aka: TEMP.Periscope, TEMP.Jumper, APT 40, APT40, BRONZE MOHAWK, GADOLINIUM, Kryptonite Panda
Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has a long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.
2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff @online{loui:20210226:hypervisor:8dadf9c,
author = {Eric Loui and Sergei Frankoff},
title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}},
date = {2021-02-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout},
language = {English},
urldate = {2021-03-02}
}
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact RansomEXX Griffon Carbanak Cobalt Strike IcedID MimiKatz PyXie RansomEXX REvil |
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta @online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-03-02}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations Cobalt Strike Egregor IcedID Maze SystemBC |
2021-02-25 ⋅ Proofpoint ⋅ Michael Raggi, Proofpoint Threat Research Team @online{raggi:20210225:ta413:400254c,
author = {Michael Raggi and Proofpoint Threat Research Team},
title = {{TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations}},
date = {2021-02-25},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global},
language = {English},
urldate = {2021-02-25}
}
TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations scanbox Sepulcher |
2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama @techreport{haruyama:20210224:knock:f4903a2,
author = {Takahiro Haruyama},
title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}},
date = {2021-02-24},
institution = {VMWare Carbon Black},
url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf},
language = {Japanese},
urldate = {2021-02-26}
}
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation Cobalt Strike |
2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International @online{international:20210224:overview:95b80e0,
author = {Amnesty International},
title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}},
date = {2021-02-24},
organization = {Github (AmnestyTech)},
url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam},
language = {English},
urldate = {2021-02-25}
}
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders OceanLotus Cobalt Strike KerrDown |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader |
2021-02-22 ⋅ tccontre Blog ⋅ tcontre @online{tcontre:20210222:gh0strat:9f98308,
author = {tcontre},
title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}},
date = {2021-02-22},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html},
language = {English},
urldate = {2021-02-25}
}
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload Ghost RAT |
2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210211:hancitor:9fa527e,
author = {The DFIR Report},
title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}},
date = {2021-02-11},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1359669513520873473},
language = {English},
urldate = {2021-02-18}
}
Tweet on Hancitor Activity followed by cobaltsrike beacon Cobalt Strike Hancitor |
2021-02-09 ⋅ Securehat ⋅ Securehat @online{securehat:20210209:extracting:0f4ae2f,
author = {Securehat},
title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}},
date = {2021-02-09},
organization = {Securehat},
url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader},
language = {English},
urldate = {2021-02-10}
}
Extracting the Cobalt Strike Config from a TEARDROP Loader Cobalt Strike TEARDROP |
2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20210209:learn:c08b657,
author = {Raphael Mudge},
title = {{Learn Pipe Fitting for all of your Offense Projects}},
date = {2021-02-09},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/},
language = {English},
urldate = {2021-02-10}
}
Learn Pipe Fitting for all of your Offense Projects Cobalt Strike |
2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210203:excel:8e949c9,
author = {Brad Duncan},
title = {{Excel spreadsheets push SystemBC malware}},
date = {2021-02-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/},
language = {English},
urldate = {2021-02-04}
}
Excel spreadsheets push SystemBC malware Cobalt Strike SystemBC |
2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp @online{earp:20210202:how:923f969,
author = {Madeline Earp},
title = {{How Vietnam-based hacking operation OceanLotus targets journalists}},
date = {2021-02-02},
organization = {Committee to Protect Journalists},
url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists},
language = {English},
urldate = {2021-02-04}
}
How Vietnam-based hacking operation OceanLotus targets journalists Cobalt Strike |
2021-02-02 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20210202:de:6ff4f3a,
author = {Germán Fernández},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-03-02}
}
De ataque con Malware a incidente de Ransomware Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210202:recent:5272ed0,
author = {The DFIR Report},
title = {{Tweet on recent dridex post infection activity}},
date = {2021-02-02},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1356729371931860992},
language = {English},
urldate = {2021-02-04}
}
Tweet on recent dridex post infection activity Cobalt Strike Dridex |
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou @online{sanmillan:20210201:operation:9e52a78,
author = {Ignacio Sanmillan and Matthieu Faou},
title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}},
date = {2021-02-01},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/},
language = {English},
urldate = {2021-02-17}
}
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT Poison Ivy |
2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210201:bluecrab:df21c0a,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}},
date = {2021-02-01},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19860/},
language = {English},
urldate = {2021-02-06}
}
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike REvil |
2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis @online{koutroumpis:20210201:relay:596413f,
author = {Petros Koutroumpis},
title = {{Relay Attacks via Cobalt Strike Beacons}},
date = {2021-02-01},
organization = {pkb1s.github.io},
url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/},
language = {English},
urldate = {2021-02-04}
}
Relay Attacks via Cobalt Strike Beacons Cobalt Strike |
2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210131:bazar:c3b3859,
author = {The DFIR Report},
title = {{Bazar, No Ryuk?}},
date = {2021-01-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
language = {English},
urldate = {2021-02-02}
}
Bazar, No Ryuk? BazarBackdoor Cobalt Strike Ryuk |
2021-01-29 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210129:chopper:6dfb7c6,
author = {Trend Micro},
title = {{Chopper ASPX web shell used in targeted attack}},
date = {2021-01-29},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html},
language = {English},
urldate = {2021-02-02}
}
Chopper ASPX web shell used in targeted attack CHINACHOPPER MimiKatz |
2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210128:bluecrab:44d2e64,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware constantly trying to bypass detection}},
date = {2021-01-28},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19640/},
language = {Korean},
urldate = {2021-02-04}
}
BlueCrab ransomware constantly trying to bypass detection Cobalt Strike REvil |
2021-01-28 ⋅ TrustedSec ⋅ Adam Chester @online{chester:20210128:tailoring:d3f973c,
author = {Adam Chester},
title = {{Tailoring Cobalt Strike on Target}},
date = {2021-01-28},
organization = {TrustedSec},
url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/},
language = {English},
urldate = {2021-01-29}
}
Tailoring Cobalt Strike on Target Cobalt Strike |
2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT @online{csirt:20210126:cring:f12c487,
author = {Swisscom CSIRT},
title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}},
date = {2021-01-26},
organization = {Twitter (@swisscom_csirt)},
url = {https://twitter.com/swisscom_csirt/status/1354052879158571008},
language = {English},
urldate = {2021-01-27}
}
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware Cobalt Strike Cring Ransomware MimiKatz |
2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC) @online{team:20210120:deep:1cc0551,
author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)},
title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}},
date = {2021-01-20},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/},
language = {English},
urldate = {2021-01-21}
}
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop Cobalt Strike SUNBURST TEARDROP |
2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque @online{sison:20210120:xdr:8ea19cc,
author = {Gilbert Sison and Abraham Camba and Ryan Maglaque},
title = {{XDR investigation uncovers PlugX, unique technique in APT attack}},
date = {2021-01-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html},
language = {English},
urldate = {2021-01-27}
}
XDR investigation uncovers PlugX, unique technique in APT attack PlugX |
2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210118:raindrop:9ab1262,
author = {Threat Hunter Team},
title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}},
date = {2021-01-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware},
language = {English},
urldate = {2021-01-21}
}
Raindrop: New Malware Discovered in SolarWinds Investigation Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210117:conti:db7f1cb,
author = {Peter Mackenzie},
title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}},
date = {2021-01-17},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352},
language = {English},
urldate = {2021-01-21}
}
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders Cobalt Strike Conti Ransomware |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis @techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier @online{lussier:20210115:detecting:fecd6c3,
author = {Dan Lussier},
title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}},
date = {2021-01-15},
organization = {Medium Dansec},
url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64},
language = {English},
urldate = {2021-01-21}
}
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike Cobalt Strike |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen @online{jansen:20210112:abusing:c38eeb6,
author = {Wouter Jansen},
title = {{Abusing cloud services to fly under the radar}},
date = {2021-01-12},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/},
language = {English},
urldate = {2021-01-18}
}
Abusing cloud services to fly under the radar Cobalt Strike |
2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist @online{read:20210112:unc2452:6e54c6c,
author = {Ben Read and John Hultquist},
title = {{UNC2452: What We Know So Far}},
date = {2021-01-12},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/462719},
language = {English},
urldate = {2021-01-18}
}
UNC2452: What We Know So Far Cobalt Strike SUNBURST TEARDROP |
2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna @online{ramakrishna:20210111:new:296b621,
author = {Sudhakar Ramakrishna},
title = {{New Findings From Our Investigation of SUNBURST}},
date = {2021-01-11},
organization = {SolarWinds},
url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/},
language = {English},
urldate = {2021-01-18}
}
New Findings From Our Investigation of SUNBURST Cobalt Strike SUNBURST TEARDROP |
2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210111:trickbot:d1011f9,
author = {The DFIR Report},
title = {{Trickbot Still Alive and Well}},
date = {2021-01-11},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
language = {English},
urldate = {2021-01-11}
}
Trickbot Still Alive and Well Cobalt Strike TrickBot |
2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20210110:man1:54a4162,
author = {Jason Reaves},
title = {{MAN1, Moskal, Hancitor and a side of Ransomware}},
date = {2021-01-10},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618},
language = {English},
urldate = {2021-01-11}
}
MAN1, Moskal, Hancitor and a side of Ransomware Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware |
2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr @online{mcgarr:20210109:malware:dde1353,
author = {Connor McGarr},
title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}},
date = {2021-01-09},
organization = {Connor McGarr's Blog},
url = {https://connormcgarr.github.io/thread-hijacking/},
language = {English},
urldate = {2021-01-11}
}
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking Cobalt Strike |
2021-01-07 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210107:aversary:9771829,
author = {Insikt Group®},
title = {{Aversary Infrastructure Report 2020: A Defender's View}},
date = {2021-01-07},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf},
language = {English},
urldate = {2021-01-11}
}
Aversary Infrastructure Report 2020: A Defender's View Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-06 ⋅ Red Canary ⋅ Tony Lambert @online{lambert:20210106:hunting:272410b,
author = {Tony Lambert},
title = {{Hunting for GetSystem in offensive security tools}},
date = {2021-01-06},
organization = {Red Canary},
url = {https://redcanary.com/blog/getsystem-offsec/},
language = {English},
urldate = {2021-01-11}
}
Hunting for GetSystem in offensive security tools Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20210105:earth:d7bb547,
author = {Trend Micro Research},
title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}},
date = {2021-01-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html},
language = {English},
urldate = {2021-01-10}
}
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration Cobalt Strike |
2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20210104:chinas:9677dc6,
author = {Ionut Ilascu},
title = {{China's APT hackers move to ransomware attacks}},
date = {2021-01-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/},
language = {English},
urldate = {2021-01-11}
}
China's APT hackers move to ransomware attacks Clambling PlugX |
2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag @online{haag:20210104:malleable:ab64356,
author = {Michael Haag},
title = {{Malleable C2 Profiles and You}},
date = {2021-01-04},
organization = {Medium haggis-m},
url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929},
language = {English},
urldate = {2021-01-05}
}
Malleable C2 Profiles and You Cobalt Strike |
2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck @online{grimminck:20201226:spoofing:a0a5622,
author = {Stefan Grimminck},
title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}},
date = {2020-12-26},
organization = {Medium grimminck},
url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b},
language = {English},
urldate = {2021-01-01}
}
Spoofing JARM signatures. I am the Cobalt Strike server now! Cobalt Strike |
2020-12-26 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV @online{cybermasterv:20201226:analyzing:b94f52e,
author = {CyberMasterV},
title = {{Analyzing APT19 malware using a step-by-step method}},
date = {2020-12-26},
organization = {CYBER GEEKS All Things Infosec},
url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/},
language = {English},
urldate = {2021-01-01}
}
Analyzing APT19 malware using a step-by-step method Derusbi |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek @online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak Cobalt Strike Ryuk |
2020-12-21 ⋅ Fortinet ⋅ Udi Yavo @online{yavo:20201221:what:716b31d,
author = {Udi Yavo},
title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}},
date = {2020-12-21},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack},
language = {English},
urldate = {2021-01-18}
}
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack Cobalt Strike SUNBURST TEARDROP |
2020-12-20 ⋅ Randhome ⋅ Etienne Maynier @online{maynier:20201220:analyzing:3e15960,
author = {Etienne Maynier},
title = {{Analyzing Cobalt Strike for Fun and Profit}},
date = {2020-12-20},
organization = {Randhome},
url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/},
language = {English},
urldate = {2020-12-23}
}
Analyzing Cobalt Strike for Fun and Profit Cobalt Strike |
2020-12-18 ⋅ Seqrite ⋅ Pavankumar Chaudhari @online{chaudhari:20201218:rat:50074a2,
author = {Pavankumar Chaudhari},
title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}},
date = {2020-12-18},
organization = {Seqrite},
url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/},
language = {English},
urldate = {2020-12-18}
}
RAT used by Chinese cyberspies infiltrating Indian businesses Ghost RAT |
2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team @online{team:20201215:solarwindsthreathunt:4357421,
author = {Sophos Cyber Security Team},
title = {{solarwinds-threathunt}},
date = {2020-12-15},
organization = {Github (sophos-cybersecurity)},
url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt},
language = {English},
urldate = {2020-12-15}
}
solarwinds-threathunt Cobalt Strike SUNBURST |
2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20201215:tactics:bba1b4f,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}},
date = {2020-12-15},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach},
language = {English},
urldate = {2020-12-17}
}
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach Cobalt Strike SUNBURST |
2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20201214:threat:032b92d,
author = {Unit 42},
title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}},
date = {2020-12-14},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: SolarStorm and SUNBURST Customer Coverage Cobalt Strike SUNBURST |
2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team @online{team:20201211:mountlocker:9c495cb,
author = {BlackBerry Research and Intelligence team},
title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}},
date = {2020-12-11},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates},
language = {English},
urldate = {2020-12-14}
}
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates Cobalt Strike Mount Locker |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20201210:operation:0eecfc8,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/},
language = {English},
urldate = {2020-12-10}
}
Operation StealthyTrident: corporate software under attack HyperBro PlugX ShadowPad Tmanger |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42 @online{unit42:20201210:threat:6ac31af,
author = {Unit42},
title = {{Threat Brief: FireEye Red Team Tool Breach}},
date = {2020-12-10},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: FireEye Red Team Tool Breach Cobalt Strike |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern @online{camastra:20201209:targeting:952844f,
author = {Luigino Camastra and Igor Morgenstern},
title = {{APT Group Targeting Governmental Agencies in East Asia}},
date = {2020-12-09},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/},
language = {English},
urldate = {2021-01-27}
}
APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX Tmanger |
2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20201209:recent:0992506,
author = {Brad Duncan},
title = {{Recent Qakbot (Qbot) activity}},
date = {2020-12-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/26862},
language = {English},
urldate = {2020-12-10}
}
Recent Qakbot (Qbot) activity Cobalt Strike QakBot |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201208:red:8ccdfcf,
author = {Raphael Mudge},
title = {{A Red Teamer Plays with JARM}},
date = {2020-12-08},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/},
language = {English},
urldate = {2021-01-11}
}
A Red Teamer Plays with JARM Cobalt Strike |
2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary) @online{redcanary:20201202:increased:5db5dce,
author = {twitter (@redcanary)},
title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}},
date = {2020-12-02},
organization = {Red Canary},
url = {https://twitter.com/redcanary/status/1334224861628039169},
language = {English},
urldate = {2020-12-08}
}
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike Egregor QakBot |
2020-12-01 ⋅ 360.cn ⋅ jindanlong @online{jindanlong:20201201:hunting:b9e2674,
author = {jindanlong},
title = {{Hunting Beacons}},
date = {2020-12-01},
organization = {360.cn},
url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950},
language = {English},
urldate = {2021-01-10}
}
Hunting Beacons Cobalt Strike |
2020-12-01 ⋅ mez0.cc ⋅ mez0 @online{mez0:20201201:cobalt:38336ed,
author = {mez0},
title = {{Cobalt Strike PowerShell Execution}},
date = {2020-12-01},
organization = {mez0.cc},
url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/},
language = {English},
urldate = {2020-12-14}
}
Cobalt Strike PowerShell Execution Cobalt Strike |
2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20201130:threat:2633df5,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}},
date = {2020-11-30},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/},
language = {English},
urldate = {2020-12-01}
}
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them Cobalt Strike |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi @online{takeuchi:20201127:analyzing:4089f84,
author = {Hiroshi Takeuchi},
title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}},
date = {2020-11-27},
organization = {Macnica},
url = {https://blog.macnica.net/blog/2020/11/dtrack.html},
language = {Japanese},
urldate = {2020-12-08}
}
Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack |
2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov @online{goydenko:20201127:investigation:7d12cee,
author = {Denis Goydenko and Alexey Vishnyakov},
title = {{Investigation with a twist: an accidental APT attack and averted data destruction}},
date = {2020-11-27},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/},
language = {English},
urldate = {2020-12-01}
}
Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz LuckyMouse |
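2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus @online{rochberger:20201126:cybereason:8301aeb,
author = {Lior Rochberger and {Cybereason Nocturnus}},
title = {{Cybereason vs. Egregor Ransomware}},
date = {2020-11-26},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware},
language = {English},
urldate = {2020-12-08}
}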
Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot |
2020-11-25 ⋅ SentinelOne ⋅ Jim Walter @online{walter:20201125:egregor:5727f7a,
author = {Jim Walter},
title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}},
date = {2020-11-25},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/},
language = {English},
urldate = {2020-12-08}
}
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone Cobalt Strike Egregor |
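2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20201123:ta416:60e8b7e,
author = {{Proofpoint Threat Research Team}},
title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}},
date = {2020-11-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader},
language = {English},
urldate = {2020-11-25}
}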
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader PlugX |
2020-11-20 ⋅ 360 netlab ⋅ JiaYu @online{jiayu:20201120:blackrota:ee43da1,
author = {JiaYu},
title = {{Blackrota, a highly obfuscated backdoor developed by Go}},
date = {2020-11-20},
organization = {360 netlab},
url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/},
language = {Chinese},
urldate = {2020-11-23}
}
Blackrota, a highly obfuscated backdoor developed by Go Cobalt Strike |
2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani @online{ancarani:20201120:detecting:79afa40,
author = {Riccardo Ancarani},
title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}},
date = {2020-11-20},
organization = {F-Secure Labs},
url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis},
language = {English},
urldate = {2020-11-23}
}
Detecting Cobalt Strike Default Modules via Named Pipe Analysis Cobalt Strike |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison @online{camba:20201120:weaponizing:e15699d,
author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison},
title = {{Weaponizing Open Source Software for Targeted Attacks}},
date = {2020-11-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html},
language = {English},
urldate = {2020-11-23}
}
Weaponizing Open Source Software for Targeted Attacks LaZagne Defray PlugX |
2020-11-17 ⋅ cyble ⋅ Cyble @online{cyble:20201117:oceanlotus:d33eb97,
author = {Cyble},
title = {{OceanLotus Continues With Its Cyber Espionage Operations}},
date = {2020-11-17},
organization = {cyble},
url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/},
language = {English},
urldate = {2020-11-18}
}
OceanLotus Continues With Its Cyber Espionage Operations Cobalt Strike Meterpreter |
2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse @online{althouse:20201117:easily:172bd6d,
author = {John Althouse},
title = {{Easily Identify Malicious Servers on the Internet with JARM}},
date = {2020-11-17},
organization = {Salesforce Engineering},
url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
language = {English},
urldate = {2020-12-03}
}
Easily Identify Malicious Servers on the Internet with JARM Cobalt Strike TrickBot |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201106:cobalt:05fe8fc,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}},
date = {2020-11-06},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/},
language = {English},
urldate = {2020-11-09}
}
Cobalt Strike 4.2 – Everything but the kitchen sink Cobalt Strike |
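2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research @online{adair:20201106:oceanlotus:f7b11ac,
author = {Steven Adair and Thomas Lancaster and {Volexity Threat Research}},
title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}},
date = {2020-11-06},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/},
language = {English},
urldate = {2020-11-09}
}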
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Cobalt Strike KerrDown APT32 |
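2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez @online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware ``one'' Group via Cobalt Strike}},
date = {2020-11-06},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
language = {English},
urldate = {2020-11-09}
}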
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike BazarBackdoor Cobalt Strike Ryuk |
2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS @online{tracey:20201106:indicators:1ec9384,
author = {Ryan Tracey and Drew Schmitt and CRYPSIS},
title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}},
date = {2020-11-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/},
language = {English},
urldate = {2020-11-12}
}
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777 Cobalt Strike PyXie RansomEXX |
2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst @online{theanalyst:20201105:zloader:c4bab85,
author = {TheAnalyst},
title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}},
date = {2020-11-05},
organization = {Twitter (@ffforward)},
url = {https://twitter.com/ffforward/status/1324281530026524672},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike Ryuk Zloader |
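2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201105:ryuk:ceaa823,
author = {{The DFIR Report}},
title = {{Ryuk Speed Run, 2 Hours to Ransom}},
date = {2020-11-05},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
language = {English},
urldate = {2020-11-06}
}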
Ryuk Speed Run, 2 Hours to Ransom BazarBackdoor Cobalt Strike Ryuk |
2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos @online{szappanos:20201104:new:66b8447,
author = {Gabor Szappanos},
title = {{A new APT uses DLL side-loads to “KilllSomeOne”}},
date = {2020-11-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/},
language = {English},
urldate = {2020-11-06}
}
A new APT uses DLL side-loads to “KilllSomeOne” PlugX |
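2020-11-04 ⋅ VMware ⋅ Giovanni Vigna @online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMware},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}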
Trick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho @online{marinho:20201103:attackers:9b3762b,
author = {Renato Marinho},
title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}},
date = {2020-11-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/26752},
language = {English},
urldate = {2020-11-06}
}
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike Cobalt Strike |
2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect @online{threatconnect:20201030:unc:b3ae3d0,
author = {ThreatConnect},
title = {{UNC 1878 Indicators from Threatconnect}},
date = {2020-10-30},
organization = {Github (ThreatConnect-Inc)},
url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
language = {English},
urldate = {2020-11-06}
}
UNC 1878 Indicators from Threatconnect BazarBackdoor Cobalt Strike Ryuk |
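2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT @online{csirt:20201029:list:5fb0206,
author = {{Swisscom CSIRT}},
title = {{List of CobaltStrike C2's used by RYUK}},
date = {2020-10-29},
organization = {Github (Swisscom)},
url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt},
language = {English},
urldate = {2020-11-02}
}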
List of CobaltStrike C2's used by RYUK Cobalt Strike |
2020-10-29 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20201029:ryuk:0643968,
author = {RiskIQ},
title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}},
date = {2020-10-29},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/0bcefe76},
language = {English},
urldate = {2020-11-02}
}
Ryuk Ransomware: Extensive Attack Infrastructure Revealed Cobalt Strike Ryuk |
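2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20201029:bazar:1846b93,
author = {{The Red Canary Team}},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}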
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike Ryuk TrickBot |
2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock @online{goody:20201028:unhappy:c0d2e4b,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock},
title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}},
date = {2020-10-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
language = {English},
urldate = {2020-11-02}
}
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser BazarBackdoor Cobalt Strike Ryuk UNC1878 |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon @online{iddon:20201027:mtr:3b62ca9,
author = {Greg Iddon},
title = {{MTR Casebook: An active adversary caught in the act}},
date = {2020-10-27},
organization = {Sophos Managed Threat Response (MTR)},
url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/},
language = {English},
urldate = {2020-11-02}
}
MTR Casebook: An active adversary caught in the act Cobalt Strike |
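2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201018:ryuk:fbaadb8,
author = {{The DFIR Report}},
title = {{Ryuk in 5 Hours}},
date = {2020-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
language = {English},
urldate = {2020-10-19}
}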
Ryuk in 5 Hours BazarBackdoor Cobalt Strike Ryuk |
2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross @online{ginty:20201014:wellmarked:9176303,
author = {Steve Ginty and Jon Gross},
title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}},
date = {2020-10-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/f0320980},
language = {English},
urldate = {2020-10-23}
}
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure Cobalt Strike |
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20201014:theyre:99f5d1e,
author = {Sean Gallagher},
title = {{They’re back: inside a new Ryuk ransomware attack}},
date = {2020-10-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-16}
}
They’re back: inside a new Ryuk ransomware attack Cobalt Strike Ryuk SystemBC |
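2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez @online{marshanski:20201012:front:686add1,
author = {Roman Marshanski and Vitali Kremez},
title = {{``Front Door'' into BazarBackdoor: Stealthy Cybercrime Weapon}},
date = {2020-10-12},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
language = {English},
urldate = {2020-10-13}
}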
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor Cobalt Strike Ryuk |
2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel @online{strangerealintel:20201011:chimera:a423a07,
author = {StrangerealIntel},
title = {{Chimera, APT19 under the radar ?}},
date = {2020-10-11},
organization = {Github (StrangerealIntel)},
url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md},
language = {English},
urldate = {2020-10-15}
}
Chimera, APT19 under the radar ? Cobalt Strike Meterpreter |
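2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201008:ryuks:e47d8fa,
author = {{The DFIR Report}},
title = {{Ryuk’s Return}},
date = {2020-10-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/08/ryuks-return/},
language = {English},
urldate = {2020-10-09}
}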
Ryuk’s Return BazarBackdoor Cobalt Strike Ryuk |
2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen @online{tanriverdi:20201008:there:620f4e7,
author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen},
title = {{There is no safe place}},
date = {2020-10-08},
organization = {Bayerischer Rundfunk},
url = {https://web.br.de/interaktiv/ocean-lotus/en/},
language = {English},
urldate = {2020-10-12}
}
There is no safe place Cobalt Strike |
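2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3) @techreport{hc3:20201002:report:0ca373f,
author = {{Health Sector Cybersecurity Coordination Center (HC3)}},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}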
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-10-01 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20201001:russias:3440982,
author = {Andy Greenberg},
title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}},
date = {2020-10-01},
organization = {Wired},
url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/},
language = {English},
urldate = {2020-10-05}
}
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency Cobalt Strike Meterpreter |
2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller @online{hamdan:20200929:getting:c01923a,
author = {Kareem Hamdan and Lucas Miller},
title = {{Getting the Bacon from the Beacon}},
date = {2020-09-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/},
language = {English},
urldate = {2020-10-05}
}
Getting the Bacon from the Beacon Cobalt Strike |
2020-09-29 ⋅ Github (Apr4h) ⋅ Apra @online{apra:20200929:cobaltstrikescan:ab5f221,
author = {Apra},
title = {{CobaltStrikeScan}},
date = {2020-09-29},
organization = {Github (Apr4h)},
url = {https://github.com/Apr4h/CobaltStrikeScan},
language = {English},
urldate = {2020-10-05}
}
CobaltStrikeScan Cobalt Strike |
2020-09-24 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200924:analysis:e1e4cc0,
author = {US-CERT},
title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}},
date = {2020-09-24},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a},
language = {English},
urldate = {2020-10-13}
}
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor Cobalt Strike Meterpreter |
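2020-09-24 ⋅ Microsoft ⋅ Ben Koehl, Joe Hannon, Microsoft Identity Security Team @online{koehl:20200924:microsoft:adbe527,
author = {Ben Koehl and Joe Hannon and {Microsoft Identity Security Team}},
title = {{Microsoft Security—detecting empires in the cloud}},
date = {2020-09-24},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/},
language = {English},
urldate = {2020-09-24}
}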
Microsoft Security—detecting empires in the cloud CACTUSTORCH LazyCat Leviathan |
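2020-09-23 ⋅ Seqrite ⋅ Kalpesh Mantri, Pawan Chaudhari, Goutam Tripathy @techreport{mantri:20200923:operation:1bb33e6,
author = {Kalpesh Mantri and Pawan Chaudhari and Goutam Tripathy},
title = {{Operation SideCopy: An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for years}},
date = {2020-09-23},
institution = {Seqrite},
url = {https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf},
language = {English},
urldate = {2020-09-25}
}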
Operation SideCopy: An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for years CACTUSTORCH AllaKore |
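2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, Jon Munshaw @techreport{mavis:20200921:art:d9702a4,
author = {Nick Mavis and Joe Marshall and Jon Munshaw},
title = {{The art and science of detecting Cobalt Strike}},
date = {2020-09-21},
institution = {Cisco Talos},
url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf},
language = {English},
urldate = {2020-09-23}
}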
The art and science of detecting Cobalt Strike Cobalt Strike |
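2020-09-18 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20200918:us:7900e6a,
author = {{Trend Micro}},
title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}},
date = {2020-09-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html},
language = {English},
urldate = {2020-09-23}
}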
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks Cobalt Strike ColdLock |
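2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20200918:apt41:363daa8,
author = {{Threat Hunter Team}},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}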
APT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:alert:13d0ab3,
author = {US-CERT},
title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a},
language = {English},
urldate = {2020-09-16}
}
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER Fox Kitten |
2020-09-15 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200915:malware:8345418,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a},
language = {English},
urldate = {2020-09-16}
}
Malware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER |
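2020-09-15 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20200915:back:2c78a6f,
author = {{Insikt Group®}},
title = {{Back Despite Disruption: RedDelta Resumes Operations}},
date = {2020-09-15},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf},
language = {English},
urldate = {2020-09-16}
}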
Back Despite Disruption: RedDelta Resumes Operations PlugX |
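2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20200911:research:edfb074,
author = {{ThreatConnect Research Team}},
title = {{Research Roundup: Activity on Previously Identified APT33 Domains}},
date = {2020-09-11},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/},
language = {English},
urldate = {2020-09-15}
}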
Research Roundup: Activity on Previously Identified APT33 Domains Emotet PlugX APT33 |
2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm @online{vuonglvm:20200903:apt32:02bd8fc,
author = {vuonglvm},
title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}},
date = {2020-09-03},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/},
language = {Vietnamese},
urldate = {2020-09-09}
}
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2) Cobalt Strike |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk |
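2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200831:netwalker:29a1511,
author = {{The DFIR Report}},
title = {{NetWalker Ransomware in 1 Hour}},
date = {2020-08-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/},
language = {English},
urldate = {2020-08-31}
}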
NetWalker Ransomware in 1 Hour Cobalt Strike Mailto MimiKatz |
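2020-08-20 ⋅ Seebug Paper ⋅ Malayke @online{malayke:20200820:use:77d3957,
author = {Malayke},
title = {{Use ZoomEye to track multiple Redteam C\&C post-penetration attack frameworks}},
date = {2020-08-20},
organization = {Seebug Paper},
url = {https://paper.seebug.org/1301/},
language = {Chinese},
urldate = {2020-08-24}
}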
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks Cobalt Strike Empire Downloader PoshC2 |
2020-08-19 ⋅ TEAMT5 ⋅ TeamT5 @online{teamt5:20200819:0819:e955419,
author = {TeamT5},
title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}},
date = {2020-08-19},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
language = {Chinese},
urldate = {2020-08-25}
}
調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike |
2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez @online{kremez:20200814:zloader:cbd9ad5,
author = {Vitali Kremez},
title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}},
date = {2020-08-14},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1294320579311435776},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leading to Cobaltstrike Installation Cobalt Strike Zloader |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang @techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor |
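2020-07-29 ⋅ Recorded Future ⋅ Insikt Group @techreport{group:20200729:chinese:1929fcd,
author = {{Insikt Group}},
title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}},
date = {2020-07-29},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf},
language = {English},
urldate = {2020-07-30}
}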
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations PlugX |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
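2020-07-28 ⋅ NTT ⋅ NTT Security @online{security:20200728:craftypanda:7643b28,
author = {{NTT Security}},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}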
CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX |
2020-07-26 ⋅ Shells.System blog ⋅ Askar @online{askar:20200726:inmemory:5556cad,
author = {Askar},
title = {{In-Memory shellcode decoding to evade AVs/EDRs}},
date = {2020-07-26},
organization = {Shells.System blog},
url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/},
language = {English},
urldate = {2020-07-30}
}
In-Memory shellcode decoding to evade AVs/EDRs Cobalt Strike |
2020-07-22 ⋅ On the Hunt ⋅ Newton Paul @online{paul:20200722:analysing:2de83d7,
author = {Newton Paul},
title = {{Analysing Fileless Malware: Cobalt Strike Beacon}},
date = {2020-07-22},
organization = {On the Hunt},
url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/},
language = {English},
urldate = {2020-07-24}
}
Analysing Fileless Malware: Cobalt Strike Beacon Cobalt Strike |
2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200721:chinese:da6a239,
author = {Hossein Jazi and Jérôme Segura},
title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}},
date = {2020-07-21},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/},
language = {English},
urldate = {2020-07-22}
}
Chinese APT group targets India and Hong Kong using new variant of MgBot malware KSREMOTE Cobalt Strike MgBot |
2020-07-20 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20200720:study:442ba99,
author = {Dr.Web},
title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}},
date = {2020-07-20},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf},
language = {English},
urldate = {2020-10-02}
}
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan Microcin Mirage PlugX WhiteBird |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon @online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200715:chinese:0ff06bd,
author = {Catalin Cimpanu},
title = {{Chinese state hackers target Hong Kong Catholic Church}},
date = {2020-07-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/},
language = {English},
urldate = {2020-07-30}
}
Chinese state hackers target Hong Kong Catholic Church PlugX |
2020-07-10 ⋅ ByteAtlas ⋅ Daniel Plohmann @online{plohmann:20200710:knowledge:358aef1,
author = {Daniel Plohmann},
title = {{Knowledge Fragment: Casting Sandbox Necromancy on DADSTACHE}},
date = {2020-07-10},
organization = {ByteAtlas},
url = {https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html},
language = {English},
urldate = {2020-07-11}
}
Knowledge Fragment: Casting Sandbox Necromancy on DADSTACHE DADSTACHE |
2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo @online{bao:20200707:cobalt:cf80aa8,
author = {Ladislav Bačo},
title = {{Cobalt Strike stagers used by FIN6}},
date = {2020-07-07},
organization = {MWLab},
url = {https://malwarelab.eu/posts/fin6-cobalt-strike/},
language = {English},
urldate = {2020-07-11}
}
Cobalt Strike stagers used by FIN6 Cobalt Strike |
2020-06-25 ⋅ Elastic ⋅ Samir Bousseaden, Daniel Stepanic @online{bousseaden:20200625:close:be8a8b2,
author = {Samir Bousseaden and Daniel Stepanic},
title = {{A close look at the advanced techniques used in a Malaysian-focused APT campaign}},
date = {2020-06-25},
organization = {Elastic},
url = {https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign},
language = {English},
urldate = {2020-06-25}
}
A close look at the advanced techniques used in a Malaysian-focused APT campaign DADSTACHE Leviathan |
2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee @online{pantazopoulos:20200623:wastedlocker:112d6b3,
author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee},
title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}},
date = {2020-06-23},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/},
language = {English},
urldate = {2020-06-23}
}
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike ISFB WastedLocker |
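2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200623:sodinokibi:7eff193,
author = {{Critical Attack Discovery and Intelligence Team}},
title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}},
date = {2020-06-23},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos},
language = {English},
urldate = {2020-06-23}
}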
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil |
2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra @online{malhotra:20200622:indigodrop:6d5e7e1,
author = {Asheer Malhotra},
title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}},
date = {2020-06-22},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html},
language = {English},
urldate = {2020-06-24}
}
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike Cobalt Strike IndigoDrop |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves @online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server Cobalt Strike TrickBot |
2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil @online{singh:20200619:targeted:05d8d31,
author = {Atinderpal Singh and Nirmal Singh and Sahil Antil},
title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}},
date = {2020-06-19},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims},
language = {English},
urldate = {2020-06-21}
}
Targeted Attack Leverages India-China Border Dispute to Lure Victims Cobalt Strike |
2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge @online{mudge:20200619:beacon:bc8ae77,
author = {Raphael Mudge},
title = {{Beacon Object Files - Luser Demo}},
date = {2020-06-19},
organization = {Youtube (Raphael Mudge)},
url = {https://www.youtube.com/watch?v=gfYswA_Ronw},
language = {English},
urldate = {2020-06-23}
}
Beacon Object Files - Luser Demo Cobalt Strike |
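2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC) @techreport{acsc:20200618:advisory:ed0f53c,
author = {{Australian Cyber Security Centre (ACSC)}},
title = {{Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks}},
date = {2020-06-18},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf},
language = {English},
urldate = {2020-06-19}
}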
Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader |
2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200617:multistage:6358f3f,
author = {Hossein Jazi and Jérôme Segura},
title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}},
date = {2020-06-17},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/},
language = {English},
urldate = {2020-06-19}
}
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature Cobalt Strike |
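2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group @online{group:20200615:striking:8fdf4bb,
author = {{Exploit Development Group}},
title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}},
date = {2020-06-15},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/},
language = {English},
urldate = {2020-06-16}
}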
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability Cobalt Strike |
2020-06-14 ⋅ BushidoToken ⋅ BushidoToken @online{bushidotoken:20200614:deepdive:3a375ca,
author = {BushidoToken},
title = {{Deep-dive: The DarkHotel APT}},
date = {2020-06-14},
organization = {BushidoToken},
url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html},
language = {English},
urldate = {2020-06-16}
}
Deep-dive: The DarkHotel APT Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode) |
2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal @online{kristal:20200609:cobaltstrikeparser:a023ac8,
author = {Gal Kristal},
title = {{CobaltStrikeParser}},
date = {2020-06-09},
organization = {Github (Sentinel-One)},
url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py},
language = {English},
urldate = {2020-09-15}
}
CobaltStrikeParser Cobalt Strike |
2020-06-05 ⋅ Prevailion ⋅ Danny Adamitis @online{adamitis:20200605:gh0st:849c227,
author = {Danny Adamitis},
title = {{The Gh0st Remains the Same}},
date = {2020-06-05},
organization = {Prevailion},
url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html},
language = {English},
urldate = {2020-06-08}
}
The Gh0st Remains the Same Ghost RAT |
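2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20200604:covid19:45fa7ba,
author = {{PT ESC Threat Intelligence}},
title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}},
date = {2020-06-04},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/},
language = {English},
urldate = {2020-06-05}
}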
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group Ghost RAT |
2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola @online{great:20200603:cycldek:ed9a830,
author = {GReAT and Mark Lechtik and Giampaolo Dedola},
title = {{Cycldek: Bridging the (air) gap}},
date = {2020-06-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
language = {English},
urldate = {2020-06-03}
}
Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit Hellsing |
2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200602:mustang:2cf125a,
author = {Jagaimo Kawaii},
title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}},
date = {2020-06-02},
organization = {Lab52},
url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/},
language = {English},
urldate = {2020-06-03}
}
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers PlugX |
2020-05-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka @online{amawaka:20200520:what:e02d9a4,
author = {Asuna Amawaka},
title = {{What happened between the BigBadWolf and the Tiger?}},
date = {2020-05-20},
organization = {Medium Asuna Amawaka},
url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2},
language = {English},
urldate = {2021-02-18}
}
What happened between the BigBadWolf and the Tiger? Ghost RAT |
2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller @online{miller:20200515:sogu:cc5a1fc,
author = {Steve Miller},
title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}},
date = {2020-05-15},
organization = {Twitter (@stvemillertime)},
url = {https://twitter.com/stvemillertime/status/1261263000960450562},
language = {English},
urldate = {2020-05-18}
}
Tweet on SOGU development timeline, including TIGERPLUG IOCs PlugX |
2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal @online{kristal:20200511:anatomy:4ece947,
author = {Gal Kristal},
title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}},
date = {2020-05-11},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/},
language = {English},
urldate = {2020-05-13}
}
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration Cobalt Strike |
2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat @online{cyberthreat:20200501:chin:3a4fb89,
author = {Cyberthreat},
title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}},
date = {2020-05-01},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/},
language = {Vietnamese},
urldate = {2020-09-09}
}
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1) NewCore RAT PlugX |
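2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200424:ursnif:e983798,
author = {{The DFIR Report}},
title = {{Ursnif via LOLbins}},
date = {2020-04-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/},
language = {English},
urldate = {2020-05-15}
}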
Ursnif via LOLbins Cobalt Strike LOLSnif |
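2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp @online{corp:20200416:taiwan:3029f53,
author = {{CyCraft Technology Corp}},
title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}},
date = {2020-04-16},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730},
language = {English},
urldate = {2020-11-04}
}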
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures Cobalt Strike MimiKatz Operation Skeleton Key |
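2020-04-07 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20200407:decade:6441e18,
author = {{Blackberry Research}},
title = {{Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android}},
date = {2020-04-07},
institution = {Blackberry},
url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf},
language = {English},
urldate = {2020-08-10}
}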
Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android Penquin Turla XOR DDoS ZXShell |
2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer @online{heinemeyer:20200402:catching:b7f137d,
author = {Max Heinemeyer},
title = {{Catching APT41 exploiting a zero-day vulnerability}},
date = {2020-04-02},
organization = {Darktrace},
url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/},
language = {English},
urldate = {2020-04-13}
}
Catching APT41 exploiting a zero-day vulnerability Cobalt Strike |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight @online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-03-25 ⋅ Wilbur Security ⋅ JW @online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours Cobalt Strike Ryuk TrickBot |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller @online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits Speculoos Cobalt Strike |
2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch @online{klopsch:20200322:mustang:56f3768,
author = {Andreas Klopsch},
title = {{Mustang Panda joins the COVID-19 bandwagon}},
date = {2020-03-22},
organization = {Malware and Stuff},
url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/},
language = {English},
urldate = {2020-03-27}
}
Mustang Panda joins the COVID-19 bandwagon Cobalt Strike |
2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten @online{rusten:20200320:analysis:f82a963,
author = {Luke Rusten},
title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}},
date = {2020-03-20},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/},
language = {English},
urldate = {2020-06-22}
}
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41) Cobalt Strike |
2020-03-19 ⋅ VinCSS ⋅ m4n0w4r @online{m4n0w4r:20200319:phn:461fca7,
author = {m4n0w4r},
title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}},
date = {2020-03-19},
organization = {VinCSS},
url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html},
language = {Vietnamese},
urldate = {2020-03-19}
}
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2 PlugX |
2020-03-15 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka @online{amawaka:20200315:dad:5cad035,
author = {Asuna Amawaka},
title = {{Dad! There’s A Rat In Here!}},
date = {2020-03-15},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a},
language = {English},
urldate = {2020-04-16}
}
Dad! There’s A Rat In Here! DADSTACHE |
2020-03-10 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka @online{amawaka:20200310:apt40:2199052,
author = {Asuna Amawaka},
title = {{APT40 goes from Template Injections to OLE-Linkings for payload delivery}},
date = {2020-03-10},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97},
language = {English},
urldate = {2020-04-16}
}
APT40 goes from Template Injections to OLE-Linkings for payload delivery DADSTACHE |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20200304:cobalt:176b61e,
author = {Raphael Mudge},
title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}},
date = {2020-03-04},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/},
language = {English},
urldate = {2020-03-04}
}
Cobalt Strike joins Core Impact at HelpSystems, LLC Cobalt Strike |
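2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0,
author = {{PWC UK}},
title = {{Cyber Threats 2019: A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}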
Cyber Threats 2019: A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe @online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy |
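2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200228:cyber:bd780cd,
author = {{PWC UK}},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-02}
}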
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare |
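2021-02-28 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20200228:chinalinked:2fb1230,
author = {{Insikt Group®}},
title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf},
language = {English},
urldate = {2021-03-02}
}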
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions Icefog PlugX ShadowPad |
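2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328,
author = {{ADEO DFIR}},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}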
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-19 ⋅ FireEye ⋅ FireEye @online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020 Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild Cobalt Strike GRUNT MimiKatz |
2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen @online{chen:20200217:clambling:1a0bb8e,
author = {Theo Chen and Zero Chen},
title = {{CLAMBLING - A New Backdoor Base On Dropbox}},
date = {2020-02-17},
organization = {Talent-Jump Technologies},
url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/},
language = {English},
urldate = {2020-03-30}
}
CLAMBLING - A New Backdoor Base On Dropbox HyperBro PlugX |
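2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333,
author = {{Qi Anxin Threat Intelligence Center}},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}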
APT Report 2019 Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-02-08 ⋅ MyCERT ⋅ MyCERT @online{mycert:20200208:ma774022020:4b7fd13,
author = {MyCERT},
title = {{MA-774.022020: MyCERT Advisory - Espionage Campaign Based On Technical Indicators}},
date = {2020-02-08},
organization = {MyCERT},
url = {https://www.mycert.org.my/portal/advisory?id=MA-774.022020},
language = {English},
urldate = {2020-08-17}
}
MA-774.022020: MyCERT Advisory - Espionage Campaign Based On Technical Indicators Leviathan |
2020-02-07 ⋅ Medium Sebdraven ⋅ Sébastien Larinier @online{larinier:20200207:40:9415c5c,
author = {Sébastien Larinier},
title = {{APT 40 in Malaysia}},
date = {2020-02-07},
organization = {Medium Sebdraven},
url = {https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9},
language = {English},
urldate = {2020-02-09}
}
APT 40 in Malaysia DADJOKE |
2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard @online{hamzeloofard:20200131:new:5d058ea,
author = {Shahab Hamzeloofard},
title = {{New wave of PlugX targets Hong Kong}},
date = {2020-01-31},
organization = {Avira},
url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/},
language = {English},
urldate = {2020-02-10}
}
New wave of PlugX targets Hong Kong PlugX |
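2020-01-29 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20200129:overhead:ec0aeb5,
author = {nao\_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao\_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}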
An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020-01-15 ⋅ Intrusiontruth ⋅ Intrusiontruth @online{intrusiontruth:20200115:hainan:093f6f2,
author = {Intrusiontruth},
title = {{Hainan Xiandun Technology Company is APT40}},
date = {2020-01-15},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40},
language = {English},
urldate = {2020-04-16}
}
Hainan Xiandun Technology Company is APT40 Leviathan |
2020-01-14 ⋅ Intrusiontruth ⋅ Intrusiontruth @online{intrusiontruth:20200114:who:a06a6c3,
author = {Intrusiontruth},
title = {{Who is Mr Ding?}},
date = {2020-01-14},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding},
language = {English},
urldate = {2020-04-16}
}
Who is Mr Ding? Leviathan |
2020-01-13 ⋅ Intrusiontruth ⋅ Intrusiontruth @online{intrusiontruth:20200113:who:e54190c,
author = {Intrusiontruth},
title = {{Who else works for this cover company network?}},
date = {2020-01-13},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network},
language = {English},
urldate = {2020-04-16}
}
Who else works for this cover company network? Leviathan |
2020-01-13 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200113:apt27:4c2f818,
author = {Jagaimo Kawaii},
title = {{APT27 ZxShell RootKit module updates}},
date = {2020-01-13},
organization = {Lab52},
url = {https://lab52.io/blog/apt27-rootkit-updates/},
language = {English},
urldate = {2020-01-13}
}
APT27 ZxShell RootKit module updates ZXShell |
2020-01-10 ⋅ Intrusiontruth ⋅ Intrusiontruth @online{intrusiontruth:20200110:who:32afb65,
author = {Intrusiontruth},
title = {{Who is Mr Gu?}},
date = {2020-01-10},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu},
language = {English},
urldate = {2020-04-16}
}
Who is Mr Gu? Leviathan |
2020-01-09 ⋅ Intrusiontruth ⋅ Intrusiontruth @online{intrusiontruth:20200109:what:bc9bc31,
author = {Intrusiontruth},
title = {{What is the Hainan Xiandun Technology Development Company?}},
date = {2020-01-09},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company},
language = {English},
urldate = {2020-04-16}
}
What is the Hainan Xiandun Technology Development Company? Leviathan |
2020-01-03 ⋅ Youtube (BSides Belfast) ⋅ Brian Bartholomew @online{bartholomew:20200103:nice:ddc5c57,
author = {Brian Bartholomew},
title = {{Nice One, Dad: Dissecting A Rare Malware Used By Leviathan}},
date = {2020-01-03},
organization = {Youtube (BSides Belfast)},
url = {https://www.youtube.com/watch?v=vx9IB88wXSE},
language = {English},
urldate = {2020-01-13}
}
Nice One, Dad: Dissecting A Rare Malware Used By Leviathan DADJOKE |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dcdc02a,
author = {SecureWorks},
title = {{BRONZE FLEETWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood},
language = {English},
urldate = {2020-05-23}
}
BRONZE FLEETWOOD Binanen Ghost RAT OrcaRAT APT5 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:41a0bc0,
author = {SecureWorks},
title = {{BRONZE EDISON}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-edison},
language = {English},
urldate = {2020-05-23}
}
BRONZE EDISON Ghost RAT sykipot Maverick Panda Samurai Panda |
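2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}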
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:472aea8,
author = {SecureWorks},
title = {{BRONZE OLIVE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-olive},
language = {English},
urldate = {2020-05-23}
}
BRONZE OLIVE ANGRYREBEL PlugX APT 22 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:79d8dd2,
author = {SecureWorks},
title = {{BRONZE OVERBROOK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook},
language = {English},
urldate = {2020-05-23}
}
BRONZE OVERBROOK Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dc58892,
author = {SecureWorks},
title = {{BRONZE GLOBE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-globe},
language = {English},
urldate = {2020-05-23}
}
BRONZE GLOBE EtumBot Ghost RAT IXESHE |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:f48e53c,
author = {SecureWorks},
title = {{BRONZE WOODLAND}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland},
language = {English},
urldate = {2020-05-23}
}
BRONZE WOODLAND PlugX Zeus Roaming Tiger |
2020-01 ⋅ Dragos ⋅ Joe Slowik @techreport{slowik:202001:threat:d891011,
author = {Joe Slowik},
title = {{Threat Intelligence and the Limits of Malware Analysis}},
date = {2020-01},
institution = {Dragos},
url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf},
language = {English},
urldate = {2020-06-10}
}
Threat Intelligence and the Limits of Malware Analysis Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:8050e44,
author = {SecureWorks},
title = {{GOLD DUPONT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-dupont},
language = {English},
urldate = {2020-05-23}
}
GOLD DUPONT Cobalt Strike Defray PyXie |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:97e5784,
author = {SecureWorks},
title = {{GOLD NIAGARA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-niagara},
language = {English},
urldate = {2020-05-23}
}
GOLD NIAGARA Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak |
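2019-12-29 ⋅ Secureworks ⋅ CTU Research Team @online{team:20191229:bronze:bda6bfc,
author = {{CTU Research Team}},
title = {{BRONZE PRESIDENT Targets NGOs}},
date = {2019-12-29},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-president-targets-ngos},
language = {English},
urldate = {2020-01-10}
}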
BRONZE PRESIDENT Targets NGOs PlugX BRONZE PRESIDENT |
2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison @online{millerosborn:20191217:rancor:998fe1c,
author = {Jen Miller-Osborn and Mike Harbison},
title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}},
date = {2019-12-17},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/},
language = {English},
urldate = {2020-01-08}
}
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia DDKONG Derusbi KHRAT |
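2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center @online{center:20191212:gallium:79f6460,
author = {{Microsoft Threat Intelligence Center}},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2020-01-07}
}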
GALLIUM: Targeting global telecom Ghost RAT HTran GALLIUM |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird @techreport{blackorbird:20191205:apt32:0afe4e7,
author = {blackorbird},
title = {{APT32 Report}},
date = {2019-12-05},
institution = {Github (blackorbird)},
url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf},
language = {Japanese},
urldate = {2020-01-10}
}
APT32 Report Cobalt Strike |
2019-12-05 ⋅ Raphael Mudge @online{mudge:20191205:cobalt:219044e,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}},
date = {2019-12-05},
url = {https://blog.cobaltstrike.com/},
language = {English},
urldate = {2019-12-06}
}
Cobalt Strike 4.0 – Bring Your Own Weaponization Cobalt Strike |
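2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen @techreport{thomasen:20191129:cyber:1aae987,
author = {Thomas Thomasen},
title = {{Cyber Threat Intelligence \& Incident Response}},
date = {2019-11-29},
institution = {Deloitte},
url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf},
language = {English},
urldate = {2020-03-04}
}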
Cyber Threat Intelligence & Incident Response Cobalt Strike |
2019-11-28 ⋅ Twitter (@cyb3rops) ⋅ Florian Roth @online{roth:20191128:signature:1d30657,
author = {Florian Roth},
title = {{Tweet on Signature Writing for DADJOKE}},
date = {2019-11-28},
organization = {Twitter (@cyb3rops)},
url = {https://twitter.com/cyb3rops/status/1199978327697694720},
language = {English},
urldate = {2020-01-09}
}
Tweet on Signature Writing for DADJOKE DADSTACHE |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler @online{cutler:20191116:fresh:871567d,
author = {Silas Cutler},
title = {{Fresh PlugX October 2019}},
date = {2019-11-16},
organization = {Silas Cutler's Blog},
url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html},
language = {English},
urldate = {2020-01-07}
}
Fresh PlugX October 2019 PlugX |
2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi @online{tomonaga:20191111:cases:ac5f1b3,
author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi},
title = {{APT cases exploiting vulnerabilities in region‑specific software}},
date = {2019-11-11},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/},
language = {English},
urldate = {2020-05-13}
}
APT cases exploiting vulnerabilities in region‑specific software NodeRAT Emdivi PlugX |
2019-11-05 ⋅ Brian Bartholomew @online{bartholomew:20191105:dadjoke:81e2a63,
author = {Brian Bartholomew},
title = {{DADJOKE}},
date = {2019-11-05},
url = {https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/},
language = {English},
urldate = {2020-01-07}
}
DADJOKE DADJOKE |
2019-11-05 ⋅ tccontre Blog ⋅ tccontre @online{tccontre:20191105:cobaltstrike:02e37af,
author = {tccontre},
title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}},
date = {2019-11-05},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html},
language = {English},
urldate = {2019-12-17}
}
CobaltStrike - beacon.dll : Your No Ordinary MZ Header Cobalt Strike |
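2019-11-04 ⋅ Tencent ⋅ Tencent Security Mikan TIC @online{tic:20191104:attack:33a29db,
author = {{Tencent Security Mikan TIC}},
title = {{APT attack group "Higaisa" attack activity disclosed}},
date = {2019-11-04},
organization = {Tencent},
url = {https://s.tencent.com/research/report/836.html},
language = {Chinese},
urldate = {2020-05-13}
}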
APT attack group "Higaisa" attack activity disclosed Ghost RAT Higaisa |
2019-10-31 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20191031:calypso:adaf761,
author = {PTSecurity},
title = {{Calypso APT: new group attacking state institutions}},
date = {2019-10-31},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/},
language = {English},
urldate = {2020-01-12}
}
Calypso APT: new group attacking state institutions BYEBY FlyingDutchman Hussar PlugX |
2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe @online{hinchliffe:20191003:pkplug:4a43ea5,
author = {Alex Hinchliffe},
title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}},
date = {2019-10-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/},
language = {English},
urldate = {2020-01-07}
}
PKPLUG: Chinese Cyber Espionage Group Attacking Asia HenBox Farseer PlugX |
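2019-09-22 ⋅ Check Point Research ⋅ Check Point Research @online{research:20190922:rancor:e834f67,
author = {{Check Point Research}},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}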
Rancor: The Year of The Phish 8.t Dropper Cobalt Strike |
2019-09-19 ⋅ MeltX0R @online{meltx0r:20190919:emissary:361f1fd,
author = {MeltX0R},
title = {{Emissary Panda APT: Recent infrastructure and RAT analysis}},
date = {2019-09-19},
url = {https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html},
language = {English},
urldate = {2020-01-09}
}
Emissary Panda APT: Recent infrastructure and RAT analysis ZXShell |
2019-09-17 ⋅ Talos ⋅ Christopher Evans, David Liebenberg @online{evans:20190917:cryptocurrency:8f3a9e9,
author = {Christopher Evans and David Liebenberg},
title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}},
date = {2019-09-17},
organization = {Talos},
url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html},
language = {English},
urldate = {2019-10-31}
}
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda” Ghost RAT |
2019-09-02 ⋅ Volexity ⋅ Andrew Case, Matthew Meltzer, Steven Adair @online{case:20190902:digital:0f6cd23,
author = {Andrew Case and Matthew Meltzer and Steven Adair},
title = {{Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs}},
date = {2019-09-02},
organization = {Volexity},
url = {https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/},
language = {English},
urldate = {2019-12-06}
}
Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs scanbox POISON CARP |
2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer @online{rascagnres:20190827:china:2d2bbb8,
author = {Paul Rascagnères and Vanja Svajcer},
title = {{China Chopper still active 9 years later}},
date = {2019-08-27},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html},
language = {English},
urldate = {2019-10-14}
}
China Chopper still active 9 years later CHINACHOPPER |
2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley @online{pennino:20190819:game:b6ef5a0,
author = {Alex Pennino and Matt Bromiley},
title = {{GAME OVER: Detecting and Stopping an APT41 Operation}},
date = {2019-08-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html},
language = {English},
urldate = {2020-01-06}
}
GAME OVER: Detecting and Stopping an APT41 Operation ACEHASH CHINACHOPPER HIGHNOON |
2019-08-13 ⋅ 奇安信威胁情报中心 @online{:20190813::eae3d10,
author = {奇安信威胁情报中心},
title = {{洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露}},
date = {2019-08-13},
url = {https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts},
language = {Chinese},
urldate = {2020-01-13}
}
洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露 DADJOKE |
2019-07-26 ⋅ Twitter (@a_tweeter_user) ⋅ a_tweeter_user @online{atweeteruser:20190726:malware:dce6863,
author = {a_tweeter_user},
title = {{Tweet on Malware}},
date = {2019-07-26},
organization = {Twitter (@a_tweeter_user)},
url = {https://twitter.com/a_tweeter_user/status/1154764787823316993},
language = {English},
urldate = {2020-01-08}
}
Tweet on Malware DADJOKE |
2019-07-24 ⋅ Intrusiontruth ⋅ Intrusiontruth @online{intrusiontruth:20190724:apt17:6b9a666,
author = {Intrusiontruth},
title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}},
date = {2019-07-24},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/},
language = {English},
urldate = {2020-04-21}
}
APT17 is run by the Jinan bureau of the Chinese Ministry of State Security BLACKCOFFEE |
2019-06-04 ⋅ Bitdefender ⋅ Bitdefender @techreport{bitdefender:20190604:blueprint:ce0583c,
author = {Bitdefender},
title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}},
date = {2019-06-04},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf},
language = {English},
urldate = {2019-12-18}
}
An APT Blueprint: Gaining New Visibility into Financial Threats More_eggs Cobalt Strike |
2019-06-03 ⋅ FireEye ⋅ Chi-en Shen @online{shen:20190603:into:d40fee9,
author = {Chi-en Shen},
title = {{Into the Fog - The Return of ICEFOG APT}},
date = {2019-06-03},
organization = {FireEye},
url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt},
language = {English},
urldate = {2020-06-30}
}
Into the Fog - The Return of ICEFOG APT Icefog PlugX Sarhust |
2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster @online{falcone:20190528:emissary:dc0f942,
author = {Robert Falcone and Tom Lancaster},
title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}},
date = {2019-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/},
language = {English},
urldate = {2020-01-09}
}
Emissary Panda Attacks Middle East Government Sharepoint Servers CHINACHOPPER Unidentified 060 |
2019-05-24 ⋅ Fortinet ⋅ Ben Hunter @online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-},
language = {English},
urldate = {2020-11-04}
}
Uncovering new Activity by APT10 PlugX Quasar RAT |
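2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc. @techreport{inc:20190508:2019:3c20a3b,
author = {{Verizon Communications Inc.}},
title = {{2019 Data Breach Investigations Report}},
date = {2019-05-08},
institution = {Verizon Communications Inc.},
url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
language = {English},
urldate = {2020-05-10}
}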
2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam |
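2019-04-30 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:20190430:40:271cc62,
author = {{Cyber Operations Tracker}},
title = {{APT 40}},
date = {2019-04-30},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/apt-40},
language = {English},
urldate = {2020-05-18}
}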
APT 40 Leviathan |
2019-04-25 ⋅ DATANET ⋅ Kim Seon-ae @online{seonae:20190425:chinesebased:fa78904,
author = {Kim Seon-ae},
title = {{Chinese-based hackers attack domestic energy institutions}},
date = {2019-04-25},
organization = {DATANET},
url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346},
language = {Korean},
urldate = {2021-02-09}
}
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
2019-04-24 ⋅ Weixin ⋅ Tencent @online{tencent:20190424:sea:a722d68,
author = {Tencent},
title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}},
date = {2019-04-24},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A},
language = {English},
urldate = {2020-01-13}
}
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed Cobalt Strike SOUNDBITE |
2019-04-22 ⋅ Twitter (@killamjr) ⋅ Suspicious Link @online{link:20190422:dadstache:5444490,
author = {Suspicious Link},
title = {{Tweet on DADSTACHE payload}},
date = {2019-04-22},
organization = {Twitter (@killamjr)},
url = {https://twitter.com/killamjr/status/1204584085395517440},
language = {English},
urldate = {2020-01-06}
}
Tweet on DADSTACHE payload DADSTACHE |
2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines @online{lines:20190415:cobalt:7b3c086,
author = {Neil Lines},
title = {{Cobalt Strike. Walkthrough for Red Teamers}},
date = {2019-04-15},
organization = {PenTestPartners},
url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/},
language = {English},
urldate = {2019-12-17}
}
Cobalt Strike. Walkthrough for Red Teamers Cobalt Strike |
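2019-04-11 ⋅ FireEye ⋅ FireEye @online{fireeye:20190411:mtrend:597b240,
author = {FireEye},
title = {{M-Trends 2019}},
date = {2019-04-11},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019},
language = {English},
urldate = {2020-01-10}
}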
M-Trends 2019 GRILLMARK |
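2019-04 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:201904:oceanlotus:8ceeac3,
author = {{Macnica Networks}},
title = {{OceanLotus Attack on Southeast Asian Automotive Industry}},
date = {2019-04},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpression_automobile.pdf},
language = {Japanese},
urldate = {2021-03-02}
}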
OceanLotus Attack on Southeast Asian Automotive Industry CACTUSTORCH Cobalt Strike |
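2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20190401:trends:cf738dc,
author = {{Macnica Networks}},
title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
date = {2019-04-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
language = {Japanese},
urldate = {2021-03-02}
}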
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
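2019-03-27 ⋅ Twitter (@ClearskySec) ⋅ ClearSky Cyber Security @online{security:20190327:timelines:36e1fb0,
author = {{ClearSky Cyber Security}},
title = {{Tweet on "Timelines - ECRL.docx"}},
date = {2019-03-27},
organization = {Twitter (@ClearskySec)},
url = {https://twitter.com/ClearskySec/status/1110941178231484417},
language = {English},
urldate = {2020-01-08}
}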
Tweet on "Timelines - ECRL.docx" DADJOKE |
2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20190324:jeshell:439ae8b,
author = {Kevin Perlow},
title = {{JEShell: An OceanLotus (APT32) Backdoor}},
date = {2019-03-24},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/},
language = {English},
urldate = {2020-05-19}
}
JEShell: An OceanLotus (APT32) Backdoor Cobalt Strike KerrDown |
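2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team @online{team:20190319:sectorm04:6c6ea37,
author = {{ThreatRecon Team}},
title = {{SectorM04 Targeting Singapore – An Analysis}},
date = {2019-03-19},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/},
language = {English},
urldate = {2020-01-07}
}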
SectorM04 Targeting Singapore – An Analysis PlugX Termite |
2019-03-14 ⋅ Trustwave ⋅ Simon Kenin @online{kenin:20190314:attacker:807e3e6,
author = {Simon Kenin},
title = {{Attacker Tracking Users Seeking Pakistani Passport}},
date = {2019-03-14},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/},
language = {English},
urldate = {2020-10-02}
}
Attacker Tracking Users Seeking Pakistani Passport scanbox |
2019-03-04 ⋅ FireEye ⋅ Fred Plan, Nalani Fraser, Jacqueline O’Leary, Vincent Cannon, Ben Read @online{plan:20190304:apt40:4f394e2,
author = {Fred Plan and Nalani Fraser and Jacqueline O’Leary and Vincent Cannon and Ben Read},
title = {{APT40: Examining a China-Nexus Espionage Actor}},
date = {2019-03-04},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html},
language = {English},
urldate = {2019-12-20}
}
APT40: Examining a China-Nexus Espionage Actor LunchMoney Leviathan |
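2019-02-27 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190227:peek:16c9160,
author = {{CTU Research Team}},
title = {{A Peek into BRONZE UNION’s Toolbox}},
date = {2019-02-27},
organization = {Secureworks},
url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox},
language = {English},
urldate = {2020-01-07}
}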
A Peek into BRONZE UNION’s Toolbox Ghost RAT HyperBro ZXShell |
2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman @online{gorelik:20190227:new:5296a0b,
author = {Michael Gorelik and Alon Groisman},
title = {{New Global Cyber Attack on Point of Sale Sytem}},
date = {2019-02-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems},
language = {English},
urldate = {2020-01-09}
}
New Global Cyber Attack on Point of Sale Sytem Cobalt Strike |
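2019-02-26 ⋅ Fox-IT ⋅ Fox IT @online{it:20190226:identifying:689104d,
author = {{Fox IT}},
title = {{Identifying Cobalt Strike team servers in the wild}},
date = {2019-02-26},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/},
language = {English},
urldate = {2020-10-25}
}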
Identifying Cobalt Strike team servers in the wild Cobalt Strike |
2019-02-26 ⋅ Yoroi ⋅ ZLAB-Yoroi @online{zlabyoroi:20190226:arsenal:ce0227f,
author = {ZLAB-Yoroi},
title = {{The Arsenal Behind the Australian Parliament Hack}},
date = {2019-02-26},
organization = {Yoroi},
url = {https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/},
language = {English},
urldate = {2020-01-13}
}
The Arsenal Behind the Australian Parliament Hack LazyCat powerkatz Unidentified 057 |
2019-02-19 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez @online{perez:20190219:apt40:f6c06bb,
author = {Dan Perez},
title = {{APT40 dropper}},
date = {2019-02-19},
organization = {Twitter (@MrDanPerez)},
url = {https://twitter.com/MrDanPerez/status/1097881406661902337},
language = {English},
urldate = {2019-10-23}
}
APT40 dropper LunchMoney |
2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan @online{sanmillan:20190107:chinaz:50bb5f4,
author = {Ignacio Sanmillan},
title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}},
date = {2019-01-07},
organization = {Intezer},
url = {https://www.intezer.com/blog-chinaz-relations/},
language = {English},
urldate = {2019-11-27}
}
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups Ghost RAT |
2019 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:2019:2019:4e50c97,
author = {CrowdStrike},
title = {{2019 CrowdStrike Global Threat Report}},
date = {2019},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-15}
}
2019 CrowdStrike Global Threat Report Boss Spider Flash Kitten Guru Spider Leviathan Lunar Spider Nomad Panda Pinchy Spider Ratpak Spider Salty Spider Skeleton Spider Tiny Spider |
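2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:5022816,
author = {{MITRE ATT\&CK}},
title = {{Tool description: NanHaiShu}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0228/},
language = {English},
urldate = {2019-12-20}
}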
Tool description: NanHaiShu NanHaiShu |
2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan @techreport{gu:2019:vine:df5dbfb,
author = {Lion Gu and Bowen Pan},
title = {{A vine climbing over the Great Firewall: A long-term attack against China}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf},
language = {English},
urldate = {2020-01-08}
}
A vine climbing over the Great Firewall: A long-term attack against China Poison Ivy ZXShell |
2019 ⋅ CrowdStrike ⋅ CrowdStrike @online{crowdstrike:2019:2019:2c268c8,
author = {CrowdStrike},
title = {{2019 CrowdStrike Global Threat Report}},
date = {2019},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/},
language = {English},
urldate = {2020-07-16}
}
2019 CrowdStrike Global Threat Report Boss Spider Flash Kitten Guru Spider Leviathan Lunar Spider Nomad Panda Pinchy Spider Ratpak Spider Salty Spider Skeleton Spider Tiny Spider |
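2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:ebc79ce,
author = {{MITRE ATT\&CK}},
title = {{Tool description: BLACKCOFFEE}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0069/},
language = {English},
urldate = {2019-12-20}
}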
Tool description: BLACKCOFFEE BLACKCOFFEE |
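2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:tool:fd89dda,
author = {{MITRE ATT\&CK}},
title = {{Tool description: China Chopper}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0020/},
language = {English},
urldate = {2019-12-20}
}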
Tool description: China Chopper CHINACHOPPER |
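2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:leviathan:249223a,
author = {{MITRE ATT\&CK}},
title = {{Group description: Leviathan}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0065/},
language = {English},
urldate = {2019-12-20}
}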
Group description: Leviathan Leviathan |
2018-12-20 ⋅ Codercto ⋅ Codercto @online{codercto:20181220:analysis:60da1aa,
author = {Codercto},
title = {{Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies}},
date = {2018-12-20},
organization = {Codercto},
url = {https://www.codercto.com/a/46729.html},
language = {Chinese},
urldate = {2020-01-07}
}
Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies CACTUSTORCH |
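2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD @techreport{asd:20181214:investigationreport:6eda856,
author = {ASD},
title = {{Investigation report: Compromise of an Australian company via their Managed Service Provider}},
date = {2018-12-14},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf},
language = {English},
urldate = {2020-03-11}
}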
Investigation report: Compromise of an Australian company via their Managed Service Provider PlugX RedLeaves |
2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291,
  author       = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr},
  title        = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}},
  date         = {2018-11-19},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign Cobalt Strike |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe
@online{joe:20181118:cozybear:4801301,
  author       = {Joe},
  title        = {{CozyBear – In from the Cold?}},
  date         = {2018-11-18},
  organization = {Stranded on Pylos Blog},
  url          = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
  language     = {English},
  urldate      = {2020-01-09},
}
CozyBear – In from the Cold? Cobalt Strike APT 29 |
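2018-11-13 ⋅ Recorded Future ⋅ Insikt Group
@online{group:20181113:chinese:6141b55,
  author       = {{Insikt Group}},
  title        = {{Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques}},
  date         = {2018-11-13},
  organization = {Recorded Future},
  url          = {https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/},
  language     = {English},
  urldate      = {2020-01-13},
}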
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques SeDll Leviathan |
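2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20181001:trends:17b1db5,
  author      = {{Macnica Networks}},
  title       = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}},
  date        = {2018-10-01},
  institution = {Macnica Networks},
  url         = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf},
  language    = {Japanese},
  urldate     = {2021-03-02},
}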
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018 Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
2018-10 ⋅ Group-IB ⋅ Group-IB
@techreport{groupib:201810:hitech:420711f,
  author      = {Group-IB},
  title       = {{Hi-Tech Crime Trends 2018}},
  date        = {2018-10},
  institution = {Group-IB},
  url         = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf},
  language    = {English},
  urldate     = {2021-02-09},
}
Hi-Tech Crime Trends 2018 BackSwap Cobalt Strike Cutlet Meterpreter |
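2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888,
  author      = {Regina Elwell and Katie Nickels},
  title       = {{ATT\&CKing FIN7}},
  date        = {2018-10-01},
  institution = {FireEye},
  url         = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
  language    = {English},
  urldate     = {2020-06-25},
}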
ATT&CKing FIN7 Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles
@online{rolles:20180919:hexrays:1afcc0c,
  author       = {Rolf Rolles},
  title        = {{Hex-Rays Microcode API vs. Obfuscating Compiler}},
  date         = {2018-09-19},
  organization = {Möbius Strip Reverse Engineering},
  url          = {http://www.hexblog.com/?p=1248},
  language     = {English},
  urldate      = {2019-10-28},
}
Hex-Rays Microcode API vs. Obfuscating Compiler Ghost RAT |
2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0,
  author       = {Takuya Endo and Yukako Uchida},
  title        = {{Volatility Plugin for Detecting Cobalt Strike Beacon}},
  date         = {2018-08-03},
  organization = {JPCERT/CC},
  url          = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html},
  language     = {English},
  urldate      = {2019-07-11},
}
Volatility Plugin for Detecting Cobalt Strike Beacon Cobalt Strike |
2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9,
  author       = {JPCERT/CC},
  title        = {{Scanner for CobaltStrike}},
  date         = {2018-07-31},
  organization = {Github (JPCERTCC)},
  url          = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py},
  language     = {English},
  urldate      = {2020-01-13},
}
Scanner for CobaltStrike Cobalt Strike |
2018-07-11 ⋅ FireEye ⋅ Scott Henderson, Steve Miller, Dan Perez, Marcin Siedlarz, Ben Wilson, Ben Read
@online{henderson:20180711:chinese:f0f3cbc,
  author       = {Scott Henderson and Steve Miller and Dan Perez and Marcin Siedlarz and Ben Wilson and Ben Read},
  title        = {{Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally}},
  date         = {2018-07-11},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally AIRBREAK Leviathan |
2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5,
  author       = {Yoshihiro Ishikawa},
  title        = {{Confirmed new attacks by APT attacker group menuPass (APT10)}},
  date         = {2018-05-21},
  organization = {LAC},
  url          = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html},
  language     = {Japanese},
  urldate      = {2019-10-27},
}
Confirmed new attacks by APT attacker group menuPass (APT10) Cobalt Strike |
2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180509:malware:3ee8ecf,
  author       = {Luis Rocha},
  title        = {{Malware Analysis - PlugX - Part 2}},
  date         = {2018-05-09},
  organization = {COUNT UPON SECURITY},
  url          = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/},
  language     = {English},
  urldate      = {2020-01-05},
}
Malware Analysis - PlugX - Part 2 PlugX |
2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713,
  author       = {Nikolaos Pantazopoulos},
  title        = {{Decoding network data from a Gh0st RAT variant}},
  date         = {2018-04-17},
  organization = {NCC Group},
  url          = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/},
  language     = {English},
  urldate      = {2019-11-27},
}
Decoding network data from a Gh0st RAT variant Ghost RAT LuckyMouse |
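2018-03-30 ⋅ Kahu Security ⋅ Kahu Security
@online{security:20180330:reflow:7e1ee15,
  author       = {{Kahu Security}},
  title        = {{Reflow JavaScript Backdoor}},
  date         = {2018-03-30},
  organization = {Kahu Security},
  url          = {http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html},
  language     = {English},
  urldate      = {2020-01-07},
}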
Reflow JavaScript Backdoor AIRBREAK |
2018-03-30 ⋅ AmosSys ⋅ Florent Saudel
@online{saudel:20180330:badflick:c531d01,
  author       = {Florent Saudel},
  title        = {{BADFLICK is not so bad!}},
  date         = {2018-03-30},
  organization = {AmosSys},
  url          = {https://blog.amossys.fr/badflick-is-not-so-bad.html},
  language     = {English},
  urldate      = {2020-01-08},
}
BADFLICK is not so bad! badflick |
2018-03-16 ⋅ FireEye ⋅ FireEye
@online{fireeye:20180316:suspected:2a77316,
  author       = {FireEye},
  title        = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}},
  date         = {2018-03-16},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan |
2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
@online{makrushin:20180313:time:7171143,
  author       = {Denis Makrushin and Yury Namestnikov},
  title        = {{Time of death? A therapeutic postmortem of connected medicine}},
  date         = {2018-03-13},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/time-of-death-connected-medicine/84315/},
  language     = {English},
  urldate      = {2019-12-20},
}
Time of death? A therapeutic postmortem of connected medicine PlugX |
2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180204:malware:ea0aede,
  author       = {Luis Rocha},
  title        = {{MALWARE ANALYSIS – PLUGX}},
  date         = {2018-02-04},
  organization = {COUNT UPON SECURITY},
  url          = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/},
  language     = {English},
  urldate      = {2020-01-07},
}
MALWARE ANALYSIS – PLUGX PlugX |
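2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team
@online{team:20180201:operation:e76f179,
  author       = {{Bitdefender Team}},
  title        = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}},
  date         = {2018-02-01},
  organization = {Bitdefender},
  url          = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/},
  language     = {English},
  urldate      = {2020-05-18},
}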
Operation PZCHAO: Inside a highly specialized espionage infrastructure Ghost RAT Emissary Panda |
2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20180104:malspam:ce2dfac,
  author       = {Brad Duncan},
  title        = {{MALSPAM PUSHING PCRAT/GH0ST}},
  date         = {2018-01-04},
  organization = {Malware Traffic Analysis},
  url          = {http://www.malware-traffic-analysis.net/2018/01/04/index.html},
  language     = {English},
  urldate      = {2019-12-24},
}
MALSPAM PUSHING PCRAT/GH0ST Ghost RAT |
2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy
@online{kozy:20171220:end:218a388,
  author       = {Adam Kozy},
  title        = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}},
  date         = {2017-12-20},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/},
  language     = {English},
  urldate      = {2020-05-11},
}
An End to “Smash-and-Grab” and a Move to More Targeted Approaches CHINACHOPPER |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
@online{huss:20171219:north:e5ef6da,
  author       = {Darien Huss},
  title        = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}},
  date         = {2017-12-19},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new},
  language     = {English},
  urldate      = {2019-12-20},
}
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group Ghost RAT |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
@techreport{huss:20171219:north:b2da03e,
  author      = {Darien Huss},
  title       = {{North Korea Bitten by Bitcoin Bug}},
  date        = {2017-12-19},
  institution = {Proofpoint},
  url         = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf},
  language    = {English},
  urldate     = {2019-10-18},
}
North Korea Bitten by Bitcoin Bug QUICKCAFE PowerSpritz Ghost RAT PowerRatankba |
2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20171218:relationship:fb13bae,
  author       = {Yoshihiro Ishikawa},
  title        = {{Relationship between PlugX and attacker group "DragonOK"}},
  date         = {2017-12-18},
  organization = {LAC},
  url          = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html},
  language     = {Japanese},
  urldate      = {2019-11-22},
}
Relationship between PlugX and attacker group "DragonOK" PlugX |
2017-11-16 ⋅ Github (mdsecactivebreach) ⋅ Vincent Yiu
@online{yiu:20171116:cactustorch:be5ebfd,
  author       = {Vincent Yiu},
  title        = {{CACTUSTORCH: Payload Generation for Adversary Simulations}},
  date         = {2017-11-16},
  organization = {Github (mdsecactivebreach)},
  url          = {https://github.com/mdsecactivebreach/CACTUSTORCH},
  language     = {English},
  urldate      = {2020-01-09},
}
CACTUSTORCH: Payload Generation for Adversary Simulations CACTUSTORCH |
2017-10-16 ⋅ Proofpoint ⋅ Axel F, Pierre T
@online{f:20171016:leviathan:a898346,
  author       = {Axel F and Pierre T},
  title        = {{Leviathan: Espionage actor spearphishes maritime and defense targets}},
  date         = {2017-10-16},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets},
  language     = {English},
  urldate      = {2019-12-20},
}
Leviathan: Espionage actor spearphishes maritime and defense targets NanHaiShu SeDll Leviathan |
2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
@online{lancaster:20170627:paranoid:f933eb4,
  author       = {Tom Lancaster and Esmid Idrizovic},
  title        = {{Paranoid PlugX}},
  date         = {2017-06-27},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/},
  language     = {English},
  urldate      = {2019-12-20},
}
Paranoid PlugX PlugX |
2017-06-06 ⋅ FireEye ⋅ Ian Ahl
@online{ahl:20170606:privileges:9598d5f,
  author       = {Ian Ahl},
  title        = {{Privileges and Credentials: Phished at the Request of Counsel}},
  date         = {2017-06-06},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Privileges and Credentials: Phished at the Request of Counsel Cobalt Strike |
2017-04-27 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20170427:alert:fdb865d,
  author       = {US-CERT},
  title        = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}},
  date         = {2017-04-27},
  organization = {US-CERT},
  url          = {https://www.us-cert.gov/ncas/alerts/TA17-117A},
  language     = {English},
  urldate      = {2020-03-11},
}
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors PlugX RedLeaves |
2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123,
  author       = {Shusei Tomonaga},
  title        = {{RedLeaves - Malware Based on Open Source RAT}},
  date         = {2017-04-03},
  organization = {JPCERT/CC},
  url          = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html},
  language     = {English},
  urldate      = {2021-02-04},
}
RedLeaves - Malware Based on Open Source RAT PlugX RedLeaves |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712,
  author      = {PricewaterhouseCoopers},
  title       = {{Operation Cloud Hopper: Technical Annex}},
  date        = {2017-04},
  institution = {PricewaterhouseCoopers},
  url         = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
  language    = {English},
  urldate     = {2019-10-15},
}
Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
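2017-02-25 ⋅ Financial Security Institute ⋅ Kyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12,
  author      = {Kwak (郭炅周), Kyoung-Ju},
  title       = {{Silent RIFLE: Response Against Advanced Threat}},
  date        = {2017-02-25},
  institution = {Financial Security Institute},
  url         = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf},
  language    = {English},
  urldate     = {2020-03-04},
}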
Silent RIFLE: Response Against Advanced Threat Ghost RAT |
2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170221:plugx:f9e4817,
  author       = {Shusei Tomonaga},
  title        = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}},
  date         = {2017-02-21},
  organization = {JPCERT/CC},
  url          = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html},
  language     = {English},
  urldate      = {2020-01-13},
}
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code PlugX |
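2017-02-13 ⋅ RSA ⋅ RSA Research
@techreport{research:20170213:kingslayer:98f4892,
  author      = {{RSA Research}},
  title       = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}},
  date        = {2017-02-13},
  institution = {RSA},
  url         = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf},
  language    = {English},
  urldate     = {2020-01-08},
}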
KINGSLAYER – A SUPPLY CHAIN ATTACK CodeKey PlugX |
2016-10-28 ⋅ Github (smb01) ⋅ smb01
@online{smb01:20161028:zxshell:e4d3a5e,
  author       = {smb01},
  title        = {{zxshell repository}},
  date         = {2016-10-28},
  organization = {Github (smb01)},
  url          = {https://github.com/smb01/zxshell},
  language     = {English},
  urldate      = {2020-01-07},
}
zxshell repository ZXShell |
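2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20161011:odinaff:36b35db,
  author       = {{Symantec Security Response}},
  title        = {{Odinaff: New Trojan used in high level financial attacks}},
  date         = {2016-10-11},
  organization = {Symantec},
  url          = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
  language     = {English},
  urldate      = {2019-12-05},
}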
Odinaff: New Trojan used in high level financial attacks Cobalt Strike KLRD MimiKatz Odinaff Anunak |
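2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20160825:unpacking:66173f5,
  author       = {{Malwarebytes Labs}},
  title        = {{Unpacking the spyware disguised as antivirus}},
  date         = {2016-08-25},
  organization = {Malwarebytes},
  url          = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/},
  language     = {English},
  urldate      = {2019-12-20},
}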
Unpacking the spyware disguised as antivirus PlugX |
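2016-08-05 ⋅ F-Secure ⋅ F-Secure Labs
@techreport{labs:20160805:nanhaishu:cee830d,
  author      = {{F-Secure Labs}},
  title       = {{NANHAISHU: RATing the South China Sea}},
  date        = {2016-08-05},
  institution = {F-Secure},
  url         = {https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf},
  language    = {English},
  urldate     = {2020-01-13},
}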
NANHAISHU: RATing the South China Sea NanHaiShu |
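2016-06-13 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20160613:survey:c78b147,
  author      = {{Macnica Networks}},
  title       = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}},
  date        = {2016-06-13},
  institution = {Macnica Networks},
  url         = {https://www.macnica.net/file/security_report_20160613.pdf},
  language    = {Japanese},
  urldate     = {2021-03-02},
}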
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition Emdivi PlugX |
2016-04-22 ⋅ Cylance ⋅ Isaac Palmer
@online{palmer:20160422:ghost:dda6514,
  author       = {Isaac Palmer},
  title        = {{The Ghost Dragon}},
  date         = {2016-04-22},
  organization = {Cylance},
  url          = {https://blog.cylance.com/the-ghost-dragon},
  language     = {English},
  urldate      = {2020-01-08},
}
The Ghost Dragon Ghost RAT |
2016-03-02 ⋅ RSA Conference ⋅ Vanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3,
  author      = {Vanja Svajcer},
  title       = {{Dissecting Derusbi}},
  date        = {2016-03-02},
  institution = {RSA Conference},
  url         = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf},
  language    = {English},
  urldate     = {2020-02-27},
}
Dissecting Derusbi Derusbi |
2016-01-22 ⋅ RSA Link ⋅ Norton Santos
@online{santos:20160122:plugx:580fcff,
  author       = {Norton Santos},
  title        = {{PlugX APT Malware}},
  date         = {2016-01-22},
  organization = {RSA Link},
  url          = {https://community.rsa.com/thread/185439},
  language     = {English},
  urldate      = {2020-01-13},
}
PlugX APT Malware PlugX |
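2015-12-15 ⋅ Airbus Defence & Space ⋅ Fabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c,
  author       = {Fabien Perigaud},
  title        = {{Newcomers in the Derusbi family}},
  date         = {2015-12-15},
  organization = {Airbus Defence \& Space},
  url          = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family},
  language     = {English},
  urldate      = {2020-02-27},
}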
Newcomers in the Derusbi family Derusbi |
2015-10-08 ⋅ Virus Bulletin ⋅ Micky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d,
  author      = {Micky Pun and Eric Leung and Neo Tan},
  title       = {{Catching the silent whisper: Understanding the Derusbi family tree}},
  date        = {2015-10-08},
  institution = {Virus Bulletin},
  url         = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf},
  language    = {English},
  urldate     = {2020-02-27},
}
Catching the silent whisper: Understanding the Derusbi family tree Derusbi |
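2015-08 ⋅ Arbor Networks ⋅ ASERT Team
@online{team:201508:uncovering:121e5cf,
  author       = {{ASERT Team}},
  title        = {{Uncovering the Seven Pointed Dagger}},
  date         = {2015-08},
  organization = {Arbor Networks},
  url          = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn},
  language     = {English},
  urldate      = {2020-05-18},
}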
Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT Group 27 |
2015-06-24 ⋅ Spiceworks ⋅ Chris Miller
@online{miller:20150624:stealthy:9bceed3,
  author       = {Chris Miller},
  title        = {{Stealthy Cyberespionage Campaign Attacks With Social Engineering}},
  date         = {2015-06-24},
  organization = {Spiceworks},
  url          = {https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering},
  language     = {English},
  urldate      = {2019-12-10},
}
Stealthy Cyberespionage Campaign Attacks With Social Engineering NanHaiShu |
2015-05-18 ⋅ Tetsuji Tanigawa
@online{tanigawa:20150518:tt:4cb29ea,
  author   = {Tetsuji Tanigawa},
  title    = {{TT Malware Log}},
  date     = {2015-05-18},
  url      = {http://malware-log.hatenablog.com/entry/2015/05/18/000000_1},
  language = {Japanese},
  urldate  = {2020-01-08},
}
TT Malware Log BLACKCOFFEE |
2015-05 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:201505:hiding:8695fc2,
  author      = {FireEye},
  title       = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}},
  date        = {2015-05},
  institution = {FireEye},
  url         = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf},
  language    = {English},
  urldate     = {2019-12-19},
}
HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC BLACKCOFFEE |
2015-04-15 ⋅ Kaspersky Labs ⋅ Costin Raiu, Maxim Golovkin
@online{raiu:20150415:chronicles:aa4af84,
  author       = {Costin Raiu and Maxim Golovkin},
  title        = {{The Chronicles of the Hellsing APT: the Empire Strikes Back}},
  date         = {2015-04-15},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/},
  language     = {English},
  urldate      = {2021-02-06},
}
The Chronicles of the Hellsing APT: the Empire Strikes Back GRILLMARK Naikon |
2015-02-27 ⋅ InfoSec Institute ⋅ Ryan Mazerik
@online{mazerik:20150227:scanbox:867abf2,
  author       = {Ryan Mazerik},
  title        = {{ScanBox Framework}},
  date         = {2015-02-27},
  organization = {InfoSec Institute},
  url          = {http://resources.infosecinstitute.com/scanbox-framework/},
  language     = {English},
  urldate      = {2020-01-13},
}
ScanBox Framework scanbox |
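2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20150227:anthem:3576532,
  author       = {{ThreatConnect Research Team}},
  title        = {{The Anthem Hack: All Roads Lead to China}},
  date         = {2015-02-27},
  organization = {ThreatConnect},
  url          = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/},
  language     = {English},
  urldate      = {2020-01-09},
}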
The Anthem Hack: All Roads Lead to China Derusbi |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
  author      = {CrowdStrike},
  title       = {{CrowdStrike Global Threat Intel Report 2014}},
  date        = {2015-02-06},
  institution = {CrowdStrike},
  url         = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
  language    = {English},
  urldate     = {2020-05-11},
}
CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20150129:analysis:0eaad95,
  author       = {Shusei Tomonaga},
  title        = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}},
  date         = {2015-01-29},
  organization = {JPCERT/CC},
  url          = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html},
  language     = {English},
  urldate      = {2020-01-09},
}
Analysis of a Recent PlugX Variant - “P2P PlugX” PlugX |
2014-11 ⋅ Novetta ⋅ Novetta
@techreport{novetta:201411:zoxpng:91e81c6,
  author      = {Novetta},
  title       = {{ZoxPNG Analysis}},
  date        = {2014-11},
  institution = {Novetta},
  url         = {http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf},
  language    = {English},
  urldate     = {2020-05-07},
}
ZoxPNG Analysis BLACKCOFFEE |
2014-10-28 ⋅ Cisco ⋅ Andrea Allievi, Douglas Goddard, Shaun Hurley, Alain Zidouemba
@online{allievi:20141028:threat:a302fbd,
  author       = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba},
  title        = {{Threat Spotlight: Group 72, Opening the ZxShell}},
  date         = {2014-10-28},
  organization = {Cisco},
  url          = {https://blogs.cisco.com/security/talos/opening-zxshell},
  language     = {English},
  urldate      = {2019-10-15},
}
Threat Spotlight: Group 72, Opening the ZxShell ZXShell |
2014-10-28 ⋅ Novetta ⋅ Novetta
@techreport{novetta:20141028:derusbi:aae275a,
  author      = {Novetta},
  title       = {{Derusbi (Server Variant) Analysis}},
  date        = {2014-10-28},
  institution = {Novetta},
  url         = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf},
  language    = {English},
  urldate     = {2020-01-06},
}
Derusbi (Server Variant) Analysis Derusbi |
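2014-08-28 ⋅ AT&T ⋅ Jaime Blasco
@online{blasco:20140828:scanbox:a0cc92a,
  author       = {Jaime Blasco},
  title        = {{Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks}},
  date         = {2014-08-28},
  organization = {AT\&T},
  url          = {https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks},
  language     = {English},
  urldate      = {2019-12-06},
}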
Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks scanbox |
2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos
@techreport{szappanos:20140627:plugx:e63d8bf,
  author      = {Gabor Szappanos},
  title       = {{PlugX - The Next Generation}},
  date        = {2014-06-27},
  institution = {SophosLabs},
  url         = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf},
  language    = {English},
  urldate     = {2020-01-10},
}
PlugX - The Next Generation PlugX |
2014-06-10 ⋅ FireEye ⋅ Mike Scott
@online{scott:20140610:clandestine:6d515ab,
  author       = {Mike Scott},
  title        = {{Clandestine Fox, Part Deux}},
  date         = {2014-06-10},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Clandestine Fox, Part Deux PlugX |
2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud
@online{perigaud:20140106:plugx:16410d7,
  author       = {Fabien Perigaud},
  title        = {{PlugX: some uncovered points}},
  date         = {2014-01-06},
  organization = {Airbus},
  url          = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html},
  language     = {English},
  urldate      = {2020-01-08},
}
PlugX: some uncovered points PlugX |
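2014-01 ⋅ RSA ⋅ RSA Research
@techreport{research:201401:rsa:5fa5815,
  author      = {{RSA Research}},
  title       = {{RSA Incident Response: Emerging Threat Profile Shell\_Crew}},
  date        = {2014-01},
  institution = {RSA},
  url         = {https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf},
  language    = {English},
  urldate     = {2021-01-29},
}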
RSA Incident Response: Emerging Threat Profile Shell_Crew Derusbi |
2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik
@online{ahl:20130807:breaking:aff06e9,
  author       = {Ian Ahl and Tony Lee and Dennis Hanzlik},
  title        = {{Breaking Down the China Chopper Web Shell - Part I}},
  date         = {2013-08-07},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Breaking Down the China Chopper Web Shell - Part I CHINACHOPPER |
2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL
@techreport{circl:20130329:analysis:b3c48b0,
  author      = {CIRCL},
  title       = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}},
  date        = {2013-03-29},
  institution = {Computer Incident Response Center Luxembourg},
  url         = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf},
  language    = {English},
  urldate     = {2019-11-24},
}
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0) PlugX |
2012 ⋅ Norman ASA ⋅ Snorre Fagerland
@techreport{fagerland:2012:many:c938856,
  author      = {Snorre Fagerland},
  title       = {{The many faces of Gh0st Rat}},
  date        = {2012},
  institution = {Norman ASA},
  url         = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf},
  language    = {English},
  urldate     = {2019-12-20},
}
The many faces of Gh0st Rat Ghost RAT |
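2012 ⋅ Cobalt Strike ⋅ Cobalt Strike
@online{strike:2012:cobalt:8522cdd,
  author       = {{Cobalt Strike}},
  title        = {{Cobalt Strike Website}},
  date         = {2012},
  organization = {Cobalt Strike},
  url          = {https://www.cobaltstrike.com/support},
  language     = {English},
  urldate      = {2020-01-13},
}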
Cobalt Strike Website Cobalt Strike |
2011-06-29 ⋅ Symantec ⋅ John McDonald
@online{mcdonald:20110629:inside:b955948,
  author       = {John McDonald},
  title        = {{Inside a Back Door Attack}},
  date         = {2011-06-29},
  organization = {Symantec},
  url          = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack},
  language     = {English},
  urldate      = {2020-04-21},
}
Inside a Back Door Attack Ghost RAT Dust Storm |
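2009-03-28 ⋅ Information Warfare Monitor ⋅ Information Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13,
  author      = {{Information Warfare Monitor}},
  title       = {{Tracking GhostNet: Investigating a Cyber Espionage Network}},
  date        = {2009-03-28},
  institution = {Information Warfare Monitor},
  url         = {http://www.nartv.org/mirror/ghostnet.pdf},
  language    = {English},
  urldate     = {2020-04-23},
}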
Tracking GhostNet: Investigating a Cyber Espionage Network Ghost RAT GhostNet |