Hellsing  (Back to overview)

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage

---

Associated Families

---

References

2023-05-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20230515:lancefly:49fd53e, author = {Threat Hunter Team}, title = {{Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors}}, date = {2023-05-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor}, language = {English}, urldate = {2023-05-26} } Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors PlugX ShadowPad ZXShell

2023-05-03 ⋅ Lab52 ⋅ Lab52 @online{lab52:20230503:new:1056613, author = {Lab52}, title = {{New Mustang Panda’s campaing against Australia}}, date = {2023-05-03}, organization = {Lab52}, url = {https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/}, language = {English}, urldate = {2023-05-08} } New Mustang Panda’s campaing against Australia PlugX

2023-04-18 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023 QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-04-05 ⋅ Medium Ilandu ⋅ Ilan Duhin @online{duhin:20230405:portdoor:e39d907, author = {Ilan Duhin}, title = {{PortDoor - APT Backdoor analysis}}, date = {2023-04-05}, organization = {Medium Ilandu}, url = {https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba}, language = {English}, urldate = {2023-04-06} } PortDoor - APT Backdoor analysis ACBackdoor 8.t Dropper PortDoor

2023-03-09 ⋅ Sophos ⋅ Gabor Szappanos @online{szappanos:20230309:borderhopping:5220748, author = {Gabor Szappanos}, title = {{A border-hopping PlugX USB worm takes its act on the road}}, date = {2023-03-09}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/}, language = {English}, urldate = {2023-03-22} } A border-hopping PlugX USB worm takes its act on the road PlugX

2023-03-09 ⋅ ASEC ⋅ Sanseo @online{sanseo:20230309:plugx:4683b0e, author = {Sanseo}, title = {{PlugX Malware Being Distributed via Vulnerability Exploitation}}, date = {2023-03-09}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/49097/}, language = {English}, urldate = {2023-03-17} } PlugX Malware Being Distributed via Vulnerability Exploitation PlugX

2023-03-07 ⋅ Check Point Research ⋅ Check Point Research @online{research:20230307:pandas:2e3c757, author = {Check Point Research}, title = {{Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities}}, date = {2023-03-07}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/}, language = {English}, urldate = {2023-03-13} } Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities 8.t Dropper Soul Unidentified 089 (Downloader)

2023-02-24 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama, Catherine Loveria @online{tancio:20230224:investigating:94d8b43, author = {Buddy Tancio and Jed Valderama and Catherine Loveria}, title = {{Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool}}, date = {2023-02-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html}, language = {English}, urldate = {2023-03-22} } Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool PlugX

2023-02-07 ⋅ MalGamy ⋅ MalGamy @online{malgamy:20230207:approach:ef67110, author = {MalGamy}, title = {{The Approach of TA413 for Tibetan Targets}}, date = {2023-02-07}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage}, language = {English}, urldate = {2023-02-09} } The Approach of TA413 for Tibetan Targets 8.t Dropper LOWZERO

2023-02-02 ⋅ EclecticIQ ⋅ EclecticIQ Threat Research Team @online{team:20230202:mustang:cac147b, author = {EclecticIQ Threat Research Team}, title = {{Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware}}, date = {2023-02-02}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware}, language = {English}, urldate = {2023-02-06} } Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware PlugX

2023-01-26 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Jen Miller-Osborn @online{harbison:20230126:chinese:a83622f, author = {Mike Harbison and Jen Miller-Osborn}, title = {{Chinese PlugX Malware Hidden in Your USB Devices?}}, date = {2023-01-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/}, language = {English}, urldate = {2023-01-27} } Chinese PlugX Malware Hidden in Your USB Devices? PlugX

2023-01-26 ⋅ TEAMT5 ⋅ Still Hsu @techreport{hsu:20230126:brief:5a0716d, author = {Still Hsu}, title = {{Brief History of MustangPanda and its PlugX Evolution}}, date = {2023-01-26}, institution = {TEAMT5}, url = {https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf}, language = {English}, urldate = {2023-02-09} } Brief History of MustangPanda and its PlugX Evolution PlugX

2023-01-09 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20230109:quicknote:5a8b18c, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Another nice PlugX sample}}, date = {2023-01-09}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/}, language = {English}, urldate = {2023-01-10} } [QuickNote] Another nice PlugX sample PlugX

2022-12-27 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20221227:diving:857147e, author = {m4n0w4r and Tran Trung Kien}, title = {{Diving into a PlugX sample of Mustang Panda group}}, date = {2022-12-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/}, language = {English}, urldate = {2022-12-29} } Diving into a PlugX sample of Mustang Panda group PlugX

2022-12-06 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20221206:mustang:fa0e3e1, author = {BlackBerry Research & Intelligence Team}, title = {{Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets}}, date = {2022-12-06}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets}, language = {English}, urldate = {2022-12-06} } Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets PlugX

2022-12-02 ⋅ Avast Decoded ⋅ Threat Intelligence Team @online{team:20221202:hitching:0cb7557, author = {Threat Intelligence Team}, title = {{Hitching a ride with Mustang Panda}}, date = {2022-12-02}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/}, language = {English}, urldate = {2022-12-02} } Hitching a ride with Mustang Panda PlugX

2022-11-30 ⋅ FFRI Security ⋅ Matsumoto @online{matsumoto:20221130:evolution:29e9b4c, author = {Matsumoto}, title = {{Evolution of the PlugX loader}}, date = {2022-11-30}, organization = {FFRI Security}, url = {https://engineers.ffri.jp/entry/2022/11/30/141346}, language = {Japanese}, urldate = {2022-12-01} } Evolution of the PlugX loader PlugX Poison Ivy

2022-10-06 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20221006:mustang:a7e981c, author = {The BlackBerry Research & Intelligence Team}, title = {{Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims}}, date = {2022-10-06}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims}, language = {English}, urldate = {2022-10-24} } Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims PlugX

2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220929:witchetty:628f1c4, author = {Threat Hunter Team}, title = {{Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East}}, date = {2022-09-29}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage}, language = {English}, urldate = {2022-09-30} } Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4

2022-09-26 ⋅ Palo Alto Networks Unit 42 ⋅ Daniela Shalev, Itay Gamliel @online{shalev:20220926:hunting:3489fdb, author = {Daniela Shalev and Itay Gamliel}, title = {{Hunting for Unsigned DLLs to Find APTs}}, date = {2022-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unsigned-dlls/}, language = {English}, urldate = {2022-09-30} } Hunting for Unsigned DLLs to Find APTs PlugX Raspberry Robin Roshtyak

2022-09-22 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220922:chinese:9349a24, author = {Insikt Group®}, title = {{Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets}}, date = {2022-09-22}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf}, language = {English}, urldate = {2022-09-26} } Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets 8.t Dropper LOWZERO

2022-09-14 ⋅ Security Joes ⋅ Felipe Duarte @techreport{duarte:20220914:dissecting:6ab0659, author = {Felipe Duarte}, title = {{Dissecting PlugX to Extract Its Crown Jewels}}, date = {2022-09-14}, institution = {Security Joes}, url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf}, language = {English}, urldate = {2022-09-16} } Dissecting PlugX to Extract Its Crown Jewels PlugX

2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220913:new:2ff2e98, author = {Threat Hunter Team}, title = {{New Wave of Espionage Activity Targets Asian Governments}}, date = {2022-09-13}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments}, language = {English}, urldate = {2022-09-20} } New Wave of Espionage Activity Targets Asian Governments MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT

2022-09-09 ⋅ Github (m4now4r) ⋅ m4n0w4r @techreport{m4n0w4r:20220909:mustang:120306a, author = {m4n0w4r}, title = {{“Mustang Panda” – Enemy at the gate}}, date = {2022-09-09}, institution = {Github (m4now4r)}, url = {https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf}, language = {English}, urldate = {2022-09-26} } “Mustang Panda” – Enemy at the gate PlugX

2022-09-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220908:bronze:1975ebf, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE PRESIDENT Targets Government Officials}}, date = {2022-09-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/bronze-president-targets-government-officials}, language = {English}, urldate = {2022-09-13} } BRONZE PRESIDENT Targets Government Officials PlugX

2022-09-08 ⋅ Cybereason ⋅ Kotaro Ogino, Yuki Shibuya, Aleksandar Milenkoski @online{ogino:20220908:threat:2ec8deb, author = {Kotaro Ogino and Yuki Shibuya and Aleksandar Milenkoski}, title = {{Threat Analysis Report: PlugX RAT Loader Evolution}}, date = {2022-09-08}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution}, language = {English}, urldate = {2022-09-13} } Threat Analysis Report: PlugX RAT Loader Evolution PlugX

2022-07-18 ⋅ YouTube (Security Joes) ⋅ Felipe Duarte @online{duarte:20220718:plugx:bfdba72, author = {Felipe Duarte}, title = {{PlugX DLL Side-Loading Technique}}, date = {2022-07-18}, organization = {YouTube (Security Joes)}, url = {https://www.youtube.com/watch?v=E2_DTQJjDYc}, language = {English}, urldate = {2022-07-19} } PlugX DLL Side-Loading Technique PlugX

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:shallow:cc9413f, author = {Unit 42}, title = {{Shallow Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/}, language = {English}, urldate = {2022-07-29} } Shallow Taurus FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK

2022-07-07 ⋅ Sentinel LABS ⋅ Tom Hegel @online{hegel:20220707:targets:174ab91, author = {Tom Hegel}, title = {{Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs}}, date = {2022-07-07}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/}, language = {English}, urldate = {2022-07-12} } Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs 8.t Dropper Korlia

2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov @online{snegirev:20220627:attacks:100c151, author = {Artem Snegirev and Kirill Kruglov}, title = {{Attacks on industrial control systems using ShadowPad}}, date = {2022-06-27}, organization = {Kaspersky ICS CERT}, url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/}, language = {English}, urldate = {2022-06-29} } Attacks on industrial control systems using ShadowPad Cobalt Strike PlugX ShadowPad

2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster

2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220523:operation:e3c402b, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Earth Berberoka}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf}, language = {English}, urldate = {2022-07-25} } Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka

2022-05-20 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien, Dang Dinh Phuong @online{m4n0w4r:20220520:re027:38348db, author = {m4n0w4r and Tran Trung Kien and Dang Dinh Phuong}, title = {{[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam}}, date = {2022-05-20}, organization = {VinCSS}, url = {https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html}, language = {English}, urldate = {2022-05-20} } [RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam PlugX

2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies @online{technologies:20220517:space:abd655a, author = {Positive Technologies}, title = {{Space Pirates: analyzing the tools and connections of a new hacker group}}, date = {2022-05-17}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/}, language = {English}, urldate = {2022-05-25} } Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax

2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220516:analysis:b1c8089, author = {Shusei Tomonaga}, title = {{Analysis of HUI Loader}}, date = {2022-05-16}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html}, language = {English}, urldate = {2022-05-17} } Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT

2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh @techreport{chang:20220512:next:5fd8a83, author = {Leon Chang and Silvia Yeh}, title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}}, date = {2022-05-12}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf}, language = {English}, urldate = {2022-08-08} } The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides) KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu

2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay @online{an:20220505:mustang:cbc06e9, author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay}, title = {{Mustang Panda deploys a new wave of malware targeting Europe}}, date = {2022-05-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html}, language = {English}, urldate = {2022-05-05} } Mustang Panda deploys a new wave of malware targeting Europe Cobalt Strike Meterpreter PlugX

2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich @online{chen:20220502:moshen:1969df2, author = {Joey Chen and Amitai Ben Shushan Ehrlich}, title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}}, date = {2022-05-02}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/}, language = {English}, urldate = {2022-05-04} } Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad PlugX ShadowPad

2022-04-28 ⋅ DARKReading ⋅ Jai Vijayan @online{vijayan:20220428:chinese:c4c2534, author = {Jai Vijayan}, title = {{Chinese APT Bronze President Mounts Spy Campaign on Russian Military}}, date = {2022-04-28}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military}, language = {English}, urldate = {2022-08-26} } Chinese APT Bronze President Mounts Spy Campaign on Russian Military PlugX MUSTANG PANDA

2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:c43873f, author = {PWC UK}, title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}}, date = {2022-04-28}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf}, language = {English}, urldate = {2022-04-29} } Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen

2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220427:new:9068f6e, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}}, date = {2022-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html}, language = {English}, urldate = {2023-04-18} } New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:18f7e31, author = {Trendmicro}, title = {{IOCs for Earth Berberoka - Windows}}, date = {2022-04-27}, organization = {Trendmicro}, url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt}, language = {English}, urldate = {2022-07-25} } IOCs for Earth Berberoka - Windows AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220427:bronze:34ac36a, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX}}, date = {2022-04-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx}, language = {English}, urldate = {2022-04-29} } BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX PlugX

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gambling Puppet}}, date = {2022-04-27}, institution = {Trendmicro}, url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf}, language = {English}, urldate = {2022-07-25} } Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

2022-04-14 ⋅ NSHC RedAlert Labs ⋅ NSHC Threatrecon Team @online{team:20220414:hacking:62e1b17, author = {NSHC Threatrecon Team}, title = {{Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB}}, date = {2022-04-14}, organization = {NSHC RedAlert Labs}, url = {https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/}, language = {English}, urldate = {2022-04-15} } Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB PlugX

2022-04-12 ⋅ Max Kersten's Blog ⋅ Max Kersten @online{kersten:20220412:ghidra:4afe367, author = {Max Kersten}, title = {{Ghidra script to handle stack strings}}, date = {2022-04-12}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/}, language = {English}, urldate = {2022-04-20} } Ghidra script to handle stack strings CaddyWiper PlugX

2022-03-28 ⋅ Trellix ⋅ Max Kersten, Marc Elias @online{kersten:20220328:plugx:37256d5, author = {Max Kersten and Marc Elias}, title = {{PlugX: A Talisman to Behold}}, date = {2022-03-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html}, language = {English}, urldate = {2022-03-30} } PlugX: A Talisman to Behold PlugX

2022-03-25 ⋅ ESET Research ⋅ Alexandre Côté Cyr @online{cyr:20220325:mustang:4052776, author = {Alexandre Côté Cyr}, title = {{Mustang Panda's Hodur: Old stuff, new variant of Korplug}}, date = {2022-03-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/}, language = {French}, urldate = {2022-03-30} } Mustang Panda's Hodur: Old stuff, new variant of Korplug PlugX

2022-03-24 ⋅ Threat Post ⋅ Nate Nelson @online{nelson:20220324:chinese:da166ef, author = {Nate Nelson}, title = {{Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection}}, date = {2022-03-24}, organization = {Threat Post}, url = {https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/}, language = {English}, urldate = {2022-03-25} } Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection PlugX

2022-03-23 ⋅ ESET Research ⋅ Alexandre Côté Cyr @online{cyr:20220323:mustang:3e97382, author = {Alexandre Côté Cyr}, title = {{Mustang Panda’s Hodur: Old tricks, new Korplug variant}}, date = {2022-03-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/}, language = {English}, urldate = {2022-03-24} } Mustang Panda’s Hodur: Old tricks, new Korplug variant PlugX

2022-03-23 ⋅ BleepingComputer ⋅ Bill Toulas @online{toulas:20220323:new:14befd9, author = {Bill Toulas}, title = {{New Mustang Panda hacking campaign targets diplomats, ISPs}}, date = {2022-03-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/}, language = {English}, urldate = {2022-03-25} } New Mustang Panda hacking campaign targets diplomats, ISPs PlugX

2022-03-07 ⋅ Proofpoint ⋅ Michael Raggi, Myrtus 0x0 @online{raggi:20220307:good:4e4acd6, author = {Michael Raggi and Myrtus 0x0}, title = {{The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates}}, date = {2022-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european}, language = {English}, urldate = {2022-03-08} } The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates PlugX

2022-02-17 ⋅ SinaCyber ⋅ Adam Kozy @techreport{kozy:20220217:testimony:692e499, author = {Adam Kozy}, title = {{Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”}}, date = {2022-02-17}, institution = {SinaCyber}, url = {https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf}, language = {English}, urldate = {2022-05-23} } Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States” PlugX APT26 APT41

2022-01-06 ⋅ Cyber And Ramen blog ⋅ Mike R @online{r:20220106:gulp:4ab908c, author = {Mike R}, title = {{A “GULP” of PlugX}}, date = {2022-01-06}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/}, language = {English}, urldate = {2022-04-05} } A “GULP” of PlugX PlugX

2021-12-01 ⋅ ESET Research ⋅ Alexis Dorais-Joncas, Facundo Muñoz @techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry

2021-11-18 ⋅ Cisco ⋅ Josh Pyorre @online{pyorre:20211118:blackmatter:e9e9bbf, author = {Josh Pyorre}, title = {{BlackMatter, LockBit, and THOR}}, date = {2021-11-18}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor}, language = {English}, urldate = {2022-03-28} } BlackMatter, LockBit, and THOR BlackMatter LockBit PlugX

2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20211104:shadowpad:8dbd5c7, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}}, date = {2021-11-04}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=r1zAVX_HnJg}, language = {English}, urldate = {2022-08-08} } ShadowPad: the masterpiece of privately sold malware in Chinese espionage PlugX ShadowPad

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT @techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy

2021-10-18 ⋅ NortonLifeLock ⋅ Norton Labs @techreport{labs:20211018:operation:9612cbf, author = {Norton Labs}, title = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}}, date = {2021-10-18}, institution = {NortonLifeLock}, url = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf}, language = {English}, urldate = {2021-12-15} } Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church NewBounce PlugX Zupdax

2021-09-28 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210928:4:069b441, author = {Insikt Group®}, title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}}, date = {2021-09-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/}, language = {English}, urldate = {2021-10-11} } 4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan PlugX Winnti

2021-09-14 ⋅ McAfee ⋅ Christiaan Beek @online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } Operation ‘Harvest’: A Deep Dive into a Long-term Campaign MimiKatz PlugX Winnti

2021-09-10 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210910:indonesian:fc06998, author = {Catalin Cimpanu}, title = {{Indonesian intelligence agency compromised in suspected Chinese hack}}, date = {2021-09-10}, organization = {The Record}, url = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/}, language = {English}, urldate = {2021-09-12} } Indonesian intelligence agency compromised in suspected Chinese hack PlugX

2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li @online{tseng:20210901:mem2img:7817a5d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=6SDdUVejR2w}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear

2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20210901:shadowpad:f9ae111, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}}, date = {2021-09-01}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U}, language = {English}, urldate = {2022-08-08} } SHADOWPAD: Chinese Espionage Malware-as-a-Service PlugX ShadowPad

2021-08-23 ⋅ SentinelOne ⋅ Yi-Jhen Hsieh, Joey Chen @techreport{hsieh:20210823:shadowpad:58780f1, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-23}, institution = {SentinelOne}, url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf}, language = {English}, urldate = {2022-07-18} } ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage PlugX ShadowPad

2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Alex Hinchliffe @online{harbison:20210727:thor:5d6d793, author = {Mike Harbison and Alex Hinchliffe}, title = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}}, date = {2021-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thor-plugx-variant/}, language = {English}, urldate = {2021-07-29} } THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group PlugX

2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie @online{botezatu:20210721:luminousmoth:7ed907d, author = {Bogdan Botezatu and Victor Vrabie}, title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}}, date = {2021-07-21}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited}, language = {English}, urldate = {2021-07-26} } LuminousMoth – PlugX, File Exfiltration and Persistence Revisited PlugX

2021-06-16 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210616:threat:d585785, author = {Insikt Group®}, title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}}, date = {2021-06-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf}, language = {English}, urldate = {2022-07-29} } Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA

2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex @online{xorhex:20210602:new:9e10322, author = {Xorhex}, title = {{Tweet on new variant of PlugX from RedDelta Group}}, date = {2021-06-02}, organization = {Twitter (@xorhex)}, url = {https://twitter.com/xorhex/status/1399906601562165249?s=20}, language = {English}, urldate = {2021-06-09} } Tweet on new variant of PlugX from RedDelta Group PlugX

2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex) @online{xorhex:20210602:reddelta:f35268d, author = {Twitter (@xorhex)}, title = {{RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure}}, date = {2021-06-02}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/reddeltaplugxchangeup/}, language = {English}, urldate = {2021-06-09} } RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure PlugX

2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex) @online{xorhex:20210527:mustang:d3c664b, author = {Twitter (@xorhex)}, title = {{Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config}}, date = {2021-05-27}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/mustangpandaplugx-2/}, language = {English}, urldate = {2021-06-21} } Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config PlugX

2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex) @online{xorhex:20210517:mustang:c51cc47, author = {Twitter (@xorhex)}, title = {{Mustang Panda PlugX - 45.251.240.55 Pivot}}, date = {2021-05-17}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/mustangpandaplugx-1/}, language = {English}, urldate = {2021-06-21} } Mustang Panda PlugX - 45.251.240.55 Pivot PlugX

2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li @techreport{tseng:20210507:mem2img:494799d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear

2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210329:redecho:30b16b4, author = {Catalin Cimpanu}, title = {{RedEcho group parks domains after public exposure}}, date = {2021-03-29}, organization = {The Record}, url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/}, language = {English}, urldate = {2021-03-31} } RedEcho group parks domains after public exposure PlugX ShadowPad RedEcho

2021-03-25 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210325:suspected:5b0078f, author = {Insikt Group®}, title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}}, date = {2021-03-25}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/}, language = {English}, urldate = {2021-03-30} } Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers Meterpreter PlugX

2021-03-17 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210317:chinalinked:65b251b, author = {Insikt Group®}, title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}}, date = {2021-03-17}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/china-linked-ta428-threat-group}, language = {English}, urldate = {2021-03-19} } China-linked TA428 Continues to Target Russia and Mongolia IT Companies PlugX Poison Ivy TA428

2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare @online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda

2021-02-28 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210228:chinalinked:2fb1230, author = {Insikt Group®}, title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf}, language = {English}, urldate = {2021-03-04} } China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions Icefog PlugX ShadowPad

2021-02-28 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210228:chinalinked:ce3b62d, author = {Insikt Group®}, title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/}, language = {English}, urldate = {2021-03-31} } China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions PlugX ShadowPad RedEcho

2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque @online{sison:20210120:xdr:8ea19cc, author = {Gilbert Sison and Abraham Camba and Ryan Maglaque}, title = {{XDR investigation uncovers PlugX, unique technique in APT attack}}, date = {2021-01-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html}, language = {English}, urldate = {2021-01-27} } XDR investigation uncovers PlugX, unique technique in APT attack PlugX

2021-01-15 ⋅ Swisscom ⋅ Markus Neis @techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT

2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad

2021-01-13 ⋅ AlienVault ⋅ Tom Hegel @techreport{hegel:20210113:global:72b7b9d, author = {Tom Hegel}, title = {{A Global Perspective of the SideWinder APT}}, date = {2021-01-13}, institution = {AlienVault}, url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf}, language = {English}, urldate = {2021-01-18} } A Global Perspective of the SideWinder APT 8.t Dropper Koadic SideWinder

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20210104:chinas:9677dc6, author = {Ionut Ilascu}, title = {{China's APT hackers move to ransomware attacks}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/}, language = {English}, urldate = {2021-01-11} } China's APT hackers move to ransomware attacks Clambling PlugX

2021-01-04 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive 8.t Dropper Chinoxy FlowCloud FunnyDream Lookback

2020-12-24 ⋅ IronNet ⋅ Adam Hlavek @online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = {2021-01-01} } China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti

2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20201210:operation:0eecfc8, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/}, language = {English}, urldate = {2020-12-10} } Operation StealthyTrident: corporate software under attack HyperBro PlugX ShadowPad Tmanger

2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20201210:operation:0df1b72, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop}, language = {English}, urldate = {2022-07-29} } Operation StealthyTrident: corporate software under attack HyperBro PlugX Tmanger TA428

2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern @online{camastra:20201209:targeting:952844f, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/}, language = {English}, urldate = {2021-01-27} } APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX PolPo Tmanger

2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern @online{camastra:20201209:targeting:d3469a1, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia}, language = {English}, urldate = {2022-07-29} } APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX Tmanger TA428

2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20201123:ta416:60e8b7e, author = {Proofpoint Threat Research Team}, title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}}, date = {2020-11-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader}, language = {English}, urldate = {2020-11-25} } TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader PlugX

2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison @online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} } Weaponizing Open Source Software for Targeted Attacks LaZagne Defray PlugX

2020-11-12 ⋅ Twitter (@ddash_ct) ⋅ ddash @online{ddash:20201112:lootwodniw:03198af, author = {ddash}, title = {{Tweet on Lootwodniw}}, date = {2020-11-12}, organization = {Twitter (@ddash_ct)}, url = {https://twitter.com/ddash_ct/status/1326887125103616000}, language = {English}, urldate = {2020-12-03} } Tweet on Lootwodniw Lootwodniw

2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos @online{szappanos:20201104:new:66b8447, author = {Gabor Szappanos}, title = {{A new APT uses DLL side-loads to “KilllSomeOne”}}, date = {2020-11-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/}, language = {English}, urldate = {2020-11-06} } A new APT uses DLL side-loads to “KilllSomeOne” KilllSomeOne PlugX

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-10-27 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad

2020-09-24 ⋅ CARO ⋅ Mark Lechtik, Giampaolo Dedola @online{lechtik:20200924:cycldek:8b488b1, author = {Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek aka Goblin Panda: Chronicles of the Goblin}}, date = {2020-09-24}, organization = {CARO}, url = {https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view}, language = {English}, urldate = {2020-09-25} } Cycldek aka Goblin Panda: Chronicles of the Goblin NewCore RAT USBCulprit

2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK PlugX poisonplug ShadowPad Winnti

2020-09-16 ⋅ RiskIQ ⋅ Jon Gross @online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2 8.t Dropper Chinoxy Poison Ivy

2020-09-15 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20200915:back:2c78a6f, author = {Insikt Group®}, title = {{Back Despite Disruption: RedDelta Resumes Operations}}, date = {2020-09-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf}, language = {English}, urldate = {2020-09-16} } Back Despite Disruption: RedDelta Resumes Operations PlugX

2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20200911:research:edfb074, author = {ThreatConnect Research Team}, title = {{Research Roundup: Activity on Previously Identified APT33 Domains}}, date = {2020-09-11}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/}, language = {English}, urldate = {2020-09-15} } Research Roundup: Activity on Previously Identified APT33 Domains Emotet PlugX APT33

2020-08-19 ⋅ RiskIQ ⋅ Jon Gross, Cory Kennedy @online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } RiskIQ Adventures in Cookie Land - Part 1 8.t Dropper Chinoxy

2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200819:operation:445be8c, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: Colorful Panda Footprint}}, date = {2020-08-19}, institution = {NTT Security}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2022-07-29} } Operation LagTime IT: Colorful Panda Footprint 8.t Dropper Cotx RAT Poison Ivy TA428

2020-07-29 ⋅ Recorded Future ⋅ Insikt Group @techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations PlugX

2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-28 ⋅ NTT ⋅ NTT Security @online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX

2020-07-20 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan Microcin Mirage PlugX WhiteBird

2020-07-20 ⋅ or10nlabs ⋅ oR10n @online{or10n:20200720:reverse:bcb6023, author = {oR10n}, title = {{Reverse Engineering the New Mustang Panda PlugX Downloader}}, date = {2020-07-20}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the New Mustang Panda PlugX Downloader PlugX

2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon @online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell

2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } Chinese state hackers target Hong Kong Catholic Church PlugX

2020-07-05 ⋅ or10nlabs ⋅ oR10n @online{or10n:20200705:reverse:60298dc, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config}}, date = {2020-07-05}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config PlugX

2020-07-01 ⋅ Contextis ⋅ Lampros Noutsos, Oliver Fay @online{noutsos:20200701:dll:00c6e85, author = {Lampros Noutsos and Oliver Fay}, title = {{DLL Search Order Hijacking}}, date = {2020-07-01}, organization = {Contextis}, url = {https://www.contextis.com/en/blog/dll-search-order-hijacking}, language = {English}, urldate = {2022-04-06} } DLL Search Order Hijacking Cobalt Strike PlugX

2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola @online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing

2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers PlugX

2020-05-24 ⋅ or10nlabs ⋅ oR10n @online{or10n:20200524:reverse:49c2ad8, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX Loader}}, date = {2020-05-24}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the Mustang Panda PlugX Loader PlugX

2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller @online{miller:20200515:sogu:cc5a1fc, author = {Steve Miller}, title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}}, date = {2020-05-15}, organization = {Twitter (@stvemillertime)}, url = {https://twitter.com/stvemillertime/status/1261263000960450562}, language = {English}, urldate = {2020-05-18} } Tweet on SOGU development timeline, including TIGERPLUG IOCs PlugX

2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat @online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1) NewCore RAT PlugX

2020-03-21 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz @online{kotowicz:20200321:royal:da8fd16, author = {Maciej Kotowicz}, title = {{On the Royal Road}}, date = {2020-03-21}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/on_the_royal_road/}, language = {English}, urldate = {2020-03-24} } On the Royal Road 8.t Dropper

2020-03-20 ⋅ Medium Sebdraven ⋅ Sébastien Larinier @online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } New version of chinoxy backdoor using COVID19 alerts document lure 8.t Dropper Chinoxy

2020-03-19 ⋅ VinCSS ⋅ m4n0w4r @online{m4n0w4r:20200319:phn:461fca7, author = {m4n0w4r}, title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}}, date = {2020-03-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html}, language = {Vietnamese}, urldate = {2020-03-19} } Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2 PlugX

2020-03-12 ⋅ Check Point ⋅ Check Point Research @online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign 8.t Dropper BYEBY Enfal Korlia Poison Ivy

2020-03-12 ⋅ Check Point Research ⋅ Check Point @online{point:20200312:vicious:1d97e93, author = {Check Point}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign}, language = {English}, urldate = {2022-07-25} } Vicious Panda: The COVID Campaign 8.t Dropper Vicious Panda

2020-03-11 ⋅ Virus Bulletin ⋅ Ghareeb Saad, Michael Raggi @online{saad:20200311:attribution:3efcc0a, author = {Ghareeb Saad and Michael Raggi}, title = {{Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers}}, date = {2020-03-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/}, language = {English}, urldate = {2020-03-13} } Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers 8.t Dropper

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe @online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy

2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT

2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT

2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen @online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } CLAMBLING - A New Backdoor Base On Dropbox HyperBro PlugX

2020-02-12 ⋅ MeltX0R Security ⋅ MeltX0R @online{meltx0r:20200212:goblin:e79762e, author = {MeltX0R}, title = {{Goblin Panda APT: Recent infrastructure and RAT analysis}}, date = {2020-02-12}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html}, language = {English}, urldate = {2020-02-25} } Goblin Panda APT: Recent infrastructure and RAT analysis NewCore RAT

2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard @online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } New wave of PlugX targets Hong Kong PlugX

2020-01-31 ⋅ YouTube (Context Information Security) ⋅ Contextis @online{contextis:20200131:new:74e3724, author = {Contextis}, title = {{New AVIVORE threat group – how they operate and managing the risk}}, date = {2020-01-31}, organization = {YouTube (Context Information Security)}, url = {https://www.youtube.com/watch?v=C_TmANnbS2k}, language = {English}, urldate = {2022-04-13} } New AVIVORE threat group – how they operate and managing the risk PlugX

2020-01-29 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:472aea8, author = {SecureWorks}, title = {{BRONZE OLIVE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-olive}, language = {English}, urldate = {2020-05-23} } BRONZE OLIVE ANGRYREBEL PlugX APT22

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } BRONZE WOODLAND PlugX Zeus Roaming Tiger

2020-01 ⋅ Dragos ⋅ Joe Slowik @techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis Exaramel Exaramel Industroyer Lookback NjRAT PlugX

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:79d8dd2, author = {SecureWorks}, title = {{BRONZE OVERBROOK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook}, language = {English}, urldate = {2020-05-23} } BRONZE OVERBROOK Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK

2019-12-29 ⋅ Secureworks ⋅ CTU Research Team @online{team:20191229:bronze:bda6bfc, author = {CTU Research Team}, title = {{BRONZE PRESIDENT Targets NGOs}}, date = {2019-12-29}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-president-targets-ngos}, language = {English}, urldate = {2020-01-10} } BRONZE PRESIDENT Targets NGOs PlugX

2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler @online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } Fresh PlugX October 2019 PlugX

2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi @online{tomonaga:20191111:cases:ac5f1b3, author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi}, title = {{APT cases exploiting vulnerabilities in region‑specific software}}, date = {2019-11-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/}, language = {English}, urldate = {2020-05-13} } APT cases exploiting vulnerabilities in region‑specific software NodeRAT Emdivi PlugX

2019-10-31 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20191031:calypso:adaf761, author = {PTSecurity}, title = {{Calypso APT: new group attacking state institutions}}, date = {2019-10-31}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/}, language = {English}, urldate = {2020-01-12} } Calypso APT: new group attacking state institutions BYEBY FlyingDutchman Hussar PlugX

2019-10-22 ⋅ Contextis ⋅ Contextis @techreport{contextis:20191022:avivore:421fc23, author = {Contextis}, title = {{AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)}}, date = {2019-10-22}, institution = {Contextis}, url = {https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf}, language = {English}, urldate = {2023-01-19} } AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper) PlugX Avivore

2019-10-03 ⋅ ComputerWeekly ⋅ Alex Scroxton @online{scroxton:20191003:new:ce11edf, author = {Alex Scroxton}, title = {{New threat group behind Airbus cyber attacks, claim researchers}}, date = {2019-10-03}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers}, language = {English}, urldate = {2022-04-05} } New threat group behind Airbus cyber attacks, claim researchers PlugX Avivore

2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe @online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } PKPLUG: Chinese Cyber Espionage Group Attacking Asia HenBox Farseer PlugX

2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41

2019-09-22 ⋅ Check Point Research ⋅ Check Point Research @online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish 8.t Dropper Cobalt Strike

2019-07-23 ⋅ Proofpoint ⋅ Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team @online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia 8.t Dropper Cotx RAT Poison Ivy TA428

2019-06-19 ⋅ YouTube (44CON Information Security Conference) ⋅ Kevin O’Reilly @online{oreilly:20190619:malware:a2f7812, author = {Kevin O’Reilly}, title = {{The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware}}, date = {2019-06-19}, organization = {YouTube (44CON Information Security Conference)}, url = {https://www.youtube.com/watch?v=qEwBGGgWgOM}, language = {English}, urldate = {2022-04-04} } The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware PlugX

2019-06-03 ⋅ FireEye ⋅ Chi-en Shen @online{shen:20190603:into:d40fee9, author = {Chi-en Shen}, title = {{Into the Fog - The Return of ICEFOG APT}}, date = {2019-06-03}, organization = {FireEye}, url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt}, language = {English}, urldate = {2020-06-30} } Into the Fog - The Return of ICEFOG APT Icefog PlugX Sarhust

2019-05-24 ⋅ Fortinet ⋅ Ben Hunter @online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-}, language = {English}, urldate = {2020-11-04} } Uncovering new Activity by APT10 PlugX Quasar RAT

2019-05-02 ⋅ Medium Sebdraven ⋅ Sébastien Larinier @online{larinier:20190502:goblin:a0118b4, author = {Sébastien Larinier}, title = {{Goblin Panda continues to target Vietnam}}, date = {2019-05-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6}, language = {English}, urldate = {2019-10-23} } Goblin Panda continues to target Vietnam NewCore RAT

2019-04-11 ⋅ FireEye ⋅ FireEye @online{fireeye:20190411:mtrend:597b240, author = {FireEye}, title = {{M-Trend 2019}}, date = {2019-04-11}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019}, language = {English}, urldate = {2020-01-10} } M-Trend 2019 GRILLMARK

2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team @online{team:20190319:sectorm04:6c6ea37, author = {ThreatRecon Team}, title = {{SectorM04 Targeting Singapore – An Analysis}}, date = {2019-03-19}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/}, language = {English}, urldate = {2020-01-07} } SectorM04 Targeting Singapore – An Analysis PlugX Termite

2019-03-05 ⋅ Accenture ⋅ Accenture @techreport{accenture:20190305:mudcarps:2e785cc, author = {Accenture}, title = {{MUDCARP's Focus on Submarine Technologies}}, date = {2019-03-05}, institution = {Accenture}, url = {https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf}, language = {English}, urldate = {2022-09-12} } MUDCARP's Focus on Submarine Technologies 8.t Dropper APT40

2019-01-03 ⋅ m4n0w4r @online{m4n0w4r:20190103:another:2f48120, author = {m4n0w4r}, title = {{Another malicious document with CVE-2017–11882}}, date = {2019-01-03}, url = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f}, language = {Vietnamese}, urldate = {2020-03-11} } Another malicious document with CVE-2017–11882 8.t Dropper

2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:hellsing:44d21df, author = {Cyber Operations Tracker}, title = {{Hellsing}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/hellsing}, language = {English}, urldate = {2019-12-20} } Hellsing Hellsing

2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD @techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } Investigationreport: Compromise of an Australian companyvia their Managed Service Provider PlugX RedLeaves

2018-11-03 ⋅ m4n0w4r @online{m4n0w4r:20181103:l:d496fbd, author = {m4n0w4r}, title = {{Là 1937CN hay OceanLotus hay Lazarus …}}, date = {2018-11-03}, url = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241}, language = {Vietnamese}, urldate = {2020-03-11} } Là 1937CN hay OceanLotus hay Lazarus … 8.t Dropper

2018-11-01 ⋅ Fortinet ⋅ FortiGuard SE Team @online{team:20181101:cta:d0c6bde, author = {FortiGuard SE Team}, title = {{CTA Adversary Playbook: Goblin Panda}}, date = {2018-11-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html}, language = {English}, urldate = {2020-01-08} } CTA Adversary Playbook: Goblin Panda GOBLIN PANDA Hellsing

2018-08-29 ⋅ CrowdStrike ⋅ Adam Meyers @online{meyers:20180829:meet:ceb250f, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA}}, date = {2018-08-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/}, language = {English}, urldate = {2019-12-20} } Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA GOBLIN PANDA Hellsing

2018-08-02 ⋅ Sébastien Larinier @online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } Goblin Panda against the Bears Sisfader

2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier @online{larinier:20180731:malicious:571d2df, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?}, language = {English}, urldate = {2020-03-04} } Malicious document targets Vietnamese officials 8.t Dropper

2018-06-12 ⋅ NCC Group ⋅ Ben Humphrey @online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } CVE-2017-8570 RTF and the Sisfader RAT Sisfader

2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha @online{rocha:20180509:malware:3ee8ecf, author = {Luis Rocha}, title = {{Malware Analysis - PlugX - Part 2}}, date = {2018-05-09}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/}, language = {English}, urldate = {2020-01-05} } Malware Analysis - PlugX - Part 2 PlugX

2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov @online{makrushin:20180313:time:7171143, author = {Denis Makrushin and Yury Namestnikov}, title = {{Time of death? A therapeutic postmortem of connected medicine}}, date = {2018-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/time-of-death-connected-medicine/84315/}, language = {English}, urldate = {2019-12-20} } Time of death? A therapeutic postmortem of connected medicine PlugX

2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha @online{rocha:20180204:malware:ea0aede, author = {Luis Rocha}, title = {{MALWARE ANALYSIS – PLUGX}}, date = {2018-02-04}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/}, language = {English}, urldate = {2020-01-07} } MALWARE ANALYSIS – PLUGX PlugX

2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa @online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } Relationship between PlugX and attacker group "DragonOK" PlugX

2017-09-05 ⋅ Fortinet ⋅ Jasper Manuel, Artem Semenchenko @online{manuel:20170905:rehashed:c3d5a4c, author = {Jasper Manuel and Artem Semenchenko}, title = {{Rehashed RAT Used in APT Campaign Against Vietnamese Organizations}}, date = {2017-09-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations}, language = {English}, urldate = {2019-10-23} } Rehashed RAT Used in APT Campaign Against Vietnamese Organizations NewCore RAT

2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic @online{lancaster:20170627:paranoid:f933eb4, author = {Tom Lancaster and Esmid Idrizovic}, title = {{Paranoid PlugX}}, date = {2017-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/}, language = {English}, urldate = {2019-12-20} } Paranoid PlugX PlugX

2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:axiom:b181fdb, author = {MITRE ATT&CK}, title = {{Axiom}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0001/}, language = {English}, urldate = {2022-08-30} } Axiom Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17

2017-04-27 ⋅ US-CERT ⋅ US-CERT @online{uscert:20170427:alert:fdb865d, author = {US-CERT}, title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}}, date = {2017-04-27}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-117A}, language = {English}, urldate = {2020-03-11} } Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors PlugX RedLeaves

2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20170403:redleaves:211a123, author = {Shusei Tomonaga}, title = {{RedLeaves - Malware Based on Open Source RAT}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html}, language = {English}, urldate = {2022-06-22} } RedLeaves - Malware Based on Open Source RAT PlugX RedLeaves Trochilus RAT

2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers @techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT

2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20170221:plugx:f9e4817, author = {Shusei Tomonaga}, title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}}, date = {2017-02-21}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html}, language = {English}, urldate = {2020-01-13} } PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code PlugX

2017-02-13 ⋅ RSA ⋅ RSA Research @techreport{research:20170213:kingslayer:98f4892, author = {RSA Research}, title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}}, date = {2017-02-13}, institution = {RSA}, url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf}, language = {English}, urldate = {2020-01-08} } KINGSLAYER – A SUPPLY CHAIN ATTACK CodeKey PlugX

2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs @online{labs:20160825:unpacking:66173f5, author = {Malwarebytes Labs}, title = {{Unpacking the spyware disguised as antivirus}}, date = {2016-08-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/}, language = {English}, urldate = {2019-12-20} } Unpacking the spyware disguised as antivirus PlugX

2016-06-13 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20160613:survey:c78b147, author = {Macnica Networks}, title = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}}, date = {2016-06-13}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/security_report_20160613.pdf}, language = {Japanese}, urldate = {2021-03-02} } Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition Emdivi PlugX

2016-01-22 ⋅ RSA Link ⋅ Norton Santos @online{santos:20160122:plugx:580fcff, author = {Norton Santos}, title = {{PlugX APT Malware}}, date = {2016-01-22}, organization = {RSA Link}, url = {https://community.rsa.com/thread/185439}, language = {English}, urldate = {2020-01-13} } PlugX APT Malware PlugX

2015-08 ⋅ Arbor Networks ⋅ ASERT Team @online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT APT9

2015-04-15 ⋅ Kaspersky Labs ⋅ Costin Raiu, Maxim Golovkin @online{raiu:20150415:chronicles:aa4af84, author = {Costin Raiu and Maxim Golovkin}, title = {{The Chronicles of the Hellsing APT: the Empire Strikes Back}}, date = {2015-04-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/}, language = {English}, urldate = {2021-02-06} } The Chronicles of the Hellsing APT: the Empire Strikes Back GRILLMARK Hellsing

2015-04-15 ⋅ Kaspersky Labs ⋅ Costin Raiu, Maxim Golovkin @online{raiu:20150415:chronicles:49b4463, author = {Costin Raiu and Maxim Golovkin}, title = {{The Chronicles of the Hellsing APT: the Empire Strikes Back}}, date = {2015-04-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/}, language = {English}, urldate = {2019-12-20} } The Chronicles of the Hellsing APT: the Empire Strikes Back Hellsing

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20150129:analysis:0eaad95, author = {Shusei Tomonaga}, title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}}, date = {2015-01-29}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html}, language = {English}, urldate = {2020-01-09} } Analysis of a Recent PlugX Variant - “P2P PlugX” PlugX

2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos @techreport{szappanos:20140627:plugx:e63d8bf, author = {Gabor Szappanos}, title = {{PlugX - The Next Generation}}, date = {2014-06-27}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf}, language = {English}, urldate = {2020-01-10} } PlugX - The Next Generation PlugX

2014-06-10 ⋅ FireEye ⋅ Mike Scott @online{scott:20140610:clandestine:6d515ab, author = {Mike Scott}, title = {{Clandestine Fox, Part Deux}}, date = {2014-06-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html}, language = {English}, urldate = {2019-12-20} } Clandestine Fox, Part Deux PlugX

2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud @online{perigaud:20140106:plugx:16410d7, author = {Fabien Perigaud}, title = {{PlugX: some uncovered points}}, date = {2014-01-06}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html}, language = {English}, urldate = {2020-01-08} } PlugX: some uncovered points PlugX

2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL @techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0) PlugX

2013-03-26 ⋅ Contextis ⋅ Kevin O’Reilly @techreport{oreilly:20130326:plugxpayload:d355f49, author = {Kevin O’Reilly}, title = {{PlugX–Payload Extraction}}, date = {2013-03-26}, institution = {Contextis}, url = {https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf}, language = {English}, urldate = {2023-01-19} } PlugX–Payload Extraction PlugX

2013-02-27 ⋅ Trend Micro ⋅ Abraham Camba @online{camba:20130227:bkdrrarstone:8893f88, author = {Abraham Camba}, title = {{BKDR_RARSTONE: New RAT to Watch Out For}}, date = {2013-02-27}, organization = {Trend Micro}, url = {https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/}, language = {English}, urldate = {2023-04-22} } BKDR_RARSTONE: New RAT to Watch Out For PlugX Naikon

2012-02-10 ⋅ tracker.h3x.eu ⋅ Malware Corpus Tracker @online{tracker:20120210:info:d58b5c1, author = {Malware Corpus Tracker}, title = {{Info for Family: plugx}}, date = {2012-02-10}, organization = {tracker.h3x.eu}, url = {https://tracker.h3x.eu/info/290}, language = {English}, urldate = {2021-06-24} } Info for Family: plugx PlugX

---

Credits: MISP Project