aka: TEMP.Periscope, TEMP.Jumper, APT 40, APT40, BRONZE MOHAWK, GADOLINIUM, Kryptonite Panda
Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.
2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba,
author = {PT ESC Threat Intelligence},
title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}},
date = {2020-06-04},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/},
language = {English},
urldate = {2020-06-05}
}
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT |
2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal
@online{kristal:20200511:anatomy:4ece947,
author = {Gal Kristal},
title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}},
date = {2020-05-11},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/},
language = {English},
urldate = {2020-05-13}
}
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike |
2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20200424:ursnif:e983798,
author = {The DFIR Report},
title = {{Ursnif via LOLbins}},
date = {2020-04-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/},
language = {English},
urldate = {2020-05-15}
}
Ursnif via LOLbins
Cobalt Strike LOLSnif |
2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer
@online{heinemeyer:20200402:catching:b7f137d,
author = {Max Heinemeyer},
title = {{Catching APT41 exploiting a zero-day vulnerability}},
date = {2020-04-02},
organization = {Darktrace},
url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/},
language = {English},
urldate = {2020-04-13}
}
Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight
@online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-03-25 ⋅ Wilbur Security ⋅ JW
@online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller
@online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike |
2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch
@online{klopsch:20200322:mustang:56f3768,
author = {Andreas Klopsch},
title = {{Mustang Panda joins the COVID-19 bandwagon}},
date = {2020-03-22},
organization = {Malware and Stuff},
url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/},
language = {English},
urldate = {2020-03-27}
}
Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike |
2020-03-15 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka
@online{amawaka:20200315:dad:5cad035,
author = {Asuna Amawaka},
title = {{Dad! There’s A Rat In Here!}},
date = {2020-03-15},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a},
language = {English},
urldate = {2020-04-16}
}
Dad! There’s A Rat In Here!
DADSTACHE |
2020-03-10 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka
@online{amawaka:20200310:apt40:2199052,
author = {Asuna Amawaka},
title = {{APT40 goes from Template Injections to OLE-Linkings for payload delivery}},
date = {2020-03-10},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97},
language = {English},
urldate = {2020-04-16}
}
APT40 goes from Template Injections to OLE-Linkings for payload delivery
DADSTACHE |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-03-04}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20200304:cobalt:176b61e,
author = {Raphael Mudge},
title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}},
date = {2020-03-04},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/},
language = {English},
urldate = {2020-03-04}
}
Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-19 ⋅ FireEye ⋅ FireEye
@online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
@online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-02-07 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
@online{larinier:20200207:40:9415c5c,
author = {Sébastien Larinier},
title = {{APT 40 in Malaysia}},
date = {2020-02-07},
organization = {Medium Sebdraven},
url = {https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9},
language = {English},
urldate = {2020-02-09}
}
APT 40 in Malaysia
DADJOKE |
2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
@online{naosec:20200129:overhead:ec0aeb5,
author = {nao_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020-01-15 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20200115:hainan:093f6f2,
author = {Intrusiontruth},
title = {{Hainan Xiandun Technology Company is APT40}},
date = {2020-01-15},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40},
language = {English},
urldate = {2020-04-16}
}
Hainan Xiandun Technology Company is APT40
Leviathan |
2020-01-14 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20200114:who:a06a6c3,
author = {Intrusiontruth},
title = {{Who is Mr Ding?}},
date = {2020-01-14},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding},
language = {English},
urldate = {2020-04-16}
}
Who is Mr Ding?
Leviathan |
2020-01-13 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20200113:who:e54190c,
author = {Intrusiontruth},
title = {{Who else works for this cover company network?}},
date = {2020-01-13},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network},
language = {English},
urldate = {2020-04-16}
}
Who else works for this cover company network?
Leviathan |
2020-01-13 ⋅ Lab52 ⋅ Jagaimo Kawaii
@online{kawaii:20200113:apt27:4c2f818,
author = {Jagaimo Kawaii},
title = {{APT27 ZxShell RootKit module updates}},
date = {2020-01-13},
organization = {Lab52},
url = {https://lab52.io/blog/apt27-rootkit-updates/},
language = {English},
urldate = {2020-01-13}
}
APT27 ZxShell RootKit module updates
ZXShell |
2020-01-10 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20200110:who:32afb65,
author = {Intrusiontruth},
title = {{Who is Mr Gu?}},
date = {2020-01-10},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu},
language = {English},
urldate = {2020-04-16}
}
Who is Mr Gu?
Leviathan |
2020-01-09 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20200109:what:bc9bc31,
author = {Intrusiontruth},
title = {{What is the Hainan Xiandun Technology Development Company?}},
date = {2020-01-09},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company},
language = {English},
urldate = {2020-04-16}
}
What is the Hainan Xiandun Technology Development Company?
Leviathan |
2020-01-03 ⋅ Youtube (BSides Belfast) ⋅ Brian Bartholomew
@online{bartholomew:20200103:nice:ddc5c57,
author = {Brian Bartholomew},
title = {{Nice One, Dad: Dissecting A Rare Malware Used By Leviathan}},
date = {2020-01-03},
organization = {Youtube (BSides Belfast)},
url = {https://www.youtube.com/watch?v=vx9IB88wXSE},
language = {English},
urldate = {2020-01-13}
}
Nice One, Dad: Dissecting A Rare Malware Used By Leviathan
DADJOKE |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:dcdc02a,
author = {SecureWorks},
title = {{BRONZE FLEETWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood},
language = {English},
urldate = {2020-05-23}
}
BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:41a0bc0,
author = {SecureWorks},
title = {{BRONZE EDISON}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-edison},
language = {English},
urldate = {2020-05-23}
}
BRONZE EDISON
Ghost RAT sykipot Samurai Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:97e5784,
author = {SecureWorks},
title = {{GOLD NIAGARA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-niagara},
language = {English},
urldate = {2020-05-23}
}
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:dc58892,
author = {SecureWorks},
title = {{BRONZE GLOBE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-globe},
language = {English},
urldate = {2020-05-23}
}
BRONZE GLOBE
EtumBot Ghost RAT IXESHE |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:8050e44,
author = {SecureWorks},
title = {{GOLD DUPONT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-dupont},
language = {English},
urldate = {2020-05-23}
}
GOLD DUPONT
Cobalt Strike Defray PyXie |
2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c,
author = {Jen Miller-Osborn and Mike Harbison},
title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}},
date = {2019-12-17},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/},
language = {English},
urldate = {2020-01-08}
}
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2020-01-07}
}
GALLIUM: Targeting global telecom
Ghost RAT HTran |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird
@techreport{blackorbird:20191205:apt32:0afe4e7,
author = {blackorbird},
title = {{APT32 Report}},
date = {2019-12-05},
institution = {Github (blackorbird)},
url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf},
language = {Japanese},
urldate = {2020-01-10}
}
APT32 Report
Cobalt Strike |
2019-12-05 ⋅ Raphael Mudge
@online{mudge:20191205:cobalt:219044e,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}},
date = {2019-12-05},
url = {https://blog.cobaltstrike.com/},
language = {English},
urldate = {2019-12-06}
}
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike |
2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen
@techreport{thomasen:20191129:cyber:1aae987,
author = {Thomas Thomasen},
title = {{Cyber Threat Intelligence & Incident Response}},
date = {2019-11-29},
institution = {Deloitte},
url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf},
language = {English},
urldate = {2020-03-04}
}
Cyber Threat Intelligence & Incident Response
Cobalt Strike |
2019-11-28 ⋅ Twitter (@cyb3rops) ⋅ Florian Roth
@online{roth:20191128:signature:1d30657,
author = {Florian Roth},
title = {{Tweet on Signature Writing for DADJOKE}},
date = {2019-11-28},
organization = {Twitter (@cyb3rops)},
url = {https://twitter.com/cyb3rops/status/1199978327697694720},
language = {English},
urldate = {2020-01-09}
}
Tweet on Signature Writing for DADJOKE
DADSTACHE |
2019-11-05 ⋅ Brian Bartholomew
@online{bartholomew:20191105:dadjoke:81e2a63,
author = {Brian Bartholomew},
title = {{DADJOKE}},
date = {2019-11-05},
url = {https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/},
language = {English},
urldate = {2020-01-07}
}
DADJOKE
DADJOKE |
2019-11-05 ⋅ tccontre Blog ⋅ tccontre
@online{tccontre:20191105:cobaltstrike:02e37af,
author = {tccontre},
title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}},
date = {2019-11-05},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html},
language = {English},
urldate = {2019-12-17}
}
CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike |
2019-11-04 ⋅ Tencent ⋅ Tencent Security Mikan TIC
@online{tic:20191104:attack:33a29db,
author = {Tencent Security Mikan TIC},
title = {{APT attack group "Higaisa" attack activity disclosed}},
date = {2019-11-04},
organization = {Tencent},
url = {https://s.tencent.com/research/report/836.html},
language = {Chinese},
urldate = {2020-05-13}
}
APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa |
2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
@online{research:20190922:rancor:e834f67,
author = {Check Point Research},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike |
2019-09-19 ⋅ MeltX0R
@online{meltx0r:20190919:emissary:361f1fd,
author = {MeltX0R},
title = {{Emissary Panda APT: Recent infrastructure and RAT analysis}},
date = {2019-09-19},
url = {https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html},
language = {English},
urldate = {2020-01-09}
}
Emissary Panda APT: Recent infrastructure and RAT analysis
ZXShell |
2019-09-17 ⋅ Talos ⋅ Christopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9,
author = {Christopher Evans and David Liebenberg},
title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}},
date = {2019-09-17},
organization = {Talos},
url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html},
language = {English},
urldate = {2019-10-31}
}
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT |
2019-09-02 ⋅ Volexity ⋅ Andrew Case, Matthew Meltzer, Steven Adair
@online{case:20190902:digital:0f6cd23,
author = {Andrew Case and Matthew Meltzer and Steven Adair},
title = {{Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs}},
date = {2019-09-02},
organization = {Volexity},
url = {https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/},
language = {English},
urldate = {2019-12-06}
}
Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs
scanbox POISON CARP |
2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer
@online{rascagnres:20190827:china:2d2bbb8,
author = {Paul Rascagnères and Vanja Svajcer},
title = {{China Chopper still active 9 years later}},
date = {2019-08-27},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html},
language = {English},
urldate = {2019-10-14}
}
China Chopper still active 9 years later
CHINACHOPPER |
2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0,
author = {Alex Pennino and Matt Bromiley},
title = {{GAME OVER: Detecting and Stopping an APT41 Operation}},
date = {2019-08-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html},
language = {English},
urldate = {2020-01-06}
}
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON |
2019-08-13 ⋅ 奇安信威胁情报中心
@online{:20190813::eae3d10,
author = {奇安信威胁情报中心},
title = {{洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露}},
date = {2019-08-13},
url = {https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts},
language = {Chinese},
urldate = {2020-01-13}
}
洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露
DADJOKE |
2019-07-26 ⋅ Twitter (@a_tweeter_user) ⋅ a_tweeter_user
@online{atweeteruser:20190726:malware:dce6863,
author = {a_tweeter_user},
title = {{Tweet on Malware}},
date = {2019-07-26},
organization = {Twitter (@a_tweeter_user)},
url = {https://twitter.com/a_tweeter_user/status/1154764787823316993},
language = {English},
urldate = {2020-01-08}
}
Tweet on Malware
DADJOKE |
2019-07-24 ⋅ Intrusiontruth ⋅ Intrusiontruth
@online{intrusiontruth:20190724:apt17:6b9a666,
author = {Intrusiontruth},
title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}},
date = {2019-07-24},
organization = {Intrusiontruth},
url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/},
language = {English},
urldate = {2020-04-21}
}
APT17 is run by the Jinan bureau of the Chinese Ministry of State Security
BLACKCOFFEE |
2019-06-04 ⋅ Bitdefender ⋅ Bitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c,
author = {Bitdefender},
title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}},
date = {2019-06-04},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf},
language = {English},
urldate = {2019-12-18}
}
An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike |
2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster
@online{falcone:20190528:emissary:dc0f942,
author = {Robert Falcone and Tom Lancaster},
title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}},
date = {2019-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/},
language = {English},
urldate = {2020-01-09}
}
Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER Unidentified 060 |
2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b,
author = {Verizon Communications Inc.},
title = {{2019 Data Breach Investigations Report}},
date = {2019-05-08},
institution = {Verizon Communications Inc.},
url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
language = {English},
urldate = {2020-05-10}
}
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam Unidentified 062 (Lazarus/RAT) |
2019-04-30 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
@online{tracker:20190430:40:271cc62,
author = {Cyber Operations Tracker},
title = {{APT 40}},
date = {2019-04-30},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/apt-40},
language = {English},
urldate = {2020-05-18}
}
APT 40
Leviathan |
2019-04-24 ⋅ Weixin ⋅ Tencent
@online{tencent:20190424:sea:a722d68,
author = {Tencent},
title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}},
date = {2019-04-24},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A},
language = {English},
urldate = {2020-01-13}
}
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE |
2019-04-22 ⋅ Twitter (@killamjr) ⋅ Suspicious Link
@online{link:20190422:dadstache:5444490,
author = {Suspicious Link},
title = {{Tweet on DADSTACHE payload}},
date = {2019-04-22},
organization = {Twitter (@killamjr)},
url = {https://twitter.com/killamjr/status/1204584085395517440},
language = {English},
urldate = {2020-01-06}
}
Tweet on DADSTACHE payload
DADSTACHE |
2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines
@online{lines:20190415:cobalt:7b3c086,
author = {Neil Lines},
title = {{Cobalt Strike. Walkthrough for Red Teamers}},
date = {2019-04-15},
organization = {PenTestPartners},
url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/},
language = {English},
urldate = {2019-12-17}
}
Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike |
2019-04-11 ⋅ FireEye ⋅ FireEye
@online{fireeye:20190411:mtrend:597b240,
author = {FireEye},
title = {{M-Trend 2019}},
date = {2019-04-11},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019},
language = {English},
urldate = {2020-01-10}
}
M-Trend 2019
GRILLMARK |
2019-03-27 ⋅ Twitter (@ClearskySec) ⋅ ClearSky Cyber Security
@online{security:20190327:timelines:36e1fb0,
author = {ClearSky Cyber Security},
title = {{Tweet on "Timelines - ECRL.docx"}},
date = {2019-03-27},
organization = {Twitter (@ClearskySec)},
url = {https://twitter.com/ClearskySec/status/1110941178231484417},
language = {English},
urldate = {2020-01-08}
}
Tweet on "Timelines - ECRL.docx"
DADJOKE |
2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow
@online{perlow:20190324:jeshell:439ae8b,
author = {Kevin Perlow},
title = {{JEShell: An OceanLotus (APT32) Backdoor}},
date = {2019-03-24},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/},
language = {English},
urldate = {2020-05-19}
}
JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown |
2019-03-04 ⋅ FireEye ⋅ Fred Plan, Nalani Fraser, Jacqueline O’Leary, Vincent Cannon, Ben Read
@online{plan:20190304:apt40:4f394e2,
author = {Fred Plan and Nalani Fraser and Jacqueline O’Leary and Vincent Cannon and Ben Read},
title = {{APT40: Examining a China-Nexus Espionage Actor}},
date = {2019-03-04},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html},
language = {English},
urldate = {2019-12-20}
}
APT40: Examining a China-Nexus Espionage Actor
LunchMoney Leviathan |
2019-02-27 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20190227:peek:16c9160,
author = {CTU Research Team},
title = {{A Peek into BRONZE UNION’s Toolbox}},
date = {2019-02-27},
organization = {Secureworks},
url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox},
language = {English},
urldate = {2020-01-07}
}
A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell |
2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman
@online{gorelik:20190227:new:5296a0b,
author = {Michael Gorelik and Alon Groisman},
title = {{New Global Cyber Attack on Point of Sale Sytem}},
date = {2019-02-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems},
language = {English},
urldate = {2020-01-09}
}
New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike |
2019-02-19 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez
@online{perez:20190219:apt40:f6c06bb,
author = {Dan Perez},
title = {{APT40 dropper}},
date = {2019-02-19},
organization = {Twitter (@MrDanPerez)},
url = {https://twitter.com/MrDanPerez/status/1097881406661902337},
language = {English},
urldate = {2019-10-23}
}
APT40 dropper
LunchMoney |
2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4,
author = {Ignacio Sanmillan},
title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}},
date = {2019-01-07},
organization = {Intezer},
url = {https://www.intezer.com/blog-chinaz-relations/},
language = {English},
urldate = {2019-11-27}
}
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:tool:ebc79ce,
author = {MITRE ATT&CK},
title = {{Tool description: BLACKCOFFEE}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0069/},
language = {English},
urldate = {2019-12-20}
}
Tool description: BLACKCOFFEE
BLACKCOFFEE |
2019 ⋅ CrowdStrike ⋅ CrowdStrike
@online{crowdstrike:2019:2019:4e50c97,
author = {CrowdStrike},
title = {{2019 CrowdStrike Global Threat Report}},
date = {2019},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/},
language = {English},
urldate = {2020-01-08}
}
2019 CrowdStrike Global Threat Report
Boss Spider Flash Kitten Guru Spider Judgment Panda Leviathan Lunar Spider Nomad Panda Pinchy Spider Ratpak Spider Salty Spider Skeleton Spider Tiny Spider |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:tool:5022816,
author = {MITRE ATT&CK},
title = {{Tool description: NanHaiShu}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0228/},
language = {English},
urldate = {2019-12-20}
}
Tool description: NanHaiShu
NanHaiShu |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:tool:fd89dda,
author = {MITRE ATT&CK},
title = {{Tool description: China Chopper}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0020/},
language = {English},
urldate = {2019-12-20}
}
Tool description: China Chopper
CHINACHOPPER |
2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan
@techreport{gu:2019:vine:df5dbfb,
author = {Lion Gu and Bowen Pan},
title = {{A vine climbing over the Great Firewall: A long-term attack against China}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf},
language = {English},
urldate = {2020-01-08}
}
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:leviathan:249223a,
author = {MITRE ATT&CK},
title = {{Group description: Leviathan}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0065/},
language = {English},
urldate = {2019-12-20}
}
Group description: Leviathan
Leviathan |
2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291,
author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr},
title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}},
date = {2018-11-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html},
language = {English},
urldate = {2019-12-20}
}
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe
@online{joe:20181118:cozybear:4801301,
author = {Joe},
title = {{CozyBear – In from the Cold?}},
date = {2018-11-18},
organization = {Stranded on Pylos Blog},
url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
language = {English},
urldate = {2020-01-09}
}
CozyBear – In from the Cold?
Cobalt Strike APT 29 |
2018-11-13 ⋅ Recorded Future ⋅ Insikt Group
@online{group:20181113:chinese:6141b55,
author = {Insikt Group},
title = {{Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques}},
date = {2018-11-13},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/},
language = {English},
urldate = {2020-01-13}
}
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
SeDll Leviathan |
2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888,
author = {Regina Elwell and Katie Nickels},
title = {{ATT&CKing FIN7}},
date = {2018-10-01},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
language = {English},
urldate = {2020-04-15}
}
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN SocksBot |
2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles
@online{rolles:20180919:hexrays:1afcc0c,
author = {Rolf Rolles},
title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}},
date = {2018-09-19},
organization = {Möbius Strip Reverse Engineering},
url = {http://www.hexblog.com/?p=1248},
language = {English},
urldate = {2019-10-28}
}
Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT |
2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0,
author = {Takuya Endo and Yukako Uchida},
title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}},
date = {2018-08-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html},
language = {English},
urldate = {2019-07-11}
}
Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike |
2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9,
author = {JPCERT/CC},
title = {{Scanner for CobaltStrike}},
date = {2018-07-31},
organization = {Github (JPCERTCC)},
url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py},
language = {English},
urldate = {2020-01-13}
}
Scanner for CobaltStrike
Cobalt Strike |
2018-07-11 ⋅ FireEye ⋅ Scott Henderson, Steve Miller, Dan Perez, Marcin Siedlarz, Ben Wilson, Ben Read
@online{henderson:20180711:chinese:f0f3cbc,
author = {Scott Henderson and Steve Miller and Dan Perez and Marcin Siedlarz and Ben Wilson and Ben Read},
title = {{Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally}},
date = {2018-07-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html},
language = {English},
urldate = {2019-12-20}
}
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
AIRBREAK Leviathan |
2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5,
author = {Yoshihiro Ishikawa},
title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}},
date = {2018-05-21},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html},
language = {Japanese},
urldate = {2019-10-27}
}
Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike |
2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713,
author = {Nikolaos Pantazopoulos},
title = {{Decoding network data from a Gh0st RAT variant}},
date = {2018-04-17},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/},
language = {English},
urldate = {2019-11-27}
}
Decoding network data from a Gh0st RAT variant
Ghost RAT LuckyMouse |
2018-03-30 ⋅ Kahu Security ⋅ Kahu Security
@online{security:20180330:reflow:7e1ee15,
author = {Kahu Security},
title = {{Reflow JavaScript Backdoor}},
date = {2018-03-30},
organization = {Kahu Security},
url = {http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html},
language = {English},
urldate = {2020-01-07}
}
Reflow JavaScript Backdoor
AIRBREAK |
2018-03-30 ⋅ AmosSys ⋅ Florent Saudel
@online{saudel:20180330:badflick:c531d01,
author = {Florent Saudel},
title = {{BADFLICK is not so bad!}},
date = {2018-03-30},
organization = {AmosSys},
url = {https://blog.amossys.fr/badflick-is-not-so-bad.html},
language = {English},
urldate = {2020-01-08}
}
BADFLICK is not so bad!
badflick |
2018-03-16 ⋅ FireEye ⋅ FireEye
@online{fireeye:20180316:suspected:2a77316,
author = {FireEye},
title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}},
date = {2018-03-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html},
language = {English},
urldate = {2019-12-20}
}
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan |
2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team
@online{team:20180201:operation:e76f179,
author = {Bitdefender Team},
title = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}},
date = {2018-02-01},
organization = {Bitdefender},
url = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/},
language = {English},
urldate = {2020-05-18}
}
Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT Emissary Panda |
2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20180104:malspam:ce2dfac,
author = {Brad Duncan},
title = {{MALSPAM PUSHING PCRAT/GH0ST}},
date = {2018-01-04},
organization = {Malware Traffic Analysis},
url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html},
language = {English},
urldate = {2019-12-24}
}
MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT |
2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy
@online{kozy:20171220:end:218a388,
author = {Adam Kozy},
title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}},
date = {2017-12-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/},
language = {English},
urldate = {2020-05-11}
}
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
@techreport{huss:20171219:north:b2da03e,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug}},
date = {2017-12-19},
institution = {Proofpoint},
url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf},
language = {English},
urldate = {2019-10-18}
}
North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
@online{huss:20171219:north:e5ef6da,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}},
date = {2017-12-19},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new},
language = {English},
urldate = {2019-12-20}
}
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT |
2017-10-16 ⋅ Proofpoint ⋅ Axel F, Pierre T
@online{f:20171016:leviathan:a898346,
author = {Axel F and Pierre T},
title = {{Leviathan: Espionage actor spearphishes maritime and defense targets}},
date = {2017-10-16},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets},
language = {English},
urldate = {2019-12-20}
}
Leviathan: Espionage actor spearphishes maritime and defense targets
NanHaiShu SeDll Leviathan |
2017-06-06 ⋅ FireEye ⋅ Ian Ahl
@online{ahl:20170606:privileges:9598d5f,
author = {Ian Ahl},
title = {{Privileges and Credentials: Phished at the Request of Counsel}},
date = {2017-06-06},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html},
language = {English},
urldate = {2019-12-20}
}
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike |
2017-02-25 ⋅ Financial Security Institute ⋅ Kyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12,
author = {Kyoung-Ju Kwak (郭炅周)},
title = {{Silent RIFLE: Response Against Advanced Threat}},
date = {2017-02-25},
institution = {Financial Security Institute},
url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf},
language = {English},
urldate = {2020-03-04}
}
Silent RIFLE: Response Against Advanced Threat
Ghost RAT |
2016-10-28 ⋅ Github (smb01) ⋅ smb01
@online{smb01:20161028:zxshell:e4d3a5e,
author = {smb01},
title = {{zxshell repository}},
date = {2016-10-28},
organization = {Github (smb01)},
url = {https://github.com/smb01/zxshell},
language = {English},
urldate = {2020-01-07}
}
zxshell repository
ZXShell |
2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20161011:odinaff:36b35db,
author = {Symantec Security Response},
title = {{Odinaff: New Trojan used in high level financial attacks}},
date = {2016-10-11},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
language = {English},
urldate = {2019-12-05}
}
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff Anunak |
2016-08-05 ⋅ F-Secure ⋅ F-Secure Labs
@techreport{labs:20160805:nanhaishu:cee830d,
author = {F-Secure Labs},
title = {{NANHAISHU: RATing the South China Sea}},
date = {2016-08-05},
institution = {F-Secure},
url = {https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf},
language = {English},
urldate = {2020-01-13}
}
NANHAISHU: RATing the South China Sea
NanHaiShu |
2016-04-22 ⋅ Cylance ⋅ Isaac Palmer
@online{palmer:20160422:ghost:dda6514,
author = {Isaac Palmer},
title = {{The Ghost Dragon}},
date = {2016-04-22},
organization = {Cylance},
url = {https://blog.cylance.com/the-ghost-dragon},
language = {English},
urldate = {2020-01-08}
}
The Ghost Dragon
Ghost RAT |
2016-03-02 ⋅ RSA Conference ⋅ Vanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3,
author = {Vanja Svajcer},
title = {{Dissecting Derusbi}},
date = {2016-03-02},
institution = {RSA Conference},
url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf},
language = {English},
urldate = {2020-02-27}
}
Dissecting Derusbi
Derusbi |
2015-12-15 ⋅ Airbus Defence & Space ⋅ Fabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c,
author = {Fabien Perigaud},
title = {{Newcomers in the Derusbi family}},
date = {2015-12-15},
organization = {Airbus Defence & Space},
url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family},
language = {English},
urldate = {2020-02-27}
}
Newcomers in the Derusbi family
Derusbi |
2015-10-08 ⋅ Virus Bulletin ⋅ Micky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d,
author = {Micky Pun and Eric Leung and Neo Tan},
title = {{Catching the silent whisper: Understanding the Derusbi family tree}},
date = {2015-10-08},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf},
language = {English},
urldate = {2020-02-27}
}
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi |
2015-06-24 ⋅ Spiceworks ⋅ Chris Miller
@online{miller:20150624:stealthy:9bceed3,
author = {Chris Miller},
title = {{Stealthy Cyberespionage Campaign Attacks With Social Engineering}},
date = {2015-06-24},
organization = {Spiceworks},
url = {https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering},
language = {English},
urldate = {2019-12-10}
}
Stealthy Cyberespionage Campaign Attacks With Social Engineering
NanHaiShu |
2015-05-18 ⋅ Tetsuji Tanigawa
@online{tanigawa:20150518:tt:4cb29ea,
author = {Tetsuji Tanigawa},
title = {{TT Malware Log}},
date = {2015-05-18},
url = {http://malware-log.hatenablog.com/entry/2015/05/18/000000_1},
language = {Japanese},
urldate = {2020-01-08}
}
TT Malware Log
BLACKCOFFEE |
2015-05 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:201505:hiding:8695fc2,
author = {FireEye},
title = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}},
date = {2015-05},
institution = {FireEye},
url = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf},
language = {English},
urldate = {2019-12-19}
}
HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC
BLACKCOFFEE |
2015-02-27 ⋅ InfoSec Institute ⋅ Ryan Mazerik
@online{mazerik:20150227:scanbox:867abf2,
author = {Ryan Mazerik},
title = {{ScanBox Framework}},
date = {2015-02-27},
organization = {InfoSec Institute},
url = {http://resources.infosecinstitute.com/scanbox-framework/},
language = {English},
urldate = {2020-01-13}
}
ScanBox Framework
scanbox |
2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20150227:anthem:3576532,
author = {ThreatConnect Research Team},
title = {{The Anthem Hack: All Roads Lead to China}},
date = {2015-02-27},
organization = {ThreatConnect},
url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/},
language = {English},
urldate = {2020-01-09}
}
The Anthem Hack: All Roads Lead to China
Derusbi |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2014-11 ⋅ Novetta ⋅ Novetta
@techreport{novetta:201411:zoxpng:91e81c6,
author = {Novetta},
title = {{ZoxPNG Analysis}},
date = {2014-11},
institution = {Novetta},
url = {http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf},
language = {English},
urldate = {2020-05-07}
}
ZoxPNG Analysis
BLACKCOFFEE |
2014-10-28 ⋅ Cisco ⋅ Andrea Allievi, Douglas Goddard, Shaun Hurley, Alain Zidouemba
@online{allievi:20141028:threat:a302fbd,
author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba},
title = {{Threat Spotlight: Group 72, Opening the ZxShell}},
date = {2014-10-28},
organization = {Cisco},
url = {https://blogs.cisco.com/security/talos/opening-zxshell},
language = {English},
urldate = {2019-10-15}
}
Threat Spotlight: Group 72, Opening the ZxShell
ZXShell |
2014-10-28 ⋅ Novetta ⋅ Novetta
@techreport{novetta:20141028:derusbi:aae275a,
author = {Novetta},
title = {{Derusbi (Server Variant) Analysis}},
date = {2014-10-28},
institution = {Novetta},
url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf},
language = {English},
urldate = {2020-01-06}
}
Derusbi (Server Variant) Analysis
Derusbi |
2014-08-28 ⋅ AT&T ⋅ Jaime Blasco
@online{blasco:20140828:scanbox:a0cc92a,
author = {Jaime Blasco},
title = {{Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks}},
date = {2014-08-28},
organization = {AT&T},
url = {https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks},
language = {English},
urldate = {2019-12-06}
}
Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
scanbox |
2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik
@online{ahl:20130807:breaking:aff06e9,
author = {Ian Ahl and Tony Lee and Dennis Hanzlik},
title = {{Breaking Down the China Chopper Web Shell - Part I}},
date = {2013-08-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html},
language = {English},
urldate = {2019-12-20}
}
Breaking Down the China Chopper Web Shell - Part I
CHINACHOPPER |
2012 ⋅ Norman ASA ⋅ Snorre Fagerland
@techreport{fagerland:2012:many:c938856,
author = {Snorre Fagerland},
title = {{The many faces of Gh0st Rat}},
date = {2012},
institution = {Norman ASA},
url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf},
language = {English},
urldate = {2019-12-20}
}
The many faces of Gh0st Rat
Ghost RAT |
2012 ⋅ Cobalt Strike ⋅ Cobalt Strike
@online{strike:2012:cobalt:8522cdd,
author = {Cobalt Strike},
title = {{Cobalt Strike Website}},
date = {2012},
organization = {Cobalt Strike},
url = {https://www.cobaltstrike.com/support},
language = {English},
urldate = {2020-01-13}
}
Cobalt Strike Website
Cobalt Strike |
2011-06-29 ⋅ Symantec ⋅ John McDonald
@online{mcdonald:20110629:inside:b955948,
author = {John McDonald},
title = {{Inside a Back Door Attack}},
date = {2011-06-29},
organization = {Symantec},
url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack},
language = {English},
urldate = {2020-04-21}
}
Inside a Back Door Attack
Ghost RAT Dust Storm |
2009-03-28 ⋅ Information Warfare Monitor ⋅ Information Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13,
author = {Information Warfare Monitor},
title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}},
date = {2009-03-28},
institution = {Information Warfare Monitor},
url = {http://www.nartv.org/mirror/ghostnet.pdf},
language = {English},
urldate = {2020-04-23}
}
Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet |