SYMBOLCOMMON_NAMEaka. SYNONYMS

APT40  (Back to overview)

aka: ATK29, BRONZE MOHAWK, G0065, GADOLINIUM, Gingham Typhoon, ISLANDDREAMS, ITG09, KRYPTONITE PANDA, Leviathan, MUDCARP, Red Ladon, TA423, TEMP.Jumper, TEMP.Periscope

Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.


Associated Families
js.airbreak js.cactustorch js.nanhaishu js.scanbox win.lazycat win.zxshell win.chinachopper win.badflick win.blackcoffee win.dadjoke win.dadstache win.derusbi win.ghost_rat win.grillmark win.homefry win.lunchmoney win.murkytop win.sedll win.cobalt_strike win.plugx

References
2024-03-01Medium b.magnezi0xMrMagnezi
Malware Analysis - Cobalt Strike
Cobalt Strike
2024-02-21YouTube (SentinelOne)Kris McConkey
LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor
9002 RAT PlugX ShadowPad Spyder
2024-02-09CensysCensys, Embee_research
A Beginners Guide to Tracking Malware Infrastructure
AsyncRAT BianLian Cobalt Strike QakBot
2024-02-08YouTube (Embee Research)Embee_research
Cobalt Strike Decoding and C2 Extraction - 3 Minute Malware Analysis Speedrun
Cobalt Strike
2024-01-25JSAC 2024Yi-Chin Chuang, Yu-Tung Chang
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
PlugX
2024-01-25JSAC 2024Hara Hiroaki, Kawakami Ryonosuke, Shota Nakajima
The Secret Life of RATs: connecting the dots by dissecting multiple backdoors
DracuLoader GroundPeony HemiGate PlugX
2024-01-23CSIRT-CTICSIRT-CTI
Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks
PlugX TONESHELL Unidentified 094
2024-01-13YouTube (Embee Research)Embee_research
Cobalt Strike Shellcode Analysis and C2 Extraction
Cobalt Strike
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2024-01-09Recorded FutureInsikt Group
2023 Adversary Infrastructure Report
AsyncRAT Cobalt Strike Emotet PlugX ShadowPad
2024-01-04NetresecErik Hjelmvik
Hunting for Cobalt Strike in PCAP
Cobalt Strike
2023-12-20Twitter (@embee_research)Embee_research
Defeating Obfuscated Malware Scripts - Cobalt Strike
Cobalt Strike
2023-12-19Twitter (@embee_research)Embee_research
Free Ghidra Tutorials for Beginners
Cobalt Strike DarkGate
2023-12-08Twitter (@embee_research)Embee_research
Ghidra Basics - Manual Shellcode Analysis and C2 Extraction
Cobalt Strike
2023-12-06splunkSplunk Threat Research Team
Unmasking the Enigma: A Historical Dive into the World of PlugX Malware
PlugX
2023-12-04The DFIR ReportThe DFIR Report
SQL Brute Force leads to Bluesky Ransomware
BlueSky Cobalt Strike
2023-11-19Twitter (@embee_research)Embee_research
Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike
Amadey Cobalt Strike RedLine Stealer SmokeLoader
2023-11-14Medium joshuapenny88Joshua Penny
HostingHunter Series: CHANG WAY TECHNOLOGIES CO. LIMITED
Hook Hydra Cobalt Strike SectopRAT
2023-11-10NSFOCUSNSFOCUS
The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
Cobalt Strike Konni DarkCasino Opal Sleet
2023-11-07SOCRadarSOCRadar
New Gootloader Variant “GootBot” Changes the Game in Malware Tactics
GootLoader Cobalt Strike UNC2565
2023-11-06Twitter (@embee_research)Embee_research
Unpacking Malware With Hardware Breakpoints - Cobalt Strike
Cobalt Strike
2023-11-01nccgroupMick Koomen
Popping Blisters for research: An overview of past payloads and exploring recent developments
Blister Cobalt Strike
2023-10-23Twitter (@embee_research)Embee_research
Cobalt Strike .VBS Loader - Decoding with Advanced CyberChef and Emulation
Cobalt Strike
2023-10-20Twitter (@embee_research)Embee_research
Decoding a Cobalt Strike .hta Loader Using CyberChef and Emulation
Cobalt Strike
2023-10-18Twitter (@embee_research)Embee_research
Ghidra Tutorial - Using Entropy To Locate a Cobalt Strike Decryption Function
Cobalt Strike
2023-10-18GoogleKate Morgan
Government-backed actors exploiting WinRAR vulnerability
APT40
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-10-12NetresecErik Hjelmvik
Forensic Timeline of an IcedID Infection
Cobalt Strike IcedID IcedID Downloader
2023-10-10SymantecThreat Hunter Team
Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan
Cobalt Strike Havoc MimiKatz Grayling
2023-10-03Malware Traffic AnalysisBrad Duncan
2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike
Cobalt Strike Pikabot
2023-09-22MandiantDan Black, Josh Atkins, Luke Jenkins
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)
2023-09-12ANSSIANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-09-08PolySwarm Tech TeamThe Hivemind
Carderbee Targets Hong Kong in Supply Chain Attack
PlugX Carderbee
2023-09-07SekoiaJamila B.
My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL Dalbit MirrorFace
2023-08-30Trend MicroGilbert Sison, Hara Hiroaki, Lenart Bermejo, Leon M Chang, Ted Lee
Earth Estries Targets Government, Tech for Cyberespionage
Cobalt Strike HemiGate Earth Estries
2023-08-28The DFIR ReportThe DFIR Report
HTML Smuggling Leads to Domain Wide Ransomware
Cobalt Strike IcedID Nokoyawa Ransomware
2023-08-22SymantecThreat Hunter Team
Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
PlugX Carderbee
2023-08-18TEAMT5Still Hsu, Zih-Cing Liao
Unmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia
CatB Cobalt Strike DoorMe GIMMICK
2023-08-18d01aMohamed Adel
Understanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation
Cobalt Strike
2023-08-17SentinelOneAleksandar Milenkoski, Tom Hegel
Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector
Cobalt Strike HUI Loader BRONZE STARLIGHT
2023-08-07Recorded FutureInsikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2023-07-29GoogleGoogle Cybersecurity Action Team
Threat Horizons August 2023 Threat Horizons Report
SharkBot Cobalt Strike
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-07-11MandiantNg Choon Kiat, Rommel Joven
The Spies Who Loved You: Infected USB Drives to Steal Secrets
PlugX
2023-07-07Lab52Lab52
Beyond appearances: unknown actor using APT29’s TTP against Chinese users
Cobalt Strike
2023-07-03Check Point ResearchCheckpoint Research
Chinese Threat Actors Targeting Europe in SmugX Campaign
PlugX SmugX
2023-06-30K7 SecurityDhanush
Cobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass
Cobalt Strike
2023-06-16Palo Alto Networks: Cortex Threat ResearchLior Rochberger
Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa
CHINACHOPPER Ladon Yasso CL-STA-0043
2023-06-15eSentireRussianPanda
eSentire Threat Intelligence Malware Analysis: Resident Campaign
Cobalt Strike Rhadamanthys
2023-06-08Twitter (@embee_research)Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker
2023-06-08VMRayPatrick Staubmann
Busy Bees - The Transformation of BumbleBee
BumbleBee Cobalt Strike Conti Meterpreter Sliver
2023-05-15SymantecThreat Hunter Team
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Merdoor PlugX ShadowPad ZXShell Lancefly
2023-05-11cocomelonccocomelonc
Malware development trick - part 28: Dump lsass.exe. Simple C++ example.
Cobalt Strike APT3 Keylogger
2023-05-03Lab52Lab52
New Mustang Panda’s campaing against Australia
PlugX
2023-04-24CofenseAustin Jones
Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release
Ghost RAT
2023-04-20Github (dodo-sec)dodo-sec
An analysis of syscall usage in Cobalt Strike Beacons
Cobalt Strike
2023-04-20SecureworksCounter Threat Unit ResearchTeam
Bumblebee Malware Distributed Via Trojanized Installer Downloads
BumbleBee Cobalt Strike
2023-04-18MandiantMandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-13Intel 471Jorge Rodriguez, Souhail Hammou
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-03The DFIR ReportThe DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-30Recorded FutureInsikt Group
With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets
KEYPLUG Cobalt Strike PlugX RedGolf
2023-03-30eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-03-28ExaTrackExaTrack
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2023-03-10Medium walmartglobaltechJason Reaves, Joshua Platt
From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia
2023-03-09ASECSanseo
PlugX Malware Being Distributed via Vulnerability Exploitation
PlugX
2023-03-09SophosGabor Szappanos
A border-hopping PlugX USB worm takes its act on the road
PlugX
2023-03-01ZscalerMeghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer
2023-02-24Trend MicroBuddy Tancio, Catherine Loveria, Jed Valderama
Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool
PlugX
2023-02-23BitdefenderBitdefender Team, Martin Zugec
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel
2023-02-22SymantecSymantec Threat Hunter Team
Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia
Cobalt Strike
2023-02-14CybereasonCybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC
2023-02-13AhnLabkingkimgim
Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
Godzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit
2023-02-13KrollLaurie Iacono, Stephen Green
Royal Ransomware Deep Dive
Cobalt Strike Royal Ransom
2023-02-08Trend MicroTed Lee
Earth Zhulong: Familiar Patterns Target Southeast Asian Firms
Cobalt Strike MACAMAX 1937CN
2023-02-03MandiantGenevieve Stark, Kimberly Goody
Float Like a Butterfly Sting Like a Bee
BazarBackdoor BumbleBee Cobalt Strike
2023-02-02KrollElio Biasiotto, Stephen Green
Hive Ransomware Technical Analysis and Initial Access Discovery
BATLOADER Cobalt Strike Hive
2023-02-02EclecticIQEclecticIQ Threat Research Team
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
PlugX
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-26TEAMT5Still Hsu
Brief History of MustangPanda and its PlugX Evolution
PlugX
2023-01-26Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
Chinese PlugX Malware Hidden in Your USB Devices?
PlugX
2023-01-24FortinetGeri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar
2023-01-23KrollElio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2023-01-16IntrinsecIntrinsec
ProxyNotShell – OWASSRF – Merry Xchange
Cobalt Strike SystemBC
2023-01-09kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] Another nice PlugX sample
PlugX
2023-01-05SymantecThreat Hunter Team
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
CloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT BlueBottle
2022-12-27kienmanowar Blogm4n0w4r, Tran Trung Kien
Diving into a PlugX sample of Mustang Panda group
PlugX
2022-12-22Recorded FutureInsikt Group
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
PlugX RedDelta
2022-12-15MandiantMandiant
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY
2022-12-08Cisco TalosTiago Pereira
Breaking the silence - Recent Truebot activity
Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport
2022-12-06EuRepoCCamille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER
2022-12-06BlackberryBlackBerry Research & Intelligence Team
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
PlugX
2022-12-02Palo Alto Networks Unit 42Bob Jung, Dominik Reichel, Esmid Idrizovic
Blowing Cobalt Strike Out of the Water With Memory Analysis
Cobalt Strike
2022-12-02Avast DecodedThreat Intelligence Team
Hitching a ride with Mustang Panda
PlugX
2022-11-30FFRI SecurityMatsumoto
Evolution of the PlugX loader
PlugX Poison Ivy
2022-11-15SOC PrimeVeronika Telychko
Somnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine Using Enhanced Malware Strains
Cobalt Strike Vidar UAC-0118
2022-11-09Trend MicroHara Hiroaki, Ted Lee
Hack the Real Box: APT41’s New Subgroup Earth Longzhi
Cobalt Strike MimiKatz Earth Longzhi
2022-11-03paloalto Netoworks: Unit42Chris Navarrete, Durgesh Sangvikar, Matthew Tennis, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
Cobalt Strike
2022-11-03Group-IBRustam Mirkasymov
Financially motivated, dangerously activated: OPERA1ER APT in Africa
Cobalt Strike Common Raven
2022-11-03Github (chronicle)Chronicle
GCTI Open Source Detection Signatures
Cobalt Strike Sliver
2022-10-31CynetMax Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-13MicrosoftMicrosoft Threat Hunting, MSRC Team
Hunting for Cobalt Strike: Mining and plotting for fun and profit
Cobalt Strike
2022-10-12Trend MicroIan Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-10-06BlackberryThe BlackBerry Research & Intelligence Team
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims
PlugX
2022-10-03Check PointMarc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-10-03Trend MicroJaromír Hořejší, Joseph Chen
Water Labbu Abuses Malicious DApps to Steal Cryptocurrency
Cobalt Strike Water Labbu
2022-09-29SymantecThreat Hunter Team
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 Witchetty
2022-09-26Palo Alto Networks Unit 42Daniela Shalev, Itay Gamliel
Hunting for Unsigned DLLs to Find APTs
PlugX Raspberry Robin Roshtyak
2022-09-26The DFIR ReportThe DFIR Report
BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter
2022-09-25YouTube (Arda Büyükkaya)Arda Büyükkaya
Cobalt Strike Shellcode Loader With Rust (YouTube)
Cobalt Strike
2022-09-15SymantecThreat Hunter Team
Webworm: Espionage Attackers Testing and Using Older Modified RATs
9002 RAT Ghost RAT Trochilus RAT
2022-09-14Security JoesFelipe Duarte
Dissecting PlugX to Extract Its Crown Jewels
PlugX
2022-09-13SymantecThreat Hunter Team
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-09-13AdvIntelAdvanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot
2022-09-12The DFIR ReportThe DFIR Report
Dead or Alive? An Emotet Story
Cobalt Strike Emotet
2022-09-09Github (m4now4r)m4n0w4r
“Mustang Panda” – Enemy at the gate
PlugX
2022-09-08SecureworksCounter Threat Unit ResearchTeam
BRONZE PRESIDENT Targets Government Officials
PlugX
2022-09-08CybereasonAleksandar Milenkoski, Kotaro Ogino, Yuki Shibuya
Threat Analysis Report: PlugX RAT Loader Evolution
PlugX
2022-09-07GoogleGoogle Threat Analysis Group, Pierre-Marc Bureau
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID
2022-09-07cybleCyble
Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike
2022-09-06INCIBE-CERTINCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-09-06CISACISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-09-06Didier StevensDidier Stevens
An Obfuscated Beacon – Extra XOR Layer
Cobalt Strike
2022-09-06cocomelonccocomelonc
Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni
2022-09-01Medium michaelkoczwaraMichael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-09-01Trend MicroTrend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-30ProofpointMichael Raggi, PWC UK, Sveva Vittoria Scenarelli
Rising Tide: Chasing the Currents of Espionage in the South China Sea
scanbox Meterpreter APT40
2022-08-30eSentireeSentire Threat Response Unit (TRU)
Hacker Infrastructure Used in Cisco Breach Discovered Attacking a Top Workforce Management Corporation & an Affiliate of Russia’s Evil Corp Gang Suspected, Reports eSentire
Cobalt Strike FiveHands UNC2447
2022-08-25SentinelOneJim Walter
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky Cobalt Strike JuicyPotato
2022-08-22MicrosoftMicrosoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-19nccgroupRoss Inman
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit
2022-08-18NSFOCUSNSFOCUS
New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy
Cobalt Strike
2022-08-18Group-IBNikita Rostovtsev
APT41 World Tour 2021 on a tight schedule
Cobalt Strike
2022-08-18SophosSean Gallagher
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-17CybereasonCybereason Global SOC Team
Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike
2022-08-17SecureworksCounter Threat Unit ResearchTeam
DarkTortilla Malware Analysis
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer
2022-08-12SANS ISCBrad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-08-11Malcatmalcat team
LNK forensic and config extraction of a cobalt strike beacon
Cobalt Strike
2022-08-11SecurityScorecardRobert Ames
The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit
2022-08-10WeixinRed Raindrop Team
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike
2022-08-08The DFIR ReportThe DFIR Report
BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike
2022-08-04YouTube (Arda Büyükkaya)Arda Büyükkaya
LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit
2022-08-04MandiantMandiant
Advanced Persistent Threats (APTs)
APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9 Naikon
2022-08-03Palo Alto Networks Unit 42Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-08-02Cisco TalosAsheer Malhotra, Vitor Ventura
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka Cobalt Strike Manjusaka
2022-07-30cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector
2022-07-28SentinelOneJames Haughom, Julien Reisdorffer, Júlio Dantas
Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit
2022-07-27ReversingLabsJoseph Edwards
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz
2022-07-27cybleCyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot
2022-07-27Trend MicroBuddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt
2022-07-26MicrosoftMicrosoft 365 Defender Research Team
Malicious IIS extensions quietly open persistent backdoors into servers
CHINACHOPPER MimiKatz
2022-07-22Binary NinjaXusheng Li
Reverse Engineering a Cobalt Strike Dropper With Binary Ninja
Cobalt Strike
2022-07-20NVISO LabsSasja Reynaert
Analysis of a trojanized jQuery script: GootLoader unleashed
GootLoader Cobalt Strike
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20Advanced IntelligenceMarley Smith, Vitali Kremez, Yelisey Boguslavskiy
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion
Cobalt Strike
2022-07-20MandiantMandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-19Palo Alto Networks Unit 42Mike Harbison, Peter Renals
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Cobalt Strike EnvyScout Gdrive
2022-07-18Palo Alto Networks Unit 42Unit 42
Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus
2022-07-18YouTube (Security Joes)Felipe Duarte
PlugX DLL Side-Loading Technique
PlugX
2022-07-18Palo Alto Networks Unit 42Unit 42
Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK
2022-07-18CensysCensys
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike DeimosC2 MimiKatz PoshC2
2022-07-18Palo Alto Networks Unit 42Unit 42
Iron Taurus
CHINACHOPPER Ghost RAT Wonknu ZXShell APT27
2022-07-13Malwarebytes LabsHossein Jazi, Roberto Santos
Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
Cobalt Strike
2022-07-13Palo Alto Networks Unit 42Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
Cobalt Strike
2022-07-11Cert-UACert-UA
UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)
Cobalt Strike
2022-07-07SANS ISCBrad Duncan
Emotet infection with Cobalt Strike
Cobalt Strike Emotet
2022-07-07IBMCharlotte Hammond, Kat Weinberger, Ole Villadsen
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-07-06Cert-UACert-UA
UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)
Cobalt Strike
2022-06-30Trend MicroEmmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-28LumenBlack Lotus Labs
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
ZuoRAT Cobalt Strike
2022-06-27Kaspersky ICS CERTArtem Snegirev, Kirill Kruglov
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad
2022-06-26BushidoToken
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
Cobalt Strike CredoMap EnvyScout
2022-06-23cybleCyble Research Labs
Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus
2022-06-23SecureworksCounter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-06-21Cisco TalosChris Neal, Flavio Costa, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz
2022-06-20Cert-UACert-UA
UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)
Cobalt Strike
2022-06-17SANS ISCBrad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus
2022-06-15Security JoesCharles Lomboni, Felipe Duarte, Venkat Rajgor
Backdoor via XFF: Mysterious Threat Actor Under Radar
CHINACHOPPER
2022-06-11Twitter (@MsftSecIntel)Microsoft Threat Intelligence
Tweet on DEV-0401, DEV-0234 exploiting Confluence RCE CVE-2022-26134
Kinsing Mirai Cobalt Strike
2022-06-07AdvIntelMarley Smith, Vitali Kremez, Yelisey Boguslavskiy
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike
2022-06-07cybleCyble
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike
2022-06-06TrellixTrelix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate NB65
2022-06-04kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] CobaltStrike SMB Beacon Analysis
Cobalt Strike
2022-06-03AttackIQAttackIQ Adversary Research Team, Jackson Wells
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz
2022-06-03Avast DecodedThreat Intelligence Team
Outbreak of Follina in Australia
AsyncRAT APT40
2022-06-02MandiantMandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-06-02MandiantMandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-06-01ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-05-25Medium walmartglobaltechJason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-05-24BitSightBitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-24The Hacker NewsFlorian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot
2022-05-23Trend MicroDaniel Lunghi, Jaromír Hořejší
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-05-22R136a1Dominik Reichel
Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus
2022-05-20sonatypeAx Sharma
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux
Cobalt Strike
2022-05-20VinCSSDang Dinh Phuong, m4n0w4r, Tran Trung Kien
[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam
PlugX
2022-05-20CybleincCyble
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon
Cobalt Strike
2022-05-20AhnLabASEC
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-18PRODAFT Threat IntelligencePRODAFT
Wizard Spider In-Depth Analysis
Cobalt Strike Conti WIZARD SPIDER
2022-05-17Trend MicroTrend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-17Positive TechnologiesPositive Technologies
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-16JPCERT/CCShusei Tomonaga
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT
2022-05-12Intel 471Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-12Red CanaryLauren Podber, Tony Lambert
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike
2022-05-12Red CanaryLauren Podber, Tony Lambert
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike
2022-05-12TEAMT5Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-11NTTRyu Hiyoshi
Operation RestyLink: Targeted attack campaign targeting Japanese companies
Cobalt Strike
2022-05-10Marco Ramilli's BlogMarco Ramilli
A Malware Analysis in RU-AU conflict
Cobalt Strike
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09cocomelonccocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-05-09Qianxin Threat Intelligence CenterRed Raindrops Team
Operation EviLoong: An electronic party of "borderless" hackers
ZXShell
2022-05-09TEAMT5TeamT5
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services
Cobalt Strike
2022-05-09The DFIR ReportThe DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit
2022-05-08IronNetBrent Eskridge, Joey Fitzpatrick, Michael Leardi
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine
Cobalt Strike
2022-05-06Twitter (@MsftSecIntel)Microsoft Security Intelligence
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit
2022-05-06Palo Alto Networks Unit 42Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike
2022-05-06The Hacker NewsRavie Lakshmanan
This New Fileless Malware Hides Shellcode in Windows Event Logs
Cobalt Strike
2022-05-05Cisco TalosAliza Berk, Asheer Malhotra, Jung soo An, Justin Thattil, Kendall McKay
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX Unidentified 094
2022-05-04KasperskyDenis Legezo
A new secret stash for “fileless” malware
Cobalt Strike
2022-05-04Twitter (@felixw3000)Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-05-03Recorded FutureInsikt Group®
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike EnvyScout
2022-05-03Cluster25Cluster25
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet
Cobalt Strike IsaacWiper PyXie
2022-05-03Recorded FutureInsikt Group
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike
2022-05-02Sentinel LABSAmitai Ben Shushan Ehrlich, Joey Chen
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad Moshen Dragon
2022-05-02Cisco TalosJAIME FILSON, Kendall McKay, Paul Eubanks
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive
2022-05-02MacnicaHiroshi Takeuchi
Attack Campaigns that Exploit Shortcuts and ISO Files
Cobalt Strike
2022-04-28PWCPWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen
2022-04-28DARKReadingJai Vijayan
Chinese APT Bronze President Mounts Spy Campaign on Russian Military
PlugX MUSTANG PANDA
2022-04-28MandiantAnders Vejlby, John Wolfram, Nick Simonian, Sarah Hawley, Tyler McLellan
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Cobalt Strike
2022-04-27TrendmicroTrendmicro
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka
2022-04-27SecureworksCounter Threat Unit ResearchTeam
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX
PlugX
2022-04-27ANSSIANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-27Trend MicroDaniel Lunghi, Jaromír Hořejší
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka
2022-04-27MandiantMandiant
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
Cobalt Strike Raindrop SUNBURST TEARDROP
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2022-04-27Sentinel LABSJames Haughom, Jim Walter, Júlio Dantas
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit
2022-04-27Sentinel LABSJames Haughom, Jim Walter, Júlio Dantas
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit BRONZE STARLIGHT
2022-04-26Trend MicroLord Alfred Remorin, Ryan Flores, Stephen Hilt
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT
2022-04-26Intel 471Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-25The DFIR ReportThe DFIR Report
Quantum Ransomware
Cobalt Strike IcedID
2022-04-25MorphisecMorphisec Labs
New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader
2022-04-21ZeroSecAndy Gill
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6
Cobalt Strike
2022-04-19Blake's R&Dbmcder02
Extracting Cobalt Strike from Windows Error Reporting
Cobalt Strike
2022-04-19VaronisNadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt
2022-04-18SentinelOneJames Haughom
From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza
2022-04-18vanmieghemVincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Cobalt Strike
2022-04-15Center for Internet SecurityCIS
Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus
2022-04-14NSHC RedAlert LabsNSHC Threatrecon Team
Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB
PlugX
2022-04-14CynetMax Malyutin
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike
2022-04-13ESET ResearchJean-Ian Boutin, Tomáš Procházka
ESET takes part in global operation to disrupt Zloader botnets
Cobalt Strike Zloader
2022-04-13MicrosoftMicrosoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-04-12Max Kersten's BlogMax Kersten
Ghidra script to handle stack strings
CaddyWiper PlugX
2022-04-08Infinitum LabsArda Büyükkaya
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz
2022-04-07splunkSplunk Threat Research Team
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz
2022-04-07InQuestNick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-06Github (infinitumlabs)Arda Büyükkaya
Karakurt Hacking Team Indicators of Compromise (IOC)
Cobalt Strike
2022-04-04MandiantBrendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite
2022-04-01The Hacker NewsRavie Lakshmanan
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili Ghost RAT
2022-03-31nccgroupAlex Jessop, Nikolaos Pantazopoulos, RIFT: Research and Intelligence Fusion Team, Simon Biggs
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-31SC MediaSC Staff
Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive
2022-03-30Bleeping ComputerBill Toulas
Phishing campaign targets Russian govt dissidents with Cobalt Strike
Unidentified PS 002 (RAT) Cobalt Strike
2022-03-30PrevailionPrevailion
Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet
2022-03-30FortinetEliran Voronovitch, Rotem Sde-Or
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili Ghost RAT
2022-03-29Malwarebytes LabsHossein Jazi
New spear phishing campaign targets Russian dissidents
Unidentified PS 002 (RAT) Cobalt Strike
2022-03-29SentinelOneAntonis Terefos, James Haughom, Jeff Cavanaugh, Jim Walter, Nick Fox, Shai Tilias
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive
2022-03-28TrellixMarc Elias, Max Kersten
PlugX: A Talisman to Behold
PlugX
2022-03-28Medium walmartglobaltechJason Reaves
CobaltStrike UUID stager
Cobalt Strike
2022-03-25nccgroupYun Zheng Hu
Mining data from Cobalt Strike beacons
Cobalt Strike
2022-03-25ESET ResearchAlexandre Côté Cyr
Mustang Panda's Hodur: Old stuff, new variant of Korplug
PlugX
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-24Threat PostNate Nelson
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection
PlugX
2022-03-23BleepingComputerBill Toulas
New Mustang Panda hacking campaign targets diplomats, ISPs
PlugX
2022-03-23ESET ResearchAlexandre Côté Cyr
Mustang Panda’s Hodur: Old tricks, new Korplug variant
PlugX
2022-03-22Red CanaryRed Canary
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT
2022-03-22NVISO LabsDidier Stevens
Cobalt Strike: Overview – Part 7
Cobalt Strike
2022-03-21Threat PostLisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot
2022-03-21eSentireeSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-17GoogleBenoit Sevens, Google Threat Analysis Group, Vladislav Stolyarov
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-16paloalto Netoworks: Unit42Andrew Guan, Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect
Cobalt Strike
2022-03-16AhnLabASEC Analysis Team
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT Kingminer
2022-03-16SANS ISCBrad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16InfoSec Handlers Diary BlogBrad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-15PrevailionMatt Stafford, Sherman Smith
What Wicked Webs We Un-weave
Cobalt Strike Conti
2022-03-15SentinelOneAmitai Ben Shushan Ehrlich
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
2022-03-14Bleeping ComputerBill Toulas
Fake antivirus updates used to deploy Cobalt Strike in Ukraine
Cobalt Strike
2022-03-12Arash's BlogArash Parsa
Analyzing Malware with Hooks, Stomps, and Return-addresses
Cobalt Strike
2022-03-11Cert-UA
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)
Cobalt Strike
2022-03-09Bleeping ComputerIonut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot
2022-03-09BreachQuestBernard Silvestrini, Marco Figueroa, Napoleon Bing
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot
2022-03-08MandiantDouglas Bienstock, Geoff Ackerman, John Wolfram, Rufus Brown, Van Ta
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY
2022-03-07ProofpointMichael Raggi, Myrtus 0x0
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
PlugX MUSTANG PANDA
2022-03-07The DFIR ReportThe DFIR Report
2021 Year In Review
Cobalt Strike
2022-03-04TelsyTelsy
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government
Cobalt Strike
2022-03-03Trend MicroTrend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-01VirusTotalVirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-24CynetMax Malyutin
New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet
2022-02-24FortinetFred Gutierrez
Nobelium Returns to the Political World Stage
Cobalt Strike
2022-02-23cyber.wtf blogLuca Ebach
What the Pack(er)?
Cobalt Strike Emotet
2022-02-23AdvIntelVitali Kremez, Yelisey Boguslavskiy
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti
2022-02-23SophosLabs UncutAndrew Brandt
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy
2022-02-22eSentireeSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2022-02-22Bleeping ComputerBill Toulas
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck
2022-02-21ASEC
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck
2022-02-21The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot
2022-02-20Medium SOCFortressSOCFortress
Detecting Cobalt Strike Beacons
Cobalt Strike
2022-02-18Huntress LabsMatthew Brennan
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
Cobalt Strike
2022-02-17SinaCyberAdam Kozy
Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”
PlugX APT26 APT41
2022-02-16Security OnionDoug Burks
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet
2022-02-15eSentireeSentire Threat Response Unit (TRU)
Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet
2022-02-11Cisco TalosTalos
Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2022-02-10CybereasonCybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-02-09vmwareVMWare
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike
2022-01-31CyberArkArash Parsa
Analyzing Malware with Hooks, Stomps and Return-addresses
Cobalt Strike
2022-01-28MorphisecMorphisec Labs
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk
Cobalt Strike
2022-01-27JSAC 2021Hajime Yanagishita, Kiyotaka Tamada, Suguru Ishimaru, You Nakatsuru
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster
2022-01-26BlackberryCodi Starks, Ryan Gibson, Will Ikard
Log4U, Shell4Me
Cobalt Strike
2022-01-25CynetOrion Threat Research and Intelligence Team
Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky
2022-01-24The DFIR ReportThe DFIR Report
Cobalt Strike, a Defender’s Guide – Part 2
Cobalt Strike
2022-01-20MorphisecMichael Gorelik
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
Cobalt Strike
2022-01-19ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
Extracting Cobalt Strike Beacon Configurations
Cobalt Strike
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2022-01-19ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
Collecting Cobalt Strike Beacons with the Elastic Stack
Cobalt Strike
2022-01-19SophosColin Cowie, Mat Gangwer, Sophos MTR Team, Stan Andic
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader
2022-01-18Recorded FutureInsikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-17Trend MicroCedric Pernet, Daniel Lunghi, Gloria Chen, Jaromír Hořejší, Joseph Chen, Kenney Lu
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
2022-01-16forensicitguyTony Lambert
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
CACTUSTORCH Cobalt Strike
2022-01-15Huntress LabsTeam Huntress
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)
Cobalt Strike
2022-01-11Medium walmartglobaltechJason Reaves, Joshua Platt
Signed DLL campaigns as a service
BATLOADER Cobalt Strike ISFB Zloader
2022-01-11Twitter (@cglyer)Christopher Glyer
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky
2022-01-11CybereasonChen Erlich, Daichi Shimabukuro, Niv Yona, Ofir Ozer, Omri Refaeli
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2022-01-09forensicitguyTony Lambert
Inspecting a PowerShell Cobalt Strike Beacon
Cobalt Strike
2022-01-06Cyber And Ramen blogMike R
A “GULP” of PlugX
PlugX
2022-01-06Sekoiasekoia
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Cobalt Strike EnvyScout
2022-01-01Silent PushSilent Push
Consequences- The Conti Leaks and future problems
Cobalt Strike Conti
2021-12-29CrowdStrikeBenjamin Wiley, Falcon OverWatch Team
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Cobalt Strike
2021-12-29Blake's R&DBlake
Cobalt Strike DFIR: Listening to the Pipes
Cobalt Strike
2021-12-28Morphus LabsRenato Marinho
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Cobalt Strike
2021-12-22TelsyTelsy Research Team
Phishing Campaign targeting citizens abroad using COVID-19 theme lures
Cobalt Strike
2021-12-16TEAMT5Aragorn Tseng, Charles Li, Peter Syu, Tom Lai
Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder
2021-12-16Red CanaryThe Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-12-14Trend MicroNick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23
2021-12-10AccentureAccenture
Karakurt rises from its lair
Cobalt Strike Karakurt
2021-12-07Bleeping ComputerLawrence Abrams
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet
2021-12-06CERT-FRCERT-FR
Phishing campaigns by the Nobelium intrusion set
Cobalt Strike
2021-12-06MandiantAshraf Abdalhalim, Ben Read, Doug Bienstock, Gabriella Roncone, Jonathan Leathery, Josh Madeley, Juraj Sucik, Luis Rocha, Luke Jenkins, Manfred Erjak, Marius Fodoreanu, Microsoft Detection and Response Team (DART), Microsoft Threat Intelligence Center (MSTIC), Mitchell Clarke, Parnian Najafi, Sarah Hawley, Wojciech Ledzion
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot
2021-12-02CERT-FRCERT-FR
Phishing Campaigns by the Nobelium Intrusion Set
Cobalt Strike
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-11-30SymantecSymantec Threat Hunter Team
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands
2021-11-29The DFIR ReportThe DFIR Report
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti
2021-11-29MandiantBrandan Schondorfer, Tyler McLellan
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike ROLLCOAST
2021-11-19Trend MicroAbdelrhman Sharshar, Mohamed Fahmy, Sherif Magdy
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-18CiscoJosh Pyorre
BlackMatter, LockBit, and THOR
BlackMatter LockBit PlugX
2021-11-17nvisoDidier Stevens
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike
2021-11-17Black Hills Information SecurityKyle Avery
DNS Over HTTPS for Cobalt Strike
Cobalt Strike
2021-11-17Twitter (@Unit42_Intel)Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot
2021-11-17Trend MicroAbdelrhman Sharshar, Mohamed Fahmy, Ryan Maglaque, Sherif Magdy
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT
2021-11-16CiscoAsheer Malhotra, Chetan Raghuprasad, Vanja Svajcer
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike
2021-11-16IronNetIronNet Threat Research, Joey Fitzpatrick, Morgan Demboski, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-16BlackberryDean Given, Eoin Wickens, Jim Simpson, Marta Janus, T.J. O'Leary, Tom Bonner
Finding Beacons in the dark
Cobalt Strike
2021-11-15TRUESECFabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-13Just StillStill Hsu
Threat Spotlight - Domain Fronting
Cobalt Strike
2021-11-12MalwarebytesHossein Jazi
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike
2021-11-11CynetMax Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot
2021-11-10AT&TJosh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti
2021-11-10SekoiaCyber Threat Intelligence team
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike
2021-11-09CybereasonAleksandar Milenkoski, Eli Salem
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-11-05Twitter (@Unit42_Intel)Unit 42
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike
2021-11-04Youtube (Virus Bulletin)Joey Chen, Yi-Jhen Hsieh
ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad
2021-11-03Cisco TalosCaitlin Huey, Chetan Raghuprasad, Vanja Svajcer
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER
2021-11-03Didier StevensDidier Stevens
New Tool: cs-extract-key.py
Cobalt Strike
2021-11-03nvisoDidier Stevens
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike
2021-11-02Intel 471Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti
2021-11-02unh4ckCyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti
2021-11-02boschko.ca blogOlivier Laflamme
Cobalt Strike Process Injection
Cobalt Strike
2021-11-01The DFIR Report@iiamaleks, @samaritan_o
From Zero to Domain Admin
Cobalt Strike Hancitor
2021-11-01AccentureCurt Wilson, Heather Larrieu, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz
2021-10-29EuropolEuropol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29Національна поліція УкраїниНаціональна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-27nvisoDidier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike
2021-10-26unh4ckHamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-26ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-10-21CrowdStrikeAlex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet
2021-10-21nvisoDidier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike
2021-10-18The DFIR ReportThe DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-18NortonLifeLockNorton Labs
Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax
2021-10-18SymantecThreat Hunter Team
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon
2021-10-18paloalto Netoworks: Unit42Brad Duncan
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike
2021-10-14Medium walmartglobaltechJason Reaves
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
2021-10-13BlackberryBlackBerry Research & Intelligence Team
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book
Cobalt Strike
2021-10-12MandiantAlyssa Rahman
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike
2021-10-11AccentureAccenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-10-080ffset BlogChuong Dong
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle
2021-10-07NetskopeGhanashyam Satpathy, Gustavo Palazolo
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-10-07MandiantMandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot
2021-10-07MicrosoftMicrosoft
Microsoft Digital Defense Report - October 2021
APT15 APT31 APT40 APT5 Earth Lusca HAFNIUM
2021-10-06BlackberryBlackberry Research
Finding Beacons in the Dark
Cobalt Strike
2021-10-05BlackberryThe BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT
2021-10-04JPCERT/CCShusei Tomonaga
Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT
2021-10-04SophosChaitanya Ghorpade, Kajal Katiyar, Krisztián Diriczi, Rahil Shah, Sean Gallagher, Vikas Singh
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike
2021-10-04The DFIR ReportThe DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti
2021-10-03Github (0xjxd)Joel Dönne
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-10-010ffset BlogChuong Dong
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle
2021-09-30PTSecurityPT ESC Threat Intelligence
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike
2021-09-30PT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike
2021-09-30CrowdStrikeFalcon OverWatch Team
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike
2021-09-29Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti
2021-09-29Malware Traffic AnalysisBrad Duncan
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-29Malware Traffic AnalysisBrad Duncan
Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-28Recorded FutureInsikt Group®
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti
2021-09-28ZscalerAvinash Kumar, Brett Stone-Gross
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-27CynetMax Malyutin
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle
2021-09-26NSFOCUSJie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-09-24Trend MicroWarren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz
2021-09-22CISAUS-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti
2021-09-21Medium elis531989Eli Salem
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle
2021-09-21skyblue.team blogskyblue team
Scanning VirusTotal's firehose
Cobalt Strike
2021-09-21GuidePoint SecurityDrew Schmitt
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike
2021-09-21SophosAndrew Brandt, Chaitanya Ghorpade, Krisztián Diriczi, Shefali Gupta, Vikas Singh
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring
2021-09-21eSentireeSentire
Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups
Cobalt Strike MimiKatz UNC215
2021-09-17CrowdStrikeFalcon OverWatch Team
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike
2021-09-17Medium inteloperatorIntel Operator
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike
2021-09-17Malware Traffic AnalysisBrad Duncan
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-16Twitter (@GossiTheDog)Kevin Beaumont
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot
2021-09-16Medium ShabarkinPavel Shabarkin
Pointer: Hunting Cobalt Strike globally
Cobalt Strike
2021-09-16RiskIQRiskIQ
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk
2021-09-15MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike
2021-09-14McAfeeChristiaan Beek
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-09-14Recorded FutureInsikt Group®
Full-Spectrum Cobalt Strike Detection
Cobalt Strike
2021-09-13The DFIR ReportThe DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-12Medium michaelkoczwaraMichael Koczwara
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444
Cobalt Strike
2021-09-10GigamonJoe Slowik
Rendering Threats: A Network Perspective
BumbleBee Cobalt Strike
2021-09-10The RecordCatalin Cimpanu
Indonesian intelligence agency compromised in suspected Chinese hack
PlugX
2021-09-09Trend MicroTrend Micro
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
BumbleBee Cobalt Strike
2021-09-08Arash's BlogArash Parsa
Hook Heaps and Live Free
Cobalt Strike
2021-09-07Medium michaelkoczwaraMichael Koczwara
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike
2021-09-06kienmanowar Blogm4n0w4r
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike
2021-09-03FireEyeAdrian Sanchez Hernandez, Alex Pennino, Andrew Rector, Brendan McKeague, Govand Sinjari, Harris Ansari, John Wolfram, Joshua Goddard, Yash Gupta
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran
2021-09-03SophosAnand Ajjan, Andrew Ludgate, Gabor Szappanos, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Zaidi
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-02Medium michaelkoczwaraMichael Koczwara
Cobalt Strike PowerShell Payload Analysis
Cobalt Strike
2021-09-02Twitter (@th3_protoCOL)Colin, GaborSzappanos
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-09-01YouTube (Hack In The Box Security Conference)Joey Chen, Yi-Jhen Hsieh
SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad
2021-08-31BreakPoint LabsBreakPoint Labs
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign
Cobalt Strike
2021-08-30QianxinRed Raindrop Team
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz
2021-08-29The DFIR ReportThe DFIR Report
Cobalt Strike, a Defender’s Guide
Cobalt Strike
2021-08-27AonAon’s Cyber Labs, Noah Rubin
Cobalt Strike Configuration Extractor and Parser
Cobalt Strike
2021-08-27MorphisecMorphisec Labs
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike
2021-08-25Trend MicroHara Hiroaki, Ted Lee
Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk
2021-08-24ESET ResearchMathieu Tartare, Thibaut Passilly
The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk SparklingGoblin
2021-08-23Youtube (SANS Digital Forensics and Incident Response)Chad Tilbury
Keynote: Cobalt Strike Threat Hunting
Cobalt Strike
2021-08-23FBIFBI
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz
2021-08-23SentinelOneJoey Chen, Yi-Jhen Hsieh
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad
2021-08-19BlackberryBlackBerry Research & Intelligence Team
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex TA575
2021-08-19Sekoiasekoia
An insider insights into Conti operations – Part two
Cobalt Strike Conti
2021-08-18IntezerRyan Robinson
Cobalt Strike: Detect this Persistent Threat
Cobalt Strike
2021-08-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti
2021-08-17Sekoiasekoia
An insider insights into Conti operations – Part one
Cobalt Strike Conti
2021-08-17Medium michaelkoczwaraMichael Koczwara
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-11Advanced IntelligenceVitali Kremez
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti
2021-08-09IstroSecLadislav Bačo
APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike
2021-08-05SecureworksCounter Threat Unit ResearchTeam
Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike
2021-08-05Red CanaryBrian Donohue, Dan Cotton, Tony Lambert
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer
2021-08-04Sentinel LABSGal Kristal
Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike
2021-08-04SecureworksCounter Threat Unit ResearchTeam
Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike
2021-08-04CrowdStrikeCrowdStrike Intelligence Team, CrowdStrike IR, Falcon OverWatch Team
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker Prophet Spider
2021-08-03CybereasonAssaf Dahan, Daniel Frank, Lior Rochberger, Tom Fakterman
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae
2021-08-02Youtube (Forschungsinstitut Cyber Defense)Alexander Rausch, Konstantin Klinger
The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike
2021-08-01The DFIR ReportThe DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-30Twitter (@Unit42_Intel)Unit 42
Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike
2021-07-29Rasta MouseRasta Mouse
NTLM Relaying via Cobalt Strike
Cobalt Strike
2021-07-29MicrosoftMicrosoft 365 Defender Threat Intelligence Team
BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike
2021-07-27BlackberryBlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-07-27Palo Alto Networks Unit 42Alex Hinchliffe, Mike Harbison
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX
2021-07-25Medium svch0stsvch0st
Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike
2021-07-22Medium michaelkoczwaraMichael Koczwara
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike
2021-07-21BitdefenderBogdan Botezatu, Victor Vrabie
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX
2021-07-20SecureworksCounter Threat Unit ResearchTeam
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor
2021-07-20RNZ
Government points finger at China over cyber attacks
APT40 HAFNIUM
2021-07-19The DFIR ReportThe DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-19Department of JusticeOffice of Public Affairs
Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research
APT40
2021-07-19Council of the European UnionCouncil of the European Union
China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory
APT40
2021-07-19Ministry of Foreign Affairs of JapanMinistry of Foreign Affairs of Japan
Cases of cyberattacks including those by a group known as APT40 which the Chinese government is behind (Statement by Press Secretary YOSHIDA Tomoyuki)
APT40
2021-07-19Minister for Foreign Affairs of AustraliaKaren Andrews, Peter Dutton
Australia joins international partners in attribution of malicious cyber activity to China
APT31 APT40 HAFNIUM
2021-07-19NCSC UKNCSC UK
UK and allies hold Chinese state responsible for pervasive pattern of hacking
APT31 APT40
2021-07-19GOV.UKDominic Raab, NCSC UK
UK and allies hold Chinese state responsible for a pervasive pattern of hacking
APT31 APT40 HAFNIUM
2021-07-19CISACISA
Alert (AA21-200B): Chinese State-Sponsored Cyber Operations: Observed TTPs
APT40
2021-07-19Government of CanadaGlobal Affairs Canada
Statement on China’s cyber campaigns
APT40
2021-07-14GoogleClement Lecigne, Google Threat Analysis Group, Maddie Stone
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike
2021-07-14MDSecChris Basnett
Investigating a Suspicious Service
Cobalt Strike
2021-07-14KasperskyAseel Kayal, Mark Lechtik, Paul Rascagnères
LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike
2021-07-13YouTube ( Matt Soseman)Matt Soseman
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-07-09InfoSec Handlers Diary BlogBrad Duncan
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor
2021-07-08Avast DecodedThreat Intelligence Team
Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader
2021-07-08Recorded FutureInsikt Group
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
Cobalt Strike Earth Lusca
2021-07-07TrustwaveNikita Kazymirskyi, Rodel Mendrez
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil
2021-07-07Trend MicroGloria Chen, Jaromír Hořejší, Joseph C Chen, Kenney Lu
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2021-07-07McAfeeMcAfee Labs
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk
2021-07-06Twitter (@MBThreatIntel)Malwarebytes Threat Intelligence
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike
2021-07-05Trend MicroAbraham Camba, Buddy Tancio, Catherine Loveria, Ryan Maglaque
Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike
2021-07-03Medium AK1001AK1001
Analyzing Cobalt Strike PowerShell Payload
Cobalt Strike
2021-07-02MalwareBookReportsmuzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex
2021-07-01The RecordCatalin Cimpanu
Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike
2021-07-01Avast DecodedIgor Morgenstern, Jan Vojtěšek, Luigino Camastra
Backdoored Client from Mongolian CA MonPass
Cobalt Strike Earth Lusca
2021-07-01Avast DecodedIgor Morgenstern, Jan Vojtěšek, Luigino Camastra
Backdoored Client from Mongolian CA MonPass
Cobalt Strike FishMaster
2021-06-30Group-IBOleg Skulkin
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil
2021-06-29AccentureAccenture Security
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz
2021-06-29ProofpointDaniel Blackford, Selena Larson
Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike
2021-06-28The DFIR ReportThe DFIR Report
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor
2021-06-22CrowdStrikeThe Falcon Complete Team
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike
2021-06-22Twitter (@Cryptolaemus1)Cryptolaemus, dao ming si, Kirk Sayre
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex
2021-06-20The DFIR ReportThe DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-19CISAUS-CERT
Alert (AA21-200A): Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
APT40
2021-06-18SecurityScorecardRyan Sherstobitoff
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike
2021-06-17Binary DefenseBrandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-06-16MandiantJared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-16Recorded FutureInsikt Group®
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2021-06-16Національної поліції УкраїниНаціональна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2021-06-16FireEyeJared Wilson, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-15SecureworksCounter Threat Unit ResearchTeam
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-06-10Group-IBNikita Rostovcev
Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike
2021-06-10ESET ResearchAdam Burgher
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy
2021-06-09Twitter (@RedDrip7)RedDrip7
Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike
2021-06-04Twitter (@alex_lanstein)Alex Lanstein
Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879
Cobalt Strike
2021-06-04InkyRoger Kay
Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike
2021-06-02SophosSean Gallagher
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-06-02Medium CyCraftCyCraft Technology Corp
China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock
2021-06-02Twitter (@xorhex)Xorhex
Tweet on new variant of PlugX from RedDelta Group
PlugX
2021-06-02xorhex blogTwitter (@xorhex)
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX
2021-06-01Department of JusticeOffice of Public Affairs
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike
2021-06-01SentinelOneJuan Andrés Guerrero-Saade
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike
2021-06-01SANSJake Williams, Kevin Haley
A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-06-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
New sophisticated email-based attack from NOBELIUM
Cobalt Strike
2021-05-29Twitter (@elisalem9)Eli Salem
Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452
Cobalt Strike
2021-05-28CISAUS-CERT
Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike
2021-05-28United States District Court Southern District of California
United States of America vs Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin, Wu Shurong
APT40
2021-05-28FBI
Wanted by the FBI: Zhu Yunmin, Wu Shurong, Ding Xiaoyang, Cheng Qingmin
APT40
2021-05-28CISAUS-CERT
Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike
2021-05-28MicrosoftMicrosoft Threat Intelligence Center (MSTIC)
Breaking down NOBELIUM’s latest early-stage toolset
BOOMBOX Cobalt Strike
2021-05-27VolexityDamien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike
2021-05-27xorhex blogTwitter (@xorhex)
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX
2021-05-26DeepInstinctRon Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-25Huntress LabsMatthew Brennan
Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike
2021-05-21blackarrowPablo Ambite
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike
2021-05-19Intel 471Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-19Medium Mehmet ErgeneMehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike
2021-05-18SophosGreg Iddon, John Shier, Mat Gangwer, Peter Mackenzie
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz
2021-05-17TalosBrad Garnett
Case Study: Incident Response is a relationship-driven business
Cobalt Strike
2021-05-17xorhex blogTwitter (@xorhex)
Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX
2021-05-16NCSC IrelandNCSC Ireland
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti
2021-05-14GuidePoint SecurityDrew Schmitt
From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader
2021-05-14Blue Team BlogAuth 0r
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide
2021-05-13AWAKEKieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-05-12Medium Mehmet ErgeneMehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike
2021-05-12The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-11Mal-Eatsmal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-11FireEyeAlyssa Rahman, Andrew Moore, Brendan McKeague, Jared Wilson, Jeremy Kennelly, Jordan Nuce, Kimberly Goody
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide
2021-05-10Mal-Eatsmal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-10ZERO.BSZEROBS
Cobaltstrike-Beacons analyzed
Cobalt Strike
2021-05-07Cisco TalosAndrew Windsor, Caitlin Huey, Edmund Brumaghin
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-07Medium svch0stsvch0st
Stats from Hunting Cobalt Strike Beacons
Cobalt Strike
2021-05-07TEAMT5Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-05-07SophosLabs UncutRajesh Nataraj
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2021-05-05TRUESECMattias Wåhlén
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker
2021-05-05SymantecThreat Hunter Team
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
CHINACHOPPER
2021-05-05ZscalerAniruddha Dolas, Manohar Ghule, Mohd Sadique
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-05-05SophosLabs UncutAndrew Brandt, Gabor Szappanos, Peter Mackenzie, Vikas Singh
Intervention halts a ProxyLogon-enabled attack
Cobalt Strike
2021-05-04Medium sergiusechelSergiu Sechel
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike
2021-05-02The DFIR ReportThe DFIR Report
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot
2021-04-29FireEyeJustin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty
2021-04-29NTTThreat Detection NTT Ltd.
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-04-28Trend MicroJaromír Hořejší, Joseph C Chen
Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT
2021-04-27Trend MicroEarle Earnshaw, Janus Agcaoili
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz
2021-04-27Trend MicroJanus Agcaoili
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike
2021-04-26nvisoMaxime Thiebaut
Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike
2021-04-26getrevueTwitter (@80vul)
Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike
2021-04-24Non-offensive securityNon-offensive security team
Detect Cobalt Strike server through DNS protocol
Cobalt Strike
2021-04-23Twitter (@vikas891)Vikas Singh
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer
2021-04-22Twitter (@AltShiftPrtScn)Peter Mackenzie
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer
2021-04-21SophosLabs UncutAnand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-20Medium walmartglobaltechJason Reaves
CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike
2021-04-19NetresecErik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-18YouTube (dist67)Didier Stevens
Decoding Cobalt Strike Traffic
Cobalt Strike
2021-04-16Trend MicroNitesh Surana
Could the Microsoft Exchange breach be stopped?
CHINACHOPPER
2021-04-15Palo Alto Networks Unit 42Robert Falcone
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
CHINACHOPPER
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-12IndeChris Campbell
A Different Kind of Zoombomb
Cobalt Strike
2021-04-09F-SecureGiulio Ginesi, Riccardo Ancarani
Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike
2021-04-07Medium sixdubJustin Warner
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike
2021-04-05Medium walmartglobaltechJason Reaves, Joshua Platt
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot
2021-04-02Dr.WebDr.Web
Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT TA428
2021-04-01DomainToolsJoe Slowik
COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike
2021-04-01Palo Alto Networks Unit 42Brad Duncan
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor Moskalvzapoe
2021-03-31Red CanaryRed Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-30GuidePoint SecurityDrew Schmitt
Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike
2021-03-29The RecordCatalin Cimpanu
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho
2021-03-29The DFIR ReportThe DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-26ImpervaDaniel Johnston
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
CHINACHOPPER
2021-03-25MicrosoftTom McElroy
Web Shell Threat Hunting with Azure Sentinel
CHINACHOPPER
2021-03-25Recorded FutureInsikt Group®
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX
2021-03-25MicrosoftMicrosoft 365 Defender Threat Intelligence Team
Analyzing attacks taking advantage of the Exchange Server vulnerabilities
CHINACHOPPER
2021-03-21Twitter (@CyberRaiju)Jai Minton
Twitter Thread with analysis of .NET China Chopper
CHINACHOPPER
2021-03-21YouTube (dist67)Didier Stevens
Finding Metasploit & Cobalt Strike URLs
Cobalt Strike
2021-03-21BlackberryBlackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-19Bundesamt für Sicherheit in der InformationstechnikCERT-Bund
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz
2021-03-18DeepInstinctBen Gross
Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike
2021-03-18PRODAFT Threat IntelligencePRODAFT
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-17Recorded FutureInsikt Group®
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428
2021-03-16ElasticJoe Desimone
Detecting Cobalt Strike with memory signatures
Cobalt Strike
2021-03-16McAfeeMcAfee ATR
Technical Analysis of Operation Diànxùn
Cobalt Strike
2021-03-15TrustwaveJoshua Deacon
HAFNIUM, China Chopper and ASP.NET Runtime
CHINACHOPPER
2021-03-11Cyborg SecurityJosh Campbell
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat
2021-03-11QuriumQurium
Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike
2021-03-11Palo Alto Networks Unit 42Unit 42
Microsoft Exchange Server Attack Timeline
CHINACHOPPER
2021-03-11DEVOFran Gomez
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz
2021-03-10Lemon's InfoSec RamblingsJosh Lemon
Microsoft Exchange & the HAFNIUM Threat Actor
CHINACHOPPER
2021-03-10PICUS SecuritySüleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers
CHINACHOPPER
2021-03-10ESET ResearchMathieu Tartare, Matthieu Faou, Thomas Dupuy
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2021-03-10DomainToolsJoe Slowik
Examining Exchange Exploitation and its Lessons for Defenders
CHINACHOPPER
2021-03-10ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike
2021-03-09Palo Alto Networks Unit 42Unit 42
Remediation Steps for the Microsoft Exchange Server Vulnerabilities
CHINACHOPPER
2021-03-09splunkSecurity Research Team
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike
2021-03-09Red CanaryBrian Donohue, Katie Nickels, Tony Lambert
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
CHINACHOPPER
2021-03-09PRAETORIANAnthony Weems, Dallas Kaman, Michael Weber
Reproducing the Microsoft Exchange Proxylogon Exploit Chain
CHINACHOPPER
2021-03-09YouTube (John Hammond)John Hammond
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
CHINACHOPPER
2021-03-08Youtube (SANS Digital Forensics and Incident Response)Adam Pennington, Jen Burns, Katie Nickels
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP
2021-03-08SymantecThreat Hunter Team
How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz
2021-03-08Palo Alto Networks Unit 42Jeff White
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
CHINACHOPPER
2021-03-08The DFIR ReportThe DFIR Report
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-07TRUESECRasmus Grönlund
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
CHINACHOPPER
2021-03-07InfoSec Handlers Diary BlogDidier Stevens
PCAPs and Beacons
Cobalt Strike
2021-03-05WiredAndy Greenberg
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
CHINACHOPPER
2021-03-05Huntress LabsHuntress Labs
Operation Exchange Marauder
CHINACHOPPER
2021-03-04Huntress LabsHuntress Labs
Operation Exchange Marauder
CHINACHOPPER
2021-03-04FireEyeAndrew Thompson, Chris DiGiamo, Matt Bromiley, Robert Wallace
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
CHINACHOPPER HAFNIUM
2021-03-04CrowdStrikeThe Falcon Complete Team
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits
CHINACHOPPER HAFNIUM
2021-03-03Huntress LabsJohn Hammond
Rapid Response: Mass Exploitation of On-Prem Exchange Servers
CHINACHOPPER HAFNIUM
2021-03-03Huntress LabsHuntress Labs
Mass exploitation of on-prem Exchange servers :(
CHINACHOPPER HAFNIUM
2021-03-03MITREMITRE ATT&CK
HAFNIUM
CHINACHOPPER HAFNIUM
2021-03-02Twitter (@ESETresearch)ESET Research
Tweet on Exchange RCE
CHINACHOPPER HAFNIUM
2021-03-02VolexityJosh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
CHINACHOPPER HAFNIUM
2021-03-02Rapid7 LabsAndrew Christian
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
CHINACHOPPER HAFNIUM
2021-03-02MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft 365 Security, Microsoft Threat Intelligence Center (MSTIC)
HAFNIUM targeting Exchange Servers with 0-day exploits
CHINACHOPPER HAFNIUM
2021-03-01Medium walmartglobaltechJason Reaves, Joshua Platt
Investigation into the state of Nim malware
BazarNimrod Cobalt Strike
2021-03-01Medium walmartglobaltechJason Reaves, Joshua Platt
Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-02-28Recorded FutureInsikt Group®
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-28Recorded FutureInsikt Group®
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25ProofpointMichael Raggi, Proofpoint Threat Research Team
TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations
scanbox Sepulcher Lucky Cat
2021-02-25FireEyeBrendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-24Github (AmnestyTech)Amnesty International
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown
2021-02-24VMWare Carbon BlackTakahiro Haruyama
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22tccontre Blogtcontre
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload
Ghost RAT
2021-02-11Twitter (@TheDFIRReport)The DFIR Report
Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor
2021-02-09SecurehatSecurehat
Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP
2021-02-09Cobalt StrikeRaphael Mudge
Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-02Committee to Protect JournalistsMadeline Earp
How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike
2021-02-01pkb1s.github.ioPetros Koutroumpis
Relay Attacks via Cobalt Strike Beacons
Cobalt Strike
2021-02-01ESET ResearchIgnacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
2021-02-01AhnLabASEC Analysis Team
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil
2021-01-31The DFIR ReportThe DFIR Report
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-29Trend MicroTrend Micro
Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz
2021-01-28AhnLabASEC Analysis Team
BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil
2021-01-28TrustedSecAdam Chester
Tailoring Cobalt Strike on Target
Cobalt Strike
2021-01-26Twitter (@swisscom_csirt)Swisscom CSIRT
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz
2021-01-20MicrosoftMicrosoft 365 Defender Research Team, Microsoft Cyber Defense Operations Center (CDOC), Microsoft Threat Intelligence Center (MSTIC)
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP
2021-01-20Trend MicroAbraham Camba, Gilbert Sison, Ryan Maglaque
XDR investigation uncovers PlugX, unique technique in APT attack
PlugX
2021-01-18SymantecThreat Hunter Team
Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti
2021-01-15SwisscomMarkus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-15Medium DansecDan Lussier
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike
2021-01-14PTSecurityPT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-12BrightTALK (FireEye)Ben Read, John Hultquist
UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP
2021-01-12Fox-ITWouter Jansen
Abusing cloud services to fly under the radar
Cobalt Strike
2021-01-11SolarWindsSudhakar Ramakrishna
New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP
2021-01-11The DFIR ReportThe DFIR Report
Trickbot Still Alive and Well
Cobalt Strike TrickBot
2021-01-10Medium walmartglobaltechJason Reaves
MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker Moskalvzapoe
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-09Connor McGarr's BlogConnor McGarr
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike
2021-01-07Recorded FutureInsikt Group®
Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-05Trend MicroTrend Micro Research
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike Earth Wendigo
2021-01-04Bleeping ComputerIonut Ilascu
China's APT hackers move to ransomware attacks
Clambling PlugX
2021-01-04Medium haggis-mMichael Haag
Malleable C2 Profiles and You
Cobalt Strike
2021-01-01AWAKEAwake Security
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader
2021-01-01DomainToolsJoe Slowik
Conceptualizing a Continuum of Cyber Threat Attribution
CHINACHOPPER SUNBURST
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL
2021-01-01MandiantMandiant
M-TRENDS 2021
Cobalt Strike SUNBURST
2021-01-01Github (WBGlIl)WBGlIl
A book on cobaltstrike
Cobalt Strike
2021-01-01SymantecSymantec Threat Hunter Team
Supply Chain Attacks:Cyber Criminals Target the Weakest Link
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER
2021-01-01TalosTalos Incident Response
Evicting Maze
Cobalt Strike Maze
2021-01-01SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2021-01-01TalosTalos Incident Response
Cobalt Strikes Out
Cobalt Strike
2020-12-26Medium grimminckStefan Grimminck
Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike
2020-12-26CYBER GEEKS All Things InfosecCyberMasterV
Analyzing APT19 malware using a step-by-step method
Derusbi
2020-12-24IronNetAdam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-12-22TRUESECMattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-12-21FortinetUdi Yavo
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP
2020-12-20RandhomeEtienne Maynier
Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike
2020-12-18SeqritePavankumar Chaudhari
RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT
2020-12-15Github (sophos-cybersecurity)Sophos Cyber Security Team
solarwinds-threathunt
Cobalt Strike SUNBURST
2020-12-15PICUS SecuritySüleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST
2020-12-14Palo Alto Networks Unit 42Unit 42
Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST
2020-12-11BlackberryBlackBerry Research and Intelligence team
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker
2020-12-10ESET ResearchMathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX Tmanger TA428
2020-12-10ESET ResearchMathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-12-10Palo Alto Networks Unit 42Unit42
Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike
2020-12-10Intel 471Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10US-CERTFBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-09Avast DecodedIgor Morgenstern, Luigino Camastra
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX PolPo Tmanger
2020-12-09CiscoCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09FireEyeMitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-09Avast DecodedIgor Morgenstern, Luigino Camastra
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger TA428
2020-12-08Cobalt StrikeRaphael Mudge
A Red Teamer Plays with JARM
Cobalt Strike
2020-12-02Red Canarytwitter (@redcanary)
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01mez0.ccmez0
Cobalt Strike PowerShell Execution
Cobalt Strike
2020-12-01360.cnjindanlong
Hunting Beacons
Cobalt Strike
2020-11-30FireEyeMitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-30MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike
2020-11-27MacnicaHiroshi Takeuchi
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-27PTSecurityAlexey Vishnyakov, Denis Goydenko
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-11-26CybereasonCybereason Nocturnus, Lior Rochberger
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-25SentinelOneJim Walter
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor
2020-11-23ProofpointProofpoint Threat Research Team
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX MUSTANG PANDA
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20F-Secure LabsRiccardo Ancarani
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike
2020-11-20Trend MicroAbraham Camba, Bren Matthew Ebriega, Gilbert Sison
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX
2020-11-20360 netlabJiaYu
Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike
2020-11-17Salesforce EngineeringJohn Althouse
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot
2020-11-17cybleCyble
OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-11-15TrustnetMichael Wainshtain
From virus alert to PowerShell Encrypted Loader
Cobalt Strike
2020-11-09Bleeping ComputerIonut Ilascu
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-11-06Cobalt StrikeRaphael Mudge
Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike
2020-11-06Palo Alto Networks Unit 42CRYPSIS, Drew Schmitt, Ryan Tracey
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06Advanced IntelligenceVitali Kremez
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-06VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32
2020-11-05Twitter (@ffforward)TheAnalyst
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-11-05The DFIR ReportThe DFIR Report
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-04SophosGabor Szappanos
A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX
2020-11-04VMRayGiovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-11-03InfoSec Handlers Diary BlogRenato Marinho
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-29RiskIQRiskIQ
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk
2020-10-29Red CanaryThe Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-29Github (Swisscom)Swisscom CSIRT
List of CobaltStrike C2's used by RYUK
Cobalt Strike
2020-10-28FireEyeDouglas Bienstock, Jeremy Kennelly, Joshua Shilko, Kimberly Goody, Steve Elovitz
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-27Sophos Managed Threat Response (MTR)Greg Iddon
MTR Casebook: An active adversary caught in the act
Cobalt Strike
2020-10-27Dr.WebDr.Web
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-10-18The DFIR ReportThe DFIR Report
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-14RiskIQJon Gross, Steve Ginty
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike
2020-10-14SophosSean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-11Github (StrangerealIntel)StrangerealIntel
Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-08Bayerischer RundfunkAnn-Kathrin Wetter, Hakan Tanriverdi, Kai Biermann, Max Zierer, Thi Do Nguyen
There is no safe place
Cobalt Strike
2020-10-08The DFIR ReportThe DFIR Report
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-01WiredAndy Greenberg
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-10-01US-CERTUS-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-29Github (Apr4h)Apra
CobaltStrikeScan
Cobalt Strike
2020-09-29CrowdStrikeKareem Hamdan, Lucas Miller
Getting the Bacon from the Beacon
Cobalt Strike
2020-09-24MicrosoftBen Koehl, Joe Hannon, Microsoft Identity Security Team
Microsoft Security—detecting empires in the cloud
CACTUSTORCH LazyCat APT40
2020-09-24US-CERTUS-CERT
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2020-09-23SeqriteGoutam Tripathy, Kalpesh Mantri, Pawan CHaudhari
Operation SideCopy: An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for years
CACTUSTORCH AllaKore
2020-09-21Cisco TalosJoe Marshall, JON MUNSHAW, Nick Mavis
The art and science of detecting Cobalt Strike
Cobalt Strike
2020-09-18SymantecThreat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-09-18Trend MicroTrend Micro
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock
2020-09-15US-CERTUS-CERT
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities
CHINACHOPPER Fox Kitten
2020-09-15Recorded FutureInsikt Group®
Back Despite Disruption: RedDelta Resumes Operations
PlugX
2020-09-15US-CERTUS-CERT
Malware Analysis Report (AR20-259A): Iranian Web Shells
CHINACHOPPER
2020-09-11ThreatConnectThreatConnect Research Team
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33
2020-09-03Viettel Cybersecurityvuonglvm
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike
2020-09-01Cisco TalosCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-20Seebug PaperMalayke
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2
2020-08-19TEAMT5TeamT5
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike Waterbear
2020-08-14Twitter (@VK_intel)Vitali Kremez
Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader
2020-08-06WiredAndy Greenberg
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon
2020-07-29Recorded FutureInsikt Group
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28NTTNTT Security
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-26Shells.System blogAskar
In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike
2020-07-22On the HuntNewton Paul
Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike
2020-07-21Department of JusticeDepartment of Justice
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research
CHINACHOPPER BRONZE SPRING
2020-07-21MalwarebytesHossein Jazi, Jérôme Segura
Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot Evasive Panda
2020-07-20Dr.WebDr.Web
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-07-20Risky.bizDaniel Gordon
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-07-20or10nlabsoR10n
Reverse Engineering the New Mustang Panda PlugX Downloader
PlugX
2020-07-15ZDNetCatalin Cimpanu
Chinese state hackers target Hong Kong Catholic Church
PlugX
2020-07-10ByteAtlasDaniel Plohmann
Knowledge Fragment: Casting Sandbox Necromancy on DADSTACHE
DADSTACHE
2020-07-07MWLabLadislav Bačo
Cobalt Strike stagers used by FIN6
Cobalt Strike
2020-07-05or10nlabsoR10n
Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
PlugX
2020-07-01ContextisLampros Noutsos, Oliver Fay
DLL Search Order Hijacking
Cobalt Strike PlugX
2020-06-25ElasticDaniel Stepanic, Samir Bousseaden
A close look at the advanced techniques used in a Malaysian-focused APT campaign
DADSTACHE APT40
2020-06-23NCC GroupMichael Sandee, Nikolaos Pantazopoulos, Stefano Antenucci
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020-06-23SymantecCritical Attack Discovery and Intelligence Team
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil
2020-06-22Talos IntelligenceAsheer Malhotra
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop
2020-06-22Sentinel LABSJason Reaves, Joshua Platt
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-19ZscalerAtinderpal Singh, Nirmal Singh, Sahil Antil
Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike
2020-06-19Youtube (Raphael Mudge)Raphael Mudge
Beacon Object Files - Luser Demo
Cobalt Strike
2020-06-18Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020-06-17MalwarebytesHossein Jazi, Jérôme Segura
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike
2020-06-15NCC GroupExploit Development Group
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike
2020-06-14BushidoTokenBushidoToken
Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-09Github (Sentinel-One)Gal Kristal
CobaltStrikeParser
Cobalt Strike
2020-06-05PrevailionDanny Adamitis
The Gh0st Remains the Same
Ghost RAT
2020-06-04PTSecurityPT ESC Threat Intelligence
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020-06-03Kaspersky LabsGiampaolo Dedola, GReAT, Mark Lechtik
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing
2020-06-02Lab52Jagaimo Kawaii
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX
2020-05-24or10nlabsoR10n
Reverse Engineering the Mustang Panda PlugX Loader
PlugX
2020-05-20Medium Asuna AmawakaAsuna Amawaka
What happened between the BigBadWolf and the Tiger?
Ghost RAT
2020-05-15Twitter (@stvemillertime)Steve Miller
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX
2020-05-14Lab52Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-14Avast DecodedLuigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2020-05-11SentinelOneGal Kristal
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike
2020-05-01Viettel CybersecurityCyberthreat
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX
2020-04-24The DFIR ReportThe DFIR Report
Ursnif via LOLbins
Cobalt Strike LOLSnif TeamSpy
2020-04-16Medium CyCraftCyCraft Technology Corp
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Red Charon
2020-04-07BlackberryBlackberry Research
Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android
Penquin Turla XOR DDoS ZXShell
2020-04-02DarktraceMax Heinemeyer
Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike
2020-03-26VMWare Carbon BlackScott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-03-25FireEyeChristopher Glyer, Dan Perez, Sarah Jones, Steve Miller
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike
2020-03-25Wilbur SecurityJW
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-22Malware and StuffAndreas Klopsch
Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike
2020-03-22AnomaliAnomali Threat Research
COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication
PlugX
2020-03-20RECON INFOSECLuke Rusten
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)
Cobalt Strike
2020-03-19VinCSSm4n0w4r
Analysis of malware taking advantage of the Covid-19 epidemic to spread fake "Directive of Prime Minister Nguyen Xuan Phuc" - Part 2
PlugX
2020-03-15insomniacs(Medium)Asuna Amawaka
Dad! There’s A Rat In Here!
DADSTACHE
2020-03-10insomniacs(Medium)Asuna Amawaka
APT40 goes from Template Injections to OLE-Linkings for payload delivery
DADSTACHE
2020-03-10VinCSSm4n0w4r
[RE012] Analysis of malware taking advantage of the Covid-19 epidemic to spread fake "Directive of Prime Minister Nguyen Xuan Phuc" - Part 1
PlugX
2020-03-05SophosLabsSergei Shevchenko
Cloud Snooper Attack Bypasses AWS Security Measures
Cloud Snooper Ghost RAT
2020-03-04Cobalt StrikeRaphael Mudge
Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-03-02Virus BulletinAlex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2020-02-21ADEO DFIRADEO DFIR
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-20McAfeeChristiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-02-19FireEyeFireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18Cisco TalosVanja Svajcer
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz
2020-02-18Trend MicroCedric Pernet, Daniel Lunghi, Jamz Yaneza, Kenney Lu
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-17Talent-Jump TechnologiesTheo Chen, Zero Chen
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-08MyCERTMyCERT
MA-774.022020: MyCERT Advisory - Espionage Campaign Based On Technical Indicators
APT40
2020-02-07Medium SebdravenSébastien Larinier
APT 40 in Malaysia
DADJOKE
2020-01-31AviraShahab Hamzeloofard
New wave of PlugX targets Hong Kong
PlugX
2020-01-31YouTube (Context Information Security)Contextis
New AVIVORE threat group – how they operate and managing the risk
PlugX
2020-01-29nao_sec blognao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-15IntrusiontruthIntrusiontruth
Hainan Xiandun Technology Company is APT40
APT40
2020-01-14IntrusiontruthIntrusiontruth
Who is Mr Ding?
APT40
2020-01-13Lab52Jagaimo Kawaii
APT27 ZxShell RootKit module updates
ZXShell
2020-01-13IntrusiontruthIntrusiontruth
Who else works for this cover company network?
APT40
2020-01-10IntrusiontruthIntrusiontruth
Who is Mr Gu?
APT40
2020-01-09IntrusiontruthIntrusiontruth
What is the Hainan Xiandun Technology Development Company?
APT40
2020-01-03Youtube (BSides Belfast)Brian Bartholomew
Nice One, Dad: Dissecting A Rare Malware Used By Leviathan
DADJOKE
2020-01-01SecureworksSecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020-01-01SecureworksSecureWorks
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA
2020-01-01FireEyeMandiant, Mitchell Clarke, Tom Hall
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL
2020-01-01SecureworksSecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2020-01-01SecureworksSecureWorks
BRONZE EDISON
Ghost RAT sykipot APT4 SAMURAI PANDA
2020-01-01SecureworksSecureWorks
BRONZE OLIVE
ANGRYREBEL PlugX APT22
2020-01-01SecureworksSecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2020-01-01SecureworksSecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2020-01-01SecureworksSecureWorks
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
2020-01-01SecureworksSecureWorks
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK
2020-01-01SecureworksSecureWorks
GOLD DUPONT
Cobalt Strike Defray PyXie GOLD DUPONT
2020-01-01SecureworksSecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2020-01-01SecureworksSecureWorks
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2020-01-01SecureworksSecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020-01-01SecureworksSecureWorks
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2020-01-01DragosJoe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2020-01-01SecureworksSecureWorks
BRONZE GLOBE
EtumBot Ghost RAT APT12
2020-01-01SecureworksSecureWorks
BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020-01-01SecureworksSecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2020-01-01SecureworksSecureWorks
BRONZE WOODLAND
PlugX Zeus Roaming Tiger
2020-01-01SecureworksSecureWorks
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26
2019-12-29SecureworksCTU Research Team
BRONZE PRESIDENT Targets NGOs
PlugX
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-05Github (blackorbird)blackorbird
APT32 Report
Cobalt Strike
2019-12-05Raphael Mudge
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike
2019-11-29DeloitteThomas Thomasen
Cyber Threat Intelligence & Incident Response
Cobalt Strike
2019-11-28Twitter (@cyb3rops)Florian Roth
Tweet on Signature Writing for DADJOKE
DADSTACHE
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-16Silas Cutler's BlogSilas Cutler
Fresh PlugX October 2019
PlugX
2019-11-11Virus BulletinHiroshi Soeda, Shusei Tomonaga, Tomoaki Tani, Wataru Takahashi
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX
2019-11-05tccontre Blogtccontre
CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike
2019-11-05Brian Bartholomew
DADJOKE
DADJOKE
2019-11-04TencentTencent Security Mikan TIC
APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-10-31PTSecurityPTSecurity
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX
2019-10-22ContextisContextis
AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)
PlugX Avivore
2019-10-03Palo Alto Networks Unit 42Alex Hinchliffe
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX
2019-10-03ComputerWeeklyAlex Scroxton
New threat group behind Airbus cyber attacks, claim researchers
PlugX Avivore
2019-09-23MITREMITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-09-22Check Point ResearchCheck Point Research
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-09-19MeltX0R
Emissary Panda APT: Recent infrastructure and RAT analysis
ZXShell
2019-09-17TalosChristopher Evans, David Liebenberg
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-09-02VolexityAndrew Case, Matthew Meltzer, Steven Adair
Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs
scanbox POISON CARP
2019-08-27Cisco TalosPaul Rascagnères, Vanja Svajcer
China Chopper still active 9 years later
CHINACHOPPER
2019-08-19FireEyeAlex Pennino, Matt Bromiley
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON
2019-08-13奇安信威胁情报中心
洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露
DADJOKE
2019-07-26Twitter (@a_tweeter_user)a_tweeter_user
Tweet on Malware
DADJOKE
2019-07-24IntrusiontruthIntrusiontruth
APT17 is run by the Jinan bureau of the Chinese Ministry of State Security
BLACKCOFFEE
2019-06-25CybereasonCybereason Nocturnus
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2019-06-19YouTube (44CON Information Security Conference)Kevin O’Reilly
The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware
PlugX
2019-06-13Sekoiasekoia
Hunting and detecting Cobalt Strike
Cobalt Strike
2019-06-04BitdefenderBitdefender
An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike
2019-06-03FireEyeChi-en Shen
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust
2019-05-28Palo Alto Networks Unit 42Robert Falcone, Tom Lancaster
Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER HyperSSL
2019-05-24FortinetBen Hunter
Uncovering new Activity by APT10
PlugX Quasar RAT
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-04-30Council on Foreign RelationsCyber Operations Tracker
APT 40
APT40
2019-04-25DATANETKim Seon-ae
Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT
2019-04-24WeixinTencent
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE
2019-04-22Twitter (@killamjr)Suspicious Link
Tweet on DADSTACHE payload
DADSTACHE
2019-04-15PenTestPartnersNeil Lines
Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike
2019-04-11FireEyeFireEye
M-Trend 2019
GRILLMARK
2019-04-01Macnica NetworksMacnica Networks
OceanLotus Attack on Southeast Asian Automotive Industry
CACTUSTORCH Cobalt Strike
2019-04-01Macnica NetworksMacnica Networks
Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2019-03-27Twitter (@ClearskySec)ClearSky Cyber Security
Tweet on "Timelines - ECRL.docx"
DADJOKE
2019-03-24One Night in NorfolkKevin Perlow
JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown
2019-03-19NSHCThreatRecon Team
SectorM04 Targeting Singapore – An Analysis
PlugX Termite
2019-03-14TrustwaveSimon Kenin
Attacker Tracking Users Seeking Pakistani Passport
scanbox
2019-03-05AccentureAccenture
MUDCARP's Focus on Submarine Technologies
8.t Dropper APT40
2019-03-04FireEyeBen Read, Fred Plan, Jacqueline O’Leary, Nalani Fraser, Vincent Cannon
APT40: Examining a China-Nexus Espionage Actor
LunchMoney APT40
2019-02-27SecureworksCTU Research Team
A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-02-27MorphisecAlon Groisman, Michael Gorelik
New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike
2019-02-26Fox-ITFox IT
Identifying Cobalt Strike team servers in the wild
Cobalt Strike
2019-02-26YoroiZLAB-Yoroi
The Arsenal Behind the Australian Parliament Hack
LazyCat powerkatz Unidentified 057
2019-02-19Twitter (@MrDanPerez)Dan Perez
APT40 dropper
LunchMoney
2019-01-07IntezerIgnacio Sanmillan
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2019-01-01MITREMITRE ATT&CK
Group description: Leviathan
APT40
2019-01-01CrowdStrikeCrowdStrike
2019 CrowdStrike Global Threat Report
APT40 BOSS SPIDER FIN6 Flash Kitten GURU SPIDER LUNAR SPIDER NOMAD PANDA PINCHY SPIDER RATPAK SPIDER SALTY SPIDER TINY SPIDER
2019-01-01MITREMITRE ATT&CK
Tool description: NanHaiShu
NanHaiShu
2019-01-01Virus BulletinBowen Pan, Lion Gu
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell
2019-01-01MITREMITRE ATT&CK
Tool description: BLACKCOFFEE
BLACKCOFFEE
2019-01-01MITREMITRE ATT&CK
Tool description: China Chopper
CHINACHOPPER
2018-12-20CoderctoCodercto
Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies
CACTUSTORCH
2018-12-14Australian Cyber Security CentreASD
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves
2018-11-19FireEyeAndrew Thompson, Ben Withnell, Jonathan Leathery, Matthew Dunwoody, Michael Matonis, Nick Carr
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike
2018-11-18Stranded on Pylos BlogJoe
CozyBear – In from the Cold?
Cobalt Strike APT29
2018-11-13Recorded FutureInsikt Group
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
SeDll APT40
2018-10-01Macnica NetworksMacnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-10-01FireEyeKatie Nickels, Regina Elwell
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2018-10-01Group-IBGroup-IB
Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter
2018-09-19Möbius Strip Reverse EngineeringRolf Rolles
Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-08-21Trend MicroJaromír Hořejší, Joseph C Chen, Kawabata Kohei, Kenney Lu
Operation Red Signature Targets South Korean Companies
9002 RAT PlugX
2018-08-03JPCERT/CCTakuya Endo, Yukako Uchida
Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike
2018-07-31Medium SebdravenSébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper PlugX 1937CN
2018-07-31Github (JPCERTCC)JPCERT/CC
Scanner for CobaltStrike
Cobalt Strike
2018-07-11FireEyeBen Read, Ben Wilson, Dan Perez, Marcin Siedlarz, Scott Henderson, Steve Miller
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
AIRBREAK APT40
2018-05-21LACYoshihiro Ishikawa
Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike
2018-05-09COUNT UPON SECURITYLuis Rocha
Malware Analysis - PlugX - Part 2
PlugX
2018-04-20NCC GroupNikolaos Pantazopoulos
Decoding network data from a Gh0st RAT variant
Ghost RAT APT27
2018-04-17NCC GroupNikolaos Pantazopoulos
Decoding network data from a Gh0st RAT variant
Ghost RAT APT27
2018-03-30Kahu SecurityKahu Security
Reflow JavaScript Backdoor
AIRBREAK
2018-03-30AmosSysFlorent Saudel
BADFLICK is not so bad!
badflick
2018-03-16FireEyeFireEye
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40
2018-03-13Kaspersky LabsDenis Makrushin, Yury Namestnikov
Time of death? A therapeutic postmortem of connected medicine
PlugX
2018-02-04COUNT UPON SECURITYLuis Rocha
MALWARE ANALYSIS – PLUGX
PlugX
2018-02-01BitdefenderBitdefender Team
Operation PZCHAO Inside a highly specialized espionage infrastructure
Ghost RAT APT27
2018-01-04Malware Traffic AnalysisBrad Duncan
MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2017-12-20CrowdStrikeAdam Kozy
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER
2017-12-19ProofpointDarien Huss
North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-12-19ProofpointDarien Huss
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-18LACYoshihiro Ishikawa
Relationship between PlugX and attacker group "DragonOK"
PlugX
2017-11-16Github (mdsecactivebreach)Vincent Yiu
CACTUSTORCH: Payload Generation for Adversary Simulations
CACTUSTORCH
2017-10-16ProofpointAxel F, Pierre T
Leviathan: Espionage actor spearphishes maritime and defense targets
NanHaiShu SeDll APT40
2017-06-27Palo Alto Networks Unit 42Esmid Idrizovic, Tom Lancaster
Paranoid PlugX
PlugX
2017-06-06FireEyeIan Ahl
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike
2017-06-06MandiantIan Ahl
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike APT19
2017-05-31MITREMITRE ATT&CK
Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2017-05-31MITREMITRE ATT&CK
PittyTiger
Enfal Ghost RAT MimiKatz Poison Ivy APT24
2017-05-31MITREMITRE
APT18
Ghost RAT HttpBrowser APT18
2017-05-31MITREMITRE ATT&CK
APT17
BLACKCOFFEE APT17
2017-04-27US-CERTUS-CERT
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves
2017-04-26Youtube (Kaspersky)Kaspersky
China's Evolving Cyber Operations: A Look into APT19's Shift in Tactics
Cobalt Strike APT19
2017-04-03JPCERT/CCShusei Tomonaga
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves Trochilus RAT
2017-04-01PricewaterhouseCoopersPricewaterhouseCoopers
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2017-02-25Financial Security InstituteKyoung-Ju Kwak (郭炅周)
Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2017-02-21JPCERT/CCShusei Tomonaga
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX
2017-02-13RSARSA Research
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX
2016-10-28Github (smb01)smb01
zxshell repository
ZXShell
2016-10-11SymantecSymantec Security Response
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff
2016-08-25MalwarebytesMalwarebytes Labs
Unpacking the spyware disguised as antivirus
PlugX
2016-08-05F-SecureF-Secure Labs
NANHAISHU: RATing the South China Sea
NanHaiShu
2016-06-13Macnica NetworksMacnica Networks
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX
2016-04-22CylanceIsaac Palmer
The Ghost Dragon
Ghost RAT
2016-03-02RSA ConferenceVanja Svajcer
Dissecting Derusbi
Derusbi
2016-01-22RSA LinkNorton Santos
PlugX APT Malware
PlugX
2015-12-15Airbus Defence & SpaceFabien Perigaud
Newcomers in the Derusbi family
Derusbi
2015-10-08Virus BulletinEric Leung, Micky Pun, Neo Tan
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-08-01Arbor NetworksASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9
2015-06-24SpiceworksChris Miller
Stealthy Cyberespionage Campaign Attacks With Social Engineering
NanHaiShu
2015-05-18Tetsuji Tanigawa
TT Malware Log
BLACKCOFFEE
2015-05-01FireEyeFireEye
HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC
BLACKCOFFEE
2015-04-15Kaspersky LabsCostin Raiu, Maxim Golovkin
The Chronicles of the Hellsing APT: the Empire Strikes Back
GRILLMARK Hellsing
2015-04-14Youtube (Kaspersky)Kris McConkey
Following APT OpSec failures
BLACKCOFFEE Mangzamel APT17
2015-02-27ThreatConnectThreatConnect Research Team
The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-27InfoSec InstituteRyan Mazerik
ScanBox Framework
scanbox
2015-02-06CrowdStrikeCrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2015-01-29JPCERT/CCShusei Tomonaga
Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX
2014-11-01NovettaNovetta
ZoxPNG Analysis
BLACKCOFFEE
2014-10-28CiscoAlain Zidouemba, Andrea Allievi, Douglas Goddard, Shaun Hurley
Threat Spotlight: Group 72, Opening the ZxShell
ZXShell
2014-10-28NovettaNovetta
Derusbi (Server Variant) Analysis
Derusbi
2014-08-28AT&TJaime Blasco
Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
scanbox
2014-06-27SophosLabsGabor Szappanos
PlugX - The Next Generation
PlugX
2014-06-10FireEyeMike Scott
Clandestine Fox, Part Deux
PlugX
2014-01-06AirbusFabien Perigaud
PlugX: some uncovered points
PlugX
2014-01-01RSARSA Research
RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi
2013-08-07FireEyeDennis Hanzlik, Ian Ahl, Tony Lee
Breaking Down the China Chopper Web Shell - Part I
CHINACHOPPER
2013-03-29Computer Incident Response Center LuxembourgCIRCL
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX
2013-03-26ContextisKevin O’Reilly
PlugX–Payload Extraction
PlugX
2013-02-27Trend MicroAbraham Camba
BKDR_RARSTONE: New RAT to Watch Out For
PlugX Naikon
2012-02-10tracker.h3x.euMalware Corpus Tracker
Info for Family: plugx
PlugX
2012-01-01Cobalt StrikeCobalt Strike
Cobalt Strike Website
Cobalt Strike
2012-01-01Norman ASASnorre Fagerland
The many faces of Gh0st Rat
Ghost RAT
2011-06-29SymantecJohn McDonald
Inside a Back Door Attack
Ghost RAT Dust Storm
2009-03-28Infinitum LabsInformation Warfare Monitor
Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet

Credits: MISP Project