This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage
2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Alex Hinchliffe
@online{harbison:20210727:thor:5d6d793,
author = {Mike Harbison and Alex Hinchliffe},
title = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}},
date = {2021-07-27},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/thor-plugx-variant/},
language = {English},
urldate = {2021-07-29}
}
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX |
2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie
@online{botezatu:20210721:luminousmoth:7ed907d,
author = {Bogdan Botezatu and Victor Vrabie},
title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}},
date = {2021-07-21},
organization = {Bitdefender},
url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited},
language = {English},
urldate = {2021-07-26}
}
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX |
2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210602:reddelta:f35268d,
author = {Twitter (@xorhex)},
title = {{RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure}},
date = {2021-06-02},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/reddeltaplugxchangeup/},
language = {English},
urldate = {2021-06-09}
}
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX |
2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex
@online{xorhex:20210602:new:9e10322,
author = {Xorhex},
title = {{Tweet on new variant of PlugX from RedDelta Group}},
date = {2021-06-02},
organization = {Twitter (@xorhex)},
url = {https://twitter.com/xorhex/status/1399906601562165249?s=20},
language = {English},
urldate = {2021-06-09}
}
Tweet on new variant of PlugX from RedDelta Group
PlugX |
2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210527:mustang:d3c664b,
author = {Twitter (@xorhex)},
title = {{Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config}},
date = {2021-05-27},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/mustangpandaplugx-2/},
language = {English},
urldate = {2021-06-21}
}
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX |
2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210517:mustang:c51cc47,
author = {Twitter (@xorhex)},
title = {{Mustang Panda PlugX - 45.251.240.55 Pivot}},
date = {2021-05-17},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/mustangpandaplugx-1/},
language = {English},
urldate = {2021-06-21}
}
Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX |
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4,
author = {Catalin Cimpanu},
title = {{RedEcho group parks domains after public exposure}},
date = {2021-03-29},
organization = {The Record},
url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/},
language = {English},
urldate = {2021-03-31}
}
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho |
2021-03-25 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210325:suspected:5b0078f,
author = {Insikt Group®},
title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}},
date = {2021-03-25},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/},
language = {English},
urldate = {2021-03-30}
}
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX |
2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210317:chinalinked:65b251b,
author = {Insikt Group®},
title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}},
date = {2021-03-17},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/china-linked-ta428-threat-group},
language = {English},
urldate = {2021-03-19}
}
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy |
2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f,
author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare},
title = {{Exchange servers under siege from at least 10 APT groups}},
date = {2021-03-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
language = {English},
urldate = {2021-03-11}
}
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti |
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210228:chinalinked:ce3b62d,
author = {Insikt Group®},
title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/},
language = {English},
urldate = {2021-03-31}
}
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210228:chinalinked:2fb1230,
author = {Insikt Group®},
title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf},
language = {English},
urldate = {2021-03-04}
}
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque
@online{sison:20210120:xdr:8ea19cc,
author = {Gilbert Sison and Abraham Camba and Ryan Maglaque},
title = {{XDR investigation uncovers PlugX, unique technique in APT attack}},
date = {2021-01-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html},
language = {English},
urldate = {2021-01-27}
}
XDR investigation uncovers PlugX, unique technique in APT attack
PlugX |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis
@techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-13 ⋅ AlienVault ⋅ Tom Hegel
@techreport{hegel:20210113:global:72b7b9d,
author = {Tom Hegel},
title = {{A Global Perspective of the SideWinder APT}},
date = {2021-01-13},
institution = {AlienVault},
url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf},
language = {English},
urldate = {2021-01-18}
}
A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
@online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20210104:chinas:9677dc6,
author = {Ionut Ilascu},
title = {{China's APT hackers move to ransomware attacks}},
date = {2021-01-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/},
language = {English},
urldate = {2021-01-11}
}
China's APT hackers move to ransomware attacks
Clambling PlugX |
2021-01-04 ⋅ nao_sec blog ⋅ nao_sec
@online{naosec:20210104:royal:041b9d3,
author = {nao_sec},
title = {{Royal Road! Re:Dive}},
date = {2021-01-04},
organization = {nao_sec blog},
url = {https://nao-sec.org/2021/01/royal-road-redive.html},
language = {English},
urldate = {2021-01-05}
}
Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
@online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
@online{tartare:20201210:operation:0eecfc8,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/},
language = {English},
urldate = {2020-12-10}
}
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger |
2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern
@online{camastra:20201209:targeting:952844f,
author = {Luigino Camastra and Igor Morgenstern},
title = {{APT Group Targeting Governmental Agencies in East Asia}},
date = {2020-12-09},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/},
language = {English},
urldate = {2021-01-27}
}
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger |
2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
@online{team:20201123:ta416:60e8b7e,
author = {Proofpoint Threat Research Team},
title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}},
date = {2020-11-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader},
language = {English},
urldate = {2020-11-25}
}
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX RedDelta |
2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
@online{camba:20201120:weaponizing:e15699d,
author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison},
title = {{Weaponizing Open Source Software for Targeted Attacks}},
date = {2020-11-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html},
language = {English},
urldate = {2020-11-23}
}
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX |
2020-11-12 ⋅ Twitter (@ddash_ct) ⋅ ddash
@online{ddash:20201112:lootwodniw:03198af,
author = {ddash},
title = {{Tweet on Lootwodniw}},
date = {2020-11-12},
organization = {Twitter (@ddash_ct)},
url = {https://twitter.com/ddash_ct/status/1326887125103616000},
language = {English},
urldate = {2020-12-03}
}
Tweet on Lootwodniw
Lootwodniw |
2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos
@online{szappanos:20201104:new:66b8447,
author = {Gabor Szappanos},
title = {{A new APT uses DLL side-loads to “KilllSomeOne”}},
date = {2020-11-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/},
language = {English},
urldate = {2020-11-06}
}
A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad |
2020-09-24 ⋅ CARO ⋅ Mark Lechtik, Giampaolo Dedola
@online{lechtik:20200924:cycldek:8b488b1,
author = {Mark Lechtik and Giampaolo Dedola},
title = {{Cycldek aka Goblin Panda: Chronicles of the Goblin}},
date = {2020-09-24},
organization = {CARO},
url = {https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view},
language = {English},
urldate = {2020-09-25}
}
Cycldek aka Goblin Panda: Chronicles of the Goblin
NewCore RAT USBCulprit |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-16 ⋅ RiskIQ ⋅ Jon Gross
@online{gross:20200916:riskiq:da4b864,
author = {Jon Gross},
title = {{RiskIQ: Adventures in Cookie Land - Part 2}},
date = {2020-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/56fa1b2f},
language = {English},
urldate = {2020-09-23}
}
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy |
2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20200915:back:2c78a6f,
author = {Insikt Group®},
title = {{Back Despite Disruption: RedDelta Resumes Operations}},
date = {2020-09-15},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf},
language = {English},
urldate = {2020-09-16}
}
Back Despite Disruption: RedDelta Resumes Operations
PlugX |
2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20200911:research:edfb074,
author = {ThreatConnect Research Team},
title = {{Research Roundup: Activity on Previously Identified APT33 Domains}},
date = {2020-09-11},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/},
language = {English},
urldate = {2020-09-15}
}
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33 |
2020-08-19 ⋅ RiskIQ ⋅ Jon Gross, Cory Kennedy
@online{gross:20200819:riskiq:94e5ccf,
author = {Jon Gross and Cory Kennedy},
title = {{RiskIQ Adventures in Cookie Land - Part 1}},
date = {2020-08-19},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/5fe2da7f},
language = {English},
urldate = {2020-09-23}
}
RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy |
2020-07-29 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20200729:chinese:1929fcd,
author = {Insikt Group},
title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}},
date = {2020-07-29},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf},
language = {English},
urldate = {2020-07-30}
}
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity
@techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-28 ⋅ NTT ⋅ NTT Security
@online{security:20200728:craftypanda:7643b28,
author = {NTT Security},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX |
2020-07-20 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20200720:study:442ba99,
author = {Dr.Web},
title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}},
date = {2020-07-20},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf},
language = {English},
urldate = {2020-10-02}
}
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird |
2020-07-20 ⋅ or10nlabs ⋅ oR10n
@online{or10n:20200720:reverse:bcb6023,
author = {oR10n},
title = {{Reverse Engineering the New Mustang Panda PlugX Downloader}},
date = {2020-07-20},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the New Mustang Panda PlugX Downloader
PlugX |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
@online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200715:chinese:0ff06bd,
author = {Catalin Cimpanu},
title = {{Chinese state hackers target Hong Kong Catholic Church}},
date = {2020-07-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/},
language = {English},
urldate = {2020-07-30}
}
Chinese state hackers target Hong Kong Catholic Church
PlugX |
2020-07-05 ⋅ or10nlabs ⋅ oR10n
@online{or10n:20200705:reverse:60298dc,
author = {oR10n},
title = {{Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config}},
date = {2020-07-05},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
PlugX |
2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830,
author = {GReAT and Mark Lechtik and Giampaolo Dedola},
title = {{Cycldek: Bridging the (air) gap}},
date = {2020-06-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
language = {English},
urldate = {2020-06-03}
}
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing |
2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii
@online{kawaii:20200602:mustang:2cf125a,
author = {Jagaimo Kawaii},
title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}},
date = {2020-06-02},
organization = {Lab52},
url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/},
language = {English},
urldate = {2020-06-03}
}
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX |
2020-05-24 ⋅ or10nlabs ⋅ oR10n
@online{or10n:20200524:reverse:49c2ad8,
author = {oR10n},
title = {{Reverse Engineering the Mustang Panda PlugX Loader}},
date = {2020-05-24},
organization = {or10nlabs},
url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader},
language = {English},
urldate = {2021-06-24}
}
Reverse Engineering the Mustang Panda PlugX Loader
PlugX |
2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller
@online{miller:20200515:sogu:cc5a1fc,
author = {Steve Miller},
title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}},
date = {2020-05-15},
organization = {Twitter (@stvemillertime)},
url = {https://twitter.com/stvemillertime/status/1261263000960450562},
language = {English},
urldate = {2020-05-18}
}
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX |
2020-05-14 ⋅ Lab52 ⋅ Dex
@online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat
@online{cyberthreat:20200501:chin:3a4fb89,
author = {Cyberthreat},
title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}},
date = {2020-05-01},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/},
language = {Vietnamese},
urldate = {2020-09-09}
}
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX |
2020-03-21 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz
@online{kotowicz:20200321:royal:da8fd16,
author = {Maciej Kotowicz},
title = {{On the Royal Road}},
date = {2020-03-21},
organization = {MalwareLab.pl},
url = {https://blog.malwarelab.pl/posts/on_the_royal_road/},
language = {English},
urldate = {2020-03-24}
}
On the Royal Road
8.t Dropper |
2020-03-20 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
@online{larinier:20200320:new:3da1211,
author = {Sébastien Larinier},
title = {{New version of chinoxy backdoor using COVID19 alerts document lure}},
date = {2020-03-20},
organization = {Medium Sebdraven},
url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746},
language = {English},
urldate = {2020-03-26}
}
New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy |
2020-03-19 ⋅ VinCSS ⋅ m4n0w4r
@online{m4n0w4r:20200319:phn:461fca7,
author = {m4n0w4r},
title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}},
date = {2020-03-19},
organization = {VinCSS},
url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html},
language = {Vietnamese},
urldate = {2020-03-19}
}
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX |
2020-03-12 ⋅ Check Point ⋅ Check Point Research
@online{research:20200312:vicious:3218bb8,
author = {Check Point Research},
title = {{Vicious Panda: The COVID Campaign}},
date = {2020-03-12},
organization = {Check Point},
url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/},
language = {English},
urldate = {2020-03-13}
}
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy |
2020-03-11 ⋅ Virus Bulletin ⋅ Ghareeb Saad, Michael Raggi
@online{saad:20200311:attribution:3efcc0a,
author = {Ghareeb Saad and Michael Raggi},
title = {{Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers}},
date = {2020-03-11},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/},
language = {English},
urldate = {2020-03-13}
}
Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
8.t Dropper |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e,
author = {Theo Chen and Zero Chen},
title = {{CLAMBLING - A New Backdoor Base On Dropbox}},
date = {2020-02-17},
organization = {Talent-Jump Technologies},
url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/},
language = {English},
urldate = {2020-03-30}
}
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX |
2020-02-12 ⋅ MeltX0R Security ⋅ MeltX0R
@online{meltx0r:20200212:goblin:e79762e,
author = {MeltX0R},
title = {{Goblin Panda APT: Recent infrastructure and RAT analysis}},
date = {2020-02-12},
organization = {MeltX0R Security},
url = {https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html},
language = {English},
urldate = {2020-02-25}
}
Goblin Panda APT: Recent infrastructure and RAT analysis
NewCore RAT |
2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard
@online{hamzeloofard:20200131:new:5d058ea,
author = {Shahab Hamzeloofard},
title = {{New wave of PlugX targets Hong Kong}},
date = {2020-01-31},
organization = {Avira},
url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/},
language = {English},
urldate = {2020-02-10}
}
New wave of PlugX targets Hong Kong
PlugX |
2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
@online{naosec:20200129:overhead:ec0aeb5,
author = {nao_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:472aea8,
author = {SecureWorks},
title = {{BRONZE OLIVE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-olive},
language = {English},
urldate = {2020-05-23}
}
BRONZE OLIVE
ANGRYREBEL PlugX APT 22 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:f48e53c,
author = {SecureWorks},
title = {{BRONZE WOODLAND}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland},
language = {English},
urldate = {2020-05-23}
}
BRONZE WOODLAND
PlugX Zeus Roaming Tiger |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:79d8dd2,
author = {SecureWorks},
title = {{BRONZE OVERBROOK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook},
language = {English},
urldate = {2020-05-23}
}
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK |
2020-01 ⋅ Dragos ⋅ Joe Slowik
@techreport{slowik:202001:threat:d891011,
author = {Joe Slowik},
title = {{Threat Intelligence and the Limits of Malware Analysis}},
date = {2020-01},
institution = {Dragos},
url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf},
language = {English},
urldate = {2020-06-10}
}
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
2019-12-29 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20191229:bronze:bda6bfc,
author = {CTU Research Team},
title = {{BRONZE PRESIDENT Targets NGOs}},
date = {2019-12-29},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-president-targets-ngos},
language = {English},
urldate = {2020-01-10}
}
BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT |
2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler
@online{cutler:20191116:fresh:871567d,
author = {Silas Cutler},
title = {{Fresh PlugX October 2019}},
date = {2019-11-16},
organization = {Silas Cutler's Blog},
url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html},
language = {English},
urldate = {2020-01-07}
}
Fresh PlugX October 2019
PlugX |
2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
@online{tomonaga:20191111:cases:ac5f1b3,
author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi},
title = {{APT cases exploiting vulnerabilities in region‑specific software}},
date = {2019-11-11},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/},
language = {English},
urldate = {2020-05-13}
}
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX |
2019-10-31 ⋅ PTSecurity ⋅ PTSecurity
@online{ptsecurity:20191031:calypso:adaf761,
author = {PTSecurity},
title = {{Calypso APT: new group attacking state institutions}},
date = {2019-10-31},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/},
language = {English},
urldate = {2020-01-12}
}
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX |
2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe
@online{hinchliffe:20191003:pkplug:4a43ea5,
author = {Alex Hinchliffe},
title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}},
date = {2019-10-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/},
language = {English},
urldate = {2020-01-07}
}
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX |
2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
@online{research:20190922:rancor:e834f67,
author = {Check Point Research},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike |
2019-07-23 ⋅ Proofpoint ⋅ Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c,
author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team},
title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}},
date = {2019-07-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology},
language = {English},
urldate = {2021-02-06}
}
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428 |
2019-06-03 ⋅ FireEye ⋅ Chi-en Shen
@online{shen:20190603:into:d40fee9,
author = {Chi-en Shen},
title = {{Into the Fog - The Return of ICEFOG APT}},
date = {2019-06-03},
organization = {FireEye},
url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt},
language = {English},
urldate = {2020-06-30}
}
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust |
2019-05-24 ⋅ Fortinet ⋅ Ben Hunter
@online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-},
language = {English},
urldate = {2020-11-04}
}
Uncovering new Activity by APT10
PlugX Quasar RAT |
2019-05-02 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
@online{larinier:20190502:goblin:a0118b4,
author = {Sébastien Larinier},
title = {{Goblin Panda continues to target Vietnam}},
date = {2019-05-02},
organization = {Medium Sebdraven},
url = {https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6},
language = {English},
urldate = {2019-10-23}
}
Goblin Panda continues to target Vietnam
NewCore RAT |
2019-04-11 ⋅ FireEye ⋅ FireEye
@online{fireeye:20190411:mtrend:597b240,
author = {FireEye},
title = {{M-Trend 2019}},
date = {2019-04-11},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019},
language = {English},
urldate = {2020-01-10}
}
M-Trend 2019
GRILLMARK |
2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team
@online{team:20190319:sectorm04:6c6ea37,
author = {ThreatRecon Team},
title = {{SectorM04 Targeting Singapore – An Analysis}},
date = {2019-03-19},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/},
language = {English},
urldate = {2020-01-07}
}
SectorM04 Targeting Singapore – An Analysis
PlugX Termite |
2019-01-03 ⋅ m4n0w4r
@online{m4n0w4r:20190103:another:2f48120,
author = {m4n0w4r},
title = {{Another malicious document with CVE-2017–11882}},
date = {2019-01-03},
url = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f},
language = {Vietnamese},
urldate = {2020-03-11}
}
Another malicious document with CVE-2017–11882
8.t Dropper |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:2019:hellsing:44d21df,
author = {Cyber Operations Tracker},
title = {{Hellsing}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/hellsing},
language = {English},
urldate = {2019-12-20}
}
Hellsing
Hellsing |
2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD
@techreport{asd:20181214:investigationreport:6eda856,
author = {ASD},
title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}},
date = {2018-12-14},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf},
language = {English},
urldate = {2020-03-11}
}
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves |
2018-11-03 ⋅ m4n0w4r
@online{m4n0w4r:20181103:l:d496fbd,
author = {m4n0w4r},
title = {{Là 1937CN hay OceanLotus hay Lazarus …}},
date = {2018-11-03},
url = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241},
language = {Vietnamese},
urldate = {2020-03-11}
}
Là 1937CN hay OceanLotus hay Lazarus …
8.t Dropper |
2018-11-01 ⋅ Fortinet ⋅ FortiGuard SE Team
@online{team:20181101:cta:d0c6bde,
author = {FortiGuard SE Team},
title = {{CTA Adversary Playbook: Goblin Panda}},
date = {2018-11-01},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html},
language = {English},
urldate = {2020-01-08}
}
CTA Adversary Playbook: Goblin Panda
Hellsing |
2018-08-29 ⋅ CrowdStrike ⋅ Adam Meyers
@online{meyers:20180829:meet:ceb250f,
author = {Adam Meyers},
title = {{Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA}},
date = {2018-08-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/},
language = {English},
urldate = {2019-12-20}
}
Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA
Hellsing |
2018-08-02 ⋅ Sébastien Larinier
@online{larinier:20180802:goblin:0aa8168,
author = {Sébastien Larinier},
title = {{Goblin Panda against the Bears}},
date = {2018-08-02},
url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4},
language = {English},
urldate = {2019-07-11}
}
Goblin Panda against the Bears
Sisfader |
2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
@online{larinier:20180731:malicious:571d2df,
author = {Sébastien Larinier},
title = {{Malicious document targets Vietnamese officials}},
date = {2018-07-31},
organization = {Medium Sebdraven},
url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?},
language = {English},
urldate = {2020-03-04}
}
Malicious document targets Vietnamese officials
8.t Dropper |
2018-06-12 ⋅ NCC Group ⋅ Ben Humphrey
@online{humphrey:20180612:cve20178570:4d94250,
author = {Ben Humphrey},
title = {{CVE-2017-8570 RTF and the Sisfader RAT}},
date = {2018-06-12},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/},
language = {English},
urldate = {2020-01-07}
}
CVE-2017-8570 RTF and the Sisfader RAT
Sisfader |
2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180509:malware:3ee8ecf,
author = {Luis Rocha},
title = {{Malware Analysis - PlugX - Part 2}},
date = {2018-05-09},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/},
language = {English},
urldate = {2020-01-05}
}
Malware Analysis - PlugX - Part 2
PlugX |
2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
@online{makrushin:20180313:time:7171143,
author = {Denis Makrushin and Yury Namestnikov},
title = {{Time of death? A therapeutic postmortem of connected medicine}},
date = {2018-03-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/time-of-death-connected-medicine/84315/},
language = {English},
urldate = {2019-12-20}
}
Time of death? A therapeutic postmortem of connected medicine
PlugX |
2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180204:malware:ea0aede,
author = {Luis Rocha},
title = {{MALWARE ANALYSIS – PLUGX}},
date = {2018-02-04},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/},
language = {English},
urldate = {2020-01-07}
}
MALWARE ANALYSIS – PLUGX
PlugX |
2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20171218:relationship:fb13bae,
author = {Yoshihiro Ishikawa},
title = {{Relationship between PlugX and attacker group "DragonOK"}},
date = {2017-12-18},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html},
language = {Japanese},
urldate = {2019-11-22}
}
Relationship between PlugX and attacker group "DragonOK"
PlugX |
2017-09-05 ⋅ Fortinet ⋅ Jasper Manuel, Artem Semenchenko
@online{manuel:20170905:rehashed:c3d5a4c,
author = {Jasper Manuel and Artem Semenchenko},
title = {{Rehashed RAT Used in APT Campaign Against Vietnamese Organizations}},
date = {2017-09-05},
organization = {Fortinet},
url = {https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations},
language = {English},
urldate = {2019-10-23}
}
Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
NewCore RAT |
2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
@online{lancaster:20170627:paranoid:f933eb4,
author = {Tom Lancaster and Esmid Idrizovic},
title = {{Paranoid PlugX}},
date = {2017-06-27},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/},
language = {English},
urldate = {2019-12-20}
}
Paranoid PlugX
PlugX |
2017-04-27 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20170427:alert:fdb865d,
author = {US-CERT},
title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}},
date = {2017-04-27},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA17-117A},
language = {English},
urldate = {2020-03-11}
}
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves |
2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123,
author = {Shusei Tomonaga},
title = {{RedLeaves - Malware Based on Open Source RAT}},
date = {2017-04-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html},
language = {English},
urldate = {2021-02-04}
}
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170221:plugx:f9e4817,
author = {Shusei Tomonaga},
title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}},
date = {2017-02-21},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html},
language = {English},
urldate = {2020-01-13}
}
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX |
2017-02-13 ⋅ RSA ⋅ RSA Research
@techreport{research:20170213:kingslayer:98f4892,
author = {RSA Research},
title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}},
date = {2017-02-13},
institution = {RSA},
url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf},
language = {English},
urldate = {2020-01-08}
}
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX |
2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20160825:unpacking:66173f5,
author = {Malwarebytes Labs},
title = {{Unpacking the spyware disguised as antivirus}},
date = {2016-08-25},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/},
language = {English},
urldate = {2019-12-20}
}
Unpacking the spyware disguised as antivirus
PlugX |
2016-06-13 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20160613:survey:c78b147,
author = {Macnica Networks},
title = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}},
date = {2016-06-13},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/security_report_20160613.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX |
2016-01-22 ⋅ RSA Link ⋅ Norton Santos
@online{santos:20160122:plugx:580fcff,
author = {Norton Santos},
title = {{PlugX APT Malware}},
date = {2016-01-22},
organization = {RSA Link},
url = {https://community.rsa.com/thread/185439},
language = {English},
urldate = {2020-01-13}
}
PlugX APT Malware
PlugX |
2015-08 ⋅ Arbor Networks ⋅ ASERT Team
@online{team:201508:uncovering:121e5cf,
author = {ASERT Team},
title = {{Uncovering the Seven Pointed Dagger}},
date = {2015-08},
organization = {Arbor Networks},
url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn},
language = {English},
urldate = {2020-05-18}
}
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27 |
2015-04-15 ⋅ Kaspersky Labs ⋅ Costin Raiu, Maxim Golovkin
@online{raiu:20150415:chronicles:aa4af84,
author = {Costin Raiu and Maxim Golovkin},
title = {{The Chronicles of the Hellsing APT: the Empire Strikes Back}},
date = {2015-04-15},
organization = {Kaspersky Labs},
url = {https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/},
language = {English},
urldate = {2021-02-06}
}
The Chronicles of the Hellsing APT: the Empire Strikes Back
GRILLMARK Naikon |
2015-04-15 ⋅ Kaspersky Labs ⋅ Costin Raiu, Maxim Golovkin
@online{raiu:20150415:chronicles:49b4463,
author = {Costin Raiu and Maxim Golovkin},
title = {{The Chronicles of the Hellsing APT: the Empire Strikes Back}},
date = {2015-04-15},
organization = {Kaspersky Labs},
url = {https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/},
language = {English},
urldate = {2019-12-20}
}
The Chronicles of the Hellsing APT: the Empire Strikes Back
Hellsing |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20150129:analysis:0eaad95,
author = {Shusei Tomonaga},
title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}},
date = {2015-01-29},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html},
language = {English},
urldate = {2020-01-09}
}
Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX |
2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos
@techreport{szappanos:20140627:plugx:e63d8bf,
author = {Gabor Szappanos},
title = {{PlugX - The Next Generation}},
date = {2014-06-27},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf},
language = {English},
urldate = {2020-01-10}
}
PlugX - The Next Generation
PlugX |
2014-06-10 ⋅ FireEye ⋅ Mike Scott
@online{scott:20140610:clandestine:6d515ab,
author = {Mike Scott},
title = {{Clandestine Fox, Part Deux}},
date = {2014-06-10},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html},
language = {English},
urldate = {2019-12-20}
}
Clandestine Fox, Part Deux
PlugX |
2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud
@online{perigaud:20140106:plugx:16410d7,
author = {Fabien Perigaud},
title = {{PlugX: some uncovered points}},
date = {2014-01-06},
organization = {Airbus},
url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html},
language = {English},
urldate = {2020-01-08}
}
PlugX: some uncovered points
PlugX |
2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL
@techreport{circl:20130329:analysis:b3c48b0,
author = {CIRCL},
title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}},
date = {2013-03-29},
institution = {Computer Incident Response Center Luxembourg},
url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf},
language = {English},
urldate = {2019-11-24}
}
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX |
2013-03 ⋅ Contextis ⋅ Kevin O’Reilly
@techreport{oreilly:201303:plugxpayload:d355f49,
author = {Kevin O’Reilly},
title = {{PlugX–Payload Extraction}},
date = {2013-03},
institution = {Contextis},
url = {https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf},
language = {English},
urldate = {2021-06-24}
}
PlugX–Payload Extraction
PlugX |
2012-02-10 ⋅ tracker.h3x.eu ⋅ Malware Corpus Tracker
@online{tracker:20120210:info:d58b5c1,
author = {Malware Corpus Tracker},
title = {{Info for Family: plugx}},
date = {2012-02-10},
organization = {tracker.h3x.eu},
url = {https://tracker.h3x.eu/info/290},
language = {English},
urldate = {2021-06-24}
}
Info for Family: plugx
PlugX |