SYMBOLCOMMON_NAMEaka. SYNONYMS

APT31  (Back to overview)

aka: APT 31, ZIRCONIUM, JUDGMENT PANDA, BRONZE VINEWOOD

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.


Associated Families
elf.unidentified_003 win.9002 win.plugx win.sihost win.trochilus_rat

References
2021-09-28Recorded FutureInsikt Group®
@online{group:20210928:4:069b441, author = {Insikt Group®}, title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}}, date = {2021-09-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/}, language = {English}, urldate = {2021-10-11} } 4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti
2021-09-14McAfeeChristiaan Beek
@online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-09-10The RecordCatalin Cimpanu
@online{cimpanu:20210910:indonesian:fc06998, author = {Catalin Cimpanu}, title = {{Indonesian intelligence agency compromised in suspected Chinese hack}}, date = {2021-09-10}, organization = {The Record}, url = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/}, language = {English}, urldate = {2021-09-12} } Indonesian intelligence agency compromised in suspected Chinese hack
PlugX
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=6SDdUVejR2w}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-07-27Palo Alto Networks Unit 42Mike Harbison, Alex Hinchliffe
@online{harbison:20210727:thor:5d6d793, author = {Mike Harbison and Alex Hinchliffe}, title = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}}, date = {2021-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thor-plugx-variant/}, language = {English}, urldate = {2021-07-29} } THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX
2021-07-21Twitter (@bkMSFT)Ben Koehl
@online{koehl:20210721:anssi:d77e4ad, author = {Ben Koehl}, title = {{Tweet on an ANSSI report detailing APT31 intrusions in France}}, date = {2021-07-21}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1417823714922610689}, language = {English}, urldate = {2021-07-22} } Tweet on an ANSSI report detailing APT31 intrusions in France
Unidentified ELF 003 APT31
2021-07-21Twitter (@billyleonard)Billy Leonard
@online{leonard:20210721:apt31:95e177c, author = {Billy Leonard}, title = {{Tweet on APT31 using a router implant.}}, date = {2021-07-21}, organization = {Twitter (@billyleonard)}, url = {https://twitter.com/billyleonard/status/1417910729005490177}, language = {English}, urldate = {2021-07-22} } Tweet on APT31 using a router implant.
Unidentified ELF 003
2021-07-21CERT-FRANSSI
@online{anssi:20210721:indicateurs:9f20dae, author = {ANSSI}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR}}, date = {2021-07-21}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003}, language = {French}, urldate = {2021-07-22} } INDICATEURS DE COMPROMISSION DU CERT-FR
Unidentified ELF 003 APT31
2021-07-21BitdefenderBogdan Botezatu, Victor Vrabie
@online{botezatu:20210721:luminousmoth:7ed907d, author = {Bogdan Botezatu and Victor Vrabie}, title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}}, date = {2021-07-21}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited}, language = {English}, urldate = {2021-07-26} } LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX
2021-07-19Minister for Foreign Affairs of AustraliaKaren Andrews, Peter Dutton
@online{andrews:20210719:australia:8ca5b16, author = {Karen Andrews and Peter Dutton}, title = {{Australia joins international partners in attribution of malicious cyber activity to China}}, date = {2021-07-19}, organization = {Minister for Foreign Affairs of Australia}, url = {https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china}, language = {English}, urldate = {2021-07-22} } Australia joins international partners in attribution of malicious cyber activity to China
APT31 HAFNIUM Leviathan
2021-07-19NCSC UKNCSC UK
@online{uk:20210719:uk:8ecd954, author = {NCSC UK}, title = {{UK and allies hold Chinese state responsible for pervasive pattern of hacking}}, date = {2021-07-19}, organization = {NCSC UK}, url = {https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking}, language = {English}, urldate = {2021-07-22} } UK and allies hold Chinese state responsible for pervasive pattern of hacking
APT31 Leviathan
2021-07-19GOV.UKNCSC UK, Dominic Raab
@online{uk:20210719:uk:9674820, author = {NCSC UK and Dominic Raab}, title = {{UK and allies hold Chinese state responsible for a pervasive pattern of hacking}}, date = {2021-07-19}, organization = {GOV.UK}, url = {https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking}, language = {English}, urldate = {2021-07-22} } UK and allies hold Chinese state responsible for a pervasive pattern of hacking
APT31 HAFNIUM Leviathan
2021-07-19Council of the European UnionCouncil of the European Union
@online{union:20210719:china:69896f8, author = {Council of the European Union}, title = {{China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory}}, date = {2021-07-19}, organization = {Council of the European Union}, url = {https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/}, language = {English}, urldate = {2021-07-22} } China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory
APT31
2021-06-17Norwegian Police Security Service (PST)Dafina Shala
@online{shala:20210617:etterforskningen:cdef568, author = {Dafina Shala}, title = {{Etterforskningen av datanettverksoperasjonen mot statsforvalterembeter henlegges}}, date = {2021-06-17}, organization = {Norwegian Police Security Service (PST)}, url = {https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet}, language = {Norwegian}, urldate = {2021-07-22} } Etterforskningen av datanettverksoperasjonen mot statsforvalterembeter henlegges
APT31
2021-06-17nrkØyvind Bye Skille, Tormod Strand, Espen Kjendlie
@online{skille:20210617:for:6450508, author = {Øyvind Bye Skille and Tormod Strand and Espen Kjendlie}, title = {{For the first time, PST says that China (APT31) is behind a computer attack}}, date = {2021-06-17}, organization = {nrk}, url = {https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601}, language = {Norwegian}, urldate = {2021-06-24} } For the first time, PST says that China (APT31) is behind a computer attack
APT31
2021-06-02xorhex blogTwitter (@xorhex)
@online{xorhex:20210602:reddelta:f35268d, author = {Twitter (@xorhex)}, title = {{RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure}}, date = {2021-06-02}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/reddeltaplugxchangeup/}, language = {English}, urldate = {2021-06-09} } RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX
2021-06-02Twitter (@xorhex)Xorhex
@online{xorhex:20210602:new:9e10322, author = {Xorhex}, title = {{Tweet on new variant of PlugX from RedDelta Group}}, date = {2021-06-02}, organization = {Twitter (@xorhex)}, url = {https://twitter.com/xorhex/status/1399906601562165249?s=20}, language = {English}, urldate = {2021-06-09} } Tweet on new variant of PlugX from RedDelta Group
PlugX
2021-05-27xorhex blogTwitter (@xorhex)
@online{xorhex:20210527:mustang:d3c664b, author = {Twitter (@xorhex)}, title = {{Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config}}, date = {2021-05-27}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/mustangpandaplugx-2/}, language = {English}, urldate = {2021-06-21} } Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX
2021-05-17xorhex blogTwitter (@xorhex)
@online{xorhex:20210517:mustang:c51cc47, author = {Twitter (@xorhex)}, title = {{Mustang Panda PlugX - 45.251.240.55 Pivot}}, date = {2021-05-17}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/mustangpandaplugx-1/}, language = {English}, urldate = {2021-06-21} } Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX
2021-05-07TEAMT5Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-03-29The RecordCatalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4, author = {Catalin Cimpanu}, title = {{RedEcho group parks domains after public exposure}}, date = {2021-03-29}, organization = {The Record}, url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/}, language = {English}, urldate = {2021-03-31} } RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho
2021-03-25Recorded FutureInsikt Group®
@online{group:20210325:suspected:5b0078f, author = {Insikt Group®}, title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}}, date = {2021-03-25}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/}, language = {English}, urldate = {2021-03-30} } Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX
2021-03-18SUPO Finnish Security Intelligence ServiceSUPO Finnish Security Intelligence Service
@online{service:20210318:supo:9dc5c66, author = {SUPO Finnish Security Intelligence Service}, title = {{Supo identified the cyber espionage operation against the parliament as APT31}}, date = {2021-03-18}, organization = {SUPO Finnish Security Intelligence Service}, url = {https://supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi}, language = {Finnish}, urldate = {2021-03-19} } Supo identified the cyber espionage operation against the parliament as APT31
APT31
2021-03-18PoliisiPoliisi
@online{poliisi:20210318:eduskunnan:cb59032, author = {Poliisi}, title = {{Eduskunnan tietojärjestelmiin kohdistuneen tietomurron tutkinnassa selvitetään yhteyttä APT31-toimijaan}}, date = {2021-03-18}, organization = {Poliisi}, url = {https://poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan}, language = {Finnish}, urldate = {2021-07-22} } Eduskunnan tietojärjestelmiin kohdistuneen tietomurron tutkinnassa selvitetään yhteyttä APT31-toimijaan
APT31
2021-03-17Recorded FutureInsikt Group®
@online{group:20210317:chinalinked:65b251b, author = {Insikt Group®}, title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}}, date = {2021-03-17}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/china-linked-ta428-threat-group}, language = {English}, urldate = {2021-03-19} } China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-28Recorded FutureInsikt Group®
@online{group:20210228:chinalinked:ce3b62d, author = {Insikt Group®}, title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/}, language = {English}, urldate = {2021-03-31} } China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho
2021-02-28Recorded FutureInsikt Group®
@techreport{group:20210228:chinalinked:2fb1230, author = {Insikt Group®}, title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf}, language = {English}, urldate = {2021-03-04} } China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22Check Point ResearchEyal Itkin, Itay Cohen
@online{itkin:20210222:story:a3a3da9, author = {Eyal Itkin and Itay Cohen}, title = {{The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day}}, date = {2021-02-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/the-story-of-jian}, language = {English}, urldate = {2021-07-22} } The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
APT31
2021-01-20Trend MicroGilbert Sison, Abraham Camba, Ryan Maglaque
@online{sison:20210120:xdr:8ea19cc, author = {Gilbert Sison and Abraham Camba and Ryan Maglaque}, title = {{XDR investigation uncovers PlugX, unique technique in APT attack}}, date = {2021-01-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html}, language = {English}, urldate = {2021-01-27} } XDR investigation uncovers PlugX, unique technique in APT attack
PlugX
2021-01-15SwisscomMarkus Neis
@techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-04Bleeping ComputerIonut Ilascu
@online{ilascu:20210104:chinas:9677dc6, author = {Ionut Ilascu}, title = {{China's APT hackers move to ransomware attacks}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/}, language = {English}, urldate = {2021-01-11} } China's APT hackers move to ransomware attacks
Clambling PlugX
2020-12-24IronNetAdam Hlavek
@online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = {2021-01-01} } China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-12-10ESET ResearchMathieu Tartare
@online{tartare:20201210:operation:0eecfc8, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/}, language = {English}, urldate = {2020-12-10} } Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-12-09Avast DecodedLuigino Camastra, Igor Morgenstern
@online{camastra:20201209:targeting:952844f, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/}, language = {English}, urldate = {2021-01-27} } APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger
2020-11-23ProofpointProofpoint Threat Research Team
@online{team:20201123:ta416:60e8b7e, author = {Proofpoint Threat Research Team}, title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}}, date = {2020-11-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader}, language = {English}, urldate = {2020-11-25} } TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX RedDelta
2020-11-20Trend MicroAbraham Camba, Bren Matthew Ebriega, Gilbert Sison
@online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} } Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX
2020-11-04SophosGabor Szappanos
@online{szappanos:20201104:new:66b8447, author = {Gabor Szappanos}, title = {{A new APT uses DLL side-loads to “KilllSomeOne”}}, date = {2020-11-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/}, language = {English}, urldate = {2020-11-06} } A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-27Dr.WebDr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-09-15Recorded FutureInsikt Group®
@techreport{group:20200915:back:2c78a6f, author = {Insikt Group®}, title = {{Back Despite Disruption: RedDelta Resumes Operations}}, date = {2020-09-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf}, language = {English}, urldate = {2020-09-16} } Back Despite Disruption: RedDelta Resumes Operations
PlugX
2020-09-11ThreatConnectThreatConnect Research Team
@online{team:20200911:research:edfb074, author = {ThreatConnect Research Team}, title = {{Research Roundup: Activity on Previously Identified APT33 Domains}}, date = {2020-09-11}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/}, language = {English}, urldate = {2020-09-15} } Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33
2020-07-29Recorded FutureInsikt Group
@techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-28NTTNTT Security
@online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-07-20or10nlabsoR10n
@online{or10n:20200720:reverse:bcb6023, author = {oR10n}, title = {{Reverse Engineering the New Mustang Panda PlugX Downloader}}, date = {2020-07-20}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the New Mustang Panda PlugX Downloader
PlugX
2020-07-20Risky.bizDaniel Gordon
@online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-07-15ZDNetCatalin Cimpanu
@online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } Chinese state hackers target Hong Kong Catholic Church
PlugX
2020-07-05or10nlabsoR10n
@online{or10n:20200705:reverse:60298dc, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config}}, date = {2020-07-05}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
PlugX
2020-06-24SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:a4d2ead, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain}}, date = {2020-06-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain
APT31
2020-06-24Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31
2020-06-03Trend MicroDaniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-06-03Kaspersky LabsGReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing
2020-06-02Lab52Jagaimo Kawaii
@online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX
2020-05-24or10nlabsoR10n
@online{or10n:20200524:reverse:49c2ad8, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX Loader}}, date = {2020-05-24}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the Mustang Panda PlugX Loader
PlugX
2020-05-15Twitter (@stvemillertime)Steve Miller
@online{miller:20200515:sogu:cc5a1fc, author = {Steve Miller}, title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}}, date = {2020-05-15}, organization = {Twitter (@stvemillertime)}, url = {https://twitter.com/stvemillertime/status/1261263000960450562}, language = {English}, urldate = {2020-05-18} } Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-01Viettel CybersecurityCyberthreat
@online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX
2020-03-19VinCSSm4n0w4r
@online{m4n0w4r:20200319:phn:461fca7, author = {m4n0w4r}, title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}}, date = {2020-03-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html}, language = {Vietnamese}, urldate = {2020-03-19} } Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-02Virus BulletinAlex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-17Talent-Jump TechnologiesTheo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX
2020-01-31AviraShahab Hamzeloofard
@online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } New wave of PlugX targets Hong Kong
PlugX
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:472aea8, author = {SecureWorks}, title = {{BRONZE OLIVE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-olive}, language = {English}, urldate = {2020-05-23} } BRONZE OLIVE
ANGRYREBEL PlugX APT 22
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } BRONZE WOODLAND
PlugX Zeus Roaming Tiger
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA
2020CrowdStrikeCrowdStrike
@online{crowdstrike:2020:2019:f849658, author = {CrowdStrike}, title = {{2019 Crowdstrike Global Threat Report}}, date = {2020}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report}, language = {English}, urldate = {2020-07-23} } 2019 Crowdstrike Global Threat Report
APT31
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:79d8dd2, author = {SecureWorks}, title = {{BRONZE OVERBROOK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook}, language = {English}, urldate = {2020-05-23} } BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2019-12-29SecureworksCTU Research Team
@online{team:20191229:bronze:bda6bfc, author = {CTU Research Team}, title = {{BRONZE PRESIDENT Targets NGOs}}, date = {2019-12-29}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-president-targets-ngos}, language = {English}, urldate = {2020-01-10} } BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT
2019-12-03Twitter (@bkMSFT)Ben K (bkMSFT)
@online{bkmsft:20191203:zirconium:c025731, author = {Ben K (bkMSFT)}, title = {{Tweet on ZIRCONIUM alias for APT31}}, date = {2019-12-03}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1201876664667582466}, language = {English}, urldate = {2020-06-16} } Tweet on ZIRCONIUM alias for APT31
APT31
2019-12-03NSHCNSHC Threatrecon Team
@online{team:20191203:threat:6665e7f, author = {NSHC Threatrecon Team}, title = {{Threat Actor Targeting Hong Kong Pro-Democracy Figures}}, date = {2019-12-03}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/}, language = {English}, urldate = {2020-01-08} } Threat Actor Targeting Hong Kong Pro-Democracy Figures
sihost
2019-12-03NSHCRed Alert
@online{alert:20191203:threat:f7b8cb6, author = {Red Alert}, title = {{THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES}}, date = {2019-12-03}, organization = {NSHC}, url = {https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists}, language = {English}, urldate = {2020-06-03} } THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES
APT31
2019-11-16Silas Cutler's BlogSilas Cutler
@online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } Fresh PlugX October 2019
PlugX
2019-11-11Virus BulletinShusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
@online{tomonaga:20191111:cases:ac5f1b3, author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi}, title = {{APT cases exploiting vulnerabilities in region‑specific software}}, date = {2019-11-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/}, language = {English}, urldate = {2020-05-13} } APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX
2019-10-31PTSecurityPTSecurity
@online{ptsecurity:20191031:calypso:adaf761, author = {PTSecurity}, title = {{Calypso APT: new group attacking state institutions}}, date = {2019-10-31}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/}, language = {English}, urldate = {2020-01-12} } Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX
2019-10-03Palo Alto Networks Unit 42Alex Hinchliffe
@online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX
2019-06-03FireEyeChi-en Shen
@online{shen:20190603:into:d40fee9, author = {Chi-en Shen}, title = {{Into the Fog - The Return of ICEFOG APT}}, date = {2019-06-03}, organization = {FireEye}, url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt}, language = {English}, urldate = {2020-06-30} } Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust
2019-05-24FortinetBen Hunter
@online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-}, language = {English}, urldate = {2020-11-04} } Uncovering new Activity by APT10
PlugX Quasar RAT
2019-03-19NSHCThreatRecon Team
@online{team:20190319:sectorm04:6c6ea37, author = {ThreatRecon Team}, title = {{SectorM04 Targeting Singapore – An Analysis}}, date = {2019-03-19}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/}, language = {English}, urldate = {2020-01-07} } SectorM04 Targeting Singapore – An Analysis
PlugX Termite
2019-02-12DuoDennis Fisher
@online{fisher:20190212:groups:6605dcc, author = {Dennis Fisher}, title = {{APT Groups Moving Down the Supply Chain}}, date = {2019-02-12}, organization = {Duo}, url = {https://duo.com/decipher/apt-groups-moving-down-the-supply-chain}, language = {English}, urldate = {2019-11-26} } APT Groups Moving Down the Supply Chain
APT31
2019-02-06Recorded FutureInsikt Group, Rapid7
@techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT APT31 Hurricane Panda Stone Panda
2018-12-14Australian Cyber Security CentreASD
@techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves
2018-08-21Trend MicroJaromír Hořejší, Joseph C. Chen, Kawabata Kohei, Kenney Lu
@online{hoej:20180821:supply:d426e6b, author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu}, title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/}, language = {English}, urldate = {2020-01-06} } Supply Chain Attack Operation Red Signature Targets South Korean Organizations
9002 RAT
2018-05-09COUNT UPON SECURITYLuis Rocha
@online{rocha:20180509:malware:3ee8ecf, author = {Luis Rocha}, title = {{Malware Analysis - PlugX - Part 2}}, date = {2018-05-09}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/}, language = {English}, urldate = {2020-01-05} } Malware Analysis - PlugX - Part 2
PlugX
2018-03-13Kaspersky LabsDenis Makrushin, Yury Namestnikov
@online{makrushin:20180313:time:7171143, author = {Denis Makrushin and Yury Namestnikov}, title = {{Time of death? A therapeutic postmortem of connected medicine}}, date = {2018-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/time-of-death-connected-medicine/84315/}, language = {English}, urldate = {2019-12-20} } Time of death? A therapeutic postmortem of connected medicine
PlugX
2018-03CrySyS LabBoldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2018-02-04COUNT UPON SECURITYLuis Rocha
@online{rocha:20180204:malware:ea0aede, author = {Luis Rocha}, title = {{MALWARE ANALYSIS – PLUGX}}, date = {2018-02-04}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/}, language = {English}, urldate = {2020-01-07} } MALWARE ANALYSIS – PLUGX
PlugX
2017-12-18LACYoshihiro Ishikawa
@online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } Relationship between PlugX and attacker group "DragonOK"
PlugX
2017-11-03Github (5loyd)5loyd
@online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } Trochilus
Trochilus RAT
2017-08-25ProofpointDarien Huss, Matthew Mesa
@online{huss:20170825:operation:87e2e2b, author = {Darien Huss and Matthew Mesa}, title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}}, date = {2017-08-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures}, language = {English}, urldate = {2019-12-20} } Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures
9002 RAT
2017-06-27Palo Alto Networks Unit 42Tom Lancaster, Esmid Idrizovic
@online{lancaster:20170627:paranoid:f933eb4, author = {Tom Lancaster and Esmid Idrizovic}, title = {{Paranoid PlugX}}, date = {2017-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/}, language = {English}, urldate = {2019-12-20} } Paranoid PlugX
PlugX
2017-04-27US-CERTUS-CERT
@online{uscert:20170427:alert:fdb865d, author = {US-CERT}, title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}}, date = {2017-04-27}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-117A}, language = {English}, urldate = {2020-03-11} } Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves
2017-04-03JPCERT/CCShusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123, author = {Shusei Tomonaga}, title = {{RedLeaves - Malware Based on Open Source RAT}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html}, language = {English}, urldate = {2021-02-04} } RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves
2017-04PricewaterhouseCoopersPricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2017-03-27MicrosoftMicrosoft Defender ATP Research Team
@online{team:20170327:detecting:46740f0, author = {Microsoft Defender ATP Research Team}, title = {{Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005}}, date = {2017-03-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/}, language = {English}, urldate = {2020-01-08} } Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
APT31
2017-02-21JPCERT/CCShusei Tomonaga
@online{tomonaga:20170221:plugx:f9e4817, author = {Shusei Tomonaga}, title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}}, date = {2017-02-21}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html}, language = {English}, urldate = {2020-01-13} } PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX
2017-02-13RSARSA Research
@techreport{research:20170213:kingslayer:98f4892, author = {RSA Research}, title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}}, date = {2017-02-13}, institution = {RSA}, url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf}, language = {English}, urldate = {2020-01-08} } KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX
2016-08-25MalwarebytesMalwarebytes Labs
@online{labs:20160825:unpacking:66173f5, author = {Malwarebytes Labs}, title = {{Unpacking the spyware disguised as antivirus}}, date = {2016-08-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/}, language = {English}, urldate = {2019-12-20} } Unpacking the spyware disguised as antivirus
PlugX
2016-06-13Macnica NetworksMacnica Networks
@techreport{networks:20160613:survey:c78b147, author = {Macnica Networks}, title = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}}, date = {2016-06-13}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/security_report_20160613.pdf}, language = {Japanese}, urldate = {2021-03-02} } Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX
2016-04-26FireEyeFireEye
@techreport{fireeye:20160426:apt31:ecc41bd, author = {FireEye}, title = {{APT31 Threat Group Profile}}, date = {2016-04-26}, institution = {FireEye}, url = {https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf}, language = {English}, urldate = {2019-10-13} } APT31 Threat Group Profile
APT31
2016-01-22RSA LinkNorton Santos
@online{santos:20160122:plugx:580fcff, author = {Norton Santos}, title = {{PlugX APT Malware}}, date = {2016-01-22}, organization = {RSA Link}, url = {https://community.rsa.com/thread/185439}, language = {English}, urldate = {2020-01-13} } PlugX APT Malware
PlugX
2015-09-23Palo Alto Networks Unit 42Robert Falcone, Jen Miller-Osborn
@online{falcone:20150923:chinese:4faf76a, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media
9002 RAT
2015-08Arbor NetworksASERT Team
@online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2015-01-29JPCERT/CCShusei Tomonaga
@online{tomonaga:20150129:analysis:0eaad95, author = {Shusei Tomonaga}, title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}}, date = {2015-01-29}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html}, language = {English}, urldate = {2020-01-09} } Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX
2014-06-27SophosLabsGabor Szappanos
@techreport{szappanos:20140627:plugx:e63d8bf, author = {Gabor Szappanos}, title = {{PlugX - The Next Generation}}, date = {2014-06-27}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf}, language = {English}, urldate = {2020-01-10} } PlugX - The Next Generation
PlugX
2014-06-10FireEyeMike Scott
@online{scott:20140610:clandestine:6d515ab, author = {Mike Scott}, title = {{Clandestine Fox, Part Deux}}, date = {2014-06-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html}, language = {English}, urldate = {2019-12-20} } Clandestine Fox, Part Deux
PlugX
2014-01-06AirbusFabien Perigaud
@online{perigaud:20140106:plugx:16410d7, author = {Fabien Perigaud}, title = {{PlugX: some uncovered points}}, date = {2014-01-06}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html}, language = {English}, urldate = {2020-01-08} } PlugX: some uncovered points
PlugX
2013-11-10FireEyeSai Omkar Vashisht, Mike Scott, Thoufique Haq, Ned Moran
@online{vashisht:20131110:operation:d653a09, author = {Sai Omkar Vashisht and Mike Scott and Thoufique Haq and Ned Moran}, title = {{Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method}}, date = {2013-11-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html}, language = {English}, urldate = {2019-12-20} } Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
9002 RAT
2013-09-17SymantecStephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar
@techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } Hidden Lynx – Professional Hackers for Hire
9002 RAT HiKit Aurora Panda
2013-05-20FireEyeNed Moran
@online{moran:20130520:ready:6a59df8, author = {Ned Moran}, title = {{Ready for Summer: The Sunshop Campaign}}, date = {2013-05-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html}, language = {English}, urldate = {2019-12-20} } Ready for Summer: The Sunshop Campaign
9002 RAT
2013-03-29Computer Incident Response Center LuxembourgCIRCL
@techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX
2013-03ContextisKevin O’Reilly
@techreport{oreilly:201303:plugxpayload:d355f49, author = {Kevin O’Reilly}, title = {{PlugX–Payload Extraction}}, date = {2013-03}, institution = {Contextis}, url = {https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf}, language = {English}, urldate = {2021-06-24} } PlugX–Payload Extraction
PlugX
2013-02-07FireEyeJ. Gomez, Thoufique Haq
@online{gomez:20130207:ladyboyle:5927b00, author = {J. Gomez and Thoufique Haq}, title = {{LadyBoyle Comes to Town with a New Exploit}}, date = {2013-02-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html}, language = {English}, urldate = {2019-12-20} } LadyBoyle Comes to Town with a New Exploit
9002 RAT
2012-09-07SymantecGavin O'Gorman, Geoff McDonald
@techreport{ogorman:20120907:elderwood:4247c36, author = {Gavin O'Gorman and Geoff McDonald}, title = {{The Elderwood Project}}, date = {2012-09-07}, institution = {Symantec}, url = {https://www.infopoint-security.de/medien/the-elderwood-project.pdf}, language = {English}, urldate = {2020-07-11} } The Elderwood Project
9002 RAT Beijing Group
2012-02-10tracker.h3x.euMalware Corpus Tracker
@online{tracker:20120210:info:d58b5c1, author = {Malware Corpus Tracker}, title = {{Info for Family: plugx}}, date = {2012-02-10}, organization = {tracker.h3x.eu}, url = {https://tracker.h3x.eu/info/290}, language = {English}, urldate = {2021-06-24} } Info for Family: plugx
PlugX

Credits: MISP Project