aka: Chinastrats, Patchwork, Monsoon, Sarit, Dropping Elephant, APT-C-09, ZINC EMERSON, ATK11, G0040, Orange Athos, Thirsty Gemini
Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high-profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally compromised through spear-phishing or watering-hole attacks.
2023-09-08 ⋅ Gi7w0rm @online{gi7w0rm:20230908:uncovering:e0089d9,
author = {Gi7w0rm},
title = {{Uncovering DDGroup — A long-time threat actor}},
date = {2023-09-08},
url = {https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4},
language = {English},
urldate = {2023-09-08}
}
Uncovering DDGroup — A long-time threat actor AsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm |
2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20230711:spamhaus:4e2885e,
author = {{Spamhaus Malware Labs}},
title = {{Spamhaus Botnet Threat Update Q2 2023}},
date = {2023-07-11},
institution = {Spamhaus},
url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf},
language = {English},
urldate = {2023-07-22}
}
Spamhaus Botnet Threat Update Q2 2023 Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee |
2023-06-08 ⋅ Twitter (@embee_research) ⋅ Embee_research @online{embeeresearch:20230608:practical:61d0677,
author = {Embee\_research},
title = {{Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries}},
date = {2023-06-08},
organization = {Twitter (@embee\_research)},
url = {https://embee-research.ghost.io/shodan-censys-queries/},
language = {English},
urldate = {2023-06-09}
}
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker |
2023-05-15 ⋅ embeeresearch ⋅ Embee_research @online{embeeresearch:20230515:quasar:6a364a0,
author = {Embee\_research},
title = {{Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys}},
date = {2023-05-15},
organization = {embeeresearch},
url = {https://embee-research.ghost.io/hunting-quasar-rat-shodan},
language = {English},
urldate = {2023-05-16}
}
Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys Quasar RAT |
2023-04-13 ⋅ OALabs ⋅ Sergei Frankoff @online{frankoff:20230413:quasar:3ad6058,
author = {Sergei Frankoff},
title = {{Quasar Chaos: Open Source Ransomware Meets Open Source RAT}},
date = {2023-04-13},
organization = {OALabs},
url = {https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html},
language = {English},
urldate = {2023-05-02}
}
Quasar Chaos: Open Source Ransomware Meets Open Source RAT Chaos Quasar RAT |
2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal @online{agrawal:20230330:from:7b46ae0,
author = {Saharsh Agrawal},
title = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}},
date = {2023-03-30},
organization = {loginsoft},
url = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/},
language = {English},
urldate = {2023-04-14}
}
From Innocence to Malice: The OneNote Malware Campaign Uncovered Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm |
2023-02-24 ⋅ Zscaler ⋅ Niraj Shivtarkar, Avinash Kumar @online{shivtarkar:20230224:snip3:8bab444,
author = {Niraj Shivtarkar and Avinash Kumar},
title = {{Snip3 Crypter Reveals New TTPs Over Time}},
date = {2023-02-24},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time},
language = {English},
urldate = {2023-03-13}
}
Snip3 Crypter Reveals New TTPs Over Time DCRat Quasar RAT |
2022-11-23 ⋅ ESET Research ⋅ Lukáš Štefanko @online{tefanko:20221123:bahamut:7e7453f,
author = {Lukáš Štefanko},
title = {{Bahamut cybermercenary group targets Android users with fake VPN apps}},
date = {2022-11-23},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/},
language = {English},
urldate = {2022-11-25}
}
Bahamut cybermercenary group targets Android users with fake VPN apps Bahamut |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220913:new:2ff2e98,
author = {{Threat Hunter Team}},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-08-18 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20220818:cookie:74bd0f5,
author = {Sean Gallagher},
title = {{Cookie stealing: the new perimeter bypass}},
date = {2022-08-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass},
language = {English},
urldate = {2022-08-22}
}
Cookie stealing: the new perimeter bypass Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT |
2022-07-29 ⋅ Qualys ⋅ Viren Chaudhari @online{chaudhari:20220729:new:3f06f5c,
author = {Viren Chaudhari},
title = {{New Qualys Research Report: Evolution of Quasar RAT}},
date = {2022-07-29},
organization = {Qualys},
url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat},
language = {English},
urldate = {2022-08-04}
}
New Qualys Research Report: Evolution of Quasar RAT Quasar RAT |
2022-07-27 ⋅ Qualys ⋅ Viren Chaudhari @techreport{chaudhari:20220727:stealthy:9b66a95,
author = {Viren Chaudhari},
title = {{Stealthy Quasar Evolving to Lead the RAT Race}},
date = {2022-07-27},
institution = {Qualys},
url = {https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf},
language = {English},
urldate = {2022-08-04}
}
Stealthy Quasar Evolving to Lead the RAT Race Quasar RAT |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:thirsty:52ce329,
author = {{Unit 42}},
title = {{Thirsty Gemini}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/thirstygemini/},
language = {English},
urldate = {2022-07-29}
}
Thirsty Gemini BackConfig QUILTED TIGER |
2022-07-13 ⋅ Weixin ⋅ Antiy CERT @online{cert:20220713:confucius:307a7f4,
author = {{Antiy CERT}},
title = {{Confucius: The Angler Hidden Under CloudFlare}},
date = {2022-07-13},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ},
language = {English},
urldate = {2022-07-14}
}
Confucius: The Angler Hidden Under CloudFlare Quasar RAT |
2022-06-29 ⋅ cyble ⋅ Cyble Research Labs @online{labs:20220629:bahamut:2a1b786,
author = {{Cyble Research Labs}},
title = {{Bahamut Android Malware Returns With New Spying Capabilities}},
date = {2022-06-29},
organization = {cyble},
url = {https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/},
language = {English},
urldate = {2022-07-05}
}
Bahamut Android Malware Returns With New Spying Capabilities Bahamut |
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220623:bronze:8bccd74,
author = {{Counter Threat Unit Research Team}},
title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
date = {2022-06-23},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
language = {English},
urldate = {2022-09-20}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster |
2022-06-02 ⋅ FortiGuard Labs ⋅ Fred Gutierrez, Shunichi Imano, James Slaughter, Gergely Revay @online{gutierrez:20220602:threat:6713237,
author = {Fred Gutierrez and Shunichi Imano and James Slaughter and Gergely Revay},
title = {{Threat Actors Prey on Eager Travelers}},
date = {2022-06-02},
organization = {FortiGuard Labs},
url = {https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers},
language = {English},
urldate = {2022-06-15}
}
Threat Actors Prey on Eager Travelers AsyncRAT NetWire RC Quasar RAT |
2022-06-01 ⋅ Qianxin Threat Intelligence Center ⋅ Red Raindrop Team @online{team:20220601:analysis:03a76ad,
author = {{Red Raindrop Team}},
title = {{Analysis of the attack activities of the Maha grass group using the documents of relevant government agencies in Pakistan as bait}},
date = {2022-06-01},
organization = {Qianxin Threat Intelligence Center},
url = {https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait},
language = {English},
urldate = {2022-07-05}
}
Analysis of the attack activities of the Maha grass group using the documents of relevant government agencies in Pakistan as bait BadNews QUILTED TIGER |
2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220519:net:ecf311c,
author = {{The BlackBerry Research \& Intelligence Team}},
title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}},
date = {2022-05-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord},
language = {English},
urldate = {2022-06-09}
}
.NET Stubs: Sowing the Seeds of Discord (PureCrypter) Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate |
2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220519:net:64662b5,
author = {{The BlackBerry Research \& Intelligence Team}},
title = {{.NET Stubs: Sowing the Seeds of Discord}},
date = {2022-05-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?},
language = {English},
urldate = {2022-05-23}
}
.NET Stubs: Sowing the Seeds of Discord Agent Tesla Quasar RAT WhisperGate |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT |
2022-05-12 ⋅ Morphisec ⋅ Hido Cohen @online{cohen:20220512:new:6e12278,
author = {Hido Cohen},
title = {{New SYK Crypter Distributed Via Discord}},
date = {2022-05-12},
organization = {Morphisec},
url = {https://blog.morphisec.com/syk-crypter-discord},
language = {English},
urldate = {2022-06-09}
}
New SYK Crypter Distributed Via Discord AsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:46707aa,
author = {{PWC UK}},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2023-07-02}
}
Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220427:new:9068f6e,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
date = {2022-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
language = {English},
urldate = {2023-04-18}
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Trendmicro @online{trendmicro:20220427:iocs:18f7e31,
author = {Trendmicro},
title = {{IOCs for Earth Berberoka - Windows}},
date = {2022-04-27},
organization = {Trendmicro},
url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt},
language = {English},
urldate = {2022-07-25}
}
IOCs for Earth Berberoka - Windows AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Gambling Puppet}},
date = {2022-04-27},
institution = {Trendmicro},
url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-12 ⋅ 360 Threat Intelligence Center ⋅ 360 Beacon Lab @online{lab:20220412:recent:2a11b0c,
author = {{360 Beacon Lab}},
title = {{Recent attacks by Bahamut group revealed}},
date = {2022-04-12},
organization = {360 Threat Intelligence Center},
url = {https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw},
language = {Chinese},
urldate = {2022-04-15}
}
Recent attacks by Bahamut group revealed Bahamut |
2022-03-24 ⋅ Lab52 ⋅ freyit @online{freyit:20220324:another:4578bc2,
author = {freyit},
title = {{Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks}},
date = {2022-03-24},
organization = {Lab52},
url = {https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/},
language = {English},
urldate = {2022-03-25}
}
Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks Quasar RAT |
2022-03-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20220305:malware:5ab8b53,
author = {Lawrence Abrams},
title = {{Malware now using NVIDIA's stolen code signing certificates}},
date = {2022-03-05},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/},
language = {English},
urldate = {2022-03-10}
}
Malware now using NVIDIA's stolen code signing certificates Quasar RAT |
2022-02-22 ⋅ CyCraft Technology Corp @online{corp:20220222:china:76aa7e8,
author = {{CyCraft Technology Corp}},
title = {{China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector}},
date = {2022-02-22},
url = {https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525},
language = {English},
urldate = {2022-02-26}
}
China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector Quasar RAT |
2022-02-21 ⋅ CyCraft ⋅ CyCraft AI @online{ai:20220221:indepth:73e8778,
author = {{CyCraft AI}},
title = {{An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry}},
date = {2022-02-21},
organization = {CyCraft},
url = {https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934},
language = {Chinese},
urldate = {2022-02-26}
}
An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry Quasar RAT |
2022-02-21 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20220221:chinese:fe29003,
author = {Catalin Cimpanu},
title = {{Chinese hackers linked to months-long attack on Taiwanese financial sector}},
date = {2022-02-21},
organization = {The Record},
url = {https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/},
language = {English},
urldate = {2022-02-26}
}
Chinese hackers linked to months-long attack on Taiwanese financial sector Quasar RAT |
2022-02-11 ⋅ blog.rootshell.be ⋅ Xavier Mertens @online{mertens:20220211:sans:7273063,
author = {Xavier Mertens},
title = {{[SANS ISC] CinaRAT Delivered Through HTML ID Attributes}},
date = {2022-02-11},
organization = {blog.rootshell.be},
url = {https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/},
language = {English},
urldate = {2022-02-14}
}
[SANS ISC] CinaRAT Delivered Through HTML ID Attributes Quasar RAT |
2022-02-08 ⋅ ASEC ⋅ ASEC @online{asec:20220208:distribution:1e72a12,
author = {ASEC},
title = {{Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed}},
date = {2022-02-08},
organization = {ASEC},
url = {https://asec.ahnlab.com/en/31089/},
language = {English},
urldate = {2022-02-10}
}
Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed GoldDragon Quasar RAT |
2022-02-08 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220208:privateloader:5e226cd,
author = {{Intel 471}},
title = {{PrivateLoader: The first step in many malware schemes}},
date = {2022-02-08},
organization = {Intel 471},
url = {https://intel471.com/blog/privateloader-malware},
language = {English},
urldate = {2022-05-09}
}
PrivateLoader: The first step in many malware schemes Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar |
2022-01-08 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20220108:trojanized:00522d1,
author = {Lawrence Abrams},
title = {{Trojanized dnSpy app drops malware cocktail on researchers, devs}},
date = {2022-01-08},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/},
language = {English},
urldate = {2022-01-18}
}
Trojanized dnSpy app drops malware cocktail on researchers, devs Quasar RAT |
2022-01-07 ⋅ Malwarebytes ⋅ Threat Intelligence Team @online{team:20220107:patchwork:84dabfb,
author = {{Threat Intelligence Team}},
title = {{Patchwork APT caught in its own web}},
date = {2022-01-07},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/},
language = {English},
urldate = {2022-01-25}
}
Patchwork APT caught in its own web BadNews |
2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su @online{dai:20211214:collecting:3d6dd34,
author = {Nick Dai and Ted Lee and Vickie Su},
title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}},
date = {2021-12-14},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html},
language = {English},
urldate = {2022-03-30}
}
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack |
2021-10-19 ⋅ Cisco Talos ⋅ Asheer Malhotra @online{malhotra:20211019:malicious:6889662,
author = {Asheer Malhotra},
title = {{Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India}},
date = {2021-10-19},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html},
language = {English},
urldate = {2021-11-02}
}
Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India DCRat Quasar RAT |
2021-09-20 ⋅ Trend Micro ⋅ Aliakbar Zahravi, William Gamazo Sanchez @online{zahravi:20210920:water:63df486,
author = {Aliakbar Zahravi and William Gamazo Sanchez},
title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}},
date = {2021-09-20},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html},
language = {English},
urldate = {2021-09-22}
}
Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT |
2021-09-04 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20210904:av:06b27c5,
author = {cocomelonc},
title = {{AV engines evasion for C++ simple malware: part 1}},
date = {2021-09-04},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html},
language = {English},
urldate = {2022-11-28}
}
AV engines evasion for C++ simple malware: part 1 4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel @techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C\&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-07-12 ⋅ IBM ⋅ Melissa Frydrych, Claire Zaboeva, Dan Dash @online{frydrych:20210712:roboski:1f66418,
author = {Melissa Frydrych and Claire Zaboeva and Dan Dash},
title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}},
date = {2021-07-12},
organization = {IBM},
url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/},
language = {English},
urldate = {2021-07-20}
}
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation 404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos |
2021-07-12 ⋅ Cipher Tech Solutions ⋅ Melissa Frydrych, Claire Zaboeva, Dan Dash @online{frydrych:20210712:roboski:a3c66bf,
author = {Melissa Frydrych and Claire Zaboeva and Dan Dash},
title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}},
date = {2021-07-12},
organization = {Cipher Tech Solutions},
url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/},
language = {English},
urldate = {2021-07-20}
}
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation 404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos |
2021-05-27 ⋅ MinervaLabs ⋅ Tom Roter @online{roter:20210527:trapping:76b0b81,
author = {Tom Roter},
title = {{Trapping A Fat Quasar RAT}},
date = {2021-05-27},
organization = {MinervaLabs},
url = {https://blog.minerva-labs.com/trapping-quasar-rat},
language = {English},
urldate = {2021-06-01}
}
Trapping A Fat Quasar RAT Quasar RAT |
2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule @online{dolas:20210505:catching:ace83fc,
author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule},
title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}},
date = {2021-05-05},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols},
language = {English},
urldate = {2021-05-08}
}
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
2021-04-27 ⋅ Kaspersky ⋅ GReAT @online{great:20210427:trends:e1c92a3,
author = {GReAT},
title = {{APT trends report Q1 2021}},
date = {2021-04-27},
organization = {Kaspersky},
url = {https://securelist.com/apt-trends-report-q1-2021/101967/},
language = {English},
urldate = {2021-04-29}
}
APT trends report Q1 2021 PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster |
2021-04-14 ⋅ Zscaler ⋅ Rohit Chaturvedi, Atinderpal Singh, Tarun Dewan @online{chaturvedi:20210414:look:02bf1e0,
author = {Rohit Chaturvedi and Atinderpal Singh and Tarun Dewan},
title = {{A look at HydroJiin campaign}},
date = {2021-04-14},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign},
language = {English},
urldate = {2021-04-16}
}
A look at HydroJiin campaign NetWire RC Quasar RAT |
2021-02-25 ⋅ Intezer ⋅ Intezer @techreport{intezer:20210225:year:eb47cd1,
author = {Intezer},
title = {{Year of the Gopher A 2020 Go Malware Round-Up}},
date = {2021-02-25},
institution = {Intezer},
url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf},
language = {English},
urldate = {2021-06-30}
}
Year of the Gopher A 2020 Go Malware Round-Up NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-05 ⋅ Morphisec ⋅ Nadav Lorber @online{lorber:20210205:cinarat:772720f,
author = {Nadav Lorber},
title = {{CinaRAT Resurfaces with New Evasive Tactics and Techniques}},
date = {2021-02-05},
organization = {Morphisec},
url = {https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques},
language = {English},
urldate = {2021-02-09}
}
CinaRAT Resurfaces with New Evasive Tactics and Techniques Quasar RAT |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2020-12-28 ⋅ Antiy CERT ⋅ Antiy CERT @online{cert:20201228:civerids:b40d172,
author = {{Antiy CERT}},
title = {{``Civerids'' organization vs. Middle East area attack activity analysis report}},
date = {2020-12-28},
organization = {Antiy CERT},
url = {https://www.antiy.cn/research/notice&report/research_report/20201228.html},
language = {Chinese},
urldate = {2021-01-04}
}
"Civerids" organization vs. Middle East area attack activity analysis report Quasar RAT |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek @online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-10 ⋅ JPCERT/CC ⋅ Kota Kino @online{kino:20201210:attack:cd8c552,
author = {Kota Kino},
title = {{Attack Activities by Quasar Family}},
date = {2020-12-10},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html},
language = {English},
urldate = {2020-12-10}
}
Attack Activities by Quasar Family AsyncRAT Quasar RAT Venom RAT XPCTRA |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20201209:new:ef00418,
author = {{Cybereason Nocturnus}},
title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign},
language = {English},
urldate = {2020-12-10}
}
New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign DropBook MoleNet Quasar RAT SharpStage Spark |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus Team @techreport{team:20201209:molerats:a13c569,
author = {{Cybereason Nocturnus Team}},
title = {{MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
institution = {Cybereason},
url = {https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf},
language = {English},
urldate = {2022-02-09}
}
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign DropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark |
2020-11-19 ⋅ Threatpost ⋅ Elizabeth Montalbano @online{montalbano:20201119:exploits:f40feb2,
author = {Elizabeth Montalbano},
title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}},
date = {2020-11-19},
organization = {Threatpost},
url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/},
language = {English},
urldate = {2020-11-23}
}
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies Quasar RAT Ryuk |
2020-11-17 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20201117:japanlinked:42c6320,
author = {{Threat Hunter Team}},
title = {{Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign}},
date = {2020-11-17},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage},
language = {English},
urldate = {2020-11-19}
}
Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign Quasar RAT |
2020-10-06 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20201006:bahamut:2a6157f,
author = {{Blackberry Research}},
title = {{BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps}},
date = {2020-10-06},
institution = {Blackberry},
url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf},
language = {English},
urldate = {2020-10-08}
}
BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps Bahamut Bahamut |
2020-06-22 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz @online{kotowicz:20200622:venomrat:129ba02,
author = {Maciej Kotowicz},
title = {{VenomRAT - new, hackforums grade, reincarnation of QuassarRAT}},
date = {2020-06-22},
organization = {MalwareLab.pl},
url = {https://blog.malwarelab.pl/posts/venom/},
language = {English},
urldate = {2020-06-25}
}
VenomRAT - new, hackforums grade, reincarnation of QuassarRAT Quasar RAT Venom RAT |
2020-05-29 ⋅ Zscaler ⋅ Sudeep Singh @online{singh:20200529:shellreset:e80d2c8,
author = {Sudeep Singh},
title = {{ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass}},
date = {2020-05-29},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass},
language = {English},
urldate = {2020-06-05}
}
ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass Quasar RAT |
2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-04-27 ⋅ 0x00sec ⋅ Dan Lisichkin @online{lisichkin:20200427:master:1cfb192,
author = {Dan Lisichkin},
title = {{Master of RATs - How to create your own Tracker}},
date = {2020-04-27},
organization = {0x00sec},
url = {https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848},
language = {English},
urldate = {2020-04-28}
}
Master of RATs - How to create your own Tracker Quasar RAT |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-01-31 ⋅ ReversingLabs ⋅ Robert Simmons @online{simmons:20200131:rats:d8a4021,
author = {Robert Simmons},
title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}},
date = {2020-01-31},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/rats-in-the-library},
language = {English},
urldate = {2020-02-03}
}
RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT |
2020-01-17 ⋅ JPCERT/CC ⋅ Takayoshi Shiigi @techreport{shiigi:20200117:looking:bf71db1,
author = {Takayoshi Shiigi},
title = {{Looking back on the incidents in 2019}},
date = {2020-01-17},
institution = {JPCERT/CC},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Looking back on the incidents in 2019 TSCookie NodeRAT Emotet PoshC2 Quasar RAT |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:zinc:13667ec,
author = {SecureWorks},
title = {{ZINC EMERSON}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson},
language = {English},
urldate = {2020-05-23}
}
ZINC EMERSON yty QUILTED TIGER |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:aluminum:af22ffd,
author = {SecureWorks},
title = {{ALUMINUM SARATOGA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga},
language = {English},
urldate = {2020-05-23}
}
ALUMINUM SARATOGA BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-10-22 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20191022:new:0d66066,
author = {Jagaimo Kawaii},
title = {{New PatchWork Spearphishing Attack}},
date = {2019-10-22},
organization = {Lab52},
url = {https://lab52.io/blog/new-patchwork-campaign-against-pakistan/},
language = {English},
urldate = {2020-01-13}
}
New PatchWork Spearphishing Attack BadNews |
2019-10-02 ⋅ Virus Bulletin ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20191002:abusing:3c9a1b7,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Abusing third-party cloud services in targeted attacks}},
date = {2019-10-02},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf},
language = {English},
urldate = {2020-01-13}
}
Abusing third-party cloud services in targeted attacks BadNews SLUB |
2019-08-26 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20190826:aptc09:a228795,
author = {Red Raindrop Team},
title = {{APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan}},
date = {2019-08-26},
organization = {Qianxin},
url = {https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/},
language = {English},
urldate = {2020-01-07}
}
APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan BadNews |
2019-05-24 ⋅ Fortinet ⋅ Ben Hunter @online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-},
language = {English},
urldate = {2020-11-04}
}
Uncovering new Activity by APT10 PlugX Quasar RAT |
2019-05-20 ⋅ Twitter (@struppigel) ⋅ Karsten Hahn @online{hahn:20190520:yggdrasil:5a23fde,
author = {Karsten Hahn},
title = {{Tweet on Yggdrasil / CinaRAT}},
date = {2019-05-20},
organization = {Twitter (@struppigel)},
url = {https://twitter.com/struppigel/status/1130455143504318466},
language = {English},
urldate = {2020-01-13}
}
Tweet on Yggdrasil / CinaRAT Quasar RAT |
2019-04-16 ⋅ FireEye ⋅ John Hultquist, Ben Read, Oleg Bondarenko, Chi-en Shen @online{hultquist:20190416:spear:a0125cb,
author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen},
title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}},
date = {2019-04-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html},
language = {English},
urldate = {2019-12-20}
}
Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic Quasar RAT Vermin |
2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20190401:trends:cf738dc,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
date = {2019-04-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20190327:elfin:d90a330,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
date = {2019-03-27},
organization = {Symantec},
url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage},
language = {English},
urldate = {2020-04-21}
}
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33 |
2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team @online{team:20190327:elfin:836cc39,
author = {Security Response Attack Investigation Team},
title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
date = {2019-03-27},
organization = {Symantec},
url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage},
language = {English},
urldate = {2020-01-06}
}
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33 |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:patchwork:b9fa9e1,
author = {MITRE ATT&CK},
title = {{Group description: Patchwork}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0040/},
language = {English},
urldate = {2019-12-20}
}
Group description: Patchwork QUILTED TIGER |
2018-11-29 ⋅ 360 Threat Intelligence ⋅ Threat Intelligence Center @online{center:20181129:analysis:d46e3e4,
author = {Threat Intelligence Center},
title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}},
date = {2018-11-29},
organization = {360 Threat Intelligence},
url = {https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/},
language = {English},
urldate = {2022-01-03}
}
Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups BioData Bitter RAT WSCSPL |
2018-10-09 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší, Cedric Pernet @techreport{lunghi:20181009:untangling:348f703,
author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet},
title = {{Untangling the Patchwork Espionage Group}},
date = {2018-10-09},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf},
language = {English},
urldate = {2020-01-06}
}
Untangling the Patchwork Espionage Group BadNews SocksBot QUILTED TIGER |
2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20181001:trends:17b1db5,
author = {Macnica Networks},
title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}},
date = {2018-10-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018 Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
2018-08-29 ⋅ Trend Micro ⋅ Daniel Lunghi, Ecular Xu @online{lunghi:20180829:urpage:0f63a4b,
author = {Daniel Lunghi and Ecular Xu},
title = {{The Urpage Connection to Bahamut, Confucius and Patchwork}},
date = {2018-08-29},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/},
language = {English},
urldate = {2020-01-06}
}
The Urpage Connection to Bahamut, Confucius and Patchwork AndroRAT Bahamut |
2018-08-02 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit @online{falcone:20180802:gorgon:06112b1,
author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit},
title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}},
date = {2018-08-02},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/},
language = {English},
urldate = {2019-12-20}
}
The Gorgon Group: Slithering Between Nation State and Cybercrime Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT |
2018-07-17 ⋅ ESET Research ⋅ Kaspars Osis @online{osis:20180717:deep:56fcfcf,
author = {Kaspars Osis},
title = {{A deep dive down the Vermin RAThole}},
date = {2018-07-17},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/},
language = {English},
urldate = {2019-11-14}
}
A deep dive down the Vermin RAThole Quasar RAT Sobaken Vermin |
2018-06-07 ⋅ Volexity ⋅ Matthew Meltzer, Sean Koessel, Steven Adair @online{meltzer:20180607:patchwork:5b8d3c8,
author = {Matthew Meltzer and Sean Koessel and Steven Adair},
title = {{Patchwork APT Group Targets US Think Tanks}},
date = {2018-06-07},
organization = {Volexity},
url = {https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/},
language = {English},
urldate = {2020-01-08}
}
Patchwork APT Group Targets US Think Tanks Quasar RAT Unidentified 047 QUILTED TIGER |
2018-03-30 ⋅ 360 Threat Intelligence ⋅ Qi Anxin Threat Intelligence Center @online{center:20180330:analysis:4f1feb9,
author = {Qi Anxin Threat Intelligence Center},
title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}},
date = {2018-03-30},
organization = {360 Threat Intelligence},
url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/},
language = {Chinese},
urldate = {2020-01-13}
}
Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China Quasar RAT |
2018-03-07 ⋅ Palo Alto Networks Unit 42 ⋅ Brandon Levene, Josh Grunzweig, Brittany Ash @online{levene:20180307:patchwork:8973699,
author = {Brandon Levene and Josh Grunzweig and Brittany Ash},
title = {{Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent}},
date = {2018-03-07},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/},
language = {English},
urldate = {2019-12-20}
}
Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent BadNews |
2017-12-11 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší, Cedric Pernet @online{lunghi:20171211:untangling:5f00f99,
author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet},
title = {{Untangling the Patchwork Cyberespionage Group}},
date = {2017-12-11},
organization = {Trend Micro},
url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite},
language = {English},
urldate = {2019-10-21}
}
Untangling the Patchwork Cyberespionage Group Quasar RAT |
2017-10-27 ⋅ Bellingcat ⋅ Collin Anderson @online{anderson:20171027:bahamut:e17abf8,
author = {Collin Anderson},
title = {{Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia}},
date = {2017-10-27},
organization = {Bellingcat},
url = {https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/},
language = {English},
urldate = {2020-01-06}
}
Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia Bahamut Bahamut Bahamut |
2017-09-19 ⋅ Cymmetria ⋅ Cymmetria @online{cymmetria:20170919:unveiling:e67fe90,
author = {Cymmetria},
title = {{Unveiling Patchwork – a targeted attack caught with cyber deception}},
date = {2017-09-19},
organization = {Cymmetria},
url = {https://www.cymmetria.com/patchwork-targeted-attack/},
language = {English},
urldate = {2019-12-18}
}
Unveiling Patchwork – a targeted attack caught with cyber deception QUILTED TIGER |
2017-06-12 ⋅ Bellingcat ⋅ Collin Anderson @online{anderson:20170612:bahamut:9810646,
author = {Collin Anderson},
title = {{Bahamut, Pursuing a Cyber Espionage Actor in the Middle East}},
date = {2017-06-12},
organization = {Bellingcat},
url = {https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/},
language = {English},
urldate = {2020-01-13}
}
Bahamut, Pursuing a Cyber Espionage Actor in the Middle East Bahamut Bahamut Bahamut |
2017-04-05 ⋅ Fortinet ⋅ Jasper Manuel, Artem Semenchenko @online{manuel:20170405:indepth:f5fe3b5,
author = {Jasper Manuel and Artem Semenchenko},
title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1}},
date = {2017-04-05},
organization = {Fortinet},
url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1},
language = {English},
urldate = {2020-01-06}
}
In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1 BadNews |
2017-04-05 ⋅ Fortinet ⋅ Jasper Manuel, Artem Semenchenko @online{manuel:20170405:indepth:8481b41,
author = {Jasper Manuel and Artem Semenchenko},
title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2}},
date = {2017-04-05},
organization = {Fortinet},
url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2},
language = {English},
urldate = {2019-10-13}
}
In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2 BadNews |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers @techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-01-30 ⋅ Palo Alto Networks Unit 42 ⋅ Mashav Sapir, Tomer Bar, Netanel Rimer, Taras Malivanchuk, Yaron Samuel, Simon Conant @online{sapir:20170130:downeks:8ed6329,
author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant},
title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}},
date = {2017-01-30},
organization = {Palo Alto Networks Unit 42},
url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments},
language = {English},
urldate = {2019-12-20}
}
Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments Quasar RAT |
2016-10-20 ⋅ Twitter (@malwrhunterteam) ⋅ MalwareHunterTeam @online{malwarehunterteam:20161020:quasar:f530cea,
author = {MalwareHunterTeam},
title = {{Tweet on Quasar RAT}},
date = {2016-10-20},
organization = {Twitter (@malwrhunterteam)},
url = {https://twitter.com/malwrhunterteam/status/789153556255342596},
language = {English},
urldate = {2019-07-11}
}
Tweet on Quasar RAT Quasar RAT |
2016-08-08 ⋅ Forcepoint ⋅ Nicholas Griffin @online{griffin:20160808:monsoon:ac7eb5b,
author = {Nicholas Griffin},
title = {{MONSOON - Analysis Of An APT Campaign}},
date = {2016-08-08},
organization = {Forcepoint},
url = {https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign},
language = {English},
urldate = {2020-04-06}
}
MONSOON - Analysis Of An APT Campaign BadNews TinyTyphon QUILTED TIGER |
2016-08-08 ⋅ Forcepoint ⋅ Andy Settle, Nicholas Griffin, Abel Toro @techreport{settle:20160808:monsoon:c4f71cc,
author = {Andy Settle and Nicholas Griffin and Abel Toro},
title = {{MONSOON – ANALYSIS OF AN APT CAMPAIGN}},
date = {2016-08-08},
institution = {Forcepoint},
url = {https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf},
language = {English},
urldate = {2020-01-07}
}
MONSOON – ANALYSIS OF AN APT CAMPAIGN BadNews TinyTyphon QUILTED TIGER |
2016-07-25 ⋅ Symantec ⋅ Symantec @online{symantec:20160725:patchwork:d56802d,
author = {Symantec},
title = {{Patchwork cyberespionage group expands targets from governments to wide range of industries}},
date = {2016-07-25},
organization = {Symantec},
url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
language = {English},
urldate = {2020-04-21}
}
Patchwork cyberespionage group expands targets from governments to wide range of industries QUILTED TIGER |
2016-07-08 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20160708:dropping:273c1df,
author = {GReAT},
title = {{The Dropping Elephant – aggressive cyber-espionage in the Asian region}},
date = {2016-07-08},
organization = {Kaspersky Labs},
url = {https://securelist.com/the-dropping-elephant-actor/75328/},
language = {English},
urldate = {2019-12-20}
}
The Dropping Elephant – aggressive cyber-espionage in the Asian region QUILTED TIGER |
2016 ⋅ Cymmetria ⋅ Cymmetria @techreport{cymmetria:2016:unveiling:da4224b,
author = {Cymmetria},
title = {{Unveiling Patchwork: The Copy-Paste APT}},
date = {2016},
institution = {Cymmetria},
url = {https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf},
language = {English},
urldate = {2020-01-06}
}
Unveiling Patchwork: The Copy-Paste APT QUILTED TIGER |