
APT33

aka: APT 33, Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35

Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.


Associated Families
ps1.powerton win.filerase win.poshc2 win.powerband win.pupy win.darkcomet win.dropshot win.shapeshift win.turnedup win.nanocore win.netwire win.quasar_rat win.remcos

References
2023-05-16CyberRaijuJai Minton
@online{minton:20230516:remcos:55b425b,
  author       = {Jai Minton},
  title        = {{Remcos RAT - Malware Analysis Lab}},
  organization = {CyberRaiju},
  date         = {2023-05-16},
  url          = {https://www.jaiminton.com/reverse-engineering/remcos#},
  urldate      = {2023-05-21},
  language     = {English}
}
Remcos RAT - Malware Analysis Lab
Remcos
2023-05-15embeeresearchEmbee_research
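@comment{ review: the underscore in the author handle is a LaTeX special character outside math mode and is escaped so the bibliography compiles; key unchanged }
@online{embeeresearch:20230515:quasar:6a364a0,
  author       = {Embee\_research},
  title        = {{Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys}},
  organization = {embeeresearch},
  date         = {2023-05-15},
  url          = {https://embee-research.ghost.io/hunting-quasar-rat-shodan},
  urldate      = {2023-05-16},
  language     = {English}
}
Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys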
Quasar RAT
2023-04-13MicrosoftMicrosoft Threat Intelligence
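@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{intelligence:20230413:threat:a445e97,
  author       = {{Microsoft Threat Intelligence}},
  title        = {{Threat actors strive to cause Tax Day headaches}},
  organization = {Microsoft},
  date         = {2023-04-13},
  url          = {https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/},
  urldate      = {2023-04-18},
  language     = {English}
}
Threat actors strive to cause Tax Day headaches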
CloudEyE Remcos
2023-04-13OALabsSergei Frankoff
@online{frankoff:20230413:quasar:3ad6058,
  author       = {Sergei Frankoff},
  title        = {{Quasar Chaos: Open Source Ransomware Meets Open Source RAT}},
  organization = {OALabs},
  date         = {2023-04-13},
  url          = {https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html},
  urldate      = {2023-05-02},
  language     = {English}
}
Quasar Chaos: Open Source Ransomware Meets Open Source RAT
Chaos Quasar RAT
2023-04-12SpamhausSpamhaus Malware Labs
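@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@techreport{labs:20230412:spamhaus:aa309d1,
  author      = {{Spamhaus Malware Labs}},
  title       = {{Spamhaus Botnet Threat Update Q1 2023}},
  institution = {Spamhaus},
  date        = {2023-04-12},
  url         = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf},
  urldate     = {2023-04-18},
  language    = {English}
}
Spamhaus Botnet Threat Update Q1 2023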
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-10Check PointCheck Point
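@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{point:20230410:march:144c1ad,
  author       = {{Check Point}},
  title        = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}},
  organization = {Check Point},
  date         = {2023-04-10},
  url          = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/},
  urldate      = {2023-04-12},
  language     = {English}
}
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files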
Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee
2023-03-30loginsoftSaharsh Agrawal
@online{agrawal:20230330:from:7b46ae0,
  author       = {Saharsh Agrawal},
  title        = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}},
  organization = {loginsoft},
  date         = {2023-03-30},
  url          = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/},
  urldate      = {2023-04-14},
  language     = {English}
}
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-27ZscalerMeghraj Nandanwar, Satyam Singh
@online{nandanwar:20230327:dbatloader:a8f205c,
  author       = {Meghraj Nandanwar and Satyam Singh},
  title        = {{DBatLoader: Actively Distributing Malwares Targeting European Businesses}},
  organization = {Zscaler},
  date         = {2023-03-27},
  url          = {https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses},
  urldate      = {2023-03-29},
  language     = {English}
}
DBatLoader: Actively Distributing Malwares Targeting European Businesses
DBatLoader Remcos
2023-03-16Trend MicroCedric Pernet, Jaromír Hořejší, Loseway Lu
@online{pernet:20230316:ipfs:6f479ce,
  author       = {Cedric Pernet and Jaromír Hořejší and Loseway Lu},
  title        = {{IPFS: A New Data Frontier or a New Cybercriminal Hideout?}},
  organization = {Trend Micro},
  date         = {2023-03-16},
  url          = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout},
  urldate      = {2023-03-20},
  language     = {English}
}
IPFS: A New Data Frontier or a New Cybercriminal Hideout?
Agent Tesla Formbook RedLine Stealer Remcos
2023-03-10The RegisterJessica Lyons Hardcastle
@online{hardcastle:20230310:fbi:f026768,
  author       = {Jessica Lyons Hardcastle},
  title        = {{FBI and international cops catch a NetWire RAT}},
  organization = {The Register},
  date         = {2023-03-10},
  url          = {https://www.theregister.com/2023/03/10/fbi_netwire_seizure/},
  urldate      = {2023-03-13},
  language     = {English}
}
FBI and international cops catch a NetWire RAT
NetWire RC
2023-02-24ZscalerNiraj Shivtarkar, Avinash Kumar
@online{shivtarkar:20230224:snip3:8bab444,
  author       = {Niraj Shivtarkar and Avinash Kumar},
  title        = {{Snip3 Crypter Reveals New TTPs Over Time}},
  organization = {Zscaler},
  date         = {2023-02-24},
  url          = {https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time},
  urldate      = {2023-03-13},
  language     = {English}
}
Snip3 Crypter Reveals New TTPs Over Time
DCRat Quasar RAT
2023-02-23BitdefenderMartin Zugec, Bitdefender Team
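@comment{ review: the second author is a team, braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{zugec:20230223:technical:710242c,
  author       = {Martin Zugec and {Bitdefender Team}},
  title        = {{Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966}},
  organization = {Bitdefender},
  date         = {2023-02-23},
  url          = {https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966},
  urldate      = {2023-02-27},
  language     = {English}
}
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966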
Cobalt Strike DarkComet RATel
2023-01-30CheckpointArie Olshtein
@online{olshtein:20230130:following:e442fcc,
  author       = {Arie Olshtein},
  title        = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}},
  organization = {Checkpoint},
  date         = {2023-01-30},
  url          = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/},
  urldate      = {2023-01-31},
  language     = {English}
}
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-24TrellixDaksh Kapur, Tomer Shloman, Robert Venal, John Fokker
@online{kapur:20230124:cyberattacks:0a05372,
  author       = {Daksh Kapur and Tomer Shloman and Robert Venal and John Fokker},
  title        = {{Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity}},
  organization = {Trellix},
  date         = {2023-01-24},
  url          = {https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html},
  urldate      = {2023-01-25},
  language     = {English}
}
Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity
Andromeda Formbook Houdini Remcos
2023-01-04K7 SecuritySaikumaravel
@online{saikumaravel:20230104:pupy:f6eacce,
  author       = {Saikumaravel},
  title        = {{Pupy RAT hiding under WerFault’s cover}},
  organization = {K7 Security},
  date         = {2023-01-04},
  url          = {https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/},
  urldate      = {2023-01-05},
  language     = {English}
}
Pupy RAT hiding under WerFault’s cover
pupy
2022-12-18ZAYOTEMEnes Şakir Çolak
@online{olak:20221218:netwire:b9000cb,
  author       = {Enes Şakir Çolak},
  title        = {{NetWire Technical Analysis Report}},
  organization = {ZAYOTEM},
  date         = {2022-12-18},
  url          = {https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view},
  urldate      = {2022-12-20},
  language     = {English}
}
NetWire Technical Analysis Report
NetWire RC
2022-11-21MalwarebytesMalwarebytes
@techreport{malwarebytes:20221121:20221121:f4c6d35,
  author      = {Malwarebytes},
  title       = {{2022-11-21 Threat Intel Report}},
  institution = {Malwarebytes},
  date        = {2022-11-21},
  url         = {https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf},
  urldate     = {2022-11-25},
  language    = {English}
}
2022-11-21 Threat Intel Report
404 Keylogger Agent Tesla Formbook Hive Remcos
2022-11-06LMNTRIXLMNTRIX
@online{lmntrix:20221106:analysis:af3394b,
  author       = {LMNTRIX},
  title        = {{Analysis Of Netwire RAT}},
  organization = {LMNTRIX},
  date         = {2022-11-06},
  url          = {https://lmntrix.com/lab/analysis-of-netwire-rat/},
  urldate      = {2022-12-05},
  language     = {English}
}
Analysis Of Netwire RAT
NetWire RC
2022-10-13SpamhausSpamhaus Malware Labs
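@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@techreport{labs:20221013:spamhaus:43e3190,
  author      = {{Spamhaus Malware Labs}},
  title       = {{Spamhaus Botnet Threat Update Q3 2022}},
  institution = {Spamhaus},
  date        = {2022-10-13},
  url         = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf},
  urldate     = {2022-12-29},
  language    = {English}
}
Spamhaus Botnet Threat Update Q3 2022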
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-22MorphisecMorphisec Labs
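@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{labs:20220922:watch:0f6c6c3,
  author       = {{Morphisec Labs}},
  title        = {{Watch Out For The New NFT-001}},
  organization = {Morphisec},
  date         = {2022-09-22},
  url          = {https://blog.morphisec.com/nft-malware-new-evasion-abilities},
  urldate      = {2022-11-21},
  language     = {English}
}
Watch Out For The New NFT-001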
Eternity Stealer Remcos
2022-09-13SymantecThreat Hunter Team
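@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{team:20220913:new:2ff2e98,
  author       = {{Threat Hunter Team}},
  title        = {{New Wave of Espionage Activity Targets Asian Governments}},
  organization = {Symantec},
  date         = {2022-09-13},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
  urldate      = {2022-09-20},
  language     = {English}
}
New Wave of Espionage Activity Targets Asian Governments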
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-09-06Check PointCheck Point Research
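@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{research:20220906:dangeroussavanna:5bec8b7,
  author       = {{Check Point Research}},
  title        = {{DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa}},
  organization = {Check Point},
  date         = {2022-09-06},
  url          = {https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/},
  urldate      = {2022-09-07},
  language     = {English}
}
DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa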
AsyncRAT Meterpreter PoshC2 DangerousSavanna
2022-09-01Medium michaelkoczwaraMichael Koczwara
@online{koczwara:20220901:hunting:45c54de,
  author       = {Michael Koczwara},
  title        = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}},
  organization = {Medium michaelkoczwara},
  date         = {2022-09-01},
  url          = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f},
  urldate      = {2023-01-19},
  language     = {English}
}
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-08-30Medium the_abjuri5tJohn F
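@comment{ review: the underscore in the organization handle is a LaTeX special character outside math mode and is escaped so the bibliography compiles; key unchanged }
@online{f:20220830:nanocore:86aa443,
  author       = {John F},
  title        = {{NanoCore RAT Hunting Guide}},
  organization = {Medium the\_abjuri5t},
  date         = {2022-08-30},
  url          = {https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0},
  urldate      = {2022-08-30},
  language     = {English}
}
NanoCore RAT Hunting Guide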
Nanocore RAT
2022-08-29Soc InvestigationBalaGanesh
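@comment{ review: the ampersand in the title is a LaTeX special character and is escaped so the bibliography compiles; key unchanged }
@online{balaganesh:20220829:remcos:6f6dbe5,
  author       = {BalaGanesh},
  title        = {{Remcos RAT New TTPS - Detection \& Response}},
  organization = {Soc Investigation},
  date         = {2022-08-29},
  url          = {https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/},
  urldate      = {2022-09-06},
  language     = {English}
}
Remcos RAT New TTPS - Detection & Response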
Remcos
2022-08-21Perception PointIgal Lytzki
@online{lytzki:20220821:behind:e6e884e,
  author       = {Igal Lytzki},
  title        = {{Behind the Attack: Remcos RAT}},
  organization = {Perception Point},
  date         = {2022-08-21},
  url          = {https://perception-point.io/behind-the-attack-remcos-rat/},
  urldate      = {2022-09-22},
  language     = {English}
}
Behind the Attack: Remcos RAT
Remcos
2022-08-18SophosSean Gallagher
@online{gallagher:20220818:cookie:74bd0f5,
  author       = {Sean Gallagher},
  title        = {{Cookie stealing: the new perimeter bypass}},
  organization = {Sophos},
  date         = {2022-08-18},
  url          = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass},
  urldate      = {2022-08-22},
  language     = {English}
}
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT
2022-08-17SecureworksCounter Threat Unit ResearchTeam
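@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{researchteam:20220817:darktortilla:9a00612,
  author       = {{Counter Threat Unit ResearchTeam}},
  title        = {{DarkTortilla Malware Analysis}},
  organization = {Secureworks},
  date         = {2022-08-17},
  url          = {https://www.secureworks.com/research/darktortilla-malware-analysis},
  urldate      = {2023-01-05},
  language     = {English}
}
DarkTortilla Malware Analysis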
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer
2022-08-17360360 Threat Intelligence Center
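@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{center:20220817:kasablanka:2a28570,
  author       = {{360 Threat Intelligence Center}},
  title        = {{Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East}},
  organization = {360},
  date         = {2022-08-17},
  url          = {https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA},
  urldate      = {2022-08-19},
  language     = {Chinese}
}
Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East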
SpyNote Loda Nanocore RAT NjRAT
2022-08-04ConnectWiseStu Gonzalez
@online{gonzalez:20220804:formbook:f3addb8,
  author       = {Stu Gonzalez},
  title        = {{Formbook and Remcos Backdoor RAT by ConnectWise CRU}},
  organization = {ConnectWise},
  date         = {2022-08-04},
  url          = {https://www.connectwise.com/resources/formbook-remcos-rat},
  urldate      = {2022-08-08},
  language     = {English}
}
Formbook and Remcos Backdoor RAT by ConnectWise CRU
Formbook Remcos
2022-07-29QualysViren Chaudhari
@online{chaudhari:20220729:new:3f06f5c,
  author       = {Viren Chaudhari},
  title        = {{New Qualys Research Report: Evolution of Quasar RAT}},
  organization = {Qualys},
  date         = {2022-07-29},
  url          = {https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat},
  urldate      = {2022-08-04},
  language     = {English}
}
New Qualys Research Report: Evolution of Quasar RAT
Quasar RAT
2022-07-27QualysViren Chaudhari
@techreport{chaudhari:20220727:stealthy:9b66a95,
  author      = {Viren Chaudhari},
  title       = {{Stealthy Quasar Evolving to Lead the RAT Race}},
  institution = {Qualys},
  date        = {2022-07-27},
  url         = {https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf},
  urldate     = {2022-08-04},
  language    = {English}
}
Stealthy Quasar Evolving to Lead the RAT Race
Quasar RAT
2022-07-20SophosColin Cowie, Gabor Szappanos
@online{cowie:20220720:ooda:6c453ab,
  author       = {Colin Cowie and Gabor Szappanos},
  title        = {{OODA: X-Ops Takes On Burgeoning SQL Server Attacks}},
  organization = {Sophos},
  date         = {2022-07-20},
  url          = {https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/},
  urldate      = {2023-05-30},
  language     = {English}
}
OODA: X-Ops Takes On Burgeoning SQL Server Attacks
Maoloa Remcos TargetCompany
2022-07-18CensysCensys
@techreport{censys:20220718:russian:dfd4246,
  author      = {Censys},
  title       = {{Russian Ransomware C2 Network Discovered in Censys Data}},
  institution = {Censys},
  date        = {2022-07-18},
  url         = {https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf},
  urldate     = {2022-07-25},
  language    = {English}
}
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2
2022-07-13WeixinAntiy CERT
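@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{cert:20220713:confucius:307a7f4,
  author       = {{Antiy CERT}},
  title        = {{Confucius: The Angler Hidden Under CloudFlare}},
  organization = {Weixin},
  date         = {2022-07-13},
  url          = {https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ},
  urldate      = {2022-07-14},
  language     = {English}
}
Confucius: The Angler Hidden Under CloudFlare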
Quasar RAT
2022-06-23SecureworksCounter Threat Unit ResearchTeam
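@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{researchteam:20220623:bronze:8bccd74,
  author       = {{Counter Threat Unit ResearchTeam}},
  title        = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
  organization = {Secureworks},
  date         = {2022-06-23},
  url          = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
  urldate      = {2022-09-20},
  language     = {English}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader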
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-06-21Cisco TalosFlavio Costa, Chris Neal, Guilherme Venere
@online{costa:20220621:avos:b60a2ad,
  author       = {Flavio Costa and Chris Neal and Guilherme Venere},
  title        = {{Avos ransomware group expands with new attack arsenal}},
  organization = {Cisco Talos},
  date         = {2022-06-21},
  url          = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html},
  urldate      = {2022-06-22},
  language     = {English}
}
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz
2022-06-20Infinitum ITinfinitum IT
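@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{it:20220620:charming:b356ff2,
  author       = {{infinitum IT}},
  title        = {{Charming Kitten (APT35)}},
  organization = {Infinitum IT},
  date         = {2022-06-20},
  url          = {https://www.infinitumit.com.tr/apt-35/},
  urldate      = {2022-06-22},
  language     = {Turkish}
}
Charming Kitten (APT35)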
LaZagne DownPaper MimiKatz pupy
2022-06-15VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
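@comment{ review: the third author is a team, braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{adair:20220615:driftingcloud:58322a8,
  author       = {Steven Adair and Thomas Lancaster and {Volexity Threat Research}},
  title        = {{DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach}},
  organization = {Volexity},
  date         = {2022-06-15},
  url          = {https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/},
  urldate      = {2022-06-17},
  language     = {English}
}
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach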
pupy Sliver
2022-06-02FortiGuard LabsFred Gutierrez, Shunichi Imano, James Slaughter, Gergely Revay
@online{gutierrez:20220602:threat:6713237,
  author       = {Fred Gutierrez and Shunichi Imano and James Slaughter and Gergely Revay},
  title        = {{Threat Actors Prey on Eager Travelers}},
  organization = {FortiGuard Labs},
  date         = {2022-06-02},
  url          = {https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers},
  urldate      = {2022-06-15},
  language     = {English}
}
Threat Actors Prey on Eager Travelers
AsyncRAT NetWire RC Quasar RAT
2022-05-23Trend MicroDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220523:operation:e3c402b,
  author      = {Daniel Lunghi and Jaromír Hořejší},
  title       = {{Operation Earth Berberoka}},
  institution = {Trend Micro},
  date        = {2022-05-23},
  url         = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf},
  urldate     = {2022-07-25},
  language    = {English}
}
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
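@comment{ review: team author braced as a single indivisible name and its ampersand escaped, so the name is not split and the bibliography compiles; key unchanged }
@online{team:20220519:net:ecf311c,
  author       = {{The BlackBerry Research \& Intelligence Team}},
  title        = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}},
  organization = {Blackberry},
  date         = {2022-05-19},
  url          = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord},
  urldate      = {2022-06-09},
  language     = {English}
}
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)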
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
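@comment{ review: team author braced as a single indivisible name and its ampersand escaped, so the name is not split and the bibliography compiles; key unchanged }
@online{team:20220519:net:64662b5,
  author       = {{The BlackBerry Research \& Intelligence Team}},
  title        = {{.NET Stubs: Sowing the Seeds of Discord}},
  organization = {Blackberry},
  date         = {2022-05-19},
  url          = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?},
  urldate      = {2022-05-23},
  language     = {English}
}
.NET Stubs: Sowing the Seeds of Discord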
Agent Tesla Quasar RAT WhisperGate
2022-05-16JPCERT/CCShusei Tomonaga
@online{tomonaga:20220516:analysis:b1c8089,
  author       = {Shusei Tomonaga},
  title        = {{Analysis of HUI Loader}},
  organization = {JPCERT/CC},
  date         = {2022-05-16},
  url          = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
  urldate      = {2022-05-17},
  language     = {English}
}
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT
2022-05-12MorphisecHido Cohen
@online{cohen:20220512:new:6e12278,
  author       = {Hido Cohen},
  title        = {{New SYK Crypter Distributed Via Discord}},
  organization = {Morphisec},
  date         = {2022-05-12},
  url          = {https://blog.morphisec.com/syk-crypter-discord},
  urldate      = {2022-06-09},
  language     = {English}
}
New SYK Crypter Distributed Via Discord
AsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer
2022-05-05Github (muha2xmad)Muhammad Hasan Ali
@online{ali:20220505:analysis:3ec712d,
  author       = {Muhammad Hasan Ali},
  title        = {{Analysis of MS Word to drop Remcos RAT | VBA extraction and analysis | IoCs}},
  organization = {Github (muha2xmad)},
  date         = {2022-05-05},
  url          = {https://muha2xmad.github.io/mal-document/remcosdoc/},
  urldate      = {2022-05-08},
  language     = {English}
}
Analysis of MS Word to drop Remcos RAT | VBA extraction and analysis | IoCs
Remcos
2022-04-27Trend MicroDaniel Lunghi, Jaromír Hořejší
@online{lunghi:20220427:new:9068f6e,
  author       = {Daniel Lunghi and Jaromír Hořejší},
  title        = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
  organization = {Trend Micro},
  date         = {2022-04-27},
  url          = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
  urldate      = {2023-04-18},
  language     = {English}
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka
2022-04-27TrendmicroTrendmicro
@online{trendmicro:20220427:iocs:b6d7ab5,
  author       = {Trendmicro},
  title        = {{IOCs for Earth Berberoka - Linux}},
  organization = {Trendmicro},
  date         = {2022-04-27},
  url          = {https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt},
  urldate      = {2022-07-25},
  language     = {English}
}
IOCs for Earth Berberoka - Linux
Rekoobe pupy Earth Berberoka
2022-04-27TrendmicroTrendmicro
@online{trendmicro:20220427:iocs:18f7e31,
  author       = {Trendmicro},
  title        = {{IOCs for Earth Berberoka - Windows}},
  organization = {Trendmicro},
  date         = {2022-04-27},
  url          = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt},
  urldate      = {2022-07-25},
  language     = {English}
}
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220427:operation:bdba881,
  author      = {Daniel Lunghi and Jaromír Hořejší},
  title       = {{Operation Gambling Puppet}},
  institution = {Trendmicro},
  date        = {2022-04-27},
  url         = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
  urldate     = {2022-07-25},
  language    = {English}
}
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2022-04-26Trend MicroRyan Flores, Stephen Hilt, Lord Alfred Remorin
@online{flores:20220426:how:28d9476,
  author       = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin},
  title        = {{How Cybercriminals Abuse Cloud Tunneling Services}},
  organization = {Trend Micro},
  date         = {2022-04-26},
  url          = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services},
  urldate      = {2022-05-03},
  language     = {English}
}
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT
2022-04-15Center for Internet SecurityCIS
@online{cis:20220415:top:62c8245,
  author       = {CIS},
  title        = {{Top 10 Malware March 2022}},
  organization = {Center for Internet Security},
  date         = {2022-04-15},
  url          = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022},
  urldate      = {2023-02-17},
  language     = {English}
}
Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus
2022-04-12HPPatrick Schläpfer
@online{schlpfer:20220412:malware:5032799,
  author       = {Patrick Schläpfer},
  title        = {{Malware Campaigns Targeting African Banking Sector}},
  organization = {HP},
  date         = {2022-04-12},
  url          = {https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/},
  urldate      = {2022-04-15},
  language     = {English}
}
Malware Campaigns Targeting African Banking Sector
CloudEyE Remcos
2022-04-06FortinetXiaopeng Zhang
@online{zhang:20220406:latest:a7dbcb3,
  author       = {Xiaopeng Zhang},
  title        = {{The Latest Remcos RAT Driven By Phishing Campaign}},
  organization = {Fortinet},
  date         = {2022-04-06},
  url          = {https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing},
  urldate      = {2022-08-05},
  language     = {English}
}
The Latest Remcos RAT Driven By Phishing Campaign
Remcos
2022-03-30Recorded FutureInsikt Group
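@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@techreport{group:20220330:social:e36c4e5,
  author      = {{Insikt Group}},
  title       = {{Social Engineering Remains Key Tradecraft for Iranian APTs}},
  institution = {Recorded Future},
  date        = {2022-03-30},
  url         = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf},
  urldate     = {2022-04-05},
  language    = {English}
}
Social Engineering Remains Key Tradecraft for Iranian APTs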
Liderc pupy
2022-03-30MorphisecHido Cohen
@online{cohen:20220330:new:b2abe2b,
  author       = {Hido Cohen},
  title        = {{New Wave Of Remcos RAT Phishing Campaign}},
  organization = {Morphisec},
  date         = {2022-03-30},
  url          = {https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain},
  urldate      = {2022-03-31},
  language     = {English}
}
New Wave Of Remcos RAT Phishing Campaign
Remcos
2022-03-27Medium M3H51NM3H51N
@online{m3h51n:20220327:malware:b1e1deb,
  author       = {M3H51N},
  title        = {{Malware Analysis — NanoCore Rat}},
  organization = {Medium M3H51N},
  date         = {2022-03-27},
  url          = {https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918},
  urldate      = {2022-04-04},
  language     = {English}
}
Malware Analysis — NanoCore Rat
Nanocore RAT
2022-03-25TrustwaveTrustwave SpiderLabs
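@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; key unchanged }
@online{spiderlabs:20220325:cyber:6401810,
  author       = {{Trustwave SpiderLabs}},
  title        = {{Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns}},
  organization = {Trustwave},
  date         = {2022-03-25},
  url          = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns},
  urldate      = {2022-08-17},
  language     = {English}
}
Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns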
Remcos
2022-03-24Lab52freyit
@online{freyit:20220324:another:4578bc2,
  author       = {freyit},
  title        = {{Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks}},
  organization = {Lab52},
  date         = {2022-03-24},
  url          = {https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/},
  urldate      = {2022-03-25},
  language     = {English}
}
Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks
Quasar RAT
2022-03-07ASECASEC
@online{asec:20220307:distribution:d298aca,
  author       = {ASEC},
  title        = {{Distribution of Remcos RAT Disguised as Tax Invoice}},
  organization = {ASEC},
  date         = {2022-03-07},
  url          = {https://asec.ahnlab.com/en/32376/},
  urldate      = {2022-03-07},
  language     = {English}
}
Distribution of Remcos RAT Disguised as Tax Invoice
Remcos
2022-03-05Bleeping ComputerLawrence Abrams
@online{abrams:20220305:malware:5ab8b53,
  author       = {Lawrence Abrams},
  title        = {{Malware now using NVIDIA's stolen code signing certificates}},
  organization = {Bleeping Computer},
  date         = {2022-03-05},
  url          = {https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/},
  urldate      = {2022-03-10},
  language     = {English}
}
Malware now using NVIDIA's stolen code signing certificates
Quasar RAT
2022-03-04Bleeping ComputerBill Toulas
@online{toulas:20220304:russiaukraine:60c3069,
  author       = {Bill Toulas},
  title        = {{Russia-Ukraine war exploited as lure for malware distribution}},
  organization = {Bleeping Computer},
  date         = {2022-03-04},
  url          = {https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/},
  urldate      = {2022-03-04},
  language     = {English}
}
Russia-Ukraine war exploited as lure for malware distribution
Agent Tesla Remcos
2022-03-04BitdefenderAlina Bizga
@online{bizga:20220304:bitdefender:44d1f32,
  author       = {Alina Bizga},
  title        = {{Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine}},
  organization = {Bitdefender},
  date         = {2022-03-04},
  url          = {https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine},
  urldate      = {2022-03-04},
  language     = {English}
}
Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine
Agent Tesla Remcos
2022-03VirusTotalVirusTotal
@techreport{virustotal:202203:virustotals:c6af9c1,
  author      = {VirusTotal},
  title       = {{VirusTotal's 2021 Malware Trends Report}},
  institution = {VirusTotal},
  date        = {2022-03},
  url         = {https://assets.virustotal.com/reports/2021trends.pdf},
  urldate     = {2022-04-13},
  language    = {English}
}
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-28ASECASEC
@online{asec:20220228:remcos:d53c470,
  author       = {ASEC},
  title        = {{Remcos RAT malware disseminated by pretending to be tax invoices}},
  organization = {ASEC},
  date         = {2022-02-28},
  url          = {https://asec.ahnlab.com/ko/32101/},
  urldate      = {2022-03-07},
  language     = {Korean}
}
Remcos RAT malware disseminated by pretending to be tax invoices
Remcos
2022-02-22CyCraft Technology Corp
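@comment{ review: corporate author braced as a single indivisible name so it is not split into first/last parts; the entry carries no organization field in the source and none is invented here; key unchanged }
@online{corp:20220222:china:76aa7e8,
  author   = {{CyCraft Technology Corp}},
  title    = {{China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector}},
  date     = {2022-02-22},
  url      = {https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525},
  urldate  = {2022-02-26},
  language = {English}
}
China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector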
Quasar RAT
2022-02-21CyCraftCyCraft AI
@online{ai:20220221:indepth:73e8778, author = {{CyCraft AI}}, title = {{An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry}}, date = {2022-02-21}, organization = {CyCraft}, url = {https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934}, language = {Chinese}, urldate = {2022-02-26} } An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry
Quasar RAT
2022-02-21The RecordCatalin Cimpanu
@online{cimpanu:20220221:chinese:fe29003, author = {Catalin Cimpanu}, title = {{Chinese hackers linked to months-long attack on Taiwanese financial sector}}, date = {2022-02-21}, organization = {The Record}, url = {https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/}, language = {English}, urldate = {2022-02-26} } Chinese hackers linked to months-long attack on Taiwanese financial sector
Quasar RAT
2022-02-18YouTube (John Hammond)John Hammond
@online{hammond:20220218:uncovering:1c5162c, author = {John Hammond}, title = {{Uncovering NETWIRE Malware - Discovery \& Deobfuscation}}, date = {2022-02-18}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=TeQdZxP0RYY}, language = {English}, urldate = {2022-02-19} } Uncovering NETWIRE Malware - Discovery & Deobfuscation
NetWire RC
2022-02-18SANS ISCXavier Mertens
@online{mertens:20220218:remcos:c302a64, author = {Xavier Mertens}, title = {{Remcos RAT Delivered Through Double Compressed Archive}}, date = {2022-02-18}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/}, language = {English}, urldate = {2022-02-18} } Remcos RAT Delivered Through Double Compressed Archive
Remcos
2022-02-15Threat PostElizabeth Montalbano
@online{montalbano:20220215:ta2541:7e201a7, author = {Elizabeth Montalbano}, title = {{TA2541: APT Has Been Shooting RATs at Aviation for Years}}, date = {2022-02-15}, organization = {Threat Post}, url = {https://threatpost.com/ta2541-apt-rats-aviation/178422/}, language = {English}, urldate = {2022-02-17} } TA2541: APT Has Been Shooting RATs at Aviation for Years
AsyncRAT Houdini NetWire RC Parallax RAT
2022-02-15BleepingComputerIonut Ilascu
@online{ilascu:20220215:unskilled:1bf1eb3, author = {Ionut Ilascu}, title = {{Unskilled hacker linked to years of attacks on aviation, transport sectors}}, date = {2022-02-15}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/}, language = {English}, urldate = {2022-02-17} } Unskilled hacker linked to years of attacks on aviation, transport sectors
AsyncRAT Houdini NetWire RC Parallax RAT
2022-02-14MorphisecHido Cohen, Arnold Osipov
@techreport{cohen:20220214:journey:6c209dc, author = {Hido Cohen and Arnold Osipov}, title = {{Journey of a Crypto Scammer - NFT-001}}, date = {2022-02-14}, institution = {Morphisec}, url = {https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf}, language = {English}, urldate = {2022-02-19} } Journey of a Crypto Scammer - NFT-001
AsyncRAT BitRAT Remcos
2022-02-11Cisco TalosTalos
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2022-02-11blog.rootshell.beXavier Mertens
@online{mertens:20220211:sans:7273063, author = {Xavier Mertens}, title = {{[SANS ISC] CinaRAT Delivered Through HTML ID Attributes}}, date = {2022-02-11}, organization = {blog.rootshell.be}, url = {https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/}, language = {English}, urldate = {2022-02-14} } [SANS ISC] CinaRAT Delivered Through HTML ID Attributes
Quasar RAT
2022-02-09Sentinel LABSTom Hegel
@online{hegel:20220209:modifiedelephant:b004138, author = {Tom Hegel}, title = {{ModifiedElephant APT and a Decade of Fabricating Evidence}}, date = {2022-02-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/}, language = {English}, urldate = {2022-02-14} } ModifiedElephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC ModifiedElephant
2022-02-09SentinelOneTom Hegel, Juan Andrés Guerrero-Saade
@techreport{hegel:20220209:modified:3c039c6, author = {Tom Hegel and Juan Andrés Guerrero-Saade}, title = {{Modified Elephant APT and a Decade of Fabricating Evidence}}, date = {2022-02-09}, institution = {SentinelOne}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf}, language = {English}, urldate = {2022-02-14} } Modified Elephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC
2022-02-08ASECASEC
@online{asec:20220208:distribution:1e72a12, author = {ASEC}, title = {{Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed}}, date = {2022-02-08}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/31089/}, language = {English}, urldate = {2022-02-10} } Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed
GoldDragon Quasar RAT
2022-02-08Itay Migdal
@online{migdal:20220208:remcos:e52c6ec, author = {Itay Migdal}, title = {{Remcos Analysis}}, date = {2022-02-08}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md}, language = {English}, urldate = {2022-02-09} } Remcos Analysis
Remcos
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {{Intel 471}}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02-07RiskIQRiskIQ
@online{riskiq:20220207:riskiq:43b167b, author = {RiskIQ}, title = {{RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates}}, date = {2022-02-07}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/ade260c6}, language = {English}, urldate = {2022-02-09} } RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates
AsyncRAT BitRAT Nanocore RAT
2022-01-28eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220128:remcos:b6e5f46, author = {{eSentire Threat Response Unit (TRU)}}, title = {{Remcos RAT}}, date = {2022-01-28}, organization = {eSentire}, url = {https://www.esentire.com/blog/remcos-rat}, language = {English}, urldate = {2022-05-23} } Remcos RAT
Remcos
2022-01-13muha2xmadMuhammad Hasan Ali
@online{ali:20220113:unpacking:09ab5c5, author = {Muhammad Hasan Ali}, title = {{Unpacking Remcos malware}}, date = {2022-01-13}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/remcos/}, language = {English}, urldate = {2022-01-25} } Unpacking Remcos malware
Remcos
2022-01-12CiscoChetan Raghuprasad, Vanja Svajcer
@online{raghuprasad:20220112:nanocore:938e93c, author = {Chetan Raghuprasad and Vanja Svajcer}, title = {{Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure}}, date = {2022-01-12}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html}, language = {English}, urldate = {2022-01-18} } Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
AsyncRAT Nanocore RAT NetWire RC
2022-01-10splunkSplunk Threat Research Team
@online{team:20220110:detecting:a46a6e5, author = {{Splunk Threat Research Team}}, title = {{Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021}}, date = {2022-01-10}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html}, language = {English}, urldate = {2022-01-25} } Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021
Remcos
2022-01-08Bleeping ComputerLawrence Abrams
@online{abrams:20220108:trojanized:00522d1, author = {Lawrence Abrams}, title = {{Trojanized dnSpy app drops malware cocktail on researchers, devs}}, date = {2022-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/}, language = {English}, urldate = {2022-01-18} } Trojanized dnSpy app drops malware cocktail on researchers, devs
Quasar RAT
2022-01-02Medium amgedwagehAmged Wageh
@online{wageh:20220102:automating:90d5701, author = {Amged Wageh}, title = {{Automating The Analysis Of An AutoIT Script That Wraps A Remcos RAT}}, date = {2022-01-02}, organization = {Medium amgedwageh}, url = {https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87}, language = {English}, urldate = {2022-01-25} } Automating The Analysis Of An AutoIT Script That Wraps A Remcos RAT
Remcos
2021-12-14Trend MicroNick Dai, Ted Lee, Vickie Su
@online{dai:20211214:collecting:3d6dd34, author = {Nick Dai and Ted Lee and Vickie Su}, title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}}, date = {2021-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html}, language = {English}, urldate = {2022-03-30} } Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack
2021-12-13RiskIQJordan Herman
@online{herman:20211213:riskiq:82a7631, author = {Jordan Herman}, title = {{RiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure}}, date = {2021-12-13}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/24759ad2}, language = {English}, urldate = {2022-01-18} } RiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure
AsyncRAT Nanocore RAT NetWire RC Vjw0rm
2021-11-29Trend MicroJaromír Hořejší
@online{hoej:20211129:campaign:6e23cf5, author = {Jaromír Hořejší}, title = {{Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites}}, date = {2021-11-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html}, language = {English}, urldate = {2021-12-07} } Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
AsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos
2021-11-23MorphisecHido Cohen, Arnold Osipov
@online{cohen:20211123:babadeda:ae0d0ac, author = {Hido Cohen and Arnold Osipov}, title = {{Babadeda Crypter targeting crypto, NFT, and DeFi communities}}, date = {2021-11-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities}, language = {English}, urldate = {2021-12-22} } Babadeda Crypter targeting crypto, NFT, and DeFi communities
Babadeda BitRAT LockBit Remcos
2021-11-23HPPatrick Schläpfer
@online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos
2021-11-11splunkSplunk Threat Research Team
@online{team:20211111:fin7:cd0d233, author = {{Splunk Threat Research Team}}, title = {{FIN7 Tools Resurface in the Field – Splinter or Copycat?}}, date = {2021-11-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html}, language = {English}, urldate = {2021-11-12} } FIN7 Tools Resurface in the Field – Splinter or Copycat?
JSSLoader Remcos
2021-10-27ProofpointSelena Larson, Joe Wise
@online{larson:20211027:new:0d80a57, author = {Selena Larson and Joe Wise}, title = {{New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns}}, date = {2021-10-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread}, language = {English}, urldate = {2021-11-03} } New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns
Nanocore RAT Remcos
2021-10-19Cisco TalosAsheer Malhotra
@online{malhotra:20211019:malicious:6889662, author = {Asheer Malhotra}, title = {{Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India}}, date = {2021-10-19}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html}, language = {English}, urldate = {2021-11-02} } Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
DCRat Quasar RAT
2021-10-06ESET ResearchMartina López
@online{lpez:20211006:to:8e09f8a, author = {Martina López}, title = {{To the moon and hack: Fake SafeMoon app drops malware to spy on you}}, date = {2021-10-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/}, language = {English}, urldate = {2021-10-11} } To the moon and hack: Fake SafeMoon app drops malware to spy on you
Remcos
2021-10HPHP Wolf Security
@techreport{security:202110:threat:49f8fc2, author = {{HP Wolf Security}}, title = {{Threat Insights Report Q3 - 2021}}, date = {2021-10}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf}, language = {English}, urldate = {2021-10-25} } Threat Insights Report Q3 - 2021
STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm
2021-09-23TalosAsheer Malhotra, Vanja Svajcer, Justin Thattil
@online{malhotra:20210923:operation:056c76c, author = {Asheer Malhotra and Vanja Svajcer and Justin Thattil}, title = {{Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs}}, date = {2021-09-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html}, language = {English}, urldate = {2021-10-05} } Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
Ave Maria NetWire RC
2021-09-20Trend MicroAliakbar Zahravi, William Gamazo Sanchez
@online{zahravi:20210920:water:63df486, author = {Aliakbar Zahravi and William Gamazo Sanchez}, title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}}, date = {2021-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html}, language = {English}, urldate = {2021-09-22} } Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-16BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210916:threat:ae9400e, author = {{The BlackBerry Research \& Intelligence Team}}, title = {{Threat Thursday: NetWire RAT is Coming Down the Line}}, date = {2021-09-16}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line}, language = {English}, urldate = {2021-09-19} } Threat Thursday: NetWire RAT is Coming Down the Line
NetWire RC
2021-09-15TelsyTelsy
@online{telsy:20210915:remcos:83c0670, author = {Telsy}, title = {{REMCOS and Agent Tesla loaded into memory with Rezer0 loader}}, date = {2021-09-15}, organization = {Telsy}, url = {https://www.telsy.com/download/4832/}, language = {English}, urldate = {2021-09-23} } REMCOS and Agent Tesla loaded into memory with Rezer0 loader
Agent Tesla Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-06dbappsecurity猎影实验室
@online{:20210906:operation:3e2fd42, author = {猎影实验室}, title = {{假面行动(Operation MaskFace)-疑似针对境外银行的利用问卷调查为主题的钓鱼攻击事件分析}}, date = {2021-09-06}, organization = {dbappsecurity}, url = {https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/}, language = {Chinese}, urldate = {2021-10-24} } 假面行动(Operation MaskFace)-疑似针对境外银行的利用问卷调查为主题的钓鱼攻击事件分析
PoshC2
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C\&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-01360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20210901:aptc56:0f08cce, author = {{Advanced Threat Institute}}, title = {{APT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack Analysis Alert}}, date = {2021-09-01}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg}, language = {Chinese}, urldate = {2021-09-09} } APT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack Analysis Alert
Crimson RAT NetWire RC
2021-08-05Twitter (@BaoshengbinCumt)2ero
@online{2ero:20210805:attacks:200d665, author = {2ero}, title = {{Attacks on NCGSA, MOITT, MOD, NSCP and SCO in Pakistan}}, date = {2021-08-05}, organization = {Twitter (@BaoshengbinCumt)}, url = {https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA}, language = {Chinese}, urldate = {2021-08-06} } Attacks on NCGSA, MOITT, MOD, NSCP and SCO in Pakistan
NetWire RC
2021-08-04ASECASEC
@online{asec:20210804:sw:fd538d1, author = {ASEC}, title = {{S/W Download Camouflage, Spreading Various Kinds of Malware}}, date = {2021-08-04}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/25837/}, language = {Korean}, urldate = {2022-03-07} } S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {{BlackBerry Research \& Intelligence Team}}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-07-19MalwarebytesErika Noerenberg
@online{noerenberg:20210719:remcos:fdf8bd6, author = {Erika Noerenberg}, title = {{Remcos RAT delivered via Visual Basic}}, date = {2021-07-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/}, language = {English}, urldate = {2021-07-26} } Remcos RAT delivered via Visual Basic
Remcos
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-06-10ZAYOTEMFatma Nur Gözüküçük, Fatma Helin Çakmak, Hakan Soysal, Halil Filik, Yasin Mersin
@online{gzkk:20210610:netwire:e6fa34d, author = {Fatma Nur Gözüküçük and Fatma Helin Çakmak and Hakan Soysal and Halil Filik and Yasin Mersin}, title = {{NetWire Technical Analysis Report}}, date = {2021-06-10}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view}, language = {English}, urldate = {2021-06-16} } NetWire Technical Analysis Report
NetWire RC
2021-05-27MinervaLabsTom Roter
@online{roter:20210527:trapping:76b0b81, author = {Tom Roter}, title = {{Trapping A Fat Quasar RAT}}, date = {2021-05-27}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/trapping-quasar-rat}, language = {English}, urldate = {2021-06-01} } Trapping A Fat Quasar RAT
Quasar RAT
2021-05-13AnomaliTara Gould, Gage Mele
@online{gould:20210513:threat:6115cfb, author = {Tara Gould and Gage Mele}, title = {{Threat Actors Use MSBuild to Deliver RATs Filelessly}}, date = {2021-05-13}, organization = {Anomali}, url = {https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly}, language = {English}, urldate = {2021-05-17} } Threat Actors Use MSBuild to Deliver RATs Filelessly
Remcos
2021-05-07MorphisecNadav Lorber
@online{lorber:20210507:revealing:add3b8a, author = {Nadav Lorber}, title = {{Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader}}, date = {2021-05-07}, organization = {Morphisec}, url = {https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader}, language = {English}, urldate = {2021-05-13} } Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader
Agent Tesla AsyncRAT NetWire RC Revenge RAT
2021-05-05ZscalerAniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-27KasperskyGReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-04-21TalosVanja Svajcer
@online{svajcer:20210421:year:4741c8e, author = {Vanja Svajcer}, title = {{A year of Fajan evolution and Bloomberg themed campaigns}}, date = {2021-04-21}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html}, language = {English}, urldate = {2021-04-28} } A year of Fajan evolution and Bloomberg themed campaigns
MASS Logger Nanocore RAT NetWire RC Revenge RAT XpertRAT
2021-04-14ZscalerRohit Chaturvedi, Atinderpal Singh, Tarun Dewan
@online{chaturvedi:20210414:look:02bf1e0, author = {Rohit Chaturvedi and Atinderpal Singh and Tarun Dewan}, title = {{A look at HydroJiin campaign}}, date = {2021-04-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign}, language = {English}, urldate = {2021-04-16} } A look at HydroJiin campaign
NetWire RC Quasar RAT
2021-03-18CybereasonDaniel Frank
@online{frank:20210318:cybereason:22a301a, author = {Daniel Frank}, title = {{Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware}}, date = {2021-03-18}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers}, language = {English}, urldate = {2021-03-19} } Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
NetWire RC Remcos
2021-03-16MorphisecNadav Lorber
@online{lorber:20210316:tracking:2d8ef0b, author = {Nadav Lorber}, title = {{Tracking HCrypt: An Active Crypter as a Service}}, date = {2021-03-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service}, language = {English}, urldate = {2021-05-13} } Tracking HCrypt: An Active Crypter as a Service
AsyncRAT LimeRAT Remcos
2021-03-11TrustwaveDiana Lopera
@online{lopera:20210311:image:dbb9908, author = {Diana Lopera}, title = {{Image File Trickery Part II: Fake Icon Delivers NanoCore}}, date = {2021-03-11}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/}, language = {English}, urldate = {2021-03-16} } Image File Trickery Part II: Fake Icon Delivers NanoCore
Nanocore RAT
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-18PTSecurityPTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2021-02-08Arsenal ConsultingArsenal Consulting
@online{consulting:20210208:national:25bf467, author = {{Arsenal Consulting}}, title = {{National Investigation Agency VS Sudhir Pralhad Dhawale \& others Report 1}}, date = {2021-02-08}, organization = {Arsenal Consulting}, url = {https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.}, language = {English}, urldate = {2021-02-25} } National Investigation Agency VS Sudhir Pralhad Dhawale & others Report 1
NetWire RC
2021-02-05MorphisecNadav Lorber
@online{lorber:20210205:cinarat:772720f, author = {Nadav Lorber}, title = {{CinaRAT Resurfaces with New Evasive Tactics and Techniques}}, date = {2021-02-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques}, language = {English}, urldate = {2021-02-09} } CinaRAT Resurfaces with New Evasive Tactics and Techniques
Quasar RAT
2021-01-13BitdefenderJanos Gergo Szeles
@techreport{szeles:20210113:remcos:5ffdb28, author = {Janos Gergo Szeles}, title = {{Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign}}, date = {2021-01-13}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf}, language = {English}, urldate = {2021-01-18} } Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign
Remcos
2021-01-11ESET ResearchMatías Porolli
@online{porolli:20210111:operation:409662d, author = {Matías Porolli}, title = {{Operation Spalax: Targeted malware attacks in Colombia}}, date = {2021-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/}, language = {English}, urldate = {2021-01-18} } Operation Spalax: Targeted malware attacks in Colombia
Agent Tesla AsyncRAT NjRAT Remcos
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-07 | Recorded Future | Insikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Adversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Adversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06 | Red Canary | Tony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2020-12-28 | Antiy CERT | Antiy CERT
@online{cert:20201228:civerids:b40d172, author = {Antiy CERT}, title = {{"Civerids" organization vs. Middle East area attack activity analysis report}}, date = {2020-12-28}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20201228.html}, language = {Chinese}, urldate = {2021-01-04} } "Civerids" organization vs. Middle East area attack activity analysis report
Quasar RAT
2020-12-24 | IronNet | Adam Hlavek
@online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = {2021-01-01} } China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-12-21 | Cisco Talos | JON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-12-10 | JPCERT/CC | Kota Kino
@online{kino:20201210:attack:cd8c552, author = {Kota Kino}, title = {{Attack Activities by Quasar Family}}, date = {2020-12-10}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html}, language = {English}, urldate = {2020-12-10} } Attack Activities by Quasar Family
AsyncRAT Quasar RAT Venom RAT XPCTRA
2020-12-10 | US-CERT | US-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09 | Cybereason | Cybereason Nocturnus
@online{nocturnus:20201209:new:ef00418, author = {Cybereason Nocturnus}, title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}}, date = {2020-12-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign}, language = {English}, urldate = {2020-12-10} } New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
DropBook MoleNet Quasar RAT SharpStage Spark
2020-12-09 | Cybereason | Cybereason Nocturnus Team
@techreport{team:20201209:molerats:a13c569, author = {Cybereason Nocturnus Team}, title = {{MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign}}, date = {2020-12-09}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf}, language = {English}, urldate = {2022-02-09} } MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign
DropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark
2020-12-07 | Proofpoint | Proofpoint Threat Research Team
@online{team:20201207:commodity:027b864, author = {Proofpoint Threat Research Team}, title = {{Commodity .NET Packers use Embedded Images to Hide Payloads}}, date = {2020-12-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads}, language = {English}, urldate = {2020-12-10} } Commodity .NET Packers use Embedded Images to Hide Payloads
Agent Tesla Loki Password Stealer (PWS) Remcos
2020-11-19 | Threatpost | Elizabeth Montalbano
@online{montalbano:20201119:exploits:f40feb2, author = {Elizabeth Montalbano}, title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}}, date = {2020-11-19}, organization = {Threatpost}, url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/}, language = {English}, urldate = {2020-11-23} } APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk
2020-11-18 | G Data | G-Data
@online{gdata:20201118:business:f4eda3a, author = {G-Data}, title = {{Business as usual: Criminal Activities in Times of a Global Pandemic}}, date = {2020-11-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire}, language = {English}, urldate = {2020-11-23} } Business as usual: Criminal Activities in Times of a Global Pandemic
Agent Tesla Nanocore RAT NetWire RC Remcos
2020-11-17 | Symantec | Threat Hunter Team
@online{team:20201117:japanlinked:42c6320, author = {Threat Hunter Team}, title = {{Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign}}, date = {2020-11-17}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage}, language = {English}, urldate = {2020-11-19} } Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign
Quasar RAT
2020-09-18 | Symantec | Threat Hunter Team
@online{team:20200918:elfin:dff6499, author = {Threat Hunter Team}, title = {{Elfin: Latest U.S. Indictments Appear to Target Iranian Espionage Group}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage}, language = {English}, urldate = {2020-09-23} } Elfin: Latest U.S. Indictments Appear to Target Iranian Espionage Group
Nanocore RAT
2020-09-17 | FBI | FBI
@techreport{fbi:20200917:fbi:9893ba0, author = {FBI}, title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-1.pdf}, language = {English}, urldate = {2020-09-23} } FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks
MimiKatz Nanocore RAT
2020-09-11 | ThreatConnect | ThreatConnect Research Team
@online{team:20200911:research:edfb074, author = {ThreatConnect Research Team}, title = {{Research Roundup: Activity on Previously Identified APT33 Domains}}, date = {2020-09-11}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/}, language = {English}, urldate = {2020-09-15} } Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33
2020-09-10 | Medium mariohenkel | Mario Henkel
@online{henkel:20200910:decrypting:2bcb10d, author = {Mario Henkel}, title = {{Decrypting NanoCore config and dump all plugins}}, date = {2020-09-10}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52}, language = {English}, urldate = {2020-09-10} } Decrypting NanoCore config and dump all plugins
Nanocore RAT
2020-08-26 | Proofpoint | Proofpoint Threat Research Team
@online{team:20200826:threat:e6d1646, author = {Proofpoint Threat Research Team}, title = {{Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages}}, date = {2020-08-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages}, language = {English}, urldate = {2020-09-01} } Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages
AsyncRAT Nanocore RAT
2020-08-20 | Seebug Paper | Malayke
@online{malayke:20200820:use:77d3957, author = {Malayke}, title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}}, date = {2020-08-20}, organization = {Seebug Paper}, url = {https://paper.seebug.org/1301/}, language = {Chinese}, urldate = {2020-08-24} } Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2
2020-08 | TG Soft | TG Soft
@online{soft:202008:tg:88b671c, author = {TG Soft}, title = {{TG Soft Cyber - Threat Report}}, date = {2020-08}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469}, language = {Italian}, urldate = {2020-09-15} } TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB
2020-07-30 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-14 | SophosLabs Uncut | Markel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-07-13 | Github (1d8) | 1d8
@online{1d8:20200713:remcos:531702d, author = {1d8}, title = {{Remcos RAT Macro Dropper Doc}}, date = {2020-07-13}, organization = {Github (1d8)}, url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD}, language = {English}, urldate = {2020-07-16} } Remcos RAT Macro Dropper Doc
Remcos
2020-07-13 | FireEye | Andrew Thompson, Aaron Stephens
@online{thompson:20200713:scandalous:15d59a2, author = {Andrew Thompson and Aaron Stephens}, title = {{SCANdalous! (External Detection Using Network Scan Data and Automation)}}, date = {2020-07-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html}, language = {English}, urldate = {2020-07-15} } SCANdalous! (External Detection Using Network Scan Data and Automation)
POWERTON QUADAGENT PoshC2
2020-06-22 | MalwareLab.pl | Maciej Kotowicz
@online{kotowicz:20200622:venomrat:129ba02, author = {Maciej Kotowicz}, title = {{VenomRAT - new, hackforums grade, reincarnation of QuassarRAT}}, date = {2020-06-22}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/venom/}, language = {English}, urldate = {2020-06-25} } VenomRAT - new, hackforums grade, reincarnation of QuassarRAT
Quasar RAT Venom RAT
2020-06-18 | Microsoft | Microsoft Threat Protection Intelligence Team
@online{team:20200618:inside:4d53bcc, author = {Microsoft Threat Protection Intelligence Team}, title = {{Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint (APT33/HOLMIUM)}}, date = {2020-06-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/}, language = {English}, urldate = {2020-06-19} } Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint (APT33/HOLMIUM)
POWERTON
2020-06-17 | Nettitude Labs | Rob Bone
@online{bone:20200617:detecting:be87469, author = {Rob Bone}, title = {{Detecting PoshC2 – Indicators of Compromise}}, date = {2020-06-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/}, language = {English}, urldate = {2020-06-18} } Detecting PoshC2 – Indicators of Compromise
PoshC2
2020-06-15 | Amnesty International | Amnesty International
@online{international:20200615:india:2e4e60b, author = {Amnesty International}, title = {{India: Human Rights Defenders Targeted by a Coordinated Spyware Operation}}, date = {2020-06-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/}, language = {English}, urldate = {2020-06-16} } India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
NetWire RC
2020-06-11 | Talos Intelligence | Kendall McKay, Joe Marshall
@online{mckay:20200611:tor2mine:ee5dda6, author = {Kendall McKay and Joe Marshall}, title = {{Tor2Mine is up to their old tricks — and adds a few new ones}}, date = {2020-06-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html}, language = {English}, urldate = {2020-06-12} } Tor2Mine is up to their old tricks — and adds a few new ones
Azorult Remcos
2020-06-07 | Zero2Automated Blog | 0verfl0w_
@online{0verfl0w:20200607:dealing:b50665d, author = {0verfl0w_}, title = {{Dealing with Obfuscated Macros, Statically - NanoCore}}, date = {2020-06-07}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/}, language = {English}, urldate = {2020-06-11} } Dealing with Obfuscated Macros, Statically - NanoCore
Nanocore RAT
2020-05-29 | Zscaler | Sudeep Singh
@online{singh:20200529:shellreset:e80d2c8, author = {Sudeep Singh}, title = {{ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass}}, date = {2020-05-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass}, language = {English}, urldate = {2020-06-05} } ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass
Quasar RAT
2020-05-26 | CrowdStrike | Guillermo Taibo
@online{taibo:20200526:weaponized:0bca503, author = {Guillermo Taibo}, title = {{Weaponized Disk Image Files: Analysis, Trends and Remediation}}, date = {2020-05-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/}, language = {English}, urldate = {2020-06-05} } Weaponized Disk Image Files: Analysis, Trends and Remediation
Nanocore RAT
2020-05-21 | Malwarebytes | Malwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-05-14 | SophosLabs | Markel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-05-14 | Lab52 | Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-14 | 360 Total Security | kate
@online{kate:20200514:vendetta:06e3cde, author = {kate}, title = {{Vendetta - new threat actor from Europe}}, date = {2020-05-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/}, language = {English}, urldate = {2020-05-18} } Vendetta - new threat actor from Europe
Nanocore RAT Remcos
2020-05-06 | Yoroi | Luigi Martire, Davide Testa, Luca Mella
@online{martire:20200506:new:4e0c27b, author = {Luigi Martire and Davide Testa and Luca Mella}, title = {{New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain}}, date = {2020-05-06}, organization = {Yoroi}, url = {https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/}, language = {English}, urldate = {2021-06-16} } New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain
NetWire RC
2020-04-27 | 0x00sec | Dan Lisichkin
@online{lisichkin:20200427:master:1cfb192, author = {Dan Lisichkin}, title = {{Master of RATs - How to create your own Tracker}}, date = {2020-04-27}, organization = {0x00sec}, url = {https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848}, language = {English}, urldate = {2020-04-28} } Master of RATs - How to create your own Tracker
Quasar RAT
2020-04-15 | Zscaler | Sudeep Singh
@online{singh:20200415:multistage:c0330fa, author = {Sudeep Singh}, title = {{Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult}}, date = {2020-04-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat}, language = {English}, urldate = {2020-06-08} } Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult
Azorult Nanocore RAT
2020-04-04 | MalwareInDepth | Myrtus 0x0
@online{0x0:20200404:nanocore:6649008, author = {Myrtus 0x0}, title = {{Nanocore & CypherIT}}, date = {2020-04-04}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/defeating-nanocore-and-cypherit/}, language = {English}, urldate = {2020-04-07} } Nanocore & CypherIT
Nanocore RAT
2020-04-03 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} } GuLoader: Malspam Campaign Installing NetWire RAT
CloudEyE NetWire RC
2020-04-02 | Cisco Talos | Vanja Svajcer
@online{svajcer:20200402:azorult:97b15f2, author = {Vanja Svajcer}, title = {{AZORult brings friends to the party}}, date = {2020-04-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html}, language = {English}, urldate = {2020-04-07} } AZORult brings friends to the party
Azorult Remcos
2020-04-01 | Cisco | Shyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-20 | Bitdefender | Liviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-03-18 | Proofpoint | Axel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-03-05 | VinCSS | Dang Dinh Phuong
@online{phuong:20200305:re011:4496e8a, author = {Dang Dinh Phuong}, title = {{[RE011] Unpack crypter của malware Netwire bằng x64dbg}}, date = {2020-03-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html}, language = {Vietnamese}, urldate = {2020-03-11} } [RE011] Unpack crypter của malware Netwire bằng x64dbg
NetWire RC
2020-02-21 | ADEO DFIR | ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-13 | Talos | Nick Biasini, Edmund Brumaghin
@online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } Threat actors attempt to capitalize on coronavirus outbreak
Emotet Nanocore RAT Parallax RAT
2020-02-12 | Telsy | Telsy
@online{telsy:20200212:meeting:085d775, author = {Telsy}, title = {{Meeting POWERBAND: The APT33 .NET POWERTON Variant}}, date = {2020-02-12}, organization = {Telsy}, url = {https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/}, language = {English}, urldate = {2020-02-14} } Meeting POWERBAND: The APT33 .NET POWERTON Variant
POWERTON POWERBAND
2020-01-31 | ReversingLabs | Robert Simmons
@online{simmons:20200131:rats:d8a4021, author = {Robert Simmons}, title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}}, date = {2020-01-31}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/rats-in-the-library}, language = {English}, urldate = {2020-02-03} } RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site
CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT
2020-01-26 | Brown Farinholt, Mohammad Rezaeirad, Damon McCoy, Kirill Levchenko
@techreport{farinholt:20200126:dark:9c2f434, author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko}, title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}}, date = {2020-01-26}, institution = {}, url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf}, language = {English}, urldate = {2020-03-07} } Dark Matter: Uncovering the DarkComet RAT Ecosystem
DarkComet
2020-01-23 | Recorded Future | Insikt Group
@techreport{group:20200123:european:c3ca9e3, author = {Insikt Group}, title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}}, date = {2020-01-23}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf}, language = {English}, urldate = {2020-01-27} } European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019
pupy pupy pupy
2020-01-19 | 360 | kate
@online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2020-01-17 | JPCERT/CC | Takayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020-01-01 | Github (nettitude) | Nettitude
@online{nettitude:20200101:repository:640d828, author = {Nettitude}, title = {{Repository for Python Server for PoshC2}}, date = {2020-01-01}, organization = {Github (nettitude)}, url = {https://github.com/nettitude/PoshC2_Python/}, language = {English}, urldate = {2020-01-08} } Repository for Python Server for PoshC2
PoshC2
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2020 | Secureworks | SecureWorks
@online{secureworks:2020:copper:e356116, author = {SecureWorks}, title = {{COPPER FIELDSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone}, language = {English}, urldate = {2020-05-23} } COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major
2020 | Secureworks | SecureWorks
@online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2019-12-12 | Trend Micro | Feike Hacquebord, Cedric Pernet, Kenney Lu
@online{hacquebord:20191212:more:a1e84b7, author = {Feike Hacquebord and Cedric Pernet and Kenney Lu}, title = {{More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting}}, date = {2019-12-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/}, language = {English}, urldate = {2020-01-13} } More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
APT33
2019-12-05 | Github (jeFF0Falltrades) | Jeff Archer
@online{archer:20191205:poshc2:3066e19, author = {Jeff Archer}, title = {{PoshC2 (specifically as used by APT33)}}, date = {2019-12-05}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md}, language = {English}, urldate = {2020-01-06} } PoshC2 (specifically as used by APT33)
PoshC2
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-18 | Rewterz Information Security | Rewterz Information Security
@online{security:20191118:rewterz:29686ba, author = {Rewterz Information Security}, title = {{REWTERZ THREAT ALERT – IRANIAN APT USES JOB SCAMS TO LURE TARGETS}}, date = {2019-11-18}, organization = {Rewterz Information Security}, url = {http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets}, language = {English}, urldate = {2019-12-17} } REWTERZ THREAT ALERT – IRANIAN APT USES JOB SCAMS TO LURE TARGETS
PoshC2
2019-10-21 | Fortinet | Xiaopeng Zhang, Chris Navarrete
@online{zhang:20191021:new:b72bcde, author = {Xiaopeng Zhang and Chris Navarrete}, title = {{New Variant of Remcos RAT Observed In the Wild}}, date = {2019-10-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html}, language = {English}, urldate = {2019-11-21} } New Variant of Remcos RAT Observed In the Wild
Remcos
2019-09-26 | Proofpoint | Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-09-19 | NSHC | ThreatRecon Team
@online{team:20190919:hagga:066e932, author = {ThreatRecon Team}, title = {{Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore}}, date = {2019-09-19}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/}, language = {English}, urldate = {2020-01-08} } Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore
Nanocore RAT Revenge RAT
2019-09-12 | Avast | Adolf Středa, Luigino Camastra
@online{steda:20190912:tangle:204c26f, author = {Adolf Středa and Luigino Camastra}, title = {{The tangle of WiryJMPer’s obfuscation}}, date = {2019-09-12}, organization = {Avast}, url = {https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/}, language = {English}, urldate = {2020-01-13} } The tangle of WiryJMPer’s obfuscation
NetWire RC
2019-09-07Dissecting MalwareMarius Genheimer
@online{genheimer:20190907:malicious:37195ec, author = {Marius Genheimer}, title = {{Malicious RATatouille}}, date = {2019-09-07}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/malicious-ratatouille.html}, language = {English}, urldate = {2020-03-27} } Malicious RATatouille
Remcos
2019-08-25Github (threatland)ThreatLand
@online{threatland:20190825:nanocor:0ef5e7c, author = {ThreatLand}, title = {{Nanocor Sample}}, date = {2019-08-25}, organization = {Github (threatland)}, url = {https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore}, language = {English}, urldate = {2020-01-13} } Nanocor Sample
Nanocore RAT
2019-08-22Youtube (OALabs)Sergei Frankoff
@online{frankoff:20190822:remcos:b86c5bd, author = {Sergei Frankoff}, title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}}, date = {2019-08-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=DIH4SvKuktM}, language = {English}, urldate = {2020-01-10} } Remcos RAT Unpacked From VB6 With x64dbg Debugger
Remcos
2019-08-22Github (n1nj4sec)n1nj4sec
@online{n1nj4sec:20190822:pupy:a822ccd, author = {n1nj4sec}, title = {{Pupy RAT}}, date = {2019-08-22}, organization = {Github (n1nj4sec)}, url = {https://github.com/n1nj4sec/pupy}, language = {English}, urldate = {2020-01-07} } Pupy RAT
pupy pupy pupy
2019-08-15Trend MicroAliakbar Zahravi
@online{zahravi:20190815:analysis:fadf6bc, author = {Aliakbar Zahravi}, title = {{Analysis: New Remcos RAT Arrives Via Phishing Email}}, date = {2019-08-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html}, language = {English}, urldate = {2021-08-25} } Analysis: New Remcos RAT Arrives Via Phishing Email
Remcos
2019-07-22One Night in NorfolkKevin Perlow
@online{perlow:20190722:apt33:3258e71, author = {Kevin Perlow}, title = {{APT33 PowerShell Malware}}, date = {2019-07-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/apt33-powershell-malware/}, language = {English}, urldate = {2020-05-19} } APT33 PowerShell Malware
POWERTON
2019-06-24SymantecBenjamin Moench
@online{moench:20190624:backdoorpowerton:0fef32a, author = {Benjamin Moench}, title = {{Backdoor.Powerton}}, date = {2019-06-24}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2019-062513-4935-99}, language = {English}, urldate = {2020-01-12} } Backdoor.Powerton
POWERTON
2019-06-19Check PointKobi Eisenkraft, Moshe Hayun
@online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany
Remcos
2019-05-24FortinetBen Hunter
@online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-}, language = {English}, urldate = {2020-11-04} } Uncovering new Activity by APT10
PlugX Quasar RAT
2019-05-20Twitter (@struppigel)Karsten Hahn
@online{hahn:20190520:yggdrasil:5a23fde, author = {Karsten Hahn}, title = {{Tweet on Yggdrasil / CinaRAT}}, date = {2019-05-20}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1130455143504318466}, language = {English}, urldate = {2020-01-13} } Tweet on Yggdrasil / CinaRAT
Quasar RAT
2019-05-08VMRayFrancis Montesino
@online{montesino:20190508:get:ed8ceb4, author = {Francis Montesino}, title = {{Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0}}, date = {2019-05-08}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/smart-memory-dumping/}, language = {English}, urldate = {2020-01-13} } Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0
Remcos
2019-05-08Dr.WebDr.Web
@online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } A new threat for macOS spreads as WhatsApp
NetWire RC
2019-05-05GoggleHeadedHacker BlogJacob Pimental
@online{pimental:20190505:unpacking:3b96fc8, author = {Jacob Pimental}, title = {{Unpacking NanoCore Sample Using AutoIT}}, date = {2019-05-05}, organization = {GoggleHeadedHacker Blog}, url = {https://goggleheadedhacker.com/blog/post/11}, language = {English}, urldate = {2019-12-18} } Unpacking NanoCore Sample Using AutoIT
Nanocore RAT
2019-04-16FireEyeJohn Hultquist, Ben Read, Oleg Bondarenko, Chi-en Shen
@online{hultquist:20190416:spear:a0125cb, author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen}, title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}}, date = {2019-04-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html}, language = {English}, urldate = {2019-12-20} } Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic
Quasar RAT Vermin
2019-04-01Macnica NetworksMacnica Networks
@techreport{networks:20190401:trends:cf738dc, author = {Macnica Networks}, title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}}, date = {2019-04-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in Cyber Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-03-27SymantecSecurity Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-01-30Samip Pokharel
@online{pokharel:20190130:analysis:df83b7e, author = {Samip Pokharel}, title = {{Analysis of NetWiredRC trojan}}, date = {2019-01-30}, url = {https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/}, language = {English}, urldate = {2020-01-13} } Analysis of NetWiredRC trojan
NetWire RC
2019DragosDragos
@online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } Adversary Reports
ALLANITE APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:33:a0eb560, author = {Cyber Operations Tracker}, title = {{APT 33}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/apt-33}, language = {English}, urldate = {2019-12-20} } APT 33
APT33
2018-12-21FireEyeGeoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr
@online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy
2018-12-19McAfeeThomas Roccia, Jessica Saavedra-Morales, Christiaan Beek
@online{roccia:20181219:shamoon:8ffbc81, author = {Thomas Roccia and Jessica Saavedra-Morales and Christiaan Beek}, title = {{Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems}}, date = {2018-12-19}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems}, language = {English}, urldate = {2020-02-01} } Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems
Filerase
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-08-22Cisco TalosEdmund Brumaghin, Holger Unterbrink, Eric Kuhla, Lilia Gonzalez Medina
@online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } Picking Apart Remcos Botnet-In-A-Box
Remcos
2018-08-02Palo Alto Networks Unit 42Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-07-17ESET ResearchKaspars Osis
@online{osis:20180717:deep:56fcfcf, author = {Kaspars Osis}, title = {{A deep dive down the Vermin RAThole}}, date = {2018-07-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/}, language = {English}, urldate = {2019-11-14} } A deep dive down the Vermin RAThole
Quasar RAT Sobaken Vermin
2018-06-18Megabeets
@online{megabeets:20180618:decrypting:42e2d5f, author = {Megabeets}, title = {{Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2}}, date = {2018-06-18}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/}, language = {English}, urldate = {2019-10-14} } Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2
DROPSHOT
2018-06-07VolexityMatthew Meltzer, Sean Koessel, Steven Adair
@online{meltzer:20180607:patchwork:5b8d3c8, author = {Matthew Meltzer and Sean Koessel and Steven Adair}, title = {{Patchwork APT Group Targets US Think Tanks}}, date = {2018-06-07}, organization = {Volexity}, url = {https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/}, language = {English}, urldate = {2020-01-08} } Patchwork APT Group Targets US Think Tanks
Quasar RAT Unidentified 047 QUILTED TIGER
2018-05-21MegaBeetsItay Cohen
@online{cohen:20180521:decrypting:37d595c, author = {Itay Cohen}, title = {{Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1}}, date = {2018-05-21}, organization = {MegaBeets}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/}, language = {English}, urldate = {2019-07-10} } Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1
DROPSHOT
2018-04-18MITREMITRE ATT&CK
@online{attck:20180418:apt33:c810337, author = {MITRE ATT&CK}, title = {{APT33}}, date = {2018-04-18}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0064/}, language = {English}, urldate = {2022-07-13} } APT33
APT33
2018-04-11CyberbitHod Gavriel, Boris Erbesfeld
@online{gavriel:20180411:new:9ed9a94, author = {Hod Gavriel and Boris Erbesfeld}, title = {{New ‘Early Bird’ Code Injection Technique Discovered}}, date = {2018-04-11}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/}, language = {English}, urldate = {2020-08-21} } New ‘Early Bird’ Code Injection Technique Discovered
TURNEDUP
2018-03-30360 Threat IntelligenceQi Anxin Threat Intelligence Center
@online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China
Quasar RAT
2018-03-02KrabsOnSecurityMr. Krabs
@online{krabs:20180302:analysing:7b1f12f, author = {Mr. Krabs}, title = {{Analysing Remcos RAT’s executable}}, date = {2018-03-02}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/}, language = {English}, urldate = {2019-07-31} } Analysing Remcos RAT’s executable
Remcos
2018-03-01DragosDragos
@techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } INDUSTRIAL CONTROL SYSTEM THREATS
APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm
2018-03-01My Online SecurityMy Online Security
@online{security:20180301:fake:7f835ef, author = {My Online Security}, title = {{Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments}}, date = {2018-03-01}, organization = {My Online Security}, url = {https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/}, language = {English}, urldate = {2020-01-13} } Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments
Remcos
2018-02-26Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20180226:nanocore:4659d30, author = {Catalin Cimpanu}, title = {{Nanocore RAT Author Gets 33 Months in Prison}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/}, language = {English}, urldate = {2019-12-20} } Nanocore RAT Author Gets 33 Months in Prison
Nanocore RAT
2018-01-23RiskIQYonathan Klijnsma
@online{klijnsma:20180123:espionage:f3d28b0, author = {Yonathan Klijnsma}, title = {{Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors}}, date = {2018-01-23}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/}, language = {English}, urldate = {2019-12-24} } Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors
Remcos
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-12-22Malware Traffic AnalysisBrad Duncan
@online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT
Remcos
2017-12-11Trend MicroDaniel Lunghi, Jaromír Hořejší, Cedric Pernet
@online{lunghi:20171211:untangling:5f00f99, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Cyberespionage Group}}, date = {2017-12-11}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite}, language = {English}, urldate = {2019-10-21} } Untangling the Patchwork Cyberespionage Group
Quasar RAT
2017-12-06CiscoHolger Unterbrink, Christopher Marczewski
@online{unterbrink:20171206:recam:2790363, author = {Holger Unterbrink and Christopher Marczewski}, title = {{Recam Redux - DeConfusing ConfuserEx}}, date = {2017-12-06}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html}, language = {English}, urldate = {2019-12-06} } Recam Redux - DeConfusing ConfuserEx
NetWire RC
2017-09-21FireEyeStuart Davis, Nick Carr
@online{davis:20170921:apt33:52822d2, author = {Stuart Davis and Nick Carr}, title = {{APT33: New Insights into Iranian Cyber Espionage Group}}, date = {2017-09-21}, organization = {FireEye}, url = {https://www.brighttalk.com/webcast/10703/275683}, language = {English}, urldate = {2019-12-20} } APT33: New Insights into Iranian Cyber Espionage Group
APT33
2017-09-20FireEyeJacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser
@online{oleary:20170920:insights:27e8253, author = {Jacqueline O’Leary and Josiah Kimble and Kelli Vanderlee and Nalani Fraser}, title = {{Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware}}, date = {2017-09-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html}, language = {English}, urldate = {2019-12-20} } Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
DROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33
2017-07-01Secrary Bloglasha
@online{lasha:20170701:remcos:984d85c, author = {lasha}, title = {{Remcos RAT}}, date = {2017-07-01}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/RemcosRAT/}, language = {English}, urldate = {2020-01-09} } Remcos RAT
Remcos
2017-04PricewaterhouseCoopersPricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2017-02-16SecurityAffairsPierluigi Paganini
@online{paganini:20170216:iranian:917f46c, author = {Pierluigi Paganini}, title = {{Iranian hackers behind the Magic Hound campaign linked to Shamoon}}, date = {2017-02-16}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html}, language = {English}, urldate = {2022-07-29} } Iranian hackers behind the Magic Hound campaign linked to Shamoon
pupy APT35
2017-02-15Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20170215:magic:e0b1b72, author = {Bryan Lee and Robert Falcone}, title = {{Magic Hound Campaign Attacks Saudi Targets}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/}, language = {English}, urldate = {2019-09-22} } Magic Hound Campaign Attacks Saudi Targets
Leash MPKBot pupy Rocket Kitten
2017-02-15SecureworksSecureWorks' Counter Threat Unit Research Team
@online{team:20170215:iranian:004ec5a, author = {SecureWorks' Counter Threat Unit Research Team}, title = {{Iranian PupyRAT Bites Middle Eastern Organizations}}, date = {2017-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations}, language = {English}, urldate = {2019-10-23} } Iranian PupyRAT Bites Middle Eastern Organizations
pupy Cleaver
2017-02-14FortinetFloser Bacurio, Joie Salvio
@online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } REMCOS: A New RAT In The Wild
Remcos
2017-02-10JPCERT/CCShusei Tomonaga
@online{tomonaga:20170210:malware:4f2c9aa, author = {Shusei Tomonaga}, title = {{Malware that infects using PowerSploit}}, date = {2017-02-10}, organization = {JPCERT/CC}, url = {https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/}, language = {Japanese}, urldate = {2020-01-08} } Malware that infects using PowerSploit
pupy
2017-01-30Palo Alto Networks Unit 42Mashav Sapir, Tomer Bar, Netanel Rimer, Taras Malivanchuk, Yaron Samuel, Simon Conant
@online{sapir:20170130:downeks:8ed6329, author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant}, title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}}, date = {2017-01-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments}, language = {English}, urldate = {2019-12-20} } Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments
Quasar RAT
2016-11-28SecureworksIncident Response Team
@online{team:20161128:netwire:b81c423, author = {Incident Response Team}, title = {{NetWire RAT Steals Payment Card Data}}, date = {2016-11-28}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data}, language = {English}, urldate = {2019-12-18} } NetWire RAT Steals Payment Card Data
NetWire RC
2016-10-20Twitter (@malwrhunterteam)MalwareHunterTeam
@online{malwarehunterteam:20161020:quasar:f530cea, author = {MalwareHunterTeam}, title = {{Tweet on Quasar RAT}}, date = {2016-10-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/789153556255342596}, language = {English}, urldate = {2019-07-11} } Tweet on Quasar RAT
Quasar RAT
2016-06-03FireEyeYin Hong Chang, Sudeep Singh
@online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } APT Group Sends Spear Phishing Emails to Indian Government Officials
BreachRAT DarkComet Operation C-Major
2014-11-26CIRCLCIRCL
@online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } TR-23 Analysis - NetWiredRC malware
NetWire RC
2014-08-04Palo Alto Networks Unit 42Phil Da Silva, Rob Downs, Ryan Olson
@online{silva:20140804:new:826d436, author = {Phil Da Silva and Rob Downs and Ryan Olson}, title = {{New Release: Decrypting NetWire C2 Traffic}}, date = {2014-08-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/}, language = {English}, urldate = {2019-12-20} } New Release: Decrypting NetWire C2 Traffic
NetWire RC
2012-10-05MalwarebytesAdam Kujawa
@online{kujawa:20121005:dark:192d4aa, author = {Adam Kujawa}, title = {{Dark Comet 2: Electric Boogaloo}}, date = {2012-10-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/}, language = {English}, urldate = {2019-12-20} } Dark Comet 2: Electric Boogaloo
DarkComet
2012-06-21Contagio DumpMila Parkour
@online{parkour:20120621:rat:2186087, author = {Mila Parkour}, title = {{RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army}}, date = {2012-06-21}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html}, language = {English}, urldate = {2019-12-20} } RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army
BlackShades DarkComet Terminator RAT
2012-06-09MalwarebytesAdam Kujawa
@online{kujawa:20120609:you:c8d15e0, author = {Adam Kujawa}, title = {{You dirty RAT! Part 1: DarkComet}}, date = {2012-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/}, language = {English}, urldate = {2019-12-20} } You dirty RAT! Part 1: DarkComet
DarkComet

Credits: MISP Project