APT41 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

APT41 (Back to overview)

APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

Associated Families

elf.messagetap win.crackshot win.easynight win.highnoon win.highnoon_bin win.jumpall win.poisonplug win.zxshell win.coldlock win.skip20 win.acehash win.blackcoffee win.gearshift win.lowkey win.crosswalk win.shadowpad win.derusbi win.biopass win.chinachopper win.plugx win.cobalt_strike

References

2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse
NTLM Relaying via Cobalt Strike
Cobalt Strike

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Alex Hinchliffe
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX

2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike

2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX

2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor

2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID

2021-07-14 ⋅ MDSec ⋅ Chris Basnett
Investigating a Suspicious Service
Cobalt Strike

2021-07-14 ⋅ Kaspersky ⋅ Mark Lechtik, Paul Rascagnères, Aseel Kayal
LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike

2021-07-14 ⋅ Google ⋅ Maddie Stone, Clement Lecigne, Google Threat Analysis Group
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike

2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP

2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor

2021-07-08 ⋅ Recorded Future ⋅ Insikt Group®
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti

2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team
Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader

2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
win.BIOPASS Cobalt Strike Derusbi

2021-07-07 ⋅ McAfee ⋅ McAfee Labs
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk

2021-07-07 ⋅ Trustwave ⋅ Rodel Mendrez, Nikita Kazymirskyi
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil

2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike

2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio
Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike

2021-07-02 ⋅ MalwareBookReports ⋅ muzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex

2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu
Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike

2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
Backdoored Client from Mongolian CA MonPass
Cobalt Strike

2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil

2021-06-29 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford
Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike

2021-06-29 ⋅ Accenture ⋅ Accenture Security
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz

2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor

2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike

2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex

2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID

2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike

2021-06-17 ⋅ Binary Defense ⋅ Brandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor

2021-06-16 ⋅ FireEye ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike FiveHands

2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy

2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades

2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker

2021-06-10 ⋅ ESET Research ⋅ Adam Burgher
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks BackdoorDiplomacy

2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev
Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike

2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7
Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike

2021-06-04 ⋅ Inky ⋅ Roger Kay
Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike

2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein
Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879
Cobalt Strike

2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex
Tweet on new variant of PlugX from RedDelta Group
PlugX

2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex)
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX

2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock

2021-06-02 ⋅ Sophos ⋅ Sean Gallagher
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter

2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike

2021-06-01 ⋅ SANS ⋅ Kevin Haley, Jake Williams
A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP

2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike

2021-06-01 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
New sophisticated email-based attack from NOBELIUM
Cobalt Strike

2021-05-28 ⋅ CISA ⋅ US-CERT
Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike

2021-05-28 ⋅ CISA ⋅ US-CERT
Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike

2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex)
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX

2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-25 ⋅ Huntress Labs ⋅ Matthew Brennan
Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike

2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike

2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike

2021-05-19 ⋅ Intel 471 ⋅ Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz

2021-05-17 ⋅ Talos ⋅ Brad Garnett
Case Study: Incident Response is a relationship-driven business
Cobalt Strike

2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex)
Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX

2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti

2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide

2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt
From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader

2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike

2021-05-12 ⋅ The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-11 ⋅ FireEye ⋅ Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide

2021-05-10 ⋅ ZERO.BS ⋅ ZEROBS
Cobaltstrike-Beacons analyzed
Cobalt Strike

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike

2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike

2021-05-07 ⋅ Medium svch0st ⋅ svch0st
Stats from Hunting Cobalt Strike Beacons
Cobalt Strike

2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike

2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
CHINACHOPPER

2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker

2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos
Intervention halts a ProxyLogon-enabled attack
Cobalt Strike

2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike

2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot

2021-05 ⋅ AWAKE ⋅ Kieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike

2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul)
Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike

2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut
Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike

2021-04-24 ⋅ Non-offensive security ⋅ Non-offensive security team
Detect Cobalt Strike server through DNS protocol
Cobalt Strike

2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer

2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer

2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC

2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike

2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID

2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens
Decoding Cobalt Strike Traffic
Cobalt Strike

2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana
Could the Microsoft Exchange breach be stopped?
CHINACHOPPER

2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
CHINACHOPPER

2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike

2021-04-09 ⋅ F-Secure ⋅ Riccardo Ancarani, Giulio Ginesi
Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike

2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike

2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot

2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor

2021-04-01 ⋅ DomainTools ⋅ Joe Slowik
COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-30 ⋅ GuidePoint Security ⋅ Drew Schmitt
Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike

2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil

2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho

2021-03-26 ⋅ Imperva ⋅ Daniel Johnston
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
CHINACHOPPER

2021-03-25 ⋅ Microsoft ⋅ Tom McElroy
Web Shell Threat Hunting with Azure Sentinel
CHINACHOPPER

2021-03-25 ⋅ Recorded Future ⋅ Insikt Group®
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX

2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Analyzing attacks taking advantage of the Exchange Server vulnerabilities
CHINACHOPPER

2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens
Finding Metasploit & Cobalt Strike URLs
Cobalt Strike

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz

2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross
Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike

2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic

2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy

2021-03-16 ⋅ McAfee ⋅ McAfee ATR
Technical Analysis of Operation Diànxùn
Cobalt Strike

2021-03-16 ⋅ Elastic ⋅ Joe Desimone
Detecting Cobalt Strike with memory signatures
Cobalt Strike

2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon
HAFNIUM, China Chopper and ASP.NET Runtime
CHINACHOPPER

2021-03-11 ⋅ DEVO ⋅ Fran Gomez
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz

2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Microsoft Exchange Server Attack Timeline
CHINACHOPPER

2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat

2021-03-11 ⋅ Qurium ⋅ Qurium
Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike

2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers
CHINACHOPPER

2021-03-10 ⋅ DomainTools ⋅ Joe Slowik
Examining Exchange Exploitation and its Lessons for Defenders
CHINACHOPPER

2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti

2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon
Microsoft Exchange & the HAFNIUM Threat Actor
CHINACHOPPER

2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike

2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber
Reproducing the Microsoft Exchange Proxylogon Exploit Chain
CHINACHOPPER

2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Remediation Steps for the Microsoft Exchange Server Vulnerabilities
CHINACHOPPER

2021-03-09 ⋅ splunk ⋅ Security Research Team
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike

2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
CHINACHOPPER

2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
CHINACHOPPER

2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike

2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Katie Nickels, Adam Pennington, Jen Burns
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP

2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team
How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz

2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
CHINACHOPPER

2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens
PCAPs and Beacons
Cobalt Strike

2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
CHINACHOPPER

2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs
Operation Exchange Marauder
CHINACHOPPER

2021-03-05 ⋅ Wired ⋅ Andy Greenberg
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
CHINACHOPPER

2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits
CHINACHOPPER HAFNIUM

2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
CHINACHOPPER HAFNIUM

2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs
Operation Exchange Marauder
CHINACHOPPER

2021-03-03 ⋅ Huntress Labs ⋅ John Hammond
Rapid Response: Mass Exploitation of On-Prem Exchange Servers
CHINACHOPPER HAFNIUM

2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs
Mass exploitation of on-prem Exchange servers :(
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
Tweet on Exchange RCE
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security
HAFNIUM targeting Exchange Servers with 0-day exploits
CHINACHOPPER HAFNIUM

2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike

2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
Investigation into the state of Nim malware
BazarNimrod Cobalt Strike

2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown

2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor

2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge
Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike

2021-02-09 ⋅ Securehat ⋅ Securehat
Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP

2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC

2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp
How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on recent dridex post infection activity
Cobalt Strike Dridex

2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis
Relay Attacks via Cobalt Strike Beacons
Cobalt Strike

2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil

2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk

2021-01-29 ⋅ Trend Micro ⋅ Trend Micro
Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz

2021-01-28 ⋅ TrustedSec ⋅ Adam Chester
Tailoring Cobalt Strike on Target
Cobalt Strike

2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team
BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil

2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz

2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque
XDR investigation uncovers PlugX, unique technique in APT attack
PlugX

2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP

2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team
Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP

2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti

2021-01-15 ⋅ The Hacker News ⋅ Ravie Lakshmaman
Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks
CROSSWALK

2021-01-15 ⋅ Swisscom ⋅ Markus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT

2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike

2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad

2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist
UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP

2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen
Abusing cloud services to fly under the radar
Cobalt Strike

2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Still Alive and Well
Cobalt Strike TrickBot

2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna
New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP

2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike

2021-01-07 ⋅ Recorded Future ⋅ Insikt Group®
Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2

2021-01-06 ⋅ Red Canary ⋅ Tony Lambert
Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2

2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike

2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag
Malleable C2 Profiles and You
Cobalt Strike

2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu
China's APT hackers move to ransomware attacks
Clambling PlugX

2021 ⋅ Talos ⋅ Talos Incident Response
Evicting Maze
Cobalt Strike Maze

2021 ⋅ Talos ⋅ Talos Incident Response
Cobalt Strikes Out
Cobalt Strike

2021 ⋅ SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL

2020-12-26 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Analyzing APT19 malware using a step-by-step method
Derusbi

2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck
Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike

2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti

2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk

2020-12-21 ⋅ Fortinet ⋅ Udi Yavo
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP

2020-12-20 ⋅ Randhome ⋅ Etienne Maynier
Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike

2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team
solarwinds-threathunt
Cobalt Strike SUNBURST

2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST

2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST

2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker

2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike

2020-12-10 ⋅ Intel 471 ⋅ Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT

2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger

2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil

2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger

2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot

2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge
A Red Teamer Plays with JARM
Cobalt Strike

2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot

2020-12-01 ⋅ 360.cn ⋅ jindanlong
Hunting Beacons
Cobalt Strike

2020-12-01 ⋅ mez0.cc ⋅ mez0
Cobalt Strike PowerShell Execution
Cobalt Strike

2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz

2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack

2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot

2020-11-25 ⋅ SentinelOne ⋅ Jim Walter
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor

2020-11-23 ⋅ Youtube (OWASP DevSlop) ⋅ Negar Shabab, Noushin Shabab
Compromised Compilers - A new perspective of supply chain cyber attacks
ShadowPad

2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX RedDelta

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX

2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike

2020-11-20 ⋅ 360 netlab ⋅ JiaYu
Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike

2020-11-17 ⋅ cyble ⋅ Cyble
OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter

2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot

2020-11-15 ⋅ Trustnet ⋅ Michael Wainshtain
From virus alert to PowerShell Encrypted Loader
Cobalt Strike

2020-11-13 ⋅ Youtube (The Standoff) ⋅ Alexey Zakharov, Positive Technologies
FF_202_Eng - From old Higaisa samples to new Winnti backdoors: The story of one research
CROSSWALK Unidentified 076 (Higaisa LNK to Shellcode)

2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader

2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32

2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge
Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike

2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX

2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk

2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk

2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader

2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos
A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX

2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk

2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot

2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT
List of CobaltStrike C2's used by RYUK
Cobalt Strike

2020-10-29 ⋅ RiskIQ ⋅ RiskIQ
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk

2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878

2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon
MTR Casebook: An active adversary caught in the act
Cobalt Strike

2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad

2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk

2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike

2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC

2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk

2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel
Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter

2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
There is no safe place
Cobalt Strike

2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk

2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-10-01 ⋅ Wired ⋅ Andy Greenberg
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter

2020-10-01 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy

2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller
Getting the Bacon from the Beacon
Cobalt Strike

2020-09-29 ⋅ Github (Apr4h) ⋅ Apra
CobaltStrikeScan
Cobalt Strike

2020-09-24 ⋅ US-CERT ⋅ US-CERT
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter

2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, JON MUNSHAW
The art and science of detecting Cobalt Strike
Cobalt Strike

2020-09-18 ⋅ Trend Micro ⋅ Trend Micro
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock

2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti

2020-09-15 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities
CHINACHOPPER Fox Kitten

2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®
Back Despite Disruption: RedDelta Resumes Operations
PlugX

2020-09-15 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-259A): Iranian Web Shells
CHINACHOPPER

2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33

2020-09-10 ⋅ Kaspersky Labs ⋅ GReAT
An overview of targeted attacks and APTs on Linux
Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent

2020-09-08 ⋅ PTSecurity ⋅ PTSecurity
ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash

2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike

2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk

2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz

2020-08-20 ⋅ Seebug Paper ⋅ Malayke
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2

2020-08-19 ⋅ TEAMT5 ⋅ TeamT5
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike Waterbear

2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader

2020-08-06 ⋅ Wired ⋅ Andy Greenberg
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key

2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key

2020-07-29 ⋅ Recorded Future ⋅ Insikt Group
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-28 ⋅ NTT ⋅ NTT Security
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX

2020-07-26 ⋅ Shells.System blog ⋅ Askar
In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike

2020-07-22 ⋅ On the Hunt ⋅ Newton Paul
Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike

2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot

2020-07-20 ⋅ Dr.Web ⋅ Dr.Web
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird

2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell

2020-07-20 ⋅ or10nlabs ⋅ oR10n
Reverse Engineering the New Mustang Panda PlugX Downloader
PlugX

2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu
Chinese state hackers target Hong Kong Catholic Church
PlugX

2020-07-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake

2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo
Cobalt Strike stagers used by FIN6
Cobalt Strike

2020-07-05 ⋅ or10nlabs ⋅ oR10n
Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
PlugX

2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker

2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil

2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot

2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop

2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil
Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike

2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge
Beacon Object Files - Luser Demo
Cobalt Strike

2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader

2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike

2020-06-16 ⋅ Intezer ⋅ Aviygayil Mechtinger
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti

2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike

2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal
CobaltStrikeParser
Cobalt Strike

2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing

2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX

2020-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC)
Breaking down NOBELIUM’s latest early-stage toolset
Cobalt Strike

2020-05-24 ⋅ or10nlabs ⋅ oR10n
Reverse Engineering the Mustang Panda PlugX Loader
PlugX

2020-05-21 ⋅ ESET Research ⋅ Mathieu Tartare, Martin Smolár
No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz

2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX

2020-05-14 ⋅ Lab52 ⋅ Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike

2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX

2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report
Ursnif via LOLbins
Cobalt Strike LOLSnif TeamSpy

2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Operation Skeleton Key

2020-04-13 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone, Jen Miller-Osborn
APT41 Using New Speculoos Backdoor to Target Organizations Globally
Speculoos APT41

2020-04-07 ⋅ Blackberry ⋅ Blackberry Research
Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android
Penquin Turla XOR DDoS ZXShell

2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer
Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike

2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke

2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike

2020-03-25 ⋅ Wilbur Security ⋅ JW
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot

2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch
Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike

2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)
Cobalt Strike

2020-03-19 ⋅ VinCSS ⋅ m4n0w4r
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge
Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy

2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT

2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Eamonn Ryan, Darren Fitzpatrick
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex

2020-02-19 ⋅ FireEye ⋅ FireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz

2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT

2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-31 ⋅ ESET Research ⋅ Mathieu Tartare
Winnti Group targeting universities in Hong Kong
ShadowPad Winnti

2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard
New wave of PlugX targets Hong Kong
PlugX

2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader

2020-01-13 ⋅ Lab52 ⋅ Jagaimo Kawaii
APT27 ZxShell RootKit module updates
ZXShell

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7

2020 ⋅ Secureworks ⋅ SecureWorks
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32

2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE WOODLAND
PlugX Zeus Roaming Tiger

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD DUPONT
Cobalt Strike Defray PyXie GOLD DUPONT

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE OLIVE
ANGRYREBEL PlugX APT 22

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan

2020-01 ⋅ Dragos ⋅ Joe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX

2019-12-29 ⋅ Secureworks ⋅ CTU Research Team
BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT

2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird
APT32 Report
Cobalt Strike

2019-12-05 ⋅ Raphael Mudge
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike

2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen
Cyber Threat Intelligence & Incident Response
Cobalt Strike

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler
Fresh PlugX October 2019
PlugX

2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX

2019-11-05 ⋅ tccontre Blog ⋅ tccontre
CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike

2019-10-31 ⋅ FireEye ⋅ Raymond Leong, Dan Perez, Tyler Dean
MESSAGETAP: Who’s Reading Your Text Messages?
MESSAGETAP

2019-10-31 ⋅ PTSecurity ⋅ PTSecurity
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX

2019-10-21 ⋅ ESET Research ⋅ Mathieu Tartare
Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
LOWKEY skip-2.0

2019-10-15 ⋅ FireEye ⋅ Tobias Krueger
LOWKEY: Hunting for the Missing Volume Serial ID
LOWKEY poisonplug

2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad

2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX

2019-09-30 ⋅ vmware ⋅ Scott Knight
CB Threat Analysis Unit: Technical Analysis of “Crosswalk”
CROSSWALK

2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike

2019-09-19 ⋅ MeltX0R
Emissary Panda APT: Recent infrastructure and RAT analysis
ZXShell

2019-09-04 ⋅ FireEye ⋅ FireEye
APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti

2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer
China Chopper still active 9 years later
CHINACHOPPER

2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON

2019-08-09 ⋅ FireEye ⋅ FireEye
Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti

2019-08-08 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez
Tweet on Winnti and HIGHNOON
HIGHNOON

2019-08-07 ⋅ FireEye ⋅ Nalani Fraser, Fred Plan, Jacqueline O’Leary, Vincent Cannon, Raymond Leong, Dan Perez, Chi-en Shen
APT41: A Dual Espionage and Cyber Crime Operation
APT41

2019-07-24 ⋅ Intrusiontruth ⋅ Intrusiontruth
APT17 is run by the Jinan bureau of the Chinese Ministry of State Security
BLACKCOFFEE

2019-06-04 ⋅ Bitdefender ⋅ Bitdefender
An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike

2019-06-03 ⋅ FireEye ⋅ Chi-en Shen
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust

2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster
Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER HyperSSL

2019-05-24 ⋅ Fortinet ⋅ Ben Hunter
Uncovering new Activity by APT10
PlugX Quasar RAT

2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc.
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam

2019-04-24 ⋅ Weixin ⋅ Tencent
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE

2019-04-23 ⋅ Kaspersky Labs ⋅ GReAT, AMR
Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad

2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines
Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike

2019-04 ⋅ Macnica Networks ⋅ Macnica Networks
OceanLotus Attack on Southeast Asian Automotive Industry
CACTUSTORCH Cobalt Strike

2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy

2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow
JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown

2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team
SectorM04 Targeting Singapore – An Analysis
PlugX Termite

2019-02-27 ⋅ Secureworks ⋅ CTU Research Team
A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell

2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman
New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike

2019-02-26 ⋅ Fox-IT ⋅ Fox IT
Identifying Cobalt Strike team servers in the wild
Cobalt Strike

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Tool description: China Chopper
CHINACHOPPER

2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Tool description: BLACKCOFFEE
BLACKCOFFEE

2018-12-24 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez
Tweet on hashes for CROSSWALK
CROSSWALK

2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves

2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike

2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe
CozyBear – In from the Cold?
Cobalt Strike APT 29

2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm

2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot

2018-10 ⋅ Group-IB ⋅ Group-IB
Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter

2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida
Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike

2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC
Scanner for CobaltStrike
Cobalt Strike

2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa
Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike

2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
Malware Analysis - PlugX - Part 2
PlugX

2018-03-16 ⋅ FireEye ⋅ FireEye
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan

2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
Time of death? A therapeutic postmortem of connected medicine
PlugX

2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
MALWARE ANALYSIS – PLUGX
PlugX

2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER

2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
Relationship between PlugX and attacker group "DragonOK"
PlugX

2017-08-15 ⋅ Kaspersky Labs ⋅ GReAT
ShadowPad in corporate networks
ShadowPad

2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
Paranoid PlugX
PlugX

2017-06-06 ⋅ FireEye ⋅ Ian Ahl
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike

2017-04-27 ⋅ US-CERT ⋅ US-CERT
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves

2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves

2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT

2017-03-22 ⋅ Trend Micro ⋅ Cedric Pernet
Winnti Abuses GitHub for C&C Communications
EASYNIGHT Axiom

2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX

2017-02-13 ⋅ RSA ⋅ RSA Research
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX

2016-10-28 ⋅ Github (smb01) ⋅ smb01