aka: GOTHIC PANDA, TG-0110, Group 6, UPS, Buckeye, Boyusec, BORON, BRONZE MAYFAIR, Red Sylvan
Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'
2023-09-08 ⋅ PolySwarm Tech Team ⋅ The Hivemind
@online{hivemind:20230908:carderbee:f42e2a4,
author = {The Hivemind},
title = {{Carderbee Targets Hong Kong in Supply Chain Attack}},
date = {2023-09-08},
organization = {PolySwarm Tech Team},
url = {https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack},
language = {English},
urldate = {2023-12-04}
}
Carderbee Targets Hong Kong in Supply Chain Attack
PlugX |
2023-09-07 ⋅ Sekoia ⋅ Jamila B.
@online{b:20230907:my:de66f96,
author = {Jamila B.},
title = {{My Tea’s not cold. An overview of China’s cyber threat}},
date = {2023-09-07},
organization = {Sekoia},
url = {https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/},
language = {English},
urldate = {2023-09-08}
}
My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL Dalbit |
2023-08-22 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20230822:carderbee:927bbd8,
author = {Threat Hunter Team},
title = {{Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong}},
date = {2023-08-22},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse},
language = {English},
urldate = {2023-08-24}
}
Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
PlugX Carderbee |
2023-08-07 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20230807:redhotel:ee4dd20,
author = {Insikt Group},
title = {{RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale}},
date = {2023-08-07},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf},
language = {English},
urldate = {2023-08-09}
}
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca |
2023-07-11 ⋅ Mandiant ⋅ Rommel Joven, Ng Choon Kiat
@online{joven:20230711:spies:5594cd9,
author = {Rommel Joven and Ng Choon Kiat},
title = {{The Spies Who Loved You: Infected USB Drives to Steal Secrets}},
date = {2023-07-11},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/blog/infected-usb-steal-secrets},
language = {English},
urldate = {2023-07-31}
}
The Spies Who Loved You: Infected USB Drives to Steal Secrets
PlugX |
2023-07-03 ⋅ Check Point Research ⋅ Checkpoint Research
@online{research:20230703:chinese:b18e8f3,
author = {Checkpoint Research},
title = {{Chinese Threat Actors Targeting Europe in SmugX Campaign}},
date = {2023-07-03},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/},
language = {English},
urldate = {2023-07-08}
}
Chinese Threat Actors Targeting Europe in SmugX Campaign
PlugX SmugX |
2023-05-15 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20230515:lancefly:49fd53e,
author = {Threat Hunter Team},
title = {{Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors}},
date = {2023-05-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor},
language = {English},
urldate = {2023-05-26}
}
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Merdoor PlugX ShadowPad ZXShell Lancefly |
2023-05-11 ⋅ cocomelonc ⋅ cocomelonc
@online{cocomelonc:20230511:malware:f557876,
author = {cocomelonc},
title = {{Malware development trick - part 28: Dump lsass.exe. Simple C++ example.}},
date = {2023-05-11},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html},
language = {English},
urldate = {2023-05-15}
}
Malware development trick - part 28: Dump lsass.exe. Simple C++ example.
Cobalt Strike APT3 Keylogger |
2023-05-03 ⋅ Lab52 ⋅ Lab52
@online{lab52:20230503:new:1056613,
author = {Lab52},
title = {{New Mustang Panda’s campaing against Australia}},
date = {2023-05-03},
organization = {Lab52},
url = {https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/},
language = {English},
urldate = {2023-05-08}
}
New Mustang Panda’s campaing against Australia
PlugX |
2023-04-18 ⋅ Mandiant ⋅ Mandiant
@online{mandiant:20230418:mtrends:af1a28e,
author = {Mandiant},
title = {{M-Trends 2023}},
date = {2023-04-18},
organization = {Mandiant},
url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023},
language = {English},
urldate = {2023-04-18}
}
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate |
2023-03-30 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20230330:with:95ccd1c,
author = {Insikt Group},
title = {{With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets}},
date = {2023-03-30},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf},
language = {English},
urldate = {2023-07-27}
}
With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets
KEYPLUG Cobalt Strike PlugX |
2023-03-09 ⋅ Sophos ⋅ Gabor Szappanos
@online{szappanos:20230309:borderhopping:5220748,
author = {Gabor Szappanos},
title = {{A border-hopping PlugX USB worm takes its act on the road}},
date = {2023-03-09},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/},
language = {English},
urldate = {2023-03-22}
}
A border-hopping PlugX USB worm takes its act on the road
PlugX |
2023-03-09 ⋅ ASEC ⋅ Sanseo
@online{sanseo:20230309:plugx:4683b0e,
author = {Sanseo},
title = {{PlugX Malware Being Distributed via Vulnerability Exploitation}},
date = {2023-03-09},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/49097/},
language = {English},
urldate = {2023-03-17}
}
PlugX Malware Being Distributed via Vulnerability Exploitation
PlugX |
2023-02-24 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama, Catherine Loveria
@online{tancio:20230224:investigating:94d8b43,
author = {Buddy Tancio and Jed Valderama and Catherine Loveria},
title = {{Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool}},
date = {2023-02-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html},
language = {English},
urldate = {2023-03-22}
}
Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool
PlugX |
2023-02-02 ⋅ EclecticIQ ⋅ EclecticIQ Threat Research Team
@online{team:20230202:mustang:cac147b,
author = {EclecticIQ Threat Research Team},
title = {{Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware}},
date = {2023-02-02},
organization = {EclecticIQ},
url = {https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware},
language = {English},
urldate = {2023-02-06}
}
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
PlugX |
2023-01-26 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Jen Miller-Osborn
@online{harbison:20230126:chinese:a83622f,
author = {Mike Harbison and Jen Miller-Osborn},
title = {{Chinese PlugX Malware Hidden in Your USB Devices?}},
date = {2023-01-26},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/},
language = {English},
urldate = {2023-01-27}
}
Chinese PlugX Malware Hidden in Your USB Devices?
PlugX |
2023-01-26 ⋅ TEAMT5 ⋅ Still Hsu
@techreport{hsu:20230126:brief:5a0716d,
author = {Still Hsu},
title = {{Brief History of MustangPanda and its PlugX Evolution}},
date = {2023-01-26},
institution = {TEAMT5},
url = {https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf},
language = {English},
urldate = {2023-02-09}
}
Brief History of MustangPanda and its PlugX Evolution
PlugX |
2023-01-09 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
@online{m4n0w4r:20230109:quicknote:5a8b18c,
author = {m4n0w4r and Tran Trung Kien},
title = {{[QuickNote] Another nice PlugX sample}},
date = {2023-01-09},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/},
language = {English},
urldate = {2023-01-10}
}
[QuickNote] Another nice PlugX sample
PlugX |
2022-12-27 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
@online{m4n0w4r:20221227:diving:857147e,
author = {m4n0w4r and Tran Trung Kien},
title = {{Diving into a PlugX sample of Mustang Panda group}},
date = {2022-12-27},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/},
language = {English},
urldate = {2022-12-29}
}
Diving into a PlugX sample of Mustang Panda group
PlugX |
2022-12-22 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20221222:reddelta:7469cca,
author = {Insikt Group},
title = {{RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant}},
date = {2022-12-22},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf},
language = {English},
urldate = {2023-08-11}
}
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
PlugX RedDelta |
2022-12-06 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
@online{team:20221206:mustang:fa0e3e1,
author = {BlackBerry Research & Intelligence Team},
title = {{Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets}},
date = {2022-12-06},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets},
language = {English},
urldate = {2022-12-06}
}
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
PlugX |
2022-12-02 ⋅ Avast Decoded ⋅ Threat Intelligence Team
@online{team:20221202:hitching:0cb7557,
author = {Threat Intelligence Team},
title = {{Hitching a ride with Mustang Panda}},
date = {2022-12-02},
organization = {Avast Decoded},
url = {https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/},
language = {English},
urldate = {2022-12-02}
}
Hitching a ride with Mustang Panda
PlugX |
2022-11-30 ⋅ FFRI Security ⋅ Matsumoto
@online{matsumoto:20221130:evolution:29e9b4c,
author = {Matsumoto},
title = {{Evolution of the PlugX loader}},
date = {2022-11-30},
organization = {FFRI Security},
url = {https://engineers.ffri.jp/entry/2022/11/30/141346},
language = {Japanese},
urldate = {2022-12-01}
}
Evolution of the PlugX loader
PlugX Poison Ivy |
2022-10-06 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20221006:mustang:a7e981c,
author = {The BlackBerry Research & Intelligence Team},
title = {{Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims}},
date = {2022-10-06},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims},
language = {English},
urldate = {2022-10-24}
}
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims
PlugX |
2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20220929:witchetty:628f1c4,
author = {Threat Hunter Team},
title = {{Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East}},
date = {2022-09-29},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage},
language = {English},
urldate = {2022-09-30}
}
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 Witchetty |
2022-09-26 ⋅ Palo Alto Networks Unit 42 ⋅ Daniela Shalev, Itay Gamliel
@online{shalev:20220926:hunting:3489fdb,
author = {Daniela Shalev and Itay Gamliel},
title = {{Hunting for Unsigned DLLs to Find APTs}},
date = {2022-09-26},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unsigned-dlls/},
language = {English},
urldate = {2022-09-30}
}
Hunting for Unsigned DLLs to Find APTs
PlugX Raspberry Robin Roshtyak |
2022-09-14 ⋅ Security Joes ⋅ Felipe Duarte
@techreport{duarte:20220914:dissecting:6ab0659,
author = {Felipe Duarte},
title = {{Dissecting PlugX to Extract Its Crown Jewels}},
date = {2022-09-14},
institution = {Security Joes},
url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf},
language = {English},
urldate = {2022-09-16}
}
Dissecting PlugX to Extract Its Crown Jewels
PlugX |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20220913:new:2ff2e98,
author = {Threat Hunter Team},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-09-09 ⋅ Github (m4now4r) ⋅ m4n0w4r
@techreport{m4n0w4r:20220909:mustang:120306a,
author = {m4n0w4r},
title = {{“Mustang Panda” – Enemy at the gate}},
date = {2022-09-09},
institution = {Github (m4now4r)},
url = {https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf},
language = {English},
urldate = {2022-09-26}
}
“Mustang Panda” – Enemy at the gate
PlugX |
2022-09-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20220908:bronze:1975ebf,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE PRESIDENT Targets Government Officials}},
date = {2022-09-08},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/bronze-president-targets-government-officials},
language = {English},
urldate = {2022-09-13}
}
BRONZE PRESIDENT Targets Government Officials
PlugX |
2022-09-08 ⋅ Cybereason ⋅ Kotaro Ogino, Yuki Shibuya, Aleksandar Milenkoski
@online{ogino:20220908:threat:2ec8deb,
author = {Kotaro Ogino and Yuki Shibuya and Aleksandar Milenkoski},
title = {{Threat Analysis Report: PlugX RAT Loader Evolution}},
date = {2022-09-08},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution},
language = {English},
urldate = {2022-09-13}
}
Threat Analysis Report: PlugX RAT Loader Evolution
PlugX |
2022-08-04 ⋅ Mandiant ⋅ Mandiant
@online{mandiant:20220804:advanced:afb8956,
author = {Mandiant},
title = {{Advanced Persistent Threats (APTs)}},
date = {2022-08-04},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/insights/apt-groups},
language = {English},
urldate = {2022-08-30}
}
Advanced Persistent Threats (APTs)
APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9 Naikon |
2022-07-18 ⋅ YouTube (Security Joes) ⋅ Felipe Duarte
@online{duarte:20220718:plugx:bfdba72,
author = {Felipe Duarte},
title = {{PlugX DLL Side-Loading Technique}},
date = {2022-07-18},
organization = {YouTube (Security Joes)},
url = {https://www.youtube.com/watch?v=E2_DTQJjDYc},
language = {English},
urldate = {2022-07-19}
}
PlugX DLL Side-Loading Technique
PlugX |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20220718:shallow:cc9413f,
author = {Unit 42},
title = {{Shallow Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/},
language = {English},
urldate = {2022-07-29}
}
Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov
@online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad |
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20220623:bronze:8bccd74,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
date = {2022-06-23},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
language = {English},
urldate = {2022-09-20}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster |
2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220523:operation:e3c402b,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Earth Berberoka}},
date = {2022-05-23},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
2022-05-20 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien, Dang Dinh Phuong
@online{m4n0w4r:20220520:re027:38348db,
author = {m4n0w4r and Tran Trung Kien and Dang Dinh Phuong},
title = {{[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam}},
date = {2022-05-20},
organization = {VinCSS},
url = {https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html},
language = {English},
urldate = {2022-05-20}
}
[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam
PlugX |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies
@online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT |
2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh
@techreport{chang:20220512:next:5fd8a83,
author = {Leon Chang and Silvia Yeh},
title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}},
date = {2022-05-12},
institution = {TEAMT5},
url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf},
language = {English},
urldate = {2022-08-08}
}
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu |
2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay
@online{an:20220505:mustang:cbc06e9,
author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay},
title = {{Mustang Panda deploys a new wave of malware targeting Europe}},
date = {2022-05-05},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html},
language = {English},
urldate = {2023-08-03}
}
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX Unidentified 094 |
2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich
@online{chen:20220502:moshen:1969df2,
author = {Joey Chen and Amitai Ben Shushan Ehrlich},
title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}},
date = {2022-05-02},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/},
language = {English},
urldate = {2022-05-04}
}
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad |
2022-04-28 ⋅ DARKReading ⋅ Jai Vijayan
@online{vijayan:20220428:chinese:c4c2534,
author = {Jai Vijayan},
title = {{Chinese APT Bronze President Mounts Spy Campaign on Russian Military}},
date = {2022-04-28},
organization = {DARKReading},
url = {https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military},
language = {English},
urldate = {2022-08-26}
}
Chinese APT Bronze President Mounts Spy Campaign on Russian Military
PlugX MUSTANG PANDA |
2022-04-28 ⋅ PWC ⋅ PWC UK
@techreport{uk:20220428:cyber:c43873f,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen |
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší
@online{lunghi:20220427:new:9068f6e,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
date = {2022-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
language = {English},
urldate = {2023-04-18}
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro
@online{trendmicro:20220427:iocs:18f7e31,
author = {Trendmicro},
title = {{IOCs for Earth Berberoka - Windows}},
date = {2022-04-27},
organization = {Trendmicro},
url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt},
language = {English},
urldate = {2022-07-25}
}
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20220427:bronze:34ac36a,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX}},
date = {2022-04-27},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx},
language = {English},
urldate = {2022-04-29}
}
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX
PlugX |
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220427:operation:bdba881,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Gambling Puppet}},
date = {2022-04-27},
institution = {Trendmicro},
url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-14 ⋅ NSHC RedAlert Labs ⋅ NSHC Threatrecon Team
@online{team:20220414:hacking:62e1b17,
author = {NSHC Threatrecon Team},
title = {{Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB}},
date = {2022-04-14},
organization = {NSHC RedAlert Labs},
url = {https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/},
language = {English},
urldate = {2022-04-15}
}
Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB
PlugX |
2022-04-12 ⋅ Max Kersten's Blog ⋅ Max Kersten
@online{kersten:20220412:ghidra:4afe367,
author = {Max Kersten},
title = {{Ghidra script to handle stack strings}},
date = {2022-04-12},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/},
language = {English},
urldate = {2022-04-20}
}
Ghidra script to handle stack strings
CaddyWiper PlugX |
2022-03-28 ⋅ Trellix ⋅ Max Kersten, Marc Elias
@online{kersten:20220328:plugx:37256d5,
author = {Max Kersten and Marc Elias},
title = {{PlugX: A Talisman to Behold}},
date = {2022-03-28},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html},
language = {English},
urldate = {2022-03-30}
}
PlugX: A Talisman to Behold
PlugX |
2022-03-25 ⋅ ESET Research ⋅ Alexandre Côté Cyr
@online{cyr:20220325:mustang:4052776,
author = {Alexandre Côté Cyr},
title = {{Mustang Panda's Hodur: Old stuff, new variant of Korplug}},
date = {2022-03-25},
organization = {ESET Research},
url = {https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/},
language = {French},
urldate = {2022-03-30}
}
Mustang Panda's Hodur: Old stuff, new variant of Korplug
PlugX |
2022-03-24 ⋅ Threat Post ⋅ Nate Nelson
@online{nelson:20220324:chinese:da166ef,
author = {Nate Nelson},
title = {{Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection}},
date = {2022-03-24},
organization = {Threat Post},
url = {https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/},
language = {English},
urldate = {2022-03-25}
}
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection
PlugX |
2022-03-23 ⋅ ESET Research ⋅ Alexandre Côté Cyr
@online{cyr:20220323:mustang:3e97382,
author = {Alexandre Côté Cyr},
title = {{Mustang Panda’s Hodur: Old tricks, new Korplug variant}},
date = {2022-03-23},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/},
language = {English},
urldate = {2022-03-24}
}
Mustang Panda’s Hodur: Old tricks, new Korplug variant
PlugX |
2022-03-23 ⋅ BleepingComputer ⋅ Bill Toulas
@online{toulas:20220323:new:14befd9,
author = {Bill Toulas},
title = {{New Mustang Panda hacking campaign targets diplomats, ISPs}},
date = {2022-03-23},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/},
language = {English},
urldate = {2022-03-25}
}
New Mustang Panda hacking campaign targets diplomats, ISPs
PlugX |
2022-03-07 ⋅ Proofpoint ⋅ Michael Raggi, Myrtus 0x0
@online{raggi:20220307:good:4e4acd6,
author = {Michael Raggi and Myrtus 0x0},
title = {{The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates}},
date = {2022-03-07},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european},
language = {English},
urldate = {2022-03-08}
}
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
PlugX |
2022-02-17 ⋅ SinaCyber ⋅ Adam Kozy
@techreport{kozy:20220217:testimony:692e499,
author = {Adam Kozy},
title = {{Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”}},
date = {2022-02-17},
institution = {SinaCyber},
url = {https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf},
language = {English},
urldate = {2022-05-23}
}
Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”
PlugX APT26 APT41 |
2022-01-06 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20220106:gulp:4ab908c,
author = {Mike R},
title = {{A “GULP” of PlugX}},
date = {2022-01-06},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/},
language = {English},
urldate = {2022-04-05}
}
A “GULP” of PlugX
PlugX |
2021-12-01 ⋅ ESET Research ⋅ Alexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5,
author = {Alexis Dorais-Joncas and Facundo Muñoz},
title = {{Jumping the air gap: 15 years of nation‑state effort}},
date = {2021-12-01},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf},
language = {English},
urldate = {2021-12-17}
}
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry |
2021-11-18 ⋅ Cisco ⋅ Josh Pyorre
@online{pyorre:20211118:blackmatter:e9e9bbf,
author = {Josh Pyorre},
title = {{BlackMatter, LockBit, and THOR}},
date = {2021-11-18},
organization = {Cisco},
url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor},
language = {English},
urldate = {2022-03-28}
}
BlackMatter, LockBit, and THOR
BlackMatter LockBit PlugX |
2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20211104:shadowpad:8dbd5c7,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}},
date = {2021-11-04},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=r1zAVX_HnJg},
language = {English},
urldate = {2022-08-08}
}
ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad |
2021-10-18 ⋅ NortonLifeLock ⋅ Norton Labs
@techreport{labs:20211018:operation:9612cbf,
author = {Norton Labs},
title = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}},
date = {2021-10-18},
institution = {NortonLifeLock},
url = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf},
language = {English},
urldate = {2021-12-15}
}
Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax |
2021-09-28 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210928:4:069b441,
author = {Insikt Group®},
title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}},
date = {2021-09-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/},
language = {English},
urldate = {2021-10-11}
}
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti |
2021-09-14 ⋅ McAfee ⋅ Christiaan Beek
@online{beek:20210914:operation:95aed8d,
author = {Christiaan Beek},
title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}},
date = {2021-09-14},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/},
language = {English},
urldate = {2021-09-19}
}
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti |
2021-09-10 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210910:indonesian:fc06998,
author = {Catalin Cimpanu},
title = {{Indonesian intelligence agency compromised in suspected Chinese hack}},
date = {2021-09-10},
organization = {The Record},
url = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/},
language = {English},
urldate = {2021-09-12}
}
Indonesian intelligence agency compromised in suspected Chinese hack
PlugX |
2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902,
author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta},
title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}},
date = {2021-09-03},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html},
language = {English},
urldate = {2021-09-06}
}
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran |
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-09-01},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=6SDdUVejR2w},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Yi-Jhen Hsieh, Joey Chen
@online{hsieh:20210901:shadowpad:f9ae111,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}},
date = {2021-09-01},
organization = {YouTube (Hack In The Box Security Conference)},
url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U},
language = {English},
urldate = {2022-08-08}
}
SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad |
2021-08-23 ⋅ SentinelOne ⋅ Yi-Jhen Hsieh, Joey Chen
@techreport{hsieh:20210823:shadowpad:58780f1,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-23},
institution = {SentinelOne},
url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf},
language = {English},
urldate = {2022-07-18}
}
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad |
2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Alex Hinchliffe
@online{harbison:20210727:thor:5d6d793,
author = {Mike Harbison and Alex Hinchliffe},
title = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}},
date = {2021-07-27},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/thor-plugx-variant/},
language = {English},
urldate = {2021-07-29}
}
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX |
2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie
@online{botezatu:20210721:luminousmoth:7ed907d,
author = {Bogdan Botezatu and Victor Vrabie},
title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}},
date = {2021-07-21},
organization = {Bitdefender},
url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited},
language = {English},
urldate = {2021-07-26}
}
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX |
2021-06-16 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210616:threat:d585785,
author = {Insikt Group®},
title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}},
date = {2021-06-16},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf},
language = {English},
urldate = {2022-07-29}
}
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA |
2021-06-10 ⋅ ESET Research ⋅ Adam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d,
author = {Adam Burgher},
title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}},
date = {2021-06-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/},
language = {English},
urldate = {2022-06-08}
}
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex
@online{xorhex:20210602:new:9e10322,
author = {Xorhex},
title = {{Tweet on new variant of PlugX from RedDelta Group}},
date = {2021-06-02},
organization = {Twitter (@xorhex)},
url = {https://twitter.com/xorhex/status/1399906601562165249?s=20},
language = {English},
urldate = {2021-06-09}
}
Tweet on new variant of PlugX from RedDelta Group
PlugX |
2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210602:reddelta:f35268d,
author = {Twitter (@xorhex)},
title = {{RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure}},
date = {2021-06-02},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/reddeltaplugxchangeup/},
language = {English},
urldate = {2021-06-09}
}
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX |
2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210527:mustang:d3c664b,
author = {Twitter (@xorhex)},
title = {{Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config}},
date = {2021-05-27},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/mustangpandaplugx-2/},
language = {English},
urldate = {2021-06-21}
}
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX |
2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210517:mustang:c51cc47,
author = {Twitter (@xorhex)},
title = {{Mustang Panda PlugX - 45.251.240.55 Pivot}},
date = {2021-05-17},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/mustangpandaplugx-1/},
language = {English},
urldate = {2021-06-21}
}
Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX |
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-05-07},
institution = {TEAMT5},
url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4,
author = {Catalin Cimpanu},
title = {{RedEcho group parks domains after public exposure}},
date = {2021-03-29},
organization = {The Record},
url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/},
language = {English},
urldate = {2021-03-31}
}
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho |
2021-03-25 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210325:suspected:5b0078f,
author = {Insikt Group®},
title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}},
date = {2021-03-25},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/},
language = {English},
urldate = {2021-03-30}
}
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX |
2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210317:chinalinked:65b251b,
author = {Insikt Group®},
title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}},
date = {2021-03-17},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/china-linked-ta428-threat-group},
language = {English},
urldate = {2021-03-19}
}
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428 |
2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f,
author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare},
title = {{Exchange servers under siege from at least 10 APT groups}},
date = {2021-03-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
language = {English},
urldate = {2021-03-11}
}
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210228:chinalinked:2fb1230,
author = {Insikt Group®},
title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf},
language = {English},
urldate = {2021-03-04}
}
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210228:chinalinked:ce3b62d,
author = {Insikt Group®},
title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/},
language = {English},
urldate = {2021-03-31}
}
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho |
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque
@online{sison:20210120:xdr:8ea19cc,
author = {Gilbert Sison and Abraham Camba and Ryan Maglaque},
title = {{XDR investigation uncovers PlugX, unique technique in APT attack}},
date = {2021-01-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html},
language = {English},
urldate = {2021-01-27}
}
XDR investigation uncovers PlugX, unique technique in APT attack
PlugX |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis
@techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
@online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20210104:chinas:9677dc6,
author = {Ionut Ilascu},
title = {{China's APT hackers move to ransomware attacks}},
date = {2021-01-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/},
language = {English},
urldate = {2021-01-11}
}
China's APT hackers move to ransomware attacks
Clambling PlugX |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
@online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20201210:operation:0eecfc8,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/},
language = {English},
urldate = {2020-12-10}
}
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20201210:operation:0df1b72,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop},
language = {English},
urldate = {2022-07-29}
}
Operation StealthyTrident: corporate software under attack
HyperBro PlugX Tmanger TA428 |
2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern
@online{camastra:20201209:targeting:952844f,
author = {Luigino Camastra and Igor Morgenstern},
title = {{APT Group Targeting Governmental Agencies in East Asia}},
date = {2020-12-09},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/},
language = {English},
urldate = {2021-01-27}
}
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX PolPo Tmanger |
2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern
@online{camastra:20201209:targeting:d3469a1,
author = {Luigino Camastra and Igor Morgenstern},
title = {{APT Group Targeting Governmental Agencies in East Asia}},
date = {2020-12-09},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia},
language = {English},
urldate = {2022-07-29}
}
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger TA428 |
2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
@online{team:20201123:ta416:60e8b7e,
author = {Proofpoint Threat Research Team},
title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}},
date = {2020-11-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader},
language = {English},
urldate = {2020-11-25}
}
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX |
2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
@online{camba:20201120:weaponizing:e15699d,
author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison},
title = {{Weaponizing Open Source Software for Targeted Attacks}},
date = {2020-11-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html},
language = {English},
urldate = {2020-11-23}
}
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX |
2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos
@online{szappanos:20201104:new:66b8447,
author = {Gabor Szappanos},
title = {{A new APT uses DLL side-loads to “KilllSomeOne”}},
date = {2020-11-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/},
language = {English},
urldate = {2020-11-06}
}
A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20200915:back:2c78a6f,
author = {Insikt Group®},
title = {{Back Despite Disruption: RedDelta Resumes Operations}},
date = {2020-09-15},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf},
language = {English},
urldate = {2020-09-16}
}
Back Despite Disruption: RedDelta Resumes Operations
PlugX |
2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20200911:research:edfb074,
author = {ThreatConnect Research Team},
title = {{Research Roundup: Activity on Previously Identified APT33 Domains}},
date = {2020-09-11},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/},
language = {English},
urldate = {2020-09-15}
}
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33 |
2020-07-29 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20200729:chinese:1929fcd,
author = {Insikt Group},
title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}},
date = {2020-07-29},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf},
language = {English},
urldate = {2020-07-30}
}
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity
@techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-28 ⋅ NTT ⋅ NTT Security
@online{security:20200728:craftypanda:7643b28,
author = {NTT Security},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX |
2020-07-20 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20200720:study:442ba99,
author = {Dr.Web},
title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}},
date = {2020-07-20},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf},
language = {English},
urldate = {2020-10-02}
}
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird |
2020-07-20 ⋅ or10nlabs ⋅ oR10n
@online{or10n:20200720:reverse:bcb6023,
author = {oR10n},
title = {{Reverse Engineering the New Mustang Panda PlugX Downloader}},
date = {2020-07-20},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the New Mustang Panda PlugX Downloader
PlugX |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
@online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200715:chinese:0ff06bd,
author = {Catalin Cimpanu},
title = {{Chinese state hackers target Hong Kong Catholic Church}},
date = {2020-07-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/},
language = {English},
urldate = {2020-07-30}
}
Chinese state hackers target Hong Kong Catholic Church
PlugX |
2020-07-05 ⋅ or10nlabs ⋅ oR10n
@online{or10n:20200705:reverse:60298dc,
author = {oR10n},
title = {{Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config}},
date = {2020-07-05},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
PlugX |
2020-07-01 ⋅ Contextis ⋅ Lampros Noutsos, Oliver Fay
@online{noutsos:20200701:dll:00c6e85,
author = {Lampros Noutsos and Oliver Fay},
title = {{DLL Search Order Hijacking}},
date = {2020-07-01},
organization = {Contextis},
url = {https://www.contextis.com/en/blog/dll-search-order-hijacking},
language = {English},
urldate = {2022-04-06}
}
DLL Search Order Hijacking
Cobalt Strike PlugX |
2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830,
author = {GReAT and Mark Lechtik and Giampaolo Dedola},
title = {{Cycldek: Bridging the (air) gap}},
date = {2020-06-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
language = {English},
urldate = {2020-06-03}
}
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing |
2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii
@online{kawaii:20200602:mustang:2cf125a,
author = {Jagaimo Kawaii},
title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}},
date = {2020-06-02},
organization = {Lab52},
url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/},
language = {English},
urldate = {2020-06-03}
}
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX |
2020-05-24 ⋅ or10nlabs ⋅ oR10n
@online{or10n:20200524:reverse:49c2ad8,
author = {oR10n},
title = {{Reverse Engineering the Mustang Panda PlugX Loader}},
date = {2020-05-24},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the Mustang Panda PlugX Loader
PlugX |
2020-05-21 ⋅ ESET Research ⋅ Mathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c,
author = {Mathieu Tartare and Martin Smolár},
title = {{No “Game over” for the Winnti Group}},
date = {2020-05-21},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/},
language = {English},
urldate = {2020-05-23}
}
No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon |
2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller
@online{miller:20200515:sogu:cc5a1fc,
author = {Steve Miller},
title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}},
date = {2020-05-15},
organization = {Twitter (@stvemillertime)},
url = {https://twitter.com/stvemillertime/status/1261263000960450562},
language = {English},
urldate = {2020-05-18}
}
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX |
2020-05-14 ⋅ Lab52 ⋅ Dex
@online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat
@online{cyberthreat:20200501:chin:3a4fb89,
author = {Cyberthreat},
title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}},
date = {2020-05-01},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/},
language = {Vietnamese},
urldate = {2020-09-09}
}
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX |
2020-03-19 ⋅ VinCSS ⋅ m4n0w4r
@online{m4n0w4r:20200319:phn:461fca7,
author = {m4n0w4r},
title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}},
date = {2020-03-19},
organization = {VinCSS},
url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html},
language = {Vietnamese},
urldate = {2020-03-19}
}
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX |
2020-03-10 ⋅ VinCSS ⋅ m4n0w4r
@online{m4n0w4r:20200310:re012:43d61e3,
author = {m4n0w4r},
title = {{[RE012] Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 1}},
date = {2020-03-10},
organization = {VinCSS},
url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html},
language = {Vietnamese},
urldate = {2023-07-24}
}
[RE012] Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 1
PlugX |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e,
author = {Theo Chen and Zero Chen},
title = {{CLAMBLING - A New Backdoor Base On Dropbox}},
date = {2020-02-17},
organization = {Talent-Jump Technologies},
url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/},
language = {English},
urldate = {2020-03-30}
}
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX |
2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard
@online{hamzeloofard:20200131:new:5d058ea,
author = {Shahab Hamzeloofard},
title = {{New wave of PlugX targets Hong Kong}},
date = {2020-01-31},
organization = {Avira},
url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/},
language = {English},
urldate = {2020-02-10}
}
New wave of PlugX targets Hong Kong
PlugX |
2020-01-31 ⋅ YouTube (Context Information Security) ⋅ Contextis
@online{contextis:20200131:new:74e3724,
author = {Contextis},
title = {{New AVIVORE threat group – how they operate and managing the risk}},
date = {2020-01-31},
organization = {YouTube (Context Information Security)},
url = {https://www.youtube.com/watch?v=C_TmANnbS2k},
language = {English},
urldate = {2022-04-13}
}
New AVIVORE threat group – how they operate and managing the risk
PlugX |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:472aea8,
author = {SecureWorks},
title = {{BRONZE OLIVE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-olive},
language = {English},
urldate = {2020-05-23}
}
BRONZE OLIVE
ANGRYREBEL PlugX APT22 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:b55f797,
author = {SecureWorks},
title = {{BRONZE MAYFAIR}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair},
language = {English},
urldate = {2020-05-23}
}
BRONZE MAYFAIR
HTran pirpi APT3 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:f48e53c,
author = {SecureWorks},
title = {{BRONZE WOODLAND}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland},
language = {English},
urldate = {2020-05-23}
}
BRONZE WOODLAND
PlugX Zeus Roaming Tiger |
2020-01 ⋅ Dragos ⋅ Joe Slowik
@techreport{slowik:202001:threat:d891011,
author = {Joe Slowik},
title = {{Threat Intelligence and the Limits of Malware Analysis}},
date = {2020-01},
institution = {Dragos},
url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf},
language = {English},
urldate = {2020-06-10}
}
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:79d8dd2,
author = {SecureWorks},
title = {{BRONZE OVERBROOK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook},
language = {English},
urldate = {2020-05-23}
}
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK |
2019-12-29 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20191229:bronze:bda6bfc,
author = {CTU Research Team},
title = {{BRONZE PRESIDENT Targets NGOs}},
date = {2019-12-29},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-president-targets-ngos},
language = {English},
urldate = {2020-01-10}
}
BRONZE PRESIDENT Targets NGOs
PlugX |
2019-12-19 ⋅ Fox-IT ⋅ Maarten van Dantzig, Erik Schamper
@techreport{dantzig:20191219:operation:96804be,
author = {Maarten van Dantzig and Erik Schamper},
title = {{Operation Wocao: Shining a light on one of China’s hidden hacking groups}},
date = {2019-12-19},
institution = {Fox-IT},
url = {https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf},
language = {English},
urldate = {2020-01-13}
}
Operation Wocao: Shining a light on one of China’s hidden hacking groups
XServer |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-19 ⋅ FireEye ⋅ Nalani Fraser, Kelli Vanderlee
@techreport{fraser:20191119:achievement:30aad54,
author = {Nalani Fraser and Kelli Vanderlee},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2022-09-12}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
APT1 APT10 APT2 APT26 APT3 APT30 APT41 Naikon Tonto Team |
2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler
@online{cutler:20191116:fresh:871567d,
author = {Silas Cutler},
title = {{Fresh PlugX October 2019}},
date = {2019-11-16},
organization = {Silas Cutler's Blog},
url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html},
language = {English},
urldate = {2020-01-07}
}
Fresh PlugX October 2019
PlugX |
2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
@online{tomonaga:20191111:cases:ac5f1b3,
author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi},
title = {{APT cases exploiting vulnerabilities in region‑specific software}},
date = {2019-11-11},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/},
language = {English},
urldate = {2020-05-13}
}
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX |
2019-10-31 ⋅ PTSecurity ⋅ PTSecurity
@online{ptsecurity:20191031:calypso:adaf761,
author = {PTSecurity},
title = {{Calypso APT: new group attacking state institutions}},
date = {2019-10-31},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/},
language = {English},
urldate = {2020-01-12}
}
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX |
2019-10-22 ⋅ Contextis ⋅ Contextis
@techreport{contextis:20191022:avivore:421fc23,
author = {Contextis},
title = {{AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)}},
date = {2019-10-22},
institution = {Contextis},
url = {https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf},
language = {English},
urldate = {2023-01-19}
}
AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)
PlugX Avivore |
2019-10-03 ⋅ ComputerWeekly ⋅ Alex Scroxton
@online{scroxton:20191003:new:ce11edf,
author = {Alex Scroxton},
title = {{New threat group behind Airbus cyber attacks, claim researchers}},
date = {2019-10-03},
organization = {ComputerWeekly},
url = {https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers},
language = {English},
urldate = {2022-04-05}
}
New threat group behind Airbus cyber attacks, claim researchers
PlugX Avivore |
2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe
@online{hinchliffe:20191003:pkplug:4a43ea5,
author = {Alex Hinchliffe},
title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}},
date = {2019-10-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/},
language = {English},
urldate = {2020-01-07}
}
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f,
author = {Cybereason Nocturnus},
title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}},
date = {2019-06-25},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers},
language = {English},
urldate = {2022-07-01}
}
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
2019-06-19 ⋅ YouTube (44CON Information Security Conference) ⋅ Kevin O’Reilly
@online{oreilly:20190619:malware:a2f7812,
author = {Kevin O’Reilly},
title = {{The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware}},
date = {2019-06-19},
organization = {YouTube (44CON Information Security Conference)},
url = {https://www.youtube.com/watch?v=qEwBGGgWgOM},
language = {English},
urldate = {2022-04-04}
}
The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware
PlugX |
2019-06-03 ⋅ FireEye ⋅ Chi-en Shen
@online{shen:20190603:into:d40fee9,
author = {Chi-en Shen},
title = {{Into the Fog - The Return of ICEFOG APT}},
date = {2019-06-03},
organization = {FireEye},
url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt},
language = {English},
urldate = {2020-06-30}
}
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust |
2019-05-24 ⋅ Fortinet ⋅ Ben Hunter
@online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-},
language = {English},
urldate = {2020-11-04}
}
Uncovering new Activity by APT10
PlugX Quasar RAT |
2019-05-07 ⋅ Symantec ⋅ Security Response Attack Investigation Team
@online{team:20190507:buckeye:a4cf7d8,
author = {Security Response Attack Investigation Team},
title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}},
date = {2019-05-07},
organization = {Symantec},
url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit},
language = {English},
urldate = {2020-01-13}
}
Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
DoublePulsar |
2019-05-07 ⋅ One Night in Norfolk ⋅ Kevin Perlow
@online{perlow:20190507:filesnfer:36164a2,
author = {Kevin Perlow},
title = {{“Filesnfer” Tool (C#, Python)}},
date = {2019-05-07},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/filesnfer-tool-c-python/},
language = {English},
urldate = {2020-05-19}
}
“Filesnfer” Tool (C#, Python)
XServer |
2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team
@online{team:20190319:sectorm04:6c6ea37,
author = {ThreatRecon Team},
title = {{SectorM04 Targeting Singapore – An Analysis}},
date = {2019-03-19},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/},
language = {English},
urldate = {2020-01-07}
}
SectorM04 Targeting Singapore – An Analysis
PlugX Termite |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:2019:3:45bb245,
author = {Cyber Operations Tracker},
title = {{APT 3}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/apt-3},
language = {English},
urldate = {2019-12-20}
}
APT 3
APT3 |
2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD
@techreport{asd:20181214:investigationreport:6eda856,
author = {ASD},
title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}},
date = {2018-12-14},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf},
language = {English},
urldate = {2020-03-11}
}
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves |
2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
@online{larinier:20180731:malicious:5e45e30,
author = {Sébastien Larinier},
title = {{Malicious document targets Vietnamese officials}},
date = {2018-07-31},
organization = {Medium Sebdraven},
url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a},
language = {English},
urldate = {2023-11-27}
}
Malicious document targets Vietnamese officials
8.t Dropper PlugX |
2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180509:malware:3ee8ecf,
author = {Luis Rocha},
title = {{Malware Analysis - PlugX - Part 2}},
date = {2018-05-09},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/},
language = {English},
urldate = {2020-01-05}
}
Malware Analysis - PlugX - Part 2
PlugX |
2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
@online{makrushin:20180313:time:7171143,
author = {Denis Makrushin and Yury Namestnikov},
title = {{Time of death? A therapeutic postmortem of connected medicine}},
date = {2018-03-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/time-of-death-connected-medicine/84315/},
language = {English},
urldate = {2019-12-20}
}
Time of death? A therapeutic postmortem of connected medicine
PlugX |
2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180204:malware:ea0aede,
author = {Luis Rocha},
title = {{MALWARE ANALYSIS – PLUGX}},
date = {2018-02-04},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/},
language = {English},
urldate = {2020-01-07}
}
MALWARE ANALYSIS – PLUGX
PlugX |
2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20171218:relationship:fb13bae,
author = {Yoshihiro Ishikawa},
title = {{Relationship between PlugX and attacker group "DragonOK"}},
date = {2017-12-18},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html},
language = {Japanese},
urldate = {2019-11-22}
}
Relationship between PlugX and attacker group "DragonOK"
PlugX |
2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
@online{lancaster:20170627:paranoid:f933eb4,
author = {Tom Lancaster and Esmid Idrizovic},
title = {{Paranoid PlugX}},
date = {2017-06-27},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/},
language = {English},
urldate = {2019-12-20}
}
Paranoid PlugX
PlugX |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20170531:axiom:b181fdb,
author = {MITRE ATT&CK},
title = {{Axiom}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0001/},
language = {English},
urldate = {2022-08-30}
}
Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 |
2017-05-31 ⋅ MITRE ATT&CK ⋅ Various
@online{various:20170531:apt3:178e308,
author = {Various},
title = {{Group Description: APT3}},
date = {2017-05-31},
organization = {MITRE ATT&CK},
url = {https://attack.mitre.org/wiki/Group/G0022},
language = {English},
urldate = {2020-01-09}
}
Group Description: APT3
w32times |
2017-05-09 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20170509:apt3:4014a9f,
author = {Intrusiontruth},
title = {{APT3 is Boyusec, a Chinese Intelligence Contractor}},
date = {2017-05-09},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/},
language = {English},
urldate = {2020-01-07}
}
APT3 is Boyusec, a Chinese Intelligence Contractor
APT3 Keylogger |
2017-04-27 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20170427:alert:fdb865d,
author = {US-CERT},
title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}},
date = {2017-04-27},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA17-117A},
language = {English},
urldate = {2020-03-11}
}
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves |
2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123,
author = {Shusei Tomonaga},
title = {{RedLeaves - Malware Based on Open Source RAT}},
date = {2017-04-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html},
language = {English},
urldate = {2022-06-22}
}
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves Trochilus RAT |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170221:plugx:f9e4817,
author = {Shusei Tomonaga},
title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}},
date = {2017-02-21},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html},
language = {English},
urldate = {2020-01-13}
}
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX |
2017-02-13 ⋅ RSA ⋅ RSA Research
@techreport{research:20170213:kingslayer:98f4892,
author = {RSA Research},
title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}},
date = {2017-02-13},
institution = {RSA},
url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf},
language = {English},
urldate = {2020-01-08}
}
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX |
2016-09-07 ⋅ Twitter (smoothimpact) ⋅ Kris McConkey
@online{mcconkey:20160907:with:1cca78a,
author = {Kris McConkey},
title = {{Tweet with hashes on APT3}},
date = {2016-09-07},
organization = {Twitter (smoothimpact)},
url = {https://twitter.com/smoothimpact/status/773631684038107136},
language = {English},
urldate = {2019-12-17}
}
Tweet with hashes on APT3
APT3 Keylogger |
2016-09-06 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20160906:buckeye:ffc6501,
author = {Symantec Security Response},
title = {{Buckeye cyberespionage group shifts gaze from US to Hong Kong}},
date = {2016-09-06},
organization = {Symantec},
url = {http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong},
language = {English},
urldate = {2019-12-24}
}
Buckeye cyberespionage group shifts gaze from US to Hong Kong
APT3 Keylogger |
2016-09-06 ⋅ Symantec ⋅ Security Response
@online{response:20160906:buckeye:5934e6f,
author = {Security Response},
title = {{Buckeye cyberespionage group shifts gaze from US to Hong Kong}},
date = {2016-09-06},
organization = {Symantec},
url = {https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong},
language = {English},
urldate = {2020-04-21}
}
Buckeye cyberespionage group shifts gaze from US to Hong Kong
pirpi APT3 |
2016-09-06 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20160906:buckeye:9f3e86a,
author = {Symantec Security Response},
title = {{Buckeye cyberespionage group shifts gaze from US to Hong Kong}},
date = {2016-09-06},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong},
language = {English},
urldate = {2020-01-09}
}
Buckeye cyberespionage group shifts gaze from US to Hong Kong
shareip |
2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20160825:unpacking:66173f5,
author = {Malwarebytes Labs},
title = {{Unpacking the spyware disguised as antivirus}},
date = {2016-08-25},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/},
language = {English},
urldate = {2019-12-20}
}
Unpacking the spyware disguised as antivirus
PlugX |
2016-06-13 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20160613:survey:c78b147,
author = {Macnica Networks},
title = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}},
date = {2016-06-13},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/security_report_20160613.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX |
2016-01-22 ⋅ RSA Link ⋅ Norton Santos
@online{santos:20160122:plugx:580fcff,
author = {Norton Santos},
title = {{PlugX APT Malware}},
date = {2016-01-22},
organization = {RSA Link},
url = {https://community.rsa.com/thread/185439},
language = {English},
urldate = {2020-01-13}
}
PlugX APT Malware
PlugX |
2015-08 ⋅ Arbor Networks ⋅ ASERT Team
@online{team:201508:uncovering:121e5cf,
author = {ASERT Team},
title = {{Uncovering the Seven Pointed Dagger}},
date = {2015-08},
organization = {Arbor Networks},
url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn},
language = {English},
urldate = {2020-05-18}
}
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9 |
2015-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Richard Wartell
@online{falcone:20150727:ups:ae69e4c,
author = {Robert Falcone and Richard Wartell},
title = {{UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload}},
date = {2015-07-27},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/},
language = {English},
urldate = {2019-12-20}
}
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
pirpi |
2015-06-23 ⋅ FireEye ⋅ Dan Caselden, Erica Eng
@online{caselden:20150623:operation:dc2929c,
author = {Dan Caselden and Erica Eng},
title = {{Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign}},
date = {2015-06-23},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html},
language = {English},
urldate = {2019-12-20}
}
Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
APT3 |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20150129:analysis:0eaad95,
author = {Shusei Tomonaga},
title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}},
date = {2015-01-29},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html},
language = {English},
urldate = {2020-01-09}
}
Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX |
2014-11-21 ⋅ FireEye ⋅ Ned Moran, Mike Scott, Mike Oppenheim, Joshua Homan
@online{moran:20141121:operation:18b04d9,
author = {Ned Moran and Mike Scott and Mike Oppenheim and Joshua Homan},
title = {{Operation Double Tap}},
date = {2014-11-21},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html},
language = {English},
urldate = {2019-12-20}
}
Operation Double Tap
pirpi |
2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos
@techreport{szappanos:20140627:plugx:e63d8bf,
author = {Gabor Szappanos},
title = {{PlugX - The Next Generation}},
date = {2014-06-27},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf},
language = {English},
urldate = {2020-01-10}
}
PlugX - The Next Generation
PlugX |
2014-06-10 ⋅ FireEye ⋅ Mike Scott
@online{scott:20140610:clandestine:6d515ab,
author = {Mike Scott},
title = {{Clandestine Fox, Part Deux}},
date = {2014-06-10},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html},
language = {English},
urldate = {2019-12-20}
}
Clandestine Fox, Part Deux
PlugX |
2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud
@online{perigaud:20140106:plugx:16410d7,
author = {Fabien Perigaud},
title = {{PlugX: some uncovered points}},
date = {2014-01-06},
organization = {Airbus},
url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html},
language = {English},
urldate = {2020-01-08}
}
PlugX: some uncovered points
PlugX |
2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL
@techreport{circl:20130329:analysis:b3c48b0,
author = {CIRCL},
title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}},
date = {2013-03-29},
institution = {Computer Incident Response Center Luxembourg},
url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf},
language = {English},
urldate = {2019-11-24}
}
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX |
2013-03-26 ⋅ Contextis ⋅ Kevin O’Reilly
@techreport{oreilly:20130326:plugxpayload:d355f49,
author = {Kevin O’Reilly},
title = {{PlugX–Payload Extraction}},
date = {2013-03-26},
institution = {Contextis},
url = {https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf},
language = {English},
urldate = {2023-01-19}
}
PlugX–Payload Extraction
PlugX |
2013-03-04 ⋅ Trend Micro ⋅ Kyle Wilhoit
@online{wilhoit:20130304:indepth:ebccc8b,
author = {Kyle Wilhoit},
title = {{In-Depth Look: APT Attack Tools of the Trade}},
date = {2013-03-04},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/},
language = {English},
urldate = {2019-07-11}
}
In-Depth Look: APT Attack Tools of the Trade
HTran |
2013-02-27 ⋅ Trend Micro ⋅ Abraham Camba
@online{camba:20130227:bkdrrarstone:8893f88,
author = {Abraham Camba},
title = {{BKDR_RARSTONE: New RAT to Watch Out For}},
date = {2013-02-27},
organization = {Trend Micro},
url = {https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/},
language = {English},
urldate = {2023-04-22}
}
BKDR_RARSTONE: New RAT to Watch Out For
PlugX Naikon |
2012-02-10 ⋅ tracker.h3x.eu ⋅ Malware Corpus Tracker
@online{tracker:20120210:info:d58b5c1,
author = {Malware Corpus Tracker},
title = {{Info for Family: plugx}},
date = {2012-02-10},
organization = {tracker.h3x.eu},
url = {https://tracker.h3x.eu/info/290},
language = {English},
urldate = {2021-06-24}
}
Info for Family: plugx
PlugX |
2011-08-03 ⋅ Secureworks ⋅ Joe Stewart
@online{stewart:20110803:htran:7a67164,
author = {Joe Stewart},
title = {{HTran and the Advanced Persistent Threat}},
date = {2011-08-03},
organization = {Secureworks},
url = {https://www.secureworks.com/research/htran},
language = {English},
urldate = {2020-01-08}
}
HTran and the Advanced Persistent Threat
HTran |