HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they have gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets' environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
2023-06-16 ⋅ Palo Alto Networks: Cortex Threat Research ⋅ Lior Rochberger @online{rochberger:20230616:through:5ef09b8,
author = {Lior Rochberger},
title = {{Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa}},
date = {2023-06-16},
organization = {Palo Alto Networks: Cortex Threat Research},
url = {https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/},
language = {English},
urldate = {2023-06-22}
}
Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa CHINACHOPPER Ladon Yasso |
2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220929:witchetty:628f1c4,
author = {Threat Hunter Team},
title = {{Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East}},
date = {2022-09-29},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage},
language = {English},
urldate = {2022-09-30}
}
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 |
2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team @online{team:20220726:malicious:ff5f5c0,
author = {Microsoft 365 Defender Research Team},
title = {{Malicious IIS extensions quietly open persistent backdoors into servers}},
date = {2022-07-26},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/},
language = {English},
urldate = {2022-07-28}
}
Malicious IIS extensions quietly open persistent backdoors into servers CHINACHOPPER MimiKatz |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:iron:f7586c5,
author = {Unit 42},
title = {{Iron Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/},
language = {English},
urldate = {2022-07-29}
}
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Venkat Rajgor, Felipe Duarte @techreport{lomboni:20220615:backdoor:8d43d9e,
author = {Charles Lomboni and Venkat Rajgor and Felipe Duarte},
title = {{Backdoor via XFF: Mysterious Threat Actor Under Radar}},
date = {2022-06-15},
institution = {Security Joes},
url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf},
language = {English},
urldate = {2022-06-16}
}
Backdoor via XFF: Mysterious Threat Actor Under Radar CHINACHOPPER |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:46707aa,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2023-07-02}
}
Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru @techreport{yanagishita:20220127:what:3c59dc9,
author = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru},
title = {{What We Can Do against the Chaotic A41APT Campaign}},
date = {2022-01-27},
institution = {JSAC 2021},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf},
language = {English},
urldate = {2022-05-17}
}
What We Can Do against the Chaotic A41APT Campaign CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
2021-11-03 ⋅ Cisco Talos ⋅ Chetan Raghuprasad, Vanja Svajcer, Caitlin Huey @online{raghuprasad:20211103:microsoft:2b6de43,
author = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey},
title = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}},
date = {2021-11-03},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html},
language = {English},
urldate = {2021-11-03}
}
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk Babuk CHINACHOPPER |
2021-10-07 ⋅ Microsoft ⋅ Microsoft @online{microsoft:20211007:microsoft:793e473,
author = {Microsoft},
title = {{Microsoft Digital Defense Report - October 2021}},
date = {2021-10-07},
organization = {Microsoft},
url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi},
language = {English},
urldate = {2021-10-11}
}
Microsoft Digital Defense Report - October 2021 APT15 APT31 APT40 APT5 Earth Lusca HAFNIUM |
2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta @online{hernandez:20210903:pst:a8de902,
author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta},
title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}},
date = {2021-09-03},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html},
language = {English},
urldate = {2021-09-06}
}
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers CHINACHOPPER HTran |
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman @online{dahan:20210803:deadringer:908e8d5,
author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}},
date = {2021-08-03},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos},
language = {English},
urldate = {2021-08-06}
}
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
2021-07-20 ⋅ RNZ @online{rnz:20210720:government:92d39e8,
author = {RNZ},
title = {{Government points finger at China over cyber attacks}},
date = {2021-07-20},
url = {https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks},
language = {English},
urldate = {2021-07-22}
}
Government points finger at China over cyber attacks APT40 HAFNIUM |
2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20210720:ongoing:1e6dbd0,
author = {Counter Threat Unit ResearchTeam},
title = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}},
date = {2021-07-20},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran},
language = {English},
urldate = {2021-07-26}
}
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran CHINACHOPPER MimiKatz RGDoor |
2021-07-19 ⋅ Minister for Foreign Affairs of Australia ⋅ Karen Andrews, Peter Dutton @online{andrews:20210719:australia:8ca5b16,
author = {Karen Andrews and Peter Dutton},
title = {{Australia joins international partners in attribution of malicious cyber activity to China}},
date = {2021-07-19},
organization = {Minister for Foreign Affairs of Australia},
url = {https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china},
language = {English},
urldate = {2021-07-22}
}
Australia joins international partners in attribution of malicious cyber activity to China APT31 APT40 HAFNIUM |
2021-07-19 ⋅ GOV.UK ⋅ NCSC UK, Dominic Raab @online{uk:20210719:uk:9674820,
author = {NCSC UK and Dominic Raab},
title = {{UK and allies hold Chinese state responsible for a pervasive pattern of hacking}},
date = {2021-07-19},
organization = {GOV.UK},
url = {https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking},
language = {English},
urldate = {2021-07-22}
}
UK and allies hold Chinese state responsible for a pervasive pattern of hacking APT31 APT40 HAFNIUM |
2021-06-10 ⋅ ESET Research ⋅ Adam Burgher @online{burgher:20210610:backdoordiplomacy:4ebcb1d,
author = {Adam Burgher},
title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}},
date = {2021-06-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/},
language = {English},
urldate = {2022-06-08}
}
BackdoorDiplomacy: Upgrading from Quarian to Turian CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj @online{nataraj:20210507:new:79ec788,
author = {Rajesh Nataraj},
title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}},
date = {2021-05-07},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728},
language = {English},
urldate = {2022-02-16}
}
New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin @online{huey:20210507:lemon:0d46f81,
author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin},
title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}},
date = {2021-05-07},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html},
language = {English},
urldate = {2022-02-16}
}
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre @online{cruz:20210506:proxylogon:4920ee4,
author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre},
title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}},
date = {2021-05-06},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html},
language = {English},
urldate = {2022-02-17}
}
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei |
2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210505:multifactor:8834ab8,
author = {Threat Hunter Team},
title = {{Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques}},
date = {2021-05-05},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks},
language = {English},
urldate = {2021-05-26}
}
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques CHINACHOPPER |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili @online{agcaoili:20210427:hello:b3c5de5,
author = {Janus Agcaoili},
title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html},
language = {English},
urldate = {2021-04-29}
}
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike |
2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana @online{surana:20210416:could:bb769ca,
author = {Nitesh Surana},
title = {{Could the Microsoft Exchange breach be stopped?}},
date = {2021-04-16},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html},
language = {English},
urldate = {2021-05-11}
}
Could the Microsoft Exchange breach be stopped? CHINACHOPPER |
2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone @online{falcone:20210415:actor:8428e3f,
author = {Robert Falcone},
title = {{Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials}},
date = {2021-04-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/},
language = {English},
urldate = {2021-04-19}
}
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials CHINACHOPPER |
2021-03-26 ⋅ Imperva ⋅ Daniel Johnston @online{johnston:20210326:imperva:a78367a,
author = {Daniel Johnston},
title = {{Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures}},
date = {2021-03-26},
organization = {Imperva},
url = {https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/},
language = {English},
urldate = {2021-03-30}
}
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20210325:analyzing:d9ddef0,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Analyzing attacks taking advantage of the Exchange Server vulnerabilities}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/},
language = {English},
urldate = {2021-03-30}
}
Analyzing attacks taking advantage of the Exchange Server vulnerabilities CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Tom McElroy @online{mcelroy:20210325:web:38010a7,
author = {Tom McElroy},
title = {{Web Shell Threat Hunting with Azure Sentinel}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968},
language = {English},
urldate = {2021-03-30}
}
Web Shell Threat Hunting with Azure Sentinel CHINACHOPPER |
2021-03-21 ⋅ Twitter (@CyberRaiju) ⋅ Jai Minton @online{minton:20210321:twitter:8e65e84,
author = {Jai Minton},
title = {{Twitter Thread with analysis of .NET China Chopper}},
date = {2021-03-21},
organization = {Twitter (@CyberRaiju)},
url = {https://twitter.com/CyberRaiju/status/1373582619707867136},
language = {English},
urldate = {2023-09-11}
}
Twitter Thread with analysis of .NET China Chopper CHINACHOPPER |
2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund @techreport{certbund:20210319:microsoft:beb2409,
author = {CERT-Bund},
title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}},
date = {2021-03-19},
institution = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf},
language = {English},
urldate = {2021-03-22}
}
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) CHINACHOPPER MimiKatz |
2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon @online{deacon:20210315:hafnium:02beddd,
author = {Joshua Deacon},
title = {{HAFNIUM, China Chopper and ASP.NET Runtime}},
date = {2021-03-15},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/},
language = {English},
urldate = {2021-03-22}
}
HAFNIUM, China Chopper and ASP.NET Runtime CHINACHOPPER |
2021-03-14 ⋅ DAILY BEAST ⋅ Matthew Brazil @online{brazil:20210314:how:5fcb8be,
author = {Matthew Brazil},
title = {{How China’s Devastating Microsoft Hack Puts Us All at Risk}},
date = {2021-03-14},
organization = {DAILY BEAST},
url = {https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk},
language = {English},
urldate = {2021-03-31}
}
How China’s Devastating Microsoft Hack Puts Us All at Risk HAFNIUM |
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell @online{campbell:20210311:you:7bd2342,
author = {Josh Campbell},
title = {{You Don't Know the HAFNIUM of it...}},
date = {2021-03-11},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
language = {English},
urldate = {2021-03-16}
}
You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20210311:microsoft:c51c694,
author = {Unit 42},
title = {{Microsoft Exchange Server Attack Timeline}},
date = {2021-03-11},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/},
language = {English},
urldate = {2021-03-12}
}
Microsoft Exchange Server Attack Timeline CHINACHOPPER |
2021-03-11 ⋅ DEVO ⋅ Fran Gomez @online{gomez:20210311:detection:e16ec1f,
author = {Fran Gomez},
title = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}},
date = {2021-03-11},
organization = {DEVO},
url = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/},
language = {English},
urldate = {2021-03-12}
}
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service CHINACHOPPER MimiKatz |
2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon @online{lemon:20210310:microsoft:47b2c67,
author = {Josh Lemon},
title = {{Microsoft Exchange & the HAFNIUM Threat Actor}},
date = {2021-03-10},
organization = {Lemon's InfoSec Ramblings},
url = {https://blog.joshlemon.com.au/hafnium-exchange-attacks/},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange & the HAFNIUM Threat Actor CHINACHOPPER |
2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20210310:tactics:702eb34,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers}},
date = {2021-03-10},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers},
language = {English},
urldate = {2021-03-16}
}
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers CHINACHOPPER |
2021-03-10 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210310:examining:e3eee78,
author = {Joe Slowik},
title = {{Examining Exchange Exploitation and its Lessons for Defenders}},
date = {2021-03-10},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders},
language = {English},
urldate = {2021-03-12}
}
Examining Exchange Exploitation and its Lessons for Defenders CHINACHOPPER |
2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber @online{weems:20210309:reproducing:6c6302c,
author = {Anthony Weems and Dallas Kaman and Michael Weber},
title = {{Reproducing the Microsoft Exchange Proxylogon Exploit Chain}},
date = {2021-03-09},
organization = {PRAETORIAN},
url = {https://www.praetorian.com/blog/reproducing-proxylogon-exploit/},
language = {English},
urldate = {2021-03-11}
}
Reproducing the Microsoft Exchange Proxylogon Exploit Chain CHINACHOPPER |
2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels @online{lambert:20210309:microsoft:6a37334,
author = {Tony Lambert and Brian Donohue and Katie Nickels},
title = {{Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm}},
date = {2021-03-09},
organization = {Red Canary},
url = {https://redcanary.com/blog/microsoft-exchange-attacks},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm CHINACHOPPER |
2021-03-09 ⋅ Microsoft ⋅ MSRC Team @online{team:20210309:microsoft:3e03bbf,
author = {MSRC Team},
title = {{Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021}},
date = {2021-03-09},
organization = {Microsoft},
url = {https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021},
language = {English},
urldate = {2021-03-10}
}
Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 HAFNIUM |
2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20210309:remediation:4973903,
author = {Unit 42},
title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}},
date = {2021-03-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/},
language = {English},
urldate = {2021-03-11}
}
Remediation Steps for the Microsoft Exchange Server Vulnerabilities CHINACHOPPER |
2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond @online{hammond:20210309:hafnium:dc2de8d,
author = {John Hammond},
title = {{HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange}},
date = {2021-03-09},
organization = {YouTube (John Hammond)},
url = {https://www.youtube.com/watch?v=rn-6t7OygGk},
language = {English},
urldate = {2021-03-12}
}
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange CHINACHOPPER |
2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210308:how:752e42e,
author = {Threat Hunter Team},
title = {{How Symantec Stops Microsoft Exchange Server Attacks}},
date = {2021-03-08},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection},
language = {English},
urldate = {2021-03-12}
}
How Symantec Stops Microsoft Exchange Server Attacks CHINACHOPPER MimiKatz |
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White @online{white:20210308:analyzing:9b932a3,
author = {Jeff White},
title = {{Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells}},
date = {2021-03-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/china-chopper-webshell/},
language = {English},
urldate = {2021-03-11}
}
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells CHINACHOPPER |
2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund @online{grnlund:20210307:tracking:2d920fd,
author = {Rasmus Grönlund},
title = {{Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM}},
date = {2021-03-07},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/},
language = {English},
urldate = {2021-03-12}
}
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM CHINACHOPPER |
2021-03-06 ⋅ Nextron Systems ⋅ THOR Lite @online{lite:20210306:scan:f7b0dbe,
author = {THOR Lite},
title = {{Scan for HAFNIUM Exploitation Evidence with THOR Lite}},
date = {2021-03-06},
organization = {Nextron Systems},
url = {https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite},
language = {English},
urldate = {2021-03-10}
}
Scan for HAFNIUM Exploitation Evidence with THOR Lite HAFNIUM |
2021-03-06 ⋅ Github (microsoft) ⋅ Microsoft @online{microsoft:20210306:security:7dca242,
author = {Microsoft},
title = {{Security scripts}},
date = {2021-03-06},
organization = {Github (microsoft)},
url = {https://github.com/microsoft/CSS-Exchange/tree/main/Security},
language = {English},
urldate = {2021-03-10}
}
Security scripts HAFNIUM |
2021-03-05 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20210305:chinese:119ea98,
author = {Andy Greenberg},
title = {{Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims}},
date = {2021-03-05},
organization = {Wired},
url = {https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/},
language = {English},
urldate = {2021-03-06}
}
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims CHINACHOPPER |
2021-03-05 ⋅ Pastebin (MALWAREQUINN) ⋅ MalwareQuinn @online{malwarequinn:20210305:hafnium:b517725,
author = {MalwareQuinn},
title = {{Hafnium Exchange Vuln Detection - KQL}},
date = {2021-03-05},
organization = {Pastebin (MALWAREQUINN)},
url = {https://pastebin.com/J4L3r2RS},
language = {English},
urldate = {2021-03-10}
}
Hafnium Exchange Vuln Detection - KQL HAFNIUM |
2021-03-05 ⋅ Microsoft ⋅ Louie Mayor @online{mayor:20210305:exchange:632ca07,
author = {Louie Mayor},
title = {{Exchange Server IIS dropping web shells and other artifacts}},
date = {2021-03-05},
organization = {Microsoft},
url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md},
language = {English},
urldate = {2021-03-10}
}
Exchange Server IIS dropping web shells and other artifacts HAFNIUM |
2021-03-05 ⋅ Github (cert-lv) ⋅ Andrew Konst @online{konst:20210305:detect:a6abfa6,
author = {Andrew Konst},
title = {{Detect webshells dropped on Microsoft Exchange servers after 0day compromises}},
date = {2021-03-05},
organization = {Github (cert-lv)},
url = {https://github.com/cert-lv/exchange_webshell_detection},
language = {English},
urldate = {2021-03-10}
}
Detect webshells dropped on Microsoft Exchange servers after 0day compromises HAFNIUM |
2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs @techreport{labs:20210305:operation:1248e05,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-05},
institution = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder CHINACHOPPER |
2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team @online{team:20210304:falcon:6170749,
author = {The Falcon Complete Team},
title = {{Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits}},
date = {2021-03-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits},
language = {English},
urldate = {2021-03-10}
}
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits CHINACHOPPER HAFNIUM |
2021-03-04 ⋅ Elastic ⋅ Devon Kerr @online{kerr:20210304:detection:eb05792,
author = {Devon Kerr},
title = {{Detection and Response for HAFNIUM Activity}},
date = {2021-03-04},
organization = {Elastic},
url = {https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289},
language = {English},
urldate = {2021-03-10}
}
Detection and Response for HAFNIUM Activity HAFNIUM |
2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs @online{labs:20210304:operation:1187712,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-04},
organization = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder CHINACHOPPER |
2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace @online{bromiley:20210304:detection:3b8c16f,
author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace},
title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}},
date = {2021-03-04},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html},
language = {English},
urldate = {2021-03-10}
}
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20210303:hafnium:e35dcb1,
author = {MITRE ATT&CK},
title = {{HAFNIUM}},
date = {2021-03-03},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0125/},
language = {English},
urldate = {2022-07-05}
}
HAFNIUM CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs @online{labs:20210303:mass:a0ef74d,
author = {Huntress Labs},
title = {{Mass exploitation of on-prem Exchange servers :(}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers},
language = {English},
urldate = {2021-03-10}
}
Mass exploitation of on-prem Exchange servers :( CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ splunk ⋅ Ryan Kovar @online{kovar:20210303:detecting:f8ba84c,
author = {Ryan Kovar},
title = {{Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk}},
date = {2021-03-03},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html},
language = {English},
urldate = {2021-03-10}
}
Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ John Hammond @online{hammond:20210303:rapid:7c97ee5,
author = {John Hammond},
title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers},
language = {English},
urldate = {2021-03-10}
}
Rapid Response: Mass Exploitation of On-Prem Exchange Servers CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ CISA ⋅ CISA @online{cisa:20210303:alert:c05160a,
author = {CISA},
title = {{Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities}},
date = {2021-03-03},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-062a},
language = {English},
urldate = {2021-03-10}
}
Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities HAFNIUM |
2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian @online{christian:20210302:rapid7s:b676aa4,
author = {Andrew Christian},
title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}},
date = {2021-03-02},
organization = {Rapid7 Labs},
url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day},
language = {English},
urldate = {2021-03-10}
}
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster @online{grunzweig:20210302:operation:44c264f,
author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}},
date = {2021-03-02},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/},
language = {English},
urldate = {2021-03-07}
}
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security @online{mstic:20210302:hafnium:c7d8588,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security},
title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}},
date = {2021-03-02},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers},
language = {English},
urldate = {2021-03-07}
}
HAFNIUM targeting Exchange Servers with 0-day exploits CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Microsoft ⋅ MSRC Team @online{team:20210302:multiple:d62f8de,
author = {MSRC Team},
title = {{Multiple Security Updates Released for Exchange Server – updated March 8, 2021}},
date = {2021-03-02},
organization = {Microsoft},
url = {https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server},
language = {English},
urldate = {2021-03-10}
}
Multiple Security Updates Released for Exchange Server – updated March 8, 2021 HAFNIUM |
2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research @online{research:20210302:exchange:4473faa,
author = {ESET Research},
title = {{Tweet on Exchange RCE}},
date = {2021-03-02},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1366862946488451088},
language = {English},
urldate = {2021-03-10}
}
Tweet on Exchange RCE CHINACHOPPER HAFNIUM |
2021-01-29 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210129:chopper:6dfb7c6,
author = {Trend Micro},
title = {{Chopper ASPX web shell used in targeted attack}},
date = {2021-01-29},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html},
language = {English},
urldate = {2021-02-02}
}
Chopper ASPX web shell used in targeted attack CHINACHOPPER MimiKatz |
2021 ⋅ DomainTools ⋅ Joe Slowik @techreport{slowik:2021:conceptualizing:3cdf067,
author = {Joe Slowik},
title = {{Conceptualizing a Continuum of Cyber Threat Attribution}},
date = {2021},
institution = {DomainTools},
url = {https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf},
language = {English},
urldate = {2021-11-02}
}
Conceptualizing a Continuum of Cyber Threat Attribution CHINACHOPPER SUNBURST |
2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov @online{goydenko:20201127:investigation:7d12cee,
author = {Denis Goydenko and Alexey Vishnyakov},
title = {{Investigation with a twist: an accidental APT attack and averted data destruction}},
date = {2020-11-27},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/},
language = {English},
urldate = {2020-12-01}
}
Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:alert:13d0ab3,
author = {US-CERT},
title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a},
language = {English},
urldate = {2020-09-16}
}
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER Fox Kitten |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:malware:8345418,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a},
language = {English},
urldate = {2020-09-16}
}
Malware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER |
2020-07-21 ⋅ Department of Justice ⋅ Department of Justice @online{justice:20200721:two:81b000b,
author = {Department of Justice},
title = {{Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research}},
date = {2020-07-21},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion},
language = {English},
urldate = {2022-07-25}
}
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research CHINACHOPPER BRONZE SPRING |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 |
2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant @techreport{hall:202001:mandiant:25e38ef,
author = {Tom Hall and Mitchell Clarke and Mandiant},
title = {{Mandiant IR Grab Bag of Attacker Activity}},
date = {2020-01},
institution = {FireEye},
url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf},
language = {English},
urldate = {2021-04-16}
}
Mandiant IR Grab Bag of Attacker Activity TwoFace CHINACHOPPER HyperBro HyperSSL |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center @online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer @online{rascagnres:20190827:china:2d2bbb8,
author = {Paul Rascagnères and Vanja Svajcer},
title = {{China Chopper still active 9 years later}},
date = {2019-08-27},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html},
language = {English},
urldate = {2019-10-14}
}
China Chopper still active 9 years later CHINACHOPPER |
2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley @online{pennino:20190819:game:b6ef5a0,
author = {Alex Pennino and Matt Bromiley},
title = {{GAME OVER: Detecting and Stopping an APT41 Operation}},
date = {2019-08-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html},
language = {English},
urldate = {2020-01-06}
}
GAME OVER: Detecting and Stopping an APT41 Operation ACEHASH CHINACHOPPER HIGHNOON |
2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20190625:operation:21efa8f,
author = {Cybereason Nocturnus},
title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}},
date = {2019-06-25},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers},
language = {English},
urldate = {2022-07-01}
}
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster @online{falcone:20190528:emissary:dc0f942,
author = {Robert Falcone and Tom Lancaster},
title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}},
date = {2019-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/},
language = {English},
urldate = {2021-04-16}
}
Emissary Panda Attacks Middle East Government Sharepoint Servers CHINACHOPPER HyperSSL |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:fd89dda,
author = {MITRE ATT&CK},
title = {{Tool description: China Chopper}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0020/},
language = {English},
urldate = {2019-12-20}
}
Tool description: China Chopper CHINACHOPPER |
2018-03-16 ⋅ FireEye ⋅ FireEye @online{fireeye:20180316:suspected:2a77316,
author = {FireEye},
title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}},
date = {2018-03-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html},
language = {English},
urldate = {2019-12-20}
}
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40 |
2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy @online{kozy:20171220:end:218a388,
author = {Adam Kozy},
title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}},
date = {2017-12-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/},
language = {English},
urldate = {2020-05-11}
}
An End to “Smash-and-Grab” and a Move to More Targeted Approaches CHINACHOPPER |
2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik @online{ahl:20130807:breaking:aff06e9,
author = {Ian Ahl and Tony Lee and Dennis Hanzlik},
title = {{Breaking Down the China Chopper Web Shell - Part I}},
date = {2013-08-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html},
language = {English},
urldate = {2019-12-20}
}
Breaking Down the China Chopper Web Shell - Part I CHINACHOPPER |