Since 2021, Red Menshen, a China-based threat actor, has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase, including custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open-source tools such as Mimikatz and Metasploit to aid lateral movement across Windows systems. They have also been seen sending commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider; these VPSs are in turn administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most observed Red Menshen activity took place Monday to Friday (with none observed on weekends), with most communication occurring between 01:00 and 10:00 UTC. This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with a realistic probability that it aligns with local working hours.
2023-07-18 ⋅ Mandiant ⋅ Mandiant Intelligence @online{intelligence:20230718:stealth:789e8b1,
author = {Mandiant Intelligence},
title = {{Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection}},
date = {2023-07-18},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/blog/chinese-espionage-tactics},
language = {English},
urldate = {2023-07-19}
}
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear |
2023-07-13 ⋅ Trend Micro ⋅ Fernando Mercês @online{mercs:20230713:detecting:41237c5,
author = {Fernando Mercês},
title = {{Detecting BPFDoor Backdoor Variants Abusing BPF Filters}},
date = {2023-07-13},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html},
language = {English},
urldate = {2023-07-16}
}
Detecting BPFDoor Backdoor Variants Abusing BPF Filters BPFDoor Symbiote |
2023-05-18 ⋅ Nikhil Hegde @online{hegde:20230518:looking:24677ca,
author = {Nikhil Hegde},
title = {{Looking Closer at BPF Bytecode in BPFDoor}},
date = {2023-05-18},
url = {https://nikhilh-20.github.io/blog/cbpf_bpfdoor/},
language = {English},
urldate = {2023-05-21}
}
Looking Closer at BPF Bytecode in BPFDoor BPFDoor |
2023-05-14 ⋅ unfinished.bike ⋅ Thomas Strömberg @online{strmberg:20230514:fun:778ad3b,
author = {Thomas Strömberg},
title = {{Fun with the new bpfdoor (2023)}},
date = {2023-05-14},
organization = {unfinished.bike},
url = {https://unfinished.bike/fun-with-the-new-bpfdoor-2023},
language = {English},
urldate = {2023-05-24}
}
Fun with the new bpfdoor (2023) BPFDoor |
2023-05-11 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20230511:stealthier:8a10017,
author = {Bill Toulas},
title = {{Stealthier version of Linux BPFDoor malware spotted in the wild}},
date = {2023-05-11},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/},
language = {English},
urldate = {2023-05-15}
}
Stealthier version of Linux BPFDoor malware spotted in the wild BPFDoor |
2023-05-10 ⋅ Deep instinct ⋅ Deep Instinct Threat Lab @online{lab:20230510:bpfdoor:d22b474,
author = {Deep Instinct Threat Lab},
title = {{BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game}},
date = {2023-05-10},
organization = {Deep instinct},
url = {https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game},
language = {English},
urldate = {2023-05-11}
}
BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game BPFDoor |
2023-04-24 ⋅ Cofense ⋅ Austin Jones @online{jones:20230424:opensource:a0f5347,
author = {Austin Jones},
title = {{Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release}},
date = {2023-04-24},
organization = {Cofense},
url = {https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/},
language = {English},
urldate = {2023-04-26}
}
Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release Ghost RAT |
2023-04-13 ⋅ Intel 471 ⋅ Souhail Hammou, Jorge Rodriguez @online{hammou:20230413:from:ec710d3,
author = {Souhail Hammou and Jorge Rodriguez},
title = {{From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT}},
date = {2023-04-13},
organization = {Intel 471},
url = {https://www.youtube.com/watch?v=uakw2HMGZ-I},
language = {English},
urldate = {2023-06-23}
}
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt |
2022-09-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220915:webworm:500c850,
author = {Threat Hunter Team},
title = {{Webworm: Espionage Attackers Testing and Using Older Modified RATs}},
date = {2022-09-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats},
language = {English},
urldate = {2022-09-20}
}
Webworm: Espionage Attackers Testing and Using Older Modified RATs 9002 RAT Ghost RAT Trochilus RAT |
2022-08-01 ⋅ Qualys ⋅ Harshal Tupsamudre @online{tupsamudre:20220801:heres:5d6e628,
author = {Harshal Tupsamudre},
title = {{Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor}},
date = {2022-08-01},
organization = {Qualys},
url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor},
language = {English},
urldate = {2022-08-02}
}
Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor BPFDoor |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:iron:f7586c5,
author = {Unit 42},
title = {{Iron Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/},
language = {English},
urldate = {2022-07-29}
}
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
2022-05-25 ⋅ CrowdStrike ⋅ Jamie Harris @online{harris:20220525:hunting:48d53ea,
author = {Jamie Harris},
title = {{Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun}},
date = {2022-05-25},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/},
language = {English},
urldate = {2022-05-29}
}
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun BPFDoor |
2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220523:operation:e3c402b,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Earth Berberoka}},
date = {2022-05-23},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
2022-05-17 ⋅ Elastic ⋅ Colson Wilhoit, Alex Bell, Rhys Rustad-Elliott, Jake King @online{wilhoit:20220517:peek:fea1eeb,
author = {Colson Wilhoit and Alex Bell and Rhys Rustad-Elliott and Jake King},
title = {{A peek behind the BPFDoor}},
date = {2022-05-17},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#},
language = {English},
urldate = {2022-05-25}
}
A peek behind the BPFDoor BPFDoor |
2022-05-11 ⋅ ExaTrack ⋅ Tristan Pourcelot @techreport{pourcelot:20220511:tricephalic:d8d6265,
author = {Tristan Pourcelot},
title = {{Tricephalic Hellkeeper: a tale of a passive backdoor}},
date = {2022-05-11},
institution = {ExaTrack},
url = {https://exatrack.com/public/Tricephalic_Hellkeeper.pdf},
language = {English},
urldate = {2022-05-25}
}
Tricephalic Hellkeeper: a tale of a passive backdoor BPFDoor Bvp47 Uroburos |
2022-05-11 ⋅ Sandfly Security ⋅ The Sandfly Security Team @online{team:20220511:bpfdoor:306b873,
author = {The Sandfly Security Team},
title = {{BPFDoor - An Evasive Linux Backdoor Technical Analysis}},
date = {2022-05-11},
organization = {Sandfly Security},
url = {https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/},
language = {English},
urldate = {2022-05-11}
}
BPFDoor - An Evasive Linux Backdoor Technical Analysis BPFDoor |
2022-05-08 ⋅ Twitter (@CraigHRowland) ⋅ Craig Rowland @online{rowland:20220508:twitter:bf58ca0,
author = {Craig Rowland},
title = {{Twitter Thread with description of functionality for BPFDoor}},
date = {2022-05-08},
organization = {Twitter (@CraigHRowland)},
url = {https://twitter.com/CraigHRowland/status/1523266585133457408},
language = {English},
urldate = {2022-06-09}
}
Twitter Thread with description of functionality for BPFDoor BPFDoor |
2022-05-08 ⋅ Twitter (@cyb3rops) ⋅ Florian Roth @online{roth:20220508:source:86add3e,
author = {Florian Roth},
title = {{Tweet on source code for BPFDoor found on VT}},
date = {2022-05-08},
organization = {Twitter (@cyb3rops)},
url = {https://twitter.com/cyb3rops/status/1523227511551033349},
language = {English},
urldate = {2022-05-09}
}
Tweet on source code for BPFDoor found on VT BPFDoor |
2022-05-07 ⋅ DoublePulsar ⋅ Kevin Beaumont @online{beaumont:20220507:bpfdoor:9d41f91,
author = {Kevin Beaumont},
title = {{BPFDoor — an active Chinese global surveillance tool}},
date = {2022-05-07},
organization = {DoublePulsar},
url = {https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896},
language = {English},
urldate = {2022-05-09}
}
BPFDoor — an active Chinese global surveillance tool BPFDoor |
2022-05-05 ⋅ Troopers Conference ⋅ Ben Jackson, Will Bonner @online{jackson:20220505:tinker:2cde4e9,
author = {Ben Jackson and Will Bonner},
title = {{Tinker Telco Soldier Spy (to be given 2022-06-27)}},
date = {2022-05-05},
organization = {Troopers Conference},
url = {https://troopers.de/troopers22/talks/7cv8pz/},
language = {English},
urldate = {2022-05-06}
}
Tinker Telco Soldier Spy (to be given 2022-06-27) BPFDoor GALLIUM |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:46707aa,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2023-07-02}
}
Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:c43873f,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen |
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220427:new:9068f6e,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
date = {2022-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
language = {English},
urldate = {2023-04-18}
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka |
2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881,
author = {Daniel Lunghi and Jaromír Hořejší},
title = {{Operation Gambling Puppet}},
date = {2022-04-27},
institution = {Trendmicro},
url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-15 ⋅ Center for Internet Security ⋅ CIS @online{cis:20220415:top:62c8245,
author = {CIS},
title = {{Top 10 Malware March 2022}},
date = {2022-04-15},
organization = {Center for Internet Security},
url = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022},
language = {English},
urldate = {2023-02-17}
}
Top 10 Malware March 2022 Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus |
2022-04-01 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220401:chinese:0b445c6,
author = {Ravie Lakshmanan},
title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}},
date = {2022-04-01},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html},
language = {English},
urldate = {2022-04-04}
}
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit Fire Chili Ghost RAT |
2022-03-30 ⋅ Fortinet ⋅ Rotem Sde-Or, Eliran Voronovitch @online{sdeor:20220330:new:8eeff0d,
author = {Rotem Sde-Or and Eliran Voronovitch},
title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}},
date = {2022-03-30},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits},
language = {English},
urldate = {2022-03-31}
}
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits Fire Chili Ghost RAT |
2022-03-16 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20220316:gh0stcringe:65e2d3e,
author = {ASEC Analysis Team},
title = {{Gh0stCringe RAT Being Distributed to Vulnerable Database Servers}},
date = {2022-03-16},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/32572/},
language = {English},
urldate = {2022-04-14}
}
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers Ghost RAT Kingminer |
2022-02-11 ⋅ Cisco Talos ⋅ Talos @online{talos:20220211:threat:fcad762,
author = {Talos},
title = {{Threat Roundup for February 4 to February 11}},
date = {2022-02-11},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html},
language = {English},
urldate = {2022-02-14}
}
Threat Roundup for February 4 to February 11 DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus |
2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su @online{dai:20211214:collecting:3d6dd34,
author = {Nick Dai and Ted Lee and Vickie Su},
title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}},
date = {2021-12-14},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html},
language = {English},
urldate = {2022-03-30}
}
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack |
2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211005:drawing:e53477d,
author = {The BlackBerry Research & Intelligence Team},
title = {{Drawing a Dragon: Connecting the Dots to Find APT41}},
date = {2021-10-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41},
language = {English},
urldate = {2021-10-11}
}
Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
2021-10-04 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20211004:malware:5ba808a,
author = {Shusei Tomonaga},
title = {{Malware Gh0stTimes Used by BlackTech}},
date = {2021-10-04},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html},
language = {English},
urldate = {2021-10-11}
}
Malware Gh0stTimes Used by BlackTech Gh0stTimes Ghost RAT |
2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule @online{dolas:20210505:catching:ace83fc,
author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule},
title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}},
date = {2021-05-05},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols},
language = {English},
urldate = {2021-05-08}
}
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
2021-04-28 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen @online{hoej:20210428:water:f769ce2,
author = {Jaromír Hořejší and Joseph C Chen},
title = {{Water Pamola Attacked Online Shops Via Malicious Orders}},
date = {2021-04-28},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html},
language = {English},
urldate = {2021-05-04}
}
Water Pamola Attacked Online Shops Via Malicious Orders Ghost RAT |
2021-04-02 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20210402:study:31b191e,
author = {Dr.Web},
title = {{Study of targeted attacks on Russian research institutes}},
date = {2021-04-02},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf},
language = {English},
urldate = {2021-04-06}
}
Study of targeted attacks on Russian research institutes Cotx RAT Ghost RAT TA428 |
2021-02-22 ⋅ tccontre Blog ⋅ tcontre @online{tcontre:20210222:gh0strat:9f98308,
author = {tcontre},
title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}},
date = {2021-02-22},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html},
language = {English},
urldate = {2021-02-25}
}
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload Ghost RAT |
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou @online{sanmillan:20210201:operation:9e52a78,
author = {Ignacio Sanmillan and Matthieu Faou},
title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}},
date = {2021-02-01},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/},
language = {English},
urldate = {2021-02-17}
}
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis @techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2020-12-18 ⋅ Seqrite ⋅ Pavankumar Chaudhari @online{chaudhari:20201218:rat:50074a2,
author = {Pavankumar Chaudhari},
title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}},
date = {2020-12-18},
organization = {Seqrite},
url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/},
language = {English},
urldate = {2020-12-18}
}
RAT used by Chinese cyberspies infiltrating Indian businesses Ghost RAT |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
2020-07-28 ⋅ NTT ⋅ NTT Security @online{security:20200728:craftypanda:7643b28,
author = {NTT Security},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}
CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon @online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-06-14 ⋅ BushidoToken ⋅ BushidoToken @online{bushidotoken:20200614:deepdive:3a375ca,
author = {BushidoToken},
title = {{Deep-dive: The DarkHotel APT}},
date = {2020-06-14},
organization = {BushidoToken},
url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html},
language = {English},
urldate = {2020-06-16}
}
Deep-dive: The DarkHotel APT Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode) |
2020-06-05 ⋅ Prevailion ⋅ Danny Adamitis @online{adamitis:20200605:gh0st:849c227,
author = {Danny Adamitis},
title = {{The Gh0st Remains the Same}},
date = {2020-06-05},
organization = {Prevailion},
url = {https://www.prevailion.com/the-gh0st-remains-the-same-2/},
language = {English},
urldate = {2022-09-20}
}
The Gh0st Remains the Same Ghost RAT |
2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20200604:covid19:45fa7ba,
author = {PT ESC Threat Intelligence},
title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}},
date = {2020-06-04},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/},
language = {English},
urldate = {2020-06-05}
}
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group Ghost RAT |
2020-05-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka @online{amawaka:20200520:what:e02d9a4,
author = {Asuna Amawaka},
title = {{What happened between the BigBadWolf and the Tiger?}},
date = {2020-05-20},
organization = {Medium Asuna Amawaka},
url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2},
language = {English},
urldate = {2021-02-18}
}
What happened between the BigBadWolf and the Tiger? Ghost RAT |
2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra @online{camastra:20200514:planted:7b94cc6,
author = {Luigino Camastra},
title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}},
date = {2020-05-14},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia},
language = {English},
urldate = {2022-07-25}
}
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia BYEBY Ghost RAT Microcin MimiKatz Vicious Panda |
2020-05-05 ⋅ Troopers Conference ⋅ Ben Jackson, Will Bonner @online{jackson:20200505:tinker:34ae7ae,
author = {Ben Jackson and Will Bonner},
title = {{Tinker Telco Soldier Spy}},
date = {2020-05-05},
organization = {Troopers Conference},
url = {https://troopers.de/troopers22/talks/7cv8pz},
language = {English},
urldate = {2022-05-08}
}
Tinker Telco Soldier Spy Red Menshen |
2020-03-05 ⋅ SophosLabs ⋅ Sergei Shevchenko @techreport{shevchenko:20200305:cloud:e83e58c,
author = {Sergei Shevchenko},
title = {{Cloud Snooper Attack Bypasses AWS Security Measures}},
date = {2020-03-05},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf},
language = {English},
urldate = {2022-01-28}
}
Cloud Snooper Attack Bypasses AWS Security Measures Cloud Snooper Ghost RAT |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dcdc02a,
author = {SecureWorks},
title = {{BRONZE FLEETWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood},
language = {English},
urldate = {2020-05-23}
}
BRONZE FLEETWOOD Binanen Ghost RAT OrcaRAT APT5 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:41a0bc0,
author = {SecureWorks},
title = {{BRONZE EDISON}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-edison},
language = {English},
urldate = {2020-05-23}
}
BRONZE EDISON Ghost RAT sykipot APT4 SAMURAI PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dc58892,
author = {SecureWorks},
title = {{BRONZE GLOBE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-globe},
language = {English},
urldate = {2020-05-23}
}
BRONZE GLOBE EtumBot Ghost RAT APT12 |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center @online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-04 ⋅ Tencent ⋅ Tencent Security Mikan TIC @online{tic:20191104:attack:33a29db,
author = {Tencent Security Mikan TIC},
title = {{APT attack group "Higaisa" attack activity disclosed}},
date = {2019-11-04},
organization = {Tencent},
url = {https://s.tencent.com/research/report/836.html},
language = {Chinese},
urldate = {2020-05-13}
}
APT attack group "Higaisa" attack activity disclosed Ghost RAT Higaisa |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-09-17 ⋅ Talos ⋅ Christopher Evans, David Liebenberg @online{evans:20190917:cryptocurrency:8f3a9e9,
author = {Christopher Evans and David Liebenberg},
title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}},
date = {2019-09-17},
organization = {Talos},
url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html},
language = {English},
urldate = {2019-10-31}
}
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda” Ghost RAT |
2019-04-25 ⋅ DATANET ⋅ Kim Seon-ae @online{seonae:20190425:chinesebased:fa78904,
author = {Kim Seon-ae},
title = {{Chinese-based hackers attack domestic energy institutions}},
date = {2019-04-25},
organization = {DATANET},
url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346},
language = {Korean},
urldate = {2021-02-09}
}
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
2019-02-27 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190227:peek:16c9160,
author = {CTU Research Team},
title = {{A Peek into BRONZE UNION’s Toolbox}},
date = {2019-02-27},
organization = {Secureworks},
url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox},
language = {English},
urldate = {2020-01-07}
}
A Peek into BRONZE UNION’s Toolbox Ghost RAT HyperBro ZXShell |
2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan @online{sanmillan:20190107:chinaz:50bb5f4,
author = {Ignacio Sanmillan},
title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}},
date = {2019-01-07},
organization = {Intezer},
url = {https://www.intezer.com/blog/malware-analysis/chinaz-relations/},
language = {English},
urldate = {2022-09-20}
}
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups Ghost RAT |
2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles @online{rolles:20180919:hexrays:1afcc0c,
author = {Rolf Rolles},
title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}},
date = {2018-09-19},
organization = {Möbius Strip Reverse Engineering},
url = {http://www.hexblog.com/?p=1248},
language = {English},
urldate = {2019-10-28}
}
Hex-Rays Microcode API vs. Obfuscating Compiler Ghost RAT |
2018-04-20 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos @online{pantazopoulos:20180420:decoding:b4ca1d1,
author = {Nikolaos Pantazopoulos},
title = {{Decoding network data from a Gh0st RAT variant}},
date = {2018-04-20},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/},
language = {English},
urldate = {2022-10-07}
}
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos @online{pantazopoulos:20180417:decoding:7d5f713,
author = {Nikolaos Pantazopoulos},
title = {{Decoding network data from a Gh0st RAT variant}},
date = {2018-04-17},
organization = {NCC Group},
url = {https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/},
language = {English},
urldate = {2022-09-20}
}
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team @techreport{team:20180201:operation:e76f179,
author = {Bitdefender Team},
title = {{Operation PZCHAO Inside a highly specialized espionage infrastructure}},
date = {2018-02-01},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf},
language = {English},
urldate = {2022-09-20}
}
Operation PZCHAO Inside a highly specialized espionage infrastructure Ghost RAT APT27
2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20180104:malspam:ce2dfac,
author = {Brad Duncan},
title = {{MALSPAM PUSHING PCRAT/GH0ST}},
date = {2018-01-04},
organization = {Malware Traffic Analysis},
url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html},
language = {English},
urldate = {2019-12-24}
}
MALSPAM PUSHING PCRAT/GH0ST Ghost RAT
2018 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:2018:2018:5ba6206,
author = {CrowdStrike},
title = {{2018 Global Threat Report}},
date = {2018},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf},
language = {English},
urldate = {2019-12-17}
}
2018 Global Threat Report Mangzamel BAMBOO SPIDER HOUND SPIDER ZOMBIE SPIDER
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss @online{huss:20171219:north:e5ef6da,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}},
date = {2017-12-19},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new},
language = {English},
urldate = {2019-12-20}
}
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group Ghost RAT
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss @techreport{huss:20171219:north:b2da03e,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug}},
date = {2017-12-19},
institution = {Proofpoint},
url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf},
language = {English},
urldate = {2019-10-18}
}
North Korea Bitten by Bitcoin Bug QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:pittytiger:cac6452,
author = {MITRE ATT&CK},
title = {{PittyTiger}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0011},
language = {English},
urldate = {2022-08-30}
}
PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24
2017-05-31 ⋅ MITRE ⋅ MITRE @online{mitre:20170531:apt18:deb24dc,
author = {MITRE},
title = {{APT18}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0026},
language = {English},
urldate = {2022-07-05}
}
APT18 Ghost RAT HttpBrowser APT18
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:axiom:b181fdb,
author = {MITRE ATT&CK},
title = {{Axiom}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0001/},
language = {English},
urldate = {2022-08-30}
}
Axiom Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2017-02-25 ⋅ Financial Security Institute ⋅ Kyoung-Ju Kwak (郭炅周) @techreport{:20170225:silent:5a11e12,
author = {Kyoung-Ju Kwak (郭炅周)},
title = {{Silent RIFLE: Response Against Advanced Threat}},
date = {2017-02-25},
institution = {Financial Security Institute},
url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf},
language = {English},
urldate = {2020-03-04}
}
Silent RIFLE: Response Against Advanced Threat Ghost RAT
2016-04-22 ⋅ Cylance ⋅ Isaac Palmer @online{palmer:20160422:ghost:dda6514,
author = {Isaac Palmer},
title = {{The Ghost Dragon}},
date = {2016-04-22},
organization = {Cylance},
url = {https://blog.cylance.com/the-ghost-dragon},
language = {English},
urldate = {2020-01-08}
}
The Ghost Dragon Ghost RAT
2015-04-14 ⋅ Youtube (Kaspersky) ⋅ Kris McConkey @online{mcconkey:20150414:following:02e29b8,
author = {Kris McConkey},
title = {{Following APT OpSec failures}},
date = {2015-04-14},
organization = {Youtube (Kaspersky)},
url = {https://www.youtube.com/watch?v=NFJqD-LcpIg},
language = {English},
urldate = {2022-08-30}
}
Following APT OpSec failures BLACKCOFFEE Mangzamel APT17
2015-04-13 ⋅ Hybrid-Analysis ⋅ Hybrid-Analysis @online{hybridanalysis:20150413:sqlconnt1exe:86539cc,
author = {Hybrid-Analysis},
title = {{sqlconnt1.exe}},
date = {2015-04-13},
organization = {Hybrid-Analysis},
url = {https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2},
language = {English},
urldate = {2020-01-13}
}
sqlconnt1.exe Mangzamel
2012 ⋅ Norman ASA ⋅ Snorre Fagerland @techreport{fagerland:2012:many:c938856,
author = {Snorre Fagerland},
title = {{The many faces of Gh0st Rat}},
date = {2012},
institution = {Norman ASA},
url = {https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf},
language = {English},
urldate = {2023-04-08}
}
The many faces of Gh0st Rat Ghost RAT
2011-06-29 ⋅ Symantec ⋅ John McDonald @online{mcdonald:20110629:inside:b955948,
author = {John McDonald},
title = {{Inside a Back Door Attack}},
date = {2011-06-29},
organization = {Symantec},
url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack},
language = {English},
urldate = {2020-04-21}
}
Inside a Back Door Attack Ghost RAT Dust Storm
2009-03-28 ⋅ Infinitum Labs ⋅ Information Warfare Monitor @techreport{monitor:20090328:tracking:dffad13,
author = {Information Warfare Monitor},
title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}},
date = {2009-03-28},
institution = {Infinitum Labs},
url = {http://www.nartv.org/mirror/ghostnet.pdf},
language = {English},
urldate = {2022-09-30}
}
Tracking GhostNet: Investigating a Cyber Espionage Network Ghost RAT GhostNet