APT41  (Back to overview)

APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

---

Associated Families

---

References

2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours BazarBackdoor Cobalt Strike Ryuk

2020-10-14 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack Cobalt Strike Ryuk SystemBC

2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez @online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor Cobalt Strike Ryuk

2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel @online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ? Cobalt Strike Meterpreter

2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return BazarBackdoor Cobalt Strike Ryuk

2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen @online{tanriverdi:20201008:there:620f4e7, author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen}, title = {{There is no safe place}}, date = {2020-10-08}, organization = {Bayerischer Rundfunk}, url = {https://web.br.de/interaktiv/ocean-lotus/en/}, language = {English}, urldate = {2020-10-12} } There is no safe place Cobalt Strike

2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy

2020-10-01 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency Cobalt Strike Meterpreter

2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller @online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } Getting the Bacon from the Beacon Cobalt Strike

2020-09-29 ⋅ Github (Apr4h) ⋅ Apra @online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } CobaltStrikeScan Cobalt Strike

2020-09-24 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor Cobalt Strike Meterpreter

2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, JON MUNSHAW @techreport{mavis:20200921:art:d9702a4, author = {Nick Mavis and Joe Marshall and JON MUNSHAW}, title = {{The art and science of detecting Cobalt Strike}}, date = {2020-09-21}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf}, language = {English}, urldate = {2020-09-23} } The art and science of detecting Cobalt Strike Cobalt Strike

2020-09-18 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20200918:us:7900e6a, author = {Trend Micro}, title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}}, date = {2020-09-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html}, language = {English}, urldate = {2020-09-23} } U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks Cobalt Strike ColdLock

2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK PlugX poisonplug ShadowPad Winnti

2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:alert:13d0ab3, author = {US-CERT}, title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}}, date = {2020-09-15}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a}, language = {English}, urldate = {2020-09-16} } Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER Fox Kitten

2020-09-15 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20200915:back:2c78a6f, author = {Insikt Group®}, title = {{Back Despite Disruption: RedDelta Resumes Operations}}, date = {2020-09-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf}, language = {English}, urldate = {2020-09-16} } Back Despite Disruption: RedDelta Resumes Operations PlugX

2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:malware:8345418, author = {US-CERT}, title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}}, date = {2020-09-15}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a}, language = {English}, urldate = {2020-09-16} } Malware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER

2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20200911:research:edfb074, author = {ThreatConnect Research Team}, title = {{Research Roundup: Activity on Previously Identified APT33 Domains}}, date = {2020-09-11}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/}, language = {English}, urldate = {2020-09-15} } Research Roundup: Activity on Previously Identified APT33 Domains Emotet PlugX APT33

2020-09-10 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } An overview of targeted attacks and APTs on Linux Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent

2020-09-08 ⋅ PTSecurity ⋅ PTSecurity @techreport{ptsecurity:20200908:shadowpad:2903f45, author = {PTSecurity}, title = {{ShadowPad: new activity from the Winnti group}}, date = {2020-09-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf}, language = {English}, urldate = {2020-10-08} } ShadowPad: new activity from the Winnti group CCleaner Backdoor Korlia ShadowPad TypeHash

2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm @online{vuonglvm:20200903:apt32:02bd8fc, author = {vuonglvm}, title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}}, date = {2020-09-03}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/}, language = {Vietnamese}, urldate = {2020-09-09} } APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2) Cobalt Strike

2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk

2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour Cobalt Strike Mailto MimiKatz

2020-08-20 ⋅ Seebug Paper ⋅ Malayke @online{malayke:20200820:use:77d3957, author = {Malayke}, title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}}, date = {2020-08-20}, organization = {Seebug Paper}, url = {https://paper.seebug.org/1301/}, language = {Chinese}, urldate = {2020-08-24} } Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks Cobalt Strike Empire Downloader PoshC2

2020-08-19 ⋅ TEAMT5 ⋅ TeamT5 @online{teamt5:20200819:0819:e955419, author = {TeamT5}, title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}}, date = {2020-08-19}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/}, language = {Chinese}, urldate = {2020-08-25} } 調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike

2020-07-29 ⋅ Recorded Future ⋅ Insikt Group @techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations PlugX

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor

2020-07-28 ⋅ NTT ⋅ NTT Security @online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX

2020-07-26 ⋅ Shells.System blog ⋅ Askar @online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } In-Memory shellcode decoding to evade AVs/EDRs Cobalt Strike

2020-07-22 ⋅ On the Hunt ⋅ Newton Paul @online{paul:20200722:analysing:2de83d7, author = {Newton Paul}, title = {{Analysing Fileless Malware: Cobalt Strike Beacon}}, date = {2020-07-22}, organization = {On the Hunt}, url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/}, language = {English}, urldate = {2020-07-24} } Analysing Fileless Malware: Cobalt Strike Beacon Cobalt Strike

2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } Chinese APT group targets India and Hong Kong using new variant of MgBot malware Cobalt Strike MgBot

2020-07-20 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan Microcin Mirage PlugX WhiteBird

2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon @online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell

2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } Chinese state hackers target Hong Kong Catholic Church PlugX

2020-07-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team @online{team:20200714:manufacturing:3e552ec, author = {Falcon OverWatch Team}, title = {{Manufacturing Industry in the Adversaries’ Crosshairs}}, date = {2020-07-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/}, language = {English}, urldate = {2020-07-23} } Manufacturing Industry in the Adversaries’ Crosshairs ShadowPad Snake Ransomware

2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo @online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } Cobalt Strike stagers used by FIN6 Cobalt Strike

2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee @online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike ISFB WastedLocker

2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200623:sodinokibi:7eff193, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}}, date = {2020-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos}, language = {English}, urldate = {2020-06-23} } Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil

2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra @online{malhotra:20200622:indigodrop:6d5e7e1, author = {Asheer Malhotra}, title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}}, date = {2020-06-22}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html}, language = {English}, urldate = {2020-06-24} } IndigoDrop spreads via military-themed lures to deliver Cobalt Strike Cobalt Strike IndigoDrop

2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves @online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server Cobalt Strike TrickBot

2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil @online{singh:20200619:targeted:05d8d31, author = {Atinderpal Singh and Nirmal Singh and Sahil Antil}, title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}}, date = {2020-06-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims}, language = {English}, urldate = {2020-06-21} } Targeted Attack Leverages India-China Border Dispute to Lure Victims Cobalt Strike

2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge @online{mudge:20200619:beacon:bc8ae77, author = {Raphael Mudge}, title = {{Beacon Object Files - Luser Demo}}, date = {2020-06-19}, organization = {Youtube (Raphael Mudge)}, url = {https://www.youtube.com/watch?v=gfYswA_Ronw}, language = {English}, urldate = {2020-06-23} } Beacon Object Files - Luser Demo Cobalt Strike

2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC) @techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader

2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature Cobalt Strike

2020-06-16 ⋅ Intezer ⋅ Aviygayil Mechtinger @online{mechtinger:20200616:elf:7057d58, author = {Aviygayil Mechtinger}, title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}}, date = {2020-06-16}, organization = {Intezer}, url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought}, language = {English}, urldate = {2020-06-16} } ELF Malware Analysis 101: Linux Threats No Longer an Afterthought Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti

2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group @online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability Cobalt Strike

2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal @online{kristal:20200609:cobaltstrikeparser:a023ac8, author = {Gal Kristal}, title = {{CobaltStrikeParser}}, date = {2020-06-09}, organization = {Github (Sentinel-One)}, url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py}, language = {English}, urldate = {2020-09-15} } CobaltStrikeParser Cobalt Strike

2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola @online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit Hellsing

2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers PlugX

2020-05-21 ⋅ ESET Research ⋅ Mathieu Tartare, Martin Smolár @online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group ACEHASH HTran MimiKatz

2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller @online{miller:20200515:sogu:cc5a1fc, author = {Steve Miller}, title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}}, date = {2020-05-15}, organization = {Twitter (@stvemillertime)}, url = {https://twitter.com/stvemillertime/status/1261263000960450562}, language = {English}, urldate = {2020-05-18} } Tweet on SOGU development timeline, including TIGERPLUG IOCs PlugX

2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal @online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration Cobalt Strike

2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat @online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1) NewCore RAT PlugX

2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200424:ursnif:e983798, author = {The DFIR Report}, title = {{Ursnif via LOLbins}}, date = {2020-04-24}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/}, language = {English}, urldate = {2020-05-15} } Ursnif via LOLbins Cobalt Strike LOLSnif

2020-04-13 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone, Jen Miller-Osborn @online{lee:20200413:apt41:fdd4c46, author = {Bryan Lee and Robert Falcone and Jen Miller-Osborn}, title = {{APT41 Using New Speculoos Backdoor to Target Organizations Globally}}, date = {2020-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/}, language = {English}, urldate = {2020-04-14} } APT41 Using New Speculoos Backdoor to Target Organizations Globally Speculoos APT41

2020-04-07 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20200407:decade:6441e18, author = {Blackberry Research}, title = {{Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android}}, date = {2020-04-07}, institution = {Blackberry}, url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf}, language = {English}, urldate = {2020-08-10} } Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android Penquin Turla XOR DDoS ZXShell

2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer @online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } Catching APT41 exploiting a zero-day vulnerability Cobalt Strike

2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight @online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke

2020-03-25 ⋅ Wilbur Security ⋅ JW @online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours Cobalt Strike Ryuk TrickBot

2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller @online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits Speculoos Cobalt Strike

2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch @online{klopsch:20200322:mustang:56f3768, author = {Andreas Klopsch}, title = {{Mustang Panda joins the COVID-19 bandwagon}}, date = {2020-03-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/}, language = {English}, urldate = {2020-03-27} } Mustang Panda joins the COVID-19 bandwagon Cobalt Strike

2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten @online{rusten:20200320:analysis:f82a963, author = {Luke Rusten}, title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}}, date = {2020-03-20}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/}, language = {English}, urldate = {2020-06-22} } Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41) Cobalt Strike

2020-03-19 ⋅ VinCSS ⋅ m4n0w4r @online{m4n0w4r:20200319:phn:461fca7, author = {m4n0w4r}, title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}}, date = {2020-03-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html}, language = {Vietnamese}, urldate = {2020-03-19} } Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2 PlugX

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20200304:cobalt:176b61e, author = {Raphael Mudge}, title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}}, date = {2020-03-04}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/}, language = {English}, urldate = {2020-03-04} } Cobalt Strike joins Core Impact at HelpSystems, LLC Cobalt Strike

2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe @online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy

2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT

2020-02-19 ⋅ FireEye ⋅ FireEye @online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020 Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT

2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } Building a bypass with MSBuild Cobalt Strike GRUNT MimiKatz

2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen @online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } CLAMBLING - A New Backdoor Base On Dropbox HyperBro PlugX

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019 Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-31 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong ShadowPad Winnti

2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard @online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } New wave of PlugX targets Hong Kong PlugX

2020-01-29 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader

2020-01-13 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200113:apt27:4c2f818, author = {Jagaimo Kawaii}, title = {{APT27 ZxShell RootKit module updates}}, date = {2020-01-13}, organization = {Lab52}, url = {https://lab52.io/blog/apt27-rootkit-updates/}, language = {English}, urldate = {2020-01-13} } APT27 ZxShell RootKit module updates ZXShell

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:472aea8, author = {SecureWorks}, title = {{BRONZE OLIVE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-olive}, language = {English}, urldate = {2020-05-23} } BRONZE OLIVE ANGRYREBEL PlugX APT 22

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } BRONZE WOODLAND PlugX Zeus Roaming Tiger

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX Mustang Panda

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:79d8dd2, author = {SecureWorks}, title = {{BRONZE OVERBROOK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook}, language = {English}, urldate = {2020-05-23} } BRONZE OVERBROOK Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK

2020-01 ⋅ Dragos ⋅ Joe Slowik @techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis Exaramel Exaramel Industroyer Lookback NjRAT PlugX

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} } GOLD DUPONT Cobalt Strike Defray PyXie

2019-12-29 ⋅ Secureworks ⋅ CTU Research Team @online{team:20191229:bronze:bda6bfc, author = {CTU Research Team}, title = {{BRONZE PRESIDENT Targets NGOs}}, date = {2019-12-29}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-president-targets-ngos}, language = {English}, urldate = {2020-01-10} } BRONZE PRESIDENT Targets NGOs PlugX BRONZE PRESIDENT

2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison @online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia DDKONG Derusbi KHRAT

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird @techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } APT32 Report Cobalt Strike

2019-12-05 ⋅ Raphael Mudge @online{mudge:20191205:cobalt:219044e, author = {Raphael Mudge}, title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}}, date = {2019-12-05}, url = {https://blog.cobaltstrike.com/}, language = {English}, urldate = {2019-12-06} } Cobalt Strike 4.0 – Bring Your Own Weaponization Cobalt Strike

2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen @techreport{thomasen:20191129:cyber:1aae987, author = {Thomas Thomasen}, title = {{Cyber Threat Intelligence & Incident Response}}, date = {2019-11-29}, institution = {Deloitte}, url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf}, language = {English}, urldate = {2020-03-04} } Cyber Threat Intelligence & Incident Response Cobalt Strike

2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler @online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } Fresh PlugX October 2019 PlugX

2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi @online{tomonaga:20191111:cases:ac5f1b3, author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi}, title = {{APT cases exploiting vulnerabilities in region‑specific software}}, date = {2019-11-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/}, language = {English}, urldate = {2020-05-13} } APT cases exploiting vulnerabilities in region‑specific software NodeRAT Emdivi PlugX

2019-11-05 ⋅ tccontre Blog ⋅ tccontre @online{tccontre:20191105:cobaltstrike:02e37af, author = {tccontre}, title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}}, date = {2019-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html}, language = {English}, urldate = {2019-12-17} } CobaltStrike - beacon.dll : Your No Ordinary MZ Header Cobalt Strike

2019-10-31 ⋅ FireEye ⋅ Raymond Leong, Dan Perez, Tyler Dean @online{leong:20191031:messagetap:823e994, author = {Raymond Leong and Dan Perez and Tyler Dean}, title = {{MESSAGETAP: Who’s Reading Your Text Messages?}}, date = {2019-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html}, language = {English}, urldate = {2019-12-18} } MESSAGETAP: Who’s Reading Your Text Messages? MESSAGETAP

2019-10-31 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20191031:calypso:adaf761, author = {PTSecurity}, title = {{Calypso APT: new group attacking state institutions}}, date = {2019-10-31}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/}, language = {English}, urldate = {2020-01-12} } Calypso APT: new group attacking state institutions BYEBY FlyingDutchman Hussar PlugX

2019-10-21 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20191021:winnti:eb2c722, author = {Mathieu Tartare}, title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}}, date = {2019-10-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/}, language = {English}, urldate = {2019-11-14} } Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor LOWKEY skip-2.0

2019-10-15 ⋅ FireEye ⋅ Tobias Krueger @online{krueger:20191015:lowkey:aab2f5e, author = {Tobias Krueger}, title = {{LOWKEY: Hunting for the Missing Volume Serial ID}}, date = {2019-10-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html}, language = {English}, urldate = {2019-12-10} } LOWKEY: Hunting for the Missing Volume Serial ID LOWKEY poisonplug

2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare @techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group LOWKEY shadowhammer ShadowPad

2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe @online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } PKPLUG: Chinese Cyber Espionage Group Attacking Asia HenBox Farseer PlugX

2019-09-30 ⋅ vmware ⋅ Scott Knight @online{knight:20190930:cb:a21cf30, author = {Scott Knight}, title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}}, date = {2019-09-30}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/}, language = {English}, urldate = {2020-04-21} } CB Threat Analysis Unit: Technical Analysis of “Crosswalk” CROSSWALK

2019-09-22 ⋅ Check Point Research ⋅ Check Point Research @online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish 8.t Dropper Cobalt Strike

2019-09-19 ⋅ MeltX0R @online{meltx0r:20190919:emissary:361f1fd, author = {MeltX0R}, title = {{Emissary Panda APT: Recent infrastructure and RAT analysis}}, date = {2019-09-19}, url = {https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html}, language = {English}, urldate = {2020-01-09} } Emissary Panda APT: Recent infrastructure and RAT analysis ZXShell

2019-09-04 ⋅ FireEye ⋅ FireEye @online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } APT41: Double Dragon APT41, a dual espionage and cyber crime operation EASYNIGHT Winnti

2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer @online{rascagnres:20190827:china:2d2bbb8, author = {Paul Rascagnères and Vanja Svajcer}, title = {{China Chopper still active 9 years later}}, date = {2019-08-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html}, language = {English}, urldate = {2019-10-14} } China Chopper still active 9 years later CHINACHOPPER

2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley @online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation ACEHASH CHINACHOPPER HIGHNOON

2019-08-09 ⋅ FireEye ⋅ FireEye @online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti

2019-08-08 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez @online{perez:20190808:winnti:6c0b6b0, author = {Dan Perez}, title = {{Tweet on Winnti and HIGHNOON}}, date = {2019-08-08}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1159461995013378048}, language = {English}, urldate = {2020-01-13} } Tweet on Winnti and HIGHNOON HIGHNOON

2019-08-07 ⋅ FireEye ⋅ Nalani Fraser, Fred Plan, Jacqueline O’Leary, Vincent Cannon, Raymond Leong, Dan Perez, Chi-en Shen @online{fraser:20190807:apt41:ce48314, author = {Nalani Fraser and Fred Plan and Jacqueline O’Leary and Vincent Cannon and Raymond Leong and Dan Perez and Chi-en Shen}, title = {{APT41: A Dual Espionage and Cyber Crime Operation}}, date = {2019-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html}, language = {English}, urldate = {2019-12-20} } APT41: A Dual Espionage and Cyber Crime Operation APT41

2019-07-24 ⋅ Intrusiontruth ⋅ Intrusiontruth @online{intrusiontruth:20190724:apt17:6b9a666, author = {Intrusiontruth}, title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}}, date = {2019-07-24}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/}, language = {English}, urldate = {2020-04-21} } APT17 is run by the Jinan bureau of the Chinese Ministry of State Security BLACKCOFFEE

2019-06-04 ⋅ Bitdefender ⋅ Bitdefender @techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } An APT Blueprint: Gaining New Visibility into Financial Threats More_eggs Cobalt Strike

2019-06-03 ⋅ FireEye ⋅ Chi-en Shen @online{shen:20190603:into:d40fee9, author = {Chi-en Shen}, title = {{Into the Fog - The Return of ICEFOG APT}}, date = {2019-06-03}, organization = {FireEye}, url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt}, language = {English}, urldate = {2020-06-30} } Into the Fog - The Return of ICEFOG APT Icefog PlugX Sarhust

2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster @online{falcone:20190528:emissary:dc0f942, author = {Robert Falcone and Tom Lancaster}, title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}}, date = {2019-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/}, language = {English}, urldate = {2020-01-09} } Emissary Panda Attacks Middle East Government Sharepoint Servers CHINACHOPPER Unidentified 060

2019-05-24 ⋅ enSilo ⋅ Ben Hunter @online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {enSilo}, url = {https://blog.ensilo.com/uncovering-new-activity-by-apt10}, language = {English}, urldate = {2020-01-13} } Uncovering new Activity by APT10 PlugX Quasar RAT

2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc. @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam

2019-04-24 ⋅ Weixin ⋅ Tencent @online{tencent:20190424:sea:a722d68, author = {Tencent}, title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}}, date = {2019-04-24}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A}, language = {English}, urldate = {2020-01-13} } "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed Cobalt Strike SOUNDBITE

2019-04-23 ⋅ Kaspersky Labs ⋅ GReAT, AMR @online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack shadowhammer ShadowPad

2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines @online{lines:20190415:cobalt:7b3c086, author = {Neil Lines}, title = {{Cobalt Strike. Walkthrough for Red Teamers}}, date = {2019-04-15}, organization = {PenTestPartners}, url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/}, language = {English}, urldate = {2019-12-17} } Cobalt Strike. Walkthrough for Red Teamers Cobalt Strike

2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20190324:jeshell:439ae8b, author = {Kevin Perlow}, title = {{JEShell: An OceanLotus (APT32) Backdoor}}, date = {2019-03-24}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/}, language = {English}, urldate = {2020-05-19} } JEShell: An OceanLotus (APT32) Backdoor Cobalt Strike KerrDown

2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team @online{team:20190319:sectorm04:6c6ea37, author = {ThreatRecon Team}, title = {{SectorM04 Targeting Singapore – An Analysis}}, date = {2019-03-19}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/}, language = {English}, urldate = {2020-01-07} } SectorM04 Targeting Singapore – An Analysis PlugX Termite

2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman @online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } New Global Cyber Attack on Point of Sale Sytem Cobalt Strike

2019-02-27 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox Ghost RAT HyperBro ZXShell

2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan @techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } A vine climbing over the Great Firewall: A long-term attack against China Poison Ivy ZXShell

2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:fd89dda, author = {MITRE ATT&CK}, title = {{Tool description: China Chopper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0020/}, language = {English}, urldate = {2019-12-20} } Tool description: China Chopper CHINACHOPPER

2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:ebc79ce, author = {MITRE ATT&CK}, title = {{Tool description: BLACKCOFFEE}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0069/}, language = {English}, urldate = {2019-12-20} } Tool description: BLACKCOFFEE BLACKCOFFEE

2018-12-24 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez @online{perez:20181224:hashes:9a4fc8c, author = {Dan Perez}, title = {{Tweet on hashes for CROSSWALK}}, date = {2018-12-24}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1159459082534825986}, language = {English}, urldate = {2019-11-27} } Tweet on hashes for CROSSWALK CROSSWALK

2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD @techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } Investigationreport: Compromise of an Australian companyvia their Managed Service Provider PlugX RedLeaves

2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr @online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign Cobalt Strike

2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe @online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } CozyBear – In from the Cold? Cobalt Strike APT 29

2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels @techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7 Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot

2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida @online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } Volatility Plugin for Detecting Cobalt Strike Beacon Cobalt Strike

2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC @online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } Scanner for CobaltStrike Cobalt Strike

2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa @online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } Confirmed new attacks by APT attacker group menuPass (APT10) Cobalt Strike

2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha @online{rocha:20180509:malware:3ee8ecf, author = {Luis Rocha}, title = {{Malware Analysis - PlugX - Part 2}}, date = {2018-05-09}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/}, language = {English}, urldate = {2020-01-05} } Malware Analysis - PlugX - Part 2 PlugX

2018-03-16 ⋅ FireEye ⋅ FireEye @online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan

2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov @online{makrushin:20180313:time:7171143, author = {Denis Makrushin and Yury Namestnikov}, title = {{Time of death? A therapeutic postmortem of connected medicine}}, date = {2018-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/time-of-death-connected-medicine/84315/}, language = {English}, urldate = {2019-12-20} } Time of death? A therapeutic postmortem of connected medicine PlugX

2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha @online{rocha:20180204:malware:ea0aede, author = {Luis Rocha}, title = {{MALWARE ANALYSIS – PLUGX}}, date = {2018-02-04}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/}, language = {English}, urldate = {2020-01-07} } MALWARE ANALYSIS – PLUGX PlugX

2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy @online{kozy:20171220:end:218a388, author = {Adam Kozy}, title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}}, date = {2017-12-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/}, language = {English}, urldate = {2020-05-11} } An End to “Smash-and-Grab” and a Move to More Targeted Approaches CHINACHOPPER

2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa @online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } Relationship between PlugX and attacker group "DragonOK" PlugX

2017-08-15 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } ShadowPad in corporate networks ShadowPad

2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic @online{lancaster:20170627:paranoid:f933eb4, author = {Tom Lancaster and Esmid Idrizovic}, title = {{Paranoid PlugX}}, date = {2017-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/}, language = {English}, urldate = {2019-12-20} } Paranoid PlugX PlugX

2017-06-06 ⋅ FireEye ⋅ Ian Ahl @online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } Privileges and Credentials: Phished at the Request of Counsel Cobalt Strike

2017-04-27 ⋅ US-CERT ⋅ US-CERT @online{uscert:20170427:alert:fdb865d, author = {US-CERT}, title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}}, date = {2017-04-27}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-117A}, language = {English}, urldate = {2020-03-11} } Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors PlugX RedLeaves

2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20170403:redleaves:211a123, author = {Shusei Tomonaga}, title = {{RedLeaves - Malware Based on Open Source RAT}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html}, language = {English}, urldate = {2020-01-10} } RedLeaves - Malware Based on Open Source RAT PlugX RedLeaves

2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers @techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT

2017-03-22 ⋅ Trend Micro ⋅ Cedric Pernet @online{pernet:20170322:winnti:44f428b, author = {Cedric Pernet}, title = {{Winnti Abuses GitHub for C&C Communications}}, date = {2017-03-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/}, language = {English}, urldate = {2020-01-07} } Winnti Abuses GitHub for C&C Communications EASYNIGHT Axiom

2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20170221:plugx:f9e4817, author = {Shusei Tomonaga}, title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}}, date = {2017-02-21}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html}, language = {English}, urldate = {2020-01-13} } PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code PlugX

2017-02-13 ⋅ RSA ⋅ RSA Research @techreport{research:20170213:kingslayer:98f4892, author = {RSA Research}, title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}}, date = {2017-02-13}, institution = {RSA}, url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf}, language = {English}, urldate = {2020-01-08} } KINGSLAYER – A SUPPLY CHAIN ATTACK CodeKey PlugX

2016-10-28 ⋅ Github (smb01) ⋅ smb01 @online{smb01:20161028:zxshell:e4d3a5e, author = {smb01}, title = {{zxshell repository}}, date = {2016-10-28}, organization = {Github (smb01)}, url = {https://github.com/smb01/zxshell}, language = {English}, urldate = {2020-01-07} } zxshell repository ZXShell

2016-10-11 ⋅ Symantec ⋅ Symantec Security Response @online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks Cobalt Strike KLRD MimiKatz Odinaff Anunak

2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs @online{labs:20160825:unpacking:66173f5, author = {Malwarebytes Labs}, title = {{Unpacking the spyware disguised as antivirus}}, date = {2016-08-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/}, language = {English}, urldate = {2019-12-20} } Unpacking the spyware disguised as antivirus PlugX

2016-03-02 ⋅ RSA Conference ⋅ Vanja Svajcer @techreport{svajcer:20160302:dissecting:e8721e3, author = {Vanja Svajcer}, title = {{Dissecting Derusbi}}, date = {2016-03-02}, institution = {RSA Conference}, url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf}, language = {English}, urldate = {2020-02-27} } Dissecting Derusbi Derusbi

2016-01-22 ⋅ RSA Link ⋅ Norton Santos @online{santos:20160122:plugx:580fcff, author = {Norton Santos}, title = {{PlugX APT Malware}}, date = {2016-01-22}, organization = {RSA Link}, url = {https://community.rsa.com/thread/185439}, language = {English}, urldate = {2020-01-13} } PlugX APT Malware PlugX

2015-12-15 ⋅ Airbus Defence & Space ⋅ Fabien Perigaud @online{perigaud:20151215:newcomers:73beb0c, author = {Fabien Perigaud}, title = {{Newcomers in the Derusbi family}}, date = {2015-12-15}, organization = {Airbus Defence & Space}, url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family}, language = {English}, urldate = {2020-02-27} } Newcomers in the Derusbi family Derusbi

2015-10-08 ⋅ Virus Bulletin ⋅ Micky Pun, Eric Leung, Neo Tan @techreport{pun:20151008:catching:368d81d, author = {Micky Pun and Eric Leung and Neo Tan}, title = {{Catching the silent whisper: Understanding the Derusbi family tree}}, date = {2015-10-08}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf}, language = {English}, urldate = {2020-02-27} } Catching the silent whisper: Understanding the Derusbi family tree Derusbi

2015-08 ⋅ Arbor Networks ⋅ ASERT Team @online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT Group 27

2015-05-18 ⋅ Tetsuji Tanigawa @online{tanigawa:20150518:tt:4cb29ea, author = {Tetsuji Tanigawa}, title = {{TT Malware Log}}, date = {2015-05-18}, url = {http://malware-log.hatenablog.com/entry/2015/05/18/000000_1}, language = {Japanese}, urldate = {2020-01-08} } TT Malware Log BLACKCOFFEE

2015-05 ⋅ FireEye ⋅ FireEye @techreport{fireeye:201505:hiding:8695fc2, author = {FireEye}, title = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}}, date = {2015-05}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf}, language = {English}, urldate = {2019-12-19} } HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC BLACKCOFFEE

2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20150227:anthem:3576532, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-01-09} } The Anthem Hack: All Roads Lead to China Derusbi

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20150129:analysis:0eaad95, author = {Shusei Tomonaga}, title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}}, date = {2015-01-29}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html}, language = {English}, urldate = {2020-01-09} } Analysis of a Recent PlugX Variant - “P2P PlugX” PlugX

2014-11 ⋅ Novetta ⋅ Novetta @techreport{novetta:201411:zoxpng:91e81c6, author = {Novetta}, title = {{ZoxPNG Analysis}}, date = {2014-11}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf}, language = {English}, urldate = {2020-05-07} } ZoxPNG Analysis BLACKCOFFEE

2014-10-28 ⋅ Cisco ⋅ Andrea Allievi, Douglas Goddard, Shaun Hurley, Alain Zidouemba @online{allievi:20141028:threat:a302fbd, author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba}, title = {{Threat Spotlight: Group 72, Opening the ZxShell}}, date = {2014-10-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/talos/opening-zxshell}, language = {English}, urldate = {2019-10-15} } Threat Spotlight: Group 72, Opening the ZxShell ZXShell

2014-10-28 ⋅ Novetta ⋅ Novetta @techreport{novetta:20141028:derusbi:aae275a, author = {Novetta}, title = {{Derusbi (Server Variant) Analysis}}, date = {2014-10-28}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf}, language = {English}, urldate = {2020-01-06} } Derusbi (Server Variant) Analysis Derusbi

2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos @techreport{szappanos:20140627:plugx:e63d8bf, author = {Gabor Szappanos}, title = {{PlugX - The Next Generation}}, date = {2014-06-27}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf}, language = {English}, urldate = {2020-01-10} } PlugX - The Next Generation PlugX

2014-06-10 ⋅ FireEye ⋅ Mike Scott @online{scott:20140610:clandestine:6d515ab, author = {Mike Scott}, title = {{Clandestine Fox, Part Deux}}, date = {2014-06-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html}, language = {English}, urldate = {2019-12-20} } Clandestine Fox, Part Deux PlugX

2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud @online{perigaud:20140106:plugx:16410d7, author = {Fabien Perigaud}, title = {{PlugX: some uncovered points}}, date = {2014-01-06}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html}, language = {English}, urldate = {2020-01-08} } PlugX: some uncovered points PlugX

2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik @online{ahl:20130807:breaking:aff06e9, author = {Ian Ahl and Tony Lee and Dennis Hanzlik}, title = {{Breaking Down the China Chopper Web Shell - Part I}}, date = {2013-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html}, language = {English}, urldate = {2019-12-20} } Breaking Down the China Chopper Web Shell - Part I CHINACHOPPER

2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL @techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0) PlugX

2012 ⋅ Cobalt Strike ⋅ Cobalt Strike @online{strike:2012:cobalt:8522cdd, author = {Cobalt Strike}, title = {{Cobalt Strike Website}}, date = {2012}, organization = {Cobalt Strike}, url = {https://www.cobaltstrike.com/support}, language = {English}, urldate = {2020-01-13} } Cobalt Strike Website Cobalt Strike

---

Credits: MISP Project