aka: TEMP.Periscope, TEMP.Jumper, APT 40, APT40, BRONZE MOHAWK, GADOLINIUM, Kryptonite Panda, G0065, ATK29
Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.
2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs
@online{labs:20220628:zuorat:f60583e,
author = {Black Lotus Labs},
title = {{ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks}},
date = {2022-06-28},
organization = {Lumen},
url = {https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/},
language = {English},
urldate = {2022-06-30}
}
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
ZuoRAT Cobalt Strike |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov
@online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad |
2022-06-26 ⋅ BushidoToken
@online{bushidotoken:20220626:overview:97370ff,
author = {BushidoToken},
title = {{Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022}},
date = {2022-06-26},
url = {https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html},
language = {English},
urldate = {2022-06-27}
}
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
Cobalt Strike EnvyScout |
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20220623:bronze:8bccd74,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
date = {2022-06-23},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
language = {English},
urldate = {2022-06-27}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora Rook |
2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere
@online{costa:20220621:avos:b60a2ad,
author = {Flavio Costa and Chris Neal and Guilherme Venere},
title = {{Avos ransomware group expands with new attack arsenal}},
date = {2022-06-21},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html},
language = {English},
urldate = {2022-06-22}
}
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz |
2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan
@online{duncan:20220617:malspam:25c76a4,
author = {Brad Duncan},
title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}},
date = {2022-06-17},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28752},
language = {English},
urldate = {2022-06-22}
}
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus |
2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Venkat Rajgor, Felipe Duarte
@techreport{lomboni:20220615:backdoor:8d43d9e,
author = {Charles Lomboni and Venkat Rajgor and Felipe Duarte},
title = {{Backdoor via XFF: Mysterious Threat Actor Under Radar}},
date = {2022-06-15},
institution = {Security Joes},
url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf},
language = {English},
urldate = {2022-06-16}
}
Backdoor via XFF: Mysterious Threat Actor Under Radar
CHINACHOPPER |
2022-06-07 ⋅ cyble ⋅ Cyble
@online{cyble:20220607:bumblebee:9f2dc4a,
author = {Cyble},
title = {{Bumblebee Loader on The Rise}},
date = {2022-06-07},
organization = {cyble},
url = {https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/},
language = {English},
urldate = {2022-06-09}
}
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike |
2022-06-07 ⋅ AdvIntel ⋅ Vitali Kremez, Marley Smith, Yelisey Boguslavskiy
@online{kremez:20220607:blackcat:3dc977e,
author = {Vitali Kremez and Marley Smith and Yelisey Boguslavskiy},
title = {{BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive}},
date = {2022-06-07},
organization = {AdvIntel},
url = {https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive},
language = {English},
urldate = {2022-06-08}
}
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike |
2022-06-06 ⋅ Trellix ⋅ Trelix
@online{trelix:20220606:growling:14f9f75,
author = {Trelix},
title = {{Growling Bears Make Thunderous Noise}},
date = {2022-06-06},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html},
language = {English},
urldate = {2022-06-08}
}
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate |
2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
@online{m4n0w4r:20220604:quicknote:dc79142,
author = {m4n0w4r and Tran Trung Kien},
title = {{[QuickNote] CobaltStrike SMB Beacon Analysis}},
date = {2022-06-04},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/},
language = {English},
urldate = {2022-06-07}
}
[QuickNote] CobaltStrike SMB Beacon Analysis
Cobalt Strike |
2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
@online{wells:20220603:attack:5e4e9c6,
author = {Jackson Wells and AttackIQ Adversary Research Team},
title = {{Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group}},
date = {2022-06-03},
organization = {AttackIQ},
url = {https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/},
language = {English},
urldate = {2022-06-18}
}
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz |
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
@online{intelligence:20220602:to:e15831c,
author = {Mandiant Intelligence},
title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions},
language = {English},
urldate = {2022-06-04}
}
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
2022-06-02 ⋅ Mandiant ⋅ Mandiant
@online{mandiant:20220602:trending:0bcdbc4,
author = {Mandiant},
title = {{TRENDING EVIL Q2 2022}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://experience.mandiant.com/trending-evil-2/p/1},
language = {English},
urldate = {2022-06-07}
}
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot |
2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
@online{stepanic:20220601:cuba:333f7c1,
author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease},
title = {{CUBA Ransomware Campaign Analysis}},
date = {2022-06-01},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis},
language = {English},
urldate = {2022-06-09}
}
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC |
2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
@online{reaves:20220525:socgholish:f876e0e,
author = {Jason Reaves and Joshua Platt},
title = {{SocGholish Campaigns and Initial Access Kit}},
date = {2022-05-25},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee},
language = {English},
urldate = {2022-06-02}
}
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT |
2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin
@online{goutin:20220524:malware:e85b49b,
author = {Florian Goutin},
title = {{Malware Analysis: Trickbot}},
date = {2022-05-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html},
language = {English},
urldate = {2022-05-29}
}
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot |
2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight
@online{batista:20220524:emotet:cae57f1,
author = {João Batista and Pedro Umbelino and BitSight},
title = {{Emotet Botnet Rises Again}},
date = {2022-05-24},
organization = {BitSight},
url = {https://www.bitsight.com/blog/emotet-botnet-rises-again},
language = {English},
urldate = {2022-05-25}
}
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC |
2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel
@online{reichel:20220522:introduction:47edade,
author = {Dominik Reichel},
title = {{Introduction of a PE file extractor for various situations}},
date = {2022-05-22},
organization = {R136a1},
url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/},
language = {English},
urldate = {2022-06-02}
}
Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus |
2022-05-20 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien, Dang Dinh Phuong
@online{m4n0w4r:20220520:re027:38348db,
author = {m4n0w4r and Tran Trung Kien and Dang Dinh Phuong},
title = {{[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam}},
date = {2022-05-20},
organization = {VinCSS},
url = {https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html},
language = {English},
urldate = {2022-05-20}
}
[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam
PlugX |
2022-05-20 ⋅ sonatype ⋅ Ax Sharma
@online{sharma:20220520:new:15b8bf7,
author = {Ax Sharma},
title = {{New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux}},
date = {2022-05-20},
organization = {sonatype},
url = {https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux},
language = {English},
urldate = {2022-05-24}
}
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux
Cobalt Strike |
2022-05-20 ⋅ Cybleinc ⋅ Cyble
@online{cyble:20220520:malware:c20f29f,
author = {Cyble},
title = {{Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon}},
date = {2022-05-20},
organization = {Cybleinc},
url = {https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/},
language = {English},
urldate = {2022-05-23}
}
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon
Cobalt Strike |
2022-05-20 ⋅ AhnLab ⋅ ASEC
@online{asec:20220520:why:c6efba7,
author = {ASEC},
title = {{Why Remediation Alone Is Not Enough When Infected by Malware}},
date = {2022-05-20},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/34549/},
language = {English},
urldate = {2022-05-24}
}
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide |
2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20220519:bumblebee:20c59e6,
author = {Brad Duncan},
title = {{Bumblebee Malware from TransferXL URLs}},
date = {2022-05-19},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28664},
language = {English},
urldate = {2022-05-25}
}
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike |
2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
@techreport{prodaft:20220518:wizard:e7ee1c4,
author = {PRODAFT},
title = {{Wizard Spider In-Depth Analysis}},
date = {2022-05-18},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf},
language = {English},
urldate = {2022-05-25}
}
Wizard Spider In-Depth Analysis
Cobalt Strike Conti |
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
@online{research:20220517:ransomware:7b86339,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: RansomEXX}},
date = {2022-05-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx},
language = {English},
urldate = {2022-05-25}
}
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies
@online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT |
2022-05-12 ⋅ Intel 471 ⋅ Intel 471
@online{471:20220512:what:05369d4,
author = {Intel 471},
title = {{What malware to look for if you want to prevent a ransomware attack}},
date = {2022-05-12},
organization = {Intel 471},
url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike},
language = {English},
urldate = {2022-05-13}
}
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver |
2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
@online{lambert:20220512:goot:1fc62fa,
author = {Tony Lambert and Lauren Podber},
title = {{The Goot cause: Detecting Gootloader and its follow-on activity}},
date = {2022-05-12},
organization = {Red Canary},
url = {https://redcanary.com/blog/gootloader},
language = {English},
urldate = {2022-05-13}
}
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike |
2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
@techreport{lambert:20220512:gootloader:4562030,
author = {Tony Lambert and Lauren Podber},
title = {{Gootloader and Cobalt Strike malware analysis}},
date = {2022-05-12},
institution = {Red Canary},
url = {https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf},
language = {English},
urldate = {2022-05-13}
}
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike |
2022-05-11 ⋅ NTT ⋅ Ryu Hiyoshi
@online{hiyoshi:20220511:operation:b5a845d,
author = {Ryu Hiyoshi},
title = {{Operation RestyLink: Targeted attack campaign targeting Japanese companies}},
date = {2022-05-11},
organization = {NTT},
url = {https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink},
language = {Japanese},
urldate = {2022-05-11}
}
Operation RestyLink: Targeted attack campaign targeting Japanese companies
Cobalt Strike |
2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20220511:ta578:0a0a686,
author = {Brad Duncan},
title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}},
date = {2022-05-11},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/28636},
language = {English},
urldate = {2022-05-11}
}
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader |
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker |
2022-05-09 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20220509:hiding:5e7c212,
author = {TeamT5},
title = {{Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services}},
date = {2022-05-09},
organization = {TEAMT5},
url = {https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services},
language = {English},
urldate = {2022-05-11}
}
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services
Cobalt Strike |
2022-05-09 ⋅ Qianxin Threat Intelligence Center ⋅ Red Raindrops Team
@online{team:20220509:operation:5c9c0d7,
author = {Red Raindrops Team},
title = {{Operation EviLoong: An electronic party of "borderless" hackers}},
date = {2022-05-09},
organization = {Qianxin Threat Intelligence Center},
url = {https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw},
language = {Chinese},
urldate = {2022-05-17}
}
Operation EviLoong: An electronic party of "borderless" hackers
ZXShell |
2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20220509:seo:cc8b1c2,
author = {The DFIR Report},
title = {{SEO Poisoning – A Gootloader Story}},
date = {2022-05-09},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/},
language = {English},
urldate = {2022-06-09}
}
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit |
2022-05-08 ⋅ IronNet ⋅ Michael Leardi, Joey Fitzpatrick, Brent Eskridge
@online{leardi:20220508:tracking:8f52310,
author = {Michael Leardi and Joey Fitzpatrick and Brent Eskridge},
title = {{Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine}},
date = {2022-05-08},
organization = {IronNet},
url = {https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine},
language = {English},
urldate = {2022-05-09}
}
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine
Cobalt Strike |
2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan
@online{lakshmanan:20220506:this:e7fb654,
author = {Ravie Lakshmanan},
title = {{This New Fileless Malware Hides Shellcode in Windows Event Logs}},
date = {2022-05-06},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html},
language = {English},
urldate = {2022-05-08}
}
This New Fileless Malware Hides Shellcode in Windows Event Logs
Cobalt Strike |
2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence
@online{intelligence:20220506:twitter:7a00df8,
author = {Microsoft Security Intelligence},
title = {{Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity}},
date = {2022-05-06},
organization = {Twitter (@MsftSecIntel)},
url = {https://twitter.com/MsftSecIntel/status/1522690116979855360},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit |
2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj
@online{navarrete:20220506:cobalt:8248108,
author = {Chris Navarrete and Durgesh Sangvikar and Yu Fu and Yanhui Jia and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding}},
date = {2022-05-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/},
language = {English},
urldate = {2022-05-09}
}
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike |
2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay
@online{an:20220505:mustang:cbc06e9,
author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay},
title = {{Mustang Panda deploys a new wave of malware targeting Europe}},
date = {2022-05-05},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html},
language = {English},
urldate = {2022-05-05}
}
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX |
2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix
@online{felix:20220504:twitter:0fb7e35,
author = {Felix},
title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}},
date = {2022-05-04},
organization = {Twitter (@felixw3000)},
url = {https://twitter.com/felixw3000/status/1521816045769662468},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader |
2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo
@online{legezo:20220504:new:02f705f,
author = {Denis Legezo},
title = {{A new secret stash for “fileless” malware}},
date = {2022-05-04},
organization = {Kaspersky},
url = {https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/},
language = {English},
urldate = {2022-05-09}
}
A new secret stash for “fileless” malware
Cobalt Strike |
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group
@online{group:20220503:solardeflection:5419c1a,
author = {Insikt Group},
title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}},
date = {2022-05-03},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/},
language = {English},
urldate = {2022-05-06}
}
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike |
2022-05-03 ⋅ Cluster25 ⋅ Cluster25
@online{cluster25:20220503:strange:1481afa,
author = {Cluster25},
title = {{The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet}},
date = {2022-05-03},
organization = {Cluster25},
url = {https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/},
language = {English},
urldate = {2022-05-04}
}
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet
Cobalt Strike IsaacWiper PyXie |
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20220503:solardeflection:1470221,
author = {Insikt Group®},
title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}},
date = {2022-05-03},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf},
language = {English},
urldate = {2022-05-04}
}
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike EnvyScout |
2022-05-02 ⋅ Cisco Talos ⋅ Kendall McKay, Paul Eubanks, JAIME FILSON
@techreport{mckay:20220502:conti:330e34b,
author = {Kendall McKay and Paul Eubanks and JAIME FILSON},
title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}},
date = {2022-05-02},
institution = {Cisco Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf},
language = {English},
urldate = {2022-05-04}
}
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive |
2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich
@online{chen:20220502:moshen:1969df2,
author = {Joey Chen and Amitai Ben Shushan Ehrlich},
title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}},
date = {2022-05-02},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/},
language = {English},
urldate = {2022-05-04}
}
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad |
2022-05-02 ⋅ Macnica ⋅ Hiroshi Takeuchi
@online{takeuchi:20220502:attack:8a7d966,
author = {Hiroshi Takeuchi},
title = {{Attack Campaigns that Exploit Shortcuts and ISO Files}},
date = {2022-05-02},
organization = {Macnica},
url = {https://security.macnica.co.jp/blog/2022/05/iso.html},
language = {Japanese},
urldate = {2022-05-03}
}
Attack Campaigns that Exploit Shortcuts and ISO Files
Cobalt Strike |
2022-04-28 ⋅ PWC ⋅ PWC UK
@techreport{uk:20220428:cyber:c43873f,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Red Menshen |
2022-04-28 ⋅ Mandiant ⋅ John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby
@online{wolfram:20220428:trello:dab21ca,
author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby},
title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}},
date = {2022-04-28},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns},
language = {English},
urldate = {2022-04-29}
}
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Cobalt Strike |
2022-04-27 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20220427:bronze:34ac36a,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX}},
date = {2022-04-27},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx},
language = {English},
urldate = {2022-04-29}
}
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX
PlugX |
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší
@online{lunghi:20220427:new:9068f6e,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
date = {2022-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
language = {English},
urldate = {2022-05-04}
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
AsyncRAT Ghost RAT PlugX Quasar RAT |
2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter
@online{haughom:20220427:lockbit:da3d5d1,
author = {James Haughom and Júlio Dantas and Jim Walter},
title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}},
date = {2022-04-27},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/},
language = {English},
urldate = {2022-04-29}
}
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit |
2022-04-27 ⋅ Mandiant ⋅ Mandiant
@online{mandiant:20220427:assembling:a7068b9,
author = {Mandiant},
title = {{Assembling the Russian Nesting Doll: UNC2452 Merged into APT29}},
date = {2022-04-27},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2452-merged-into-apt29},
language = {English},
urldate = {2022-04-29}
}
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
Cobalt Strike Raindrop SUNBURST TEARDROP |
2022-04-27 ⋅ ANSSI ⋅ ANSSI
@techreport{anssi:20220427:le:5d47343,
author = {ANSSI},
title = {{LE GROUPE CYBERCRIMINEL FIN7}},
date = {2022-04-27},
institution = {ANSSI},
url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf},
language = {French},
urldate = {2022-05-05}
}
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot |
2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin
@online{flores:20220426:how:28d9476,
author = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin},
title = {{How Cybercriminals Abuse Cloud Tunneling Services}},
date = {2022-04-26},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services},
language = {English},
urldate = {2022-05-03}
}
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT |
2022-04-26 ⋅ Intel 471 ⋅ Intel 471
@online{471:20220426:conti:6bcff7d,
author = {Intel 471},
title = {{Conti and Emotet: A constantly destructive duo}},
date = {2022-04-26},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks},
language = {English},
urldate = {2022-04-29}
}
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot |
2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs
@online{labs:20220425:new:7b1c795,
author = {Morphisec Labs},
title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}},
date = {2022-04-25},
organization = {Morphisec},
url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor},
language = {English},
urldate = {2022-04-29}
}
New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader |
2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20220425:quantum:128d2b3,
author = {The DFIR Report},
title = {{Quantum Ransomware}},
date = {2022-04-25},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/},
language = {English},
urldate = {2022-04-25}
}
Quantum Ransomware
Cobalt Strike IcedID |
2022-04-21 ⋅ ZeroSec ⋅ Andy Gill
@online{gill:20220421:understanding:65e50fe,
author = {Andy Gill},
title = {{Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6}},
date = {2022-04-21},
organization = {ZeroSec},
url = {https://blog.zsec.uk/cobalt-strike-profiles/},
language = {English},
urldate = {2022-04-24}
}
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6
Cobalt Strike |
2022-04-19 ⋅ Blake's R&D ⋅ bmcder02
@online{bmcder02:20220419:extracting:3e827cf,
author = {bmcder02},
title = {{Extracting Cobalt Strike from Windows Error Reporting}},
date = {2022-04-19},
organization = {Blake's R&D},
url = {https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting},
language = {English},
urldate = {2022-04-20}
}
Extracting Cobalt Strike from Windows Error Reporting
Cobalt Strike |
2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia
@online{ovadia:20220419:hive:51c5eb7,
author = {Nadav Ovadia},
title = {{Hive Ransomware Analysis}},
date = {2022-04-19},
organization = {Varonis},
url = {https://www.varonis.com/blog/hive-ransomware-analysis},
language = {English},
urldate = {2022-04-25}
}
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz |
2022-04-18 ⋅ vanmieghem ⋅ Vincent Van Mieghem
@online{mieghem:20220418:blueprint:c4009ef,
author = {Vincent Van Mieghem},
title = {{A blueprint for evading industry leading endpoint protection in 2022}},
date = {2022-04-18},
organization = {vanmieghem},
url = {https://vanmieghem.io/blueprint-for-evading-edr-in-2022/},
language = {English},
urldate = {2022-04-20}
}
A blueprint for evading industry leading endpoint protection in 2022
Cobalt Strike |
2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}},
date = {2022-04-18},
organization = {AdvIntel},
url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group},
language = {English},
urldate = {2022-05-17}
}
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive |
2022-04-18 ⋅ SentinelOne ⋅ James Haughom
@online{haughom:20220418:from:b73f12b,
author = {James Haughom},
title = {{From the Front Lines | Peering into A PYSA Ransomware Attack}},
date = {2022-04-18},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/},
language = {English},
urldate = {2022-04-20}
}
From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza |
2022-04-14 ⋅ NSHC RedAlert Labs ⋅ NSHC Threatrecon Team
@online{team:20220414:hacking:62e1b17,
author = {NSHC Threatrecon Team},
title = {{Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB}},
date = {2022-04-14},
organization = {NSHC RedAlert Labs},
url = {https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/},
language = {English},
urldate = {2022-04-15}
}
Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB
PlugX |
2022-04-14 ⋅ Cynet ⋅ Max Malyutin
@online{malyutin:20220414:orion:9db6814,
author = {Max Malyutin},
title = {{Orion Threat Alert: Flight of the BumbleBee}},
date = {2022-04-14},
organization = {Cynet},
url = {https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/},
language = {English},
urldate = {2022-05-04}
}
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike |
2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
@online{team:20220413:dismantling:ace8546,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware}},
date = {2022-04-13},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/},
language = {English},
urldate = {2022-04-14}
}
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader |
2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka
@online{boutin:20220413:eset:7463437,
author = {Jean-Ian Boutin and Tomáš Procházka},
title = {{ESET takes part in global operation to disrupt Zloader botnets}},
date = {2022-04-13},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/},
language = {English},
urldate = {2022-04-14}
}
ESET takes part in global operation to disrupt Zloader botnets
Cobalt Strike Zloader |
2022-04-12 ⋅ Max Kersten's Blog ⋅ Max Kersten
@online{kersten:20220412:ghidra:4afe367,
author = {Max Kersten},
title = {{Ghidra script to handle stack strings}},
date = {2022-04-12},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/},
language = {English},
urldate = {2022-04-20}
}
Ghidra script to handle stack strings
CaddyWiper PlugX |
2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya
@online{bykkaya:20220408:threat:cbbf292,
author = {Arda Büyükkaya},
title = {{Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team}},
date = {2022-04-08},
organization = {Infinitum Labs},
url = {https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/},
language = {English},
urldate = {2022-04-08}
}
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz |
2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team
@online{team:20220407:you:2d088bc,
author = {Splunk Threat Research Team},
title = {{You Bet Your Lsass: Hunting LSASS Access}},
date = {2022-04-07},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html},
language = {English},
urldate = {2022-05-04}
}
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz |
2022-04-07 ⋅ InQuest ⋅ Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a,
author = {Will MacArthur and Nick Chalard},
title = {{Ukraine CyberWar Overview}},
date = {2022-04-07},
organization = {InQuest},
url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview},
language = {English},
urldate = {2022-04-29}
}
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate |
2022-04-06 ⋅ Github (infinitumlabs) ⋅ Arda Büyükkaya
@online{bykkaya:20220406:karakurt:7471190,
author = {Arda Büyükkaya},
title = {{Karakurt Hacking Team Indicators of Compromise (IOC)}},
date = {2022-04-06},
organization = {Github (infinitumlabs)},
url = {https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI},
language = {English},
urldate = {2022-04-08}
}
Karakurt Hacking Team Indicators of Compromise (IOC)
Cobalt Strike |
2022-04-04 ⋅ Mandiant ⋅ Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
@online{abdo:20220404:fin7:305d62b,
author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague},
title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}},
date = {2022-04-04},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/evolution-of-fin7},
language = {English},
urldate = {2022-06-27}
}
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite |
2022-04-01 ⋅ The Hacker News ⋅ Ravie Lakshmanan
@online{lakshmanan:20220401:chinese:0b445c6,
author = {Ravie Lakshmanan},
title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}},
date = {2022-04-01},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html},
language = {English},
urldate = {2022-04-04}
}
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili Ghost RAT |
2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
@online{pantazopoulos:20220331:continuation:b38514d,
author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team},
title = {{Conti-nuation: methods and techniques observed in operations post the leaks}},
date = {2022-03-31},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/},
language = {English},
urldate = {2022-03-31}
}
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot |
2022-03-31 ⋅ SC Media ⋅ SC Staff
@online{staff:20220331:novel:ef704af,
author = {SC Staff},
title = {{Novel obfuscation leveraged by Hive ransomware}},
date = {2022-03-31},
organization = {SC Media},
url = {https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware},
language = {English},
urldate = {2022-04-05}
}
Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive |
2022-03-30 ⋅ Fortinet ⋅ Rotem Sde-Or, Eliran Voronovitch
@online{sdeor:20220330:new:8eeff0d,
author = {Rotem Sde-Or and Eliran Voronovitch},
title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}},
date = {2022-03-30},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits},
language = {English},
urldate = {2022-03-31}
}
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili Ghost RAT |
2022-03-30 ⋅ Prevailion ⋅ Prevailion
@online{prevailion:20220330:wizard:6eb38a7,
author = {Prevailion},
title = {{Wizard Spider continues to confound}},
date = {2022-03-30},
organization = {Prevailion},
url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903},
language = {English},
urldate = {2022-03-31}
}
Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet |
2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas
@online{toulas:20220330:phishing:035d666,
author = {Bill Toulas},
title = {{Phishing campaign targets Russian govt dissidents with Cobalt Strike}},
date = {2022-03-30},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/},
language = {English},
urldate = {2022-03-31}
}
Phishing campaign targets Russian govt dissidents with Cobalt Strike
Unidentified PS 002 (RAT) Cobalt Strike |
2022-03-29 ⋅ Malwarebytes Labs ⋅ Hossein Jazi
@online{jazi:20220329:new:21f3605,
author = {Hossein Jazi},
title = {{New spear phishing campaign targets Russian dissidents}},
date = {2022-03-29},
organization = {Malwarebytes Labs},
url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/},
language = {English},
urldate = {2022-03-31}
}
New spear phishing campaign targets Russian dissidents
Unidentified PS 002 (RAT) Cobalt Strike |
2022-03-29 ⋅ SentinelOne ⋅ James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias
@online{haughom:20220329:from:5e4b8cc,
author = {James Haughom and Antonis Terefos and Jim Walter and Jeff Cavanaugh and Nick Fox and Shai Tilias},
title = {{From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection}},
date = {2022-03-29},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/},
language = {English},
urldate = {2022-03-31}
}
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive |
2022-03-28 ⋅ Trellix ⋅ Max Kersten, Marc Elias
@online{kersten:20220328:plugx:37256d5,
author = {Max Kersten and Marc Elias},
title = {{PlugX: A Talisman to Behold}},
date = {2022-03-28},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html},
language = {English},
urldate = {2022-03-30}
}
PlugX: A Talisman to Behold
PlugX |
2022-03-28 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
@online{reaves:20220328:cobaltstrike:65362d3,
author = {Jason Reaves},
title = {{CobaltStrike UUID stager}},
date = {2022-03-28},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64},
language = {English},
urldate = {2022-04-05}
}
CobaltStrike UUID stager
Cobalt Strike |
2022-03-25 ⋅ ESET Research ⋅ Alexandre Côté Cyr
@online{cyr:20220325:mustang:4052776,
author = {Alexandre Côté Cyr},
title = {{Mustang Panda's Hodur: Old stuff, new variant of Korplug}},
date = {2022-03-25},
organization = {ESET Research},
url = {https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/},
language = {French},
urldate = {2022-03-30}
}
Mustang Panda's Hodur: Old stuff, new variant of Korplug
PlugX |
2022-03-25 ⋅ nccgroup ⋅ Yun Zheng Hu
@online{hu:20220325:mining:287a2e7,
author = {Yun Zheng Hu},
title = {{Mining data from Cobalt Strike beacons}},
date = {2022-03-25},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/},
language = {English},
urldate = {2022-03-28}
}
Mining data from Cobalt Strike beacons
Cobalt Strike |
2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac,
author = {State Service of Special Communication and Information Protection of Ukraine (CIP)},
title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}},
date = {2022-03-25},
organization = {GOV.UA},
url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya},
language = {English},
urldate = {2022-03-28}
}
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora |
2022-03-24 ⋅ Threat Post ⋅ Nate Nelson
@online{nelson:20220324:chinese:da166ef,
author = {Nate Nelson},
title = {{Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection}},
date = {2022-03-24},
organization = {Threat Post},
url = {https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/},
language = {English},
urldate = {2022-03-25}
}
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection
PlugX |
2022-03-23 ⋅ BleepingComputer ⋅ Bill Toulas
@online{toulas:20220323:new:14befd9,
author = {Bill Toulas},
title = {{New Mustang Panda hacking campaign targets diplomats, ISPs}},
date = {2022-03-23},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/},
language = {English},
urldate = {2022-03-25}
}
New Mustang Panda hacking campaign targets diplomats, ISPs
PlugX |
2022-03-23 ⋅ ESET Research ⋅ Alexandre Côté Cyr
@online{cyr:20220323:mustang:3e97382,
author = {Alexandre Côté Cyr},
title = {{Mustang Panda’s Hodur: Old tricks, new Korplug variant}},
date = {2022-03-23},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/},
language = {English},
urldate = {2022-03-24}
}
Mustang Panda’s Hodur: Old tricks, new Korplug variant
PlugX |
2022-03-22 ⋅ Red Canary ⋅ Red Canary
@techreport{canary:20220322:2022:67c40ea,
author = {Red Canary},
title = {{2022 Threat Detection Report}},
date = {2022-03-22},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf},
language = {English},
urldate = {2022-03-23}
}
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT |
2022-03-22 ⋅ NVISO Labs ⋅ Didier Stevens
@online{stevens:20220322:cobalt:fdf35ba,
author = {Didier Stevens},
title = {{Cobalt Strike: Overview – Part 7}},
date = {2022-03-22},
organization = {NVISO Labs},
url = {https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/},
language = {English},
urldate = {2022-03-23}
}
Cobalt Strike: Overview – Part 7
Cobalt Strike |
2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9,
author = {eSentire Threat Response Unit (TRU)},
title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}},
date = {2022-03-21},
organization = {eSentire},
url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire},
language = {English},
urldate = {2022-05-23}
}
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID |
2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas
@online{vaas:20220321:conti:0b203c8,
author = {Lisa Vaas},
title = {{Conti Ransomware V. 3, Including Decryptor, Leaked}},
date = {2022-03-21},
organization = {Threat Post},
url = {https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/},
language = {English},
urldate = {2022-03-22}
}
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot |
2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
@online{stolyarov:20220317:exposing:f818c6d,
author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group},
title = {{Exposing initial access broker with ties to Conti}},
date = {2022-03-17},
organization = {Google},
url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/},
language = {English},
urldate = {2022-03-18}
}
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti |
2022-03-16 ⋅ paloalto Netoworks: Unit42 ⋅ Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj
@online{navarrete:20220316:cobalt:015f5df,
author = {Chris Navarrete and Durgesh Sangvikar and Andrew Guan and Yu Fu and Yanhui Jia and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect}},
date = {2022-03-16},
organization = {paloalto Netoworks: Unit42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/},
language = {English},
urldate = {2022-03-18}
}
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect
Cobalt Strike |
2022-03-16 ⋅ AhnLab ⋅ ASEC Analysis Team
@online{team:20220316:gh0stcringe:65e2d3e,
author = {ASEC Analysis Team},
title = {{Gh0stCringe RAT Being Distributed to Vulnerable Database Servers}},
date = {2022-03-16},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/32572/},
language = {English},
urldate = {2022-04-14}
}
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT Kingminer |
2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan
@online{duncan:20220316:qakbot:7fe703f,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot |
2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20220316:qakbot:ff11e1e,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28448},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot |
2022-03-15 ⋅ SentinelOne ⋅ Amitai Ben Shushan Ehrlich
@online{ehrlich:20220315:threat:7f64477,
author = {Amitai Ben Shushan Ehrlich},
title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}},
date = {2022-03-15},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/},
language = {English},
urldate = {2022-03-17}
}
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear |
2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith
@online{stafford:20220315:what:1df16e6,
author = {Matt Stafford and Sherman Smith},
title = {{What Wicked Webs We Un-weave}},
date = {2022-03-15},
organization = {Prevailion},
url = {https://www.prevailion.com/what-wicked-webs-we-unweave/},
language = {English},
urldate = {2022-03-17}
}
What Wicked Webs We Un-weave
Cobalt Strike Conti |
2022-03-14 ⋅ Bleeping Computer ⋅ Bill Toulas
@online{toulas:20220314:fake:c599da1,
author = {Bill Toulas},
title = {{Fake antivirus updates used to deploy Cobalt Strike in Ukraine}},
date = {2022-03-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/},
language = {English},
urldate = {2022-03-15}
}
Fake antivirus updates used to deploy Cobalt Strike in Ukraine
Cobalt Strike |
2022-03-12 ⋅ Arash's Blog ⋅ Arash Parsa
@online{parsa:20220312:analyzing:5b0c5f2,
author = {Arash Parsa},
title = {{Analyzing Malware with Hooks, Stomps, and Return-addresses}},
date = {2022-03-12},
organization = {Arash's Blog},
url = {https://www.arashparsa.com/catching-a-malware-with-no-name/},
language = {English},
urldate = {2022-03-28}
}
Analyzing Malware with Hooks, Stomps, and Return-addresses
Cobalt Strike |
2022-03-11 ⋅ Cert-UA
@online{certua:20220311:cyberattack:1e34a52,
author = {Cert-UA},
title = {{Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)}},
date = {2022-03-11},
url = {https://cert.gov.ua/article/37704},
language = {Ukrainian},
urldate = {2022-03-14}
}
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)
Cobalt Strike |
2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20220309:cisa:63f18cd,
author = {Ionut Ilascu},
title = {{CISA updates Conti ransomware alert with nearly 100 domain names}},
date = {2022-03-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/},
language = {English},
urldate = {2022-03-10}
}
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot |
2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini
@online{figueroa:20220309:conti:d237b64,
author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini},
title = {{The Conti Leaks | Insight into a Ransomware Unicorn}},
date = {2022-03-09},
organization = {BreachQuest},
url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/},
language = {English},
urldate = {2022-03-14}
}
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot |
2022-03-08 ⋅ Mandiant ⋅ Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram
@online{brown:20220308:does:94c6c3e,
author = {Rufus Brown and Van Ta and Douglas Bienstock and Geoff Ackerman and John Wolfram},
title = {{Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments}},
date = {2022-03-08},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/apt41-us-state-governments},
language = {English},
urldate = {2022-03-10}
}
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY |
2022-03-07 ⋅ Proofpoint ⋅ Michael Raggi, Myrtus 0x0
@online{raggi:20220307:good:4e4acd6,
author = {Michael Raggi and Myrtus 0x0},
title = {{The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates}},
date = {2022-03-07},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european},
language = {English},
urldate = {2022-03-08}
}
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
PlugX |
2022-03-07 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20220307:2021:c2e2fbe,
author = {The DFIR Report},
title = {{2021 Year In Review}},
date = {2022-03-07},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/03/07/2021-year-in-review/},
language = {English},
urldate = {2022-03-07}
}
2021 Year In Review
Cobalt Strike |
2022-03-04 ⋅ Telsy ⋅ Telsy
@online{telsy:20220304:legitimate:d46b40c,
author = {Telsy},
title = {{Legitimate Sites Used As Cobalt Strike C2s Against Indian Government}},
date = {2022-03-04},
organization = {Telsy},
url = {https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/},
language = {English},
urldate = {2022-03-07}
}
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government
Cobalt Strike |
2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
@online{research:20220303:cyberattacks:d961eb0,
author = {Trend Micro Research},
title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}},
date = {2022-03-03},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html},
language = {English},
urldate = {2022-03-04}
}
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate |
2022-03 ⋅ VirusTotal ⋅ VirusTotal
@techreport{virustotal:202203:virustotals:c6af9c1,
author = {VirusTotal},
title = {{VirusTotal's 2021 Malware Trends Report}},
date = {2022-03},
institution = {VirusTotal},
url = {https://assets.virustotal.com/reports/2021trends.pdf},
language = {English},
urldate = {2022-04-13}
}
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT |
2022-02-24 ⋅ Cynet ⋅ Max Malyutin
@online{malyutin:20220224:new:014251e,
author = {Max Malyutin},
title = {{New Wave of Emotet – When Project X Turns Into Y}},
date = {2022-02-24},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/},
language = {English},
urldate = {2022-05-04}
}
New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet |
2022-02-24 ⋅ Fortinet ⋅ Fred Gutierrez
@online{gutierrez:20220224:nobelium:46d943e,
author = {Fred Gutierrez},
title = {{Nobelium Returns to the Political World Stage}},
date = {2022-02-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage},
language = {English},
urldate = {2022-03-02}
}
Nobelium Returns to the Political World Stage
Cobalt Strike |
2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220223:24:59b3a28,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)}},
date = {2022-02-23},
organization = {AdvIntel},
url = {https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir},
language = {English},
urldate = {2022-03-01}
}
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti |
2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
@online{brandt:20220223:dridex:c1d4784,
author = {Andrew Brandt},
title = {{Dridex bots deliver Entropy ransomware in recent attacks}},
date = {2022-02-23},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/},
language = {English},
urldate = {2022-03-01}
}
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy |
2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach
@online{ebach:20220223:what:0a4496e,
author = {Luca Ebach},
title = {{What the Pack(er)?}},
date = {2022-02-23},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2022/03/23/what-the-packer/},
language = {English},
urldate = {2022-03-25}
}
What the Pack(er)?
Cobalt Strike Emotet |
2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
@online{tru:20220222:icedid:67f870d,
author = {eSentire Threat Response Unit (TRU)},
title = {{IcedID to Cobalt Strike In Under 20 Minutes}},
date = {2022-02-22},
organization = {eSentire},
url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes},
language = {English},
urldate = {2022-05-23}
}
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader |
2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas
@online{toulas:20220222:vulnerable:80109eb,
author = {Bill Toulas},
title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}},
date = {2022-02-22},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/},
language = {English},
urldate = {2022-02-26}
}
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck |
2022-02-21 ⋅ ASEC
@online{asec:20220221:cobalt:82a24d8,
author = {ASEC},
title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}},
date = {2022-02-21},
url = {https://asec.ahnlab.com/en/31811/},
language = {English},
urldate = {2022-02-26}
}
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck |
2022-02-21 ⋅ The DFIR Report
@online{report:20220221:qbot:8b10b52,
author = {The DFIR Report},
title = {{Qbot and Zerologon Lead To Full Domain Compromise}},
date = {2022-02-21},
url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/},
language = {English},
urldate = {2022-02-26}
}
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot |
2022-02-20 ⋅ Medium SOCFortress ⋅ SOCFortress
@online{socfortress:20220220:detecting:5d28c28,
author = {SOCFortress},
title = {{Detecting Cobalt Strike Beacons}},
date = {2022-02-20},
organization = {Medium SOCFortress},
url = {https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654},
language = {English},
urldate = {2022-02-26}
}
Detecting Cobalt Strike Beacons
Cobalt Strike |
2022-02-18 ⋅ Huntress Labs ⋅ Matthew Brennan
@online{brennan:20220218:hackers:243d8b8,
author = {Matthew Brennan},
title = {{Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection}},
date = {2022-02-18},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection},
language = {English},
urldate = {2022-02-26}
}
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
Cobalt Strike |
2022-02-17 ⋅ SinaCyber ⋅ Adam Kozy
@techreport{kozy:20220217:testimony:692e499,
author = {Adam Kozy},
title = {{Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”}},
date = {2022-02-17},
institution = {SinaCyber},
url = {https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf},
language = {English},
urldate = {2022-05-23}
}
Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”
PlugX |
2022-02-16 ⋅ Security Onion ⋅ Doug Burks
@online{burks:20220216:quick:e515983,
author = {Doug Burks},
title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}},
date = {2022-02-16},
organization = {Security Onion},
url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html},
language = {English},
urldate = {2022-02-17}
}
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet |
2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
@online{tru:20220215:increase:a4de9ce,
author = {eSentire Threat Response Unit (TRU)},
title = {{Increase in Emotet Activity and Cobalt Strike Deployment}},
date = {2022-02-15},
organization = {eSentire},
url = {https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment},
language = {English},
urldate = {2022-05-23}
}
Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet |
2022-02-11 ⋅ Cisco Talos ⋅ Talos
@online{talos:20220211:threat:fcad762,
author = {Talos},
title = {{Threat Roundup for February 4 to February 11}},
date = {2022-02-11},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html},
language = {English},
urldate = {2022-02-14}
}
Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus |
2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
@online{team:20220210:threat:320574f,
author = {Cybereason Global SOC Team},
title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}},
date = {2022-02-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot},
language = {English},
urldate = {2022-02-10}
}
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot |
2022-02-09 ⋅ vmware ⋅ VMWare
@techreport{vmware:20220209:exposing:7b5f76e,
author = {VMWare},
title = {{Exposing Malware in Linux-Based Multi-Cloud Environments}},
date = {2022-02-09},
institution = {vmware},
url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf},
language = {English},
urldate = {2022-02-10}
}
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike |
2022-01-31 ⋅ CyberArk ⋅ Arash Parsa
@online{parsa:20220131:analyzing:c496cc6,
author = {Arash Parsa},
title = {{Analyzing Malware with Hooks, Stomps and Return-addresses}},
date = {2022-01-31},
organization = {CyberArk},
url = {https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2},
language = {English},
urldate = {2022-05-09}
}
Analyzing Malware with Hooks, Stomps and Return-addresses
Cobalt Strike |
2022-01-28 ⋅ Morphisec ⋅ Morphisec Labs
@online{labs:20220128:log4j:ee487ec,
author = {Morphisec Labs},
title = {{Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk}},
date = {2022-01-28},
organization = {Morphisec},
url = {https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications},
language = {English},
urldate = {2022-02-02}
}
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk
Cobalt Strike |
2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru
@techreport{yanagishita:20220127:what:3c59dc9,
author = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru},
title = {{What We Can Do against the Chaotic A41APT Campaign}},
date = {2022-01-27},
institution = {JSAC 2021},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf},
language = {English},
urldate = {2022-05-17}
}
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
2022-01-26 ⋅ Blackberry ⋅ Ryan Gibson, Codi Starks, Will Ikard
@online{gibson:20220126:log4u:3f2992b,
author = {Ryan Gibson and Codi Starks and Will Ikard},
title = {{Log4U, Shell4Me}},
date = {2022-01-26},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/log4u-shell4me},
language = {English},
urldate = {2022-01-31}
}
Log4U, Shell4Me
Cobalt Strike |
2022-01-25 ⋅ Cynet ⋅ Orion Threat Research and Intelligence Team
@online{team:20220125:threats:5269cbc,
author = {Orion Threat Research and Intelligence Team},
title = {{Threats Looming Over the Horizon}},
date = {2022-01-25},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/},
language = {English},
urldate = {2022-01-28}
}
Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky |
2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20220124:cobalt:b0b48ee,
author = {The DFIR Report},
title = {{Cobalt Strike, a Defender’s Guide – Part 2}},
date = {2022-01-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/},
language = {English},
urldate = {2022-01-25}
}
Cobalt Strike, a Defender’s Guide – Part 2
Cobalt Strike |
2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik
@online{gorelik:20220120:log4j:99fd2e0,
author = {Michael Gorelik},
title = {{Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk}},
date = {2022-01-20},
organization = {Morphisec},
url = {https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk},
language = {English},
urldate = {2022-01-25}
}
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
Cobalt Strike |
2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17,
author = {The BlackBerry Research & Intelligence Team},
title = {{Kraken the Code on Prometheus}},
date = {2022-01-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus},
language = {English},
urldate = {2022-05-25}
}
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk |
2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team
@online{cowie:20220119:zloader:e87c22c,
author = {Colin Cowie and Mat Gangwer and Stan Andic and Sophos MTR Team},
title = {{Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike}},
date = {2022-01-19},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/},
language = {English},
urldate = {2022-01-25}
}
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
@online{ditch:20220119:collecting:696e5d0,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Collecting Cobalt Strike Beacons with the Elastic Stack}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/},
language = {English},
urldate = {2022-01-25}
}
Collecting Cobalt Strike Beacons with the Elastic Stack
Cobalt Strike |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
@online{ditch:20220119:extracting:39bd5e5,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Extracting Cobalt Strike Beacon Configurations}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/},
language = {English},
urldate = {2022-01-25}
}
Extracting Cobalt Strike Beacon Configurations
Cobalt Strike |
2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20220118:2021:9cff6fc,
author = {Insikt Group®},
title = {{2021 Adversary Infrastructure Report}},
date = {2022-01-18},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf},
language = {English},
urldate = {2022-01-24}
}
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot |
2022-01-16 ⋅ forensicitguy ⋅ Tony Lambert
@online{lambert:20220116:analyzing:2c8a9db,
author = {Tony Lambert},
title = {{Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike}},
date = {2022-01-16},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/},
language = {English},
urldate = {2022-01-25}
}
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
CACTUSTORCH Cobalt Strike |
2022-01-15 ⋅ Huntress Labs ⋅ Team Huntress
@online{huntress:20220115:threat:cb103f0,
author = {Team Huntress},
title = {{Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)}},
date = {2022-01-15},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike},
language = {English},
urldate = {2022-03-07}
}
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)
Cobalt Strike |
2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
@online{refaeli:20220111:threat:fd22089,
author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro},
title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}},
date = {2022-01-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike},
language = {English},
urldate = {2022-01-18}
}
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle |
2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
@online{reaves:20220111:signed:0f32583,
author = {Jason Reaves and Joshua Platt},
title = {{Signed DLL campaigns as a service}},
date = {2022-01-11},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489},
language = {English},
urldate = {2022-01-25}
}
Signed DLL campaigns as a service
Cobalt Strike ISFB Zloader |
2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer
@online{glyer:20220111:thread:ae5ec3d,
author = {Christopher Glyer},
title = {{Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware}},
date = {2022-01-11},
organization = {Twitter (@cglyer)},
url = {https://twitter.com/cglyer/status/1480742363991580674},
language = {English},
urldate = {2022-01-25}
}
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky |
2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert
@online{lambert:20220109:inspecting:4681f0a,
author = {Tony Lambert},
title = {{Inspecting a PowerShell Cobalt Strike Beacon}},
date = {2022-01-09},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/},
language = {English},
urldate = {2022-01-25}
}
Inspecting a PowerShell Cobalt Strike Beacon
Cobalt Strike |
2022-01-06 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20220106:gulp:4ab908c,
author = {Mike R},
title = {{A “GULP” of PlugX}},
date = {2022-01-06},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/},
language = {English},
urldate = {2022-04-05}
}
A “GULP” of PlugX
PlugX |
2022-01-06 ⋅ Sekoia ⋅ sekoia
@online{sekoia:20220106:nobeliums:de631e8,
author = {sekoia},
title = {{NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies}},
date = {2022-01-06},
organization = {Sekoia},
url = {https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/},
language = {English},
urldate = {2022-01-10}
}
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Cobalt Strike EnvyScout |
2021-12-29 ⋅ Blake's R&D ⋅ Blake
@online{blake:20211229:cobalt:b8c08bb,
author = {Blake},
title = {{Cobalt Strike DFIR: Listening to the Pipes}},
date = {2021-12-29},
organization = {Blake's R&D},
url = {https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes},
language = {English},
urldate = {2021-12-31}
}
Cobalt Strike DFIR: Listening to the Pipes
Cobalt Strike |
2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team
@online{wiley:20211229:overwatch:35d7dee,
author = {Benjamin Wiley and Falcon OverWatch Team},
title = {{OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt}},
date = {2021-12-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/},
language = {English},
urldate = {2021-12-31}
}
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Cobalt Strike AQUATIC PANDA |
2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho
@online{marinho:20211228:attackers:48320eb,
author = {Renato Marinho},
title = {{Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons}},
date = {2021-12-28},
organization = {Morphus Labs},
url = {https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42},
language = {English},
urldate = {2021-12-31}
}
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Cobalt Strike |
2021-12-22 ⋅ Telsy ⋅ Telsy Research Team
@online{team:20211222:phishing:ffa707a,
author = {Telsy Research Team},
title = {{Phishing Campaign targeting citizens abroad using COVID-19 theme lures}},
date = {2021-12-22},
organization = {Telsy},
url = {https://www.telsy.com/download/5972/?uid=d7c082ba55},
language = {English},
urldate = {2022-01-25}
}
Phishing Campaign targeting citizens abroad using COVID-19 theme lures
Cobalt Strike |
2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team
@online{team:20211216:intelligence:f7bad55,
author = {The Red Canary Team},
title = {{Intelligence Insights: December 2021}},
date = {2021-12-16},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-december-2021},
language = {English},
urldate = {2021-12-31}
}
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle |
2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su
@online{dai:20211214:collecting:3d6dd34,
author = {Nick Dai and Ted Lee and Vickie Su},
title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}},
date = {2021-12-14},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html},
language = {English},
urldate = {2022-03-30}
}
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack |
2021-12-10 ⋅ Accenture ⋅ Accenture
@online{accenture:20211210:karakurt:5bb6d9c,
author = {Accenture},
title = {{Karakurt rises from its lair}},
date = {2021-12-10},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation},
language = {English},
urldate = {2021-12-15}
}
Karakurt rises from its lair
Cobalt Strike |
2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20211207:emotet:f33c999,
author = {Lawrence Abrams},
title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}},
date = {2021-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/},
language = {English},
urldate = {2021-12-08}
}
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet |
2021-12-06 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
@online{jenkins:20211206:suspected:d9da4ec,
author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)},
title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}},
date = {2021-12-06},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/russian-targeting-gov-business},
language = {English},
urldate = {2021-12-07}
}
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot |
2021-12-06 ⋅ CERT-FR ⋅ CERT-FR
@online{certfr:20211206:phishing:c58da54,
author = {CERT-FR},
title = {{Phishing campaigns by the Nobelium intrusion set}},
date = {2021-12-06},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/},
language = {English},
urldate = {2021-12-07}
}
Phishing campaigns by the Nobelium intrusion set
Cobalt Strike |
2021-12-02 ⋅ CERT-FR ⋅ CERT-FR
@techreport{certfr:20211202:phishing:c22ef4f,
author = {CERT-FR},
title = {{Phishing Campaigns by the Nobelium Intrusion Set}},
date = {2021-12-02},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf},
language = {English},
urldate = {2021-12-07}
}
Phishing Campaigns by the Nobelium Intrusion Set
Cobalt Strike |
2021-12-01 ⋅ ESET Research ⋅ Alexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5,
author = {Alexis Dorais-Joncas and Facundo Muñoz},
title = {{Jumping the air gap: 15 years of nation‑state effort}},
date = {2021-12-01},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf},
language = {English},
urldate = {2021-12-17}
}
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry |
2021-11-30 ⋅ Broadcom ⋅ Symantec Threat Hunter Team
@online{team:20211130:yanluowang:538b90c,
author = {Symantec Threat Hunter Team},
title = {{Yanluowang: Further Insights on New Ransomware Threat}},
date = {2021-11-30},
organization = {Broadcom},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue},
language = {English},
urldate = {2021-11-30}
}
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands |
2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20211129:continuing:646e622,
author = {The DFIR Report},
title = {{CONTInuing the Bazar Ransomware Story}},
date = {2021-11-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/},
language = {English},
urldate = {2021-12-07}
}
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti |
2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer
@online{mclellan:20211129:kittengif:efb8036,
author = {Tyler McLellan and Brandan Schondorfer},
title = {{Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again}},
date = {2021-11-29},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/sabbath-ransomware-affiliate},
language = {English},
urldate = {2021-11-30}
}
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike |
2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78,
author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar},
title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}},
date = {2021-11-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html},
language = {English},
urldate = {2021-11-25}
}
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle |
2021-11-18 ⋅ Cisco ⋅ Josh Pyorre
@online{pyorre:20211118:blackmatter:e9e9bbf,
author = {Josh Pyorre},
title = {{BlackMatter, LockBit, and THOR}},
date = {2021-11-18},
organization = {Cisco},
url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor},
language = {English},
urldate = {2022-03-28}
}
BlackMatter, LockBit, and THOR
BlackMatter LockBit PlugX |
2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
@online{fahmy:20211117:analyzing:c6c52d1,
author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque},
title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}},
date = {2021-11-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html},
language = {English},
urldate = {2021-11-18}
}
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT |
2021-11-17 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211117:cobalt:0b6ecf5,
author = {Didier Stevens},
title = {{Cobalt Strike: Decrypting Obfuscated Traffic – Part 4}},
date = {2021-11-17},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/},
language = {English},
urldate = {2021-11-18}
}
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike |
2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
@online{42:20211117:matanbuchus:9e3556c,
author = {Unit 42},
title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}},
date = {2021-11-17},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1461004489234829320},
language = {English},
urldate = {2021-11-25}
}
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot |
2021-11-17 ⋅ Black Hills Information Security ⋅ Kyle Avery
@online{avery:20211117:dns:847b573,
author = {Kyle Avery},
title = {{DNS Over HTTPS for Cobalt Strike}},
date = {2021-11-17},
organization = {Black Hills Information Security},
url = {https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/},
language = {English},
urldate = {2022-02-19}
}
DNS Over HTTPS for Cobalt Strike
Cobalt Strike |
2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson
@techreport{oleary:20211116:finding:e8594dd,
author = {T.J. O'Leary and Tom Bonner and Marta Janus and Dean Given and Eoin Wickens and Jim Simpson},
title = {{Finding Beacons in the dark}},
date = {2021-11-16},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-18}
}
Finding Beacons in the dark
Cobalt Strike |
2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra
@online{raghuprasad:20211116:attackers:c31ad77,
author = {Chetan Raghuprasad and Vanja Svajcer and Asheer Malhotra},
title = {{Attackers use domain fronting technique to target Myanmar with Cobalt Strike}},
date = {2021-11-16},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html},
language = {English},
urldate = {2021-11-17}
}
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike |
2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
@online{research:20211116:how:d7fdaf8,
author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski},
title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}},
date = {2021-11-16},
organization = {IronNet},
url = {https://www.ironnet.com/blog/ransomware-graphic-blog},
language = {English},
urldate = {2021-11-25}
}
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil |
2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
@online{viggiani:20211115:proxyshell:bf17c6d,
author = {Fabio Viggiani},
title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}},
date = {2021-11-15},
organization = {TRUESEC},
url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks},
language = {English},
urldate = {2021-11-17}
}
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot |
2021-11-13 ⋅ Just Still ⋅ Still Hsu
@online{hsu:20211113:threat:597b1a0,
author = {Still Hsu},
title = {{Threat Spotlight - Domain Fronting}},
date = {2021-11-13},
organization = {Just Still},
url = {https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/},
language = {English},
urldate = {2021-11-18}
}
Threat Spotlight - Domain Fronting
Cobalt Strike |
2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi
@online{jazi:20211112:multistage:e70f6d0,
author = {Hossein Jazi},
title = {{A multi-stage PowerShell based attack targets Kazakhstan}},
date = {2021-11-12},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/},
language = {English},
urldate = {2021-11-17}
}
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike |
2021-11-11 ⋅ Cynet ⋅ Max Malyutin
@online{malyutin:20211111:duck:897cc6f,
author = {Max Malyutin},
title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}},
date = {2021-11-11},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/},
language = {English},
urldate = {2021-11-25}
}
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot |
2021-11-10 ⋅ AT&T ⋅ Josh Gomez
@online{gomez:20211110:stories:4ce1168,
author = {Josh Gomez},
title = {{Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!}},
date = {2021-11-10},
organization = {AT&T},
url = {https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my},
language = {English},
urldate = {2021-11-17}
}
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti |
2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team
@online{team:20211110:walking:cc41f24,
author = {Cyber Threat Intelligence team},
title = {{Walking on APT31 infrastructure footprints}},
date = {2021-11-10},
organization = {Sekoia},
url = {https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/},
language = {English},
urldate = {2021-11-11}
}
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike |
2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem
@online{milenkoski:20211109:threat:9f898c9,
author = {Aleksandar Milenkoski and Eli Salem},
title = {{THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware}},
date = {2021-11-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware},
language = {English},
urldate = {2022-02-09}
}
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti |
2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
@online{42:20211105:ta551:98c564e,
author = {Unit 42},
title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}},
date = {2021-11-05},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1458113934024757256},
language = {English},
urldate = {2021-11-17}
}
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike |
2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9,
author = {The BlackBerry Research & Intelligence Team},
title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}},
date = {2021-11-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/11/zebra2104},
language = {English},
urldate = {2021-11-08}
}
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity |
2021-11-03 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211103:cobalt:8f8223d,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3}},
date = {2021-11-03},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/},
language = {English},
urldate = {2021-11-08}
}
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike |
2021-11-03 ⋅ Cisco Talos ⋅ Chetan Raghuprasad, Vanja Svajcer, Caitlin Huey
@online{raghuprasad:20211103:microsoft:2b6de43,
author = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey},
title = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}},
date = {2021-11-03},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html},
language = {English},
urldate = {2021-11-03}
}
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER |
2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens
@online{stevens:20211103:new:6f8b92c,
author = {Didier Stevens},
title = {{New Tool: cs-extract-key.py}},
date = {2021-11-03},
organization = {Didier Stevens},
url = {https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/},
language = {English},
urldate = {2021-11-17}
}
New Tool: cs-extract-key.py
Cobalt Strike |
2021-11-02 ⋅ Intel 471 ⋅ Intel 471
@online{471:20211102:cybercrime:4d53035,
author = {Intel 471},
title = {{Cybercrime underground flush with shipping companies’ credentials}},
date = {2021-11-02},
organization = {Intel 471},
url = {https://intel471.com/blog/shipping-companies-ransomware-credentials},
language = {English},
urldate = {2021-11-03}
}
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti |
2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax
@online{cyb3rsn0rlax:20211102:detecting:a2828eb,
author = {Cyb3rSn0rlax},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}},
date = {2021-11-02},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti |
2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme
@online{laflamme:20211102:cobalt:d09aa11,
author = {Olivier Laflamme},
title = {{Cobalt Strike Process Injection}},
date = {2021-11-02},
organization = {boschko.ca blog},
url = {https://boschko.ca/cobalt-strike-process-injection/},
language = {English},
urldate = {2021-11-29}
}
Cobalt Strike Process Injection
Cobalt Strike |
2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
@online{larrieu:20211101:diving:a732a35,
author = {Heather Larrieu and Curt Wilson and Katrina Hill},
title = {{Diving into double extortion campaigns}},
date = {2021-11-01},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns},
language = {English},
urldate = {2021-11-03}
}
Diving into double extortion campaigns
Cobalt Strike MimiKatz |
2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o
@online{iiamaleks:20211101:from:2348d47,
author = {@iiamaleks and @samaritan_o},
title = {{From Zero to Domain Admin}},
date = {2021-11-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/},
language = {English},
urldate = {2021-11-03}
}
From Zero to Domain Admin
Cobalt Strike Hancitor |
2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України
@online{:20211029:cyberpolice:fc43b20,
author = {Національна поліція України},
title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}},
date = {2021-10-29},
organization = {Національна поліція України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-11-02}
}
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-29 ⋅ Europol ⋅ Europol
@online{europol:20211029:12:5c0fd59,
author = {Europol},
title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}},
date = {2021-10-29},
organization = {Europol},
url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure},
language = {English},
urldate = {2021-11-02}
}
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-27 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211027:cobalt:b91181a,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2}},
date = {2021-10-27},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/},
language = {English},
urldate = {2021-11-03}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike |
2021-10-26 ⋅ ANSSI
@techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA
@online{ouadia:20211026:detecting:2a3e2fa,
author = {Hamza OUADIA},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1}},
date = {2021-10-26},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti |
2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943,
author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis},
title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}},
date = {2021-10-26},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html},
language = {English},
urldate = {2021-11-02}
}
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle |
2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson
@online{clinton:20211021:stopping:3c26152,
author = {Alex Clinton and Tasha Robinson},
title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}},
date = {2021-10-21},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/},
language = {English},
urldate = {2021-11-02}
}
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet |
2021-10-21 ⋅ nviso ⋅ Didier Stevens
@online{stevens:20211021:cobalt:bfc8702,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1}},
date = {2021-10-21},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/},
language = {English},
urldate = {2021-10-26}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike |
2021-10-18 ⋅ NortonLifeLock ⋅ Norton Labs
@techreport{labs:20211018:operation:9612cbf,
author = {Norton Labs},
title = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}},
date = {2021-10-18},
institution = {NortonLifeLock},
url = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf},
language = {English},
urldate = {2021-12-15}
}
Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax |
2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20211018:harvester:ad72962,
author = {Threat Hunter Team},
title = {{Harvester: Nation-state-backed group uses new toolset to target victims in South Asia}},
date = {2021-10-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia},
language = {English},
urldate = {2021-11-03}
}
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon |
2021-10-18 ⋅ paloalto Netoworks: Unit42 ⋅ Brad Duncan
@online{duncan:20211018:case:bdd95ff,
author = {Brad Duncan},
title = {{Case Study: From BazarLoader to Network Reconnaissance}},
date = {2021-10-18},
organization = {paloalto Netoworks: Unit42},
url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/},
language = {English},
urldate = {2021-10-22}
}
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike |
2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20211018:icedid:0b574b0,
author = {The DFIR Report},
title = {{IcedID to XingLocker Ransomware in 24 hours}},
date = {2021-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/},
language = {English},
urldate = {2021-10-22}
}
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker |
2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
@online{reaves:20211014:investigation:29ef29c,
author = {Jason Reaves},
title = {{Investigation into the state of NIM malware Part 2}},
date = {2021-10-14},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671},
language = {English},
urldate = {2021-12-15}
}
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware) |
2021-10-13 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
@online{team:20211013:blackberry:9892a2c,
author = {BlackBerry Research & Intelligence Team},
title = {{BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book}},
date = {2021-10-13},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book},
language = {English},
urldate = {2022-04-25}
}
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book
Cobalt Strike |
2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman
@online{rahman:20211012:defining:df3f43c,
author = {Alyssa Rahman},
title = {{Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis}},
date = {2021-10-12},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/defining-cobalt-strike-components},
language = {English},
urldate = {2021-11-02}
}
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike |
2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
@online{intelligence:20211011:moving:3b0eaec,
author = {Accenture Cyber Threat Intelligence},
title = {{Moving Left of the Ransomware Boom}},
date = {2021-10-11},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom},
language = {English},
urldate = {2021-11-03}
}
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil |
2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong
@online{dong:20211008:squirrelwaffle:4549cd1,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing The Main Loader}},
date = {2021-10-08},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle |
2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team
@online{team:20211007:fin12:505a3a8,
author = {Mandiant Research Team},
title = {{FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets}},
date = {2021-10-07},
organization = {Mandiant},
url = {https://www.mandiant.com/media/12596/download},
language = {English},
urldate = {2021-11-27}
}
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot |
2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}},
date = {2021-10-07},
organization = {Netskope},
url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot},
language = {English},
urldate = {2021-10-11}
}
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle |
2021-10-06 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:20211006:finding:50936df,
author = {Blackberry Research},
title = {{Finding Beacons in the Dark}},
date = {2021-10-06},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-08}
}
Finding Beacons in the Dark
Cobalt Strike |
2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
@online{team:20211005:drawing:e53477d,
author = {The BlackBerry Research & Intelligence Team},
title = {{Drawing a Dragon: Connecting the Dots to Find APT41}},
date = {2021-10-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41},
language = {English},
urldate = {2021-10-11}
}
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT |
2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
@online{gallagher:20211004:atom:782b979,
author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah},
title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}},
date = {2021-10-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/},
language = {English},
urldate = {2021-10-11}
}
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike |
2021-10-04 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20211004:malware:5ba808a,
author = {Shusei Tomonaga},
title = {{Malware Gh0stTimes Used by BlackTech}},
date = {2021-10-04},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html},
language = {English},
urldate = {2021-10-11}
}
Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT |
2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20211004:bazarloader:fe3adf3,
author = {The DFIR Report},
title = {{BazarLoader and the Conti Leaks}},
date = {2021-10-04},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/},
language = {English},
urldate = {2021-10-11}
}
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti |
2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne
@techreport{dnne:20211003:squirrelwaffle:3a35566,
author = {Joel Dönne},
title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}},
date = {2021-10-03},
institution = {Github (0xjxd)},
url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf},
language = {English},
urldate = {2021-10-07}
}
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle |
2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong
@online{dong:20211001:squirrelwaffle:24c9b06,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}},
date = {2021-10-01},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle |
2021-09-30 ⋅ PT Expert Security Center
@online{center:20210930:masters:8707c00,
author = {PT Expert Security Center},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang},
language = {English},
urldate = {2021-10-14}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike |
2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
@online{team:20210930:hunting:bc2e59d,
author = {Falcon OverWatch Team},
title = {{Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense}},
date = {2021-09-30},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/},
language = {English},
urldate = {2021-10-05}
}
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike |
2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210930:masters:4394504,
author = {PT ESC Threat Intelligence},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3},
language = {English},
urldate = {2021-11-29}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike |
2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210929:backup:4aebe4e,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Backup “Removal” Solutions - From Conti Ransomware With Love}},
date = {2021-09-29},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love},
language = {English},
urldate = {2021-10-20}
}
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti |
2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20210929:20210929:e348fca,
author = {Brad Duncan},
title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}},
date = {2021-09-29},
organization = {Malware Traffic Analysis},
url = {https://malware-traffic-analysis.net/2021/09/29/index.html},
language = {English},
urldate = {2021-11-03}
}
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor |
2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20210929:hancitor:e510da9,
author = {Brad Duncan},
title = {{Hancitor with Cobalt Strike}},
date = {2021-09-29},
organization = {Malware Traffic Analysis},
url = {https://www.malware-traffic-analysis.net/2021/09/29/index.html},
language = {English},
urldate = {2022-02-01}
}
Hancitor with Cobalt Strike
Cobalt Strike Hancitor |
2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross
@online{kumar:20210928:squirrelwaffle:9b1cffc,
author = {Avinash Kumar and Brett Stone-Gross},
title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}},
date = {2021-09-28},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike},
language = {English},
urldate = {2021-10-11}
}
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle |
2021-09-28 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210928:4:069b441,
author = {Insikt Group®},
title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}},
date = {2021-09-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/},
language = {English},
urldate = {2021-10-11}
}
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti |
2021-09-27 ⋅ Cynet ⋅ Max Malyutin
@online{malyutin:20210927:virtual:cd72501,
author = {Max Malyutin},
title = {{A Virtual Baffle to Battle Squirrelwaffle}},
date = {2021-09-27},
organization = {Cynet},
url = {https://www.cynet.com/understanding-squirrelwaffle/},
language = {English},
urldate = {2021-09-28}
}
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle |
2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji
@online{ji:20210926:insights:51c06b8,
author = {Jie Ji},
title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}},
date = {2021-09-26},
organization = {NSFOCUS},
url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/},
language = {English},
urldate = {2021-11-25}
}
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile |
2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
@online{stotomas:20210924:examining:9165fe5,
author = {Warren Sto.Tomas},
title = {{Examining the Cring Ransomware Techniques}},
date = {2021-09-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html},
language = {English},
urldate = {2021-09-29}
}
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz |
2021-09-22 ⋅ CISA ⋅ US-CERT
@online{uscert:20210922:alert:50b9d38,
author = {US-CERT},
title = {{Alert (AA21-265A) Conti Ransomware}},
date = {2021-09-22},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-265a},
language = {English},
urldate = {2021-10-05}
}
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti |
2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt
@online{schmitt:20210921:ransomware:7c6144d,
author = {Drew Schmitt},
title = {{A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike}},
date = {2021-09-21},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/},
language = {English},
urldate = {2021-09-22}
}
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike |
2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem
@online{salem:20210921:squirrel:1254a9d,
author = {Eli Salem},
title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}},
date = {2021-09-21},
organization = {Medium elis531989},
url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9},
language = {English},
urldate = {2021-09-22}
}
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle |
2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team
@online{team:20210921:scanning:5a0697f,
author = {skyblue team},
title = {{Scanning VirusTotal's firehose}},
date = {2021-09-21},
organization = {skyblue.team blog},
url = {https://skyblue.team/posts/scanning-virustotal-firehose/},
language = {English},
urldate = {2021-09-24}
}
Scanning VirusTotal's firehose
Cobalt Strike |
2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade
@online{brandt:20210921:cring:9bd4998,
author = {Andrew Brandt and Vikas Singh and Shefali Gupta and Krisztián Diriczi and Chaitanya Ghorpade},
title = {{Cring ransomware group exploits ancient ColdFusion server}},
date = {2021-09-21},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728},
language = {English},
urldate = {2021-09-24}
}
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring |
2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20210917:20210917:b995435,
author = {Brad Duncan},
title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}},
date = {2021-09-17},
organization = {Malware Traffic Analysis},
url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html},
language = {English},
urldate = {2021-09-20}
}
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle |
2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
@online{team:20210917:falcon:76aa03b,
author = {Falcon OverWatch Team},
title = {{Falcon OverWatch Hunts Down Adversaries Where They Hide}},
date = {2021-09-17},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/},
language = {English},
urldate = {2021-10-05}
}
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike |
2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator
@online{operator:20210917:default:aaaa15c,
author = {Intel Operator},
title = {{The default: 63 6f 62 61 6c 74 strike}},
date = {2021-09-17},
organization = {Medium inteloperator},
url = {https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7},
language = {English},
urldate = {2021-09-19}
}
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike |
2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont
@online{beaumont:20210916:some:550bbaa,
author = {Kevin Beaumont},
title = {{Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell}},
date = {2021-09-16},
organization = {Twitter (@GossiTheDog)},
url = {https://twitter.com/GossiTheDog/status/1438500100238577670},
language = {English},
urldate = {2021-09-20}
}
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot |
2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin
@online{shabarkin:20210916:pointer:828998f,
author = {Pavel Shabarkin},
title = {{Pointer: Hunting Cobalt Strike globally}},
date = {2021-09-16},
organization = {Medium Shabarkin},
url = {https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a},
language = {English},
urldate = {2021-09-19}
}
Pointer: Hunting Cobalt Strike globally
Cobalt Strike |
2021-09-16 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20210916:untangling:d1e0f1b,
author = {RiskIQ},
title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}},
date = {2021-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/c88cf7e6},
language = {English},
urldate = {2021-09-19}
}
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk |
2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20210915:analyzing:37b6528,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability}},
date = {2021-09-15},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/},
language = {English},
urldate = {2021-09-19}
}
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike |
2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210914:fullspectrum:fdc7b06,
author = {Insikt Group®},
title = {{Full-Spectrum Cobalt Strike Detection}},
date = {2021-09-14},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf},
language = {English},
urldate = {2021-09-19}
}
Full-Spectrum Cobalt Strike Detection
Cobalt Strike |
2021-09-14 ⋅ McAfee ⋅ Christiaan Beek
@online{beek:20210914:operation:95aed8d,
author = {Christiaan Beek},
title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}},
date = {2021-09-14},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/},
language = {English},
urldate = {2021-09-19}
}
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti |
2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210913:bazarloader:5073703,
author = {The DFIR Report},
title = {{BazarLoader to Conti Ransomware in 32 Hours}},
date = {2021-09-13},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/},
language = {English},
urldate = {2021-09-14}
}
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti |
2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210912:mapping:8a5f43a,
author = {Michael Koczwara},
title = {{Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444}},
date = {2021-09-12},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a},
language = {English},
urldate = {2022-01-28}
}
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444
Cobalt Strike |
2021-09-10 ⋅ Gigamon ⋅ Joe Slowik
@online{slowik:20210910:rendering:59082b0,
author = {Joe Slowik},
title = {{Rendering Threats: A Network Perspective}},
date = {2021-09-10},
organization = {Gigamon},
url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/},
language = {English},
urldate = {2021-09-12}
}
Rendering Threats: A Network Perspective
Cobalt Strike |
2021-09-10 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210910:indonesian:fc06998,
author = {Catalin Cimpanu},
title = {{Indonesian intelligence agency compromised in suspected Chinese hack}},
date = {2021-09-10},
organization = {The Record},
url = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/},
language = {English},
urldate = {2021-09-12}
}
Indonesian intelligence agency compromised in suspected Chinese hack
PlugX |
2021-09-09 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20210909:remote:17382af,
author = {Trend Micro},
title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}},
date = {2021-09-09},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html},
language = {English},
urldate = {2021-09-12}
}
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
Cobalt Strike |
2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa
@online{parsa:20210908:hook:4dff1b6,
author = {Arash Parsa},
title = {{Hook Heaps and Live Free}},
date = {2021-09-08},
organization = {Arash's Blog},
url = {https://www.arashparsa.com/hook-heaps-and-live-free/},
language = {English},
urldate = {2021-09-10}
}
Hook Heaps and Live Free
Cobalt Strike |
2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210907:cobalt:7af112e,
author = {Michael Koczwara},
title = {{Cobalt Strike C2 Hunting with Shodan}},
date = {2021-09-07},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike |
2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r
@online{m4n0w4r:20210906:quick:0a892b2,
author = {m4n0w4r},
title = {{Quick analysis CobaltStrike loader and shellcode}},
date = {2021-09-06},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/},
language = {English},
urldate = {2021-09-10}
}
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike |
2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
@online{gallagher:20210903:conti:db20680,
author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi},
title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}},
date = {2021-09-03},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/},
language = {English},
urldate = {2021-09-06}
}
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902,
author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta},
title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}},
date = {2021-09-03},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html},
language = {English},
urldate = {2021-09-06}
}
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran |
2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, GaborSzappanos
@online{colin:20210902:confluence:5bbf2cb,
author = {Colin and GaborSzappanos},
title = {{Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)}},
date = {2021-09-02},
organization = {Twitter (@th3_protoCOL)},
url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20},
language = {English},
urldate = {2021-09-06}
}
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike |
2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210902:cobalt:40a1888,
author = {Michael Koczwara},
title = {{Cobalt Strike PowerShell Payload Analysis}},
date = {2021-09-02},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike PowerShell Payload Analysis
Cobalt Strike |
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-09-01},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=6SDdUVejR2w},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs
@online{labs:20210831:cobalt:47e2c20,
author = {BreakPoint Labs},
title = {{Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign}},
date = {2021-08-31},
organization = {BreakPoint Labs},
url = {https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/},
language = {English},
urldate = {2021-09-23}
}
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign
Cobalt Strike |
2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team
@online{team:20210830:operation:7b5be26,
author = {Red Raindrop Team},
title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}},
date = {2021-08-30},
organization = {Qianxin},
url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/},
language = {Chinese},
urldate = {2021-09-09}
}
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz |
2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210829:cobalt:1e4595e,
author = {The DFIR Report},
title = {{Cobalt Strike, a Defender’s Guide}},
date = {2021-08-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/},
language = {English},
urldate = {2021-08-31}
}
Cobalt Strike, a Defender’s Guide
Cobalt Strike |
2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs
@online{labs:20210827:proxyshell:a4650f1,
author = {Morphisec Labs},
title = {{ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors}},
date = {2021-08-27},
organization = {Morphisec},
url = {https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors},
language = {English},
urldate = {2021-08-31}
}
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike |
2021-08-27 ⋅ Aon ⋅ Noah Rubin, Aon’s Cyber Labs
@online{rubin:20210827:cobalt:a44e08a,
author = {Noah Rubin and Aon’s Cyber Labs},
title = {{Cobalt Strike Configuration Extractor and Parser}},
date = {2021-08-27},
organization = {Aon},
url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/},
language = {English},
urldate = {2022-05-04}
}
Cobalt Strike Configuration Extractor and Parser
Cobalt Strike |
2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee
@techreport{hiroaki:20210825:earth:776384f,
author = {Hara Hiroaki and Ted Lee},
title = {{Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}},
date = {2021-08-25},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf},
language = {English},
urldate = {2021-08-31}
}
Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk |
2021-08-24 ⋅ ESET Research ⋅ Thibaut Passilly, Mathieu Tartare
@online{passilly:20210824:sidewalk:75d39db,
author = {Thibaut Passilly and Mathieu Tartare},
title = {{The SideWalk may be as dangerous as the CROSSWALK}},
date = {2021-08-24},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/},
language = {English},
urldate = {2021-08-31}
}
The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk |
2021-08-23 ⋅ FBI ⋅ FBI
@techreport{fbi:20210823:indicators:3308f26,
author = {FBI},
title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}},
date = {2021-08-23},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/210823.pdf},
language = {English},
urldate = {2021-08-24}
}
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz |
2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Chad Tilbury
@online{tilbury:20210823:keynote:23c0084,
author = {Chad Tilbury},
title = {{Keynote: Cobalt Strike Threat Hunting}},
date = {2021-08-23},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=borfuQGrB8g},
language = {English},
urldate = {2021-08-25}
}
Keynote: Cobalt Strike Threat Hunting
Cobalt Strike |
2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
@online{team:20210819:blackberry:2eec433,
author = {BlackBerry Research & Intelligence Team},
title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}},
date = {2021-08-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware},
language = {English},
urldate = {2021-08-23}
}
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex |
2021-08-19 ⋅ Sekoia ⋅ sekoia
@online{sekoia:20210819:insider:ceb84de,
author = {sekoia},
title = {{An insider insights into Conti operations – Part two}},
date = {2021-08-19},
organization = {Sekoia},
url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/},
language = {English},
urldate = {2021-09-06}
}
An insider insights into Conti operations – Part two
Cobalt Strike Conti |
2021-08-18 ⋅ Intezer ⋅ Ryan Robinson
@online{robinson:20210818:cobalt:965e1a9,
author = {Ryan Robinson},
title = {{Cobalt Strike: Detect this Persistent Threat}},
date = {2021-08-18},
organization = {Intezer},
url = {https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/},
language = {English},
urldate = {2021-08-25}
}
Cobalt Strike: Detect this Persistent Threat
Cobalt Strike |
2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210817:hunting:1dc14d0,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration}},
date = {2021-08-17},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations},
language = {English},
urldate = {2021-08-31}
}
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti |
2021-08-17 ⋅ Sekoia ⋅ sekoia
@online{sekoia:20210817:insider:3b427c7,
author = {sekoia},
title = {{An insider insights into Conti operations – Part one}},
date = {2021-08-17},
organization = {Sekoia},
url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one},
language = {English},
urldate = {2021-09-06}
}
An insider insights into Conti operations – Part one
Cobalt Strike Conti |
2021-08-17 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210817:cobalt:64689eb,
author = {Michael Koczwara},
title = {{Cobalt Strike Hunting — DLL Hijacking/Attack Analysis}},
date = {2021-08-17},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
@techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
@online{kremez:20210811:secret:5c5f06c,
author = {Vitali Kremez},
title = {{Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent}},
date = {2021-08-11},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent},
language = {English},
urldate = {2021-08-31}
}
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti |
2021-08-09 ⋅ IstroSec ⋅ Ladislav Bačo
@online{bao:20210809:cobalt:fc98da7,
author = {Ladislav Bačo},
title = {{APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)}},
date = {2021-08-09},
organization = {IstroSec},
url = {https://www.istrosec.com/blog/apt-sk-cobalt/},
language = {English},
urldate = {2021-08-16}
}
APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike |
2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton
@online{lambert:20210805:when:aeb7b10,
author = {Tony Lambert and Brian Donohue and Dan Cotton},
title = {{When Dridex and Cobalt Strike give you Grief}},
date = {2021-08-05},
organization = {Red Canary},
url = {https://redcanary.com/blog/grief-ransomware/},
language = {English},
urldate = {2021-09-10}
}
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer |
2021-08-05 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210805:detecting:235fe13,
author = {Counter Threat Unit ResearchTeam},
title = {{Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)}},
date = {2021-08-05},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups},
language = {English},
urldate = {2021-08-06}
}
Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike |
2021-08-04 ⋅ CrowdStrike ⋅ Falcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
@online{team:20210804:prophet:e6e6a99,
author = {Falcon OverWatch Team and CrowdStrike Intelligence Team and CrowdStrike IR},
title = {{PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity}},
date = {2021-08-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/},
language = {English},
urldate = {2021-09-02}
}
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker |
2021-08-04 ⋅ Sentinel LABS ⋅ Gal Kristal
@online{kristal:20210804:hotcobalt:136e715,
author = {Gal Kristal},
title = {{Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations}},
date = {2021-08-04},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/},
language = {English},
urldate = {2021-08-06}
}
Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike |
2021-08-04 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210804:detecting:b379acb,
author = {Counter Threat Unit ResearchTeam},
title = {{Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)}},
date = {2021-08-04},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks},
language = {English},
urldate = {2021-08-06}
}
Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike |
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20210803:deadringer:908e8d5,
author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}},
date = {2021-08-03},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos},
language = {English},
urldate = {2021-08-06}
}
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ Alexander Rausch, Konstantin Klinger
@online{rausch:20210802:code:dee039d,
author = {Alexander Rausch and Konstantin Klinger},
title = {{The CODE 2021: Workshop presentation and demonstration about CobaltStrike}},
date = {2021-08-02},
organization = {Youtube (Forschungsinstitut Cyber Defense)},
url = {https://www.youtube.com/watch?v=y65hmcLIWDY},
language = {English},
urldate = {2021-08-25}
}
The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike |
2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210801:bazarcall:bb6829b,
author = {The DFIR Report},
title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}},
date = {2021-08-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/},
language = {English},
urldate = {2021-08-02}
}
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot |
2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
@online{42:20210730:bazarloader:43bdc2c,
author = {Unit 42},
title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}},
date = {2021-07-30},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20},
language = {English},
urldate = {2021-08-02}
}
Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike |
2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
@online{team:20210729:bazacall:8d79cdf,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}},
date = {2021-07-29},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/},
language = {English},
urldate = {2021-08-02}
}
BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike |
2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse
@online{mouse:20210729:ntlm:7f97289,
author = {Rasta Mouse},
title = {{NTLM Relaying via Cobalt Strike}},
date = {2021-07-29},
organization = {Rasta Mouse},
url = {https://rastamouse.me/ntlm-relaying-via-cobalt-strike/},
language = {English},
urldate = {2021-07-29}
}
NTLM Relaying via Cobalt Strike
Cobalt Strike |
2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53,
author = {BlackBerry Research & Intelligence Team},
title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}},
date = {2021-07-27},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf},
language = {English},
urldate = {2021-07-27}
}
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy |
2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Alex Hinchliffe
@online{harbison:20210727:thor:5d6d793,
author = {Mike Harbison and Alex Hinchliffe},
title = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}},
date = {2021-07-27},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/thor-plugx-variant/},
language = {English},
urldate = {2021-07-29}
}
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX |
2021-07-25 ⋅ Medium svch0st ⋅ svch0st
@online{svch0st:20210725:guide:28267fd,
author = {svch0st},
title = {{Guide to Named Pipes and Hunting for Cobalt Strike Pipes}},
date = {2021-07-25},
organization = {Medium svch0st},
url = {https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575},
language = {English},
urldate = {2021-08-02}
}
Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike |
2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
@online{koczwara:20210722:cobalt:f102b02,
author = {Michael Koczwara},
title = {{Cobalt Strike Hunting — simple PCAP and Beacon Analysis}},
date = {2021-07-22},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811},
language = {English},
urldate = {2021-07-22}
}
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike |
2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie
@online{botezatu:20210721:luminousmoth:7ed907d,
author = {Bogdan Botezatu and Victor Vrabie},
title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}},
date = {2021-07-21},
organization = {Bitdefender},
url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited},
language = {English},
urldate = {2021-07-26}
}
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX |
2021-07-20 ⋅ RNZ
@online{rnz:20210720:government:92d39e8,
author = {RNZ},
title = {{Government points finger at China over cyber attacks}},
date = {2021-07-20},
url = {https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks},
language = {English},
urldate = {2021-07-22}
}
Government points finger at China over cyber attacks
HAFNIUM Leviathan |
2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210720:ongoing:1e6dbd0,
author = {Counter Threat Unit ResearchTeam},
title = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}},
date = {2021-07-20},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran},
language = {English},
urldate = {2021-07-26}
}
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor |
2021-07-19 ⋅ Ministry of Foreign Affairs of Japan ⋅ Ministry of Foreign Affairs of Japan
@online{japan:20210719:cases:7aac86a,
author = {Ministry of Foreign Affairs of Japan},
title = {{Cases of cyberattacks including those by a group known as APT40 which the Chinese government is behind (Statement by Press Secretary YOSHIDA Tomoyuki)}},
date = {2021-07-19},
organization = {Ministry of Foreign Affairs of Japan},
url = {https://www.mofa.go.jp/press/danwa/press6e_000312.html},
language = {English},
urldate = {2021-07-22}
}
Cases of cyberattacks including those by a group known as APT40 which the Chinese government is behind (Statement by Press Secretary YOSHIDA Tomoyuki)
Leviathan |
2021-07-19 ⋅ GOV.UK ⋅ NCSC UK, Dominic Raab
@online{uk:20210719:uk:9674820,
author = {NCSC UK and Dominic Raab},
title = {{UK and allies hold Chinese state responsible for a pervasive pattern of hacking}},
date = {2021-07-19},
organization = {GOV.UK},
url = {https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking},
language = {English},
urldate = {2021-07-22}
}
UK and allies hold Chinese state responsible for a pervasive pattern of hacking
APT31 HAFNIUM Leviathan |
2021-07-19 ⋅ NCSC UK ⋅ NCSC UK
@online{uk:20210719:uk:8ecd954,
author = {NCSC UK},
title = {{UK and allies hold Chinese state responsible for pervasive pattern of hacking}},
date = {2021-07-19},
organization = {NCSC UK},
url = {https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking},
language = {English},
urldate = {2021-07-22}
}
UK and allies hold Chinese state responsible for pervasive pattern of hacking
APT31 Leviathan |
2021-07-19 ⋅ Government of Canada ⋅ Global Affairs Canada
@online{canada:20210719:statement:e1247f4,
author = {Global Affairs Canada},
title = {{Statement on China’s cyber campaigns}},
date = {2021-07-19},
organization = {Government of Canada},
url = {https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html},
language = {English},
urldate = {2021-07-22}
}
Statement on China’s cyber campaigns
Leviathan |
2021-07-19 ⋅ Minister for Foreign Affairs of Australia ⋅ Karen Andrews, Peter Dutton
@online{andrews:20210719:australia:8ca5b16,
author = {Karen Andrews and Peter Dutton},
title = {{Australia joins international partners in attribution of malicious cyber activity to China}},
date = {2021-07-19},
organization = {Minister for Foreign Affairs of Australia},
url = {https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china},
language = {English},
urldate = {2021-07-22}
}
Australia joins international partners in attribution of malicious cyber activity to China
APT31 HAFNIUM Leviathan |
2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210719:icedid:0365384,
author = {The DFIR Report},
title = {{IcedID and Cobalt Strike vs Antivirus}},
date = {2021-07-19},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/},
language = {English},
urldate = {2021-07-20}
}
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID |
2021-07-19 ⋅ CISA ⋅ CISA
@online{cisa:20210719:alert:bc070a7,
author = {CISA},
title = {{Alert (AA21-200B): Chinese State-Sponsored Cyber Operations: Observed TTPs}},
date = {2021-07-19},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-200b},
language = {English},
urldate = {2021-07-22}
}
Alert (AA21-200B): Chinese State-Sponsored Cyber Operations: Observed TTPs
Leviathan |
2021-07-19 ⋅ Council of the European Union ⋅ Council of the European Union
@online{union:20210719:china:37d03d1,
author = {Council of the European Union},
title = {{China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory}},
date = {2021-07-19},
organization = {Council of the European Union},
url = {https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory},
language = {English},
urldate = {2021-07-26}
}
China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory
Leviathan |
2021-07-19 ⋅ Department of Justice ⋅ Office of Public Affairs
@online{affairs:20210719:four:083a598,
author = {Office of Public Affairs},
title = {{Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research}},
date = {2021-07-19},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion},
language = {English},
urldate = {2021-07-26}
}
Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research
Leviathan |
2021-07-14 ⋅ MDSec ⋅ Chris Basnett
@online{basnett:20210714:investigating:585e2a1,
author = {Chris Basnett},
title = {{Investigating a Suspicious Service}},
date = {2021-07-14},
organization = {MDSec},
url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/},
language = {English},
urldate = {2021-07-20}
}
Investigating a Suspicious Service
Cobalt Strike |
2021-07-14 ⋅ Kaspersky ⋅ Mark Lechtik, Paul Rascagnères, Aseel Kayal
@online{lechtik:20210714:luminousmoth:a5cf19d,
author = {Mark Lechtik and Paul Rascagnères and Aseel Kayal},
title = {{LuminousMoth APT: Sweeping attacks for the chosen few}},
date = {2021-07-14},
organization = {Kaspersky},
url = {https://securelist.com/apt-luminousmoth/103332/},
language = {English},
urldate = {2021-07-20}
}
LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike |
2021-07-14 ⋅ Google ⋅ Maddie Stone, Clement Lecigne, Google Threat Analysis Group
@online{stone:20210714:how:38dfdc6,
author = {Maddie Stone and Clement Lecigne and Google Threat Analysis Group},
title = {{How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)}},
date = {2021-07-14},
organization = {Google},
url = {https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/},
language = {English},
urldate = {2021-07-26}
}
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike |
2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman
@online{soseman:20210713:solarwinds:cb7df1d,
author = {Matt Soseman},
title = {{Solarwinds and SUNBURST attacks compromised my lab!}},
date = {2021-07-13},
organization = {YouTube ( Matt Soseman)},
url = {https://www.youtube.com/watch?v=GfbxHy6xnbA},
language = {English},
urldate = {2021-07-21}
}
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20210709:hancitor:814e815,
author = {Brad Duncan},
title = {{Hancitor tries XLL as initial malware file}},
date = {2021-07-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/27618},
language = {English},
urldate = {2021-07-19}
}
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor |
2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team
@online{team:20210708:decoding:04acb98,
author = {Threat Intelligence Team},
title = {{Decoding Cobalt Strike: Understanding Payloads}},
date = {2021-07-08},
organization = {Avast Decoded},
url = {https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/},
language = {English},
urldate = {2021-07-08}
}
Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader |
2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2,
author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen},
title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}},
date = {2021-07-07},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html},
language = {English},
urldate = {2021-07-19}
}
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi |
2021-07-07 ⋅ McAfee ⋅ McAfee Labs
@techreport{labs:20210707:ryuk:ee88024,
author = {McAfee Labs},
title = {{Ryuk Ransomware Now Targeting Webservers}},
date = {2021-07-07},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf},
language = {English},
urldate = {2021-07-11}
}
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk |
2021-07-07 ⋅ Trustwave ⋅ Rodel Mendrez, Nikita Kazymirskyi
@online{mendrez:20210707:diving:1c04c81,
author = {Rodel Mendrez and Nikita Kazymirskyi},
title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}},
date = {2021-07-07},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/},
language = {English},
urldate = {2021-07-09}
}
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil |
2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence
@online{intelligence:20210706:malspam:083ba5a,
author = {Malwarebytes Threat Intelligence},
title = {{Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike}},
date = {2021-07-06},
organization = {Twitter (@MBThreatIntel)},
url = {https://twitter.com/MBThreatIntel/status/1412518446013812737},
language = {English},
urldate = {2021-07-09}
}
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike |
2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio
@online{camba:20210705:tracking:6ae6ad5,
author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio},
title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}},
date = {2021-07-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html},
language = {English},
urldate = {2021-07-19}
}
Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike |
2021-07-03 ⋅ Medium AK1001 ⋅ AK1001
@online{ak1001:20210703:analyzing:65452fa,
author = {AK1001},
title = {{Analyzing Cobalt Strike PowerShell Payload}},
date = {2021-07-03},
organization = {Medium AK1001},
url = {https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b},
language = {English},
urldate = {2022-01-31}
}
Analyzing Cobalt Strike PowerShell Payload
Cobalt Strike |
2021-07-02 ⋅ MalwareBookReports ⋅ muzi
@online{muzi:20210702:skip:09c3cd8,
author = {muzi},
title = {{Skip the Middleman: Dridex Document to Cobalt Strike}},
date = {2021-07-02},
organization = {MalwareBookReports},
url = {https://malwarebookreports.com/cryptone-cobalt-strike/},
language = {English},
urldate = {2021-07-06}
}
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex |
2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210701:mongolian:1fd57de,
author = {Catalin Cimpanu},
title = {{Mongolian certificate authority hacked eight times, compromised with malware}},
date = {2021-07-01},
organization = {The Record},
url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/},
language = {English},
urldate = {2021-07-02}
}
Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike |
2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
@online{camastra:20210701:backdoored:6f26c16,
author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek},
title = {{Backdoored Client from Mongolian CA MonPass}},
date = {2021-07-01},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/},
language = {English},
urldate = {2021-07-02}
}
Backdoored Client from Mongolian CA MonPass
Cobalt Strike |
2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin
@online{skulkin:20210630:revil:63bb524,
author = {Oleg Skulkin},
title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}},
date = {2021-06-30},
organization = {Group-IB},
url = {https://blog.group-ib.com/REvil_RaaS},
language = {English},
urldate = {2021-07-02}
}
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil |
2021-06-29 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford
@online{larson:20210629:cobalt:99ad5a0,
author = {Selena Larson and Daniel Blackford},
title = {{Cobalt Strike: Favorite Tool from APT to Crimeware}},
date = {2021-06-29},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware},
language = {English},
urldate = {2021-06-29}
}
Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike |
2021-06-29 ⋅ Accenture ⋅ Accenture Security
@online{security:20210629:hades:2d4c606,
author = {Accenture Security},
title = {{HADES ransomware operators continue attacks}},
date = {2021-06-29},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades},
language = {English},
urldate = {2021-07-01}
}
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz |
2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210628:hancitor:b21cdd2,
author = {The DFIR Report},
title = {{Hancitor Continues to Push Cobalt Strike}},
date = {2021-06-28},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/},
language = {English},
urldate = {2021-06-29}
}
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor |
2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team
@online{team:20210622:response:13a8ee6,
author = {The Falcon Complete Team},
title = {{Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators}},
date = {2021-06-22},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/},
language = {English},
urldate = {2021-06-24}
}
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike |
2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si
@online{cryptolaemus:20210622:ta575:895ac37,
author = {Cryptolaemus and Kirk Sayre and dao ming si},
title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}},
date = {2021-06-22},
organization = {Twitter (@Cryptolaemus1)},
url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680},
language = {English},
urldate = {2021-06-22}
}
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex |
2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210620:from:aadb7e8,
author = {The DFIR Report},
title = {{From Word to Lateral Movement in 1 Hour}},
date = {2021-06-20},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/},
language = {English},
urldate = {2021-06-22}
}
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID |
2021-06-19 ⋅ CISA ⋅ US-CERT
@online{uscert:20210619:alert:fae1a38,
author = {US-CERT},
title = {{Alert (AA21-200A): Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department}},
date = {2021-06-19},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-200a},
language = {English},
urldate = {2021-07-26}
}
Alert (AA21-200A): Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
Leviathan |
2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff
@online{sherstobitoff:20210618:securityscorecard:0000641,
author = {Ryan Sherstobitoff},
title = {{SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought}},
date = {2021-06-18},
organization = {SecurityScorecard},
url = {https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought},
language = {English},
urldate = {2021-06-22}
}
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike |
2021-06-17 ⋅ Binary Defense ⋅ Brandon George
@online{george:20210617:analysis:6e4b8ac,
author = {Brandon George},
title = {{Analysis of Hancitor – When Boring Begets Beacon}},
date = {2021-06-17},
organization = {Binary Defense},
url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon},
language = {English},
urldate = {2021-06-22}
}
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor |
2021-06-16 ⋅ Mandiant ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, Jordan Nuce
@online{mclellan:20210616:smoking:a03a78c,
author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson and Jordan Nuce},
title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}},
date = {2021-06-16},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise},
language = {English},
urldate = {2021-12-01}
}
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM |
2021-06-16 ⋅ FireEye ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
@online{mclellan:20210616:smoking:fa6559d,
author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson},
title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}},
date = {2021-06-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html},
language = {English},
urldate = {2021-12-01}
}
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM |
2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України
@online{:20210616:cyberpolice:f455d86,
author = {Національна поліція України},
title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}},
date = {2021-06-16},
organization = {Національної поліції України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-06-21}
}
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy |
2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210615:hades:e1734d8,
author = {Counter Threat Unit ResearchTeam},
title = {{Hades Ransomware Operators Use Distinctive Tactics and Infrastructure}},
date = {2021-06-15},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure},
language = {English},
urldate = {2021-06-21}
}
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades |
2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
@online{mackenzie:20210612:thread:eac742a,
author = {Peter Mackenzie},
title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}},
date = {2021-06-12},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095},
language = {English},
urldate = {2021-06-21}
}
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker |
2021-06-10 ⋅ ESET Research ⋅ Adam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d,
author = {Adam Burgher},
title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}},
date = {2021-06-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/},
language = {English},
urldate = {2022-06-08}
}
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev
@online{rostovcev:20210610:big:4d0a5f2,
author = {Nikita Rostovcev},
title = {{Big airline heist APT41 likely behind massive supply chain attack}},
date = {2021-06-10},
organization = {Group-IB},
url = {https://blog.group-ib.com/colunmtk_apt41},
language = {English},
urldate = {2021-06-16}
}
Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike |
2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7
@online{reddrip7:20210609:in:74f9bac,
author = {RedDrip7},
title = {{Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)}},
date = {2021-06-09},
organization = {Twitter (@RedDrip7)},
url = {https://twitter.com/RedDrip7/status/1402640362972147717?s=20},
language = {English},
urldate = {2021-06-21}
}
Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike |
2021-06-04 ⋅ Inky ⋅ Roger Kay
@online{kay:20210604:colonial:959c12f,
author = {Roger Kay},
title = {{Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts}},
date = {2021-06-04},
organization = {Inky},
url = {https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts},
language = {English},
urldate = {2021-06-16}
}
Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike |
2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein
@online{lanstein:20210604:unc2652nobelium:460c6ab,
author = {Alex Lanstein},
title = {{Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879}},
date = {2021-06-04},
organization = {Twitter (@alex_lanstein)},
url = {https://twitter.com/alex_lanstein/status/1399829754887524354},
language = {English},
urldate = {2021-07-26}
}
Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879
Cobalt Strike |
2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex
@online{xorhex:20210602:new:9e10322,
author = {Xorhex},
title = {{Tweet on new variant of PlugX from RedDelta Group}},
date = {2021-06-02},
organization = {Twitter (@xorhex)},
url = {https://twitter.com/xorhex/status/1399906601562165249?s=20},
language = {English},
urldate = {2021-06-09}
}
Tweet on new variant of PlugX from RedDelta Group
PlugX |
2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210602:reddelta:f35268d,
author = {Twitter (@xorhex)},
title = {{RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure}},
date = {2021-06-02},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/reddeltaplugxchangeup/},
language = {English},
urldate = {2021-06-09}
}
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX |
2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
@online{corp:20210602:chinalinked:487955f,
author = {CyCraft Technology Corp},
title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}},
date = {2021-06-02},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5},
language = {English},
urldate = {2021-06-09}
}
China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock |
2021-06-02 ⋅ Sophos ⋅ Sean Gallagher
@online{gallagher:20210602:amsi:084d0ba,
author = {Sean Gallagher},
title = {{AMSI bypasses remain tricks of the malware trade}},
date = {2021-06-02},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/},
language = {English},
urldate = {2021-06-09}
}
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter |
2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs
@online{affairs:20210601:justice:1ed9656,
author = {Office of Public Affairs},
title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}},
date = {2021-06-01},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear},
language = {English},
urldate = {2021-06-09}
}
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike |
2021-06-01 ⋅ SANS ⋅ Kevin Haley, Jake Williams
@online{haley:20210601:contrarian:6aff18c,
author = {Kevin Haley and Jake Williams},
title = {{A Contrarian View on SolarWinds}},
date = {2021-06-01},
organization = {SANS},
url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515},
language = {English},
urldate = {2021-06-21}
}
A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade
@online{guerrerosaade:20210601:noblebaron:20dd227,
author = {Juan Andrés Guerrero-Saade},
title = {{NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks}},
date = {2021-06-01},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/},
language = {English},
urldate = {2021-06-09}
}
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike |
2021-06-01 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
@online{mstic:20210601:new:83aee4c,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team},
title = {{New sophisticated email-based attack from NOBELIUM}},
date = {2021-06-01},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/},
language = {English},
urldate = {2021-06-09}
}
New sophisticated email-based attack from NOBELIUM
Cobalt Strike |
2021-05-29 ⋅ Twitter (@elisalem9) ⋅ Eli Salem
@online{salem:20210529:obfuscation:f1b68f3,
author = {Eli Salem},
title = {{Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452}},
date = {2021-05-29},
organization = {Twitter (@elisalem9)},
url = {https://twitter.com/elisalem9/status/1398566939656601606},
language = {English},
urldate = {2021-08-02}
}
Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452
Cobalt Strike |
2021-05-28 ⋅ FBI
@online{fbi:20210528:wanted:ac99de8,
author = {FBI},
title = {{Wanted by the FBI: Zhu Yunmin, Wu Shurong, Ding Xiaoyang, Cheng Qingmin}},
date = {2021-05-28},
url = {https://www.justice.gov/opa/press-release/file/1412921/download},
language = {English},
urldate = {2021-07-26}
}
Wanted by the FBI: Zhu Yunmin, Wu Shurong, Ding Xiaoyang, Cheng Qingmin
Leviathan |
2021-05-28 ⋅ CISA ⋅ US-CERT
@online{uscert:20210528:alert:be89c5f,
author = {US-CERT},
title = {{Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs}},
date = {2021-05-28},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-148a},
language = {English},
urldate = {2021-07-27}
}
Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike |
2021-05-28 ⋅ United States District Court Southern District of California
@online{california:20210528:united:1a0e5db,
author = {United States District Court Southern District of California},
title = {{United States of America vs Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin, Wu Shurong}},
date = {2021-05-28},
url = {https://www.justice.gov/opa/press-release/file/1412916/download},
language = {English},
urldate = {2021-07-26}
}
United States of America vs Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin, Wu Shurong
Leviathan |
2021-05-28 ⋅ CISA ⋅ US-CERT
@online{uscert:20210528:malware:0913332,
author = {US-CERT},
title = {{Malware Analysis Report (AR21-148A): Cobalt Strike Beacon}},
date = {2021-05-28},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a},
language = {English},
urldate = {2021-07-19}
}
Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike |
2021-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC)
@online{mstic:20210528:breaking:f55e372,
author = {Microsoft Threat Intelligence Center (MSTIC)},
title = {{Breaking down NOBELIUM’s latest early-stage toolset}},
date = {2021-05-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/},
language = {English},
urldate = {2022-05-17}
}
Breaking down NOBELIUM’s latest early-stage toolset
Cobalt Strike |
2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210527:mustang:d3c664b,
author = {Twitter (@xorhex)},
title = {{Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config}},
date = {2021-05-27},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/mustangpandaplugx-2/},
language = {English},
urldate = {2021-06-21}
}
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX |
2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{cash:20210527:suspected:beb9dd9,
author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}},
date = {2021-05-27},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/},
language = {English},
urldate = {2021-06-09}
}
Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike |
2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19,
author = {Ron Ben Yizhak},
title = {{A Deep Dive into Packing Software CryptOne}},
date = {2021-05-26},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/},
language = {English},
urldate = {2021-06-22}
}
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
2021-05-25 ⋅ Huntress Labs ⋅ Matthew Brennan
@online{brennan:20210525:cobalt:c428be0,
author = {Matthew Brennan},
title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}},
date = {2021-05-25},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware},
language = {English},
urldate = {2021-06-09}
}
Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike |
2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite
@online{ambite:20210521:leveraging:55f56da,
author = {Pablo Ambite},
title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}},
date = {2021-05-21},
organization = {blackarrow},
url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/},
language = {English},
urldate = {2021-06-22}
}
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike |
2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
@online{ergene:20210519:enterprise:f7fb481,
author = {Mehmet Ergene},
title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}},
date = {2021-05-19},
organization = {Medium Mehmet Ergene},
url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e},
language = {English},
urldate = {2021-05-26}
}
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike |
2021-05-19 ⋅ Intel 471 ⋅ Intel 471
@online{471:20210519:look:5ba9516,
author = {Intel 471},
title = {{Look how many cybercriminals love Cobalt Strike}},
date = {2021-05-19},
organization = {Intel 471},
url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
language = {English},
urldate = {2021-05-19}
}
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
@online{shier:20210518:active:f313ac5,
author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie},
title = {{The Active Adversary Playbook 2021}},
date = {2021-05-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153},
language = {English},
urldate = {2021-05-25}
}
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz |
2021-05-17 ⋅ Talos ⋅ Brad Garnett
@online{garnett:20210517:case:a8ef9cf,
author = {Brad Garnett},
title = {{Case Study: Incident Response is a relationship-driven business}},
date = {2021-05-17},
organization = {Talos},
url = {https://blog.talosintelligence.com/2021/05/ctir-case-study.html},
language = {English},
urldate = {2021-05-25}
}
Case Study: Incident Response is a relationship-driven business
Cobalt Strike |
2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex)
@online{xorhex:20210517:mustang:c51cc47,
author = {Twitter (@xorhex)},
title = {{Mustang Panda PlugX - 45.251.240.55 Pivot}},
date = {2021-05-17},
organization = {xorhex blog},
url = {https://blog.xorhex.com/blog/mustangpandaplugx-1/},
language = {English},
urldate = {2021-06-21}
}
Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX |
2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland
@techreport{ireland:20210516:ransomware:b091d9b,
author = {NCSC Ireland},
title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}},
date = {2021-05-16},
institution = {NCSC Ireland},
url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf},
language = {English},
urldate = {2021-05-17}
}
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti |
2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r
@online{0r:20210514:darkside:bf9c5bc,
author = {Auth 0r},
title = {{DarkSide Ransomware Operations – Preventions and Detections.}},
date = {2021-05-14},
organization = {Blue Team Blog},
url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections},
language = {English},
urldate = {2021-05-17}
}
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide |
2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt
@online{schmitt:20210514:from:944b5f1,
author = {Drew Schmitt},
title = {{From ZLoader to DarkSide: A Ransomware Story}},
date = {2021-05-14},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/},
language = {English},
urldate = {2021-05-17}
}
From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader |
2021-05-13 ⋅ AWAKE ⋅ Kieran Evans
@online{evans:20210513:catching:eaa13e2,
author = {Kieran Evans},
title = {{Catching the White Stork in Flight}},
date = {2021-05-13},
organization = {AWAKE},
url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/},
language = {English},
urldate = {2021-09-19}
}
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS |
2021-05-12 ⋅ The DFIR Report
@online{report:20210512:conti:598c5f2,
author = {The DFIR Report},
title = {{Conti Ransomware}},
date = {2021-05-12},
url = {https://thedfirreport.com/2021/05/12/conti-ransomware/},
language = {English},
urldate = {2021-05-13}
}
Conti Ransomware
Cobalt Strike Conti IcedID |
2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
@online{ergene:20210512:enterprise:09742df,
author = {Mehmet Ergene},
title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}},
date = {2021-05-12},
organization = {Medium Mehmet Ergene},
url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f},
language = {English},
urldate = {2021-05-26}
}
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike |
2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
@online{maleats:20210511:campo:0305ab9,
author = {mal_eats},
title = {{Campo, a New Attack Campaign Targeting Japan}},
date = {2021-05-11},
organization = {Mal-Eats},
url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-06-01}
}
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader |
2021-05-11 ⋅ FireEye ⋅ Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
@online{nuce:20210511:shining:339d137,
author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson},
title = {{Shining a Light on DARKSIDE Ransomware Operations}},
date = {2021-05-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html},
language = {English},
urldate = {2021-05-13}
}
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide |
2021-05-10 ⋅ ZERO.BS ⋅ ZEROBS
@online{zerobs:20210510:cobaltstrikebeacons:b7fee54,
author = {ZEROBS},
title = {{Cobaltstrike-Beacons analyzed}},
date = {2021-05-10},
organization = {ZERO.BS},
url = {https://zero.bs/cobaltstrike-beacons-analyzed.html},
language = {English},
urldate = {2021-05-11}
}
Cobaltstrike-Beacons analyzed
Cobalt Strike |
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
@online{maleats:20210510:overview:50ff3b3,
author = {mal_eats},
title = {{Overview of Campo, a new attack campaign targeting Japan}},
date = {2021-05-10},
organization = {Mal-Eats},
url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-05-13}
}
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-05-07},
institution = {TEAMT5},
url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj
@online{nataraj:20210507:new:79ec788,
author = {Rajesh Nataraj},
title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}},
date = {2021-05-07},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728},
language = {English},
urldate = {2022-02-16}
}
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81,
author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin},
title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}},
date = {2021-05-07},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html},
language = {English},
urldate = {2022-02-16}
}
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Medium svch0st ⋅ svch0st
@online{svch0st:20210507:stats:11919e5,
author = {svch0st},
title = {{Stats from Hunting Cobalt Strike Beacons}},
date = {2021-05-07},
organization = {Medium svch0st},
url = {https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b},
language = {English},
urldate = {2021-05-08}
}
Stats from Hunting Cobalt Strike Beacons
Cobalt Strike |
2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4,
author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre},
title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}},
date = {2021-05-06},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html},
language = {English},
urldate = {2022-02-17}
}
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei |
2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20210505:multifactor:8834ab8,
author = {Threat Hunter Team},
title = {{Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques}},
date = {2021-05-05},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks},
language = {English},
urldate = {2021-05-26}
}
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
CHINACHOPPER |
2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén
@online{whln:20210505:are:61bb8a0,
author = {Mattias Wåhlén},
title = {{Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?}},
date = {2021-05-05},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/},
language = {English},
urldate = {2021-05-08}
}
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker |
2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos
@online{brandt:20210505:intervention:f548dee,
author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos},
title = {{Intervention halts a ProxyLogon-enabled attack}},
date = {2021-05-05},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack},
language = {English},
urldate = {2021-05-07}
}
Intervention halts a ProxyLogon-enabled attack
Cobalt Strike |
2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc,
author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule},
title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}},
date = {2021-05-05},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols},
language = {English},
urldate = {2021-05-08}
}
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel
@online{sechel:20210504:improving:ce4da6d,
author = {Sergiu Sechel},
title = {{Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives}},
date = {2021-05-04},
organization = {Medium sergiusechel},
url = {https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468},
language = {English},
urldate = {2021-05-04}
}
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike |
2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210502:trickbot:242b786,
author = {The DFIR Report},
title = {{Trickbot Brief: Creds and Beacons}},
date = {2021-05-02},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/},
language = {English},
urldate = {2021-05-04}
}
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot |
2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4,
author = {Threat Detection NTT Ltd.},
title = {{The Operations of Winnti group}},
date = {2021-04-29},
institution = {NTT},
url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf},
language = {English},
urldate = {2021-08-09}
}
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti |
2021-04-29 ⋅ FireEye ⋅ Tyler McLellan, Justin Moore, Raymond Leong
@online{mclellan:20210429:unc2447:2ad0d96,
author = {Tyler McLellan and Justin Moore and Raymond Leong},
title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}},
date = {2021-04-29},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html},
language = {English},
urldate = {2022-03-07}
}
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty |
2021-04-28 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen
@online{hoej:20210428:water:f769ce2,
author = {Jaromír Hořejší and Joseph C Chen},
title = {{Water Pamola Attacked Online Shops Via Malicious Orders}},
date = {2021-04-28},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html},
language = {English},
urldate = {2021-05-04}
}
Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw
@online{agcaoili:20210427:legitimate:b293526,
author = {Janus Agcaoili and Earle Earnshaw},
title = {{Legitimate Tools Weaponized for Ransomware in 2021}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021},
language = {English},
urldate = {2021-05-03}
}
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili
@online{agcaoili:20210427:hello:b3c5de5,
author = {Janus Agcaoili},
title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html},
language = {English},
urldate = {2021-04-29}
}
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike |
2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul)
@online{80vul:20210426:hunting:e8be278,
author = {Twitter (@80vul)},
title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}},
date = {2021-04-26},
organization = {getrevue},
url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734},
language = {English},
urldate = {2021-04-29}
}
Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike |
2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut
@online{thiebaut:20210426:anatomy:0ade0a5,
author = {Maxime Thiebaut},
title = {{Anatomy of Cobalt Strike’s DLL Stager}},
date = {2021-04-26},
organization = {nviso},
url = {https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/},
language = {English},
urldate = {2021-04-29}
}
Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike |
2021-04-24 ⋅ Non-offensive security ⋅ Non-offensive security team
@online{team:20210424:detect:4fab11a,
author = {Non-offensive security team},
title = {{Detect Cobalt Strike server through DNS protocol}},
date = {2021-04-24},
organization = {Non-offensive security},
url = {https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ},
language = {Chinese},
urldate = {2021-04-29}
}
Detect Cobalt Strike server through DNS protocol
Cobalt Strike |
2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh
@online{singh:20210423:doppel:1bfd6da,
author = {Vikas Singh},
title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}},
date = {2021-04-23},
organization = {Twitter (@vikas891)},
url = {https://twitter.com/vikas891/status/1385306823662587905},
language = {English},
urldate = {2021-05-25}
}
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer |
2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
@online{mackenzie:20210422:twwet:62355c6,
author = {Peter Mackenzie},
title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}},
date = {2021-04-22},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688},
language = {English},
urldate = {2021-05-25}
}
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer |
2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7,
author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt},
title = {{Nearly half of malware now use TLS to conceal communications}},
date = {2021-04-21},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/},
language = {English},
urldate = {2021-04-28}
}
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC |
2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
@online{reaves:20210420:cobaltstrike:d18d4c4,
author = {Jason Reaves},
title = {{CobaltStrike Stager Utilizing Floating Point Math}},
date = {2021-04-20},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718},
language = {English},
urldate = {2021-04-20}
}
CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike |
2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49,
author = {Erik Hjelmvik},
title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}},
date = {2021-04-19},
organization = {Netresec},
url = {https://netresec.com/?b=214d7ff},
language = {English},
urldate = {2021-04-20}
}
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID |
2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens
@online{stevens:20210418:decoding:18e5319,
author = {Didier Stevens},
title = {{Decoding Cobalt Strike Traffic}},
date = {2021-04-18},
organization = {YouTube (dist67)},
url = {https://www.youtube.com/watch?v=ysN-MqyIN7M},
language = {English},
urldate = {2021-04-20}
}
Decoding Cobalt Strike Traffic
Cobalt Strike |
2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana
@online{surana:20210416:could:bb769ca,
author = {Nitesh Surana},
title = {{Could the Microsoft Exchange breach be stopped?}},
date = {2021-04-16},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html},
language = {English},
urldate = {2021-05-11}
}
Could the Microsoft Exchange breach be stopped?
CHINACHOPPER |
2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
@online{falcone:20210415:actor:8428e3f,
author = {Robert Falcone},
title = {{Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials}},
date = {2021-04-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/},
language = {English},
urldate = {2021-04-19}
}
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
CHINACHOPPER |
2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20210414:april:4a29cb5,
author = {Brad Duncan},
title = {{April 2021 Forensic Quiz: Answers and Analysis}},
date = {2021-04-14},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/27308},
language = {English},
urldate = {2021-04-14}
}
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike |
2021-04-12 ⋅ Inde ⋅ Chris Campbell
@online{campbell:20210412:different:ea9739f,
author = {Chris Campbell},
title = {{A Different Kind of Zoombomb}},
date = {2021-04-12},
organization = {Inde},
url = {https://www.inde.nz/blog/different-kind-of-zoombomb},
language = {English},
urldate = {2022-04-29}
}
A Different Kind of Zoombomb
Cobalt Strike |
2021-04-09 ⋅ F-Secure ⋅ Riccardo Ancarani, Giulio Ginesi
@online{ancarani:20210409:detecting:01d28ed,
author = {Riccardo Ancarani and Giulio Ginesi},
title = {{Detecting Exposed Cobalt Strike DNS Redirectors}},
date = {2021-04-09},
organization = {F-Secure},
url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors},
language = {English},
urldate = {2021-04-14}
}
Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike |
2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner
@online{warner:20210407:using:a7d19fd,
author = {Justin Warner},
title = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}},
date = {2021-04-07},
organization = {Medium sixdub},
url = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e},
language = {English},
urldate = {2021-04-09}
}
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike |
2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
@online{reaves:20210405:trickbot:a6b0592,
author = {Jason Reaves and Joshua Platt},
title = {{TrickBot Crews New CobaltStrike Loader}},
date = {2021-04-05},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c},
language = {English},
urldate = {2021-04-06}
}
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot |
2021-04-02 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20210402:study:31b191e,
author = {Dr.Web},
title = {{Study of targeted attacks on Russian research institutes}},
date = {2021-04-02},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf},
language = {English},
urldate = {2021-04-06}
}
Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT |
2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20210401:hancitors:8876ca1,
author = {Brad Duncan},
title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}},
date = {2021-04-01},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/},
language = {English},
urldate = {2021-04-06}
}
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor |
2021-04-01 ⋅ DomainTools ⋅ Joe Slowik
@online{slowik:20210401:covid19:6a96e45,
author = {Joe Slowik},
title = {{COVID-19 Phishing With a Side of Cobalt Strike}},
date = {2021-04-01},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#},
language = {English},
urldate = {2021-04-06}
}
COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike |
2021-03-31 ⋅ Red Canary ⋅ Red Canary
@techreport{canary:20210331:2021:cd81f2d,
author = {Red Canary},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-30 ⋅ GuidePoint Security ⋅ Drew Schmitt
@online{schmitt:20210330:yet:9855592,
author = {Drew Schmitt},
title = {{Yet Another Cobalt Strike Stager: GUID Edition}},
date = {2021-03-30},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/},
language = {English},
urldate = {2021-04-06}
}
Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike |
2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210329:sodinokibi:4c63e20,
author = {The DFIR Report},
title = {{Sodinokibi (aka REvil) Ransomware}},
date = {2021-03-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/},
language = {English},
urldate = {2021-03-30}
}
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil |
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4,
author = {Catalin Cimpanu},
title = {{RedEcho group parks domains after public exposure}},
date = {2021-03-29},
organization = {The Record},
url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/},
language = {English},
urldate = {2021-03-31}
}
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho |
2021-03-26 ⋅ Imperva ⋅ Daniel Johnston
@online{johnston:20210326:imperva:a78367a,
author = {Daniel Johnston},
title = {{Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures}},
date = {2021-03-26},
organization = {Imperva},
url = {https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/},
language = {English},
urldate = {2021-03-30}
}
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
CHINACHOPPER |
2021-03-25 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210325:suspected:5b0078f,
author = {Insikt Group®},
title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}},
date = {2021-03-25},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/},
language = {English},
urldate = {2021-03-30}
}
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX |
2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
@online{team:20210325:analyzing:d9ddef0,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Analyzing attacks taking advantage of the Exchange Server vulnerabilities}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/},
language = {English},
urldate = {2021-03-30}
}
Analyzing attacks taking advantage of the Exchange Server vulnerabilities
CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Tom McElroy
@online{mcelroy:20210325:web:38010a7,
author = {Tom McElroy},
title = {{Web Shell Threat Hunting with Azure Sentinel}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968},
language = {English},
urldate = {2021-03-30}
}
Web Shell Threat Hunting with Azure Sentinel
CHINACHOPPER |
2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens
@online{stevens:20210321:finding:92a9a4d,
author = {Didier Stevens},
title = {{Finding Metasploit & Cobalt Strike URLs}},
date = {2021-03-21},
organization = {YouTube (dist67)},
url = {https://www.youtube.com/watch?v=WW0_TgWT2gs},
language = {English},
urldate = {2021-03-25}
}
Finding Metasploit & Cobalt Strike URLs
Cobalt Strike |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund
@techreport{certbund:20210319:microsoft:beb2409,
author = {CERT-Bund},
title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}},
date = {2021-03-19},
institution = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf},
language = {English},
urldate = {2021-03-22}
}
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz |
2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross
@online{gross:20210318:cobalt:5392fb0,
author = {Ben Gross},
title = {{Cobalt Strike – Post-Exploitation Attackers Toolkit}},
date = {2021-03-18},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/},
language = {English},
urldate = {2021-06-22}
}
Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike |
2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
@techreport{prodaft:20210318:silverfish:f203208,
author = {PRODAFT},
title = {{SilverFish GroupThreat Actor Report}},
date = {2021-03-18},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf},
language = {English},
urldate = {2021-04-06}
}
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic |
2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210317:chinalinked:65b251b,
author = {Insikt Group®},
title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}},
date = {2021-03-17},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/china-linked-ta428-threat-group},
language = {English},
urldate = {2021-03-19}
}
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy |
2021-03-16 ⋅ McAfee ⋅ McAfee ATR
@techreport{atr:20210316:technical:8c4909a,
author = {McAfee ATR},
title = {{Technical Analysis of Operation Diànxùn}},
date = {2021-03-16},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf},
language = {English},
urldate = {2021-03-22}
}
Technical Analysis of Operation Diànxùn
Cobalt Strike |
2021-03-16 ⋅ Elastic ⋅ Joe Desimone
@online{desimone:20210316:detecting:4091130,
author = {Joe Desimone},
title = {{Detecting Cobalt Strike with memory signatures}},
date = {2021-03-16},
organization = {Elastic},
url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures},
language = {English},
urldate = {2021-03-22}
}
Detecting Cobalt Strike with memory signatures
Cobalt Strike |
2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon
@online{deacon:20210315:hafnium:02beddd,
author = {Joshua Deacon},
title = {{HAFNIUM, China Chopper and ASP.NET Runtime}},
date = {2021-03-15},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/},
language = {English},
urldate = {2021-03-22}
}
HAFNIUM, China Chopper and ASP.NET Runtime
CHINACHOPPER |
2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20210311:microsoft:c51c694,
author = {Unit 42},
title = {{Microsoft Exchange Server Attack Timeline}},
date = {2021-03-11},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/},
language = {English},
urldate = {2021-03-12}
}
Microsoft Exchange Server Attack Timeline
CHINACHOPPER |
2021-03-11 ⋅ DEVO ⋅ Fran Gomez
@online{gomez:20210311:detection:e16ec1f,
author = {Fran Gomez},
title = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}},
date = {2021-03-11},
organization = {DEVO},
url = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/},
language = {English},
urldate = {2021-03-12}
}
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz |
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell
@online{campbell:20210311:you:7bd2342,
author = {Josh Campbell},
title = {{You Don't Know the HAFNIUM of it...}},
date = {2021-03-11},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
language = {English},
urldate = {2021-03-16}
}
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat |
2021-03-11 ⋅ Qurium ⋅ Qurium
@online{qurium:20210311:myanmar:7bfc8ce,
author = {Qurium},
title = {{Myanmar – Multi-stage malware attack targets elected lawmakers}},
date = {2021-03-11},
organization = {Qurium},
url = {https://www.qurium.org/alerts/targeted-malware-against-crph/},
language = {English},
urldate = {2021-06-21}
}
Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike |
2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f,
author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare},
title = {{Exchange servers under siege from at least 10 APT groups}},
date = {2021-03-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
language = {English},
urldate = {2021-03-11}
}
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti ToddyCat |
2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon
@online{lemon:20210310:microsoft:47b2c67,
author = {Josh Lemon},
title = {{Microsoft Exchange & the HAFNIUM Threat Actor}},
date = {2021-03-10},
organization = {Lemon's InfoSec Ramblings},
url = {https://blog.joshlemon.com.au/hafnium-exchange-attacks/},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange & the HAFNIUM Threat Actor
CHINACHOPPER |
2021-03-10 ⋅ DomainTools ⋅ Joe Slowik
@online{slowik:20210310:examining:e3eee78,
author = {Joe Slowik},
title = {{Examining Exchange Exploitation and its Lessons for Defenders}},
date = {2021-03-10},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders},
language = {English},
urldate = {2021-03-12}
}
Examining Exchange Exploitation and its Lessons for Defenders
CHINACHOPPER |
2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan
@online{zarslan:20210310:tactics:702eb34,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers}},
date = {2021-03-10},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers},
language = {English},
urldate = {2021-03-16}
}
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers
CHINACHOPPER |
2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
@online{schwarz:20210310:nimzaloader:f6960d4,
author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team},
title = {{NimzaLoader: TA800’s New Initial Access Malware}},
date = {2021-03-10},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware},
language = {English},
urldate = {2021-03-12}
}
NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike |
2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20210309:remediation:4973903,
author = {Unit 42},
title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}},
date = {2021-03-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/},
language = {English},
urldate = {2021-03-11}
}
Remediation Steps for the Microsoft Exchange Server Vulnerabilities
CHINACHOPPER |
2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber
@online{weems:20210309:reproducing:6c6302c,
author = {Anthony Weems and Dallas Kaman and Michael Weber},
title = {{Reproducing the Microsoft Exchange Proxylogon Exploit Chain}},
date = {2021-03-09},
organization = {PRAETORIAN},
url = {https://www.praetorian.com/blog/reproducing-proxylogon-exploit/},
language = {English},
urldate = {2021-03-11}
}
Reproducing the Microsoft Exchange Proxylogon Exploit Chain
CHINACHOPPER |
2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels
@online{lambert:20210309:microsoft:6a37334,
author = {Tony Lambert and Brian Donohue and Katie Nickels},
title = {{Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm}},
date = {2021-03-09},
organization = {Red Canary},
url = {https://redcanary.com/blog/microsoft-exchange-attacks},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
CHINACHOPPER |
2021-03-09 ⋅ splunk ⋅ Security Research Team
@online{team:20210309:cloud:4deeb78,
author = {Security Research Team},
title = {{Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021}},
date = {2021-03-09},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html},
language = {English},
urldate = {2021-03-11}
}
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike |
2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond
@online{hammond:20210309:hafnium:dc2de8d,
author = {John Hammond},
title = {{HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange}},
date = {2021-03-09},
organization = {YouTube (John Hammond)},
url = {https://www.youtube.com/watch?v=rn-6t7OygGk},
language = {English},
urldate = {2021-03-12}
}
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
CHINACHOPPER |
2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210308:bazar:ba050d7,
author = {The DFIR Report},
title = {{Bazar Drops the Anchor}},
date = {2021-03-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/},
language = {English},
urldate = {2021-03-10}
}
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike |
2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Katie Nickels, Adam Pennington, Jen Burns
@online{nickels:20210308:star:083eb29,
author = {Katie Nickels and Adam Pennington and Jen Burns},
title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}},
date = {2021-03-08},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU},
language = {English},
urldate = {2021-03-11}
}
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP |
2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20210308:how:752e42e,
author = {Threat Hunter Team},
title = {{How Symantec Stops Microsoft Exchange Server Attacks}},
date = {2021-03-08},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection},
language = {English},
urldate = {2021-03-12}
}
How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz |
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White
@online{white:20210308:analyzing:9b932a3,
author = {Jeff White},
title = {{Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells}},
date = {2021-03-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/china-chopper-webshell/},
language = {English},
urldate = {2021-03-11}
}
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
CHINACHOPPER |
2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens
@online{stevens:20210307:pcaps:980212d,
author = {Didier Stevens},
title = {{PCAPs and Beacons}},
date = {2021-03-07},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/27176},
language = {English},
urldate = {2021-03-11}
}
PCAPs and Beacons
Cobalt Strike |
2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund
@online{grnlund:20210307:tracking:2d920fd,
author = {Rasmus Grönlund},
title = {{Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM}},
date = {2021-03-07},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/},
language = {English},
urldate = {2021-03-12}
}
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
CHINACHOPPER |
2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs
@techreport{labs:20210305:operation:1248e05,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-05},
institution = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder
CHINACHOPPER |
2021-03-05 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20210305:chinese:119ea98,
author = {Andy Greenberg},
title = {{Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims}},
date = {2021-03-05},
organization = {Wired},
url = {https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/},
language = {English},
urldate = {2021-03-06}
}
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
CHINACHOPPER |
2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace
@online{bromiley:20210304:detection:3b8c16f,
author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace},
title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}},
date = {2021-03-04},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html},
language = {English},
urldate = {2021-03-10}
}
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
CHINACHOPPER HAFNIUM |
2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs
@online{labs:20210304:operation:1187712,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-04},
organization = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder
CHINACHOPPER |
2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team
@online{team:20210304:falcon:6170749,
author = {The Falcon Complete Team},
title = {{Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits}},
date = {2021-03-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits},
language = {English},
urldate = {2021-03-10}
}
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits
CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ John Hammond
@online{hammond:20210303:rapid:7c97ee5,
author = {John Hammond},
title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers},
language = {English},
urldate = {2021-03-10}
}
Rapid Response: Mass Exploitation of On-Prem Exchange Servers
CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs
@online{labs:20210303:mass:a0ef74d,
author = {Huntress Labs},
title = {{Mass exploitation of on-prem Exchange servers :(}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers},
language = {English},
urldate = {2021-03-10}
}
Mass exploitation of on-prem Exchange servers :(
CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
@online{research:20210302:exchange:4473faa,
author = {ESET Research},
title = {{Tweet on Exchange RCE}},
date = {2021-03-02},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1366862946488451088},
language = {English},
urldate = {2021-03-10}
}
Tweet on Exchange RCE
CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security
@online{mstic:20210302:hafnium:c7d8588,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security},
title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}},
date = {2021-03-02},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers},
language = {English},
urldate = {2021-03-07}
}
HAFNIUM targeting Exchange Servers with 0-day exploits
CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{grunzweig:20210302:operation:44c264f,
author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}},
date = {2021-03-02},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/},
language = {English},
urldate = {2021-03-07}
}
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian
@online{christian:20210302:rapid7s:b676aa4,
author = {Andrew Christian},
title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}},
date = {2021-03-02},
organization = {Rapid7 Labs},
url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day},
language = {English},
urldate = {2021-03-10}
}
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
CHINACHOPPER HAFNIUM |
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08,
author = {Joshua Platt and Jason Reaves},
title = {{Nimar Loader}},
date = {2021-03-01},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e},
language = {English},
urldate = {2021-03-04}
}
Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike |
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
@online{platt:20210301:investigation:a7851d5,
author = {Joshua Platt and Jason Reaves},
title = {{Investigation into the state of Nim malware}},
date = {2021-03-01},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811},
language = {English},
urldate = {2021-03-04}
}
Investigation into the state of Nim malware
BazarNimrod Cobalt Strike |