GALLIUM (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

GALLIUM (Back to overview)

aka: Red Dev 4, Alloy Taurus

GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.

Associated Families

win.htran win.poison_ivy win.trochilus_rat elf.pingpull elf.sword2033 win.chinachopper win.mimikatz

References

2023-09-12 ⋅ ANSSI ⋅ ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC

2023-09-07 ⋅ Sekoia ⋅ Jamila B.
My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL

2023-09-07 ⋅ CISA ⋅ CISA
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
Meterpreter MimiKatz

2023-08-22 ⋅ AhnLab ⋅ ASEC Analysis Team
Analyzing the new attack activity of the Andariel group
Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer

2023-06-16 ⋅ Palo Alto Networks: Cortex Threat Research ⋅ Lior Rochberger
Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa
CHINACHOPPER Ladon Yasso

2023-04-26 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Chinese Alloy Taurus Updates PingPull Malware
PingPull Sword2033

2023-04-12 ⋅ Kaspersky Labs ⋅ Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer

2023-04-03 ⋅ Mandiant ⋅ JASON DEYALSINGH, NICK SMITH, Eduardo Mattos, Tyler McLellan, Nick Richard
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
LaZagne BlackCat MimiKatz

2023-03-16 ⋅ Palo Alto Networks Unit 42 ⋅ Frank Lee, Scott Roland
Bee-Ware of Trigona, An Emerging Ransomware Strain
Cryakl MimiKatz Trigona

2023-01-23 ⋅ Kroll ⋅ Stephen Green, Elio Biasiotto
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC

2022-11-30 ⋅ FFRI Security ⋅ Matsumoto
Evolution of the PlugX loader
PlugX Poison Ivy

2022-10-18 ⋅ Intrinsec ⋅ Intrinsec, CERT Intrinsec
APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis
HyperBro MimiKatz

2022-10-11 ⋅ AhnLab ⋅ ASEC Analysis Team
From Exchange Server vulnerability to ransomware infection in just 7 days
LockBit MimiKatz

2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4

2022-09-15 ⋅ Symantec ⋅ Threat Hunter Team
Webworm: Espionage Attackers Testing and Using Older Modified RATs
9002 RAT Ghost RAT Trochilus RAT

2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT

2022-09-08 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Vitor Ventura
Lazarus and the tale of three RATs
MagicRAT MimiKatz VSingle YamaBot

2022-09-07 ⋅ Blackberry ⋅ Anuj Soni, Ryan Chapman
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
Conti MimiKatz Veeam Dumper

2022-09-06 ⋅ ESET Research ⋅ Thibaut Passilly
Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad Worok

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-25 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Research Team, Microsoft 365 Defender Threat Intelligence Team
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
MimiKatz

2022-08-22 ⋅ Fortinet ⋅ Shunichi Imano, Fred Gutierrez
A Tale of PivNoxy and Chinoxy Puppeteer
Chinoxy Poison Ivy

2022-08-18 ⋅ Sophos ⋅ Sean Gallagher
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT

2022-08-15 ⋅ SentinelOne ⋅ Vikram Navali
Detecting a Rogue Domain Controller – DCShadow Attack
MimiKatz TrickBot

2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker

2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz

2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team
Malicious IIS extensions quietly open persistent backdoors into servers
CHINACHOPPER MimiKatz

2022-07-26 ⋅ Mandiant ⋅ Thibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Alloy Taurus
GALLIUM

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK

2022-07-18 ⋅ Censys ⋅ Censys
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Iron Taurus
CHINACHOPPER Ghost RAT Wonknu ZXShell APT27

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Crawling Taurus
Poison Ivy APT20

2022-06-30 ⋅ Kaspersky ⋅ Pierre Delcher
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager

2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-06-20 ⋅ Infinitum IT ⋅ infinitum IT
Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy

2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Venkat Rajgor, Felipe Duarte
Backdoor via XFF: Mysterious Threat Actor Under Radar
CHINACHOPPER

2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-06-01 ⋅ CISA ⋅ CISA, FBI, Department of the Treasury (Treasury), FINCEN
Alert (AA22-152A): Karakurt Data Extortion Group
MimiKatz

2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC

2022-06-01 ⋅ CISA ⋅ FBI, CISA, Department of the Treasury (Treasury), FINCEN
Joint Cybersecurity Advisory (Product ID AA22-152A): Karakurt Data Extortion Group
MimiKatz

2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT

2022-05-05 ⋅ Troopers Conference ⋅ Ben Jackson, Will Bonner
Tinker Telco Soldier Spy (to be given 2022-06-27)
BPFDoor GALLIUM

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

2022-04-27 ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz

2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz

2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz

2022-04-05 ⋅ Symantec ⋅ Threat Hunter Team
Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity
MimiKatz SodaMaster

2022-03-25 ⋅ Dragos ⋅ Conor McLaren, Dragos
How Dragos Activity Groups Obtain Initial Access into Industrial Environments
MimiKatz

2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot

2022-03 ⋅ VirusTotal ⋅ VirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT

2022-02-03 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
MimiKatz xPack Antlion

2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster

2021-12-14 ⋅ Symantec ⋅ Threat Hunter Team
Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
MimiKatz

2021-12-06 ⋅ PARAFLARE ⋅ Melanie Ninovic
Attack Lifecycle Detection of an Operational Technology Breach
MimiKatz

2021-12-06 ⋅ Notice of Pleadings ⋅ Microsoft
Complaint filed by Microsoft against NICKEL/APT15
MimiKatz

2021-12-06 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
NICKEL targeting government organizations across Latin America and Europe
MimiKatz

2021-11-18 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
Iranian targeting of IT sector on the rise
MimiKatz ShellClient RAT

2021-11-05 ⋅ Twitter (@inversecos) ⋅ inversecos
TTPs used by Pysa Ransonmware group
Mespinoza MimiKatz

2021-11-03 ⋅ Cisco Talos ⋅ Chetan Raghuprasad, Vanja Svajcer, Caitlin Huey
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER

2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz

2021-10-25 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack
MimiKatz

2021-10-15 ⋅ Volatility Labs ⋅ Volatility Labs
Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack
MimiKatz

2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil

2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz

2021-09-14 ⋅ McAfee ⋅ Christiaan Beek
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti

2021-09-09 ⋅ Symantec ⋅ Threat Hunter Team
Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
CROSSWALK MimiKatz SideWalk

2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran

2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz

2021-08-23 ⋅ FBI ⋅ FBI
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-10 ⋅ FireEye ⋅ Israel Research Team, U.S. Threat Intel Team
UNC215: Spotlight on a Chinese Espionage Campaign in Israel
HyperBro HyperSSL MimiKatz

2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae

2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor

2021-06-29 ⋅ Accenture ⋅ Accenture Security
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz

2021-06-16 ⋅ Recorded Future ⋅ Insikt Group®
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA

2021-06-10 ⋅ ESET Research ⋅ Adam Burgher
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy

2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz

2021-05-13 ⋅ AWAKE ⋅ Kieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS

2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck

2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck

2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei

2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
CHINACHOPPER

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike

2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana
Could the Microsoft Exchange breach be stopped?
CHINACHOPPER

2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
CHINACHOPPER

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-26 ⋅ Imperva ⋅ Daniel Johnston
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
CHINACHOPPER

2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Analyzing attacks taking advantage of the Exchange Server vulnerabilities
CHINACHOPPER

2021-03-25 ⋅ Microsoft ⋅ Tom McElroy
Web Shell Threat Hunting with Azure Sentinel
CHINACHOPPER

2021-03-21 ⋅ Twitter (@CyberRaiju) ⋅ Jai Minton
Twitter Thread with analysis of .NET China Chopper
CHINACHOPPER

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz

2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428

2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon
HAFNIUM, China Chopper and ASP.NET Runtime
CHINACHOPPER

2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat

2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Microsoft Exchange Server Attack Timeline
CHINACHOPPER

2021-03-11 ⋅ DEVO ⋅ Fran Gomez
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz

2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon
Microsoft Exchange & the HAFNIUM Threat Actor
CHINACHOPPER

2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers
CHINACHOPPER

2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda

2021-03-10 ⋅ DomainTools ⋅ Joe Slowik
Examining Exchange Exploitation and its Lessons for Defenders
CHINACHOPPER

2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber
Reproducing the Microsoft Exchange Proxylogon Exploit Chain
CHINACHOPPER

2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
CHINACHOPPER

2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Remediation Steps for the Microsoft Exchange Server Vulnerabilities
CHINACHOPPER

2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
CHINACHOPPER

2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team
How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz

2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
CHINACHOPPER

2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
CHINACHOPPER

2021-03-05 ⋅ Wired ⋅ Andy Greenberg
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
CHINACHOPPER

2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs
Operation Exchange Marauder
CHINACHOPPER

2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits
CHINACHOPPER HAFNIUM

2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs
Operation Exchange Marauder
CHINACHOPPER

2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
CHINACHOPPER HAFNIUM

2021-03-03 ⋅ MITRE ⋅ MITRE ATT&CK
HAFNIUM
CHINACHOPPER HAFNIUM

2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs
Mass exploitation of on-prem Exchange servers :(
CHINACHOPPER HAFNIUM

2021-03-03 ⋅ Huntress Labs ⋅ John Hammond
Rapid Response: Mass Exploitation of On-Prem Exchange Servers
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security
HAFNIUM targeting Exchange Servers with 0-day exploits
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
Tweet on Exchange RCE
CHINACHOPPER HAFNIUM

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17

2021-01-29 ⋅ Trend Micro ⋅ Trend Micro
Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz

2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz

2021-01-18 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz
BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31
MimiKatz

2021-01-15 ⋅ Swisscom ⋅ Markus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT

2021-01-08 ⋅ Youtube (Virus Bulletin) ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger TA428

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6

2021 ⋅ SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2021 ⋅ DomainTools ⋅ Joe Slowik
Conceptualizing a Continuum of Cyber Threat Attribution
CHINACHOPPER SUNBURST

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD BURLAP
Empire Downloader Mespinoza MimiKatz GOLD BURLAP

2020-12-21 ⋅ SlideShare (yurikamuraki5) ⋅ Yurika Kakiuchi
Active Directory 侵害と推奨対策
MimiKatz

2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG
Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group

2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG
Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN HTTP(S) uploader MimiKatz

2020-12-04 ⋅ Theta ⋅ Hamish Krebs
Snakes & Ladders: the offensive use of Python on Windows
MimiKatz

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-30 ⋅ Yoroi ⋅ Luigi Martire, Antonio Pirozzi, Luca Mella
Shadows From The Past Threaten Italian Enterprises
Rekoobe LaZagne Responder MimiKatz win.rekoobe

2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz

2020-10-23 ⋅ F-Secure Labs ⋅ Guillaume Couchard, Qimin Wang, Thiam Loong Siew
Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two
MimiKatz

2020-10-20 ⋅ F-Secure ⋅ F-Secure Consulting
Incident Readiness: Preparing a proactive response to attacks
MimiKatz

2020-10-01 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy

2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger

2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger

2020-09-17 ⋅ FBI ⋅ FBI
FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks
MimiKatz Nanocore RAT

2020-09-16 ⋅ RiskIQ ⋅ Jon Gross
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy

2020-09-15 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities
CHINACHOPPER Fox Kitten

2020-09-15 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-259A): Iranian Web Shells
CHINACHOPPER

2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz

2020-08-28 ⋅ NTT ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
Operation Lagtime IT: Colourful Panda Footprint
Cotx RAT Poison Ivy TA428

2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428

2020-08-10 ⋅ ZDNet ⋅ Catalin Cimpanu
FBI says an Iranian hacking group is attacking F5 networking devices
MimiKatz

2020-08-06 ⋅ Wired ⋅ Andy Greenberg
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon

2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon

2020-07-21 ⋅ Department of Justice ⋅ Department of Justice
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research
CHINACHOPPER BRONZE SPRING

2020-06-24 ⋅ Counter Threat Unit ResearchTeam
BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31

2020-06-18 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz
BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne
Ketrican MimiKatz

2020-06-03 ⋅ Trend Micro ⋅ Daniel Lunghi
How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT

2020-05-28 ⋅ Kaspersky Labs ⋅ Vyacheslav Kopeytsev
Steganography in targeted attacks on industrial enterprises
MimiKatz

2020-05-27 ⋅ FBI ⋅ FBI
Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity
MimiKatz

2020-05-21 ⋅ Bitdefender ⋅ Liviu Arsene, Bogdan Rusu
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi

2020-05-21 ⋅ ESET Research ⋅ Mathieu Tartare, Martin Smolár
No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon

2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda

2020-05-14 ⋅ Lab52 ⋅ Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja
Sodinokibi / REvil ransomware
Maze MimiKatz REvil

2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Red Charon

2020-03-12 ⋅ Check Point ⋅ Check Point Research
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy

2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT

2020-02-19 ⋅ Lexfo ⋅ Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz

2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT

2020-02-02 ⋅ uf0 Blog ⋅ Matteo Malvica
Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD
MimiKatz

2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader

2020-01-10 ⋅ Youtube (Azure Thursday) ⋅ Maarten Goet
A hitchhikers guide to the cybersecurity galaxy
GALLIUM

2020-01-09 ⋅ Lab52 ⋅ Jagaimo Kawaii
TA428 Group abusing recent conflict between Iran and USA
Poison Ivy

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31

2020 ⋅ Secureworks ⋅ SecureWorks
COBALT HICKMAN
MimiKatz Remexi APT39

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26

2020 ⋅ Secureworks ⋅ SecureWorks
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE MAYFAIR
HTran pirpi APT3

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz

2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt

2020 ⋅ Secureworks ⋅ SecureWorks
ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats

2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41

2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer
China Chopper still active 9 years later
CHINACHOPPER

2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON

2019-07-23 ⋅ Proofpoint ⋅ Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428

2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell

2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster
Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER HyperSSL

2019-05-10 ⋅ XPN Blog ⋅ Adam Chester
Exploring Mimikatz - Part 1 - WDigest
MimiKatz

2019-04-04 ⋅ CrowdStrike ⋅ Harlan Carvey
Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
MimiKatz

2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33

2019-02-06 ⋅ Recorded Future ⋅ Insikt Group, Rapid7
APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT APT31 HURRICANE PANDA

2019-01-04 ⋅ Github (gentilkiwi) ⋅ Benjamin Delpy
mimikatz Repository
MimiKatz

2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Tool description: China Chopper
CHINACHOPPER

2018-09-21 ⋅ Qihoo 360 Technology ⋅ Qihoo 360
Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment
Poison Ivy

2018-07-25 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team, Network Protection Security Labs
Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Imecab MimiKatz Sorgu RASPITE

2018-05-15 ⋅ BSides Detroit ⋅ Keven Murphy, Stefano Maccaglia
IR in Heterogeneous Environment
Korlia Poison Ivy

2018-03-16 ⋅ FireEye ⋅ FireEye
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40

2018-02-28 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi

2018-02-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
SamSam Ransomware Campaigns
MimiKatz reGeorg SamSam BOSS SPIDER

2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER

2017-12-04 ⋅ RSA ⋅ Jack Wesley Riley
The Shadows of Ghosts Inside the response of a unique Carbanak intrusion
GOTROJ MimiKatz

2017-11-09 ⋅ Wired ⋅ Andy Greenberg
He Perfected a Password-Hacking Tool—Then the Russians Came Calling
MimiKatz

2017-11-03 ⋅ Github (5loyd) ⋅ 5loyd
Trochilus
Trochilus RAT

2017-09-15 ⋅ Fortinet ⋅ Xiaopeng Zhang
Deep Analysis of New Poison Ivy/PlugX Variant - Part II
Poison Ivy

2017-08-31 ⋅ NCC Group ⋅ Ahmed Zaki
Analysing a recent Poison Ivy sample
Poison Ivy

2017-08-23 ⋅ Fortinet ⋅ Xiaopeng Zhang
Deep Analysis of New Poison Ivy Variant
Poison Ivy

2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
PittyTiger
Enfal Ghost RAT MimiKatz Poison Ivy APT24

2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm

2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves Trochilus RAT

2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT

2017-02-27 ⋅ Symantec ⋅ A L Johnson
Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten

2016-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster
Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
Poison Ivy

2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff

2016-04-26 ⋅ Github (CyberMonitor) ⋅ Jason Jones
New Poison Ivy Activity Targeting Myanmar, Asian Countries
Poison Ivy

2016-04-22 ⋅ Palo Alto Networks Unit 42 ⋅ Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn
New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Poison Ivy

2016-03-30 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Ransomware Deployed by Adversary with Established Foothold
MimiKatz reGeorg SamSam BOSS SPIDER

2015-08 ⋅ Arbor Networks ⋅ ASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2014-09-19 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Ryan Olson
Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
Poison Ivy

2014 ⋅ FireEye ⋅ FireEye
Operation Quantum Entanglement
IsSpace NewCT Poison Ivy SysGet

2013-10-31 ⋅ FireEye ⋅ Thoufique Haq, Ned Moran
Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy TEMPER PANDA

2013-08-23 ⋅ FireEye ⋅ Nart Villeneuve, Thoufique Haq, Ned Moran
Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Poison Ivy Molerats

2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik
Breaking Down the China Chopper Web Shell - Part I
CHINACHOPPER

2013-03-04 ⋅ Trend Micro ⋅ Kyle Wilhoit
In-Depth Look: APT Attack Tools of the Trade
HTran

2011-08-03 ⋅ Secureworks ⋅ Joe Stewart
HTran and the Advanced Persistent Threat
HTran

2011-04-28 ⋅ Gentil Kiwi
Un observateur d’événements aveugle…
MimiKatz

2011 ⋅ Symantec ⋅ Erica Eng, Gavin O'Gorman
The Nitro Attacks: Stealing Secrets from the Chemical Industry
Poison Ivy Nitro

2010 ⋅ Mandiant ⋅ Ero Carrera, Peter Silberman
State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus

Credits: MISP Project