GALLIUM is a threat actor believed to be targeting telecommunication providers around the world, mostly in South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM targets unpatched internet-facing services using publicly available exploits and has been known to target vulnerabilities in WildFly/JBoss.
2023-09-12 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20230912:fin12:b0a08e2,
author = {ANSSI},
title = {{FIN12: A Cybercriminal Group with Multiple Ransomware}},
date = {2023-09-12},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf},
language = {French},
urldate = {2023-09-20}
}
FIN12: A Cybercriminal Group with Multiple Ransomware BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC |
2023-09-07 ⋅ Sekoia ⋅ Jamila B. @online{b:20230907:my:de66f96,
author = {Jamila B.},
title = {{My Tea’s not cold. An overview of China’s cyber threat}},
date = {2023-09-07},
organization = {Sekoia},
url = {https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/},
language = {English},
urldate = {2023-09-08}
}
My Tea’s not cold. An overview of China’s cyber threat Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL |
2023-09-07 ⋅ CISA ⋅ CISA @techreport{cisa:20230907:multiple:e867413,
author = {CISA},
title = {{Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475}},
date = {2023-09-07},
institution = {CISA},
url = {https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf},
language = {English},
urldate = {2023-09-11}
}
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 Meterpreter MimiKatz |
2023-08-22 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20230822:analyzing:a2e958c,
author = {ASEC Analysis Team},
title = {{Analyzing the new attack activity of the Andariel group}},
date = {2023-08-22},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/56256/},
language = {Korean},
urldate = {2023-08-28}
}
Analyzing the new attack activity of the Andariel group Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer |
2023-06-16 ⋅ Palo Alto Networks: Cortex Threat Research ⋅ Lior Rochberger @online{rochberger:20230616:through:5ef09b8,
author = {Lior Rochberger},
title = {{Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa}},
date = {2023-06-16},
organization = {Palo Alto Networks: Cortex Threat Research},
url = {https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/},
language = {English},
urldate = {2023-06-22}
}
Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa CHINACHOPPER Ladon Yasso |
2023-04-26 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20230426:chinese:3dad965,
author = {Unit 42},
title = {{Chinese Alloy Taurus Updates PingPull Malware}},
date = {2023-04-26},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/alloy-taurus/},
language = {English},
urldate = {2023-04-27}
}
Chinese Alloy Taurus Updates PingPull Malware PingPull Sword2033 |
2023-04-12 ⋅ Kaspersky Labs ⋅ Seongsu Park @online{park:20230412:following:851b624,
author = {Seongsu Park},
title = {{Following the Lazarus group by tracking DeathNote campaign}},
date = {2023-04-12},
organization = {Kaspersky Labs},
url = {https://securelist.com/the-lazarus-group-deathnote-campaign/109490/},
language = {English},
urldate = {2023-07-28}
}
Following the Lazarus group by tracking DeathNote campaign Bankshot BLINDINGCAN LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer |
2023-04-03 ⋅ Mandiant ⋅ JASON DEYALSINGH, NICK SMITH, Eduardo Mattos, Tyler McLellan, Nick Richard @online{deyalsingh:20230403:alphv:04f0dfa,
author = {JASON DEYALSINGH and NICK SMITH and Eduardo Mattos and Tyler McLellan and Nick Richard},
title = {{ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access}},
date = {2023-04-03},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/blog/alphv-ransomware-backup},
language = {English},
urldate = {2023-04-22}
}
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access LaZagne BlackCat MimiKatz |
2023-03-16 ⋅ Palo Alto Networks Unit 42 ⋅ Frank Lee, Scott Roland @online{lee:20230316:beeware:1ad83b4,
author = {Frank Lee and Scott Roland},
title = {{Bee-Ware of Trigona, An Emerging Ransomware Strain}},
date = {2023-03-16},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/trigona-ransomware-update/},
language = {English},
urldate = {2023-03-20}
}
Bee-Ware of Trigona, An Emerging Ransomware Strain Cryakl MimiKatz Trigona |
2023-01-23 ⋅ Kroll ⋅ Stephen Green, Elio Biasiotto @online{green:20230123:black:dd89d21,
author = {Stephen Green and Elio Biasiotto},
title = {{Black Basta – Technical Analysis}},
date = {2023-01-23},
organization = {Kroll},
url = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis},
language = {English},
urldate = {2023-04-22}
}
Black Basta – Technical Analysis Black Basta Cobalt Strike MimiKatz QakBot SystemBC |
2022-11-30 ⋅ FFRI Security ⋅ Matsumoto @online{matsumoto:20221130:evolution:29e9b4c,
author = {Matsumoto},
title = {{Evolution of the PlugX loader}},
date = {2022-11-30},
organization = {FFRI Security},
url = {https://engineers.ffri.jp/entry/2022/11/30/141346},
language = {Japanese},
urldate = {2022-12-01}
}
Evolution of the PlugX loader PlugX Poison Ivy |
2022-10-18 ⋅ Intrinsec ⋅ Intrinsec, CERT Intrinsec @online{intrinsec:20221018:apt27:1977039,
author = {Intrinsec and CERT Intrinsec},
title = {{APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis}},
date = {2022-10-18},
organization = {Intrinsec},
url = {https://www.intrinsec.com/apt27-analysis/},
language = {English},
urldate = {2022-11-07}
}
APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis HyperBro MimiKatz |
2022-10-11 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20221011:from:a35b468,
author = {ASEC Analysis Team},
title = {{From Exchange Server vulnerability to ransomware infection in just 7 days}},
date = {2022-10-11},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/39682/},
language = {Korean},
urldate = {2022-10-11}
}
From Exchange Server vulnerability to ransomware infection in just 7 days LockBit MimiKatz |
2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220929:witchetty:628f1c4,
author = {Threat Hunter Team},
title = {{Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East}},
date = {2022-09-29},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage},
language = {English},
urldate = {2022-09-30}
}
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 |
2022-09-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220915:webworm:500c850,
author = {Threat Hunter Team},
title = {{Webworm: Espionage Attackers Testing and Using Older Modified RATs}},
date = {2022-09-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats},
language = {English},
urldate = {2022-09-20}
}
Webworm: Espionage Attackers Testing and Using Older Modified RATs 9002 RAT Ghost RAT Trochilus RAT |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220913:new:2ff2e98,
author = {Threat Hunter Team},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-09-08 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Vitor Ventura @online{an:20220908:lazarus:236b4b4,
author = {Jung soo An and Asheer Malhotra and Vitor Ventura},
title = {{Lazarus and the tale of three RATs}},
date = {2022-09-08},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html},
language = {English},
urldate = {2023-01-19}
}
Lazarus and the tale of three RATs MagicRAT MimiKatz VSingle YamaBot |
2022-09-07 ⋅ Blackberry ⋅ Anuj Soni, Ryan Chapman @online{soni:20220907:curious:80138f0,
author = {Anuj Soni and Ryan Chapman},
title = {{The Curious Case of “Monti” Ransomware: A Real-World Doppelganger}},
date = {2022-09-07},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger},
language = {English},
urldate = {2022-09-10}
}
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger Conti MimiKatz Veeam Dumper |
2022-09-06 ⋅ ESET Research ⋅ Thibaut Passilly @online{passilly:20220906:worok:0c106ac,
author = {Thibaut Passilly},
title = {{Worok: The big picture}},
date = {2022-09-06},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/},
language = {English},
urldate = {2022-09-10}
}
Worok: The big picture MimiKatz PNGLoad reGeorg ShadowPad Worok |
2022-09-01 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20220901:ransomware:8eda6e4,
author = {Trend Micro},
title = {{Ransomware Spotlight Black Basta}},
date = {2022-09-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta},
language = {English},
urldate = {2022-09-19}
}
Ransomware Spotlight Black Basta Black Basta Cobalt Strike MimiKatz QakBot |
2022-08-25 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Research Team, Microsoft 365 Defender Threat Intelligence Team @online{mstic:20220825:mercury:a02a670,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team and Microsoft 365 Defender Threat Intelligence Team},
title = {{MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations}},
date = {2022-08-25},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations},
language = {English},
urldate = {2022-08-30}
}
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations MimiKatz |
2022-08-22 ⋅ Fortinet ⋅ Shunichi Imano, Fred Gutierrez @online{imano:20220822:tale:9a74924,
author = {Shunichi Imano and Fred Gutierrez},
title = {{A Tale of PivNoxy and Chinoxy Puppeteer}},
date = {2022-08-22},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis},
language = {English},
urldate = {2022-08-28}
}
A Tale of PivNoxy and Chinoxy Puppeteer Chinoxy Poison Ivy |
2022-08-18 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20220818:cookie:74bd0f5,
author = {Sean Gallagher},
title = {{Cookie stealing: the new perimeter bypass}},
date = {2022-08-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass},
language = {English},
urldate = {2022-08-22}
}
Cookie stealing: the new perimeter bypass Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT |
2022-08-15 ⋅ SentinelOne ⋅ Vikram Navali @online{navali:20220815:detecting:5abdd3d,
author = {Vikram Navali},
title = {{Detecting a Rogue Domain Controller – DCShadow Attack}},
date = {2022-08-15},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/},
language = {English},
urldate = {2022-08-18}
}
Detecting a Rogue Domain Controller – DCShadow Attack MimiKatz TrickBot |
2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken @online{bushidotoken:20220731:space:636e570,
author = {BushidoToken},
title = {{Space Invaders: Cyber Threats That Are Out Of This World}},
date = {2022-07-31},
organization = {BushidoToken Blog},
url = {https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html},
language = {English},
urldate = {2022-08-02}
}
Space Invaders: Cyber Threats That Are Out Of This World Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker |
2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards @online{edwards:20220727:threat:6aaf018,
author = {Joseph Edwards},
title = {{Threat analysis: Follina exploit fuels 'live-off-the-land' attacks}},
date = {2022-07-27},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks},
language = {English},
urldate = {2022-08-08}
}
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks Cobalt Strike MimiKatz |
2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team @online{team:20220726:malicious:ff5f5c0,
author = {Microsoft 365 Defender Research Team},
title = {{Malicious IIS extensions quietly open persistent backdoors into servers}},
date = {2022-07-26},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/},
language = {English},
urldate = {2022-07-28}
}
Malicious IIS extensions quietly open persistent backdoors into servers CHINACHOPPER MimiKatz |
2022-07-26 ⋅ Mandiant ⋅ Thibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden @online{berlaere:20220726:mandiant:c1c4498,
author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden},
title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}},
date = {2022-07-26},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics},
language = {English},
urldate = {2023-01-19}
}
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers Clop Industroyer MimiKatz Triton |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:alloy:740b049,
author = {Unit 42},
title = {{Alloy Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/alloytaurus/},
language = {English},
urldate = {2022-07-25}
}
Alloy Taurus GALLIUM |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:shallow:cc9413f,
author = {Unit 42},
title = {{Shallow Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/},
language = {English},
urldate = {2022-07-29}
}
Shallow Taurus FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK |
2022-07-18 ⋅ Censys ⋅ Censys @techreport{censys:20220718:russian:dfd4246,
author = {Censys},
title = {{Russian Ransomware C2 Network Discovered in Censys Data}},
date = {2022-07-18},
institution = {Censys},
url = {https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf},
language = {English},
urldate = {2022-07-25}
}
Russian Ransomware C2 Network Discovered in Censys Data Cobalt Strike MimiKatz PoshC2 |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:obscure:28a0051,
author = {Unit 42},
title = {{Obscure Serpens}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/obscureserpens/},
language = {English},
urldate = {2022-07-29}
}
Obscure Serpens Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:iron:f7586c5,
author = {Unit 42},
title = {{Iron Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/},
language = {English},
urldate = {2022-07-29}
}
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:crawling:d229f20,
author = {Unit 42},
title = {{Crawling Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/crawling-taurus/},
language = {English},
urldate = {2022-07-29}
}
Crawling Taurus Poison Ivy APT20 |
2022-06-30 ⋅ Kaspersky ⋅ Pierre Delcher @online{delcher:20220630:sessionmanager:f171df2,
author = {Pierre Delcher},
title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}},
date = {2022-06-30},
organization = {Kaspersky},
url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/},
language = {English},
urldate = {2022-07-05}
}
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact MimiKatz Owlproxy SessionManager |
2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere @online{costa:20220621:avos:b60a2ad,
author = {Flavio Costa and Chris Neal and Guilherme Venere},
title = {{Avos ransomware group expands with new attack arsenal}},
date = {2022-06-21},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html},
language = {English},
urldate = {2022-06-22}
}
Avos ransomware group expands with new attack arsenal AvosLocker Cobalt Strike DarkComet MimiKatz |
2022-06-20 ⋅ Infinitum IT ⋅ infinitum IT @online{it:20220620:charming:b356ff2,
author = {infinitum IT},
title = {{Charming Kitten (APT35)}},
date = {2022-06-20},
organization = {Infinitum IT},
url = {https://www.infinitumit.com.tr/apt-35/},
language = {Turkish},
urldate = {2022-06-22}
}
Charming Kitten (APT35) LaZagne DownPaper MimiKatz pupy |
2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Venkat Rajgor, Felipe Duarte @techreport{lomboni:20220615:backdoor:8d43d9e,
author = {Charles Lomboni and Venkat Rajgor and Felipe Duarte},
title = {{Backdoor via XFF: Mysterious Threat Actor Under Radar}},
date = {2022-06-15},
institution = {Security Joes},
url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf},
language = {English},
urldate = {2022-06-16}
}
Backdoor via XFF: Mysterious Threat Actor Under Radar CHINACHOPPER |
2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team @online{wells:20220603:attack:5e4e9c6,
author = {Jackson Wells and AttackIQ Adversary Research Team},
title = {{Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group}},
date = {2022-06-03},
organization = {AttackIQ},
url = {https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/},
language = {English},
urldate = {2022-06-18}
}
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group Cobalt Strike MimiKatz |
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence @online{intelligence:20220602:to:e15831c,
author = {Mandiant Intelligence},
title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions},
language = {English},
urldate = {2022-06-04}
}
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
2022-06-01 ⋅ CISA ⋅ CISA, FBI, Department of the Treasury (Treasury), FINCEN @online{cisa:20220601:alert:f73857d,
author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN},
title = {{Alert (AA22-152A): Karakurt Data Extortion Group}},
date = {2022-06-01},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-152a},
language = {English},
urldate = {2022-06-02}
}
Alert (AA22-152A): Karakurt Data Extortion Group MimiKatz |
2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease @online{stepanic:20220601:cuba:333f7c1,
author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease},
title = {{CUBA Ransomware Campaign Analysis}},
date = {2022-06-01},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis},
language = {English},
urldate = {2022-06-09}
}
CUBA Ransomware Campaign Analysis Cobalt Strike Cuba Meterpreter MimiKatz SystemBC |
2022-06-01 ⋅ CISA ⋅ FBI, CISA, Department of the Treasury (Treasury), FINCEN @techreport{fbi:20220601:joint:366b0d0,
author = {FBI and CISA and Department of the Treasury (Treasury) and FINCEN},
title = {{Joint Cybersecurity Advisory (Product ID AA22-152A): Karakurt Data Extortion Group}},
date = {2022-06-01},
institution = {CISA},
url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf},
language = {English},
urldate = {2022-06-02}
}
Joint Cybersecurity Advisory (Product ID AA22-152A): Karakurt Data Extortion Group MimiKatz |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies @online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220517:ransomware:7b86339,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: RansomEXX}},
date = {2022-05-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx},
language = {English},
urldate = {2022-05-25}
}
Ransomware Spotlight: RansomEXX LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT |
2022-05-05 ⋅ Troopers Conference ⋅ Ben Jackson, Will Bonner @online{jackson:20220505:tinker:2cde4e9,
author = {Ben Jackson and Will Bonner},
title = {{Tinker Telco Soldier Spy (to be given 2022-06-27)}},
date = {2022-05-05},
organization = {Troopers Conference},
url = {https://troopers.de/troopers22/talks/7cv8pz/},
language = {English},
urldate = {2022-05-06}
}
Tinker Telco Soldier Spy (to be given 2022-06-27) BPFDoor GALLIUM |
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Gambling Puppet}},
date = {2022-04-27},
institution = {Trendmicro},
url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-27 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20220427:le:5d47343,
author = {ANSSI},
title = {{LE GROUPE CYBERCRIMINEL FIN7}},
date = {2022-04-27},
institution = {ANSSI},
url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf},
language = {French},
urldate = {2022-05-05}
}
LE GROUPE CYBERCRIMINEL FIN7 Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot |
2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia @online{ovadia:20220419:hive:51c5eb7,
author = {Nadav Ovadia},
title = {{Hive Ransomware Analysis}},
date = {2022-04-19},
organization = {Varonis},
url = {https://www.varonis.com/blog/hive-ransomware-analysis},
language = {English},
urldate = {2022-04-25}
}
Hive Ransomware Analysis Cobalt Strike Hive MimiKatz |
2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya @online{bykkaya:20220408:threat:cbbf292,
author = {Arda Büyükkaya},
title = {{Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team}},
date = {2022-04-08},
organization = {Infinitum Labs},
url = {https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/},
language = {English},
urldate = {2022-04-08}
}
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team Cobalt Strike MimiKatz |
2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20220407:you:2d088bc,
author = {Splunk Threat Research Team},
title = {{You Bet Your Lsass: Hunting LSASS Access}},
date = {2022-04-07},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html},
language = {English},
urldate = {2022-05-04}
}
You Bet Your Lsass: Hunting LSASS Access Cobalt Strike MimiKatz |
2022-04-05 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220405:cicada:67f6b8c,
author = {Threat Hunter Team},
title = {{Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity}},
date = {2022-04-05},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks},
language = {English},
urldate = {2022-04-07}
}
Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity MimiKatz SodaMaster |
2022-03-25 ⋅ Dragos ⋅ Conor McLaren, Dragos @techreport{mclaren:20220325:how:05e2664,
author = {Conor McLaren and Dragos},
title = {{How Dragos Activity Groups Obtain Initial Access into Industrial Environments}},
date = {2022-03-25},
institution = {Dragos},
url = {https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf},
language = {English},
urldate = {2022-04-12}
}
How Dragos Activity Groups Obtain Initial Access into Industrial Environments MimiKatz |
2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini @online{figueroa:20220309:conti:d237b64,
author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini},
title = {{The Conti Leaks | Insight into a Ransomware Unicorn}},
date = {2022-03-09},
organization = {BreachQuest},
url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/},
language = {English},
urldate = {2022-03-14}
}
The Conti Leaks | Insight into a Ransomware Unicorn Cobalt Strike MimiKatz TrickBot |
2022-03 ⋅ VirusTotal ⋅ VirusTotal @techreport{virustotal:202203:virustotals:c6af9c1,
author = {VirusTotal},
title = {{VirusTotal's 2021 Malware Trends Report}},
date = {2022-03},
institution = {VirusTotal},
url = {https://assets.virustotal.com/reports/2021trends.pdf},
language = {English},
urldate = {2022-04-13}
}
VirusTotal's 2021 Malware Trends Report Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT |
2022-02-03 ⋅ Symantec ⋅ Symantec Threat Hunter Team @online{team:20220203:antlion:f2f0600,
author = {Symantec Threat Hunter Team},
title = {{Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan}},
date = {2022-02-03},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks},
language = {English},
urldate = {2022-02-04}
}
Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan MimiKatz xPack Antlion |
2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru @techreport{yanagishita:20220127:what:3c59dc9,
author = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru},
title = {{What We Can Do against the Chaotic A41APT Campaign}},
date = {2022-01-27},
institution = {JSAC 2021},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf},
language = {English},
urldate = {2022-05-17}
}
What We Can Do against the Chaotic A41APT Campaign CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
2021-12-14 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20211214:espionage:5b6cf02,
author = {Threat Hunter Team},
title = {{Espionage Campaign Targets Telecoms Organizations across Middle East and Asia}},
date = {2021-12-14},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east},
language = {English},
urldate = {2021-12-31}
}
Espionage Campaign Targets Telecoms Organizations across Middle East and Asia MimiKatz |
2021-12-06 ⋅ PARAFLARE ⋅ Melanie Ninovic @online{ninovic:20211206:attack:65a8a15,
author = {Melanie Ninovic},
title = {{Attack Lifecycle Detection of an Operational Technology Breach}},
date = {2021-12-06},
organization = {PARAFLARE},
url = {https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/},
language = {English},
urldate = {2022-03-07}
}
Attack Lifecycle Detection of an Operational Technology Breach MimiKatz |
2021-12-06 ⋅ Notice of Pleadings ⋅ Microsoft @online{microsoft:20211206:complaint:035d577,
author = {Microsoft},
title = {{Complaint filed by Microsoft against NICKEL/APT15}},
date = {2021-12-06},
organization = {Notice of Pleadings},
url = {https://noticeofpleadings.com/nickel/#},
language = {English},
urldate = {2021-12-08}
}
Complaint filed by Microsoft against NICKEL/APT15 MimiKatz |
2021-12-06 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU) @online{mstic:20211206:nickel:115c365,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)},
title = {{NICKEL targeting government organizations across Latin America and Europe}},
date = {2021-12-06},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/},
language = {English},
urldate = {2021-12-08}
}
NICKEL targeting government organizations across Latin America and Europe MimiKatz |
2021-11-18 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU) @online{mstic:20211118:iranian:911ab04,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)},
title = {{Iranian targeting of IT sector on the rise}},
date = {2021-11-18},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/},
language = {English},
urldate = {2021-11-19}
}
Iranian targeting of IT sector on the rise MimiKatz ShellClient RAT |
2021-11-05 ⋅ Twitter (@inversecos) ⋅ inversecos @online{inversecos:20211105:ttps:2b9481e,
author = {inversecos},
title = {{TTPs used by Pysa Ransonmware group}},
date = {2021-11-05},
organization = {Twitter (@inversecos)},
url = {https://twitter.com/inversecos/status/1456486725664993287},
language = {English},
urldate = {2021-11-08}
}
TTPs used by Pysa Ransonmware group Mespinoza MimiKatz |
2021-11-03 ⋅ Cisco Talos ⋅ Chetan Raghuprasad, Vanja Svajcer, Caitlin Huey @online{raghuprasad:20211103:microsoft:2b6de43,
author = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey},
title = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}},
date = {2021-11-03},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html},
language = {English},
urldate = {2021-11-03}
}
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk Babuk CHINACHOPPER |
2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill @online{larrieu:20211101:diving:a732a35,
author = {Heather Larrieu and Curt Wilson and Katrina Hill},
title = {{Diving into double extortion campaigns}},
date = {2021-11-01},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns},
language = {English},
urldate = {2021-11-03}
}
Diving into double extortion campaigns Cobalt Strike MimiKatz |
2021-10-25 ⋅ CrowdStrike ⋅ Falcon OverWatch Team @online{team:20211025:overwatch:8fd2f9f,
author = {Falcon OverWatch Team},
title = {{OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack}},
date = {2021-10-25},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/},
language = {English},
urldate = {2021-11-03}
}
OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack MimiKatz |
2021-10-15 ⋅ Volatility Labs ⋅ Volatility Labs @online{labs:20211015:memory:53ea6d8,
author = {Volatility Labs},
title = {{Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack}},
date = {2021-10-15},
organization = {Volatility Labs},
url = {https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html},
language = {English},
urldate = {2021-11-17}
}
Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack MimiKatz |
2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence @online{intelligence:20211011:moving:3b0eaec,
author = {Accenture Cyber Threat Intelligence},
title = {{Moving Left of the Ransomware Boom}},
date = {2021-10-11},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom},
language = {English},
urldate = {2021-11-03}
}
Moving Left of the Ransomware Boom REvil Cobalt Strike MimiKatz RagnarLocker REvil |
2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas @online{stotomas:20210924:examining:9165fe5,
author = {Warren Sto.Tomas},
title = {{Examining the Cring Ransomware Techniques}},
date = {2021-09-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html},
language = {English},
urldate = {2021-09-29}
}
Examining the Cring Ransomware Techniques Cobalt Strike Cring MimiKatz |
2021-09-14 ⋅ McAfee ⋅ Christiaan Beek @online{beek:20210914:operation:95aed8d,
author = {Christiaan Beek},
title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}},
date = {2021-09-14},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/},
language = {English},
urldate = {2021-09-19}
}
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign MimiKatz PlugX Winnti |
2021-09-09 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210909:grayfly:60c5478,
author = {Threat Hunter Team},
title = {{Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware}},
date = {2021-09-09},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware},
language = {English},
urldate = {2021-09-10}
}
Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware CROSSWALK MimiKatz SideWalk |
2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta @online{hernandez:20210903:pst:a8de902,
author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta},
title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}},
date = {2021-09-03},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html},
language = {English},
urldate = {2021-09-06}
}
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers CHINACHOPPER HTran |
2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20210830:operation:7b5be26,
author = {Red Raindrop Team},
title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}},
date = {2021-08-30},
organization = {Qianxin},
url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/},
language = {Chinese},
urldate = {2021-09-09}
}
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss Cobalt Strike MimiKatz |
2021-08-23 ⋅ FBI ⋅ FBI @techreport{fbi:20210823:indicators:3308f26,
author = {FBI},
title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}},
date = {2021-08-23},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/210823.pdf},
language = {English},
urldate = {2021-08-24}
}
Indicators of Compromise Associated with OnePercent Group Ransomware Cobalt Strike MimiKatz |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-10 ⋅ FireEye ⋅ Israel Research Team, U.S. Threat Intel Team @online{team:20210810:unc215:dbc483a,
author = {Israel Research Team and U.S. Threat Intel Team},
title = {{UNC215: Spotlight on a Chinese Espionage Campaign in Israel}},
date = {2021-08-10},
organization = {FireEye},
url = {https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel},
language = {English},
urldate = {2021-12-06}
}
UNC215: Spotlight on a Chinese Espionage Campaign in Israel HyperBro HyperSSL MimiKatz |
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman @online{dahan:20210803:deadringer:908e8d5,
author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}},
date = {2021-08-03},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos},
language = {English},
urldate = {2021-08-06}
}
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20210720:ongoing:1e6dbd0,
author = {Counter Threat Unit Research Team},
title = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}},
date = {2021-07-20},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran},
language = {English},
urldate = {2021-07-26}
}
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran CHINACHOPPER MimiKatz RGDoor |
2021-06-29 ⋅ Accenture ⋅ Accenture Security @online{security:20210629:hades:2d4c606,
author = {Accenture Security},
title = {{HADES ransomware operators continue attacks}},
date = {2021-06-29},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades},
language = {English},
urldate = {2021-07-01}
}
HADES ransomware operators continue attacks Cobalt Strike Hades MimiKatz |
2021-06-16 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210616:threat:d585785,
author = {Insikt Group®},
title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}},
date = {2021-06-16},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf},
language = {English},
urldate = {2022-07-29}
}
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA |
2021-06-10 ⋅ ESET Research ⋅ Adam Burgher @online{burgher:20210610:backdoordiplomacy:4ebcb1d,
author = {Adam Burgher},
title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}},
date = {2021-06-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/},
language = {English},
urldate = {2022-06-08}
}
BackdoorDiplomacy: Upgrading from Quarian to Turian CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie @online{shier:20210518:active:f313ac5,
author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie},
title = {{The Active Adversary Playbook 2021}},
date = {2021-05-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153},
language = {English},
urldate = {2021-05-25}
}
The Active Adversary Playbook 2021 Cobalt Strike MimiKatz |
2021-05-13 ⋅ AWAKE ⋅ Kieran Evans @online{evans:20210513:catching:eaa13e2,
author = {Kieran Evans},
title = {{Catching the White Stork in Flight}},
date = {2021-05-13},
organization = {AWAKE},
url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/},
language = {English},
urldate = {2021-09-19}
}
Catching the White Stork in Flight Cobalt Strike MimiKatz RMS |
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj @online{nataraj:20210507:new:79ec788,
author = {Rajesh Nataraj},
title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}},
date = {2021-05-07},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728},
language = {English},
urldate = {2022-02-16}
}
New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin @online{huey:20210507:lemon:0d46f81,
author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin},
title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}},
date = {2021-05-07},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html},
language = {English},
urldate = {2022-02-16}
}
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre @online{cruz:20210506:proxylogon:4920ee4,
author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre},
title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}},
date = {2021-05-06},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html},
language = {English},
urldate = {2022-02-17}
}
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei |
2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210505:multifactor:8834ab8,
author = {Threat Hunter Team},
title = {{Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques}},
date = {2021-05-05},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks},
language = {English},
urldate = {2021-05-26}
}
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques CHINACHOPPER |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw @online{agcaoili:20210427:legitimate:b293526,
author = {Janus Agcaoili and Earle Earnshaw},
title = {{Legitimate Tools Weaponized for Ransomware in 2021}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021},
language = {English},
urldate = {2021-05-03}
}
Legitimate Tools Weaponized for Ransomware in 2021 Cobalt Strike MimiKatz |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili @online{agcaoili:20210427:hello:b3c5de5,
author = {Janus Agcaoili},
title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html},
language = {English},
urldate = {2021-04-29}
}
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike |
2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana @online{surana:20210416:could:bb769ca,
author = {Nitesh Surana},
title = {{Could the Microsoft Exchange breach be stopped?}},
date = {2021-04-16},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html},
language = {English},
urldate = {2021-05-11}
}
Could the Microsoft Exchange breach be stopped? CHINACHOPPER |
2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone @online{falcone:20210415:actor:8428e3f,
author = {Robert Falcone},
title = {{Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials}},
date = {2021-04-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/},
language = {English},
urldate = {2021-04-19}
}
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials CHINACHOPPER |
2021-03-31 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20210331:2021:cd81f2d,
author = {Red Canary},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-26 ⋅ Imperva ⋅ Daniel Johnston @online{johnston:20210326:imperva:a78367a,
author = {Daniel Johnston},
title = {{Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures}},
date = {2021-03-26},
organization = {Imperva},
url = {https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/},
language = {English},
urldate = {2021-03-30}
}
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20210325:analyzing:d9ddef0,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Analyzing attacks taking advantage of the Exchange Server vulnerabilities}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/},
language = {English},
urldate = {2021-03-30}
}
Analyzing attacks taking advantage of the Exchange Server vulnerabilities CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Tom McElroy @online{mcelroy:20210325:web:38010a7,
author = {Tom McElroy},
title = {{Web Shell Threat Hunting with Azure Sentinel}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968},
language = {English},
urldate = {2021-03-30}
}
Web Shell Threat Hunting with Azure Sentinel CHINACHOPPER |
2021-03-21 ⋅ Twitter (@CyberRaiju) ⋅ Jai Minton @online{minton:20210321:twitter:8e65e84,
author = {Jai Minton},
title = {{Twitter Thread with analysis of .NET China Chopper}},
date = {2021-03-21},
organization = {Twitter (@CyberRaiju)},
url = {https://twitter.com/CyberRaiju/status/1373582619707867136},
language = {English},
urldate = {2023-09-11}
}
Twitter Thread with analysis of .NET China Chopper CHINACHOPPER |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund @techreport{certbund:20210319:microsoft:beb2409,
author = {CERT-Bund},
title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}},
date = {2021-03-19},
institution = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf},
language = {German},
urldate = {2021-03-22}
}
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) CHINACHOPPER MimiKatz |
2021-03-17 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210317:chinalinked:65b251b,
author = {Insikt Group®},
title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}},
date = {2021-03-17},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/china-linked-ta428-threat-group},
language = {English},
urldate = {2021-03-19}
}
China-linked TA428 Continues to Target Russia and Mongolia IT Companies PlugX Poison Ivy TA428 |
2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon @online{deacon:20210315:hafnium:02beddd,
author = {Joshua Deacon},
title = {{HAFNIUM, China Chopper and ASP.NET Runtime}},
date = {2021-03-15},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/},
language = {English},
urldate = {2021-03-22}
}
HAFNIUM, China Chopper and ASP.NET Runtime CHINACHOPPER |
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell @online{campbell:20210311:you:7bd2342,
author = {Josh Campbell},
title = {{You Don't Know the HAFNIUM of it...}},
date = {2021-03-11},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
language = {English},
urldate = {2021-03-16}
}
You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20210311:microsoft:c51c694,
author = {Unit 42},
title = {{Microsoft Exchange Server Attack Timeline}},
date = {2021-03-11},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/},
language = {English},
urldate = {2021-03-12}
}
Microsoft Exchange Server Attack Timeline CHINACHOPPER |
2021-03-11 ⋅ DEVO ⋅ Fran Gomez @online{gomez:20210311:detection:e16ec1f,
author = {Fran Gomez},
title = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}},
date = {2021-03-11},
organization = {DEVO},
url = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/},
language = {English},
urldate = {2021-03-12}
}
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service CHINACHOPPER MimiKatz |
2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon @online{lemon:20210310:microsoft:47b2c67,
author = {Josh Lemon},
title = {{Microsoft Exchange & the HAFNIUM Threat Actor}},
date = {2021-03-10},
organization = {Lemon's InfoSec Ramblings},
url = {https://blog.joshlemon.com.au/hafnium-exchange-attacks/},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange & the HAFNIUM Threat Actor CHINACHOPPER |
2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20210310:tactics:702eb34,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers}},
date = {2021-03-10},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers},
language = {English},
urldate = {2021-03-16}
}
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers CHINACHOPPER |
2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare @online{dupuy:20210310:exchange:8f65a1f,
author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare},
title = {{Exchange servers under siege from at least 10 APT groups}},
date = {2021-03-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
language = {English},
urldate = {2021-03-11}
}
Exchange servers under siege from at least 10 APT groups Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda |
2021-03-10 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210310:examining:e3eee78,
author = {Joe Slowik},
title = {{Examining Exchange Exploitation and its Lessons for Defenders}},
date = {2021-03-10},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders},
language = {English},
urldate = {2021-03-12}
}
Examining Exchange Exploitation and its Lessons for Defenders CHINACHOPPER |
2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber @online{weems:20210309:reproducing:6c6302c,
author = {Anthony Weems and Dallas Kaman and Michael Weber},
title = {{Reproducing the Microsoft Exchange Proxylogon Exploit Chain}},
date = {2021-03-09},
organization = {PRAETORIAN},
url = {https://www.praetorian.com/blog/reproducing-proxylogon-exploit/},
language = {English},
urldate = {2021-03-11}
}
Reproducing the Microsoft Exchange Proxylogon Exploit Chain CHINACHOPPER |
2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels @online{lambert:20210309:microsoft:6a37334,
author = {Tony Lambert and Brian Donohue and Katie Nickels},
title = {{Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm}},
date = {2021-03-09},
organization = {Red Canary},
url = {https://redcanary.com/blog/microsoft-exchange-attacks},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm CHINACHOPPER |
2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20210309:remediation:4973903,
author = {Unit 42},
title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}},
date = {2021-03-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/},
language = {English},
urldate = {2021-03-11}
}
Remediation Steps for the Microsoft Exchange Server Vulnerabilities CHINACHOPPER |
2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond @online{hammond:20210309:hafnium:dc2de8d,
author = {John Hammond},
title = {{HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange}},
date = {2021-03-09},
organization = {YouTube (John Hammond)},
url = {https://www.youtube.com/watch?v=rn-6t7OygGk},
language = {English},
urldate = {2021-03-12}
}
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange CHINACHOPPER |
2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210308:how:752e42e,
author = {Threat Hunter Team},
title = {{How Symantec Stops Microsoft Exchange Server Attacks}},
date = {2021-03-08},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection},
language = {English},
urldate = {2021-03-12}
}
How Symantec Stops Microsoft Exchange Server Attacks CHINACHOPPER MimiKatz |
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White @online{white:20210308:analyzing:9b932a3,
author = {Jeff White},
title = {{Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells}},
date = {2021-03-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/china-chopper-webshell/},
language = {English},
urldate = {2021-03-11}
}
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells CHINACHOPPER |
2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund @online{grnlund:20210307:tracking:2d920fd,
author = {Rasmus Grönlund},
title = {{Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM}},
date = {2021-03-07},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/},
language = {English},
urldate = {2021-03-12}
}
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM CHINACHOPPER |
2021-03-05 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20210305:chinese:119ea98,
author = {Andy Greenberg},
title = {{Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims}},
date = {2021-03-05},
organization = {Wired},
url = {https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/},
language = {English},
urldate = {2021-03-06}
}
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims CHINACHOPPER |
2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs @techreport{labs:20210305:operation:1248e05,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-05},
institution = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder CHINACHOPPER |
2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team @online{team:20210304:falcon:6170749,
author = {The Falcon Complete Team},
title = {{Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits}},
date = {2021-03-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits},
language = {English},
urldate = {2021-03-10}
}
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits CHINACHOPPER HAFNIUM |
2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs @online{labs:20210304:operation:1187712,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-04},
organization = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder CHINACHOPPER |
2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace @online{bromiley:20210304:detection:3b8c16f,
author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace},
title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}},
date = {2021-03-04},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html},
language = {English},
urldate = {2021-03-10}
}
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20210303:hafnium:e35dcb1,
author = {MITRE ATT&CK},
title = {{HAFNIUM}},
date = {2021-03-03},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0125/},
language = {English},
urldate = {2022-07-05}
}
HAFNIUM CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs @online{labs:20210303:mass:a0ef74d,
author = {Huntress Labs},
title = {{Mass exploitation of on-prem Exchange servers :(}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers},
language = {English},
urldate = {2021-03-10}
}
Mass exploitation of on-prem Exchange servers :( CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ John Hammond @online{hammond:20210303:rapid:7c97ee5,
author = {John Hammond},
title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers},
language = {English},
urldate = {2021-03-10}
}
Rapid Response: Mass Exploitation of On-Prem Exchange Servers CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian @online{christian:20210302:rapid7s:b676aa4,
author = {Andrew Christian},
title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}},
date = {2021-03-02},
organization = {Rapid7 Labs},
url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day},
language = {English},
urldate = {2021-03-10}
}
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster @online{grunzweig:20210302:operation:44c264f,
author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}},
date = {2021-03-02},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/},
language = {English},
urldate = {2021-03-07}
}
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security @online{mstic:20210302:hafnium:c7d8588,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security},
title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}},
date = {2021-03-02},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers},
language = {English},
urldate = {2021-03-07}
}
HAFNIUM targeting Exchange Servers with 0-day exploits CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research @online{research:20210302:exchange:4473faa,
author = {ESET Research},
title = {{Tweet on Exchange RCE}},
date = {2021-03-02},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1366862946488451088},
language = {English},
urldate = {2021-03-10}
}
Tweet on Exchange RCE CHINACHOPPER HAFNIUM |
2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff @online{loui:20210226:hypervisor:8dadf9c,
author = {Eric Loui and Sergei Frankoff},
title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}},
date = {2021-02-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout},
language = {English},
urldate = {2021-05-26}
}
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou @online{sanmillan:20210201:operation:9e52a78,
author = {Ignacio Sanmillan and Matthieu Faou},
title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}},
date = {2021-02-01},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/},
language = {English},
urldate = {2021-02-17}
}
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
2021-01-29 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210129:chopper:6dfb7c6,
author = {Trend Micro},
title = {{Chopper ASPX web shell used in targeted attack}},
date = {2021-01-29},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html},
language = {English},
urldate = {2021-02-02}
}
Chopper ASPX web shell used in targeted attack CHINACHOPPER MimiKatz |
2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT @online{csirt:20210126:cring:f12c487,
author = {Swisscom CSIRT},
title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring ransomware}},
date = {2021-01-26},
organization = {Twitter (@swisscom_csirt)},
url = {https://twitter.com/swisscom_csirt/status/1354052879158571008},
language = {English},
urldate = {2021-01-27}
}
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring ransomware Cobalt Strike Cring MimiKatz |
2021-01-18 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz @techreport{verfassungsschutz:20210118:bfv:8f2fc64,
author = {Bundesamt für Verfassungsschutz},
title = {{BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31}},
date = {2021-01-18},
institution = {Bundesamt für Verfassungsschutz},
url = {https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf},
language = {German},
urldate = {2021-01-29}
}
BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31 (BfV Cyber Brief No. 01/2021: Modus operandi of APT31) MimiKatz |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis @techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-08 ⋅ Youtube (Virus Bulletin) ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @online{ozawa:20210108:operation:18eec5e,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint}},
date = {2021-01-08},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ},
language = {English},
urldate = {2021-02-06}
}
Operation LagTime IT: colourful Panda footprint Cotx RAT nccTrojan Poison Ivy Tmanger TA428 |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:c0ba914,
author = {SecureWorks},
title = {{Threat Profile: GOLD FRANKLIN}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-franklin},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD FRANKLIN Grateful POS Meterpreter MimiKatz RemCom FIN6 |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:dbd7ed7,
author = {SecureWorks},
title = {{Threat Profile: GOLD DRAKE}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-drake},
language = {English},
urldate = {2021-05-28}
}
Threat Profile: GOLD DRAKE Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp |
2021 ⋅ DomainTools ⋅ Joe Slowik @techreport{slowik:2021:conceptualizing:3cdf067,
author = {Joe Slowik},
title = {{Conceptualizing a Continuum of Cyber Threat Attribution}},
date = {2021},
institution = {DomainTools},
url = {https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf},
language = {English},
urldate = {2021-11-02}
}
Conceptualizing a Continuum of Cyber Threat Attribution CHINACHOPPER SUNBURST |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:d17547d,
author = {SecureWorks},
title = {{Threat Profile: GOLD BURLAP}},
date = {2021},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-burlap},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD BURLAP Empire Downloader Mespinoza MimiKatz GOLD BURLAP |
2020-12-21 ⋅ SlideShare (yurikamuraki5) ⋅ Yurika Kakiuchi @online{kakiuchi:20201221:active:6c42aad,
author = {Yurika Kakiuchi},
title = {{Active Directory 侵害と推奨対策}},
date = {2020-12-21},
organization = {SlideShare (yurikamuraki5)},
url = {https://www.slideshare.net/yurikamuraki5/active-directory-240348605},
language = {Japanese},
urldate = {2021-02-06}
}
Active Directory 侵害と推奨対策 (Active Directory compromise and recommended countermeasures) MimiKatz |
2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG @online{ag:20201215:greetings:452ef44,
author = {HvS-Consulting AG},
title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}},
date = {2020-12-15},
organization = {HvS-Consulting AG},
url = {https://www.hvs-consulting.de/lazarus-report/},
language = {English},
urldate = {2021-01-21}
}
Greetings from Lazarus: Anatomy of a cyber espionage campaign BLINDINGCAN MimiKatz Lazarus Group |
2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG @techreport{ag:20201215:greetings:a5b59d9,
author = {HvS-Consulting AG},
title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}},
date = {2020-12-15},
institution = {HvS-Consulting AG},
url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf},
language = {English},
urldate = {2023-07-10}
}
Greetings from Lazarus Anatomy of a cyber espionage campaign BLINDINGCAN HTTP(S) uploader MimiKatz |
2020-12-04 ⋅ Theta ⋅ Hamish Krebs @online{krebs:20201204:snakes:7932d5f,
author = {Hamish Krebs},
title = {{Snakes & Ladders: the offensive use of Python on Windows}},
date = {2020-12-04},
organization = {Theta},
url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/},
language = {English},
urldate = {2022-04-29}
}
Snakes & Ladders: the offensive use of Python on Windows MimiKatz |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-30 ⋅ Yoroi ⋅ Luigi Martire, Antonio Pirozzi, Luca Mella @online{martire:20201130:shadows:2ef4813,
author = {Luigi Martire and Antonio Pirozzi and Luca Mella},
title = {{Shadows From The Past Threaten Italian Enterprises}},
date = {2020-11-30},
organization = {Yoroi},
url = {https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/},
language = {English},
urldate = {2021-06-16}
}
Shadows From The Past Threaten Italian Enterprises Rekoobe LaZagne Responder MimiKatz win.rekoobe |
2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov @online{goydenko:20201127:investigation:7d12cee,
author = {Denis Goydenko and Alexey Vishnyakov},
title = {{Investigation with a twist: an accidental APT attack and averted data destruction}},
date = {2020-11-27},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/},
language = {English},
urldate = {2020-12-01}
}
Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
2020-10-23 ⋅ F-Secure Labs ⋅ Guillaume Couchard, Qimin Wang, Thiam Loong Siew @online{couchard:20201023:catching:5788228,
author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew},
title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two}},
date = {2020-10-23},
organization = {F-Secure Labs},
url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two},
language = {English},
urldate = {2020-10-26}
}
Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two MimiKatz |
2020-10-20 ⋅ F-Secure ⋅ F-Secure Consulting @techreport{consulting:20201020:incident:275ade2,
author = {F-Secure Consulting},
title = {{Incident Readiness: Preparing a proactive response to attacks}},
date = {2020-10-20},
institution = {F-Secure},
url = {https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf},
language = {English},
urldate = {2020-10-23}
}
Incident Readiness: Preparing a proactive response to attacks MimiKatz |
2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200930:operation:04593f6,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint (Slides)}},
date = {2020-09-30},
institution = {NTT Security},
url = {https://vblocalhost.com/uploads/VB2020-20.pdf},
language = {English},
urldate = {2021-02-06}
}
Operation LagTime IT: colourful Panda footprint (Slides) Cotx RAT nccTrojan Poison Ivy Tmanger |
2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200930:operation:1efe218,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint}},
date = {2020-09-30},
institution = {NTT Security},
url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf},
language = {English},
urldate = {2021-01-25}
}
Operation LagTime IT: colourful Panda footprint Cotx RAT nccTrojan Poison Ivy Tmanger |
2020-09-17 ⋅ FBI ⋅ FBI @techreport{fbi:20200917:fbi:9893ba0,
author = {FBI},
title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}},
date = {2020-09-17},
institution = {FBI},
url = {https://www.ic3.gov/media/news/2020/200917-1.pdf},
language = {English},
urldate = {2020-09-23}
}
FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks MimiKatz Nanocore RAT |
2020-09-16 ⋅ RiskIQ ⋅ Jon Gross @online{gross:20200916:riskiq:da4b864,
author = {Jon Gross},
title = {{RiskIQ: Adventures in Cookie Land - Part 2}},
date = {2020-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/56fa1b2f},
language = {English},
urldate = {2020-09-23}
}
RiskIQ: Adventures in Cookie Land - Part 2 8.t Dropper Chinoxy Poison Ivy |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:alert:13d0ab3,
author = {US-CERT},
title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a},
language = {English},
urldate = {2020-09-16}
}
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER Fox Kitten |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:malware:8345418,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a},
language = {English},
urldate = {2020-09-16}
}
Malware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER |
2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200831:netwalker:29a1511,
author = {The DFIR Report},
title = {{NetWalker Ransomware in 1 Hour}},
date = {2020-08-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/},
language = {English},
urldate = {2020-08-31}
}
NetWalker Ransomware in 1 Hour Cobalt Strike Mailto MimiKatz |
2020-08-28 ⋅ NTT ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200828:operation:e0feab5,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation Lagtime IT: Colourful Panda Footprint}},
date = {2020-08-28},
institution = {NTT},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Lagtime IT: Colourful Panda Footprint Cotx RAT Poison Ivy TA428 |
2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200819:operation:445be8c,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: Colorful Panda Footprint}},
date = {2020-08-19},
institution = {NTT Security},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf},
language = {English},
urldate = {2022-07-29}
}
Operation LagTime IT: Colorful Panda Footprint 8.t Dropper Cotx RAT Poison Ivy TA428 |
2020-08-10 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200810:fbi:704abe2,
author = {Catalin Cimpanu},
title = {{FBI says an Iranian hacking group is attacking F5 networking devices}},
date = {2020-08-10},
organization = {ZDNet},
url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/},
language = {English},
urldate = {2020-08-12}
}
FBI says an Iranian hacking group is attacking F5 networking devices MimiKatz |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry Cobalt Strike MimiKatz Winnti Red Charon |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang @techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors Cobalt Strike MimiKatz Winnti Red Charon |
2020-07-21 ⋅ Department of Justice ⋅ Department of Justice @online{justice:20200721:two:81b000b,
author = {Department of Justice},
title = {{Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research}},
date = {2020-07-21},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion},
language = {English},
urldate = {2022-07-25}
}
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research CHINACHOPPER BRONZE SPRING |
2020-06-24 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20200624:bronze:62b58ff,
author = {Counter Threat Unit Research Team},
title = {{BRONZE VINEWOOD Targets Supply Chains}},
date = {2020-06-24},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains},
language = {English},
urldate = {2020-06-26}
}
BRONZE VINEWOOD Targets Supply Chains MimiKatz Trochilus RAT APT31 |
2020-06-18 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz @techreport{verfassungsschutz:20200618:bfv:52dfe79,
author = {Bundesamt für Verfassungsschutz},
title = {{BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne}},
date = {2020-06-18},
institution = {Bundesamt für Verfassungsschutz},
url = {https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf},
language = {German},
urldate = {2020-06-18}
}
BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne (BfV Cyber Brief No. 01/2020: Notice of a current attack campaign) Ketrican MimiKatz |
2020-06-03 ⋅ Trend Micro ⋅ Daniel Lunghi @techreport{lunghi:20200603:how:4f28e63,
author = {Daniel Lunghi},
title = {{How to perform long term monitoring of careless threat actors}},
date = {2020-06-03},
institution = {Trend Micro},
url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf},
language = {English},
urldate = {2020-06-05}
}
How to perform long term monitoring of careless threat actors BBSRAT HyperBro Trochilus RAT |
2020-05-28 ⋅ Kaspersky Labs ⋅ Vyacheslav Kopeytsev @techreport{kopeytsev:20200528:steganography:8f5230a,
author = {Vyacheslav Kopeytsev},
title = {{Steganography in targeted attacks on industrial enterprises}},
date = {2020-05-28},
institution = {Kaspersky Labs},
url = {https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf},
language = {English},
urldate = {2020-05-29}
}
Steganography in targeted attacks on industrial enterprises MimiKatz |
2020-05-27 ⋅ FBI ⋅ FBI @techreport{fbi:20200527:alert:6d31e17,
author = {FBI},
title = {{Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity}},
date = {2020-05-27},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/210527.pdf},
language = {English},
urldate = {2021-06-04}
}
Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity MimiKatz |
2020-05-21 ⋅ Bitdefender ⋅ Liviu Arsene, Bogdan Rusu @techreport{arsene:20200521:iranian:d9e1468,
author = {Liviu Arsene and Bogdan Rusu},
title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}},
date = {2020-05-21},
institution = {Bitdefender},
url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf},
language = {English},
urldate = {2020-05-23}
}
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia MimiKatz Remexi |
2020-05-21 ⋅ ESET Research ⋅ Mathieu Tartare, Martin Smolár @online{tartare:20200521:no:016fc6c,
author = {Mathieu Tartare and Martin Smolár},
title = {{No “Game over” for the Winnti Group}},
date = {2020-05-21},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/},
language = {English},
urldate = {2020-05-23}
}
No “Game over” for the Winnti Group ACEHASH HTran MimiKatz PipeMon |
2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra @online{camastra:20200514:planted:7b94cc6,
author = {Luigino Camastra},
title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}},
date = {2020-05-14},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia},
language = {English},
urldate = {2022-07-25}
}
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia BYEBY Ghost RAT Microcin MimiKatz Vicious Panda |
2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja @online{ziaja:20200507:sodinokibi:f5c5cd1,
author = {Adam Ziaja},
title = {{Sodinokibi / REvil ransomware}},
date = {2020-05-07},
organization = {REDTEAM.PL},
url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html},
language = {English},
urldate = {2020-05-13}
}
Sodinokibi / REvil ransomware Maze MimiKatz REvil |
2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp @online{corp:20200416:taiwan:3029f53,
author = {CyCraft Technology Corp},
title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}},
date = {2020-04-16},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730},
language = {English},
urldate = {2020-11-04}
}
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures Cobalt Strike MimiKatz Red Charon |
2020-03-12 ⋅ Check Point ⋅ Check Point Research @online{research:20200312:vicious:3218bb8,
author = {Check Point Research},
title = {{Vicious Panda: The COVID Campaign}},
date = {2020-03-12},
organization = {Check Point},
url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/},
language = {English},
urldate = {2020-03-13}
}
Vicious Panda: The COVID Campaign 8.t Dropper BYEBY Enfal Korlia Poison Ivy |
2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200305:humanoperated:d90a28e,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Human-operated ransomware attacks: A preventable disaster}},
date = {2020-03-05},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
language = {English},
urldate = {2020-03-06}
}
Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe @online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-19 ⋅ Lexfo ⋅ Lexfo @techreport{lexfo:20200219:lazarus:f293c37,
author = {Lexfo},
title = {{The Lazarus Constellation A study on North Korean malware}},
date = {2020-02-19},
institution = {Lexfo},
url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
language = {English},
urldate = {2020-03-11}
}
The Lazarus Constellation A study on North Korean malware FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild Cobalt Strike GRUNT MimiKatz |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-02 ⋅ uf0 Blog ⋅ Matteo Malvica @online{malvica:20200202:uncovering:ec2d3da,
author = {Matteo Malvica},
title = {{Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD}},
date = {2020-02-02},
organization = {uf0 Blog},
url = {https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/},
language = {English},
urldate = {2020-02-03}
}
Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD MimiKatz |
2020-01-29 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20200129:overhead:ec0aeb5,
author = {nao_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}
An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020-01-10 ⋅ Youtube (Azure Thursday) ⋅ Maarten Goet @online{goet:20200110:hitchhikers:03fefe9,
author = {Maarten Goet},
title = {{A hitchhikers guide to the cybersecurity galaxy}},
date = {2020-01-10},
organization = {Youtube (Azure Thursday)},
url = {https://www.youtube.com/watch?v=fBFm2fiEPTg},
language = {English},
urldate = {2020-06-16}
}
A hitchhikers guide to the cybersecurity galaxy GALLIUM |
2020-01-09 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200109:ta428:2230af2,
author = {Jagaimo Kawaii},
title = {{TA428 Group abusing recent conflict between Iran and USA}},
date = {2020-01-09},
organization = {Lab52},
url = {https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/},
language = {English},
urldate = {2021-02-06}
}
TA428 Group abusing recent conflict between Iran and USA Poison Ivy |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66a45ac,
author = {SecureWorks},
title = {{BRONZE VINEWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood},
language = {English},
urldate = {2020-05-23}
}
BRONZE VINEWOOD MimiKatz Trochilus RAT APT31 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:cobalt:c242388,
author = {SecureWorks},
title = {{COBALT HICKMAN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman},
language = {English},
urldate = {2020-05-23}
}
COBALT HICKMAN MimiKatz Remexi APT39 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:b55f797,
author = {SecureWorks},
title = {{BRONZE MAYFAIR}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair},
language = {English},
urldate = {2020-05-23}
}
BRONZE MAYFAIR HTran pirpi APT3 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:0d8c853,
author = {SecureWorks},
title = {{GOLD DRAKE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-drake},
language = {English},
urldate = {2020-05-23}
}
GOLD DRAKE Dridex Empire Downloader FriedEx Koadic MimiKatz |
2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant @techreport{hall:202001:mandiant:25e38ef,
author = {Tom Hall and Mitchell Clarke and Mandiant},
title = {{Mandiant IR Grab Bag of Attacker Activity}},
date = {2020-01},
institution = {FireEye},
url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf},
language = {English},
urldate = {2021-04-16}
}
Mandiant IR Grab Bag of Attacker Activity TwoFace CHINACHOPPER HyperBro HyperSSL |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:aluminum:af22ffd,
author = {SecureWorks},
title = {{ALUMINUM SARATOGA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga},
language = {English},
urldate = {2020-05-23}
}
ALUMINUM SARATOGA BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center @online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer @online{rascagnres:20190827:china:2d2bbb8,
author = {Paul Rascagnères and Vanja Svajcer},
title = {{China Chopper still active 9 years later}},
date = {2019-08-27},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html},
language = {English},
urldate = {2019-10-14}
}
China Chopper still active 9 years later CHINACHOPPER |
2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley @online{pennino:20190819:game:b6ef5a0,
author = {Alex Pennino and Matt Bromiley},
title = {{GAME OVER: Detecting and Stopping an APT41 Operation}},
date = {2019-08-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html},
language = {English},
urldate = {2020-01-06}
}
GAME OVER: Detecting and Stopping an APT41 Operation ACEHASH CHINACHOPPER HIGHNOON |
2019-07-23 ⋅ Proofpoint ⋅ Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team @online{raggi:20190723:chinese:804ec1c,
author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team},
title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}},
date = {2019-07-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology},
language = {English},
urldate = {2021-02-06}
}
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia 8.t Dropper Cotx RAT Poison Ivy TA428 |
2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20190625:operation:21efa8f,
author = {Cybereason Nocturnus},
title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}},
date = {2019-06-25},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers},
language = {English},
urldate = {2022-07-01}
}
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster @online{falcone:20190528:emissary:dc0f942,
author = {Robert Falcone and Tom Lancaster},
title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}},
date = {2019-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/},
language = {English},
urldate = {2021-04-16}
}
Emissary Panda Attacks Middle East Government Sharepoint Servers CHINACHOPPER HyperSSL |
2019-05-10 ⋅ XPN Blog ⋅ Adam Chester @online{chester:20190510:exploring:758b4e8,
author = {Adam Chester},
title = {{Exploring Mimikatz - Part 1 - WDigest}},
date = {2019-05-10},
organization = {XPN Blog},
url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/},
language = {English},
urldate = {2020-09-01}
}
Exploring Mimikatz - Part 1 - WDigest MimiKatz |
2019-04-04 ⋅ CrowdStrike ⋅ Harlan Carvey @online{carvey:20190404:mimikatz:243c11a,
author = {Harlan Carvey},
title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}},
date = {2019-04-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/},
language = {English},
urldate = {2019-12-20}
}
Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber” MimiKatz |
2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20190327:elfin:d90a330,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
date = {2019-03-27},
organization = {Symantec},
url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage},
language = {English},
urldate = {2020-04-21}
}
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33 |
2019-02-06 ⋅ Recorded Future ⋅ Insikt Group, Rapid7 @techreport{group:20190206:apt10:74d18e7,
author = {Insikt Group and Rapid7},
title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}},
date = {2019-02-06},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf},
language = {English},
urldate = {2019-12-17}
}
APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign Trochilus RAT APT31 HURRICANE PANDA |
2019-01-04 ⋅ Github (gentilkiwi) ⋅ Benjamin Delpy @online{delpy:20190104:mimikatz:caaf928,
author = {Benjamin Delpy},
title = {{mimikatz Repository}},
date = {2019-01-04},
organization = {Github (gentilkiwi)},
url = {https://github.com/gentilkiwi/mimikatz},
language = {English},
urldate = {2020-01-07}
}
mimikatz Repository MimiKatz |
2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan @techreport{gu:2019:vine:df5dbfb,
author = {Lion Gu and Bowen Pan},
title = {{A vine climbing over the Great Firewall: A long-term attack against China}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf},
language = {English},
urldate = {2020-01-08}
}
A vine climbing over the Great Firewall: A long-term attack against China Poison Ivy ZXShell |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:fd89dda,
author = {MITRE ATT&CK},
title = {{Tool description: China Chopper}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0020/},
language = {English},
urldate = {2019-12-20}
}
Tool description: China Chopper CHINACHOPPER |
2018-09-21 ⋅ Qihoo 360 Technology ⋅ Qihoo 360 @online{360:20180921:poison:d1cab92,
author = {Qihoo 360},
title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}},
date = {2018-09-21},
organization = {Qihoo 360 Technology},
url = {http://blogs.360.cn/post/APT_C_01_en.html},
language = {English},
urldate = {2019-11-29}
}
Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment Poison Ivy |
2018-07-25 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team, Network Protection Security Labs @online{team:20180725:leafminer:0591f9b,
author = {Critical Attack Discovery and Intelligence Team and Network Protection Security Labs},
title = {{Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions}},
date = {2018-07-25},
organization = {Symantec},
url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east},
language = {English},
urldate = {2020-04-21}
}
Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions Imecab MimiKatz Sorgu RASPITE |
2018-05-15 ⋅ BSides Detroit ⋅ Keven Murphy, Stefano Maccaglia @online{murphy:20180515:ir:ac5b561,
author = {Keven Murphy and Stefano Maccaglia},
title = {{IR in Heterogeneous Environment}},
date = {2018-05-15},
organization = {BSides Detroit},
url = {https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment},
language = {English},
urldate = {2020-07-20}
}
IR in Heterogeneous Environment Korlia Poison Ivy |
2018-03-16 ⋅ FireEye ⋅ FireEye @online{fireeye:20180316:suspected:2a77316,
author = {FireEye},
title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}},
date = {2018-03-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html},
language = {English},
urldate = {2019-12-20}
}
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40 |
2018-02-28 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20180228:chafer:5b5b77b,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}},
date = {2018-02-28},
organization = {Symantec},
url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions},
language = {English},
urldate = {2020-04-21}
}
Chafer: Latest Attacks Reveal Heightened Ambitions MimiKatz Remexi |
2018-02-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20180215:samsam:bd6d65d,
author = {Counter Threat Unit ResearchTeam},
title = {{SamSam Ransomware Campaigns}},
date = {2018-02-15},
organization = {Secureworks},
url = {https://www.secureworks.com/research/samsam-ransomware-campaigns},
language = {English},
urldate = {2021-05-28}
}
SamSam Ransomware Campaigns MimiKatz reGeorg SamSam BOSS SPIDER |
2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy @online{kozy:20171220:end:218a388,
author = {Adam Kozy},
title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}},
date = {2017-12-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/},
language = {English},
urldate = {2020-05-11}
}
An End to “Smash-and-Grab” and a Move to More Targeted Approaches CHINACHOPPER |
2017-12-04 ⋅ RSA ⋅ Jack Wesley Riley @techreport{riley:20171204:shadows:ae9e436,
author = {Jack Wesley Riley},
title = {{The Shadows of Ghosts Inside the response of a unique Carbanak intrusion}},
date = {2017-12-04},
institution = {RSA},
url = {https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf},
language = {English},
urldate = {2021-09-02}
}
The Shadows of Ghosts Inside the response of a unique Carbanak intrusion GOTROJ MimiKatz |
2017-11-09 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20171109:he:5442358,
author = {Andy Greenberg},
title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}},
date = {2017-11-09},
organization = {Wired},
url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/},
language = {English},
urldate = {2020-01-08}
}
He Perfected a Password-Hacking Tool—Then the Russians Came Calling MimiKatz |
2017-11-03 ⋅ Github (5loyd) ⋅ 5loyd @online{5loyd:20171103:trochilus:964b44c,
author = {5loyd},
title = {{Trochilus}},
date = {2017-11-03},
organization = {Github (5loyd)},
url = {https://github.com/5loyd/trochilus/},
language = {English},
urldate = {2020-01-08}
}
Trochilus Trochilus RAT |
2017-09-15 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20170915:deep:5178fe3,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of New Poison Ivy/PlugX Variant - Part II}},
date = {2017-09-15},
organization = {Fortinet},
url = {https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii},
language = {English},
urldate = {2020-01-10}
}
Deep Analysis of New Poison Ivy/PlugX Variant - Part II Poison Ivy |
2017-08-31 ⋅ NCC Group ⋅ Ahmed Zaki @online{zaki:20170831:analysing:4c77e47,
author = {Ahmed Zaki},
title = {{Analysing a recent Poison Ivy sample}},
date = {2017-08-31},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/},
language = {English},
urldate = {2020-01-10}
}
Analysing a recent Poison Ivy sample Poison Ivy |
2017-08-23 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20170823:deep:3d931ad,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of New Poison Ivy Variant}},
date = {2017-08-23},
organization = {Fortinet},
url = {http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant},
language = {English},
urldate = {2020-01-06}
}
Deep Analysis of New Poison Ivy Variant Poison Ivy |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:pittytiger:cac6452,
author = {MITRE ATT&CK},
title = {{PittyTiger}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0011},
language = {English},
urldate = {2022-08-30}
}
PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24 |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:sandworm:1a9a446,
author = {MITRE ATT&CK},
title = {{Sandworm Team}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0034},
language = {English},
urldate = {2022-08-25}
}
Sandworm Team CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm |
2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20170403:redleaves:211a123,
author = {Shusei Tomonaga},
title = {{RedLeaves - Malware Based on Open Source RAT}},
date = {2017-04-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html},
language = {English},
urldate = {2022-06-22}
}
RedLeaves - Malware Based on Open Source RAT PlugX RedLeaves Trochilus RAT |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers @techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-02-27 ⋅ Symantec ⋅ A L Johnson @online{johnson:20170227:shamoon:0188f39,
author = {A L Johnson},
title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}},
date = {2017-02-27},
organization = {Symantec},
url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
language = {English},
urldate = {2020-04-21}
}
Shamoon: Multi-staged destructive attacks limited to specific targets DistTrack MimiKatz Rocket Kitten |
2016-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster @online{ray:20161122:tropic:7f503e7,
author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster},
title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}},
date = {2016-11-22},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/},
language = {English},
urldate = {2019-12-20}
}
Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy Poison Ivy |
2016-10-11 ⋅ Symantec ⋅ Symantec Security Response @online{response:20161011:odinaff:36b35db,
author = {Symantec Security Response},
title = {{Odinaff: New Trojan used in high level financial attacks}},
date = {2016-10-11},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
language = {English},
urldate = {2019-12-05}
}
Odinaff: New Trojan used in high level financial attacks Cobalt Strike KLRD MimiKatz Odinaff |
2016-04-26 ⋅ Github (CyberMonitor) ⋅ Jason Jones @techreport{jones:20160426:new:78ff145,
author = {Jason Jones},
title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}},
date = {2016-04-26},
institution = {Github (CyberMonitor)},
url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf},
language = {English},
urldate = {2019-12-17}
}
New Poison Ivy Activity Targeting Myanmar, Asian Countries Poison Ivy |
2016-04-22 ⋅ Palo Alto Networks Unit 42 ⋅ Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn @online{yates:20160422:new:249e32b,
author = {Micah Yates and Mike Scott and Brandon Levene and Jen Miller-Osborn},
title = {{New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists}},
date = {2016-04-22},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/},
language = {English},
urldate = {2019-12-20}
}
New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists Poison Ivy |
2016-03-30 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20160330:ransomware:d1b6fe3,
author = {Counter Threat Unit ResearchTeam},
title = {{Ransomware Deployed by Adversary with Established Foothold}},
date = {2016-03-30},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/ransomware-deployed-by-adversary},
language = {English},
urldate = {2021-05-28}
}
Ransomware Deployed by Adversary with Established Foothold MimiKatz reGeorg SamSam BOSS SPIDER |
2015-08 ⋅ Arbor Networks ⋅ ASERT Team @online{team:201508:uncovering:121e5cf,
author = {ASERT Team},
title = {{Uncovering the Seven Pointed Dagger}},
date = {2015-08},
organization = {Arbor Networks},
url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn},
language = {English},
urldate = {2020-05-18}
}
Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT APT9 |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2014-09-19 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Ryan Olson @online{millerosborn:20140919:recent:edf1ed3,
author = {Jen Miller-Osborn and Ryan Olson},
title = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}},
date = {2014-09-19},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/},
language = {English},
urldate = {2019-12-20}
}
Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy Poison Ivy |
2014 ⋅ FireEye ⋅ FireEye @techreport{fireeye:2014:operation:2160679,
author = {FireEye},
title = {{Operation Quantum Entanglement}},
date = {2014},
institution = {FireEye},
url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf},
language = {English},
urldate = {2021-04-29}
}
Operation Quantum Entanglement IsSpace NewCT Poison Ivy SysGet |
2013-10-31 ⋅ FireEye ⋅ Thoufique Haq, Ned Moran @online{haq:20131031:know:e772ee9,
author = {Thoufique Haq and Ned Moran},
title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}},
date = {2013-10-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html},
language = {English},
urldate = {2019-12-20}
}
Know Your Enemy: Tracking A Rapidly Evolving APT Actor Bozok Poison Ivy TEMPER PANDA |
2013-08-23 ⋅ FireEye ⋅ Nart Villeneuve, Thoufique Haq, Ned Moran @online{villeneuve:20130823:operation:dc4b5d6,
author = {Nart Villeneuve and Thoufique Haq and Ned Moran},
title = {{Operation Molerats: Middle East Cyber Attacks Using Poison Ivy}},
date = {2013-08-23},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html},
language = {English},
urldate = {2019-12-20}
}
Operation Molerats: Middle East Cyber Attacks Using Poison Ivy Poison Ivy Molerats |
2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik @online{ahl:20130807:breaking:aff06e9,
author = {Ian Ahl and Tony Lee and Dennis Hanzlik},
title = {{Breaking Down the China Chopper Web Shell - Part I}},
date = {2013-08-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html},
language = {English},
urldate = {2019-12-20}
}
Breaking Down the China Chopper Web Shell - Part I CHINACHOPPER |
2013-03-04 ⋅ Trend Micro ⋅ Kyle Wilhoit @online{wilhoit:20130304:indepth:ebccc8b,
author = {Kyle Wilhoit},
title = {{In-Depth Look: APT Attack Tools of the Trade}},
date = {2013-03-04},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/},
language = {English},
urldate = {2019-07-11}
}
In-Depth Look: APT Attack Tools of the Trade HTran |
2011-08-03 ⋅ Secureworks ⋅ Joe Stewart @online{stewart:20110803:htran:7a67164,
author = {Joe Stewart},
title = {{HTran and the Advanced Persistent Threat}},
date = {2011-08-03},
organization = {Secureworks},
url = {https://www.secureworks.com/research/htran},
language = {English},
urldate = {2020-01-08}
}
HTran and the Advanced Persistent Threat HTran |
2011-04-28 ⋅ Gentil Kiwi @online{kiwi:20110428:un:4c39d1d,
author = {Gentil Kiwi},
title = {{Un observateur d’événements aveugle…}},
date = {2011-04-28},
url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle},
language = {English},
urldate = {2020-01-07}
}
Un observateur d’événements aveugle… MimiKatz |
2011 ⋅ Symantec ⋅ Erica Eng, Gavin O'Gorman @techreport{eng:2011:nitro:656e464,
author = {Erica Eng and Gavin O'Gorman},
title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}},
date = {2011},
institution = {Symantec},
url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf},
language = {English},
urldate = {2020-04-21}
}
The Nitro Attacks: Stealing Secrets from the Chemical Industry Poison Ivy Nitro |
2010 ⋅ Mandiant ⋅ Ero Carrera, Peter Silberman @techreport{carrera:2010:state:687e608,
author = {Ero Carrera and Peter Silberman},
title = {{State of Malware: Family Ties}},
date = {2010},
institution = {Mandiant},
url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf},
language = {English},
urldate = {2022-01-28}
}
State of Malware: Family Ties Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus |