aka: CHROMIUM, ControlX, TAG-22, FISHMONGER, BRONZE UNIVERSITY, AQUATIC PANDA, Red Dev 10
Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.
@online{team:20230515:lancefly:49fd53e,
author = {Threat Hunter Team},
title = {{Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors}},
date = {2023-05-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor},
language = {English},
urldate = {2023-05-26}
}
Families: PlugX, ShadowPad, ZXShell
@online{cocomelonc:20230511:malware:f557876,
author = {cocomelonc},
title = {{Malware development trick - part 28: Dump lsass.exe. Simple C++ example.}},
date = {2023-05-11},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html},
language = {English},
urldate = {2023-05-15}
}
Families: Cobalt Strike, APT3 Keylogger
@online{dodosec:20230420:analysis:0c18d26,
author = {dodo-sec},
title = {{An analysis of syscall usage in Cobalt Strike Beacons}},
date = {2023-04-20},
organization = {Github (dodo-sec)},
url = {https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md},
language = {English},
urldate = {2023-04-22}
}
Families: Cobalt Strike
@online{researchteam:20230420:bumblebee:c69430d,
author = {Counter Threat Unit ResearchTeam},
title = {{Bumblebee Malware Distributed Via Trojanized Installer Downloads}},
date = {2023-04-20},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads},
language = {English},
urldate = {2023-04-22}
}
Families: BumbleBee, Cobalt Strike
@online{mandiant:20230418:mtrends:af1a28e,
author = {Mandiant},
title = {{M-Trends 2023}},
date = {2023-04-18},
organization = {Mandiant},
url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023},
language = {English},
urldate = {2023-04-18}
}
Families: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate
@techreport{labs:20230412:spamhaus:aa309d1,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q1 2023}},
date = {2023-04-12},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2023-04-18}
}
Families: FluBot, Amadey, AsyncRAT, Aurora, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Emotet, IcedID, ISFB, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee, Vidar
@online{point:20230410:march:144c1ad,
author = {Check Point},
title = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}},
date = {2023-04-10},
organization = {Check Point},
url = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/},
language = {English},
urldate = {2023-04-12}
}
Families: Agent Tesla, CloudEyE, Emotet, Formbook, Nanocore RAT, NjRAT, QakBot, Remcos, Tofsee
@online{report:20230403:malicious:238465b,
author = {The DFIR Report},
title = {{Malicious ISO File Leads to Domain Wide Ransomware}},
date = {2023-04-03},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/},
language = {English},
urldate = {2023-04-06}
}
Families: Cobalt Strike, IcedID, Mount Locker
@techreport{microsoft:20230330:cracked:08c67c0,
author = {Microsoft and Fortra and HEALTH-ISAC},
title = {{Cracked Cobalt Strike (1:23-cv-02447)}},
date = {2023-03-30},
institution = {United States District Court (Eastern District of New York)},
url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf},
language = {English},
urldate = {2023-04-28}
}
Families: Black Basta, BlackCat, LockBit, RagnarLocker, LockBit, Black Basta, BlackCat, Cobalt Strike, Cuba, Emotet, LockBit, Mount Locker, PLAY, QakBot, RagnarLocker, Royal Ransom, Zloader
@online{exatrack:20230328:mlofe:6ca8f29,
author = {ExaTrack},
title = {{Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts}},
date = {2023-03-28},
organization = {ExaTrack},
url = {https://blog.exatrack.com/melofee/},
language = {English},
urldate = {2023-03-29}
}
Families: HelloBot, Melofee, Winnti, Cobalt Strike, SparkRAT, STOWAWAY
@online{reaves:20230310:from:6bceb30,
author = {Jason Reaves and Joshua Platt},
title = {{From Royal With Love}},
date = {2023-03-10},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65},
language = {English},
urldate = {2023-03-13}
}
Families: Cobalt Strike, Conti, PLAY, Royal Ransom, Somnia
@online{nandanwar:20230301:onenote:07aefe0,
author = {Meghraj Nandanwar and Shatak Jain},
title = {{OneNote: A Growing Threat for Malware Distribution}},
date = {2023-03-01},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution},
language = {English},
urldate = {2023-03-13}
}
Families: AsyncRAT, Cobalt Strike, IcedID, QakBot, RedLine Stealer
@online{zugec:20230223:technical:710242c,
author = {Martin Zugec and Bitdefender Team},
title = {{Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966}},
date = {2023-02-23},
organization = {Bitdefender},
url = {https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966},
language = {English},
urldate = {2023-02-27}
}
Families: Cobalt Strike, DarkComet, RATel
@online{iacono:20230213:royal:c789fcc,
author = {Laurie Iacono and Stephen Green},
title = {{Royal Ransomware Deep Dive}},
date = {2023-02-13},
organization = {Kroll},
url = {https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive},
language = {English},
urldate = {2023-04-22}
}
Families: Cobalt Strike, Royal Ransom
@online{goody:20230203:float:5150a2b,
author = {Kimberly Goody and Genevieve Stark},
title = {{Float Like a Butterfly Sting Like a Bee}},
date = {2023-02-03},
organization = {Mandiant},
url = {https://www.youtube.com/watch?v=pIXl79IPkLI},
language = {English},
urldate = {2023-02-21}
}
Families: BazarBackdoor, BumbleBee, Cobalt Strike
@online{green:20230202:hive:4624808,
author = {Stephen Green and Elio Biasiotto},
title = {{Hive Ransomware Technical Analysis and Initial Access Discovery}},
date = {2023-02-02},
organization = {Kroll},
url = {https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery},
language = {English},
urldate = {2023-04-22}
}
Families: BATLOADER, Cobalt Strike, Hive
@online{bitam:20230202:update:57ea3a2,
author = {Salim Bitam and Remco Sprooten and Cyril François and Andrew Pease and Devon Kerr and Seth Goodwin},
title = {{Update to the REF2924 intrusion set and related campaigns}},
date = {2023-02-02},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns},
language = {English},
urldate = {2023-03-21}
}
Families: DoorMe, ShadowPad, SiestaGraph
@online{olshtein:20230130:following:e442fcc,
author = {Arie Olshtein},
title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}},
date = {2023-01-30},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/},
language = {English},
urldate = {2023-01-31}
}
Families: Agent Tesla, Azorult, Buer, Cerber, Cobalt Strike, Emotet, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Maze, NetWire RC, Remcos, REvil, TrickBot
@online{revay:20230124:year:00a1450,
author = {Geri Revay},
title = {{The Year of the Wiper}},
date = {2023-01-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper},
language = {English},
urldate = {2023-01-25}
}
Families: Azov Wiper, Bruh Wiper, CaddyWiper, Cobalt Strike, Vidar
@online{green:20230123:black:dd89d21,
author = {Stephen Green and Elio Biasiotto},
title = {{Black Basta – Technical Analysis}},
date = {2023-01-23},
organization = {Kroll},
url = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis},
language = {English},
urldate = {2023-04-22}
}
Families: Black Basta, Cobalt Strike, MimiKatz, QakBot, SystemBC
@online{girnus:20230117:earth:f1cba60,
author = {Peter Girnus and Aliakbar Zahravi},
title = {{Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures}},
date = {2023-01-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html},
language = {English},
urldate = {2023-01-19}
}
Families: NjRAT
@online{intrinsec:20230116:proxynotshell:b9b864c,
author = {Intrinsec},
title = {{ProxyNotShell – OWASSRF – Merry Xchange}},
date = {2023-01-16},
organization = {Intrinsec},
url = {https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/},
language = {English},
urldate = {2023-03-13}
}
Families: Cobalt Strike, SystemBC
@online{disclosure:20221224:njrat:0b45969,
author = {di.sclosu.re},
title = {{njRAT malware spreading through Discord CDN and Facebook Ads}},
date = {2022-12-24},
organization = {di.sclosu.re},
url = {https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/},
language = {English},
urldate = {2023-01-10}
}
Families: NjRAT
@online{mandiant:20221215:trojanized:07a1d55,
author = {Mandiant},
title = {{Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government}},
date = {2022-12-15},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government},
language = {English},
urldate = {2022-12-20}
}
Families: Cobalt Strike, STOWAWAY
@online{pereira:20221208:breaking:7f00030,
author = {Tiago Pereira},
title = {{Breaking the silence - Recent Truebot activity}},
date = {2022-12-08},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/},
language = {English},
urldate = {2022-12-12}
}
Families: Clop, Cobalt Strike, FlawedGrace, Raspberry Robin, Silence, Teleport
@online{reichel:20221202:blowing:0698d7a,
author = {Dominik Reichel and Esmid Idrizovic and Bob Jung},
title = {{Blowing Cobalt Strike Out of the Water With Memory Analysis}},
date = {2022-12-02},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/},
language = {English},
urldate = {2022-12-05}
}
Families: Cobalt Strike
@online{chronicle:20221103:gcti:dc42ba8,
author = {Chronicle},
title = {{GCTI Open Source Detection Signatures}},
date = {2022-11-03},
organization = {Github (chronicle)},
url = {https://github.com/chronicle/GCTI},
language = {English},
urldate = {2022-11-25}
}
Families: Cobalt Strike, Sliver
@online{mirkasymov:20221103:financially:cd6ff5b,
author = {Rustam Mirkasymov},
title = {{Financially motivated, dangerously activated: OPERA1ER APT in Africa}},
date = {2022-11-03},
organization = {Group-IB},
url = {https://blog.group-ib.com/opera1er-apt},
language = {English},
urldate = {2023-01-19}
}
Families: Cobalt Strike, Common Raven
@online{sangvikar:20221103:cobalt:9a81f6f,
author = {Durgesh Sangvikar and Chris Navarrete and Matthew Tennis and Yanhui Jia and Yu Fu and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild}},
date = {2022-11-03},
organization = {Palo Alto Networks: Unit42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-team-server/},
language = {English},
urldate = {2022-11-03}
}
Families: Cobalt Strike
@online{malyutin:20221031:orion:49e3b5c,
author = {Max Malyutin},
title = {{Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware}},
date = {2022-10-31},
organization = {Cynet},
url = {https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/},
language = {English},
urldate = {2022-11-15}
}
Families: Black Basta, Cobalt Strike, QakBot
@techreport{haruyama:20221025:tracking:1f60260,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}},
date = {2022-10-25},
institution = {VMware Threat Analysis Unit},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf},
language = {English},
urldate = {2022-11-01}
}
Families: ShadowPad, Winnti
@online{team:20221013:hunting:601b99c,
author = {MSRC Team and Microsoft Threat Hunting},
title = {{Hunting for Cobalt Strike: Mining and plotting for fun and profit}},
date = {2022-10-13},
organization = {Microsoft},
url = {https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/},
language = {English},
urldate = {2023-03-20}
}
Families: Cobalt Strike
@techreport{labs:20221013:spamhaus:43e3190,
author = {Spamhaus Malware Labs},
title = {{Spamhaus Botnet Threat Update Q3 2022}},
date = {2022-10-13},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2022-12-29}
}
Families: FluBot, Arkei Stealer, AsyncRAT, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Dridex, Emotet, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Socelars, Tofsee, Vjw0rm
@online{kenefick:20221012:black:17505c9,
author = {Ian Kenefick and Lucas Silva and Nicole Hernandez},
title = {{Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike}},
date = {2022-10-12},
organization = {Trend Micro},
url = {https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html},
language = {English},
urldate = {2023-05-23}
}
Families: Black Basta, Brute Ratel C4, Cobalt Strike, QakBot
@online{fernandez:20221003:bumblebee:25732bf,
author = {Marc Salinas Fernandez},
title = {{Bumblebee: increasing its capacity and evolving its TTPs}},
date = {2022-10-03},
organization = {Check Point},
url = {https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/},
language = {English},
urldate = {2022-10-07}
}
Families: BumbleBee, Cobalt Strike, Meterpreter, Sliver, Vidar
@online{backhouse:20220930:glimpse:5194be6,
author = {William Backhouse and Michael Mullen and Nikolaos Pantazopoulos},
title = {{A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion}},
date = {2022-09-30},
organization = {NCC Group},
url = {https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/},
language = {English},
urldate = {2022-10-04}
}
Families: ShadowPad
@online{report:20220926:bumblebee:bce1e92,
author = {The DFIR Report},
title = {{BumbleBee: Round Two}},
date = {2022-09-26},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/09/26/bumblebee-round-two/},
language = {English},
urldate = {2022-10-04}
}
Families: BumbleBee, Cobalt Strike, Meterpreter
@online{bykkaya:20220925:cobalt:2820666,
author = {Arda Büyükkaya},
title = {{Cobalt Strike Shellcode Loader With Rust (YouTube)}},
date = {2022-09-25},
organization = {YouTube (Arda Büyükkaya)},
url = {https://www.youtube.com/watch?v=XfUTpwZKCDU},
language = {English},
urldate = {2022-09-27}
}
Families: Cobalt Strike
@techreport{haruyama:20220919:tracking:bffa146,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}},
date = {2022-09-19},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf},
language = {English},
urldate = {2022-11-01}
}
Families: ShadowPad, Winnti
@online{team:20220913:new:2ff2e98,
author = {Threat Hunter Team},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
Families: MimiKatz, PlugX, Quasar RAT, ShadowPad, Trochilus RAT
@online{intelligence:20220913:advintels:ea02331,
author = {Advanced Intelligence},
title = {{AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022}},
date = {2022-09-13},
organization = {AdvIntel},
url = {https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022},
language = {English},
urldate = {2022-09-19}
}
Families: Conti, Cobalt Strike, Emotet, Ryuk, TrickBot
@online{report:20220912:dead:a6b31c3,
author = {The DFIR Report},
title = {{Dead or Alive? An Emotet Story}},
date = {2022-09-12},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/},
language = {English},
urldate = {2022-09-12}
}
Families: Cobalt Strike, Emotet
@online{cyble:20220907:bumblebee:f4baf9f,
author = {Cyble},
title = {{Bumblebee Returns With New Infection Technique}},
date = {2022-09-07},
organization = {cyble},
url = {https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/},
language = {English},
urldate = {2022-09-16}
}
Families: BumbleBee, Cobalt Strike
@online{bureau:20220907:initial:d1975b3,
author = {Pierre-Marc Bureau and Google Threat Analysis Group},
title = {{Initial access broker repurposing techniques in targeted attacks against Ukraine}},
date = {2022-09-07},
organization = {Google},
url = {https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/},
language = {English},
urldate = {2022-09-13}
}
Families: AnchorMail, Cobalt Strike, IcedID
@techreport{incibe:20220906:estudio:20f14b0,
author = {INCIBE},
title = {{Estudio del análisis de Nobelium}},
date = {2022-09-06},
institution = {INCIBE-CERT},
url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf},
language = {Spanish},
urldate = {2022-11-22}
}
Families: BEATDROP, BOOMBOX, Cobalt Strike, EnvyScout, Unidentified 099 (APT29 Dropbox Loader), VaporRage
@online{cocomelonc:20220906:malware:a09756f,
author = {cocomelonc},
title = {{Malware development tricks: parent PID spoofing. Simple C++ example.}},
date = {2022-09-06},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html},
language = {English},
urldate = {2022-11-17}
}
Families: Cobalt Strike, Konni
@online{passilly:20220906:worok:0c106ac,
author = {Thibaut Passilly},
title = {{Worok: The big picture}},
date = {2022-09-06},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/},
language = {English},
urldate = {2022-09-10}
}
Families: MimiKatz, PNGLoad, reGeorg, ShadowPad
@online{uscert:20220906:alert:4058a6d,
author = {US-CERT and FBI and CISA and MS-ISAC},
title = {{Alert (AA22-249A) #StopRansomware: Vice Society}},
date = {2022-09-06},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-249a},
language = {English},
urldate = {2022-09-16}
}
Families: Cobalt Strike, Empire Downloader, FiveHands, HelloKitty, SystemBC, Zeppelin
@online{stevens:20220906:obfuscated:889ae4c,
author = {Didier Stevens},
title = {{An Obfuscated Beacon – Extra XOR Layer}},
date = {2022-09-06},
organization = {Didier Stevens},
url = {https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/},
language = {English},
urldate = {2022-09-10}
}
Families: Cobalt Strike
@online{koczwara:20220901:hunting:45c54de,
author = {Michael Koczwara},
title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}},
date = {2022-09-01},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f},
language = {English},
urldate = {2023-01-19}
}
Families: Brute Ratel C4, Cobalt Strike, Deimos, GRUNT, IcedID, Merlin, Meterpreter, Nighthawk, PoshC2, Sliver
@online{micro:20220901:ransomware:8eda6e4,
author = {Trend Micro},
title = {{Ransomware Spotlight Black Basta}},
date = {2022-09-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta},
language = {English},
urldate = {2022-09-19}
}
Families: Black Basta, Cobalt Strike, MimiKatz, QakBot
@online{walter:20220825:bluesky:1d0f4f0,
author = {Jim Walter},
title = {{BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar}},
date = {2022-08-25},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/},
language = {English},
urldate = {2022-08-30}
}
Families: BlueSky, Cobalt Strike, JuicyPotato
@online{microsoft:20220822:extortion:67c26d4,
author = {Microsoft},
title = {{Extortion Economics - Ransomware’s new business model}},
date = {2022-08-22},
organization = {Microsoft},
url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v},
language = {English},
urldate = {2022-08-31}
}
Families: BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, BlackCat, Brute Ratel C4, Cobalt Strike, Conti, Hive, Mount Locker, Nokoyawa Ransomware, REvil, Ryuk
@online{inman:20220819:back:11abc41,
author = {Ross Inman},
title = {{Back in Black: Unlocking a LockBit 3.0 Ransomware Attack}},
date = {2022-08-19},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack},
language = {English},
urldate = {2022-08-22}
}
Families: FAKEUPDATES, Cobalt Strike, LockBit
@online{knapczyk:20220818:overview:bf3eca2,
author = {Pawel Knapczyk},
title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}},
date = {2022-08-18},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/},
language = {English},
urldate = {2022-08-28}
}
Families: AcidRain, CaddyWiper, Cobalt Strike, CredoMap, DCRat, DoubleZero, GraphSteel, GrimPlant, HermeticWiper, INDUSTROYER2, InvisiMole, IsaacWiper, PartyTicket
@online{wise:20220818:reservations:c2f9faf,
author = {Joe Wise and Selena Larson and Proofpoint Threat Research Team},
title = {{Reservations Requested: TA558 Targets Hospitality and Travel}},
date = {2022-08-18},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel},
language = {English},
urldate = {2022-08-18}
}
Families: AsyncRAT, Loda, NjRAT, Ozone RAT, Revenge RAT, Vjw0rm
@online{nsfocus:20220818:new:223b88b,
author = {NSFOCUS},
title = {{New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy}},
date = {2022-08-18},
organization = {NSFOCUS},
url = {http://blog.nsfocus.net/murenshark},
language = {Chinese},
urldate = {2022-08-22}
}
Families: Cobalt Strike
@online{knapczyk:20220818:overview:a12950c,
author = {Pawel Knapczyk},
title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}},
date = {2022-08-18},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war},
language = {English},
urldate = {2022-08-22}
}
Families: AcidRain, CaddyWiper, Cobalt Strike, CredoMap, DCRat, DoubleZero, GraphSteel, GrimPlant, HermeticWiper, INDUSTROYER2, InvisiMole, IsaacWiper, PartyTicket
@online{rostovtsev:20220818:apt41:57ffddb,
author = {Nikita Rostovtsev},
title = {{APT41 World Tour 2021 on a tight schedule}},
date = {2022-08-18},
organization = {Group-IB},
url = {https://blog.group-ib.com/apt41-world-tour-2021},
language = {English},
urldate = {2022-08-18}
}
Families: Cobalt Strike
@online{gallagher:20220818:cookie:74bd0f5,
author = {Sean Gallagher},
title = {{Cookie stealing: the new perimeter bypass}},
date = {2022-08-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass},
language = {English},
urldate = {2022-08-22}
}
Families: Cobalt Strike, Meterpreter, MimiKatz, Phoenix Keylogger, Quasar RAT
@online{team:20220817:bumblebee:56dc043,
author = {Cybereason Global SOC Team},
title = {{Bumblebee Loader – The High Road to Enterprise Domain Control}},
date = {2022-08-17},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control},
language = {English},
urldate = {2022-08-19}
}
Families: BumbleBee, Cobalt Strike
@online{researchteam:20220817:darktortilla:9a00612,
author = {Counter Threat Unit ResearchTeam},
title = {{DarkTortilla Malware Analysis}},
date = {2022-08-17},
organization = {Secureworks},
url = {https://www.secureworks.com/research/darktortilla-malware-analysis},
language = {English},
urldate = {2023-01-05}
}
DarkTortilla Malware Analysis Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer |
2022-08-17 ⋅ 360 ⋅ 360 Threat Intelligence Center @online{center:20220817:kasablanka:2a28570,
author = {360 Threat Intelligence Center},
title = {{Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East}},
date = {2022-08-17},
organization = {360},
url = {https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA},
language = {Chinese},
urldate = {2022-08-19}
}
Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East SpyNote Loda Nanocore RAT NjRAT |
2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220812:monster:cbf3101,
author = {Brad Duncan},
title = {{Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike}},
date = {2022-08-12},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28934},
language = {English},
urldate = {2022-08-15}
}
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike Cobalt Strike DarkVNC IcedID |
2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames @online{ames:20220811:increase:5cbc907,
author = {Robert Ames},
title = {{The Increase in Ransomware Attacks on Local Governments}},
date = {2022-08-11},
organization = {SecurityScorecard},
url = {https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments},
language = {English},
urldate = {2022-08-28}
}
The Increase in Ransomware Attacks on Local Governments BlackCat BlackCat Cobalt Strike LockBit |
2022-08-11 ⋅ Malcat ⋅ malcat team @online{team:20220811:lnk:29e9765,
author = {malcat team},
title = {{LNK forensic and config extraction of a cobalt strike beacon}},
date = {2022-08-11},
organization = {Malcat},
url = {https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/},
language = {English},
urldate = {2022-08-12}
}
LNK forensic and config extraction of a cobalt strike beacon Cobalt Strike |
2022-08-10 ⋅ Weixin ⋅ Red Raindrop Team @online{team:20220810:operation:cdad302,
author = {Red Raindrop Team},
title = {{Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe}},
date = {2022-08-10},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g},
language = {Chinese},
urldate = {2022-08-15}
}
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe BumbleBee Cobalt Strike |
2022-08-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220808:bumblebee:74d81a8,
author = {The DFIR Report},
title = {{BumbleBee Roasts Its Way to Domain Admin}},
date = {2022-08-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/},
language = {English},
urldate = {2022-08-09}
}
BumbleBee Roasts Its Way to Domain Admin BumbleBee Cobalt Strike |
2022-08-04 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya @online{bykkaya:20220804:lockbit:15879e8,
author = {Arda Büyükkaya},
title = {{LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool}},
date = {2022-08-04},
organization = {YouTube (Arda Büyükkaya)},
url = {https://www.youtube.com/watch?v=C733AyPzkoc},
language = {English},
urldate = {2022-08-08}
}
LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool Cobalt Strike LockBit |
2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20220803:flight:a8efd82,
author = {Brad Duncan},
title = {{Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware}},
date = {2022-08-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/},
language = {English},
urldate = {2022-08-08}
}
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware BazarBackdoor BumbleBee Cobalt Strike Conti |
2022-08-02 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura @online{malhotra:20220802:manjusaka:706c14a,
author = {Asheer Malhotra and Vitor Ventura},
title = {{Manjusaka: A Chinese sibling of Sliver and Cobalt Strike}},
date = {2022-08-02},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html},
language = {English},
urldate = {2022-08-02}
}
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike Manjusaka Cobalt Strike Manjusaka |
2022-07-30 ⋅ cocomelonc @online{cocomelonc:20220730:malware:0f84be1,
author = {cocomelonc},
title = {{Malware AV evasion - part 8. Encode payload via Z85}},
date = {2022-07-30},
url = {https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html},
language = {English},
urldate = {2022-12-01}
}
Malware AV evasion - part 8. Encode payload via Z85 Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector |
2022-07-28 ⋅ SentinelOne ⋅ Júlio Dantas, James Haughom, Julien Reisdorffer @online{dantas:20220728:living:3cc6f4f,
author = {Júlio Dantas and James Haughom and Julien Reisdorffer},
title = {{Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool}},
date = {2022-07-28},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/},
language = {English},
urldate = {2022-08-01}
}
Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool Cobalt Strike LockBit |
2022-07-27 ⋅ cyble ⋅ Cyble Research Labs @online{labs:20220727:targeted:aa69498,
author = {Cyble Research Labs},
title = {{Targeted Attacks Being Carried Out Via DLL SideLoading}},
date = {2022-07-27},
organization = {cyble},
url = {https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/},
language = {English},
urldate = {2022-08-15}
}
Targeted Attacks Being Carried Out Via DLL SideLoading Cobalt Strike QakBot |
2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards @online{edwards:20220727:threat:6aaf018,
author = {Joseph Edwards},
title = {{Threat analysis: Follina exploit fuels 'live-off-the-land' attacks}},
date = {2022-07-27},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks},
language = {English},
urldate = {2022-08-08}
}
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks Cobalt Strike MimiKatz |
2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama @online{tancio:20220727:gootkit:f1c63fa,
author = {Buddy Tancio and Jed Valderama},
title = {{Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike}},
date = {2022-07-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html},
language = {English},
urldate = {2022-07-29}
}
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike Cobalt Strike GootKit Kronos REvil SunCrypt |
2022-07-22 ⋅ Binary Ninja ⋅ Xusheng Li @online{li:20220722:reverse:3fa4adf,
author = {Xusheng Li},
title = {{Reverse Engineering a Cobalt Strike Dropper With Binary Ninja}},
date = {2022-07-22},
organization = {Binary Ninja},
url = {https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html},
language = {English},
urldate = {2022-07-25}
}
Reverse Engineering a Cobalt Strike Dropper With Binary Ninja Cobalt Strike |
2022-07-20 ⋅ NVISO Labs ⋅ Sasja Reynaert @online{reynaert:20220720:analysis:7a5093f,
author = {Sasja Reynaert},
title = {{Analysis of a trojanized jQuery script: GootLoader unleashed}},
date = {2022-07-20},
organization = {NVISO Labs},
url = {https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/},
language = {English},
urldate = {2022-07-25}
}
Analysis of a trojanized jQuery script: GootLoader unleashed GootLoader Cobalt Strike |
2022-07-20 ⋅ U.S. Cyber Command ⋅ Cyber National Mission Force Public Affairs @online{affairs:20220720:cyber:b7604e7,
author = {Cyber National Mission Force Public Affairs},
title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}},
date = {2022-07-20},
organization = {U.S. Cyber Command},
url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/},
language = {English},
urldate = {2022-07-25}
}
Cyber National Mission Force discloses IOCs from Ukrainian networks Cobalt Strike GraphSteel GrimPlant MicroBackdoor |
2022-07-20 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy, Marley Smith @online{kremez:20220720:anatomy:cd94a81,
author = {Vitali Kremez and Yelisey Boguslavskiy and Marley Smith},
title = {{Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion}},
date = {2022-07-20},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion},
language = {English},
urldate = {2022-07-25}
}
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion Cobalt Strike |
2022-07-20 ⋅ Mandiant ⋅ Mandiant Threat Intelligence @online{intelligence:20220720:evacuation:edd478e,
author = {Mandiant Threat Intelligence},
title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}},
date = {2022-07-20},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities},
language = {English},
urldate = {2022-07-25}
}
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities Cobalt Strike GraphSteel GrimPlant MicroBackdoor |
2022-07-19 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Peter Renals @online{harbison:20220719:russian:acbf388,
author = {Mike Harbison and Peter Renals},
title = {{Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive}},
date = {2022-07-19},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/},
language = {English},
urldate = {2022-07-19}
}
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive Cobalt Strike EnvyScout Gdrive |
2022-07-18 ⋅ Censys ⋅ Censys @techreport{censys:20220718:russian:dfd4246,
author = {Censys},
title = {{Russian Ransomware C2 Network Discovered in Censys Data}},
date = {2022-07-18},
institution = {Censys},
url = {https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf},
language = {English},
urldate = {2022-07-25}
}
Russian Ransomware C2 Network Discovered in Censys Data Cobalt Strike MimiKatz PoshC2 |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:obscure:28a0051,
author = {Unit 42},
title = {{Obscure Serpens}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/obscureserpens/},
language = {English},
urldate = {2022-07-29}
}
Obscure Serpens Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus |
2022-07-13 ⋅ Malwarebytes Labs ⋅ Roberto Santos, Hossein Jazi @online{santos:20220713:cobalt:5d47ba1,
author = {Roberto Santos and Hossein Jazi},
title = {{Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign}},
date = {2022-07-13},
organization = {Malwarebytes Labs},
url = {https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/},
language = {English},
urldate = {2022-07-14}
}
Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign Cobalt Strike |
2022-07-13 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj @online{navarrete:20220713:cobalt:dd907c3,
author = {Chris Navarrete and Durgesh Sangvikar and Yu Fu and Yanhui Jia and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption}},
date = {2022-07-13},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/},
language = {English},
urldate = {2022-07-15}
}
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption Cobalt Strike |
2022-07-11 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220711:uac0056:f690298,
author = {Cert-UA},
title = {{UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)}},
date = {2022-07-11},
organization = {Cert-UA},
url = {https://cert.gov.ua/article/703548},
language = {Ukrainian},
urldate = {2022-07-15}
}
UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941) Cobalt Strike |
2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220707:emotet:3732ca7,
author = {Brad Duncan},
title = {{Emotet infection with Cobalt Strike}},
date = {2022-07-07},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/},
language = {English},
urldate = {2022-07-12}
}
Emotet infection with Cobalt Strike Cobalt Strike Emotet |
2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger @online{villadsen:20220707:unprecedented:d0a6add,
author = {Ole Villadsen and Charlotte Hammond and Kat Weinberger},
title = {{Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine}},
date = {2022-07-07},
organization = {IBM},
url = {https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine},
language = {English},
urldate = {2022-07-12}
}
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter |
2022-07-06 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220706:uac0056:af030ea,
author = {Cert-UA},
title = {{UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)}},
date = {2022-07-06},
organization = {Cert-UA},
url = {https://cert.gov.ua/article/619229},
language = {Ukrainian},
urldate = {2022-07-15}
}
UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914) Cobalt Strike |
2022-07-01 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20220701:toddycat:485d554,
author = {RiskIQ},
title = {{ToddyCat: A Guided Journey through the Attacker's Infrastructure}},
date = {2022-07-01},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/d8b749f2},
language = {English},
urldate = {2022-07-15}
}
ToddyCat: A Guided Journey through the Attacker's Infrastructure ShadowPad ToddyCat |
2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa @online{apostol:20220630:black:7464953,
author = {Kenneth Adrian Apostol and Paolo Ronniel Labrador and Mirah Manlapig and James Panlilio and Emmanuel Panopio and John Kenneth Reyes and Melvin Singwa},
title = {{Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit}},
date = {2022-06-30},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html},
language = {English},
urldate = {2022-07-05}
}
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit Black Basta Cobalt Strike QakBot |
2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs @online{labs:20220628:zuorat:f60583e,
author = {Black Lotus Labs},
title = {{ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks}},
date = {2022-06-28},
organization = {Lumen},
url = {https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/},
language = {English},
urldate = {2022-06-30}
}
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks ZuoRAT Cobalt Strike |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov @online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad Cobalt Strike PlugX ShadowPad |
2022-06-26 ⋅ BushidoToken @online{bushidotoken:20220626:overview:97370ff,
author = {BushidoToken},
title = {{Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022}},
date = {2022-06-26},
url = {https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html},
language = {English},
urldate = {2022-08-09}
}
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022 Cobalt Strike CredoMap EnvyScout |
2022-06-23 ⋅ cyble ⋅ Cyble Research Labs @online{labs:20220623:matanbuchus:45ed604,
author = {Cyble Research Labs},
title = {{Matanbuchus Loader Resurfaces}},
date = {2022-06-23},
organization = {cyble},
url = {https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/},
language = {English},
urldate = {2022-08-15}
}
Matanbuchus Loader Resurfaces Cobalt Strike Matanbuchus |
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220623:bronze:8bccd74,
author = {Counter Threat Unit Research Team},
title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
date = {2022-06-23},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
language = {English},
urldate = {2022-09-20}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster |
2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere @online{costa:20220621:avos:b60a2ad,
author = {Flavio Costa and Chris Neal and Guilherme Venere},
title = {{Avos ransomware group expands with new attack arsenal}},
date = {2022-06-21},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html},
language = {English},
urldate = {2022-06-22}
}
Avos ransomware group expands with new attack arsenal AvosLocker Cobalt Strike DarkComet MimiKatz |
2022-06-20 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220620:uac0098:2a68eac,
author = {Cert-UA},
title = {{UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)}},
date = {2022-06-20},
organization = {Cert-UA},
url = {https://cert.gov.ua/article/339662},
language = {Ukrainian},
urldate = {2022-07-15}
}
UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842) Cobalt Strike |
2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220617:malspam:25c76a4,
author = {Brad Duncan},
title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}},
date = {2022-06-17},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28752},
language = {English},
urldate = {2022-06-22}
}
Malspam pushes Matanbuchus malware, leads to Cobalt Strike Cobalt Strike Matanbuchus |
2022-06-07 ⋅ cyble ⋅ Cyble @online{cyble:20220607:bumblebee:9f2dc4a,
author = {Cyble},
title = {{Bumblebee Loader on The Rise}},
date = {2022-06-07},
organization = {cyble},
url = {https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/},
language = {English},
urldate = {2022-06-09}
}
Bumblebee Loader on The Rise BumbleBee Cobalt Strike |
2022-06-07 ⋅ AdvIntel ⋅ Vitali Kremez, Marley Smith, Yelisey Boguslavskiy @online{kremez:20220607:blackcat:3dc977e,
author = {Vitali Kremez and Marley Smith and Yelisey Boguslavskiy},
title = {{BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive}},
date = {2022-06-07},
organization = {AdvIntel},
url = {https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive},
language = {English},
urldate = {2022-06-08}
}
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive BlackCat BlackCat Cobalt Strike |
2022-06-06 ⋅ Trellix ⋅ Trellix @online{trelix:20220606:growling:14f9f75,
author = {Trellix},
title = {{Growling Bears Make Thunderous Noise}},
date = {2022-06-06},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html},
language = {English},
urldate = {2022-06-08}
}
Growling Bears Make Thunderous Noise Cobalt Strike HermeticWiper WhisperGate |
2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20220604:quicknote:dc79142,
author = {m4n0w4r and Tran Trung Kien},
title = {{[QuickNote] CobaltStrike SMB Beacon Analysis}},
date = {2022-06-04},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/},
language = {English},
urldate = {2022-06-07}
}
[QuickNote] CobaltStrike SMB Beacon Analysis Cobalt Strike |
2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team @online{wells:20220603:attack:5e4e9c6,
author = {Jackson Wells and AttackIQ Adversary Research Team},
title = {{Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group}},
date = {2022-06-03},
organization = {AttackIQ},
url = {https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/},
language = {English},
urldate = {2022-06-18}
}
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group Cobalt Strike MimiKatz |
2022-06-02 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220602:trending:0bcdbc4,
author = {Mandiant},
title = {{TRENDING EVIL Q2 2022}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://experience.mandiant.com/trending-evil-2/p/1},
language = {English},
urldate = {2022-06-07}
}
TRENDING EVIL Q2 2022 CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot |
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence @online{intelligence:20220602:to:e15831c,
author = {Mandiant Intelligence},
title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions},
language = {English},
urldate = {2022-06-04}
}
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease @online{stepanic:20220601:cuba:333f7c1,
author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease},
title = {{CUBA Ransomware Campaign Analysis}},
date = {2022-06-01},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis},
language = {English},
urldate = {2022-06-09}
}
CUBA Ransomware Campaign Analysis Cobalt Strike Cuba Meterpreter MimiKatz SystemBC |
2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20220525:socgholish:f876e0e,
author = {Jason Reaves and Joshua Platt},
title = {{SocGholish Campaigns and Initial Access Kit}},
date = {2022-05-25},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee},
language = {English},
urldate = {2022-06-02}
}
SocGholish Campaigns and Initial Access Kit FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT |
2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin @online{goutin:20220524:malware:e85b49b,
author = {Florian Goutin},
title = {{Malware Analysis: Trickbot}},
date = {2022-05-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html},
language = {English},
urldate = {2022-05-29}
}
Malware Analysis: Trickbot Cobalt Strike Conti Ryuk TrickBot |
2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight @online{batista:20220524:emotet:cae57f1,
author = {João Batista and Pedro Umbelino and BitSight},
title = {{Emotet Botnet Rises Again}},
date = {2022-05-24},
organization = {BitSight},
url = {https://www.bitsight.com/blog/emotet-botnet-rises-again},
language = {English},
urldate = {2022-05-25}
}
Emotet Botnet Rises Again Cobalt Strike Emotet QakBot SystemBC |
2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel @online{reichel:20220522:introduction:47edade,
author = {Dominik Reichel},
title = {{Introduction of a PE file extractor for various situations}},
date = {2022-05-22},
organization = {R136a1},
url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/},
language = {English},
urldate = {2022-06-02}
}
Introduction of a PE file extractor for various situations Cobalt Strike Matanbuchus |
2022-05-20 ⋅ AhnLab ⋅ ASEC @online{asec:20220520:why:c6efba7,
author = {ASEC},
title = {{Why Remediation Alone Is Not Enough When Infected by Malware}},
date = {2022-05-20},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/34549/},
language = {English},
urldate = {2022-05-24}
}
Why Remediation Alone Is Not Enough When Infected by Malware Cobalt Strike DarkSide |
2022-05-20 ⋅ sonatype ⋅ Ax Sharma @online{sharma:20220520:new:15b8bf7,
author = {Ax Sharma},
title = {{New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux}},
date = {2022-05-20},
organization = {sonatype},
url = {https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux},
language = {English},
urldate = {2022-05-24}
}
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux Cobalt Strike |
2022-05-20 ⋅ Cybleinc ⋅ Cyble @online{cyble:20220520:malware:c20f29f,
author = {Cyble},
title = {{Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon}},
date = {2022-05-20},
organization = {Cybleinc},
url = {https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/},
language = {English},
urldate = {2022-05-23}
}
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon Cobalt Strike |
2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220519:bumblebee:0703c7d,
author = {Brad Duncan},
title = {{Bumblebee Malware from TransferXL URLs}},
date = {2022-05-19},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664},
language = {English},
urldate = {2023-04-06}
}
Bumblebee Malware from TransferXL URLs BumbleBee Cobalt Strike |
2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220519:bumblebee:20c59e6,
author = {Brad Duncan},
title = {{Bumblebee Malware from TransferXL URLs}},
date = {2022-05-19},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28664},
language = {English},
urldate = {2022-05-25}
}
Bumblebee Malware from TransferXL URLs BumbleBee Cobalt Strike |
2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT @techreport{prodaft:20220518:wizard:e7ee1c4,
author = {PRODAFT},
title = {{Wizard Spider In-Depth Analysis}},
date = {2022-05-18},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf},
language = {English},
urldate = {2022-05-25}
}
Wizard Spider In-Depth Analysis Cobalt Strike Conti |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies @online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220517:ransomware:7b86339,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: RansomEXX}},
date = {2022-05-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx},
language = {English},
urldate = {2022-05-25}
}
Ransomware Spotlight: RansomEXX LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot |
2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber @techreport{lambert:20220512:gootloader:4562030,
author = {Tony Lambert and Lauren Podber},
title = {{Gootloader and Cobalt Strike malware analysis}},
date = {2022-05-12},
institution = {Red Canary},
url = {https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf},
language = {English},
urldate = {2022-05-13}
}
Gootloader and Cobalt Strike malware analysis GootLoader Cobalt Strike |
2022-05-12 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220512:what:05369d4,
author = {Intel 471},
title = {{What malware to look for if you want to prevent a ransomware attack}},
date = {2022-05-12},
organization = {Intel 471},
url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike},
language = {English},
urldate = {2022-05-13}
}
What malware to look for if you want to prevent a ransomware attack Conti BumbleBee Cobalt Strike IcedID Sliver |
2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh @techreport{chang:20220512:next:5fd8a83,
author = {Leon Chang and Silvia Yeh},
title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}},
date = {2022-05-12},
institution = {TEAMT5},
url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf},
language = {English},
urldate = {2022-08-08}
}
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides) KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu |
2022-05-12 ⋅ Morphisec ⋅ Hido Cohen @online{cohen:20220512:new:6e12278,
author = {Hido Cohen},
title = {{New SYK Crypter Distributed Via Discord}},
date = {2022-05-12},
organization = {Morphisec},
url = {https://blog.morphisec.com/syk-crypter-discord},
language = {English},
urldate = {2022-06-09}
}
New SYK Crypter Distributed Via Discord AsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer |
2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber @online{lambert:20220512:goot:1fc62fa,
author = {Tony Lambert and Lauren Podber},
title = {{The Goot cause: Detecting Gootloader and its follow-on activity}},
date = {2022-05-12},
organization = {Red Canary},
url = {https://redcanary.com/blog/gootloader},
language = {English},
urldate = {2022-05-13}
}
The Goot cause: Detecting Gootloader and its follow-on activity GootLoader Cobalt Strike |
2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220511:ta578:0a0a686,
author = {Brad Duncan},
title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}},
date = {2022-05-11},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/28636},
language = {English},
urldate = {2022-05-11}
}
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware BumbleBee Cobalt Strike IcedID PhotoLoader |
2022-05-11 ⋅ NTT ⋅ Ryu Hiyoshi @online{hiyoshi:20220511:operation:b5a845d,
author = {Ryu Hiyoshi},
title = {{Operation RestyLink: Targeted attack campaign targeting Japanese companies}},
date = {2022-05-11},
organization = {NTT},
url = {https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink},
language = {Japanese},
urldate = {2022-05-11}
}
Operation RestyLink: Targeted attack campaign targeting Japanese companies Cobalt Strike |
2022-05-10 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20220510:malware:915e04f,
author = {Marco Ramilli},
title = {{A Malware Analysis in RU-AU conflict}},
date = {2022-05-10},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/},
language = {English},
urldate = {2022-11-22}
}
A Malware Analysis in RU-AU conflict Cobalt Strike |
2022-05-09 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220509:dirty:76f87f1,
author = {The BlackBerry Research & Intelligence Team},
title = {{Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains}},
date = {2022-05-09},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains},
language = {English},
urldate = {2022-05-17}
}
Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains DCRat NjRAT |
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220509:seo:cc8b1c2,
author = {The DFIR Report},
title = {{SEO Poisoning – A Gootloader Story}},
date = {2022-05-09},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/},
language = {English},
urldate = {2022-06-09}
}
SEO Poisoning – A Gootloader Story GootLoader LaZagne Cobalt Strike GootKit |
2022-05-09 ⋅ TEAMT5 ⋅ TeamT5 @online{teamt5:20220509:hiding:5e7c212,
author = {TeamT5},
title = {{Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services}},
date = {2022-05-09},
organization = {TEAMT5},
url = {https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services},
language = {English},
urldate = {2022-05-11}
}
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services Cobalt Strike |
2022-05-09 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220509:malware:1cdee23,
author = {cocomelonc},
title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}},
date = {2022-05-09},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html},
language = {English},
urldate = {2022-12-01}
}
Malware development: persistence - part 4. Windows services. Simple C++ example. Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu |
2022-05-08 ⋅ IronNet ⋅ Michael Leardi, Joey Fitzpatrick, Brent Eskridge @online{leardi:20220508:tracking:8f52310,
author = {Michael Leardi and Joey Fitzpatrick and Brent Eskridge},
title = {{Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine}},
date = {2022-05-08},
organization = {IronNet},
url = {https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine},
language = {English},
urldate = {2022-05-09}
}
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine Cobalt Strike |
2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj @online{navarrete:20220506:cobalt:8248108,
author = {Chris Navarrete and Durgesh Sangvikar and Yu Fu and Yanhui Jia and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding}},
date = {2022-05-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/},
language = {English},
urldate = {2022-05-09}
}
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding Cobalt Strike |
2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence @online{intelligence:20220506:twitter:7a00df8,
author = {Microsoft Security Intelligence},
title = {{Twitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity}},
date = {2022-05-06},
organization = {Twitter (@MsftSecIntel)},
url = {https://twitter.com/MsftSecIntel/status/1522690116979855360},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity FAKEUPDATES Blister Cobalt Strike LockBit |
2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220506:this:e7fb654,
author = {Ravie Lakshmanan},
title = {{This New Fileless Malware Hides Shellcode in Windows Event Logs}},
date = {2022-05-06},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html},
language = {English},
urldate = {2022-05-08}
}
This New Fileless Malware Hides Shellcode in Windows Event Logs Cobalt Strike |
2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay @online{an:20220505:mustang:cbc06e9,
author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay},
title = {{Mustang Panda deploys a new wave of malware targeting Europe}},
date = {2022-05-05},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html},
language = {English},
urldate = {2022-05-05}
}
Mustang Panda deploys a new wave of malware targeting Europe Cobalt Strike Meterpreter PlugX |
2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix @online{felix:20220504:twitter:0fb7e35,
author = {Felix},
title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}},
date = {2022-05-04},
organization = {Twitter (@felixw3000)},
url = {https://twitter.com/felixw3000/status/1521816045769662468},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC. Cobalt Strike IcedID PhotoLoader |
2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo @online{legezo:20220504:new:02f705f,
author = {Denis Legezo},
title = {{A new secret stash for “fileless” malware}},
date = {2022-05-04},
organization = {Kaspersky},
url = {https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/},
language = {English},
urldate = {2022-05-09}
}
A new secret stash for “fileless” malware Cobalt Strike |
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group @online{group:20220503:solardeflection:5419c1a,
author = {Insikt Group},
title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}},
date = {2022-05-03},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/},
language = {English},
urldate = {2022-05-06}
}
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse Cobalt Strike |
2022-05-03 ⋅ Cluster25 ⋅ Cluster25 @online{cluster25:20220503:strange:1481afa,
author = {Cluster25},
title = {{The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet}},
date = {2022-05-03},
organization = {Cluster25},
url = {https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/},
language = {English},
urldate = {2022-05-04}
}
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet Cobalt Strike IsaacWiper PyXie |
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220503:solardeflection:1470221,
author = {Insikt Group®},
title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}},
date = {2022-05-03},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf},
language = {English},
urldate = {2022-05-04}
}
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse Cobalt Strike EnvyScout |
2022-05-02 ⋅ Cisco Talos ⋅ Kendall McKay, Paul Eubanks, JAIME FILSON @techreport{mckay:20220502:conti:330e34b,
author = {Kendall McKay and Paul Eubanks and JAIME FILSON},
title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}},
date = {2022-05-02},
institution = {Cisco Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf},
language = {English},
urldate = {2022-05-04}
}
Conti and Hive ransomware operations: Leveraging victim chats for insights Cobalt Strike Conti Hive |
2022-05-02 ⋅ Macnica ⋅ Hiroshi Takeuchi @online{takeuchi:20220502:attack:8a7d966,
author = {Hiroshi Takeuchi},
title = {{Attack Campaigns that Exploit Shortcuts and ISO Files}},
date = {2022-05-02},
organization = {Macnica},
url = {https://security.macnica.co.jp/blog/2022/05/iso.html},
language = {Japanese},
urldate = {2022-05-03}
}
Attack Campaigns that Exploit Shortcuts and ISO Files Cobalt Strike |
2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich @online{chen:20220502:moshen:1969df2,
author = {Joey Chen and Amitai Ben Shushan Ehrlich},
title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}},
date = {2022-05-02},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/},
language = {English},
urldate = {2022-05-04}
}
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad PlugX ShadowPad |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:46707aa,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
2022-04-28 ⋅ Mandiant ⋅ John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby @online{wolfram:20220428:trello:dab21ca,
author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby},
title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}},
date = {2022-04-28},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns},
language = {English},
urldate = {2022-04-29}
}
Trello From the Other Side: Tracking APT29 Phishing Campaigns Cobalt Strike |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:c43873f,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen |
2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter @online{haughom:20220427:lockbit:f0328ef,
author = {James Haughom and Júlio Dantas and Jim Walter},
title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}},
date = {2022-04-27},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility},
language = {English},
urldate = {2022-07-25}
}
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility Cobalt Strike LockBit BRONZE STARLIGHT |
2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter @online{haughom:20220427:lockbit:da3d5d1,
author = {James Haughom and Júlio Dantas and Jim Walter},
title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}},
date = {2022-04-27},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/},
language = {English},
urldate = {2022-04-29}
}
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility Cobalt Strike LockBit |
2022-04-27 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220427:assembling:a7068b9,
author = {Mandiant},
title = {{Assembling the Russian Nesting Doll: UNC2452 Merged into APT29}},
date = {2022-04-27},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2452-merged-into-apt29},
language = {English},
urldate = {2022-04-29}
}
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29 Cobalt Strike Raindrop SUNBURST TEARDROP |
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:18f7e31,
author = {Trendmicro},
title = {{IOCs for Earth Berberoka - Windows}},
date = {2022-04-27},
organization = {Trendmicro},
url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt},
language = {English},
urldate = {2022-07-25}
}
IOCs for Earth Berberoka - Windows AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Gambling Puppet}},
date = {2022-04-27},
institution = {Trendmicro},
url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-27 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20220427:le:5d47343,
author = {ANSSI},
title = {{LE GROUPE CYBERCRIMINEL FIN7}},
date = {2022-04-27},
institution = {ANSSI},
url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf},
language = {French},
urldate = {2022-05-05}
}
LE GROUPE CYBERCRIMINEL FIN7 Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot |
2022-04-26 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220426:conti:6bcff7d,
author = {Intel 471},
title = {{Conti and Emotet: A constantly destructive duo}},
date = {2022-04-26},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks},
language = {English},
urldate = {2022-04-29}
}
Conti and Emotet: A constantly destructive duo Cobalt Strike Conti Emotet IcedID QakBot TrickBot |
2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin @online{flores:20220426:how:28d9476,
author = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin},
title = {{How Cybercriminals Abuse Cloud Tunneling Services}},
date = {2022-04-26},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services},
language = {English},
urldate = {2022-05-03}
}
How Cybercriminals Abuse Cloud Tunneling Services AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT |
2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs @online{labs:20220425:new:7b1c795,
author = {Morphisec Labs},
title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}},
date = {2022-04-25},
organization = {Morphisec},
url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor},
language = {English},
urldate = {2022-04-29}
}
New Core Impact Backdoor Delivered Via VMware Vulnerability Cobalt Strike JSSLoader |
2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220425:quantum:128d2b3,
author = {The DFIR Report},
title = {{Quantum Ransomware}},
date = {2022-04-25},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/},
language = {English},
urldate = {2022-04-25}
}
Quantum Ransomware Cobalt Strike IcedID |
2022-04-21 ⋅ ZeroSec ⋅ Andy Gill @online{gill:20220421:understanding:65e50fe,
author = {Andy Gill},
title = {{Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6}},
date = {2022-04-21},
organization = {ZeroSec},
url = {https://blog.zsec.uk/cobalt-strike-profiles/},
language = {English},
urldate = {2022-04-24}
}
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6 Cobalt Strike |
2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia @online{ovadia:20220419:hive:51c5eb7,
author = {Nadav Ovadia},
title = {{Hive Ransomware Analysis}},
date = {2022-04-19},
organization = {Varonis},
url = {https://www.varonis.com/blog/hive-ransomware-analysis},
language = {English},
urldate = {2022-04-25}
}
Hive Ransomware Analysis Cobalt Strike Hive MimiKatz |
2022-04-19 ⋅ Blake's R&D ⋅ bmcder02 @online{bmcder02:20220419:extracting:3e827cf,
author = {bmcder02},
title = {{Extracting Cobalt Strike from Windows Error Reporting}},
date = {2022-04-19},
organization = {Blake's R&D},
url = {https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting},
language = {English},
urldate = {2022-04-20}
}
Extracting Cobalt Strike from Windows Error Reporting Cobalt Strike |
2022-04-18 ⋅ vanmieghem ⋅ Vincent Van Mieghem @online{mieghem:20220418:blueprint:c4009ef,
author = {Vincent Van Mieghem},
title = {{A blueprint for evading industry leading endpoint protection in 2022}},
date = {2022-04-18},
organization = {vanmieghem},
url = {https://vanmieghem.io/blueprint-for-evading-edr-in-2022/},
language = {English},
urldate = {2022-04-20}
}
A blueprint for evading industry leading endpoint protection in 2022 Cobalt Strike |
2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20220418:enter:2f9b689,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}},
date = {2022-04-18},
organization = {AdvIntel},
url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group},
language = {English},
urldate = {2022-05-17}
}
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive |
2022-04-18 ⋅ SentinelOne ⋅ James Haughom @online{haughom:20220418:from:b73f12b,
author = {James Haughom},
title = {{From the Front Lines | Peering into A PYSA Ransomware Attack}},
date = {2022-04-18},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/},
language = {English},
urldate = {2022-04-20}
}
From the Front Lines | Peering into A PYSA Ransomware Attack Chisel Chisel Cobalt Strike Mespinoza |
2022-04-14 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20220414:orion:9db6814,
author = {Max Malyutin},
title = {{Orion Threat Alert: Flight of the BumbleBee}},
date = {2022-04-14},
organization = {Cynet},
url = {https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/},
language = {English},
urldate = {2022-05-04}
}
Orion Threat Alert: Flight of the BumbleBee BumbleBee Cobalt Strike |
2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka @online{boutin:20220413:eset:7463437,
author = {Jean-Ian Boutin and Tomáš Procházka},
title = {{ESET takes part in global operation to disrupt Zloader botnets}},
date = {2022-04-13},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/},
language = {English},
urldate = {2022-04-14}
}
ESET takes part in global operation to disrupt Zloader botnets Cobalt Strike Zloader |
2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20220413:dismantling:ace8546,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware}},
date = {2022-04-13},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/},
language = {English},
urldate = {2022-04-14}
}
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware BlackMatter Cobalt Strike DarkSide Ryuk Zloader |
2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya @online{bykkaya:20220408:threat:cbbf292,
author = {Arda Büyükkaya},
title = {{Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team}},
date = {2022-04-08},
organization = {Infinitum Labs},
url = {https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/},
language = {English},
urldate = {2022-04-08}
}
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team Cobalt Strike MimiKatz |
2022-04-08 ⋅ The Register ⋅ Laura Dobberstein @online{dobberstein:20220408:china:6626bbc,
author = {Laura Dobberstein},
title = {{China accused of cyberattacks on Indian power grid}},
date = {2022-04-08},
organization = {The Register},
url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/},
language = {English},
urldate = {2022-04-12}
}
China accused of cyberattacks on Indian power grid ShadowPad |
2022-04-07 ⋅ InQuest ⋅ Will MacArthur, Nick Chalard @online{macarthur:20220407:ukraine:99bef5a,
author = {Will MacArthur and Nick Chalard},
title = {{Ukraine CyberWar Overview}},
date = {2022-04-07},
organization = {InQuest},
url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview},
language = {English},
urldate = {2022-04-29}
}
Ukraine CyberWar Overview CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate |
2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20220407:you:2d088bc,
author = {Splunk Threat Research Team},
title = {{You Bet Your Lsass: Hunting LSASS Access}},
date = {2022-04-07},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html},
language = {English},
urldate = {2022-05-04}
}
You Bet Your Lsass: Hunting LSASS Access Cobalt Strike MimiKatz |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220406:continued:dcee8d2,
author = {Insikt Group®},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)}},
date = {2022-04-06},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf},
language = {English},
urldate = {2022-08-05}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38) ShadowPad |
2022-04-06 ⋅ Github (infinitumlabs) ⋅ Arda Büyükkaya @online{bykkaya:20220406:karakurt:7471190,
author = {Arda Büyükkaya},
title = {{Karakurt Hacking Team Indicators of Compromise (IOC)}},
date = {2022-04-06},
organization = {Github (infinitumlabs)},
url = {https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI},
language = {English},
urldate = {2022-04-08}
}
Karakurt Hacking Team Indicators of Compromise (IOC) Cobalt Strike |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group @online{group:20220406:continued:cdf57e5,
author = {Insikt Group},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group}},
date = {2022-04-06},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/},
language = {English},
urldate = {2022-04-12}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group ShadowPad |
2022-04-04 ⋅ Mandiant ⋅ Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague @online{abdo:20220404:fin7:305d62b,
author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague},
title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}},
date = {2022-04-04},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/evolution-of-fin7},
language = {English},
urldate = {2022-06-27}
}
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite |
2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team @online{pantazopoulos:20220331:continuation:b38514d,
author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team},
title = {{Conti-nuation: methods and techniques observed in operations post the leaks}},
date = {2022-03-31},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/},
language = {English},
urldate = {2022-03-31}
}
Conti-nuation: methods and techniques observed in operations post the leaks Cobalt Strike Conti QakBot |
2022-03-31 ⋅ SC Media ⋅ SC Staff @online{staff:20220331:novel:ef704af,
author = {SC Staff},
title = {{Novel obfuscation leveraged by Hive ransomware}},
date = {2022-03-31},
organization = {SC Media},
url = {https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware},
language = {English},
urldate = {2022-04-05}
}
Novel obfuscation leveraged by Hive ransomware Cobalt Strike Hive |
2022-03-30 ⋅ Prevailion ⋅ Prevailion @online{prevailion:20220330:wizard:6eb38a7,
author = {Prevailion},
title = {{Wizard Spider continues to confound}},
date = {2022-03-30},
organization = {Prevailion},
url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903},
language = {English},
urldate = {2022-03-31}
}
Wizard Spider continues to confound BazarBackdoor Cobalt Strike Emotet |
2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220330:phishing:035d666,
author = {Bill Toulas},
title = {{Phishing campaign targets Russian govt dissidents with Cobalt Strike}},
date = {2022-03-30},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/},
language = {English},
urldate = {2022-03-31}
}
Phishing campaign targets Russian govt dissidents with Cobalt Strike Unidentified PS 002 (RAT) Cobalt Strike |
2022-03-29 ⋅ SentinelOne ⋅ James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias @online{haughom:20220329:from:5e4b8cc,
author = {James Haughom and Antonis Terefos and Jim Walter and Jeff Cavanaugh and Nick Fox and Shai Tilias},
title = {{From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection}},
date = {2022-03-29},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/},
language = {English},
urldate = {2022-03-31}
}
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection Cobalt Strike Hive |
2022-03-29 ⋅ Malwarebytes Labs ⋅ Hossein Jazi @online{jazi:20220329:new:21f3605,
author = {Hossein Jazi},
title = {{New spear phishing campaign targets Russian dissidents}},
date = {2022-03-29},
organization = {Malwarebytes Labs},
url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/},
language = {English},
urldate = {2022-03-31}
}
New spear phishing campaign targets Russian dissidents Unidentified PS 002 (RAT) Cobalt Strike |
2022-03-28 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20220328:cobaltstrike:65362d3,
author = {Jason Reaves},
title = {{CobaltStrike UUID stager}},
date = {2022-03-28},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64},
language = {English},
urldate = {2022-04-05}
}
CobaltStrike UUID stager Cobalt Strike |
2022-03-25 ⋅ nccgroup ⋅ Yun Zheng Hu @online{hu:20220325:mining:287a2e7,
author = {Yun Zheng Hu},
title = {{Mining data from Cobalt Strike beacons}},
date = {2022-03-25},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/},
language = {English},
urldate = {2022-03-28}
}
Mining data from Cobalt Strike beacons Cobalt Strike |
2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP) @online{cip:20220325:who:e75f0ac,
author = {State Service of Special Communication and Information Protection of Ukraine (CIP)},
title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}},
date = {2022-03-25},
organization = {GOV.UA},
url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya},
language = {English},
urldate = {2022-08-05}
}
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22 Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT |
2022-03-22 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20220322:2022:67c40ea,
author = {Red Canary},
title = {{2022 Threat Detection Report}},
date = {2022-03-22},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf},
language = {English},
urldate = {2022-03-23}
}
2022 Threat Detection Report FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT |
2022-03-22 ⋅ NVISO Labs ⋅ Didier Stevens @online{stevens:20220322:cobalt:fdf35ba,
author = {Didier Stevens},
title = {{Cobalt Strike: Overview – Part 7}},
date = {2022-03-22},
organization = {NVISO Labs},
url = {https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/},
language = {English},
urldate = {2022-03-23}
}
Cobalt Strike: Overview – Part 7 Cobalt Strike |
2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas @online{vaas:20220321:conti:0b203c8,
author = {Lisa Vaas},
title = {{Conti Ransomware V. 3, Including Decryptor, Leaked}},
date = {2022-03-21},
organization = {Threat Post},
url = {https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/},
language = {English},
urldate = {2022-03-22}
}
Conti Ransomware V. 3, Including Decryptor, Leaked Cobalt Strike Conti TrickBot |
2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220321:conti:507fdf9,
author = {eSentire Threat Response Unit (TRU)},
title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}},
date = {2022-03-21},
organization = {eSentire},
url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire},
language = {English},
urldate = {2022-05-23}
}
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID |
2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group @online{stolyarov:20220317:exposing:f818c6d,
author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group},
title = {{Exposing initial access broker with ties to Conti}},
date = {2022-03-17},
organization = {Google},
url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/},
language = {English},
urldate = {2022-03-18}
}
Exposing initial access broker with ties to Conti BazarBackdoor BumbleBee Cobalt Strike Conti |
2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220316:qakbot:7fe703f,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220316:qakbot:ff11e1e,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28448},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-16 ⋅ paloalto Networks: Unit42 ⋅ Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj @online{navarrete:20220316:cobalt:015f5df,
author = {Chris Navarrete and Durgesh Sangvikar and Andrew Guan and Yu Fu and Yanhui Jia and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect}},
date = {2022-03-16},
organization = {paloalto Networks: Unit42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/},
language = {English},
urldate = {2022-03-18}
}
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect Cobalt Strike |
2022-03-15 ⋅ SentinelOne ⋅ Amitai Ben Shushan Ehrlich @online{ehrlich:20220315:threat:7f64477,
author = {Amitai Ben Shushan Ehrlich},
title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}},
date = {2022-03-15},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/},
language = {English},
urldate = {2022-03-17}
}
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software Cobalt Strike GraphSteel GrimPlant SaintBear |
2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith @online{stafford:20220315:what:1df16e6,
author = {Matt Stafford and Sherman Smith},
title = {{What Wicked Webs We Un-weave}},
date = {2022-03-15},
organization = {Prevailion},
url = {https://www.prevailion.com/what-wicked-webs-we-unweave/},
language = {English},
urldate = {2022-03-17}
}
What Wicked Webs We Un-weave Cobalt Strike Conti |
2022-03-14 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220314:fake:c599da1,
author = {Bill Toulas},
title = {{Fake antivirus updates used to deploy Cobalt Strike in Ukraine}},
date = {2022-03-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/},
language = {English},
urldate = {2022-03-15}
}
Fake antivirus updates used to deploy Cobalt Strike in Ukraine Cobalt Strike |
2022-03-12 ⋅ Arash's Blog ⋅ Arash Parsa @online{parsa:20220312:analyzing:5b0c5f2,
author = {Arash Parsa},
title = {{Analyzing Malware with Hooks, Stomps, and Return-addresses}},
date = {2022-03-12},
organization = {Arash's Blog},
url = {https://www.arashparsa.com/catching-a-malware-with-no-name/},
language = {English},
urldate = {2022-03-28}
}
Analyzing Malware with Hooks, Stomps, and Return-addresses Cobalt Strike |
2022-03-11 ⋅ Cert-UA @online{certua:20220311:cyberattack:1e34a52,
author = {Cert-UA},
title = {{Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)}},
date = {2022-03-11},
url = {https://cert.gov.ua/article/37704},
language = {Ukrainian},
urldate = {2022-03-14}
}
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145) Cobalt Strike |
2022-03-09 ⋅ Lab52 ⋅ Lab52 @online{lab52:20220309:very:b667537,
author = {Lab52},
title = {{Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation}},
date = {2022-03-09},
organization = {Lab52},
url = {https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/},
language = {English},
urldate = {2022-03-10}
}
Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation NjRAT |
2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini @online{figueroa:20220309:conti:d237b64,
author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini},
title = {{The Conti Leaks | Insight into a Ransomware Unicorn}},
date = {2022-03-09},
organization = {BreachQuest},
url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/},
language = {English},
urldate = {2022-03-14}
}
The Conti Leaks | Insight into a Ransomware Unicorn Cobalt Strike MimiKatz TrickBot |
2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20220309:cisa:63f18cd,
author = {Ionut Ilascu},
title = {{CISA updates Conti ransomware alert with nearly 100 domain names}},
date = {2022-03-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/},
language = {English},
urldate = {2022-03-10}
}
CISA updates Conti ransomware alert with nearly 100 domain names BazarBackdoor Cobalt Strike Conti TrickBot |
2022-03-08 ⋅ Mandiant ⋅ Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram @online{brown:20220308:does:94c6c3e,
author = {Rufus Brown and Van Ta and Douglas Bienstock and Geoff Ackerman and John Wolfram},
title = {{Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments}},
date = {2022-03-08},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/apt41-us-state-governments},
language = {English},
urldate = {2022-03-10}
}
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments KEYPLUG Cobalt Strike LOWKEY |
2022-03-07 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220307:2021:c2e2fbe,
author = {The DFIR Report},
title = {{2021 Year In Review}},
date = {2022-03-07},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/03/07/2021-year-in-review/},
language = {English},
urldate = {2022-03-07}
}
2021 Year In Review Cobalt Strike |
2022-03-04 ⋅ Telsy ⋅ Telsy @online{telsy:20220304:legitimate:d46b40c,
author = {Telsy},
title = {{Legitimate Sites Used As Cobalt Strike C2s Against Indian Government}},
date = {2022-03-04},
organization = {Telsy},
url = {https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/},
language = {English},
urldate = {2022-03-07}
}
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government Cobalt Strike |
2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220303:cyberattacks:d961eb0,
author = {Trend Micro Research},
title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}},
date = {2022-03-03},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html},
language = {English},
urldate = {2022-03-04}
}
Cyberattacks are Prominent in the Russia-Ukraine Conflict BazarBackdoor Cobalt Strike Conti Emotet WhisperGate |
2022-03 ⋅ VirusTotal ⋅ VirusTotal @techreport{virustotal:202203:virustotals:c6af9c1,
author = {VirusTotal},
title = {{VirusTotal's 2021 Malware Trends Report}},
date = {2022-03},
institution = {VirusTotal},
url = {https://assets.virustotal.com/reports/2021trends.pdf},
language = {English},
urldate = {2022-04-13}
}
VirusTotal's 2021 Malware Trends Report Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT |
2022-02-24 ⋅ Fortinet ⋅ Fred Gutierrez @online{gutierrez:20220224:nobelium:46d943e,
author = {Fred Gutierrez},
title = {{Nobelium Returns to the Political World Stage}},
date = {2022-02-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage},
language = {English},
urldate = {2022-03-02}
}
Nobelium Returns to the Political World Stage Cobalt Strike |
2022-02-24 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20220224:new:014251e,
author = {Max Malyutin},
title = {{New Wave of Emotet – When Project X Turns Into Y}},
date = {2022-02-24},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/},
language = {English},
urldate = {2022-05-04}
}
New Wave of Emotet – When Project X Turns Into Y Cobalt Strike Emotet |
2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt @online{brandt:20220223:dridex:c1d4784,
author = {Andrew Brandt},
title = {{Dridex bots deliver Entropy ransomware in recent attacks}},
date = {2022-02-23},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/},
language = {English},
urldate = {2022-03-01}
}
Dridex bots deliver Entropy ransomware in recent attacks Cobalt Strike Dridex Entropy |
2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20220223:24:59b3a28,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)}},
date = {2022-02-23},
organization = {AdvIntel},
url = {https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir},
language = {English},
urldate = {2022-03-01}
}
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR) Cobalt Strike Conti |
2022-02-23 ⋅ Dragos ⋅ Dragos @techreport{dragos:20220223:2021:539931a,
author = {Dragos},
title = {{2021 ICS OT Cybersecurity Year In Review}},
date = {2022-02-23},
institution = {Dragos},
url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf},
language = {English},
urldate = {2022-04-12}
}
2021 ICS OT Cybersecurity Year In Review ShadowPad |
2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach @online{ebach:20220223:what:0a4496e,
author = {Luca Ebach},
title = {{What the Pack(er)?}},
date = {2022-02-23},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2022/03/23/what-the-packer/},
language = {English},
urldate = {2022-03-25}
}
What the Pack(er)? Cobalt Strike Emotet |
2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220222:icedid:67f870d,
author = {eSentire Threat Response Unit (TRU)},
title = {{IcedID to Cobalt Strike In Under 20 Minutes}},
date = {2022-02-22},
organization = {eSentire},
url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes},
language = {English},
urldate = {2022-05-23}
}
IcedID to Cobalt Strike In Under 20 Minutes Cobalt Strike IcedID PhotoLoader |
2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220222:vulnerable:80109eb,
author = {Bill Toulas},
title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}},
date = {2022-02-22},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/},
language = {English},
urldate = {2022-02-26}
}
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike Cobalt Strike Kingminer Lemon Duck |
2022-02-21 ⋅ ASEC @online{asec:20220221:cobalt:82a24d8,
author = {ASEC},
title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}},
date = {2022-02-21},
url = {https://asec.ahnlab.com/en/31811/},
language = {English},
urldate = {2022-02-26}
}
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers Cobalt Strike Lemon Duck |
2022-02-21 ⋅ The DFIR Report @online{report:20220221:qbot:8b10b52,
author = {The DFIR Report},
title = {{Qbot and Zerologon Lead To Full Domain Compromise}},
date = {2022-02-21},
url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/},
language = {English},
urldate = {2022-02-26}
}
Qbot and Zerologon Lead To Full Domain Compromise Cobalt Strike QakBot |
2022-02-20 ⋅ Medium SOCFortress ⋅ SOCFortress @online{socfortress:20220220:detecting:5d28c28,
author = {SOCFortress},
title = {{Detecting Cobalt Strike Beacons}},
date = {2022-02-20},
organization = {Medium SOCFortress},
url = {https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654},
language = {English},
urldate = {2022-02-26}
}
Detecting Cobalt Strike Beacons Cobalt Strike |
2022-02-18 ⋅ Huntress Labs ⋅ Matthew Brennan @online{brennan:20220218:hackers:243d8b8,
author = {Matthew Brennan},
title = {{Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection}},
date = {2022-02-18},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection},
language = {English},
urldate = {2022-02-26}
}
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection Cobalt Strike |
2022-02-16 ⋅ Security Onion ⋅ Doug Burks @online{burks:20220216:quick:e515983,
author = {Doug Burks},
title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}},
date = {2022-02-16},
organization = {Security Onion},
url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html},
language = {English},
urldate = {2022-02-17}
}
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08 Cobalt Strike Emotet |
2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220215:increase:a4de9ce,
author = {eSentire Threat Response Unit (TRU)},
title = {{Increase in Emotet Activity and Cobalt Strike Deployment}},
date = {2022-02-15},
organization = {eSentire},
url = {https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment},
language = {English},
urldate = {2022-05-23}
}
Increase in Emotet Activity and Cobalt Strike Deployment Cobalt Strike Emotet |
2022-02-15 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220215:researchers:834fc13,
author = {Ravie Lakshmanan},
title = {{Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA}},
date = {2022-02-15},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html},
language = {English},
urldate = {2022-02-17}
}
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA ShadowPad |
2022-02-15 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220215:shadowpad:cd3fa10,
author = {Counter Threat Unit Research Team},
title = {{ShadowPad Malware Analysis}},
date = {2022-02-15},
organization = {Secureworks},
url = {https://www.secureworks.com/research/shadowpad-malware-analysis},
language = {English},
urldate = {2022-02-17}
}
ShadowPad Malware Analysis ShadowPad |
2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team @online{team:20220210:threat:320574f,
author = {Cybereason Global SOC Team},
title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}},
date = {2022-02-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot},
language = {English},
urldate = {2022-02-10}
}
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot Cobalt Strike Emotet IcedID QakBot |
2022-02-09 ⋅ vmware ⋅ VMWare @techreport{vmware:20220209:exposing:7b5f76e,
author = {VMWare},
title = {{Exposing Malware in Linux-Based Multi-Cloud Environments}},
date = {2022-02-09},
institution = {vmware},
url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf},
language = {English},
urldate = {2022-02-10}
}
Exposing Malware in Linux-Based Multi-Cloud Environments ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike |
2022-02-08 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220208:privateloader:5e226cd,
author = {Intel 471},
title = {{PrivateLoader: The first step in many malware schemes}},
date = {2022-02-08},
organization = {Intel 471},
url = {https://intel471.com/blog/privateloader-malware},
language = {English},
urldate = {2022-05-09}
}
PrivateLoader: The first step in many malware schemes Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar |
2022-02-03 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220203:njrat:88ea206,
author = {Tony Lambert},
title = {{njRAT Installed from a MSI}},
date = {2022-02-03},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/njrat-installed-from-msi/},
language = {English},
urldate = {2022-02-04}
}
njRAT Installed from a MSI NjRAT |
2022-01-31 ⋅ CyberArk ⋅ Arash Parsa @online{parsa:20220131:analyzing:c496cc6,
author = {Arash Parsa},
title = {{Analyzing Malware with Hooks, Stomps and Return-addresses}},
date = {2022-01-31},
organization = {CyberArk},
url = {https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2},
language = {English},
urldate = {2022-05-09}
}
Analyzing Malware with Hooks, Stomps and Return-addresses Cobalt Strike |
2022-01-28 ⋅ Morphisec ⋅ Morphisec Labs @online{labs:20220128:log4j:ee487ec,
author = {Morphisec Labs},
title = {{Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk}},
date = {2022-01-28},
organization = {Morphisec},
url = {https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications},
language = {English},
urldate = {2022-02-02}
}
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk Cobalt Strike |
2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru @techreport{yanagishita:20220127:what:3c59dc9,
author = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru},
title = {{What We Can Do against the Chaotic A41APT Campaign}},
date = {2022-01-27},
institution = {JSAC 2021},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf},
language = {English},
urldate = {2022-05-17}
}
What We Can Do against the Chaotic A41APT Campaign CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
2022-01-26 ⋅ Blackberry ⋅ Ryan Gibson, Codi Starks, Will Ikard @online{gibson:20220126:log4u:3f2992b,
author = {Ryan Gibson and Codi Starks and Will Ikard},
title = {{Log4U, Shell4Me}},
date = {2022-01-26},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/log4u-shell4me},
language = {English},
urldate = {2022-01-31}
}
Log4U, Shell4Me Cobalt Strike |
2022-01-25 ⋅ Cynet ⋅ Orion Threat Research and Intelligence Team @online{team:20220125:threats:5269cbc,
author = {Orion Threat Research and Intelligence Team},
title = {{Threats Looming Over the Horizon}},
date = {2022-01-25},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/},
language = {English},
urldate = {2022-01-28}
}
Threats Looming Over the Horizon Cobalt Strike Meterpreter NightSky |
2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220124:cobalt:b0b48ee,
author = {The DFIR Report},
title = {{Cobalt Strike, a Defender’s Guide – Part 2}},
date = {2022-01-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/},
language = {English},
urldate = {2022-01-25}
}
Cobalt Strike, a Defender’s Guide – Part 2 Cobalt Strike |
2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik @online{gorelik:20220120:log4j:99fd2e0,
author = {Michael Gorelik},
title = {{Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk}},
date = {2022-01-20},
organization = {Morphisec},
url = {https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk},
language = {English},
urldate = {2022-01-25}
}
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk Cobalt Strike |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin @online{ditch:20220119:extracting:39bd5e5,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Extracting Cobalt Strike Beacon Configurations}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/},
language = {English},
urldate = {2022-01-25}
}
Extracting Cobalt Strike Beacon Configurations Cobalt Strike |
2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220119:kraken:5b52d17,
author = {The BlackBerry Research & Intelligence Team},
title = {{Kraken the Code on Prometheus}},
date = {2022-01-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus},
language = {English},
urldate = {2022-05-25}
}
Kraken the Code on Prometheus Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin @online{ditch:20220119:collecting:696e5d0,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Collecting Cobalt Strike Beacons with the Elastic Stack}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/},
language = {English},
urldate = {2022-01-25}
}
Collecting Cobalt Strike Beacons with the Elastic Stack Cobalt Strike |
2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team @online{cowie:20220119:zloader:e87c22c,
author = {Colin Cowie and Mat Gangwer and Stan Andic and Sophos MTR Team},
title = {{Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike}},
date = {2022-01-19},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/},
language = {English},
urldate = {2022-01-25}
}
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike Cobalt Strike Zloader |
2022-01-18 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220118:2021:9cff6fc,
author = {Insikt Group®},
title = {{2021 Adversary Infrastructure Report}},
date = {2022-01-18},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf},
language = {English},
urldate = {2022-01-24}
}
2021 Adversary Infrastructure Report BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot |
2022-01-17 ⋅ Trend Micro ⋅ Joseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet @techreport{chen:20220117:delving:4cd2b1c,
author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet},
title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}},
date = {2022-01-17},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf},
language = {English},
urldate = {2022-07-25}
}
Delving Deep: An Analysis of Earth Lusca’s Operations BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca |
2022-01-16 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220116:analyzing:2c8a9db,
author = {Tony Lambert},
title = {{Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike}},
date = {2022-01-16},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/},
language = {English},
urldate = {2022-01-25}
}
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike CACTUSTORCH Cobalt Strike |
2022-01-15 ⋅ Huntress Labs ⋅ Team Huntress @online{huntress:20220115:threat:cb103f0,
author = {Team Huntress},
title = {{Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)}},
date = {2022-01-15},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike},
language = {English},
urldate = {2022-03-07}
}
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401) Cobalt Strike |
2022-01-12 ⋅ Cyber And Ramen blog ⋅ Mike R @online{r:20220112:analysis:2f570a4,
author = {Mike R},
title = {{Analysis of njRAT PowerPoint Macros}},
date = {2022-01-12},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/},
language = {English},
urldate = {2022-04-05}
}
Analysis of njRAT PowerPoint Macros NjRAT |
2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro @online{refaeli:20220111:threat:fd22089,
author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro},
title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}},
date = {2022-01-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike},
language = {English},
urldate = {2022-01-18}
}
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer @online{glyer:20220111:thread:ae5ec3d,
author = {Christopher Glyer},
title = {{Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware}},
date = {2022-01-11},
organization = {Twitter (@cglyer)},
url = {https://twitter.com/cglyer/status/1480742363991580674},
language = {English},
urldate = {2022-01-25}
}
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware Cobalt Strike NightSky |
2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20220111:signed:0f32583,
author = {Jason Reaves and Joshua Platt},
title = {{Signed DLL campaigns as a service}},
date = {2022-01-11},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489},
language = {English},
urldate = {2023-01-31}
}
Signed DLL campaigns as a service BATLOADER Cobalt Strike ISFB Zloader |
2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220109:inspecting:4681f0a,
author = {Tony Lambert},
title = {{Inspecting a PowerShell Cobalt Strike Beacon}},
date = {2022-01-09},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/},
language = {English},
urldate = {2022-01-25}
}
Inspecting a PowerShell Cobalt Strike Beacon Cobalt Strike |
2022-01-06 ⋅ Sekoia ⋅ sekoia @online{sekoia:20220106:nobeliums:de631e8,
author = {sekoia},
title = {{NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies}},
date = {2022-01-06},
organization = {Sekoia},
url = {https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/},
language = {English},
urldate = {2022-01-10}
}
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies Cobalt Strike EnvyScout |
2022 ⋅ Silent Push ⋅ Silent Push @online{push:2022:consequences:765e347,
author = {Silent Push},
title = {{Consequences- The Conti Leaks and future problems}},
date = {2022},
organization = {Silent Push},
url = {https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems},
language = {English},
urldate = {2022-07-15}
}
Consequences- The Conti Leaks and future problems Cobalt Strike Conti |
2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team @online{wiley:20211229:overwatch:bed49ee,
author = {Benjamin Wiley and Falcon OverWatch Team},
title = {{OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt}},
date = {2021-12-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools},
language = {English},
urldate = {2022-07-29}
}
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt Earth Lusca |
2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team @online{wiley:20211229:overwatch:35d7dee,
author = {Benjamin Wiley and Falcon OverWatch Team},
title = {{OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt}},
date = {2021-12-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/},
language = {English},
urldate = {2021-12-31}
}
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt Cobalt Strike |
2021-12-29 ⋅ Blake's R&D ⋅ Blake @online{blake:20211229:cobalt:b8c08bb,
author = {Blake},
title = {{Cobalt Strike DFIR: Listening to the Pipes}},
date = {2021-12-29},
organization = {Blake's R&D},
url = {https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes},
language = {English},
urldate = {2021-12-31}
}
Cobalt Strike DFIR: Listening to the Pipes Cobalt Strike |
2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho @online{marinho:20211228:attackers:48320eb,
author = {Renato Marinho},
title = {{Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons}},
date = {2021-12-28},
organization = {Morphus Labs},
url = {https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42},
language = {English},
urldate = {2021-12-31}
}
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons Cobalt Strike |
2021-12-22 ⋅ Telsy ⋅ Telsy Research Team @online{team:20211222:phishing:ffa707a,
author = {Telsy Research Team},
title = {{Phishing Campaign targeting citizens abroad using COVID-19 theme lures}},
date = {2021-12-22},
organization = {Telsy},
url = {https://www.telsy.com/download/5972/?uid=d7c082ba55},
language = {English},
urldate = {2022-01-25}
}
Phishing Campaign targeting citizens abroad using COVID-19 theme lures Cobalt Strike |
2021-12-17 ⋅ FBI ⋅ FBI @techreport{fbi:20211217:ac000159mw:03082da,
author = {FBI},
title = {{AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)}},
date = {2021-12-17},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/211220.pdf},
language = {English},
urldate = {2021-12-23}
}
AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515) ShadowPad |
2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20211216:intelligence:f7bad55,
author = {The Red Canary Team},
title = {{Intelligence Insights: December 2021}},
date = {2021-12-16},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-december-2021},
language = {English},
urldate = {2021-12-31}
}
Intelligence Insights: December 2021 Cobalt Strike QakBot Squirrelwaffle |
2021-12-16 ⋅ TEAMT5 ⋅ Charles Li, Aragorn Tseng, Peter Syu, Tom Lai @online{li:20211216:winnti:adce3fa,
author = {Charles Li and Aragorn Tseng and Peter Syu and Tom Lai},
title = {{Winnti is Coming - Evolution after Prosecution}},
date = {2021-12-16},
organization = {TEAMT5},
url = {https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021},
language = {English},
urldate = {2023-04-28}
}
Winnti is Coming - Evolution after Prosecution Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder |
2021-12-15 ⋅ NCSC UK ⋅ NCSC UK @online{uk:20211215:jolly:bd0859a,
author = {NCSC UK},
title = {{Jolly Jellyfish}},
date = {2021-12-15},
organization = {NCSC UK},
url = {https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E},
language = {English},
urldate = {2022-07-25}
}
Jolly Jellyfish FishMaster Earth Lusca |
2021-12-10 ⋅ Accenture ⋅ Accenture @online{accenture:20211210:karakurt:5bb6d9c,
author = {Accenture},
title = {{Karakurt rises from its lair}},
date = {2021-12-10},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation},
language = {English},
urldate = {2021-12-15}
}
Karakurt rises from its lair Cobalt Strike |
2021-12-08 ⋅ PWC UK ⋅ Adam Prescott @online{prescott:20211208:chasing:3921a35,
author = {Adam Prescott},
title = {{Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad}},
date = {2021-12-08},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html},
language = {English},
urldate = {2021-12-13}
}
Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad ShadowPad Earth Lusca |
2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20211207:emotet:f33c999,
author = {Lawrence Abrams},
title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}},
date = {2021-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/},
language = {English},
urldate = {2021-12-08}
}
Emotet now drops Cobalt Strike, fast forwards ransomware attacks Cobalt Strike Emotet |
2021-12-06 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART) @online{jenkins:20211206:suspected:d9da4ec,
author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)},
title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}},
date = {2021-12-06},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/russian-targeting-gov-business},
language = {English},
urldate = {2021-12-07}
}
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452) Cobalt Strike CryptBot |
2021-12-06 ⋅ CERT-FR ⋅ CERT-FR @online{certfr:20211206:phishing:c58da54,
author = {CERT-FR},
title = {{Phishing campaigns by the Nobelium intrusion set}},
date = {2021-12-06},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/},
language = {English},
urldate = {2021-12-07}
}
Phishing campaigns by the Nobelium intrusion set Cobalt Strike |
2021-12-02 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20211202:phishing:c22ef4f,
author = {CERT-FR},
title = {{Phishing Campaigns by the Nobelium Intrusion Set}},
date = {2021-12-02},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf},
language = {English},
urldate = {2021-12-07}
}
Phishing Campaigns by the Nobelium Intrusion Set Cobalt Strike |
2021-11-30 ⋅ Symantec ⋅ Symantec Threat Hunter Team @online{team:20211130:yanluowang:538b90c,
author = {Symantec Threat Hunter Team},
title = {{Yanluowang: Further Insights on New Ransomware Threat}},
date = {2021-11-30},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue},
language = {English},
urldate = {2022-09-20}
}
Yanluowang: Further Insights on New Ransomware Threat BazarBackdoor Cobalt Strike FiveHands |
2021-11-30 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV @online{cybermasterv:20211130:just:d5f53c9,
author = {CyberMasterV},
title = {{Just another analysis of the njRAT malware – A step-by-step approach}},
date = {2021-11-30},
organization = {CYBER GEEKS All Things Infosec},
url = {https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/},
language = {English},
urldate = {2021-12-06}
}
Just another analysis of the njRAT malware – A step-by-step approach NjRAT |
2021-11-29 ⋅ Trend Micro ⋅ Jaromír Hořejší @online{hoej:20211129:campaign:6e23cf5,
author = {Jaromír Hořejší},
title = {{Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites}},
date = {2021-11-29},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html},
language = {English},
urldate = {2021-12-07}
}
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites AsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos |
2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer @online{mclellan:20211129:kittengif:efb8036,
author = {Tyler McLellan and Brandan Schondorfer},
title = {{Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again}},
date = {2021-11-29},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/sabbath-ransomware-affiliate},
language = {English},
urldate = {2021-11-30}
}
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again Cobalt Strike ROLLCOAST |
2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211129:continuing:646e622,
author = {The DFIR Report},
title = {{CONTInuing the Bazar Ransomware Story}},
date = {2021-11-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/},
language = {English},
urldate = {2021-12-07}
}
CONTInuing the Bazar Ransomware Story BazarBackdoor Cobalt Strike Conti |
2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar @online{fahmy:20211119:squirrelwaffle:1e8fa78,
author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar},
title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}},
date = {2021-11-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html},
language = {English},
urldate = {2021-11-25}
}
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains Cobalt Strike QakBot Squirrelwaffle |
2021-11-19 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka @online{amawaka:20211119:its:bd24ebf,
author = {Asuna Amawaka},
title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}},
date = {2021-11-19},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2},
language = {English},
urldate = {2021-11-25}
}
It’s a BEE! It’s a… no, it’s ShadowPad. ShadowPad |
2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque @online{fahmy:20211117:analyzing:c6c52d1,
author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque},
title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}},
date = {2021-11-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html},
language = {English},
urldate = {2021-11-18}
}
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR Cobalt Strike Cotx RAT |
2021-11-17 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211117:cobalt:0b6ecf5,
author = {Didier Stevens},
title = {{Cobalt Strike: Decrypting Obfuscated Traffic – Part 4}},
date = {2021-11-17},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/},
language = {English},
urldate = {2021-11-18}
}
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 Cobalt Strike |
2021-11-17 ⋅ Black Hills Information Security ⋅ Kyle Avery @online{avery:20211117:dns:847b573,
author = {Kyle Avery},
title = {{DNS Over HTTPS for Cobalt Strike}},
date = {2021-11-17},
organization = {Black Hills Information Security},
url = {https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/},
language = {English},
urldate = {2022-02-19}
}
DNS Over HTTPS for Cobalt Strike Cobalt Strike |
2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42 @online{42:20211117:matanbuchus:9e3556c,
author = {Unit 42},
title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}},
date = {2021-11-17},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1461004489234829320},
language = {English},
urldate = {2021-11-25}
}
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike Cobalt Strike QakBot |
2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra @online{raghuprasad:20211116:attackers:c31ad77,
author = {Chetan Raghuprasad and Vanja Svajcer and Asheer Malhotra},
title = {{Attackers use domain fronting technique to target Myanmar with Cobalt Strike}},
date = {2021-11-16},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html},
language = {English},
urldate = {2021-11-17}
}
Attackers use domain fronting technique to target Myanmar with Cobalt Strike Cobalt Strike |
2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson @techreport{oleary:20211116:finding:e8594dd,
author = {T.J. O'Leary and Tom Bonner and Marta Janus and Dean Given and Eoin Wickens and Jim Simpson},
title = {{Finding Beacons in the dark}},
date = {2021-11-16},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-18}
}
Finding Beacons in the dark Cobalt Strike |
2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski @online{research:20211116:how:d7fdaf8,
author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski},
title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}},
date = {2021-11-16},
organization = {IronNet},
url = {https://www.ironnet.com/blog/ransomware-graphic-blog},
language = {English},
urldate = {2021-11-25}
}
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware Cobalt Strike Conti IcedID REvil |
2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani @online{viggiani:20211115:proxyshell:bf17c6d,
author = {Fabio Viggiani},
title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}},
date = {2021-11-15},
organization = {TRUESEC},
url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks},
language = {English},
urldate = {2021-11-17}
}
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks Cobalt Strike Conti QakBot |
2021-11-13 ⋅ Just Still ⋅ Still Hsu @online{hsu:20211113:threat:597b1a0,
author = {Still Hsu},
title = {{Threat Spotlight - Domain Fronting}},
date = {2021-11-13},
organization = {Just Still},
url = {https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/},
language = {English},
urldate = {2021-11-18}
}
Threat Spotlight - Domain Fronting Cobalt Strike |
2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi @online{jazi:20211112:multistage:e70f6d0,
author = {Hossein Jazi},
title = {{A multi-stage PowerShell based attack targets Kazakhstan}},
date = {2021-11-12},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/},
language = {English},
urldate = {2021-11-17}
}
A multi-stage PowerShell based attack targets Kazakhstan Cobalt Strike |
2021-11-11 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20211111:duck:897cc6f,
author = {Max Malyutin},
title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}},
date = {2021-11-11},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/},
language = {English},
urldate = {2021-11-25}
}
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation Cobalt Strike QakBot |
2021-11-11 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20211111:html:410a27f,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks}},
date = {2021-11-11},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/},
language = {English},
urldate = {2021-11-12}
}
HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks AsyncRAT Mekotio NjRAT |
2021-11-10 ⋅ AT&T ⋅ Josh Gomez @online{gomez:20211110:stories:4ce1168,
author = {Josh Gomez},
title = {{Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!}},
date = {2021-11-10},
organization = {AT&T},
url = {https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my},
language = {English},
urldate = {2021-11-17}
}
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY! Cobalt Strike Conti |
2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team @online{team:20211110:walking:cc41f24,
author = {Cyber Threat Intelligence team},
title = {{Walking on APT31 infrastructure footprints}},
date = {2021-11-10},
organization = {Sekoia},
url = {https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/},
language = {English},
urldate = {2021-11-11}
}
Walking on APT31 infrastructure footprints Rekoobe Unidentified ELF 004 Cobalt Strike |
2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem @online{milenkoski:20211109:threat:9f898c9,
author = {Aleksandar Milenkoski and Eli Salem},
title = {{THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware}},
date = {2021-11-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware},
language = {English},
urldate = {2022-02-09}
}
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware Cobalt Strike Conti |
2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42 @online{42:20211105:ta551:98c564e,
author = {Unit 42},
title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}},
date = {2021-11-05},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1458113934024757256},
language = {English},
urldate = {2021-11-17}
}
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops BazarBackdoor Cobalt Strike |
2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211105:hunter:3c7bab9,
author = {The BlackBerry Research & Intelligence Team},
title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}},
date = {2021-11-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/11/zebra2104},
language = {English},
urldate = {2021-11-08}
}
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity |
2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20211104:shadowpad:8dbd5c7,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}},
date = {2021-11-04},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=r1zAVX_HnJg},
language = {English},
urldate = {2022-08-08}
}
ShadowPad: the masterpiece of privately sold malware in Chinese espionage PlugX ShadowPad |
2021-11-03 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211103:cobalt:8f8223d,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3}},
date = {2021-11-03},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/},
language = {English},
urldate = {2021-11-08}
}
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 Cobalt Strike |
2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens @online{stevens:20211103:new:6f8b92c,
author = {Didier Stevens},
title = {{New Tool: cs-extract-key.py}},
date = {2021-11-03},
organization = {Didier Stevens},
url = {https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/},
language = {English},
urldate = {2021-11-17}
}
New Tool: cs-extract-key.py Cobalt Strike |
2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme @online{laflamme:20211102:cobalt:d09aa11,
author = {Olivier Laflamme},
title = {{Cobalt Strike Process Injection}},
date = {2021-11-02},
organization = {boschko.ca blog},
url = {https://boschko.ca/cobalt-strike-process-injection/},
language = {English},
urldate = {2021-11-29}
}
Cobalt Strike Process Injection Cobalt Strike |
2021-11-02 ⋅ Intel 471 ⋅ Intel 471 @online{471:20211102:cybercrime:4d53035,
author = {Intel 471},
title = {{Cybercrime underground flush with shipping companies’ credentials}},
date = {2021-11-02},
organization = {Intel 471},
url = {https://intel471.com/blog/shipping-companies-ransomware-credentials},
language = {English},
urldate = {2021-11-03}
}
Cybercrime underground flush with shipping companies’ credentials Cobalt Strike Conti |
2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax @online{cyb3rsn0rlax:20211102:detecting:a2828eb,
author = {Cyb3rSn0rlax},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}},
date = {2021-11-02},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2 Cobalt Strike Conti |
2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o @online{iiamaleks:20211101:from:2348d47,
author = {@iiamaleks and @samaritan_o},
title = {{From Zero to Domain Admin}},
date = {2021-11-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/},
language = {English},
urldate = {2021-11-03}
}
From Zero to Domain Admin Cobalt Strike Hancitor |
2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill @online{larrieu:20211101:diving:a732a35,
author = {Heather Larrieu and Curt Wilson and Katrina Hill},
title = {{Diving into double extortion campaigns}},
date = {2021-11-01},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns},
language = {English},
urldate = {2021-11-03}
}
Diving into double extortion campaigns Cobalt Strike MimiKatz |
2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України @online{:20211029:cyberpolice:fc43b20,
author = {Національна поліція України},
title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}},
date = {2021-10-29},
organization = {Національна поліція України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-11-02}
}
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-29 ⋅ Europol ⋅ Europol @online{europol:20211029:12:5c0fd59,
author = {Europol},
title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}},
date = {2021-10-29},
organization = {Europol},
url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure},
language = {English},
urldate = {2021-11-02}
}
12 targeted for involvement in ransomware attacks against critical infrastructure Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-27 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211027:cobalt:b91181a,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2}},
date = {2021-10-27},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/},
language = {English},
urldate = {2021-11-03}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2 Cobalt Strike |
2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT @techreport{cert:20211026:attacks:6f30d0f,
author = {Kaspersky Lab ICS CERT},
title = {{APT attacks on industrial organizations in H1 2021}},
date = {2021-10-26},
institution = {Kaspersky},
url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf},
language = {English},
urldate = {2021-11-08}
}
APT attacks on industrial organizations in H1 2021 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy |
2021-10-26 ⋅ ANSSI @techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis @online{brumaghin:20211026:squirrelwaffle:88c5943,
author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis},
title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}},
date = {2021-10-26},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html},
language = {English},
urldate = {2021-11-02}
}
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA @online{ouadia:20211026:detecting:2a3e2fa,
author = {Hamza OUADIA},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1}},
date = {2021-10-26},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1 Cobalt Strike Conti |
2021-10-21 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211021:cobalt:bfc8702,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1}},
date = {2021-10-21},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/},
language = {English},
urldate = {2021-10-26}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1 Cobalt Strike |
2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson @online{clinton:20211021:stopping:3c26152,
author = {Alex Clinton and Tasha Robinson},
title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}},
date = {2021-10-21},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/},
language = {English},
urldate = {2021-11-02}
}
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign Cobalt Strike FlawedGrace TinyMet |
2021-10-18 ⋅ paloalto Networks: Unit42 ⋅ Brad Duncan @online{duncan:20211018:case:bdd95ff,
author = {Brad Duncan},
title = {{Case Study: From BazarLoader to Network Reconnaissance}},
date = {2021-10-18},
organization = {paloalto Networks: Unit42},
url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/},
language = {English},
urldate = {2021-10-22}
}
Case Study: From BazarLoader to Network Reconnaissance BazarBackdoor Cobalt Strike |
2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20211018:harvester:ad72962,
author = {Threat Hunter Team},
title = {{Harvester: Nation-state-backed group uses new toolset to target victims in South Asia}},
date = {2021-10-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia},
language = {English},
urldate = {2021-11-03}
}
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia Cobalt Strike Graphon |
2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211018:icedid:0b574b0,
author = {The DFIR Report},
title = {{IcedID to XingLocker Ransomware in 24 hours}},
date = {2021-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/},
language = {English},
urldate = {2021-10-22}
}
IcedID to XingLocker Ransomware in 24 hours Cobalt Strike IcedID Mount Locker |
2021-10-15 ⋅ ESET Research ⋅ ESET Research @online{research:20211015:malicious:04da9c1,
author = {ESET Research},
title = {{Tweet on a malicious campaign targeting governmental and education entities in Colombia using multiple stages to drop AsyncRAT or njRAT Keylogger on their victims}},
date = {2021-10-15},
organization = {ESET Research},
url = {https://twitter.com/ESETresearch/status/1449132020613922828},
language = {English},
urldate = {2021-11-08}
}
Tweet on a malicious campaign targeting governmental and education entities in Colombia using multiple stages to drop AsyncRAT or njRAT Keylogger on their victims AsyncRAT NjRAT |
2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20211014:investigation:29ef29c,
author = {Jason Reaves},
title = {{Investigation into the state of NIM malware Part 2}},
date = {2021-10-14},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671},
language = {English},
urldate = {2021-12-15}
}
Investigation into the state of NIM malware Part 2 Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware) |
2021-10-13 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20211013:blackberry:9892a2c,
author = {BlackBerry Research & Intelligence Team},
title = {{BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book}},
date = {2021-10-13},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book},
language = {English},
urldate = {2022-04-25}
}
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book Cobalt Strike |
2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman @online{rahman:20211012:defining:df3f43c,
author = {Alyssa Rahman},
title = {{Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis}},
date = {2021-10-12},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/defining-cobalt-strike-components},
language = {English},
urldate = {2021-11-02}
}
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis Cobalt Strike |
2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence @online{intelligence:20211011:moving:3b0eaec,
author = {Accenture Cyber Threat Intelligence},
title = {{Moving Left of the Ransomware Boom}},
date = {2021-10-11},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom},
language = {English},
urldate = {2021-11-03}
}
Moving Left of the Ransomware Boom REvil Cobalt Strike MimiKatz RagnarLocker REvil |
2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong @online{dong:20211008:squirrelwaffle:4549cd1,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing The Main Loader}},
date = {2021-10-08},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing The Main Loader Cobalt Strike Squirrelwaffle |
2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy @online{palazolo:20211007:squirrelwaffle:3506816,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}},
date = {2021-10-07},
organization = {Netskope},
url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot},
language = {English},
urldate = {2021-10-11}
}
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot Cobalt Strike QakBot Squirrelwaffle |
2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team @online{team:20211007:fin12:505a3a8,
author = {Mandiant Research Team},
title = {{FIN12 Group Profile: FIN12 Prioritizes Speed to Deploy Ransomware Against High-Value Targets}},
date = {2021-10-07},
organization = {Mandiant},
url = {https://www.mandiant.com/media/12596/download},
language = {English},
urldate = {2021-11-27}
}
FIN12 Group Profile: FIN12 Prioritizes Speed to Deploy Ransomware Against High-Value Targets Cobalt Strike Empire Downloader TrickBot |
2021-10-07 ⋅ Microsoft ⋅ Microsoft @online{microsoft:20211007:microsoft:793e473,
author = {Microsoft},
title = {{Microsoft Digital Defense Report - October 2021}},
date = {2021-10-07},
organization = {Microsoft},
url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi},
language = {English},
urldate = {2021-10-11}
}
Microsoft Digital Defense Report - October 2021 APT15 APT31 APT40 APT5 Earth Lusca HAFNIUM |
2021-10-06 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20211006:finding:50936df,
author = {Blackberry Research},
title = {{Finding Beacons in the Dark}},
date = {2021-10-06},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-08}
}
Finding Beacons in the Dark Cobalt Strike |
2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211005:drawing:e53477d,
author = {The BlackBerry Research & Intelligence Team},
title = {{Drawing a Dragon: Connecting the Dots to Find APT41}},
date = {2021-10-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41},
language = {English},
urldate = {2021-10-11}
}
Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah @online{gallagher:20211004:atom:782b979,
author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah},
title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}},
date = {2021-10-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/},
language = {English},
urldate = {2021-10-11}
}
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack ATOMSILO Cobalt Strike |
2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211004:bazarloader:fe3adf3,
author = {The DFIR Report},
title = {{BazarLoader and the Conti Leaks}},
date = {2021-10-04},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/},
language = {English},
urldate = {2021-10-11}
}
BazarLoader and the Conti Leaks BazarBackdoor Cobalt Strike Conti |
2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne @techreport{dnne:20211003:squirrelwaffle:3a35566,
author = {Joel Dönne},
title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}},
date = {2021-10-03},
institution = {Github (0xjxd)},
url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf},
language = {English},
urldate = {2021-10-07}
}
SquirrelWaffle - From Maldoc to Cobalt Strike Cobalt Strike Squirrelwaffle |
2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong @online{dong:20211001:squirrelwaffle:24c9b06,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}},
date = {2021-10-01},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing the Custom Packer Cobalt Strike Squirrelwaffle |
2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team @online{team:20210930:hunting:bc2e59d,
author = {Falcon OverWatch Team},
title = {{Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense}},
date = {2021-09-30},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/},
language = {English},
urldate = {2021-10-05}
}
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense Cobalt Strike |
2021-09-30 ⋅ PT Expert Security Center @online{center:20210930:masters:8707c00,
author = {PT Expert Security Center},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang},
language = {English},
urldate = {2021-10-14}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal Cobalt Strike |
2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210930:masters:4394504,
author = {PT ESC Threat Intelligence},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3},
language = {English},
urldate = {2021-11-29}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal Cobalt Strike |
2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20210929:20210929:e348fca,
author = {Brad Duncan},
title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}},
date = {2021-09-29},
organization = {Malware Traffic Analysis},
url = {https://malware-traffic-analysis.net/2021/09/29/index.html},
language = {English},
urldate = {2021-11-03}
}
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike Cobalt Strike Hancitor |
2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20210929:hancitor:e510da9,
author = {Brad Duncan},
title = {{Hancitor with Cobalt Strike}},
date = {2021-09-29},
organization = {Malware Traffic Analysis},
url = {https://www.malware-traffic-analysis.net/2021/09/29/index.html},
language = {English},
urldate = {2022-02-01}
}
Hancitor with Cobalt Strike Cobalt Strike Hancitor |
2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20210929:backup:4aebe4e,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Backup “Removal” Solutions - From Conti Ransomware With Love}},
date = {2021-09-29},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love},
language = {English},
urldate = {2021-10-20}
}
Backup “Removal” Solutions - From Conti Ransomware With Love Cobalt Strike Conti |
2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross @online{kumar:20210928:squirrelwaffle:9b1cffc,
author = {Avinash Kumar and Brett Stone-Gross},
title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}},
date = {2021-09-28},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike},
language = {English},
urldate = {2021-10-11}
}
Squirrelwaffle: New Loader Delivering Cobalt Strike Cobalt Strike Squirrelwaffle |
2021-09-27 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20210927:virtual:cd72501,
author = {Max Malyutin},
title = {{A Virtual Baffle to Battle Squirrelwaffle}},
date = {2021-09-27},
organization = {Cynet},
url = {https://www.cynet.com/understanding-squirrelwaffle/},
language = {English},
urldate = {2021-09-28}
}
A Virtual Baffle to Battle Squirrelwaffle Cobalt Strike Squirrelwaffle |
2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji @online{ji:20210926:insights:51c06b8,
author = {Jie Ji},
title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}},
date = {2021-09-26},
organization = {NSFOCUS},
url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/},
language = {English},
urldate = {2021-11-25}
}
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2 Cobalt Strike LockFile |
2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas @online{stotomas:20210924:examining:9165fe5,
author = {Warren Sto.Tomas},
title = {{Examining the Cring Ransomware Techniques}},
date = {2021-09-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html},
language = {English},
urldate = {2021-09-29}
}
Examining the Cring Ransomware Techniques Cobalt Strike Cring MimiKatz |
2021-09-22 ⋅ CISA ⋅ US-CERT @online{uscert:20210922:alert:50b9d38,
author = {US-CERT},
title = {{Alert (AA21-265A) Conti Ransomware}},
date = {2021-09-22},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-265a},
language = {English},
urldate = {2021-10-05}
}
Alert (AA21-265A) Conti Ransomware Cobalt Strike Conti |
2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem @online{salem:20210921:squirrel:1254a9d,
author = {Eli Salem},
title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}},
date = {2021-09-21},
organization = {Medium elis531989},
url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9},
language = {English},
urldate = {2021-09-22}
}
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle” Cobalt Strike Squirrelwaffle |
2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt @online{schmitt:20210921:ransomware:7c6144d,
author = {Drew Schmitt},
title = {{A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike}},
date = {2021-09-21},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/},
language = {English},
urldate = {2021-09-22}
}
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike Cobalt Strike |
2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team @online{team:20210921:scanning:5a0697f,
author = {skyblue team},
title = {{Scanning VirusTotal's firehose}},
date = {2021-09-21},
organization = {skyblue.team blog},
url = {https://skyblue.team/posts/scanning-virustotal-firehose/},
language = {English},
urldate = {2021-09-24}
}
Scanning VirusTotal's firehose Cobalt Strike |
2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade @online{brandt:20210921:cring:9bd4998,
author = {Andrew Brandt and Vikas Singh and Shefali Gupta and Krisztián Diriczi and Chaitanya Ghorpade},
title = {{Cring ransomware group exploits ancient ColdFusion server}},
date = {2021-09-21},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728},
language = {English},
urldate = {2021-09-24}
}
Cring ransomware group exploits ancient ColdFusion server Cobalt Strike Cring |
2021-09-20 ⋅ Trend Micro ⋅ Aliakbar Zahravi, William Gamazo Sanchez @online{zahravi:20210920:water:63df486,
author = {Aliakbar Zahravi and William Gamazo Sanchez},
title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}},
date = {2021-09-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html},
language = {English},
urldate = {2021-09-22}
}
Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT |
2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator @online{operator:20210917:default:aaaa15c,
author = {Intel Operator},
title = {{The default: 63 6f 62 61 6c 74 strike}},
date = {2021-09-17},
organization = {Medium inteloperator},
url = {https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7},
language = {English},
urldate = {2021-09-19}
}
The default: 63 6f 62 61 6c 74 strike Cobalt Strike |
2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team @online{team:20210917:falcon:76aa03b,
author = {Falcon OverWatch Team},
title = {{Falcon OverWatch Hunts Down Adversaries Where They Hide}},
date = {2021-09-17},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/},
language = {English},
urldate = {2021-10-05}
}
Falcon OverWatch Hunts Down Adversaries Where They Hide BazarBackdoor Cobalt Strike |
2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20210917:20210917:b995435,
author = {Brad Duncan},
title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}},
date = {2021-09-17},
organization = {Malware Traffic Analysis},
url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html},
language = {English},
urldate = {2021-09-20}
}
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike Cobalt Strike Squirrelwaffle |
2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin @online{shabarkin:20210916:pointer:828998f,
author = {Pavel Shabarkin},
title = {{Pointer: Hunting Cobalt Strike globally}},
date = {2021-09-16},
organization = {Medium Shabarkin},
url = {https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a},
language = {English},
urldate = {2021-09-19}
}
Pointer: Hunting Cobalt Strike globally Cobalt Strike |
2021-09-16 ⋅ Cisco ⋅ Tiago Pereira, Vitor Ventura @online{pereira:20210916:operation:133992d,
author = {Tiago Pereira and Vitor Ventura},
title = {{Operation Layover: How we tracked an attack on the aviation industry to five years of compromise}},
date = {2021-09-16},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html},
language = {English},
urldate = {2021-09-19}
}
Operation Layover: How we tracked an attack on the aviation industry to five years of compromise AsyncRAT Houdini NjRAT |
2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont @online{beaumont:20210916:some:550bbaa,
author = {Kevin Beaumont},
title = {{Tweet on an unknown threat actor dropping MgBot, a custom modular IIS backdoor and Cobalt Strike by exploiting ProxyShell}},
date = {2021-09-16},
organization = {Twitter (@GossiTheDog)},
url = {https://twitter.com/GossiTheDog/status/1438500100238577670},
language = {English},
urldate = {2021-09-20}
}
Tweet on an unknown threat actor dropping MgBot, a custom modular IIS backdoor and Cobalt Strike by exploiting ProxyShell Cobalt Strike MgBot |
2021-09-16 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20210916:untangling:d1e0f1b,
author = {RiskIQ},
title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}},
date = {2021-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/c88cf7e6},
language = {English},
urldate = {2021-09-19}
}
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit Cobalt Strike Ryuk |
2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20210915:analyzing:37b6528,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability}},
date = {2021-09-15},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/},
language = {English},
urldate = {2021-09-19}
}
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability Cobalt Strike |
2021-09-14 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210914:fullspectrum:fdc7b06,
author = {Insikt Group®},
title = {{Full-Spectrum Cobalt Strike Detection}},
date = {2021-09-14},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf},
language = {English},
urldate = {2021-09-19}
}
Full-Spectrum Cobalt Strike Detection Cobalt Strike |
2021-09-13 ⋅ Trend Micro ⋅ Jaromír Hořejší, Daniel Lunghi @online{hoej:20210913:aptc36:d6456f8,
author = {Jaromír Hořejší and Daniel Lunghi},
title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}},
date = {2021-09-13},
organization = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt},
language = {English},
urldate = {2021-09-14}
}
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs) AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos |
2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210913:bazarloader:5073703,
author = {The DFIR Report},
title = {{BazarLoader to Conti Ransomware in 32 Hours}},
date = {2021-09-13},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/},
language = {English},
urldate = {2021-09-14}
}
BazarLoader to Conti Ransomware in 32 Hours BazarBackdoor Cobalt Strike Conti |
2021-09-13 ⋅ Trend Micro ⋅ Jaromír Hořejší, Daniel Lunghi @online{hoej:20210913:aptc36:9b97238,
author = {Jaromír Hořejší and Daniel Lunghi},
title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}},
date = {2021-09-13},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html},
language = {English},
urldate = {2021-09-14}
}
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos |
2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210912:mapping:8a5f43a,
author = {Michael Koczwara},
title = {{Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444}},
date = {2021-09-12},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a},
language = {English},
urldate = {2022-01-28}
}
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444 Cobalt Strike |
2021-09-10 ⋅ Gigamon ⋅ Joe Slowik @online{slowik:20210910:rendering:59082b0,
author = {Joe Slowik},
title = {{Rendering Threats: A Network Perspective}},
date = {2021-09-10},
organization = {Gigamon},
url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/},
language = {English},
urldate = {2023-04-06}
}
Rendering Threats: A Network Perspective BumbleBee Cobalt Strike |
2021-09-09 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210909:remote:17382af,
author = {Trend Micro},
title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}},
date = {2021-09-09},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html},
language = {English},
urldate = {2023-04-06}
}
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs BumbleBee Cobalt Strike |
2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa @online{parsa:20210908:hook:4dff1b6,
author = {Arash Parsa},
title = {{Hook Heaps and Live Free}},
date = {2021-09-08},
organization = {Arash's Blog},
url = {https://www.arashparsa.com/hook-heaps-and-live-free/},
language = {English},
urldate = {2021-09-10}
}
Hook Heaps and Live Free Cobalt Strike |
2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210907:cobalt:7af112e,
author = {Michael Koczwara},
title = {{Cobalt Strike C2 Hunting with Shodan}},
date = {2021-09-07},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike C2 Hunting with Shodan Cobalt Strike |
2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r @online{m4n0w4r:20210906:quick:0a892b2,
author = {m4n0w4r},
title = {{Quick analysis CobaltStrike loader and shellcode}},
date = {2021-09-06},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/},
language = {English},
urldate = {2021-09-10}
}
Quick analysis CobaltStrike loader and shellcode Cobalt Strike |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel @techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi @online{gallagher:20210903:conti:db20680,
author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi},
title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}},
date = {2021-09-03},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/},
language = {English},
urldate = {2021-09-06}
}
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks Cobalt Strike Conti |
2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, Gabor Szappanos @online{colin:20210902:confluence:5bbf2cb,
author = {Colin and Gabor Szappanos},
title = {{Tweet on in-the-wild Confluence Server exploitation (CVE-2021-26084) and Cobalt Strike activity (mentioned in replies by Gabor Szappanos)}},
date = {2021-09-02},
organization = {Twitter (@th3_protoCOL)},
url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20},
language = {English},
urldate = {2021-09-06}
}
Tweet on in-the-wild Confluence Server exploitation (CVE-2021-26084) and Cobalt Strike activity (mentioned in replies by Gabor Szappanos) Cobalt Strike |
2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210902:cobalt:40a1888,
author = {Michael Koczwara},
title = {{Cobalt Strike PowerShell Payload Analysis}},
date = {2021-09-02},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike PowerShell Payload Analysis Cobalt Strike |
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li @online{tseng:20210901:mem2img:7817a5d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-09-01},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=6SDdUVejR2w},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20210901:shadowpad:f9ae111,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}},
date = {2021-09-01},
organization = {YouTube (Hack In The Box Security Conference)},
url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U},
language = {English},
urldate = {2022-08-08}
}
SHADOWPAD: Chinese Espionage Malware-as-a-Service PlugX ShadowPad |
2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs @online{labs:20210831:cobalt:47e2c20,
author = {BreakPoint Labs},
title = {{Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign}},
date = {2021-08-31},
organization = {BreakPoint Labs},
url = {https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/},
language = {English},
urldate = {2021-09-23}
}
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign Cobalt Strike |
2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20210830:operation:7b5be26,
author = {Red Raindrop Team},
title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}},
date = {2021-08-30},
organization = {Qianxin},
url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/},
language = {Chinese},
urldate = {2021-09-09}
}
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss Cobalt Strike MimiKatz |
2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210829:cobalt:1e4595e,
author = {The DFIR Report},
title = {{Cobalt Strike, a Defender’s Guide}},
date = {2021-08-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/},
language = {English},
urldate = {2021-08-31}
}
Cobalt Strike, a Defender’s Guide Cobalt Strike |
2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs @online{labs:20210827:proxyshell:a4650f1,
author = {Morphisec Labs},
title = {{ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors}},
date = {2021-08-27},
organization = {Morphisec},
url = {https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors},
language = {English},
urldate = {2021-08-31}
}
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors Cobalt Strike |
2021-08-27 ⋅ Aon ⋅ Noah Rubin, Aon’s Cyber Labs @online{rubin:20210827:cobalt:a44e08a,
author = {Noah Rubin and Aon’s Cyber Labs},
title = {{Cobalt Strike Configuration Extractor and Parser}},
date = {2021-08-27},
organization = {Aon},
url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/},
language = {English},
urldate = {2022-05-04}
}
Cobalt Strike Configuration Extractor and Parser Cobalt Strike |
2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee @techreport{hiroaki:20210825:earth:776384f,
author = {Hara Hiroaki and Ted Lee},
title = {{Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}},
date = {2021-08-25},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf},
language = {English},
urldate = {2021-08-31}
}
Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor Cobalt Strike SideWalk |
2021-08-24 ⋅ ESET Research ⋅ Thibaut Passilly, Mathieu Tartare @online{passilly:20210824:sidewalk:75d39db,
author = {Thibaut Passilly and Mathieu Tartare},
title = {{The SideWalk may be as dangerous as the CROSSWALK}},
date = {2021-08-24},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/},
language = {English},
urldate = {2021-08-31}
}
The SideWalk may be as dangerous as the CROSSWALK Cobalt Strike CROSSWALK SideWalk |
2021-08-23 ⋅ SentinelOne ⋅ Yi-Jhen Hsieh, Joey Chen
|