SYMBOLCOMMON_NAMEaka. SYNONYMS

GALLIUM  (Back to overview)

aka: Red Dev 4, Alloy Taurus

GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.


Associated Families
win.htran win.poison_ivy win.trochilus_rat elf.pingpull elf.sword2033 win.chinachopper win.mimikatz

References
2023-09-12ANSSIANSSI
@techreport{anssi:20230912:fin12:b0a08e2, author = {ANSSI}, title = {{FIN12: A Cybercriminal Group with Multiple Ransomware}}, date = {2023-09-12}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf}, language = {French}, urldate = {2023-09-20} } FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-09-07SekoiaJamila B.
@online{b:20230907:my:de66f96, author = {Jamila B.}, title = {{My Tea’s not cold. An overview of China’s cyber threat}}, date = {2023-09-07}, organization = {Sekoia}, url = {https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/}, language = {English}, urldate = {2023-09-08} } My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL
2023-09-07CISACISA
@techreport{cisa:20230907:multiple:e867413, author = {CISA}, title = {{Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475}}, date = {2023-09-07}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf}, language = {English}, urldate = {2023-09-11} } Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
Meterpreter MimiKatz
2023-08-22AhnLabASEC Analysis Team
@online{team:20230822:analyzing:a2e958c, author = {ASEC Analysis Team}, title = {{Analyzing the new attack activity of the Andariel group}}, date = {2023-08-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/56256/}, language = {Korean}, urldate = {2023-08-28} } Analyzing the new attack activity of the Andariel group
Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer
2023-06-16Palo Alto Networks: Cortex Threat ResearchLior Rochberger
@online{rochberger:20230616:through:5ef09b8, author = {Lior Rochberger}, title = {{Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa}}, date = {2023-06-16}, organization = {Palo Alto Networks: Cortex Threat Research}, url = {https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/}, language = {English}, urldate = {2023-06-22} } Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa
CHINACHOPPER Ladon Yasso
2023-04-26Palo Alto Networks Unit 42Unit 42
@online{42:20230426:chinese:3dad965, author = {Unit 42}, title = {{Chinese Alloy Taurus Updates PingPull Malware}}, date = {2023-04-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/alloy-taurus/}, language = {English}, urldate = {2023-04-27} } Chinese Alloy Taurus Updates PingPull Malware
PingPull Sword2033
2023-04-12Kaspersky LabsSeongsu Park
@online{park:20230412:following:851b624, author = {Seongsu Park}, title = {{Following the Lazarus group by tracking DeathNote campaign}}, date = {2023-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-lazarus-group-deathnote-campaign/109490/}, language = {English}, urldate = {2023-07-28} } Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer
2023-04-03MandiantJASON DEYALSINGH, NICK SMITH, Eduardo Mattos, Tyler McLellan, Nick Richard
@online{deyalsingh:20230403:alphv:04f0dfa, author = {JASON DEYALSINGH and NICK SMITH and Eduardo Mattos and Tyler McLellan and Nick Richard}, title = {{ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access}}, date = {2023-04-03}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/alphv-ransomware-backup}, language = {English}, urldate = {2023-04-22} } ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
LaZagne BlackCat MimiKatz
2023-03-16Palo Alto Networks Unit 42Frank Lee, Scott Roland
@online{lee:20230316:beeware:1ad83b4, author = {Frank Lee and Scott Roland}, title = {{Bee-Ware of Trigona, An Emerging Ransomware Strain}}, date = {2023-03-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trigona-ransomware-update/}, language = {English}, urldate = {2023-03-20} } Bee-Ware of Trigona, An Emerging Ransomware Strain
Cryakl MimiKatz Trigona
2023-01-23KrollStephen Green, Elio Biasiotto
@online{green:20230123:black:dd89d21, author = {Stephen Green and Elio Biasiotto}, title = {{Black Basta – Technical Analysis}}, date = {2023-01-23}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis}, language = {English}, urldate = {2023-04-22} } Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2022-11-30FFRI SecurityMatsumoto
@online{matsumoto:20221130:evolution:29e9b4c, author = {Matsumoto}, title = {{Evolution of the PlugX loader}}, date = {2022-11-30}, organization = {FFRI Security}, url = {https://engineers.ffri.jp/entry/2022/11/30/141346}, language = {Japanese}, urldate = {2022-12-01} } Evolution of the PlugX loader
PlugX Poison Ivy
2022-10-18IntrinsecIntrinsec, CERT Intrinsec
@online{intrinsec:20221018:apt27:1977039, author = {Intrinsec and CERT Intrinsec}, title = {{APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis}}, date = {2022-10-18}, organization = {Intrinsec}, url = {https://www.intrinsec.com/apt27-analysis/}, language = {English}, urldate = {2022-11-07} } APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis
HyperBro MimiKatz
2022-10-11AhnLabASEC Analysis Team
@online{team:20221011:from:a35b468, author = {ASEC Analysis Team}, title = {{From Exchange Server vulnerability to ransomware infection in just 7 days}}, date = {2022-10-11}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/39682/}, language = {Korean}, urldate = {2022-10-11} } From Exchange Server vulnerability to ransomware infection in just 7 days
LockBit MimiKatz
2022-09-29SymantecThreat Hunter Team
@online{team:20220929:witchetty:628f1c4, author = {Threat Hunter Team}, title = {{Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East}}, date = {2022-09-29}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage}, language = {English}, urldate = {2022-09-30} } Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4
2022-09-15SymantecThreat Hunter Team
@online{team:20220915:webworm:500c850, author = {Threat Hunter Team}, title = {{Webworm: Espionage Attackers Testing and Using Older Modified RATs}}, date = {2022-09-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats}, language = {English}, urldate = {2022-09-20} } Webworm: Espionage Attackers Testing and Using Older Modified RATs
9002 RAT Ghost RAT Trochilus RAT
2022-09-13SymantecThreat Hunter Team
@online{team:20220913:new:2ff2e98, author = {Threat Hunter Team}, title = {{New Wave of Espionage Activity Targets Asian Governments}}, date = {2022-09-13}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments}, language = {English}, urldate = {2022-09-20} } New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-09-08Cisco TalosJung soo An, Asheer Malhotra, Vitor Ventura
@online{an:20220908:lazarus:236b4b4, author = {Jung soo An and Asheer Malhotra and Vitor Ventura}, title = {{Lazarus and the tale of three RATs}}, date = {2022-09-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html}, language = {English}, urldate = {2023-01-19} } Lazarus and the tale of three RATs
MagicRAT MimiKatz VSingle YamaBot
2022-09-07BlackberryAnuj Soni, Ryan Chapman
@online{soni:20220907:curious:80138f0, author = {Anuj Soni and Ryan Chapman}, title = {{The Curious Case of “Monti” Ransomware: A Real-World Doppelganger}}, date = {2022-09-07}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger}, language = {English}, urldate = {2022-09-10} } The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
Conti MimiKatz Veeam Dumper
2022-09-06ESET ResearchThibaut Passilly
@online{passilly:20220906:worok:0c106ac, author = {Thibaut Passilly}, title = {{Worok: The big picture}}, date = {2022-09-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/}, language = {English}, urldate = {2022-09-10} } Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad Worok
2022-09-01Trend MicroTrend Micro
@online{micro:20220901:ransomware:8eda6e4, author = {Trend Micro}, title = {{Ransomware Spotlight Black Basta}}, date = {2022-09-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta}, language = {English}, urldate = {2022-09-19} } Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Research Team, Microsoft 365 Defender Threat Intelligence Team
@online{mstic:20220825:mercury:a02a670, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team and Microsoft 365 Defender Threat Intelligence Team}, title = {{MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations}}, date = {2022-08-25}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations}, language = {English}, urldate = {2022-08-30} } MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
MimiKatz
2022-08-22FortinetShunichi Imano, Fred Gutierrez
@online{imano:20220822:tale:9a74924, author = {Shunichi Imano and Fred Gutierrez}, title = {{A Tale of PivNoxy and Chinoxy Puppeteer}}, date = {2022-08-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis}, language = {English}, urldate = {2022-08-28} } A Tale of PivNoxy and Chinoxy Puppeteer
Chinoxy Poison Ivy
2022-08-18SophosSean Gallagher
@online{gallagher:20220818:cookie:74bd0f5, author = {Sean Gallagher}, title = {{Cookie stealing: the new perimeter bypass}}, date = {2022-08-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass}, language = {English}, urldate = {2022-08-22} } Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT
2022-08-15SentinelOneVikram Navali
@online{navali:20220815:detecting:5abdd3d, author = {Vikram Navali}, title = {{Detecting a Rogue Domain Controller – DCShadow Attack}}, date = {2022-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/}, language = {English}, urldate = {2022-08-18} } Detecting a Rogue Domain Controller – DCShadow Attack
MimiKatz TrickBot
2022-07-31BushidoToken BlogBushidoToken
@online{bushidotoken:20220731:space:636e570, author = {BushidoToken}, title = {{Space Invaders: Cyber Threats That Are Out Of This World}}, date = {2022-07-31}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html}, language = {English}, urldate = {2022-08-02} } Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker
2022-07-27ReversingLabsJoseph Edwards
@online{edwards:20220727:threat:6aaf018, author = {Joseph Edwards}, title = {{Threat analysis: Follina exploit fuels 'live-off-the-land' attacks}}, date = {2022-07-27}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks}, language = {English}, urldate = {2022-08-08} } Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz
2022-07-26MicrosoftMicrosoft 365 Defender Research Team
@online{team:20220726:malicious:ff5f5c0, author = {Microsoft 365 Defender Research Team}, title = {{Malicious IIS extensions quietly open persistent backdoors into servers}}, date = {2022-07-26}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/}, language = {English}, urldate = {2022-07-28} } Malicious IIS extensions quietly open persistent backdoors into servers
CHINACHOPPER MimiKatz
2022-07-26MandiantThibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
@online{berlaere:20220726:mandiant:c1c4498, author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden}, title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}}, date = {2022-07-26}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics}, language = {English}, urldate = {2023-01-19} } Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:alloy:740b049, author = {Unit 42}, title = {{Alloy Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/alloytaurus/}, language = {English}, urldate = {2022-07-25} } Alloy Taurus
GALLIUM
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:shallow:cc9413f, author = {Unit 42}, title = {{Shallow Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/}, language = {English}, urldate = {2022-07-29} } Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK
2022-07-18CensysCensys
@techreport{censys:20220718:russian:dfd4246, author = {Censys}, title = {{Russian Ransomware C2 Network Discovered in Censys Data}}, date = {2022-07-18}, institution = {Censys}, url = {https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf}, language = {English}, urldate = {2022-07-25} } Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:obscure:28a0051, author = {Unit 42}, title = {{Obscure Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/obscureserpens/}, language = {English}, urldate = {2022-07-29} } Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:iron:f7586c5, author = {Unit 42}, title = {{Iron Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/}, language = {English}, urldate = {2022-07-29} } Iron Taurus
CHINACHOPPER Ghost RAT Wonknu ZXShell APT27
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:crawling:d229f20, author = {Unit 42}, title = {{Crawling Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/crawling-taurus/}, language = {English}, urldate = {2022-07-29} } Crawling Taurus
Poison Ivy APT20
2022-06-30KasperskyPierre Delcher
@online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/}, language = {English}, urldate = {2022-07-05} } The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager
2022-06-21Cisco TalosFlavio Costa, Chris Neal, Guilherme Venere
@online{costa:20220621:avos:b60a2ad, author = {Flavio Costa and Chris Neal and Guilherme Venere}, title = {{Avos ransomware group expands with new attack arsenal}}, date = {2022-06-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html}, language = {English}, urldate = {2022-06-22} } Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz
2022-06-20Infinitum ITinfinitum IT
@online{it:20220620:charming:b356ff2, author = {infinitum IT}, title = {{Charming Kitten (APT35)}}, date = {2022-06-20}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/apt-35/}, language = {Turkish}, urldate = {2022-06-22} } Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy
2022-06-15Security JoesCharles Lomboni, Venkat Rajgor, Felipe Duarte
@techreport{lomboni:20220615:backdoor:8d43d9e, author = {Charles Lomboni and Venkat Rajgor and Felipe Duarte}, title = {{Backdoor via XFF: Mysterious Threat Actor Under Radar}}, date = {2022-06-15}, institution = {Security Joes}, url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf}, language = {English}, urldate = {2022-06-16} } Backdoor via XFF: Mysterious Threat Actor Under Radar
CHINACHOPPER
2022-06-03AttackIQJackson Wells, AttackIQ Adversary Research Team
@online{wells:20220603:attack:5e4e9c6, author = {Jackson Wells and AttackIQ Adversary Research Team}, title = {{Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group}}, date = {2022-06-03}, organization = {AttackIQ}, url = {https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/}, language = {English}, urldate = {2022-06-18} } Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz
2022-06-02MandiantMandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-06-01CISACISA, FBI, Department of the Treasury (Treasury), FINCEN
@online{cisa:20220601:alert:f73857d, author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN}, title = {{Alert (AA22-152A): Karakurt Data Extortion Group}}, date = {2022-06-01}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-152a}, language = {English}, urldate = {2022-06-02} } Alert (AA22-152A): Karakurt Data Extortion Group
MimiKatz
2022-06-01ElasticDaniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
@online{stepanic:20220601:cuba:333f7c1, author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease}, title = {{CUBA Ransomware Campaign Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis}, language = {English}, urldate = {2022-06-09} } CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-06-01CISAFBI, CISA, Department of the Treasury (Treasury), FINCEN
@techreport{fbi:20220601:joint:366b0d0, author = {FBI and CISA and Department of the Treasury (Treasury) and FINCEN}, title = {{Joint Cybersecurity Advisory (Product ID AA22-152A): Karakurt Data Extortion Group}}, date = {2022-06-01}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf}, language = {English}, urldate = {2022-06-02} } Joint Cybersecurity Advisory (Product ID AA22-152A): Karakurt Data Extortion Group
MimiKatz
2022-05-17Positive TechnologiesPositive Technologies
@online{technologies:20220517:space:abd655a, author = {Positive Technologies}, title = {{Space Pirates: analyzing the tools and connections of a new hacker group}}, date = {2022-05-17}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/}, language = {English}, urldate = {2022-05-25} } Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-17Trend MicroTrend Micro Research
@online{research:20220517:ransomware:7b86339, author = {Trend Micro Research}, title = {{Ransomware Spotlight: RansomEXX}}, date = {2022-05-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx}, language = {English}, urldate = {2022-05-25} } Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-16JPCERT/CCShusei Tomonaga
@online{tomonaga:20220516:analysis:b1c8089, author = {Shusei Tomonaga}, title = {{Analysis of HUI Loader}}, date = {2022-05-16}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html}, language = {English}, urldate = {2022-05-17} } Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT
2022-05-05Troopers ConferenceBen Jackson, Will Bonner
@online{jackson:20220505:tinker:2cde4e9, author = {Ben Jackson and Will Bonner}, title = {{Tinker Telco Soldier Spy (to be given 2022-06-27)}}, date = {2022-05-05}, organization = {Troopers Conference}, url = {https://troopers.de/troopers22/talks/7cv8pz/}, language = {English}, urldate = {2022-05-06} } Tinker Telco Soldier Spy (to be given 2022-06-27)
BPFDoor GALLIUM
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220427:operation:bdba881, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gambling Puppet}}, date = {2022-04-27}, institution = {Trendmicro}, url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf}, language = {English}, urldate = {2022-07-25} } Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-19VaronisNadav Ovadia
@online{ovadia:20220419:hive:51c5eb7, author = {Nadav Ovadia}, title = {{Hive Ransomware Analysis}}, date = {2022-04-19}, organization = {Varonis}, url = {https://www.varonis.com/blog/hive-ransomware-analysis}, language = {English}, urldate = {2022-04-25} } Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz
2022-04-08Infinitum LabsArda Büyükkaya
@online{bykkaya:20220408:threat:cbbf292, author = {Arda Büyükkaya}, title = {{Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team}}, date = {2022-04-08}, organization = {Infinitum Labs}, url = {https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/}, language = {English}, urldate = {2022-04-08} } Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz
2022-04-07splunkSplunk Threat Research Team
@online{team:20220407:you:2d088bc, author = {Splunk Threat Research Team}, title = {{You Bet Your Lsass: Hunting LSASS Access}}, date = {2022-04-07}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html}, language = {English}, urldate = {2022-05-04} } You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz
2022-04-05SymantecThreat Hunter Team
@online{team:20220405:cicada:67f6b8c, author = {Threat Hunter Team}, title = {{Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity}}, date = {2022-04-05}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks}, language = {English}, urldate = {2022-04-07} } Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity
MimiKatz SodaMaster
2022-03-25DragosConor McLaren, Dragos
@techreport{mclaren:20220325:how:05e2664, author = {Conor McLaren and Dragos}, title = {{How Dragos Activity Groups Obtain Initial Access into Industrial Environments}}, date = {2022-03-25}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf}, language = {English}, urldate = {2022-04-12} } How Dragos Activity Groups Obtain Initial Access into Industrial Environments
MimiKatz
2022-03-09BreachQuestMarco Figueroa, Napoleon Bing, Bernard Silvestrini
@online{figueroa:20220309:conti:d237b64, author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini}, title = {{The Conti Leaks | Insight into a Ransomware Unicorn}}, date = {2022-03-09}, organization = {BreachQuest}, url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/}, language = {English}, urldate = {2022-03-14} } The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot
2022-03VirusTotalVirusTotal
@techreport{virustotal:202203:virustotals:c6af9c1, author = {VirusTotal}, title = {{VirusTotal's 2021 Malware Trends Report}}, date = {2022-03}, institution = {VirusTotal}, url = {https://assets.virustotal.com/reports/2021trends.pdf}, language = {English}, urldate = {2022-04-13} } VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-03SymantecSymantec Threat Hunter Team
@online{team:20220203:antlion:f2f0600, author = {Symantec Threat Hunter Team}, title = {{Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan}}, date = {2022-02-03}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks}, language = {English}, urldate = {2022-02-04} } Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
MimiKatz xPack Antlion
2022-01-27JSAC 2021Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru
@techreport{yanagishita:20220127:what:3c59dc9, author = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru}, title = {{What We Can Do against the Chaotic A41APT Campaign}}, date = {2022-01-27}, institution = {JSAC 2021}, url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf}, language = {English}, urldate = {2022-05-17} } What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster
2021-12-14SymantecThreat Hunter Team
@online{team:20211214:espionage:5b6cf02, author = {Threat Hunter Team}, title = {{Espionage Campaign Targets Telecoms Organizations across Middle East and Asia}}, date = {2021-12-14}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east}, language = {English}, urldate = {2021-12-31} } Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
MimiKatz
2021-12-06PARAFLAREMelanie Ninovic
@online{ninovic:20211206:attack:65a8a15, author = {Melanie Ninovic}, title = {{Attack Lifecycle Detection of an Operational Technology Breach}}, date = {2021-12-06}, organization = {PARAFLARE}, url = {https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/}, language = {English}, urldate = {2022-03-07} } Attack Lifecycle Detection of an Operational Technology Breach
MimiKatz
2021-12-06Notice of PleadingsMicrosoft
@online{microsoft:20211206:complaint:035d577, author = {Microsoft}, title = {{Complaint filed by Microsoft against NICKEL/APT15}}, date = {2021-12-06}, organization = {Notice of Pleadings}, url = {https://noticeofpleadings.com/nickel/#}, language = {English}, urldate = {2021-12-08} } Complaint filed by Microsoft against NICKEL/APT15
MimiKatz
2021-12-06MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
@online{mstic:20211206:nickel:115c365, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{NICKEL targeting government organizations across Latin America and Europe}}, date = {2021-12-06}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/}, language = {English}, urldate = {2021-12-08} } NICKEL targeting government organizations across Latin America and Europe
MimiKatz
2021-11-18MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
@online{mstic:20211118:iranian:911ab04, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{Iranian targeting of IT sector on the rise}}, date = {2021-11-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/}, language = {English}, urldate = {2021-11-19} } Iranian targeting of IT sector on the rise
MimiKatz ShellClient RAT
2021-11-05Twitter (@inversecos)inversecos
@online{inversecos:20211105:ttps:2b9481e, author = {inversecos}, title = {{TTPs used by Pysa Ransonmware group}}, date = {2021-11-05}, organization = {Twitter (@inversecos)}, url = {https://twitter.com/inversecos/status/1456486725664993287}, language = {English}, urldate = {2021-11-08} } TTPs used by Pysa Ransonmware group
Mespinoza MimiKatz
2021-11-03Cisco TalosChetan Raghuprasad, Vanja Svajcer, Caitlin Huey
@online{raghuprasad:20211103:microsoft:2b6de43, author = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey}, title = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}}, date = {2021-11-03}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html}, language = {English}, urldate = {2021-11-03} } Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER
2021-11-01AccentureHeather Larrieu, Curt Wilson, Katrina Hill
@online{larrieu:20211101:diving:a732a35, author = {Heather Larrieu and Curt Wilson and Katrina Hill}, title = {{Diving into double extortion campaigns}}, date = {2021-11-01}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns}, language = {English}, urldate = {2021-11-03} } Diving into double extortion campaigns
Cobalt Strike MimiKatz
2021-10-25CrowdStrikeFalcon OverWatch Team
@online{team:20211025:overwatch:8fd2f9f, author = {Falcon OverWatch Team}, title = {{OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack}}, date = {2021-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/}, language = {English}, urldate = {2021-11-03} } OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack
MimiKatz
2021-10-15Volatility LabsVolatility Labs
@online{labs:20211015:memory:53ea6d8, author = {Volatility Labs}, title = {{Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack}}, date = {2021-10-15}, organization = {Volatility Labs}, url = {https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html}, language = {English}, urldate = {2021-11-17} } Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack
MimiKatz
2021-10-11AccentureAccenture Cyber Threat Intelligence
@online{intelligence:20211011:moving:3b0eaec, author = {Accenture Cyber Threat Intelligence}, title = {{Moving Left of the Ransomware Boom}}, date = {2021-10-11}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom}, language = {English}, urldate = {2021-11-03} } Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-09-24Trend MicroWarren Sto.Tomas
@online{stotomas:20210924:examining:9165fe5, author = {Warren Sto.Tomas}, title = {{Examining the Cring Ransomware Techniques}}, date = {2021-09-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html}, language = {English}, urldate = {2021-09-29} } Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz
2021-09-14McAfeeChristiaan Beek
@online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-09-09SymantecThreat Hunter Team
@online{team:20210909:grayfly:60c5478, author = {Threat Hunter Team}, title = {{Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware}}, date = {2021-09-09}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware}, language = {English}, urldate = {2021-09-10} } Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
CROSSWALK MimiKatz SideWalk
2021-09-03FireEyeAdrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902, author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta}, title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}}, date = {2021-09-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html}, language = {English}, urldate = {2021-09-06} } PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran
2021-08-30QianxinRed Raindrop Team
@online{team:20210830:operation:7b5be26, author = {Red Raindrop Team}, title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}}, date = {2021-08-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/}, language = {Chinese}, urldate = {2021-09-09} } Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz
2021-08-23FBIFBI
@techreport{fbi:20210823:indicators:3308f26, author = {FBI}, title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}}, date = {2021-08-23}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210823.pdf}, language = {English}, urldate = {2021-08-24} } Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-10FireEyeIsrael Research Team, U.S. Threat Intel Team
@online{team:20210810:unc215:dbc483a, author = {Israel Research Team and U.S. Threat Intel Team}, title = {{UNC215: Spotlight on a Chinese Espionage Campaign in Israel}}, date = {2021-08-10}, organization = {FireEye}, url = {https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel}, language = {English}, urldate = {2021-12-06} } UNC215: Spotlight on a Chinese Espionage Campaign in Israel
HyperBro HyperSSL MimiKatz
2021-08-03CybereasonAssaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20210803:deadringer:908e8d5, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}}, date = {2021-08-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos}, language = {English}, urldate = {2021-08-06} } DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae
2021-07-20SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210720:ongoing:1e6dbd0, author = {Counter Threat Unit ResearchTeam}, title = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}}, date = {2021-07-20}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran}, language = {English}, urldate = {2021-07-26} } Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor
2021-06-29AccentureAccenture Security
@online{security:20210629:hades:2d4c606, author = {Accenture Security}, title = {{HADES ransomware operators continue attacks}}, date = {2021-06-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades}, language = {English}, urldate = {2021-07-01} } HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz
2021-06-16Recorded FutureInsikt Group®
@techreport{group:20210616:threat:d585785, author = {Insikt Group®}, title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}}, date = {2021-06-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf}, language = {English}, urldate = {2022-07-29} } Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2021-06-10ESET ResearchAdam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2022-06-08} } BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy
2021-05-18SophosJohn Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
@online{shier:20210518:active:f313ac5, author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie}, title = {{The Active Adversary Playbook 2021}}, date = {2021-05-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153}, language = {English}, urldate = {2021-05-25} } The Active Adversary Playbook 2021
Cobalt Strike MimiKatz
2021-05-13AWAKEKieran Evans
@online{evans:20210513:catching:eaa13e2, author = {Kieran Evans}, title = {{Catching the White Stork in Flight}}, date = {2021-05-13}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/}, language = {English}, urldate = {2021-09-19} } Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-05-07SophosLabs UncutRajesh Nataraj
@online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2022-02-16} } New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-07Cisco TalosCaitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2022-02-16} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2021-05-05SymantecThreat Hunter Team
@online{team:20210505:multifactor:8834ab8, author = {Threat Hunter Team}, title = {{Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques}}, date = {2021-05-05}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks}, language = {English}, urldate = {2021-05-26} } Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
CHINACHOPPER
2021-04-27Trend MicroJanus Agcaoili, Earle Earnshaw
@online{agcaoili:20210427:legitimate:b293526, author = {Janus Agcaoili and Earle Earnshaw}, title = {{Legitimate Tools Weaponized for Ransomware in 2021}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021}, language = {English}, urldate = {2021-05-03} } Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz
2021-04-27Trend MicroJanus Agcaoili
@online{agcaoili:20210427:hello:b3c5de5, author = {Janus Agcaoili}, title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html}, language = {English}, urldate = {2021-04-29} } Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike
2021-04-16Trend MicroNitesh Surana
@online{surana:20210416:could:bb769ca, author = {Nitesh Surana}, title = {{Could the Microsoft Exchange breach be stopped?}}, date = {2021-04-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html}, language = {English}, urldate = {2021-05-11} } Could the Microsoft Exchange breach be stopped?
CHINACHOPPER
2021-04-15Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20210415:actor:8428e3f, author = {Robert Falcone}, title = {{Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials}}, date = {2021-04-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/}, language = {English}, urldate = {2021-04-19} } Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
CHINACHOPPER
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-26ImpervaDaniel Johnston
@online{johnston:20210326:imperva:a78367a, author = {Daniel Johnston}, title = {{Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures}}, date = {2021-03-26}, organization = {Imperva}, url = {https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/}, language = {English}, urldate = {2021-03-30} } Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
CHINACHOPPER
2021-03-25MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210325:analyzing:d9ddef0, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Analyzing attacks taking advantage of the Exchange Server vulnerabilities}}, date = {2021-03-25}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/}, language = {English}, urldate = {2021-03-30} } Analyzing attacks taking advantage of the Exchange Server vulnerabilities
CHINACHOPPER
2021-03-25MicrosoftTom McElroy
@online{mcelroy:20210325:web:38010a7, author = {Tom McElroy}, title = {{Web Shell Threat Hunting with Azure Sentinel}}, date = {2021-03-25}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968}, language = {English}, urldate = {2021-03-30} } Web Shell Threat Hunting with Azure Sentinel
CHINACHOPPER
2021-03-21Twitter (@CyberRaiju)Jai Minton
@online{minton:20210321:twitter:8e65e84, author = {Jai Minton}, title = {{Twitter Thread with analysis of .NET China Chopper}}, date = {2021-03-21}, organization = {Twitter (@CyberRaiju)}, url = {https://twitter.com/CyberRaiju/status/1373582619707867136}, language = {English}, urldate = {2023-09-11} } Twitter Thread with analysis of .NET China Chopper
CHINACHOPPER
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-19Bundesamt für Sicherheit in der InformationstechnikCERT-Bund
@techreport{certbund:20210319:microsoft:beb2409, author = {CERT-Bund}, title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}}, date = {2021-03-19}, institution = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf}, language = {English}, urldate = {2021-03-22} } Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz
2021-03-17Recorded FutureInsikt Group®
@online{group:20210317:chinalinked:65b251b, author = {Insikt Group®}, title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}}, date = {2021-03-17}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/china-linked-ta428-threat-group}, language = {English}, urldate = {2021-03-19} } China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428
2021-03-15TrustwaveJoshua Deacon
@online{deacon:20210315:hafnium:02beddd, author = {Joshua Deacon}, title = {{HAFNIUM, China Chopper and ASP.NET Runtime}}, date = {2021-03-15}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/}, language = {English}, urldate = {2021-03-22} } HAFNIUM, China Chopper and ASP.NET Runtime
CHINACHOPPER
2021-03-11Cyborg SecurityJosh Campbell
@online{campbell:20210311:you:7bd2342, author = {Josh Campbell}, title = {{You Don't Know the HAFNIUM of it...}}, date = {2021-03-11}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/}, language = {English}, urldate = {2021-03-16} } You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat
2021-03-11Palo Alto Networks Unit 42Unit 42
@online{42:20210311:microsoft:c51c694, author = {Unit 42}, title = {{Microsoft Exchange Server Attack Timeline}}, date = {2021-03-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/}, language = {English}, urldate = {2021-03-12} } Microsoft Exchange Server Attack Timeline
CHINACHOPPER
2021-03-11DEVOFran Gomez
@online{gomez:20210311:detection:e16ec1f, author = {Fran Gomez}, title = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}}, date = {2021-03-11}, organization = {DEVO}, url = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/}, language = {English}, urldate = {2021-03-12} } Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz
2021-03-10Lemon's InfoSec RamblingsJosh Lemon
@online{lemon:20210310:microsoft:47b2c67, author = {Josh Lemon}, title = {{Microsoft Exchange & the HAFNIUM Threat Actor}}, date = {2021-03-10}, organization = {Lemon's InfoSec Ramblings}, url = {https://blog.joshlemon.com.au/hafnium-exchange-attacks/}, language = {English}, urldate = {2021-03-11} } Microsoft Exchange & the HAFNIUM Threat Actor
CHINACHOPPER
2021-03-10PICUS SecuritySüleyman Özarslan
@online{zarslan:20210310:tactics:702eb34, author = {Süleyman Özarslan}, title = {{Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers}}, date = {2021-03-10}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers}, language = {English}, urldate = {2021-03-16} } Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers
CHINACHOPPER
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2021-03-10DomainToolsJoe Slowik
@online{slowik:20210310:examining:e3eee78, author = {Joe Slowik}, title = {{Examining Exchange Exploitation and its Lessons for Defenders}}, date = {2021-03-10}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders}, language = {English}, urldate = {2021-03-12} } Examining Exchange Exploitation and its Lessons for Defenders
CHINACHOPPER
2021-03-09PRAETORIANAnthony Weems, Dallas Kaman, Michael Weber
@online{weems:20210309:reproducing:6c6302c, author = {Anthony Weems and Dallas Kaman and Michael Weber}, title = {{Reproducing the Microsoft Exchange Proxylogon Exploit Chain}}, date = {2021-03-09}, organization = {PRAETORIAN}, url = {https://www.praetorian.com/blog/reproducing-proxylogon-exploit/}, language = {English}, urldate = {2021-03-11} } Reproducing the Microsoft Exchange Proxylogon Exploit Chain
CHINACHOPPER
2021-03-09Red CanaryTony Lambert, Brian Donohue, Katie Nickels
@online{lambert:20210309:microsoft:6a37334, author = {Tony Lambert and Brian Donohue and Katie Nickels}, title = {{Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm}}, date = {2021-03-09}, organization = {Red Canary}, url = {https://redcanary.com/blog/microsoft-exchange-attacks}, language = {English}, urldate = {2021-03-11} } Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
CHINACHOPPER
2021-03-09Palo Alto Networks Unit 42Unit 42
@online{42:20210309:remediation:4973903, author = {Unit 42}, title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}}, date = {2021-03-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/}, language = {English}, urldate = {2021-03-11} } Remediation Steps for the Microsoft Exchange Server Vulnerabilities
CHINACHOPPER
2021-03-09YouTube (John Hammond)John Hammond
@online{hammond:20210309:hafnium:dc2de8d, author = {John Hammond}, title = {{HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange}}, date = {2021-03-09}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=rn-6t7OygGk}, language = {English}, urldate = {2021-03-12} } HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
CHINACHOPPER
2021-03-08SymantecThreat Hunter Team
@online{team:20210308:how:752e42e, author = {Threat Hunter Team}, title = {{How Symantec Stops Microsoft Exchange Server Attacks}}, date = {2021-03-08}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection}, language = {English}, urldate = {2021-03-12} } How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz
2021-03-08Palo Alto Networks Unit 42Jeff White
@online{white:20210308:analyzing:9b932a3, author = {Jeff White}, title = {{Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells}}, date = {2021-03-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/china-chopper-webshell/}, language = {English}, urldate = {2021-03-11} } Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
CHINACHOPPER
2021-03-07TRUESECRasmus Grönlund
@online{grnlund:20210307:tracking:2d920fd, author = {Rasmus Grönlund}, title = {{Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM}}, date = {2021-03-07}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/}, language = {English}, urldate = {2021-03-12} } Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
CHINACHOPPER
2021-03-05WiredAndy Greenberg
@online{greenberg:20210305:chinese:119ea98, author = {Andy Greenberg}, title = {{Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims}}, date = {2021-03-05}, organization = {Wired}, url = {https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/}, language = {English}, urldate = {2021-03-06} } Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
CHINACHOPPER
2021-03-05Huntress LabsHuntress Labs
@techreport{labs:20210305:operation:1248e05, author = {Huntress Labs}, title = {{Operation Exchange Marauder}}, date = {2021-03-05}, institution = {Huntress Labs}, url = {https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf}, language = {English}, urldate = {2021-03-06} } Operation Exchange Marauder
CHINACHOPPER
2021-03-04CrowdStrikeThe Falcon Complete Team
@online{team:20210304:falcon:6170749, author = {The Falcon Complete Team}, title = {{Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits}}, date = {2021-03-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits}, language = {English}, urldate = {2021-03-10} } Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits
CHINACHOPPER HAFNIUM
2021-03-04Huntress LabsHuntress Labs
@online{labs:20210304:operation:1187712, author = {Huntress Labs}, title = {{Operation Exchange Marauder}}, date = {2021-03-04}, organization = {Huntress Labs}, url = {https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4}, language = {English}, urldate = {2021-03-06} } Operation Exchange Marauder
CHINACHOPPER
2021-03-04FireEyeMatt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace
@online{bromiley:20210304:detection:3b8c16f, author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace}, title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}}, date = {2021-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html}, language = {English}, urldate = {2021-03-10} } Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
CHINACHOPPER HAFNIUM
2021-03-03MITREMITRE ATT&CK
@online{attck:20210303:hafnium:e35dcb1, author = {MITRE ATT&CK}, title = {{HAFNIUM}}, date = {2021-03-03}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0125/}, language = {English}, urldate = {2022-07-05} } HAFNIUM
CHINACHOPPER HAFNIUM
2021-03-03Huntress LabsHuntress Labs
@online{labs:20210303:mass:a0ef74d, author = {Huntress Labs}, title = {{Mass exploitation of on-prem Exchange servers :(}}, date = {2021-03-03}, organization = {Huntress Labs}, url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers}, language = {English}, urldate = {2021-03-10} } Mass exploitation of on-prem Exchange servers :(
CHINACHOPPER HAFNIUM
2021-03-03Huntress LabsJohn Hammond
@online{hammond:20210303:rapid:7c97ee5, author = {John Hammond}, title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}}, date = {2021-03-03}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers}, language = {English}, urldate = {2021-03-10} } Rapid Response: Mass Exploitation of On-Prem Exchange Servers
CHINACHOPPER HAFNIUM
2021-03-02Rapid7 LabsAndrew Christian
@online{christian:20210302:rapid7s:b676aa4, author = {Andrew Christian}, title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}}, date = {2021-03-02}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day}, language = {English}, urldate = {2021-03-10} } Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
CHINACHOPPER HAFNIUM
2021-03-02VolexityJosh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{grunzweig:20210302:operation:44c264f, author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}}, date = {2021-03-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/}, language = {English}, urldate = {2021-03-07} } Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
CHINACHOPPER HAFNIUM
2021-03-02MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security
@online{mstic:20210302:hafnium:c7d8588, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security}, title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}}, date = {2021-03-02}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers}, language = {English}, urldate = {2021-03-07} } HAFNIUM targeting Exchange Servers with 0-day exploits
CHINACHOPPER HAFNIUM
2021-03-02Twitter (@ESETresearch)ESET Research
@online{research:20210302:exchange:4473faa, author = {ESET Research}, title = {{Tweet on Exchange RCE}}, date = {2021-03-02}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1366862946488451088}, language = {English}, urldate = {2021-03-10} } Tweet on Exchange RCE
CHINACHOPPER HAFNIUM
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-01ESET ResearchIgnacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
2021-01-29Trend MicroTrend Micro
@online{micro:20210129:chopper:6dfb7c6, author = {Trend Micro}, title = {{Chopper ASPX web shell used in targeted attack}}, date = {2021-01-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html}, language = {English}, urldate = {2021-02-02} } Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz
2021-01-26Twitter (@swisscom_csirt)Swisscom CSIRT
@online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz
2021-01-18Bundesamt für VerfassungsschutzBundesamt für Verfassungsschutz
@techreport{verfassungsschutz:20210118:bfv:8f2fc64, author = {Bundesamt für Verfassungsschutz}, title = {{BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31}}, date = {2021-01-18}, institution = {Bundesamt für Verfassungsschutz}, url = {https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf}, language = {German}, urldate = {2021-01-29} } BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31
MimiKatz
2021-01-15SwisscomMarkus Neis
@techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-08Youtube (Virus Bulletin)Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@online{ozawa:20210108:operation:18eec5e, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger TA428
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c0ba914, author = {SecureWorks}, title = {{Threat Profile: GOLD FRANKLIN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-franklin}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2021DomainToolsJoe Slowik
@techreport{slowik:2021:conceptualizing:3cdf067, author = {Joe Slowik}, title = {{Conceptualizing a Continuum of Cyber Threat Attribution}}, date = {2021}, institution = {DomainTools}, url = {https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf}, language = {English}, urldate = {2021-11-02} } Conceptualizing a Continuum of Cyber Threat Attribution
CHINACHOPPER SUNBURST
2021SecureworksSecureWorks
@online{secureworks:2021:threat:d17547d, author = {SecureWorks}, title = {{Threat Profile: GOLD BURLAP}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-burlap}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD BURLAP
Empire Downloader Mespinoza MimiKatz GOLD BURLAP
2020-12-21SlideShare (yurikamuraki5)Yurika Kakiuchi
@online{kakiuchi:20201221:active:6c42aad, author = {Yurika Kakiuchi}, title = {{Active Directory 侵害と推奨対策}}, date = {2020-12-21}, organization = {SlideShare (yurikamuraki5)}, url = {https://www.slideshare.net/yurikamuraki5/active-directory-240348605}, language = {Japanese}, urldate = {2021-02-06} } Active Directory 侵害と推奨対策
MimiKatz
2020-12-15HvS-Consulting AGHvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-12-15HvS-Consulting AGHvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2023-07-10} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN HTTP(S) uploader MimiKatz
2020-12-04ThetaHamish Krebs
@online{krebs:20201204:snakes:7932d5f, author = {Hamish Krebs}, title = {{Snakes & Ladders: the offensive use of Python on Windows}}, date = {2020-12-04}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/}, language = {English}, urldate = {2022-04-29} } Snakes & Ladders: the offensive use of Python on Windows
MimiKatz
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-30YoroiLuigi Martire, Antonio Pirozzi, Luca Mella
@online{martire:20201130:shadows:2ef4813, author = {Luigi Martire and Antonio Pirozzi and Luca Mella}, title = {{Shadows From The Past Threaten Italian Enterprises}}, date = {2020-11-30}, organization = {Yoroi}, url = {https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/}, language = {English}, urldate = {2021-06-16} } Shadows From The Past Threaten Italian Enterprises
Rekoobe LaZagne Responder MimiKatz win.rekoobe
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-10-23F-Secure LabsGuillaume Couchard, Qimin Wang, Thiam Loong Siew
@online{couchard:20201023:catching:5788228, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two}}, date = {2020-10-23}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two}, language = {English}, urldate = {2020-10-26} } Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two
MimiKatz
2020-10-20F-SecureF-Secure Consulting
@techreport{consulting:20201020:incident:275ade2, author = {F-Secure Consulting}, title = {{Incident Readiness: Preparing a proactive response to attacks}}, date = {2020-10-20}, institution = {F-Secure}, url = {https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf}, language = {English}, urldate = {2020-10-23} } Incident Readiness: Preparing a proactive response to attacks
MimiKatz
2020-10-01US-CERTUS-CERT
@online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-30NTT SecurityFumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:04593f6, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30NTT SecurityFumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:1efe218, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2021-01-25} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-17FBIFBI
@techreport{fbi:20200917:fbi:9893ba0, author = {FBI}, title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-1.pdf}, language = {English}, urldate = {2020-09-23} } FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks
MimiKatz Nanocore RAT
2020-09-16RiskIQJon Gross
@online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-09-15US-CERTUS-CERT
@online{uscert:20200915:alert:13d0ab3, author = {US-CERT}, title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}}, date = {2020-09-15}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a}, language = {English}, urldate = {2020-09-16} } Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities
CHINACHOPPER Fox Kitten
2020-09-15US-CERTUS-CERT
@online{uscert:20200915:malware:8345418, author = {US-CERT}, title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}}, date = {2020-09-15}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a}, language = {English}, urldate = {2020-09-16} } Malware Analysis Report (AR20-259A): Iranian Web Shells
CHINACHOPPER
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-28NTTFumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200828:operation:e0feab5, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation Lagtime IT: Colourful Panda Footprint}}, date = {2020-08-28}, institution = {NTT}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2022-07-25} } Operation Lagtime IT: Colourful Panda Footprint
Cotx RAT Poison Ivy TA428
2020-08-19NTT SecurityFumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200819:operation:445be8c, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: Colorful Panda Footprint}}, date = {2020-08-19}, institution = {NTT Security}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2022-07-29} } Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428
2020-08-10ZDNetCatalin Cimpanu
@online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } FBI says an Iranian hacking group is attacking F5 networking devices
MimiKatz
2020-08-06WiredAndy Greenberg
@online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon
2020-07-21Department of JusticeDepartment of Justice
@online{justice:20200721:two:81b000b, author = {Department of Justice}, title = {{Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research}}, date = {2020-07-21}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion}, language = {English}, urldate = {2022-07-25} } Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research
CHINACHOPPER BRONZE SPRING
2020-06-24Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31
2020-06-18Bundesamt für VerfassungsschutzBundesamt für Verfassungsschutz
@techreport{verfassungsschutz:20200618:bfv:52dfe79, author = {Bundesamt für Verfassungsschutz}, title = {{BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne}}, date = {2020-06-18}, institution = {Bundesamt für Verfassungsschutz}, url = {https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf}, language = {German}, urldate = {2020-06-18} } BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne
Ketrican MimiKatz
2020-06-03Trend MicroDaniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-05-28Kaspersky LabsVyacheslav Kopeytsev
@techreport{kopeytsev:20200528:steganography:8f5230a, author = {Vyacheslav Kopeytsev}, title = {{Steganography in targeted attacks on industrial enterprises}}, date = {2020-05-28}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf}, language = {English}, urldate = {2020-05-29} } Steganography in targeted attacks on industrial enterprises
MimiKatz
2020-05-27FBIFBI
@techreport{fbi:20200527:alert:6d31e17, author = {FBI}, title = {{Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity}}, date = {2020-05-27}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210527.pdf}, language = {English}, urldate = {2021-06-04} } Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity
MimiKatz
2020-05-21BitdefenderLiviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon
2020-05-14Avast DecodedLuigino Camastra
@online{camastra:20200514:planted:7b94cc6, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia}, language = {English}, urldate = {2022-07-25} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-07REDTEAM.PLAdam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-04-16Medium CyCraftCyCraft Technology Corp
@online{corp:20200416:taiwan:3029f53, author = {CyCraft Technology Corp}, title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}}, date = {2020-04-16}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730}, language = {English}, urldate = {2020-11-04} } Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Red Charon
2020-03-12Check PointCheck Point Research
@online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-02Virus BulletinAlex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18Cisco TalosVanja Svajcer
@online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-02uf0 BlogMatteo Malvica
@online{malvica:20200202:uncovering:ec2d3da, author = {Matteo Malvica}, title = {{Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD}}, date = {2020-02-02}, organization = {uf0 Blog}, url = {https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/}, language = {English}, urldate = {2020-02-03} } Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD
MimiKatz
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-10Youtube (Azure Thursday)Maarten Goet
@online{goet:20200110:hitchhikers:03fefe9, author = {Maarten Goet}, title = {{A hitchhikers guide to the cybersecurity galaxy}}, date = {2020-01-10}, organization = {Youtube (Azure Thursday)}, url = {https://www.youtube.com/watch?v=fBFm2fiEPTg}, language = {English}, urldate = {2020-06-16} } A hitchhikers guide to the cybersecurity galaxy
GALLIUM
2020-01-09Lab52Jagaimo Kawaii
@online{kawaii:20200109:ta428:2230af2, author = {Jagaimo Kawaii}, title = {{TA428 Group abusing recent conflict between Iran and USA}}, date = {2020-01-09}, organization = {Lab52}, url = {https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/}, language = {English}, urldate = {2021-02-06} } TA428 Group abusing recent conflict between Iran and USA
Poison Ivy
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2020SecureworksSecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26
2020SecureworksSecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:b55f797, author = {SecureWorks}, title = {{BRONZE MAYFAIR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair}, language = {English}, urldate = {2020-05-23} } BRONZE MAYFAIR
HTran pirpi APT3
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020-01FireEyeTom Hall, Mitchell Clarke, Mandiant
@techreport{hall:202001:mandiant:25e38ef, author = {Tom Hall and Mitchell Clarke and Mandiant}, title = {{Mandiant IR Grab Bag of Attacker Activity}}, date = {2020-01}, institution = {FireEye}, url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf}, language = {English}, urldate = {2021-04-16} } Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL
2020SecureworksSecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020SecureworksSecureWorks
@online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2022-06-15} } GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-09-23MITREMITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-08-27Cisco TalosPaul Rascagnères, Vanja Svajcer
@online{rascagnres:20190827:china:2d2bbb8, author = {Paul Rascagnères and Vanja Svajcer}, title = {{China Chopper still active 9 years later}}, date = {2019-08-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html}, language = {English}, urldate = {2019-10-14} } China Chopper still active 9 years later
CHINACHOPPER
2019-08-19FireEyeAlex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
2019-07-23ProofpointMichael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
2019-06-25CybereasonCybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2022-07-01} } OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2019-05-28Palo Alto Networks Unit 42Robert Falcone, Tom Lancaster
@online{falcone:20190528:emissary:dc0f942, author = {Robert Falcone and Tom Lancaster}, title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}}, date = {2019-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/}, language = {English}, urldate = {2021-04-16} } Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER HyperSSL
2019-05-10XPN BlogAdam Chester
@online{chester:20190510:exploring:758b4e8, author = {Adam Chester}, title = {{Exploring Mimikatz - Part 1 - WDigest}}, date = {2019-05-10}, organization = {XPN Blog}, url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/}, language = {English}, urldate = {2020-09-01} } Exploring Mimikatz - Part 1 - WDigest
MimiKatz
2019-04-04CrowdStrikeHarlan Carvey
@online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
MimiKatz
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-02-06Recorded FutureInsikt Group, Rapid7
@techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT APT31 HURRICANE PANDA
2019-01-04Github (gentilkiwi)Benjamin Delpy
@online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } mimikatz Repository
MimiKatz
2019Virus BulletinLion Gu, Bowen Pan
@techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell
2019MITREMITRE ATT&CK
@online{attck:2019:tool:fd89dda, author = {MITRE ATT&CK}, title = {{Tool description: China Chopper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0020/}, language = {English}, urldate = {2019-12-20} } Tool description: China Chopper
CHINACHOPPER
2018-09-21Qihoo 360 TechnologyQihoo 360
@online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment
Poison Ivy
2018-07-25SymantecCritical Attack Discovery and Intelligence Team, Network Protection Security Labs
@online{team:20180725:leafminer:0591f9b, author = {Critical Attack Discovery and Intelligence Team and Network Protection Security Labs}, title = {{Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions}}, date = {2018-07-25}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east}, language = {English}, urldate = {2020-04-21} } Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Imecab MimiKatz Sorgu RASPITE
2018-05-15BSides DetroitKeven Murphy, Stefano Maccaglia
@online{murphy:20180515:ir:ac5b561, author = {Keven Murphy and Stefano Maccaglia}, title = {{IR in Heterogeneous Environment}}, date = {2018-05-15}, organization = {BSides Detroit}, url = {https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment}, language = {English}, urldate = {2020-07-20} } IR in Heterogeneous Environment
Korlia Poison Ivy
2018-03-16FireEyeFireEye
@online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2018-02-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20180215:samsam:bd6d65d, author = {Counter Threat Unit ResearchTeam}, title = {{SamSam Ransomware Campaigns}}, date = {2018-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/samsam-ransomware-campaigns}, language = {English}, urldate = {2021-05-28} } SamSam Ransomware Campaigns
MimiKatz reGeorg SamSam BOSS SPIDER
2017-12-20CrowdStrikeAdam Kozy
@online{kozy:20171220:end:218a388, author = {Adam Kozy}, title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}}, date = {2017-12-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/}, language = {English}, urldate = {2020-05-11} } An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER
2017-12-04RSAJack Wesley Riley
@techreport{riley:20171204:shadows:ae9e436, author = {Jack Wesley Riley}, title = {{The Shadows of Ghosts Inside the response of a unique Carbanak intrusion}}, date = {2017-12-04}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf}, language = {English}, urldate = {2021-09-02} } The Shadows of Ghosts Inside the response of a unique Carbanak intrusion
GOTROJ MimiKatz
2017-11-09WiredAndy Greenberg
@online{greenberg:20171109:he:5442358, author = {Andy Greenberg}, title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}}, date = {2017-11-09}, organization = {Wired}, url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/}, language = {English}, urldate = {2020-01-08} } He Perfected a Password-Hacking Tool—Then the Russians Came Calling
MimiKatz
2017-11-03Github (5loyd)5loyd
@online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } Trochilus
Trochilus RAT
2017-09-15FortinetXiaopeng Zhang
@online{zhang:20170915:deep:5178fe3, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Poison Ivy/PlugX Variant - Part II}}, date = {2017-09-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii}, language = {English}, urldate = {2020-01-10} } Deep Analysis of New Poison Ivy/PlugX Variant - Part II
Poison Ivy
2017-08-31NCC GroupAhmed Zaki
@online{zaki:20170831:analysing:4c77e47, author = {Ahmed Zaki}, title = {{Analysing a recent Poison Ivy sample}}, date = {2017-08-31}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/}, language = {English}, urldate = {2020-01-10} } Analysing a recent Poison Ivy sample
Poison Ivy
2017-08-23FortinetXiaopeng Zhang
@online{zhang:20170823:deep:3d931ad, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Poison Ivy Variant}}, date = {2017-08-23}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant}, language = {English}, urldate = {2020-01-06} } Deep Analysis of New Poison Ivy Variant
Poison Ivy
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:pittytiger:cac6452, author = {MITRE ATT&CK}, title = {{PittyTiger}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0011}, language = {English}, urldate = {2022-08-30} } PittyTiger
Enfal Ghost RAT MimiKatz Poison Ivy APT24
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:sandworm:1a9a446, author = {MITRE ATT&CK}, title = {{Sandworm Team}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034}, language = {English}, urldate = {2022-08-25} } Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
2017-04-03JPCERT/CCShusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123, author = {Shusei Tomonaga}, title = {{RedLeaves - Malware Based on Open Source RAT}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html}, language = {English}, urldate = {2022-06-22} } RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves Trochilus RAT
2017-04PricewaterhouseCoopersPricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2016-11-22Palo Alto Networks Unit 42Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster
@online{ray:20161122:tropic:7f503e7, author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster}, title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}}, date = {2016-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/}, language = {English}, urldate = {2019-12-20} } Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
Poison Ivy
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff
2016-04-26Github (CyberMonitor)Jason Jones
@techreport{jones:20160426:new:78ff145, author = {Jason Jones}, title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}}, date = {2016-04-26}, institution = {Github (CyberMonitor)}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf}, language = {English}, urldate = {2019-12-17} } New Poison Ivy Activity Targeting Myanmar, Asian Countries
Poison Ivy
2016-04-22Palo Alto Networks Unit 42Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn
@online{yates:20160422:new:249e32b, author = {Micah Yates and Mike Scott and Brandon Levene and Jen Miller-Osborn}, title = {{New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists}}, date = {2016-04-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/}, language = {English}, urldate = {2019-12-20} } New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Poison Ivy
2016-03-30SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20160330:ransomware:d1b6fe3, author = {Counter Threat Unit ResearchTeam}, title = {{Ransomware Deployed by Adversary with Established Foothold}}, date = {2016-03-30}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ransomware-deployed-by-adversary}, language = {English}, urldate = {2021-05-28} } Ransomware Deployed by Adversary with Established Foothold
MimiKatz reGeorg SamSam BOSS SPIDER
2015-08Arbor NetworksASERT Team
@online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-09-19Palo Alto Networks Unit 42Jen Miller-Osborn, Ryan Olson
@online{millerosborn:20140919:recent:edf1ed3, author = {Jen Miller-Osborn and Ryan Olson}, title = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}}, date = {2014-09-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/}, language = {English}, urldate = {2019-12-20} } Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
Poison Ivy
2014FireEyeFireEye
@techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2021-04-29} } Operation Quantum Entanglement
IsSpace NewCT Poison Ivy SysGet
2013-10-31FireEyeThoufique Haq, Ned Moran
@online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy TEMPER PANDA
2013-08-23FireEyeNart Villeneuve, Thoufique Haq, Ned Moran
@online{villeneuve:20130823:operation:dc4b5d6, author = {Nart Villeneuve and Thoufique Haq and Ned Moran}, title = {{Operation Molerats: Middle East Cyber Attacks Using Poison Ivy}}, date = {2013-08-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html}, language = {English}, urldate = {2019-12-20} } Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Poison Ivy Molerats
2013-08-07FireEyeIan Ahl, Tony Lee, Dennis Hanzlik
@online{ahl:20130807:breaking:aff06e9, author = {Ian Ahl and Tony Lee and Dennis Hanzlik}, title = {{Breaking Down the China Chopper Web Shell - Part I}}, date = {2013-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html}, language = {English}, urldate = {2019-12-20} } Breaking Down the China Chopper Web Shell - Part I
CHINACHOPPER
2013-03-04Trend MicroKyle Wilhoit
@online{wilhoit:20130304:indepth:ebccc8b, author = {Kyle Wilhoit}, title = {{In-Depth Look: APT Attack Tools of the Trade}}, date = {2013-03-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/}, language = {English}, urldate = {2019-07-11} } In-Depth Look: APT Attack Tools of the Trade
HTran
2011-08-03SecureworksJoe Stewart
@online{stewart:20110803:htran:7a67164, author = {Joe Stewart}, title = {{HTran and the Advanced Persistent Threat}}, date = {2011-08-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/htran}, language = {English}, urldate = {2020-01-08} } HTran and the Advanced Persistent Threat
HTran
2011-04-28Gentil Kiwi
@online{kiwi:20110428:un:4c39d1d, author = {Gentil Kiwi}, title = {{Un observateur d’événements aveugle…}}, date = {2011-04-28}, url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle}, language = {English}, urldate = {2020-01-07} } Un observateur d’événements aveugle…
MimiKatz
2011SymantecErica Eng, Gavin O'Gorman
@techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } The Nitro Attacks: Stealing Secrets from the Chemical Industry
Poison Ivy Nitro
2010MandiantEro Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2022-01-28} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus

Credits: MISP Project