title = {{Chinese PlugX Malware Hidden in Your USB Devices?}},
date = {2023-01-26},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/},
language = {English},
urldate = {2023-01-27}
}
Chinese PlugX Malware Hidden in Your USB Devices? PlugX |
2023-01-26 ⋅ TEAMT5 ⋅ Still Hsu @techreport{hsu:20230126:brief:5a0716d,
author = {Still Hsu},
title = {{Brief History of MustangPanda and its PlugX Evolution}},
date = {2023-01-26},
institution = {TEAMT5},
url = {https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf},
language = {English},
urldate = {2023-02-09}
}
Brief History of MustangPanda and its PlugX Evolution PlugX |
2023-01-09 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20230109:quicknote:5a8b18c,
author = {m4n0w4r and Tran Trung Kien},
title = {{[QuickNote] Another nice PlugX sample}},
date = {2023-01-09},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/},
language = {English},
urldate = {2023-01-10}
}
[QuickNote] Another nice PlugX sample PlugX |
2022-12-27 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20221227:diving:857147e,
author = {m4n0w4r and Tran Trung Kien},
title = {{Diving into a PlugX sample of Mustang Panda group}},
date = {2022-12-27},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/},
language = {English},
urldate = {2022-12-29}
}
Diving into a PlugX sample of Mustang Panda group PlugX |
2022-12-06 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20221206:mustang:fa0e3e1,
author = {{BlackBerry Research \& Intelligence Team}},
title = {{Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets}},
date = {2022-12-06},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets},
language = {English},
urldate = {2022-12-06}
}
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets PlugX |
2022-12-02 ⋅ Avast Decoded ⋅ Threat Intelligence Team @online{team:20221202:hitching:0cb7557,
author = {{Threat Intelligence Team}},
title = {{Hitching a ride with Mustang Panda}},
date = {2022-12-02},
organization = {Avast Decoded},
url = {https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/},
language = {English},
urldate = {2022-12-02}
}
Hitching a ride with Mustang Panda PlugX |
2022-11-30 ⋅ FFRI Security ⋅ Matsumoto @online{matsumoto:20221130:evolution:29e9b4c,
author = {Matsumoto},
title = {{Evolution of the PlugX loader}},
date = {2022-11-30},
organization = {FFRI Security},
url = {https://engineers.ffri.jp/entry/2022/11/30/141346},
language = {Japanese},
urldate = {2022-12-01}
}
Evolution of the PlugX loader PlugX Poison Ivy |
2022-11-22 ⋅ Twitter (@ESETresearch) ⋅ ESET Research @online{research:20221122:tweets:518c665,
author = {{ESET Research}},
title = {{Tweets on SysUpdate / Soldier / HyperSSL}},
date = {2022-11-22},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1594937054303236096},
language = {English},
urldate = {2022-11-25}
}
Tweets on SysUpdate / Soldier / HyperSSL HyperSSL |
2022-10-18 ⋅ Intrinsec ⋅ Intrinsec, CERT Intrinsec @online{intrinsec:20221018:apt27:1977039,
author = {Intrinsec and {CERT Intrinsec}},
title = {{APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis}},
date = {2022-10-18},
organization = {Intrinsec},
url = {https://www.intrinsec.com/apt27-analysis/},
language = {English},
urldate = {2022-11-07}
}
APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis HyperBro MimiKatz |
2022-10-06 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20221006:mustang:a7e981c,
author = {{The BlackBerry Research \& Intelligence Team}},
title = {{Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims}},
date = {2022-10-06},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims},
language = {English},
urldate = {2022-10-24}
}
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims PlugX |
2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220929:witchetty:628f1c4,
author = {{Threat Hunter Team}},
title = {{Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East}},
date = {2022-09-29},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage},
language = {English},
urldate = {2022-09-30}
}
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 |
2022-09-26 ⋅ Palo Alto Networks Unit 42 ⋅ Daniela Shalev, Itay Gamliel @online{shalev:20220926:hunting:3489fdb,
author = {Daniela Shalev and Itay Gamliel},
title = {{Hunting for Unsigned DLLs to Find APTs}},
date = {2022-09-26},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unsigned-dlls/},
language = {English},
urldate = {2022-09-30}
}
Hunting for Unsigned DLLs to Find APTs PlugX Raspberry Robin Roshtyak |
2022-09-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220915:webworm:500c850,
author = {{Threat Hunter Team}},
title = {{Webworm: Espionage Attackers Testing and Using Older Modified RATs}},
date = {2022-09-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats},
language = {English},
urldate = {2022-09-20}
}
Webworm: Espionage Attackers Testing and Using Older Modified RATs 9002 RAT Ghost RAT Trochilus RAT |
2022-09-14 ⋅ Security Joes ⋅ Felipe Duarte @techreport{duarte:20220914:dissecting:6ab0659,
author = {Felipe Duarte},
title = {{Dissecting PlugX to Extract Its Crown Jewels}},
date = {2022-09-14},
institution = {Security Joes},
url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf},
language = {English},
urldate = {2022-09-16}
}
Dissecting PlugX to Extract Its Crown Jewels PlugX |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220913:new:2ff2e98,
author = {{Threat Hunter Team}},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-09-09 ⋅ Github (m4now4r) ⋅ m4n0w4r @techreport{m4n0w4r:20220909:mustang:120306a,
author = {m4n0w4r},
title = {{“Mustang Panda” – Enemy at the gate}},
date = {2022-09-09},
institution = {Github (m4now4r)},
url = {https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf},
language = {English},
urldate = {2022-09-26}
}
“Mustang Panda” – Enemy at the gate PlugX |
2022-09-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220908:bronze:1975ebf,
author = {{Counter Threat Unit ResearchTeam}},
title = {{BRONZE PRESIDENT Targets Government Officials}},
date = {2022-09-08},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/bronze-president-targets-government-officials},
language = {English},
urldate = {2022-09-13}
}
BRONZE PRESIDENT Targets Government Officials PlugX |
2022-09-08 ⋅ Cybereason ⋅ Kotaro Ogino, Yuki Shibuya, Aleksandar Milenkoski @online{ogino:20220908:threat:2ec8deb,
author = {Kotaro Ogino and Yuki Shibuya and Aleksandar Milenkoski},
title = {{Threat Analysis Report: PlugX RAT Loader Evolution}},
date = {2022-09-08},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution},
language = {English},
urldate = {2022-09-13}
}
Threat Analysis Report: PlugX RAT Loader Evolution PlugX |
2022-08-12 ⋅ Sekoia ⋅ Threat & Detection Research Team @online{team:20220812:luckymouse:2667f45,
author = {{Threat \& Detection Research Team}},
title = {{LuckyMouse uses a backdoored Electron app to target MacOS}},
date = {2022-08-12},
organization = {Sekoia},
url = {https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/},
language = {English},
urldate = {2022-08-18}
}
LuckyMouse uses a backdoored Electron app to target MacOS HyperBro |
2022-08-12 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220812:iron:c55d0cd,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users}},
date = {2022-08-12},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html},
language = {English},
urldate = {2022-08-18}
}
Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users Rshell HyperBro |
2022-08-12 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220812:iron:38c15d7,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (IOCs)}},
date = {2022-08-12},
organization = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt},
language = {English},
urldate = {2022-08-18}
}
Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (IOCs) HyperBro |
2022-08-04 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220804:advanced:afb8956,
author = {Mandiant},
title = {{Advanced Persistent Threats (APTs)}},
date = {2022-08-04},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/insights/apt-groups},
language = {English},
urldate = {2022-08-30}
}
Advanced Persistent Threats (APTs) APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9 Naikon |
2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team @online{team:20220726:malicious:ff5f5c0,
author = {{Microsoft 365 Defender Research Team}},
title = {{Malicious IIS extensions quietly open persistent backdoors into servers}},
date = {2022-07-26},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/},
language = {English},
urldate = {2022-07-28}
}
Malicious IIS extensions quietly open persistent backdoors into servers CHINACHOPPER MimiKatz |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:iron:f7586c5,
author = {{Unit 42}},
title = {{Iron Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/},
language = {English},
urldate = {2022-07-29}
}
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:shallow:cc9413f,
author = {{Unit 42}},
title = {{Shallow Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/},
language = {English},
urldate = {2022-07-29}
}
Shallow Taurus FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK |
2022-07-18 ⋅ YouTube (Security Joes) ⋅ Felipe Duarte @online{duarte:20220718:plugx:bfdba72,
author = {Felipe Duarte},
title = {{PlugX DLL Side-Loading Technique}},
date = {2022-07-18},
organization = {YouTube (Security Joes)},
url = {https://www.youtube.com/watch?v=E2_DTQJjDYc},
language = {English},
urldate = {2022-07-19}
}
PlugX DLL Side-Loading Technique PlugX |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov @online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad Cobalt Strike PlugX ShadowPad |
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220623:bronze:8bccd74,
author = {{Counter Threat Unit ResearchTeam}},
title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
date = {2022-06-23},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
language = {English},
urldate = {2022-09-20}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster |
2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Venkat Rajgor, Felipe Duarte @techreport{lomboni:20220615:backdoor:8d43d9e,
author = {Charles Lomboni and Venkat Rajgor and Felipe Duarte},
title = {{Backdoor via XFF: Mysterious Threat Actor Under Radar}},
date = {2022-06-15},
institution = {Security Joes},
url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf},
language = {English},
urldate = {2022-06-16}
}
Backdoor via XFF: Mysterious Threat Actor Under Radar CHINACHOPPER |
2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220523:operation:e3c402b,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Earth Berberoka}},
date = {2022-05-23},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
2022-05-20 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien, Dang Dinh Phuong @online{m4n0w4r:20220520:re027:38348db,
author = {m4n0w4r and Tran Trung Kien and Dang Dinh Phuong},
title = {{[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam}},
date = {2022-05-20},
organization = {VinCSS},
url = {https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html},
language = {English},
urldate = {2022-05-20}
}
[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam PlugX |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies @online{technologies:20220517:space:abd655a,
author = {{Positive Technologies}},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT |
2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh @techreport{chang:20220512:next:5fd8a83,
author = {Leon Chang and Silvia Yeh},
title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}},
date = {2022-05-12},
institution = {TEAMT5},
url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf},
language = {English},
urldate = {2022-08-08}
}
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides) KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu |
2022-05-11 ⋅ TEAMT5 ⋅ Charles Li, Che Chang @techreport{li:20220511:to:12668fe,
author = {Charles Li and Che Chang},
title = {{To loot or Not to Loot? That Is Not a Question - When State-Nexus APT Targets Online Entertainment Industry}},
date = {2022-05-11},
institution = {TEAMT5},
url = {https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf},
language = {English},
urldate = {2022-08-15}
}
To loot or Not to Loot? That Is Not a Question - When State-Nexus APT Targets Online Entertainment Industry APT27 BRONZE STARLIGHT SLIME29 TianWu |
2022-05-09 ⋅ Qianxin Threat Intelligence Center ⋅ Red Raindrops Team @online{team:20220509:operation:5c9c0d7,
author = {{Red Raindrops Team}},
title = {{Operation EviLoong: An electronic party of "borderless" hackers}},
date = {2022-05-09},
organization = {Qianxin Threat Intelligence Center},
url = {https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw},
language = {Chinese},
urldate = {2022-05-17}
}
Operation EviLoong: An electronic party of "borderless" hackers ZXShell |
2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay @online{an:20220505:mustang:cbc06e9,
author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay},
title = {{Mustang Panda deploys a new wave of malware targeting Europe}},
date = {2022-05-05},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html},
language = {English},
urldate = {2022-05-05}
}
Mustang Panda deploys a new wave of malware targeting Europe Cobalt Strike Meterpreter PlugX |
2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich @online{chen:20220502:moshen:1969df2,
author = {Joey Chen and Amitai Ben Shushan Ehrlich},
title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}},
date = {2022-05-02},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/},
language = {English},
urldate = {2022-05-04}
}
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad PlugX ShadowPad |
2022-04-28 ⋅ DARKReading ⋅ Jai Vijayan @online{vijayan:20220428:chinese:c4c2534,
author = {Jai Vijayan},
title = {{Chinese APT Bronze President Mounts Spy Campaign on Russian Military}},
date = {2022-04-28},
organization = {DARKReading},
url = {https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military},
language = {English},
urldate = {2022-08-26}
}
Chinese APT Bronze President Mounts Spy Campaign on Russian Military PlugX MUSTANG PANDA |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:c43873f,
author = {{PWC UK}},
title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen |
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220427:new:9068f6e,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
date = {2022-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
language = {English},
urldate = {2023-04-18}
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220427:bronze:34ac36a,
author = {{Counter Threat Unit ResearchTeam}},
title = {{BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX}},
date = {2022-04-27},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx},
language = {English},
urldate = {2022-04-29}
}
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX PlugX |
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:18f7e31,
author = {Trendmicro},
title = {{IOCs for Earth Berberoka - Windows}},
date = {2022-04-27},
organization = {Trendmicro},
url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt},
language = {English},
urldate = {2022-07-25}
}
IOCs for Earth Berberoka - Windows AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Gambling Puppet}},
date = {2022-04-27},
institution = {Trendmicro},
url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-15 ⋅ Center for Internet Security ⋅ CIS @online{cis:20220415:top:62c8245,
author = {CIS},
title = {{Top 10 Malware March 2022}},
date = {2022-04-15},
organization = {Center for Internet Security},
url = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022},
language = {English},
urldate = {2023-02-17}
}
Top 10 Malware March 2022 Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus |
2022-04-14 ⋅ NSHC RedAlert Labs ⋅ NSHC Threatrecon Team @online{team:20220414:hacking:62e1b17,
author = {{NSHC Threatrecon Team}},
title = {{Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB}},
date = {2022-04-14},
organization = {NSHC RedAlert Labs},
url = {https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/},
language = {English},
urldate = {2022-04-15}
}
Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB PlugX |
2022-04-12 ⋅ Max Kersten's Blog ⋅ Max Kersten @online{kersten:20220412:ghidra:4afe367,
author = {Max Kersten},
title = {{Ghidra script to handle stack strings}},
date = {2022-04-12},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/},
language = {English},
urldate = {2022-04-20}
}
Ghidra script to handle stack strings CaddyWiper PlugX |
2022-04-01 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220401:chinese:0b445c6,
author = {Ravie Lakshmanan},
title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}},
date = {2022-04-01},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html},
language = {English},
urldate = {2022-04-04}
}
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit Fire Chili Ghost RAT |
2022-03-30 ⋅ Fortinet ⋅ Rotem Sde-Or, Eliran Voronovitch @online{sdeor:20220330:new:8eeff0d,
author = {Rotem Sde-Or and Eliran Voronovitch},
title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}},
date = {2022-03-30},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits},
language = {English},
urldate = {2022-03-31}
}
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits Fire Chili Ghost RAT |
2022-03-28 ⋅ Trellix ⋅ Max Kersten, Marc Elias @online{kersten:20220328:plugx:37256d5,
author = {Max Kersten and Marc Elias},
title = {{PlugX: A Talisman to Behold}},
date = {2022-03-28},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html},
language = {English},
urldate = {2022-03-30}
}
PlugX: A Talisman to Behold PlugX |
2022-03-25 ⋅ ESET Research ⋅ Alexandre Côté Cyr @online{cyr:20220325:mustang:4052776,
author = {Alexandre Côté Cyr},
title = {{Mustang Panda's Hodur: Old stuff, new variant of Korplug}},
date = {2022-03-25},
organization = {ESET Research},
url = {https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/},
language = {French},
urldate = {2022-03-30}
}
Mustang Panda's Hodur: Old stuff, new variant of Korplug PlugX |
2022-03-24 ⋅ Threat Post ⋅ Nate Nelson @online{nelson:20220324:chinese:da166ef,
author = {Nate Nelson},
title = {{Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection}},
date = {2022-03-24},
organization = {Threat Post},
url = {https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/},
language = {English},
urldate = {2022-03-25}
}
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection PlugX |
2022-03-23 ⋅ BleepingComputer ⋅ Bill Toulas @online{toulas:20220323:new:14befd9,
author = {Bill Toulas},
title = {{New Mustang Panda hacking campaign targets diplomats, ISPs}},
date = {2022-03-23},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/},
language = {English},
urldate = {2022-03-25}
}
New Mustang Panda hacking campaign targets diplomats, ISPs PlugX |
2022-03-23 ⋅ ESET Research ⋅ Alexandre Côté Cyr @online{cyr:20220323:mustang:3e97382,
author = {Alexandre Côté Cyr},
title = {{Mustang Panda’s Hodur: Old tricks, new Korplug variant}},
date = {2022-03-23},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/},
language = {English},
urldate = {2022-03-24}
}
Mustang Panda’s Hodur: Old tricks, new Korplug variant PlugX |
2022-03-16 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20220316:gh0stcringe:65e2d3e,
author = {{ASEC Analysis Team}},
title = {{Gh0stCringe RAT Being Distributed to Vulnerable Database Servers}},
date = {2022-03-16},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/32572/},
language = {English},
urldate = {2022-04-14}
}
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers Ghost RAT Kingminer |
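2022-03-07 ⋅ Proofpoint ⋅ Michael Raggi, Myrtus 0x0 @online{raggi:20220307:good:4e4acd6,
  author       = {Michael Raggi and {Myrtus 0x0}},
  title        = {{The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates}},
  organization = {Proofpoint},
  date         = {2022-03-07},
  url          = {https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european},
  urldate      = {2022-03-08},
  language     = {English}
}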
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates PlugX |
2022-02-17 ⋅ SinaCyber ⋅ Adam Kozy @techreport{kozy:20220217:testimony:692e499,
  author      = {Adam Kozy},
  title       = {{Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”}},
  institution = {SinaCyber},
  date        = {2022-02-17},
  url         = {https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf},
  urldate     = {2022-05-23},
  language    = {English}
}
Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States” PlugX APT26 APT41 |
2022-02-11 ⋅ Cisco Talos ⋅ Talos @online{talos:20220211:threat:fcad762,
  author       = {Talos},
  title        = {{Threat Roundup for February 4 to February 11}},
  organization = {Cisco Talos},
  date         = {2022-02-11},
  url          = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html},
  urldate      = {2022-02-14},
  language     = {English}
}
Threat Roundup for February 4 to February 11 DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus |
2022-02-07 ⋅ Cyware ⋅ Cyware @online{cyware:20220207:apt27:e900fc7,
  author       = {Cyware},
  title        = {{APT27 Group Targets German Organizations with HyperBro}},
  organization = {Cyware},
  date         = {2022-02-07},
  url          = {https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/},
  urldate      = {2022-02-09},
  language     = {English}
}
APT27 Group Targets German Organizations with HyperBro HyperBro |
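2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru @techreport{yanagishita:20220127:what:3c59dc9,
  author        = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru},
  title         = {{What We Can Do against the Chaotic A41APT Campaign}},
  institution   = {JSAC 2021},
  date          = {2022-01-27},
  url           = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf},
  urldate       = {2022-05-17},
  language      = {English},
  internal-note = {institution reads JSAC 2021, but the URL path (archive/2022, JSAC2022_9) and the 2022-01-27 date point to JSAC 2022; confirm against the venue before correcting}
}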
What We Can Do against the Chaotic A41APT Campaign CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
2022-01-26 ⋅ BleepingComputer ⋅ Sergiu Gatlan @online{gatlan:20220126:german:06fb2dc,
  author       = {Sergiu Gatlan},
  title        = {{German govt warns of APT27 hackers backdooring business networks}},
  organization = {BleepingComputer},
  date         = {2022-01-26},
  url          = {https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/},
  urldate      = {2022-01-31},
  language     = {English}
}
German govt warns of APT27 hackers backdooring business networks HyperBro |
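2022-01-26 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz @online{verfassungsschutz:20220126:current:de1a6be,
  author       = {{Bundesamt für Verfassungsschutz}},
  title        = {{Current cyber attack campaign against German business enterprises by APT27}},
  organization = {Bundesamt für Verfassungsschutz},
  date         = {2022-01-26},
  url          = {https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10},
  urldate      = {2022-01-31},
  language     = {English}
}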
Current cyber attack campaign against German business enterprises by APT27 HyperBro |
2022-01-06 ⋅ Cyber And Ramen blog ⋅ Mike R @online{r:20220106:gulp:4ab908c,
  author       = {Mike R},
  title        = {{A “GULP” of PlugX}},
  organization = {Cyber And Ramen blog},
  date         = {2022-01-06},
  url          = {https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/},
  urldate      = {2022-04-05},
  language     = {English}
}
A “GULP” of PlugX PlugX |
2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su @online{dai:20211214:collecting:3d6dd34,
  author       = {Nick Dai and Ted Lee and Vickie Su},
  title        = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}},
  organization = {Trend Micro},
  date         = {2021-12-14},
  url          = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html},
  urldate      = {2022-03-30},
  language     = {English}
}
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack |
2021-12-01 ⋅ ESET Research ⋅ Alexis Dorais-Joncas, Facundo Muñoz @techreport{doraisjoncas:20211201:jumping:00bc8f5,
  author      = {Alexis Dorais-Joncas and Facundo Muñoz},
  title       = {{Jumping the air gap: 15 years of nation‑state effort}},
  institution = {ESET Research},
  date        = {2021-12-01},
  url         = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf},
  urldate     = {2021-12-17},
  language    = {English}
}
Jumping the air gap: 15 years of nation‑state effort Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry |
2021-11-18 ⋅ Cisco ⋅ Josh Pyorre @online{pyorre:20211118:blackmatter:e9e9bbf,
  author       = {Josh Pyorre},
  title        = {{BlackMatter, LockBit, and THOR}},
  organization = {Cisco},
  date         = {2021-11-18},
  url          = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor},
  urldate      = {2022-03-28},
  language     = {English}
}
BlackMatter, LockBit, and THOR BlackMatter LockBit PlugX |
2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20211104:shadowpad:8dbd5c7,
  author       = {Yi-Jhen Hsieh and Joey Chen},
  title        = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}},
  organization = {Youtube (Virus Bulletin)},
  date         = {2021-11-04},
  url          = {https://www.youtube.com/watch?v=r1zAVX_HnJg},
  urldate      = {2022-08-08},
  language     = {English}
}
ShadowPad: the masterpiece of privately sold malware in Chinese espionage PlugX ShadowPad |
2021-11-03 ⋅ Cisco Talos ⋅ Chetan Raghuprasad, Vanja Svajcer, Caitlin Huey @online{raghuprasad:20211103:microsoft:2b6de43,
  author       = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey},
  title        = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}},
  organization = {Cisco Talos},
  date         = {2021-11-03},
  url          = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html},
  urldate      = {2021-11-03},
  language     = {English}
}
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk Babuk CHINACHOPPER |
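2021-10-18 ⋅ NortonLifeLock ⋅ Norton Labs @techreport{labs:20211018:operation:9612cbf,
  author      = {{Norton Labs}},
  title       = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}},
  institution = {NortonLifeLock},
  date        = {2021-10-18},
  url         = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf},
  urldate     = {2021-12-15},
  language    = {English}
}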
Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church NewBounce PlugX Zupdax |
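2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211005:drawing:e53477d,
  author       = {{The BlackBerry Research \& Intelligence Team}},
  title        = {{Drawing a Dragon: Connecting the Dots to Find APT41}},
  organization = {Blackberry},
  date         = {2021-10-05},
  url          = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41},
  urldate      = {2021-10-11},
  language     = {English}
}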
Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
2021-10-04 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20211004:malware:5ba808a,
  author       = {Shusei Tomonaga},
  title        = {{Malware Gh0stTimes Used by BlackTech}},
  organization = {JPCERT/CC},
  date         = {2021-10-04},
  url          = {https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html},
  urldate      = {2021-10-11},
  language     = {English}
}
Malware Gh0stTimes Used by BlackTech Gh0stTimes Ghost RAT |
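2021-09-28 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210928:4:069b441,
  author       = {{Insikt Group®}},
  title        = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}},
  organization = {Recorded Future},
  date         = {2021-09-28},
  url          = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/},
  urldate      = {2021-10-11},
  language     = {English}
}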
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan PlugX Winnti |
2021-09-14 ⋅ McAfee ⋅ Christiaan Beek @online{beek:20210914:operation:95aed8d,
  author       = {Christiaan Beek},
  title        = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}},
  organization = {McAfee},
  date         = {2021-09-14},
  url          = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/},
  urldate      = {2021-09-19},
  language     = {English}
}
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign MimiKatz PlugX Winnti |
2021-09-10 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210910:indonesian:fc06998,
  author       = {Catalin Cimpanu},
  title        = {{Indonesian intelligence agency compromised in suspected Chinese hack}},
  organization = {The Record},
  date         = {2021-09-10},
  url          = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/},
  urldate      = {2021-09-12},
  language     = {English}
}
Indonesian intelligence agency compromised in suspected Chinese hack PlugX |
2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta @online{hernandez:20210903:pst:a8de902,
  author       = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta},
  title        = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}},
  organization = {FireEye},
  date         = {2021-09-03},
  url          = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html},
  urldate      = {2021-09-06},
  language     = {English}
}
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers CHINACHOPPER HTran |
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li @online{tseng:20210901:mem2img:7817a5d,
  author       = {Aragorn Tseng and Charles Li},
  title        = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
  organization = {YouTube (Black Hat)},
  date         = {2021-09-01},
  url          = {https://www.youtube.com/watch?v=6SDdUVejR2w},
  urldate      = {2021-09-12},
  language     = {English}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20210901:shadowpad:f9ae111,
  author       = {Yi-Jhen Hsieh and Joey Chen},
  title        = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}},
  organization = {YouTube (Hack In The Box Security Conference)},
  date         = {2021-09-01},
  url          = {https://www.youtube.com/watch?v=IRh6R8o1Q7U},
  urldate      = {2022-08-08},
  language     = {English}
}
SHADOWPAD: Chinese Espionage Malware-as-a-Service PlugX ShadowPad |
2021-08-23 ⋅ SentinelOne ⋅ Yi-Jhen Hsieh, Joey Chen @techreport{hsieh:20210823:shadowpad:58780f1,
  author      = {Yi-Jhen Hsieh and Joey Chen},
  title       = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}},
  institution = {SentinelOne},
  date        = {2021-08-23},
  url         = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf},
  urldate     = {2022-07-18},
  language    = {English}
}
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage PlugX ShadowPad |
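2021-08-10 ⋅ FireEye ⋅ Israel Research Team, U.S. Threat Intel Team @online{team:20210810:unc215:dbc483a,
  author       = {{Israel Research Team} and {U.S. Threat Intel Team}},
  title        = {{UNC215: Spotlight on a Chinese Espionage Campaign in Israel}},
  organization = {FireEye},
  date         = {2021-08-10},
  url          = {https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel},
  urldate      = {2021-12-06},
  language     = {English}
}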
UNC215: Spotlight on a Chinese Espionage Campaign in Israel HyperBro HyperSSL MimiKatz |
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman @online{dahan:20210803:deadringer:908e8d5,
  author       = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
  title        = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}},
  organization = {Cybereason},
  date         = {2021-08-03},
  url          = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos},
  urldate      = {2021-08-06},
  language     = {English}
}
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Alex Hinchliffe @online{harbison:20210727:thor:5d6d793,
  author       = {Mike Harbison and Alex Hinchliffe},
  title        = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}},
  organization = {Palo Alto Networks Unit 42},
  date         = {2021-07-27},
  url          = {https://unit42.paloaltonetworks.com/thor-plugx-variant/},
  urldate      = {2021-07-29},
  language     = {English}
}
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group PlugX |
2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie @online{botezatu:20210721:luminousmoth:7ed907d,
  author       = {Bogdan Botezatu and Victor Vrabie},
  title        = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}},
  organization = {Bitdefender},
  date         = {2021-07-21},
  url          = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited},
  urldate      = {2021-07-26},
  language     = {English}
}
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited PlugX |
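2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20210720:ongoing:1e6dbd0,
  author       = {{Counter Threat Unit Research Team}},
  title        = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}},
  organization = {Secureworks},
  date         = {2021-07-20},
  url          = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran},
  urldate      = {2021-07-26},
  language     = {English}
}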
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran CHINACHOPPER MimiKatz RGDoor |
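2021-06-16 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210616:threat:d585785,
  author      = {{Insikt Group®}},
  title       = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}},
  institution = {Recorded Future},
  date        = {2021-06-16},
  url         = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf},
  urldate     = {2022-07-29},
  language    = {English}
}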
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA |
2021-06-10 ⋅ ESET Research ⋅ Adam Burgher @online{burgher:20210610:backdoordiplomacy:4ebcb1d,
  author       = {Adam Burgher},
  title        = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}},
  organization = {ESET Research},
  date         = {2021-06-10},
  url          = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/},
  urldate      = {2022-06-08},
  language     = {English}
}
BackdoorDiplomacy: Upgrading from Quarian to Turian CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
2021-06-02 ⋅ Trend Micro ⋅ Daniel Lunghi @techreport{lunghi:20210602:taking:f1bdefc,
  author      = {Daniel Lunghi},
  title       = {{Taking Advantage of PE Metadata, or How To Complete Your Favorite Threat Actor’s Sample Collection}},
  institution = {Trend Micro},
  date        = {2021-06-02},
  url         = {https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf},
  urldate     = {2021-06-09},
  language    = {English}
}
Taking Advantage of PE Metadata, or How To Complete Your Favorite Threat Actor’s Sample Collection HyperSSL |
2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex @online{xorhex:20210602:new:9e10322,
  author       = {Xorhex},
  title        = {{Tweet on new variant of PlugX from RedDelta Group}},
  organization = {Twitter (@xorhex)},
  date         = {2021-06-02},
  url          = {https://twitter.com/xorhex/status/1399906601562165249?s=20},
  urldate      = {2021-06-09},
  language     = {English}
}
Tweet on new variant of PlugX from RedDelta Group PlugX |
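2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex) @online{xorhex:20210602:reddelta:f35268d,
  author       = {{Twitter (@xorhex)}},
  title        = {{RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure}},
  organization = {xorhex blog},
  date         = {2021-06-02},
  url          = {https://blog.xorhex.com/blog/reddeltaplugxchangeup/},
  urldate      = {2021-06-09},
  language     = {English}
}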
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure PlugX |
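2021-06-02 ⋅ Trend Micro ⋅ Daniel Lunghi @techreport{lunghi:20210602:taking:49c7b1f,
  author      = {Daniel Lunghi},
  title       = {{Taking Advantage of PE Metadata, or How To Complete your Favorite Threat Actor’s Sample Collection (Paper)}},
  institution = {Trend Micro},
  date        = {2021-06-02},
  url         = {https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf},
  urldate     = {2021-06-11},
  language    = {English}
}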
Taking Advantage of PE Metadata, or How To Complete your Favorite Threat Actor’s Sample Collection (Paper) HyperSSL |
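2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex) @online{xorhex:20210527:mustang:d3c664b,
  author       = {{Twitter (@xorhex)}},
  title        = {{Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config}},
  organization = {xorhex blog},
  date         = {2021-05-27},
  url          = {https://blog.xorhex.com/blog/mustangpandaplugx-2/},
  urldate      = {2021-06-21},
  language     = {English}
}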
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config PlugX |
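2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex) @online{xorhex:20210517:mustang:c51cc47,
  author       = {{Twitter (@xorhex)}},
  title        = {{Mustang Panda PlugX - 45.251.240.55 Pivot}},
  organization = {xorhex blog},
  date         = {2021-05-17},
  url          = {https://blog.xorhex.com/blog/mustangpandaplugx-1/},
  urldate      = {2021-06-21},
  language     = {English}
}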
Mustang Panda PlugX - 45.251.240.55 Pivot PlugX |
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj @online{nataraj:20210507:new:79ec788,
  author       = {Rajesh Nataraj},
  title        = {{New Lemon Duck variants exploiting Microsoft Exchange Server}},
  organization = {SophosLabs Uncut},
  date         = {2021-05-07},
  url          = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728},
  urldate      = {2022-02-16},
  language     = {English}
}
New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin @online{huey:20210507:lemon:0d46f81,
  author       = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin},
  title        = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}},
  organization = {Cisco Talos},
  date         = {2021-05-07},
  url          = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html},
  urldate      = {2022-02-16},
  language     = {English}
}
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li @techreport{tseng:20210507:mem2img:494799d,
  author      = {Aragorn Tseng and Charles Li},
  title       = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
  institution = {TEAMT5},
  date        = {2021-05-07},
  url         = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf},
  urldate     = {2021-09-12},
  language    = {English}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre @online{cruz:20210506:proxylogon:4920ee4,
  author       = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre},
  title        = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}},
  organization = {Trend Micro},
  date         = {2021-05-06},
  url          = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html},
  urldate      = {2022-02-17},
  language     = {English}
}
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei |
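2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210505:multifactor:8834ab8,
  author       = {{Threat Hunter Team}},
  title        = {{Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques}},
  organization = {Symantec},
  date         = {2021-05-05},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks},
  urldate      = {2021-05-26},
  language     = {English}
}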
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques CHINACHOPPER |
2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule @online{dolas:20210505:catching:ace83fc,
  author       = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule},
  title        = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}},
  organization = {Zscaler},
  date         = {2021-05-05},
  url          = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols},
  urldate      = {2021-05-08},
  language     = {English}
}
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
2021-04-29 ⋅ ESET Research ⋅ Robert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek @techreport{lipovsky:20210429:eset:ff67b6c,
  author      = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek},
  title       = {{ESET Industry Report on Government: Targeted but not alone}},
  institution = {ESET Research},
  date        = {2021-04-29},
  url         = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf},
  urldate     = {2021-05-03},
  language    = {English}
}
ESET Industry Report on Government: Targeted but not alone Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy |
2021-04-28 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen @online{hoej:20210428:water:f769ce2,
  author       = {Jaromír Hořejší and Joseph C Chen},
  title        = {{Water Pamola Attacked Online Shops Via Malicious Orders}},
  organization = {Trend Micro},
  date         = {2021-04-28},
  url          = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html},
  urldate      = {2021-05-04},
  language     = {English}
}
Water Pamola Attacked Online Shops Via Malicious Orders Ghost RAT |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili @online{agcaoili:20210427:hello:b3c5de5,
  author       = {Janus Agcaoili},
  title        = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}},
  organization = {Trend Micro},
  date         = {2021-04-27},
  url          = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html},
  urldate      = {2021-04-29},
  language     = {English}
}
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike |
2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana @online{surana:20210416:could:bb769ca,
  author       = {Nitesh Surana},
  title        = {{Could the Microsoft Exchange breach be stopped?}},
  organization = {Trend Micro},
  date         = {2021-04-16},
  url          = {https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html},
  urldate      = {2021-05-11},
  language     = {English}
}
Could the Microsoft Exchange breach be stopped? CHINACHOPPER |
2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone @online{falcone:20210415:actor:8428e3f,
  author       = {Robert Falcone},
  title        = {{Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials}},
  organization = {Palo Alto Networks Unit 42},
  date         = {2021-04-15},
  url          = {https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/},
  urldate      = {2021-04-19},
  language     = {English}
}
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials CHINACHOPPER |
2021-04-09 ⋅ Trend Micro ⋅ Daniel Lunghi, Kenney Lu @online{lunghi:20210409:iron:402e62f,
  author       = {Daniel Lunghi and Kenney Lu},
  title        = {{Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware}},
  organization = {Trend Micro},
  date         = {2021-04-09},
  url          = {https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html},
  urldate      = {2021-04-09},
  language     = {English}
}
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware HyperBro HyperSSL APT27 |
2021-04-02 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20210402:study:31b191e,
  author      = {Dr.Web},
  title       = {{Study of targeted attacks on Russian research institutes}},
  institution = {Dr.Web},
  date        = {2021-04-02},
  url         = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf},
  urldate     = {2021-04-06},
  language    = {English}
}
Study of targeted attacks on Russian research institutes Cotx RAT Ghost RAT TA428 |
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210329:redecho:30b16b4,
  author       = {Catalin Cimpanu},
  title        = {{RedEcho group parks domains after public exposure}},
  organization = {The Record},
  date         = {2021-03-29},
  url          = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/},
  urldate      = {2021-03-31},
  language     = {English}
}
RedEcho group parks domains after public exposure PlugX ShadowPad RedEcho |
2021-03-26 ⋅ Imperva ⋅ Daniel Johnston @online{johnston:20210326:imperva:a78367a,
  author       = {Daniel Johnston},
  title        = {{Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures}},
  organization = {Imperva},
  date         = {2021-03-26},
  url          = {https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/},
  urldate      = {2021-03-30},
  language     = {English}
}
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures CHINACHOPPER |
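2021-03-25 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210325:suspected:5b0078f,
  author       = {{Insikt Group®}},
  title        = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}},
  organization = {Recorded Future},
  date         = {2021-03-25},
  url          = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/},
  urldate      = {2021-03-30},
  language     = {English}
}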
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers Meterpreter PlugX |
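2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20210325:analyzing:d9ddef0,
  author       = {{Microsoft 365 Defender Threat Intelligence Team}},
  title        = {{Analyzing attacks taking advantage of the Exchange Server vulnerabilities}},
  organization = {Microsoft},
  date         = {2021-03-25},
  url          = {https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/},
  urldate      = {2021-03-30},
  language     = {English}
}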
Analyzing attacks taking advantage of the Exchange Server vulnerabilities CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Tom McElroy @online{mcelroy:20210325:web:38010a7,
  author       = {Tom McElroy},
  title        = {{Web Shell Threat Hunting with Azure Sentinel}},
  organization = {Microsoft},
  date         = {2021-03-25},
  url          = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968},
  urldate      = {2021-03-30},
  language     = {English}
}
Web Shell Threat Hunting with Azure Sentinel CHINACHOPPER |
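2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund @techreport{certbund:20210319:microsoft:beb2409,
  author        = {CERT-Bund},
  title         = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}},
  institution   = {Bundesamt für Sicherheit in der Informationstechnik},
  date          = {2021-03-19},
  url           = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf},
  urldate       = {2021-03-22},
  language      = {English},
  internal-note = {title is in German while language reads English; confirm the document language against the PDF before changing the field}
}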
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) CHINACHOPPER MimiKatz |
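2021-03-17 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210317:chinalinked:65b251b,
  author       = {{Insikt Group®}},
  title        = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}},
  organization = {Recorded Future},
  date         = {2021-03-17},
  url          = {https://www.recordedfuture.com/china-linked-ta428-threat-group},
  urldate      = {2021-03-19},
  language     = {English}
}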
China-linked TA428 Continues to Target Russia and Mongolia IT Companies PlugX Poison Ivy TA428 |
2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon @online{deacon:20210315:hafnium:02beddd,
  author       = {Joshua Deacon},
  title        = {{HAFNIUM, China Chopper and ASP.NET Runtime}},
  organization = {Trustwave},
  date         = {2021-03-15},
  url          = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/},
  urldate      = {2021-03-22},
  language     = {English}
}
HAFNIUM, China Chopper and ASP.NET Runtime CHINACHOPPER |
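2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20210311:microsoft:c51c694,
  author       = {{Unit 42}},
  title        = {{Microsoft Exchange Server Attack Timeline}},
  organization = {Palo Alto Networks Unit 42},
  date         = {2021-03-11},
  url          = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/},
  urldate      = {2021-03-12},
  language     = {English}
}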
Microsoft Exchange Server Attack Timeline CHINACHOPPER |
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell @online{campbell:20210311:you:7bd2342,
  author       = {Josh Campbell},
  title        = {{You Don't Know the HAFNIUM of it...}},
  organization = {Cyborg Security},
  date         = {2021-03-11},
  url          = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
  urldate      = {2021-03-16},
  language     = {English}
}
You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
2021-03-11 ⋅ DEVO ⋅ Fran Gomez @online{gomez:20210311:detection:e16ec1f,
  author       = {Fran Gomez},
  title        = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}},
  organization = {DEVO},
  date         = {2021-03-11},
  url          = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/},
  urldate      = {2021-03-12},
  language     = {English}
}
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service CHINACHOPPER MimiKatz |
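2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon @online{lemon:20210310:microsoft:47b2c67,
  author       = {Josh Lemon},
  title        = {{Microsoft Exchange \& the HAFNIUM Threat Actor}},
  organization = {Lemon's InfoSec Ramblings},
  date         = {2021-03-10},
  url          = {https://blog.joshlemon.com.au/hafnium-exchange-attacks/},
  urldate      = {2021-03-11},
  language     = {English}
}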
Microsoft Exchange & the HAFNIUM Threat Actor CHINACHOPPER |
2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20210310:tactics:702eb34,
  author       = {Süleyman Özarslan},
  title        = {{Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers}},
  organization = {PICUS Security},
  date         = {2021-03-10},
  url          = {https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers},
  urldate      = {2021-03-16},
  language     = {English}
}
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers CHINACHOPPER |
2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare @online{dupuy:20210310:exchange:8f65a1f,
  author       = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare},
  title        = {{Exchange servers under siege from at least 10 APT groups}},
  organization = {ESET Research},
  date         = {2021-03-10},
  url          = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
  urldate      = {2021-03-11},
  language     = {English}
}
Exchange servers under siege from at least 10 APT groups Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda |
2021-03-10 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210310:examining:e3eee78,
author = {Joe Slowik},
title = {{Examining Exchange Exploitation and its Lessons for Defenders}},
date = {2021-03-10},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders},
language = {English},
urldate = {2021-03-12}
}
Examining Exchange Exploitation and its Lessons for Defenders CHINACHOPPER |
2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber @online{weems:20210309:reproducing:6c6302c,
author = {Anthony Weems and Dallas Kaman and Michael Weber},
title = {{Reproducing the Microsoft Exchange Proxylogon Exploit Chain}},
date = {2021-03-09},
organization = {PRAETORIAN},
url = {https://www.praetorian.com/blog/reproducing-proxylogon-exploit/},
language = {English},
urldate = {2021-03-11}
}
Reproducing the Microsoft Exchange Proxylogon Exploit Chain CHINACHOPPER |
2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond @online{hammond:20210309:hafnium:dc2de8d,
author = {John Hammond},
title = {{HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange}},
date = {2021-03-09},
organization = {YouTube (John Hammond)},
url = {https://www.youtube.com/watch?v=rn-6t7OygGk},
language = {English},
urldate = {2021-03-12}
}
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange CHINACHOPPER |
2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels @online{lambert:20210309:microsoft:6a37334,
author = {Tony Lambert and Brian Donohue and Katie Nickels},
title = {{Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm}},
date = {2021-03-09},
organization = {Red Canary},
url = {https://redcanary.com/blog/microsoft-exchange-attacks},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm CHINACHOPPER |
2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20210309:remediation:4973903,
author = {Unit 42},
title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}},
date = {2021-03-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/},
language = {English},
urldate = {2021-03-11}
}
Remediation Steps for the Microsoft Exchange Server Vulnerabilities CHINACHOPPER |
2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210308:how:752e42e,
author = {Threat Hunter Team},
title = {{How Symantec Stops Microsoft Exchange Server Attacks}},
date = {2021-03-08},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection},
language = {English},
urldate = {2021-03-12}
}
How Symantec Stops Microsoft Exchange Server Attacks CHINACHOPPER MimiKatz |
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White @online{white:20210308:analyzing:9b932a3,
author = {Jeff White},
title = {{Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells}},
date = {2021-03-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/china-chopper-webshell/},
language = {English},
urldate = {2021-03-11}
}
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells CHINACHOPPER |
2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund @online{grnlund:20210307:tracking:2d920fd,
author = {Rasmus Grönlund},
title = {{Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM}},
date = {2021-03-07},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/},
language = {English},
urldate = {2021-03-12}
}
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM CHINACHOPPER |
2021-03-05 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20210305:chinese:119ea98,
author = {Andy Greenberg},
title = {{Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims}},
date = {2021-03-05},
organization = {Wired},
url = {https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/},
language = {English},
urldate = {2021-03-06}
}
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims CHINACHOPPER |
2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs @techreport{labs:20210305:operation:1248e05,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-05},
institution = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder CHINACHOPPER |
2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team @online{team:20210304:falcon:6170749,
author = {The Falcon Complete Team},
title = {{Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits}},
date = {2021-03-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits},
language = {English},
urldate = {2021-03-10}
}
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits CHINACHOPPER HAFNIUM |
2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace @online{bromiley:20210304:detection:3b8c16f,
author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace},
title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}},
date = {2021-03-04},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html},
language = {English},
urldate = {2021-03-10}
}
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities CHINACHOPPER HAFNIUM |
2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs @online{labs:20210304:operation:1187712,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-04},
organization = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder CHINACHOPPER |
2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs @online{labs:20210303:mass:a0ef74d,
author = {Huntress Labs},
title = {{Mass exploitation of on-prem Exchange servers :(}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers},
language = {English},
urldate = {2021-03-10}
}
Mass exploitation of on-prem Exchange servers :( CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20210303:hafnium:e35dcb1,
author = {MITRE ATT&CK},
title = {{HAFNIUM}},
date = {2021-03-03},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0125/},
language = {English},
urldate = {2022-07-05}
}
HAFNIUM CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ John Hammond @online{hammond:20210303:rapid:7c97ee5,
author = {John Hammond},
title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers},
language = {English},
urldate = {2021-03-10}
}
Rapid Response: Mass Exploitation of On-Prem Exchange Servers CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian @online{christian:20210302:rapid7s:b676aa4,
author = {Andrew Christian},
title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}},
date = {2021-03-02},
organization = {Rapid7 Labs},
url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day},
language = {English},
urldate = {2021-03-10}
}
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security @online{mstic:20210302:hafnium:c7d8588,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security},
title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}},
date = {2021-03-02},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers},
language = {English},
urldate = {2021-03-07}
}
HAFNIUM targeting Exchange Servers with 0-day exploits CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster @online{grunzweig:20210302:operation:44c264f,
author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}},
date = {2021-03-02},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/},
language = {English},
urldate = {2021-03-07}
}
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research @online{research:20210302:exchange:4473faa,
author = {ESET Research},
title = {{Tweet on Exchange RCE}},
date = {2021-03-02},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1366862946488451088},
language = {English},
urldate = {2021-03-10}
}
Tweet on Exchange RCE CHINACHOPPER HAFNIUM |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210228:chinalinked:2fb1230,
author = {Insikt Group®},
title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf},
language = {English},
urldate = {2021-03-04}
}
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions Icefog PlugX ShadowPad |
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210228:chinalinked:ce3b62d,
author = {Insikt Group®},
title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/},
language = {English},
urldate = {2021-03-31}
}
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions PlugX ShadowPad RedEcho |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-22 ⋅ tccontre Blog ⋅ tcontre @online{tcontre:20210222:gh0strat:9f98308,
author = {tcontre},
title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}},
date = {2021-02-22},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html},
language = {English},
urldate = {2021-02-25}
}
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload Ghost RAT |
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou @online{sanmillan:20210201:operation:9e52a78,
author = {Ignacio Sanmillan and Matthieu Faou},
title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}},
date = {2021-02-01},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/},
language = {English},
urldate = {2021-02-17}
}
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
2021-01-29 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210129:chopper:6dfb7c6,
author = {Trend Micro},
title = {{Chopper ASPX web shell used in targeted attack}},
date = {2021-01-29},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html},
language = {English},
urldate = {2021-02-02}
}
Chopper ASPX web shell used in targeted attack CHINACHOPPER MimiKatz |
2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque @online{sison:20210120:xdr:8ea19cc,
author = {Gilbert Sison and Abraham Camba and Ryan Maglaque},
title = {{XDR investigation uncovers PlugX, unique technique in APT attack}},
date = {2021-01-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html},
language = {English},
urldate = {2021-01-27}
}
XDR investigation uncovers PlugX, unique technique in APT attack PlugX |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis @techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20210104:chinas:9677dc6,
author = {Ionut Ilascu},
title = {{China's APT hackers move to ransomware attacks}},
date = {2021-01-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/},
language = {English},
urldate = {2021-01-11}
}
China's APT hackers move to ransomware attacks Clambling PlugX |
2021 ⋅ DomainTools ⋅ Joe Slowik @techreport{slowik:2021:conceptualizing:3cdf067,
author = {Joe Slowik},
title = {{Conceptualizing a Continuum of Cyber Threat Attribution}},
date = {2021},
institution = {DomainTools},
url = {https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf},
language = {English},
urldate = {2021-11-02}
}
Conceptualizing a Continuum of Cyber Threat Attribution CHINACHOPPER SUNBURST |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek @online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-18 ⋅ Seqrite ⋅ Pavankumar Chaudhari @online{chaudhari:20201218:rat:50074a2,
author = {Pavankumar Chaudhari},
title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}},
date = {2020-12-18},
organization = {Seqrite},
url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/},
language = {English},
urldate = {2020-12-18}
}
RAT used by Chinese cyberspies infiltrating Indian businesses Ghost RAT |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20201210:operation:0df1b72,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop},
language = {English},
urldate = {2022-07-29}
}
Operation StealthyTrident: corporate software under attack HyperBro PlugX Tmanger TA428 |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20201210:operation:0eecfc8,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/},
language = {English},
urldate = {2020-12-10}
}
Operation StealthyTrident: corporate software under attack HyperBro PlugX ShadowPad Tmanger |
2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern @online{camastra:20201209:targeting:952844f,
author = {Luigino Camastra and Igor Morgenstern},
title = {{APT Group Targeting Governmental Agencies in East Asia}},
date = {2020-12-09},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/},
language = {English},
urldate = {2021-01-27}
}
APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX PolPo Tmanger |
2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern @online{camastra:20201209:targeting:d3469a1,
author = {Luigino Camastra and Igor Morgenstern},
title = {{APT Group Targeting Governmental Agencies in East Asia}},
date = {2020-12-09},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia},
language = {English},
urldate = {2022-07-29}
}
APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX Tmanger TA428 |
2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov @online{goydenko:20201127:investigation:7d12cee,
author = {Denis Goydenko and Alexey Vishnyakov},
title = {{Investigation with a twist: an accidental APT attack and averted data destruction}},
date = {2020-11-27},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/},
language = {English},
urldate = {2020-12-01}
}
Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20201123:ta416:60e8b7e,
author = {Proofpoint Threat Research Team},
title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}},
date = {2020-11-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader},
language = {English},
urldate = {2020-11-25}
}
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader PlugX |
2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison @online{camba:20201120:weaponizing:e15699d,
author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison},
title = {{Weaponizing Open Source Software for Targeted Attacks}},
date = {2020-11-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html},
language = {English},
urldate = {2020-11-23}
}
Weaponizing Open Source Software for Targeted Attacks LaZagne Defray PlugX |
2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos @online{szappanos:20201104:new:66b8447,
author = {Gabor Szappanos},
title = {{A new APT uses DLL side-loads to “KilllSomeOne”}},
date = {2020-11-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/},
language = {English},
urldate = {2020-11-06}
}
A new APT uses DLL side-loads to “KilllSomeOne” KilllSomeOne PlugX |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-30 ⋅ Team Cymru ⋅ James Shank, Jacomo Piccolini @techreport{shank:20200930:pandamic:f210107,
author = {James Shank and Jacomo Piccolini},
title = {{Pandamic: Emissary Pandas in the Middle East}},
date = {2020-09-30},
institution = {Team Cymru},
url = {https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf},
language = {English},
urldate = {2021-04-16}
}
Pandamic: Emissary Pandas in the Middle East HyperBro HyperSSL |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-15 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20200915:back:2c78a6f,
author = {Insikt Group®},
title = {{Back Despite Disruption: RedDelta Resumes Operations}},
date = {2020-09-15},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf},
language = {English},
urldate = {2020-09-16}
}
Back Despite Disruption: RedDelta Resumes Operations PlugX |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:alert:13d0ab3,
author = {US-CERT},
title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a},
language = {English},
urldate = {2020-09-16}
}
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER Fox Kitten |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:malware:8345418,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a},
language = {English},
urldate = {2020-09-16}
}
Malware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER |
2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20200911:research:edfb074,
author = {ThreatConnect Research Team},
title = {{Research Roundup: Activity on Previously Identified APT33 Domains}},
date = {2020-09-11},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/},
language = {English},
urldate = {2020-09-15}
}
Research Roundup: Activity on Previously Identified APT33 Domains Emotet PlugX APT33 |
2020-07-29 ⋅ Recorded Future ⋅ Insikt Group @techreport{group:20200729:chinese:1929fcd,
author = {Insikt Group},
title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}},
date = {2020-07-29},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf},
language = {English},
urldate = {2020-07-30}
}
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations PlugX |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-28 ⋅ NTT ⋅ NTT Security @online{security:20200728:craftypanda:7643b28,
author = {NTT Security},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}
CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX |
2020-07-21 ⋅ Department of Justice ⋅ Department of Justice @online{justice:20200721:two:81b000b,
author = {Department of Justice},
title = {{Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research}},
date = {2020-07-21},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion},
language = {English},
urldate = {2022-07-25}
}
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research CHINACHOPPER BRONZE SPRING |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon @online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-07-20 ⋅ or10nlabs ⋅ oR10n @online{or10n:20200720:reverse:bcb6023,
author = {oR10n},
title = {{Reverse Engineering the New Mustang Panda PlugX Downloader}},
date = {2020-07-20},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the New Mustang Panda PlugX Downloader PlugX |
2020-07-20 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20200720:study:442ba99,
author = {Dr.Web},
title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}},
date = {2020-07-20},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf},
language = {English},
urldate = {2020-10-02}
}
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan Microcin Mirage PlugX WhiteBird |
2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200715:chinese:0ff06bd,
author = {Catalin Cimpanu},
title = {{Chinese state hackers target Hong Kong Catholic Church}},
date = {2020-07-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/},
language = {English},
urldate = {2020-07-30}
}
Chinese state hackers target Hong Kong Catholic Church PlugX |
2020-07-05 ⋅ or10nlabs ⋅ oR10n @online{or10n:20200705:reverse:60298dc,
author = {oR10n},
title = {{Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config}},
date = {2020-07-05},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config PlugX |
2020-07-01 ⋅ Contextis ⋅ Lampros Noutsos, Oliver Fay @online{noutsos:20200701:dll:00c6e85,
author = {Lampros Noutsos and Oliver Fay},
title = {{DLL Search Order Hijacking}},
date = {2020-07-01},
organization = {Contextis},
url = {https://www.contextis.com/en/blog/dll-search-order-hijacking},
language = {English},
urldate = {2022-04-06}
}
DLL Search Order Hijacking Cobalt Strike PlugX |
2020-06-14 ⋅ BushidoToken ⋅ BushidoToken @online{bushidotoken:20200614:deepdive:3a375ca,
author = {BushidoToken},
title = {{Deep-dive: The DarkHotel APT}},
date = {2020-06-14},
organization = {BushidoToken},
url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html},
language = {English},
urldate = {2020-06-16}
}
Deep-dive: The DarkHotel APT Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode) |
2020-06-05 ⋅ Prevailion ⋅ Danny Adamitis @online{adamitis:20200605:gh0st:849c227,
author = {Danny Adamitis},
title = {{The Gh0st Remains the Same}},
date = {2020-06-05},
organization = {Prevailion},
url = {https://www.prevailion.com/the-gh0st-remains-the-same-2/},
language = {English},
urldate = {2022-09-20}
}
The Gh0st Remains the Same Ghost RAT |
2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20200604:covid19:45fa7ba,
author = {PT ESC Threat Intelligence},
title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}},
date = {2020-06-04},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/},
language = {English},
urldate = {2020-06-05}
}
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group Ghost RAT |
2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola @online{great:20200603:cycldek:ed9a830,
author = {GReAT and Mark Lechtik and Giampaolo Dedola},
title = {{Cycldek: Bridging the (air) gap}},
date = {2020-06-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
language = {English},
urldate = {2020-06-03}
}
Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing |
2020-06-03 ⋅ Trend Micro ⋅ Daniel Lunghi @techreport{lunghi:20200603:how:4f28e63,
author = {Daniel Lunghi},
title = {{How to perform long term monitoring of careless threat actors}},
date = {2020-06-03},
institution = {Trend Micro},
url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf},
language = {English},
urldate = {2020-06-05}
}
How to perform long term monitoring of careless threat actors BBSRAT HyperBro Trochilus RAT |
2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200602:mustang:2cf125a,
author = {Jagaimo Kawaii},
title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}},
date = {2020-06-02},
organization = {Lab52},
url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/},
language = {English},
urldate = {2020-06-03}
}
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers PlugX |
2020-05-24 ⋅ or10nlabs ⋅ oR10n @online{or10n:20200524:reverse:49c2ad8,
author = {oR10n},
title = {{Reverse Engineering the Mustang Panda PlugX Loader}},
date = {2020-05-24},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the Mustang Panda PlugX Loader PlugX |
2020-05-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka @online{amawaka:20200520:what:e02d9a4,
author = {Asuna Amawaka},
title = {{What happened between the BigBadWolf and the Tiger?}},
date = {2020-05-20},
organization = {Medium Asuna Amawaka},
url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2},
language = {English},
urldate = {2021-02-18}
}
What happened between the BigBadWolf and the Tiger? Ghost RAT |
2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller @online{miller:20200515:sogu:cc5a1fc,
author = {Steve Miller},
title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}},
date = {2020-05-15},
organization = {Twitter (@stvemillertime)},
url = {https://twitter.com/stvemillertime/status/1261263000960450562},
language = {English},
urldate = {2020-05-18}
}
Tweet on SOGU development timeline, including TIGERPLUG IOCs PlugX |
2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra @online{camastra:20200514:planted:7b94cc6,
author = {Luigino Camastra},
title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}},
date = {2020-05-14},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia},
language = {English},
urldate = {2022-07-25}
}
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia BYEBY Ghost RAT Microcin MimiKatz Vicious Panda |
2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat @online{cyberthreat:20200501:chin:3a4fb89,
author = {Cyberthreat},
title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}},
date = {2020-05-01},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/},
language = {Vietnamese},
urldate = {2020-09-09}
}
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1) NewCore RAT PlugX |
2020-04-07 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20200407:decade:6441e18,
author = {Blackberry Research},
title = {{Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android}},
date = {2020-04-07},
institution = {Blackberry},
url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf},
language = {English},
urldate = {2020-08-10}
}
Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android Penquin Turla XOR DDoS ZXShell |
2020-03-25 ⋅ Team Cymru ⋅ Team Cymru @online{cymru:20200325:how:b1d8c31,
author = {Team Cymru},
title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}},
date = {2020-03-25},
organization = {Team Cymru},
url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/},
language = {English},
urldate = {2020-07-13}
}
How the Iranian Cyber Security Agency Detects Emissary Panda Malware HyperBro |
2020-03-19 ⋅ VinCSS ⋅ m4n0w4r @online{m4n0w4r:20200319:phn:461fca7,
author = {m4n0w4r},
title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}},
date = {2020-03-19},
organization = {VinCSS},
url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html},
language = {Vietnamese},
urldate = {2020-03-19}
}
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2 PlugX |
2020-03-05 ⋅ SophosLabs ⋅ Sergei Shevchenko @techreport{shevchenko:20200305:cloud:e83e58c,
author = {Sergei Shevchenko},
title = {{Cloud Snooper Attack Bypasses AWS Security Measures}},
date = {2020-03-05},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf},
language = {English},
urldate = {2022-01-28}
}
Cloud Snooper Attack Bypasses AWS Security Measures Cloud Snooper Ghost RAT |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe @online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen @online{chen:20200217:clambling:1a0bb8e,
author = {Theo Chen and Zero Chen},
title = {{CLAMBLING - A New Backdoor Base On Dropbox}},
date = {2020-02-17},
organization = {Talent-Jump Technologies},
url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/},
language = {English},
urldate = {2020-03-30}
}
CLAMBLING - A New Backdoor Base On Dropbox HyperBro PlugX |
2020-01-31 ⋅ YouTube (Context Information Security) ⋅ Contextis @online{contextis:20200131:new:74e3724,
author = {Contextis},
title = {{New AVIVORE threat group – how they operate and managing the risk}},
date = {2020-01-31},
organization = {YouTube (Context Information Security)},
url = {https://www.youtube.com/watch?v=C_TmANnbS2k},
language = {English},
urldate = {2022-04-13}
}
New AVIVORE threat group – how they operate and managing the risk PlugX |
2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard @online{hamzeloofard:20200131:new:5d058ea,
author = {Shahab Hamzeloofard},
title = {{New wave of PlugX targets Hong Kong}},
date = {2020-01-31},
organization = {Avira},
url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/},
language = {English},
urldate = {2020-02-10}
}
New wave of PlugX targets Hong Kong PlugX |
2020-01-13 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200113:apt27:4c2f818,
author = {Jagaimo Kawaii},
title = {{APT27 ZxShell RootKit module updates}},
date = {2020-01-13},
organization = {Lab52},
url = {https://lab52.io/blog/apt27-rootkit-updates/},
language = {English},
urldate = {2020-01-13}
}
APT27 ZxShell RootKit module updates ZXShell |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dcdc02a,
author = {SecureWorks},
title = {{BRONZE FLEETWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood},
language = {English},
urldate = {2020-05-23}
}
BRONZE FLEETWOOD Binanen Ghost RAT OrcaRAT APT5 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:472aea8,
author = {SecureWorks},
title = {{BRONZE OLIVE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-olive},
language = {English},
urldate = {2020-05-23}
}
BRONZE OLIVE ANGRYREBEL PlugX APT22 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:79d8dd2,
author = {SecureWorks},
title = {{BRONZE OVERBROOK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook},
language = {English},
urldate = {2020-05-23}
}
BRONZE OVERBROOK Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:41a0bc0,
author = {SecureWorks},
title = {{BRONZE EDISON}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-edison},
language = {English},
urldate = {2020-05-23}
}
BRONZE EDISON Ghost RAT sykipot APT4 SAMURAI PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dc58892,
author = {SecureWorks},
title = {{BRONZE GLOBE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-globe},
language = {English},
urldate = {2020-05-23}
}
BRONZE GLOBE EtumBot Ghost RAT APT12 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:f48e53c,
author = {SecureWorks},
title = {{BRONZE WOODLAND}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland},
language = {English},
urldate = {2020-05-23}
}
BRONZE WOODLAND PlugX Zeus Roaming Tiger |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020-01 ⋅ Dragos ⋅ Joe Slowik @techreport{slowik:202001:threat:d891011,
author = {Joe Slowik},
title = {{Threat Intelligence and the Limits of Malware Analysis}},
date = {2020-01},
institution = {Dragos},
url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf},
language = {English},
urldate = {2020-06-10}
}
Threat Intelligence and the Limits of Malware Analysis Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant @techreport{hall:202001:mandiant:25e38ef,
author = {Tom Hall and Mitchell Clarke and Mandiant},
title = {{Mandiant IR Grab Bag of Attacker Activity}},
date = {2020-01},
institution = {FireEye},
url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf},
language = {English},
urldate = {2021-04-16}
}
Mandiant IR Grab Bag of Attacker Activity TwoFace CHINACHOPPER HyperBro HyperSSL |
2019-12-29 ⋅ Secureworks ⋅ CTU Research Team @online{team:20191229:bronze:bda6bfc,
author = {CTU Research Team},
title = {{BRONZE PRESIDENT Targets NGOs}},
date = {2019-12-29},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-president-targets-ngos},
language = {English},
urldate = {2020-01-10}
}
BRONZE PRESIDENT Targets NGOs PlugX |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center @online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler @online{cutler:20191116:fresh:871567d,
author = {Silas Cutler},
title = {{Fresh PlugX October 2019}},
date = {2019-11-16},
organization = {Silas Cutler's Blog},
url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html},
language = {English},
urldate = {2020-01-07}
}
Fresh PlugX October 2019 PlugX |
2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi @online{tomonaga:20191111:cases:ac5f1b3,
author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi},
title = {{APT cases exploiting vulnerabilities in region‑specific software}},
date = {2019-11-11},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/},
language = {English},
urldate = {2020-05-13}
}
APT cases exploiting vulnerabilities in region‑specific software NodeRAT Emdivi PlugX |
2019-11-04 ⋅ Tencent ⋅ Tencent Security Mikan TIC @online{tic:20191104:attack:33a29db,
author = {Tencent Security Mikan TIC},
title = {{APT attack group "Higaisa" attack activity disclosed}},
date = {2019-11-04},
organization = {Tencent},
url = {https://s.tencent.com/research/report/836.html},
language = {Chinese},
urldate = {2020-05-13}
}
APT attack group "Higaisa" attack activity disclosed Ghost RAT Higaisa |
2019-10-31 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20191031:calypso:adaf761,
author = {PTSecurity},
title = {{Calypso APT: new group attacking state institutions}},
date = {2019-10-31},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/},
language = {English},
urldate = {2020-01-12}
}
Calypso APT: new group attacking state institutions BYEBY FlyingDutchman Hussar PlugX |
2019-10-22 ⋅ Contextis ⋅ Contextis @techreport{contextis:20191022:avivore:421fc23,
author = {Contextis},
title = {{AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)}},
date = {2019-10-22},
institution = {Contextis},
url = {https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf},
language = {English},
urldate = {2023-01-19}
}
AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper) PlugX Avivore |
2019-10-03 ⋅ ComputerWeekly ⋅ Alex Scroxton @online{scroxton:20191003:new:ce11edf,
author = {Alex Scroxton},
title = {{New threat group behind Airbus cyber attacks, claim researchers}},
date = {2019-10-03},
organization = {ComputerWeekly},
url = {https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers},
language = {English},
urldate = {2022-04-05}
}
New threat group behind Airbus cyber attacks, claim researchers PlugX Avivore |
2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe @online{hinchliffe:20191003:pkplug:4a43ea5,
author = {Alex Hinchliffe},
title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}},
date = {2019-10-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/},
language = {English},
urldate = {2020-01-07}
}
PKPLUG: Chinese Cyber Espionage Group Attacking Asia HenBox Farseer PlugX |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT\&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-09-19 ⋅ MeltX0R @online{meltx0r:20190919:emissary:361f1fd,
author = {MeltX0R},
title = {{Emissary Panda APT: Recent infrastructure and RAT analysis}},
date = {2019-09-19},
url = {https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html},
language = {English},
urldate = {2020-01-09}
}
Emissary Panda APT: Recent infrastructure and RAT analysis ZXShell |
2019-09-17 ⋅ Talos ⋅ Christopher Evans, David Liebenberg @online{evans:20190917:cryptocurrency:8f3a9e9,
author = {Christopher Evans and David Liebenberg},
title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}},
date = {2019-09-17},
organization = {Talos},
url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html},
language = {English},
urldate = {2019-10-31}
}
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda” Ghost RAT |
2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer @online{rascagnres:20190827:china:2d2bbb8,
author = {Paul Rascagnères and Vanja Svajcer},
title = {{China Chopper still active 9 years later}},
date = {2019-08-27},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html},
language = {English},
urldate = {2019-10-14}
}
China Chopper still active 9 years later CHINACHOPPER |
2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley @online{pennino:20190819:game:b6ef5a0,
author = {Alex Pennino and Matt Bromiley},
title = {{GAME OVER: Detecting and Stopping an APT41 Operation}},
date = {2019-08-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html},
language = {English},
urldate = {2020-01-06}
}
GAME OVER: Detecting and Stopping an APT41 Operation ACEHASH CHINACHOPPER HIGHNOON |
2019-07-21 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20190721:emissary:dbd4bd3,
author = {Kevin Perlow},
title = {{Emissary Panda DLL Backdoor}},
date = {2019-07-21},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/emissary-panda-dll-backdoor/},
language = {English},
urldate = {2021-04-16}
}
Emissary Panda DLL Backdoor HyperSSL |
2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20190625:operation:21efa8f,
author = {Cybereason Nocturnus},
title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}},
date = {2019-06-25},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers},
language = {English},
urldate = {2022-07-01}
}
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
2019-06-19 ⋅ YouTube (44CON Information Security Conference) ⋅ Kevin O’Reilly @online{oreilly:20190619:malware:a2f7812,
author = {Kevin O’Reilly},
title = {{The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware}},
date = {2019-06-19},
organization = {YouTube (44CON Information Security Conference)},
url = {https://www.youtube.com/watch?v=qEwBGGgWgOM},
language = {English},
urldate = {2022-04-04}
}
The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware PlugX |
2019-06-13 ⋅ ae CERT ⋅ ae CERT @online{cert:20190613:advanced:5d2e200,
author = {ae CERT},
title = {{Advanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers}},
date = {2019-06-13},
organization = {ae CERT},
url = {https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx},
language = {English},
urldate = {2021-04-16}
}
Advanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers HyperBro HyperSSL |
2019-06-03 ⋅ FireEye ⋅ Chi-en Shen @online{shen:20190603:into:d40fee9,
author = {Chi-en Shen},
title = {{Into the Fog - The Return of ICEFOG APT}},
date = {2019-06-03},
organization = {FireEye},
url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt},
language = {English},
urldate = {2020-06-30}
}
Into the Fog - The Return of ICEFOG APT Icefog PlugX Sarhust |
2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster @online{falcone:20190528:emissary:dc0f942,
author = {Robert Falcone and Tom Lancaster},
title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}},
date = {2019-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/},
language = {English},
urldate = {2021-04-16}
}
Emissary Panda Attacks Middle East Government Sharepoint Servers CHINACHOPPER HyperSSL |
2019-05-24 ⋅ Fortinet ⋅ Ben Hunter @online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-},
language = {English},
urldate = {2020-11-04}
}
Uncovering new Activity by APT10 PlugX Quasar RAT |
2019-04-25 ⋅ DATANET ⋅ Kim Seon-ae @online{seonae:20190425:chinesebased:fa78904,
author = {Kim Seon-ae},
title = {{Chinese-based hackers attack domestic energy institutions}},
date = {2019-04-25},
organization = {DATANET},
url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346},
language = {Korean},
urldate = {2021-02-09}
}
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team @online{team:20190319:sectorm04:6c6ea37,
author = {ThreatRecon Team},
title = {{SectorM04 Targeting Singapore – An Analysis}},
date = {2019-03-19},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/},
language = {English},
urldate = {2020-01-07}
}
SectorM04 Targeting Singapore – An Analysis PlugX Termite |
2019-02-27 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190227:peek:16c9160,
author = {CTU Research Team},
title = {{A Peek into BRONZE UNION’s Toolbox}},
date = {2019-02-27},
organization = {Secureworks},
url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox},
language = {English},
urldate = {2020-01-07}
}
A Peek into BRONZE UNION’s Toolbox Ghost RAT HyperBro ZXShell |
2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan @online{sanmillan:20190107:chinaz:50bb5f4,
author = {Ignacio Sanmillan},
title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}},
date = {2019-01-07},
organization = {Intezer},
url = {https://www.intezer.com/blog/malware-analysis/chinaz-relations/},
language = {English},
urldate = {2022-09-20}
}
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups Ghost RAT |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:threat:739dbdd,
author = {MITRE ATT\&CK},
title = {{Group description: Threat Group-3390}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0027/},
language = {English},
urldate = {2019-12-20}
}
Group description: Threat Group-3390 APT27 |
2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan @techreport{gu:2019:vine:df5dbfb,
author = {Lion Gu and Bowen Pan},
title = {{A vine climbing over the Great Firewall: A long-term attack against China}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf},
language = {English},
urldate = {2020-01-08}
}
A vine climbing over the Great Firewall: A long-term attack against China Poison Ivy ZXShell |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:iron:9e841bb,
author = {Cyber Operations Tracker},
title = {{Iron Tiger}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/iron-tiger},
language = {English},
urldate = {2019-12-20}
}
Iron Tiger APT27 |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:fd89dda,
author = {MITRE ATT&CK},
title = {{Tool description: China Chopper}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0020/},
language = {English},
urldate = {2019-12-20}
}
Tool description: China Chopper CHINACHOPPER |
2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD @techreport{asd:20181214:investigationreport:6eda856,
author = {ASD},
title = {{Investigation report: Compromise of an Australian company via their Managed Service Provider}},
date = {2018-12-14},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf},
language = {English},
urldate = {2020-03-11}
}
Investigation report: Compromise of an Australian company via their Managed Service Provider PlugX RedLeaves |
2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles @online{rolles:20180919:hexrays:1afcc0c,
author = {Rolf Rolles},
title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}},
date = {2018-09-19},
organization = {Möbius Strip Reverse Engineering},
url = {http://www.hexblog.com/?p=1248},
language = {English},
urldate = {2019-10-28}
}
Hex-Rays Microcode API vs. Obfuscating Compiler Ghost RAT |
2018-09-10 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20180910:luckymouse:e309805,
author = {GReAT},
title = {{LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company}},
date = {2018-09-10},
organization = {Kaspersky Labs},
url = {https://securelist.com/luckymouse-ndisproxy-driver/87914/},
language = {English},
urldate = {2019-12-20}
}
LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company Unidentified 080 APT27 |
2018-06-15 ⋅ Bleeping Computer ⋅ Catalin Cimpanu @online{cimpanu:20180615:chinese:e0be0ab,
author = {Catalin Cimpanu},
title = {{Chinese Cyber-Espionage Group Hacked Government Data Center}},
date = {2018-06-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/},
language = {English},
urldate = {2019-12-20}
}
Chinese Cyber-Espionage Group Hacked Government Data Center APT27 |
2018-06-13 ⋅ Kaspersky Labs ⋅ Denis Legezo @online{legezo:20180613:luckymouse:26f9860,
author = {Denis Legezo},
title = {{LuckyMouse hits national data center to organize country-level waterholing campaign}},
date = {2018-06-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/luckymouse-hits-national-data-center/86083/},
language = {English},
urldate = {2019-12-20}
}
LuckyMouse hits national data center to organize country-level waterholing campaign HyperBro APT27 |
2018-05-18 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Thomas Henry @online{pantazopoulos:20180518:emissary:ed9583a,
author = {Nikolaos Pantazopoulos and Thomas Henry},
title = {{Emissary Panda – A potential new malicious tool}},
date = {2018-05-18},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/},
language = {English},
urldate = {2021-03-22}
}
Emissary Panda – A potential new malicious tool HttpBrowser |
2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha @online{rocha:20180509:malware:3ee8ecf,
author = {Luis Rocha},
title = {{Malware Analysis - PlugX - Part 2}},
date = {2018-05-09},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/},
language = {English},
urldate = {2020-01-05}
}
Malware Analysis - PlugX - Part 2 PlugX |
2018-04-20 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos @online{pantazopoulos:20180420:decoding:b4ca1d1,
author = {Nikolaos Pantazopoulos},
title = {{Decoding network data from a Gh0st RAT variant}},
date = {2018-04-20},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/},
language = {English},
urldate = {2022-10-07}
}
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos @online{pantazopoulos:20180417:decoding:7d5f713,
author = {Nikolaos Pantazopoulos},
title = {{Decoding network data from a Gh0st RAT variant}},
date = {2018-04-17},
organization = {NCC Group},
url = {https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/},
language = {English},
urldate = {2022-09-20}
}
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
2018-03-16 ⋅ FireEye ⋅ FireEye @online{fireeye:20180316:suspected:2a77316,
author = {FireEye},
title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}},
date = {2018-03-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html},
language = {English},
urldate = {2019-12-20}
}
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40 |
2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov @online{makrushin:20180313:time:7171143,
author = {Denis Makrushin and Yury Namestnikov},
title = {{Time of death? A therapeutic postmortem of connected medicine}},
date = {2018-03-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/time-of-death-connected-medicine/84315/},
language = {English},
urldate = {2019-12-20}
}
Time of death? A therapeutic postmortem of connected medicine PlugX |
2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha @online{rocha:20180204:malware:ea0aede,
author = {Luis Rocha},
title = {{MALWARE ANALYSIS – PLUGX}},
date = {2018-02-04},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/},
language = {English},
urldate = {2020-01-07}
}
MALWARE ANALYSIS – PLUGX PlugX |
2018-02-01 ⋅ Bitdefender ⋅ Ivona Alexandra Chili, Bogdan Botezatu @online{chili:20180201:operation:305d726,
author = {Ivona Alexandra Chili and Bogdan Botezatu},
title = {{Operation PZChao: a possible return of the Iron Tiger APT}},
date = {2018-02-01},
organization = {Bitdefender},
url = {https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/},
language = {English},
urldate = {2020-01-05}
}
Operation PZChao: a possible return of the Iron Tiger APT APT27 |
2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team @techreport{team:20180201:operation:e76f179,
author = {Bitdefender Team},
title = {{Operation PZCHAO Inside a highly specialized espionage infrastructure}},
date = {2018-02-01},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf},
language = {English},
urldate = {2022-09-20}
}
Operation PZCHAO Inside a highly specialized espionage infrastructure Ghost RAT APT27 |
2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20180104:malspam:ce2dfac,
author = {Brad Duncan},
title = {{MALSPAM PUSHING PCRAT/GH0ST}},
date = {2018-01-04},
organization = {Malware Traffic Analysis},
url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html},
language = {English},
urldate = {2019-12-24}
}
MALSPAM PUSHING PCRAT/GH0ST Ghost RAT |
2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy @online{kozy:20171220:end:218a388,
author = {Adam Kozy},
title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}},
date = {2017-12-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/},
language = {English},
urldate = {2020-05-11}
}
An End to “Smash-and-Grab” and a Move to More Targeted Approaches CHINACHOPPER |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss @online{huss:20171219:north:e5ef6da,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}},
date = {2017-12-19},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new},
language = {English},
urldate = {2019-12-20}
}
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group Ghost RAT |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss @techreport{huss:20171219:north:b2da03e,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug}},
date = {2017-12-19},
institution = {Proofpoint},
url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf},
language = {English},
urldate = {2019-10-18}
}
North Korea Bitten by Bitcoin Bug QUICKCAFE PowerSpritz Ghost RAT PowerRatankba |
2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa @online{ishikawa:20171218:relationship:fb13bae,
author = {Yoshihiro Ishikawa},
title = {{Relationship between PlugX and attacker group "DragonOK"}},
date = {2017-12-18},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html},
language = {Japanese},
urldate = {2019-11-22}
}
Relationship between PlugX and attacker group "DragonOK" PlugX |
2017-06-27 ⋅ Secureworks ⋅ CTU Research Team @online{team:20170627:bronze:b3fb197,
author = {CTU Research Team},
title = {{BRONZE UNION Cyberespionage Persists Despite Disclosures}},
date = {2017-06-27},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-union},
language = {English},
urldate = {2019-12-17}
}
BRONZE UNION Cyberespionage Persists Despite Disclosures APT27 |
2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic @online{lancaster:20170627:paranoid:f933eb4,
author = {Tom Lancaster and Esmid Idrizovic},
title = {{Paranoid PlugX}},
date = {2017-06-27},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/},
language = {English},
urldate = {2019-12-20}
}
Paranoid PlugX PlugX |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:axiom:b181fdb,
author = {MITRE ATT&CK},
title = {{Axiom}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0001/},
language = {English},
urldate = {2022-08-30}
}
Axiom Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 |
2017-05-31 ⋅ MITRE ⋅ MITRE @online{mitre:20170531:apt18:deb24dc,
author = {MITRE},
title = {{APT18}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0026},
language = {English},
urldate = {2022-07-05}
}
APT18 Ghost RAT HttpBrowser APT18 |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:pittytiger:cac6452,
author = {MITRE ATT&CK},
title = {{PittyTiger}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0011},
language = {English},
urldate = {2022-08-30}
}
PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24 |
2017-04-27 ⋅ US-CERT ⋅ US-CERT @online{uscert:20170427:alert:fdb865d,
author = {US-CERT},
title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}},
date = {2017-04-27},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA17-117A},
language = {English},
urldate = {2020-03-11}
}
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors PlugX RedLeaves |
2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20170403:redleaves:211a123,
author = {Shusei Tomonaga},
title = {{RedLeaves - Malware Based on Open Source RAT}},
date = {2017-04-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html},
language = {English},
urldate = {2022-06-22}
}
RedLeaves - Malware Based on Open Source RAT PlugX RedLeaves Trochilus RAT |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers @techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-02-25 ⋅ Financial Security Institute ⋅ Kyoung-Ju Kwak (郭炅周) @techreport{:20170225:silent:5a11e12,
author = {Kyoung-Ju Kwak (郭炅周)},
title = {{Silent RIFLE: Response Against Advanced Threat}},
date = {2017-02-25},
institution = {Financial Security Institute},
url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf},
language = {English},
urldate = {2020-03-04}
}
Silent RIFLE: Response Against Advanced Threat Ghost RAT |
2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20170221:plugx:f9e4817,
author = {Shusei Tomonaga},
title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}},
date = {2017-02-21},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html},
language = {English},
urldate = {2020-01-13}
}
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code PlugX |
2017-02-13 ⋅ RSA ⋅ RSA Research @techreport{research:20170213:kingslayer:98f4892,
author = {RSA Research},
title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}},
date = {2017-02-13},
institution = {RSA},
url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf},
language = {English},
urldate = {2020-01-08}
}
KINGSLAYER – A SUPPLY CHAIN ATTACK CodeKey PlugX |
2016-10-28 ⋅ Github (smb01) ⋅ smb01 @online{smb01:20161028:zxshell:e4d3a5e,
author = {smb01},
title = {{zxshell repository}},
date = {2016-10-28},
organization = {Github (smb01)},
url = {https://github.com/smb01/zxshell},
language = {English},
urldate = {2020-01-07}
}
zxshell repository ZXShell |
2016-10-17 ⋅ ThreatConnect ⋅ ThreatConnect @online{threatconnect:20161017:tale:b318dae,
author = {ThreatConnect},
title = {{A Tale of Two Targets}},
date = {2016-10-17},
organization = {ThreatConnect},
url = {https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/},
language = {English},
urldate = {2019-12-02}
}
A Tale of Two Targets HttpBrowser APT27 |
2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs @online{labs:20160825:unpacking:66173f5,
author = {Malwarebytes Labs},
title = {{Unpacking the spyware disguised as antivirus}},
date = {2016-08-25},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/},
language = {English},
urldate = {2019-12-20}
}
Unpacking the spyware disguised as antivirus PlugX |
2016-06-13 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20160613:survey:c78b147,
author = {Macnica Networks},
title = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}},
date = {2016-06-13},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/security_report_20160613.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition Emdivi PlugX |
2016-04-22 ⋅ Cylance ⋅ Isaac Palmer @online{palmer:20160422:ghost:dda6514,
author = {Isaac Palmer},
title = {{The Ghost Dragon}},
date = {2016-04-22},
organization = {Cylance},
url = {https://blog.cylance.com/the-ghost-dragon},
language = {English},
urldate = {2020-01-08}
}
The Ghost Dragon Ghost RAT |
2016-01-22 ⋅ RSA Link ⋅ Norton Santos @online{santos:20160122:plugx:580fcff,
author = {Norton Santos},
title = {{PlugX APT Malware}},
date = {2016-01-22},
organization = {RSA Link},
url = {https://community.rsa.com/thread/185439},
language = {English},
urldate = {2020-01-13}
}
PlugX APT Malware PlugX |
2015-09-17 ⋅ Trend Micro ⋅ Trendmicro @techreport{trendmicro:20150917:operation:e14b193,
author = {Trendmicro},
title = {{Operation Iron Tiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors}},
date = {2015-09-17},
institution = {Trend Micro},
url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf},
language = {English},
urldate = {2020-01-07}
}
Operation Iron Tiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors APT27 |
2015-09-16 ⋅ Trend Micro ⋅ Christopher Budd @online{budd:20150916:operation:7889703,
author = {Christopher Budd},
title = {{Operation Iron Tiger: Attackers Shift from East Asia to the United States}},
date = {2015-09-16},
organization = {Trend Micro},
url = {http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states},
language = {English},
urldate = {2019-12-17}
}
Operation Iron Tiger: Attackers Shift from East Asia to the United States APT27 |
2015-08-05 ⋅ Ars Technica ⋅ Sean Gallagher @online{gallagher:20150805:newly:dc763a1,
author = {Sean Gallagher},
title = {{Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”}},
date = {2015-08-05},
organization = {Ars Technica},
url = {https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/},
language = {English},
urldate = {2020-01-06}
}
Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes” APT27 |
2015-08-05 ⋅ Secureworks ⋅ CTU Research Team @online{team:20150805:threat:410b881,
author = {CTU Research Team},
title = {{Threat Group 3390 Cyberespionage}},
date = {2015-08-05},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage},
language = {English},
urldate = {2020-01-09}
}
Threat Group 3390 Cyberespionage APT27 |
2015-08 ⋅ Arbor Networks ⋅ ASERT Team @online{team:201508:uncovering:121e5cf,
author = {ASERT Team},
title = {{Uncovering the Seven Pointed Dagger}},
date = {2015-08},
organization = {Arbor Networks},
url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn},
language = {English},
urldate = {2020-05-18}
}
Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT APT9 |
2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20150227:anthem:ac7d814,
author = {ThreatConnect Research Team},
title = {{The Anthem Hack: All Roads Lead to China}},
date = {2015-02-27},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/},
language = {English},
urldate = {2020-04-06}
}
The Anthem Hack: All Roads Lead to China HttpBrowser |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20150129:analysis:0eaad95,
author = {Shusei Tomonaga},
title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}},
date = {2015-01-29},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html},
language = {English},
urldate = {2020-01-09}
}
Analysis of a Recent PlugX Variant - “P2P PlugX” PlugX |
2014-10-28 ⋅ Cisco ⋅ Andrea Allievi, Douglas Goddard, Shaun Hurley, Alain Zidouemba @online{allievi:20141028:threat:a302fbd,
author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba},
title = {{Threat Spotlight: Group 72, Opening the ZxShell}},
date = {2014-10-28},
organization = {Cisco},
url = {https://blogs.cisco.com/security/talos/opening-zxshell},
language = {English},
urldate = {2019-10-15}
}
Threat Spotlight: Group 72, Opening the ZxShell ZXShell |
2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos @techreport{szappanos:20140627:plugx:e63d8bf,
author = {Gabor Szappanos},
title = {{PlugX - The Next Generation}},
date = {2014-06-27},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf},
language = {English},
urldate = {2020-01-10}
}
PlugX - The Next Generation PlugX |
2014-06-10 ⋅ FireEye ⋅ Mike Scott @online{scott:20140610:clandestine:6d515ab,
author = {Mike Scott},
title = {{Clandestine Fox, Part Deux}},
date = {2014-06-10},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html},
language = {English},
urldate = {2019-12-20}
}
Clandestine Fox, Part Deux PlugX |
2014-01-22 ⋅ SC Magazine ⋅ Steve Gold @online{gold:20140122:iran:b9a3b8e,
author = {Steve Gold},
title = {{Iran and Russia blamed for state-sponsored espionage}},
date = {2014-01-22},
organization = {SC Magazine},
url = {https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/},
language = {English},
urldate = {2020-06-08}
}
Iran and Russia blamed for state-sponsored espionage APT27 |
2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud @online{perigaud:20140106:plugx:16410d7,
author = {Fabien Perigaud},
title = {{PlugX: some uncovered points}},
date = {2014-01-06},
organization = {Airbus},
url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html},
language = {English},
urldate = {2020-01-08}
}
PlugX: some uncovered points PlugX |
2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik @online{ahl:20130807:breaking:aff06e9,
author = {Ian Ahl and Tony Lee and Dennis Hanzlik},
title = {{Breaking Down the China Chopper Web Shell - Part I}},
date = {2013-08-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html},
language = {English},
urldate = {2019-12-20}
}
Breaking Down the China Chopper Web Shell - Part I CHINACHOPPER |
2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL @techreport{circl:20130329:analysis:b3c48b0,
author = {CIRCL},
title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}},
date = {2013-03-29},
institution = {Computer Incident Response Center Luxembourg},
url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf},
language = {English},
urldate = {2019-11-24}
}
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0) PlugX |
2013-03-26 ⋅ Contextis ⋅ Kevin O’Reilly @techreport{oreilly:20130326:plugxpayload:d355f49,
author = {Kevin O’Reilly},
title = {{PlugX–Payload Extraction}},
date = {2013-03-26},
institution = {Contextis},
url = {https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf},
language = {English},
urldate = {2023-01-19}
}
PlugX–Payload Extraction PlugX |
2013-02-27 ⋅ Trend Micro ⋅ Abraham Camba @online{camba:20130227:bkdrrarstone:8893f88,
author = {Abraham Camba},
title = {{BKDR_RARSTONE: New RAT to Watch Out For}},
date = {2013-02-27},
organization = {Trend Micro},
url = {https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/},
language = {English},
urldate = {2023-04-22}
}
BKDR_RARSTONE: New RAT to Watch Out For PlugX Naikon |
2012-02-10 ⋅ tracker.h3x.eu ⋅ Malware Corpus Tracker @online{tracker:20120210:info:d58b5c1,
author = {Malware Corpus Tracker},
title = {{Info for Family: plugx}},
date = {2012-02-10},
organization = {tracker.h3x.eu},
url = {https://tracker.h3x.eu/info/290},
language = {English},
urldate = {2021-06-24}
}
Info for Family: plugx PlugX |
2012 ⋅ Norman ASA ⋅ Snorre Fagerland @techreport{fagerland:2012:many:c938856,
author = {Snorre Fagerland},
title = {{The many faces of Gh0st Rat}},
date = {2012},
institution = {Norman ASA},
url = {https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf},
language = {English},
urldate = {2023-04-08}
}
The many faces of Gh0st Rat Ghost RAT |
2011-06-29 ⋅ Symantec ⋅ John McDonald @online{mcdonald:20110629:inside:b955948,
author = {John McDonald},
title = {{Inside a Back Door Attack}},
date = {2011-06-29},
organization = {Symantec},
url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack},
language = {English},
urldate = {2020-04-21}
}
Inside a Back Door Attack Ghost RAT Dust Storm |
2009-03-28 ⋅ Infinitum Labs ⋅ Information Warfare Monitor @techreport{monitor:20090328:tracking:dffad13,
author = {Information Warfare Monitor},
title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}},
date = {2009-03-28},
institution = {Infinitum Labs},
url = {http://www.nartv.org/mirror/ghostnet.pdf},
language = {English},
urldate = {2022-09-30}
}
Tracking GhostNet: Investigating a Cyber Espionage Network Ghost RAT GhostNet |