SYMBOLCOMMON_NAMEaka. SYNONYMS

Shell Crew  (Back to overview)

aka: Deep Panda, WebMasters, APT 19, KungFu Kittens, Black Vine, Group 13, PinkPanther, Sh3llCr3w, BRONZE FIRESTONE

Adversary group targeting financial, technology, non-profit organisations.


Associated Families
win.cobalt_strike

References
2021-04-20Medium walmartglobaltechJason Reaves
@online{reaves:20210420:cobaltstrike:d18d4c4, author = {Jason Reaves}, title = {{CobaltStrike Stager Utilizing Floating Point Math}}, date = {2021-04-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718}, language = {English}, urldate = {2021-04-20} } CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike
2021-04-19NetresecErik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-18YouTube (dist67)Didier Stevens
@online{stevens:20210418:decoding:18e5319, author = {Didier Stevens}, title = {{Decoding Cobalt Strike Traffic}}, date = {2021-04-18}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=ysN-MqyIN7M}, language = {English}, urldate = {2021-04-20} } Decoding Cobalt Strike Traffic
Cobalt Strike
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-09F-SecureRiccardo Ancarani, Giulio Ginesi
@online{ancarani:20210409:detecting:01d28ed, author = {Riccardo Ancarani and Giulio Ginesi}, title = {{Detecting Exposed Cobalt Strike DNS Redirectors}}, date = {2021-04-09}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors}, language = {English}, urldate = {2021-04-14} } Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike
2021-04-07Medium sixdubJustin Warner
@online{warner:20210407:using:a7d19fd, author = {Justin Warner}, title = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}}, date = {2021-04-07}, organization = {Medium sixdub}, url = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e}, language = {English}, urldate = {2021-04-09} } Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike
2021-04-05Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20210405:trickbot:a6b0592, author = {Jason Reaves and Joshua Platt}, title = {{TrickBot Crews New CobaltStrike Loader}}, date = {2021-04-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c}, language = {English}, urldate = {2021-04-06} } TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot
2021-04-01DomainToolsJoe Slowik
@online{slowik:20210401:covid19:6a96e45, author = {Joe Slowik}, title = {{COVID-19 Phishing With a Side of Cobalt Strike}}, date = {2021-04-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#}, language = {English}, urldate = {2021-04-06} } COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike
2021-04-01Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210401:hancitors:8876ca1, author = {Brad Duncan}, title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/}, language = {English}, urldate = {2021-04-06} } Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-30GuidePoint SecurityDrew Schmitt
@online{schmitt:20210330:yet:9855592, author = {Drew Schmitt}, title = {{Yet Another Cobalt Strike Stager: GUID Edition}}, date = {2021-03-30}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/}, language = {English}, urldate = {2021-04-06} } Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike
2021-03-29The DFIR ReportThe DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-21YouTube (dist67)Didier Stevens
@online{stevens:20210321:finding:92a9a4d, author = {Didier Stevens}, title = {{Finding Metasploit & Cobalt Strike URLs}}, date = {2021-03-21}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=WW0_TgWT2gs}, language = {English}, urldate = {2021-03-25} } Finding Metasploit & Cobalt Strike URLs
Cobalt Strike
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-16McAfeeMcAfee ATR
@techreport{atr:20210316:technical:8c4909a, author = {McAfee ATR}, title = {{Technical Analysis of Operation Diànxùn}}, date = {2021-03-16}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf}, language = {English}, urldate = {2021-03-22} } Technical Analysis of Operation Diànxùn
Cobalt Strike
2021-03-16ElasticJoe Desimone
@online{desimone:20210316:detecting:4091130, author = {Joe Desimone}, title = {{Detecting Cobalt Strike with memory signatures}}, date = {2021-03-16}, organization = {Elastic}, url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures}, language = {English}, urldate = {2021-03-22} } Detecting Cobalt Strike with memory signatures
Cobalt Strike
2021-03-11Cyborg SecurityJosh Campbell
@online{campbell:20210311:you:7bd2342, author = {Josh Campbell}, title = {{You Don't Know the HAFNIUM of it...}}, date = {2021-03-11}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/}, language = {English}, urldate = {2021-03-16} } You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat
2021-03-10ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
@online{schwarz:20210310:nimzaloader:f6960d4, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{NimzaLoader: TA800’s New Initial Access Malware}}, date = {2021-03-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware}, language = {English}, urldate = {2021-03-12} } NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike
2021-03-09splunkSecurity Research Team
@online{team:20210309:cloud:4deeb78, author = {Security Research Team}, title = {{Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021}}, date = {2021-03-09}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html}, language = {English}, urldate = {2021-03-11} } Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike
2021-03-08The DFIR ReportThe DFIR Report
@online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-08Youtube (SANS Digital Forensics and Incident Response)Katie Nickels, Adam Pennington, Jen Burns
@online{nickels:20210308:star:083eb29, author = {Katie Nickels and Adam Pennington and Jen Burns}, title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}}, date = {2021-03-08}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU}, language = {English}, urldate = {2021-03-11} } STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP
2021-03-07InfoSec Handlers Diary BlogDidier Stevens
@online{stevens:20210307:pcaps:980212d, author = {Didier Stevens}, title = {{PCAPs and Beacons}}, date = {2021-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27176}, language = {English}, urldate = {2021-03-11} } PCAPs and Beacons
Cobalt Strike
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:investigation:a7851d5, author = {Joshua Platt and Jason Reaves}, title = {{Investigation into the state of Nim malware}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811}, language = {English}, urldate = {2021-03-04} } Investigation into the state of Nim malware
BazarNimrod Cobalt Strike
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-03-02} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
RansomEXX Griffon Carbanak Cobalt Strike IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-24VMWare Carbon BlackTakahiro Haruyama
@techreport{haruyama:20210224:knock:f4903a2, author = {Takahiro Haruyama}, title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}}, date = {2021-02-24}, institution = {VMWare Carbon Black}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf}, language = {Japanese}, urldate = {2021-02-26} } Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike
2021-02-24Github (AmnestyTech)Amnesty International
@online{international:20210224:overview:95b80e0, author = {Amnesty International}, title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}}, date = {2021-02-24}, organization = {Github (AmnestyTech)}, url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam}, language = {English}, urldate = {2021-02-25} } Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-11Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210211:hancitor:9fa527e, author = {The DFIR Report}, title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}}, date = {2021-02-11}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1359669513520873473}, language = {English}, urldate = {2021-02-18} } Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor
2021-02-09Cobalt StrikeRaphael Mudge
@online{mudge:20210209:learn:c08b657, author = {Raphael Mudge}, title = {{Learn Pipe Fitting for all of your Offense Projects}}, date = {2021-02-09}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/}, language = {English}, urldate = {2021-02-10} } Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike
2021-02-09SecurehatSecurehat
@online{securehat:20210209:extracting:0f4ae2f, author = {Securehat}, title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}}, date = {2021-02-09}, organization = {Securehat}, url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader}, language = {English}, urldate = {2021-02-10} } Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2021-02-02Committee to Protect JournalistsMadeline Earp
@online{earp:20210202:how:923f969, author = {Madeline Earp}, title = {{How Vietnam-based hacking operation OceanLotus targets journalists}}, date = {2021-02-02}, organization = {Committee to Protect Journalists}, url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists}, language = {English}, urldate = {2021-02-04} } How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210202:recent:5272ed0, author = {The DFIR Report}, title = {{Tweet on recent dridex post infection activity}}, date = {2021-02-02}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1356729371931860992}, language = {English}, urldate = {2021-02-04} } Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-01AhnLabASEC Analysis Team
@online{team:20210201:bluecrab:df21c0a, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}}, date = {2021-02-01}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19860/}, language = {English}, urldate = {2021-02-06} } BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil
2021-02-01pkb1s.github.ioPetros Koutroumpis
@online{koutroumpis:20210201:relay:596413f, author = {Petros Koutroumpis}, title = {{Relay Attacks via Cobalt Strike Beacons}}, date = {2021-02-01}, organization = {pkb1s.github.io}, url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/}, language = {English}, urldate = {2021-02-04} } Relay Attacks via Cobalt Strike Beacons
Cobalt Strike
2021-01-31The DFIR ReportThe DFIR Report
@online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-28TrustedSecAdam Chester
@online{chester:20210128:tailoring:d3f973c, author = {Adam Chester}, title = {{Tailoring Cobalt Strike on Target}}, date = {2021-01-28}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/}, language = {English}, urldate = {2021-01-29} } Tailoring Cobalt Strike on Target
Cobalt Strike
2021-01-28AhnLabASEC Analysis Team
@online{team:20210128:bluecrab:44d2e64, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware constantly trying to bypass detection}}, date = {2021-01-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19640/}, language = {Korean}, urldate = {2021-02-04} } BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil
2021-01-26Twitter (@swisscom_csirt)Swisscom CSIRT
@online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring Ransomware MimiKatz
2021-01-20MicrosoftMicrosoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
@online{team:20210120:deep:1cc0551, author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)}, title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}}, date = {2021-01-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/}, language = {English}, urldate = {2021-01-21} } Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP
2021-01-18SymantecThreat Hunter Team
@online{team:20210118:raindrop:9ab1262, author = {Threat Hunter Team}, title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}}, date = {2021-01-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware}, language = {English}, urldate = {2021-01-21} } Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti Ransomware
2021-01-15Medium DansecDan Lussier
@online{lussier:20210115:detecting:fecd6c3, author = {Dan Lussier}, title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}}, date = {2021-01-15}, organization = {Medium Dansec}, url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64}, language = {English}, urldate = {2021-01-21} } Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-12Fox-ITWouter Jansen
@online{jansen:20210112:abusing:c38eeb6, author = {Wouter Jansen}, title = {{Abusing cloud services to fly under the radar}}, date = {2021-01-12}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/}, language = {English}, urldate = {2021-01-18} } Abusing cloud services to fly under the radar
Cobalt Strike
2021-01-12BrightTALK (FireEye)Ben Read, John Hultquist
@online{read:20210112:unc2452:6e54c6c, author = {Ben Read and John Hultquist}, title = {{UNC2452: What We Know So Far}}, date = {2021-01-12}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/462719}, language = {English}, urldate = {2021-01-18} } UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP
2021-01-11SolarWindsSudhakar Ramakrishna
@online{ramakrishna:20210111:new:296b621, author = {Sudhakar Ramakrishna}, title = {{New Findings From Our Investigation of SUNBURST}}, date = {2021-01-11}, organization = {SolarWinds}, url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/}, language = {English}, urldate = {2021-01-18} } New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP
2021-01-11The DFIR ReportThe DFIR Report
@online{report:20210111:trickbot:d1011f9, author = {The DFIR Report}, title = {{Trickbot Still Alive and Well}}, date = {2021-01-11}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/}, language = {English}, urldate = {2021-01-11} } Trickbot Still Alive and Well
Cobalt Strike TrickBot
2021-01-10Medium walmartglobaltechJason Reaves
@online{reaves:20210110:man1:54a4162, author = {Jason Reaves}, title = {{MAN1, Moskal, Hancitor and a side of Ransomware}}, date = {2021-01-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618}, language = {English}, urldate = {2021-01-11} } MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware
2021-01-09Connor McGarr's BlogConnor McGarr
@online{mcgarr:20210109:malware:dde1353, author = {Connor McGarr}, title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}}, date = {2021-01-09}, organization = {Connor McGarr's Blog}, url = {https://connormcgarr.github.io/thread-hijacking/}, language = {English}, urldate = {2021-01-11} } Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-05Trend MicroTrend Micro Research
@online{research:20210105:earth:d7bb547, author = {Trend Micro Research}, title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}}, date = {2021-01-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html}, language = {English}, urldate = {2021-01-10} } Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike
2021-01-04Medium haggis-mMichael Haag
@online{haag:20210104:malleable:ab64356, author = {Michael Haag}, title = {{Malleable C2 Profiles and You}}, date = {2021-01-04}, organization = {Medium haggis-m}, url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929}, language = {English}, urldate = {2021-01-05} } Malleable C2 Profiles and You
Cobalt Strike
2020-12-26Medium grimminckStefan Grimminck
@online{grimminck:20201226:spoofing:a0a5622, author = {Stefan Grimminck}, title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}}, date = {2020-12-26}, organization = {Medium grimminck}, url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b}, language = {English}, urldate = {2021-01-01} } Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike
2020-12-22TRUESECMattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28, author = {Mattias Wåhlén}, title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}}, date = {2020-12-22}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/}, language = {English}, urldate = {2021-01-01} } Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-12-21FortinetUdi Yavo
@online{yavo:20201221:what:716b31d, author = {Udi Yavo}, title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}}, date = {2020-12-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack}, language = {English}, urldate = {2021-01-18} } What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP
2020-12-20RandhomeEtienne Maynier
@online{maynier:20201220:analyzing:3e15960, author = {Etienne Maynier}, title = {{Analyzing Cobalt Strike for Fun and Profit}}, date = {2020-12-20}, organization = {Randhome}, url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/}, language = {English}, urldate = {2020-12-23} } Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike
2020-12-15Github (sophos-cybersecurity)Sophos Cyber Security Team
@online{team:20201215:solarwindsthreathunt:4357421, author = {Sophos Cyber Security Team}, title = {{solarwinds-threathunt}}, date = {2020-12-15}, organization = {Github (sophos-cybersecurity)}, url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt}, language = {English}, urldate = {2020-12-15} } solarwinds-threathunt
Cobalt Strike SUNBURST
2020-12-15PICUS SecuritySüleyman Özarslan
@online{zarslan:20201215:tactics:bba1b4f, author = {Süleyman Özarslan}, title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}}, date = {2020-12-15}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach}, language = {English}, urldate = {2020-12-17} } Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST
2020-12-14Palo Alto Networks Unit 42Unit 42
@online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST
2020-12-11BlackberryBlackBerry Research and Intelligence team
@online{team:20201211:mountlocker:9c495cb, author = {BlackBerry Research and Intelligence team}, title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}}, date = {2020-12-11}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates}, language = {English}, urldate = {2020-12-14} } MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10Palo Alto Networks Unit 42Unit42
@online{unit42:20201210:threat:6ac31af, author = {Unit42}, title = {{Threat Brief: FireEye Red Team Tool Breach}}, date = {2020-12-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/}, language = {English}, urldate = {2020-12-15} } Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-08Cobalt StrikeRaphael Mudge
@online{mudge:20201208:red:8ccdfcf, author = {Raphael Mudge}, title = {{A Red Teamer Plays with JARM}}, date = {2020-12-08}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/}, language = {English}, urldate = {2021-01-11} } A Red Teamer Plays with JARM
Cobalt Strike
2020-12-02Red Canarytwitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01360.cnjindanlong
@online{jindanlong:20201201:hunting:b9e2674, author = {jindanlong}, title = {{Hunting Beacons}}, date = {2020-12-01}, organization = {360.cn}, url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950}, language = {English}, urldate = {2021-01-10} } Hunting Beacons
Cobalt Strike
2020-12-01mez0.ccmez0
@online{mez0:20201201:cobalt:38336ed, author = {mez0}, title = {{Cobalt Strike PowerShell Execution}}, date = {2020-12-01}, organization = {mez0.cc}, url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/}, language = {English}, urldate = {2020-12-14} } Cobalt Strike PowerShell Execution
Cobalt Strike
2020-11-30MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201130:threat:2633df5, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}}, date = {2020-11-30}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/}, language = {English}, urldate = {2020-12-01} } Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27MacnicaHiroshi Takeuchi
@online{takeuchi:20201127:analyzing:4089f84, author = {Hiroshi Takeuchi}, title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}}, date = {2020-11-27}, organization = {Macnica}, url = {https://blog.macnica.net/blog/2020/11/dtrack.html}, language = {Japanese}, urldate = {2020-12-08} } Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-25SentinelOneJim Walter
@online{walter:20201125:egregor:5727f7a, author = {Jim Walter}, title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}}, date = {2020-11-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/}, language = {English}, urldate = {2020-12-08} } Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor
2020-11-20360 netlabJiaYu
@online{jiayu:20201120:blackrota:ee43da1, author = {JiaYu}, title = {{Blackrota, a highly obfuscated backdoor developed by Go}}, date = {2020-11-20}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/}, language = {Chinese}, urldate = {2020-11-23} } Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20F-Secure LabsRiccardo Ancarani
@online{ancarani:20201120:detecting:79afa40, author = {Riccardo Ancarani}, title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}}, date = {2020-11-20}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis}, language = {English}, urldate = {2020-11-23} } Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-11-17Salesforce EngineeringJohn Althouse
@online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot
2020-11-09Bleeping ComputerIonut Ilascu
@online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-11-06VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32
2020-11-06Cobalt StrikeRaphael Mudge
@online{mudge:20201106:cobalt:05fe8fc, author = {Raphael Mudge}, title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}}, date = {2020-11-06}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/}, language = {English}, urldate = {2020-11-09} } Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06Advanced IntelligenceVitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05Twitter (@ffforward)TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85, author = {TheAnalyst}, title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}}, date = {2020-11-05}, organization = {Twitter (@ffforward)}, url = {https://twitter.com/ffforward/status/1324281530026524672}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-11-05The DFIR ReportThe DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-11-03InfoSec Handlers Diary BlogRenato Marinho
@online{marinho:20201103:attackers:9b3762b, author = {Renato Marinho}, title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}}, date = {2020-11-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26752}, language = {English}, urldate = {2020-11-06} } Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-29Github (Swisscom)Swisscom CSIRT
@online{csirt:20201029:list:5fb0206, author = {Swisscom CSIRT}, title = {{List of CobaltStrike C2's used by RYUK}}, date = {2020-10-29}, organization = {Github (Swisscom)}, url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt}, language = {English}, urldate = {2020-11-02} } List of CobaltStrike C2's used by RYUK
Cobalt Strike
2020-10-29RiskIQRiskIQ
@online{riskiq:20201029:ryuk:0643968, author = {RiskIQ}, title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}}, date = {2020-10-29}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0bcefe76}, language = {English}, urldate = {2020-11-02} } Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk
2020-10-29Red CanaryThe Red Canary Team
@online{team:20201029:bazar:1846b93, author = {The Red Canary Team}, title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}}, date = {2020-10-29}, organization = {Red Canary}, url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/}, language = {English}, urldate = {2020-11-02} } A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-28FireEyeKimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-27Sophos Managed Threat Response (MTR)Greg Iddon
@online{iddon:20201027:mtr:3b62ca9, author = {Greg Iddon}, title = {{MTR Casebook: An active adversary caught in the act}}, date = {2020-10-27}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/}, language = {English}, urldate = {2020-11-02} } MTR Casebook: An active adversary caught in the act
Cobalt Strike
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-14RiskIQSteve Ginty, Jon Gross
@online{ginty:20201014:wellmarked:9176303, author = {Steve Ginty and Jon Gross}, title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}}, date = {2020-10-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f0320980}, language = {English}, urldate = {2020-10-23} } A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-08Bayerischer RundfunkHakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
@online{tanriverdi:20201008:there:620f4e7, author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen}, title = {{There is no safe place}}, date = {2020-10-08}, organization = {Bayerischer Rundfunk}, url = {https://web.br.de/interaktiv/ocean-lotus/en/}, language = {English}, urldate = {2020-10-12} } There is no safe place
Cobalt Strike
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-10-01US-CERTUS-CERT
@online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-29Github (Apr4h)Apra
@online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } CobaltStrikeScan
Cobalt Strike
2020-09-29CrowdStrikeKareem Hamdan, Lucas Miller
@online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } Getting the Bacon from the Beacon
Cobalt Strike
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2020-09-21Cisco TalosNick Mavis, Joe Marshall, JON MUNSHAW
@techreport{mavis:20200921:art:d9702a4, author = {Nick Mavis and Joe Marshall and JON MUNSHAW}, title = {{The art and science of detecting Cobalt Strike}}, date = {2020-09-21}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf}, language = {English}, urldate = {2020-09-23} } The art and science of detecting Cobalt Strike
Cobalt Strike
2020-09-18Trend MicroTrend Micro
@online{micro:20200918:us:7900e6a, author = {Trend Micro}, title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}}, date = {2020-09-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html}, language = {English}, urldate = {2020-09-23} } U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock
2020-09-03Viettel Cybersecurityvuonglvm
@online{vuonglvm:20200903:apt32:02bd8fc, author = {vuonglvm}, title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}}, date = {2020-09-03}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/}, language = {Vietnamese}, urldate = {2020-09-09} } APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-20Seebug PaperMalayke
@online{malayke:20200820:use:77d3957, author = {Malayke}, title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}}, date = {2020-08-20}, organization = {Seebug Paper}, url = {https://paper.seebug.org/1301/}, language = {Chinese}, urldate = {2020-08-24} } Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2
2020-08-19TEAMT5TeamT5
@online{teamt5:20200819:0819:e955419, author = {TeamT5}, title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}}, date = {2020-08-19}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/}, language = {Chinese}, urldate = {2020-08-25} } 調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike
2020-08-14Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200814:zloader:cbd9ad5, author = {Vitali Kremez}, title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}}, date = {2020-08-14}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1294320579311435776}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader
2020-08-06WiredAndy Greenberg
@online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-26Shells.System blogAskar
@online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike
2020-07-22On the HuntNewton Paul
@online{paul:20200722:analysing:2de83d7, author = {Newton Paul}, title = {{Analysing Fileless Malware: Cobalt Strike Beacon}}, date = {2020-07-22}, organization = {On the Hunt}, url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/}, language = {English}, urldate = {2020-07-24} } Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike
2020-07-21MalwarebytesHossein Jazi, Jérôme Segura
@online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot
2020-07-07MWLabLadislav Bačo
@online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } Cobalt Strike stagers used by FIN6
Cobalt Strike
2020-06-23NCC GroupNikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020-06-23SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200623:sodinokibi:7eff193, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}}, date = {2020-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos}, language = {English}, urldate = {2020-06-23} } Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil
2020-06-22Talos IntelligenceAsheer Malhotra
@online{malhotra:20200622:indigodrop:6d5e7e1, author = {Asheer Malhotra}, title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}}, date = {2020-06-22}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html}, language = {English}, urldate = {2020-06-24} } IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop
2020-06-22Sentinel LABSJoshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-19ZscalerAtinderpal Singh, Nirmal Singh, Sahil Antil
@online{singh:20200619:targeted:05d8d31, author = {Atinderpal Singh and Nirmal Singh and Sahil Antil}, title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}}, date = {2020-06-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims}, language = {English}, urldate = {2020-06-21} } Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike
2020-06-19Youtube (Raphael Mudge)Raphael Mudge
@online{mudge:20200619:beacon:bc8ae77, author = {Raphael Mudge}, title = {{Beacon Object Files - Luser Demo}}, date = {2020-06-19}, organization = {Youtube (Raphael Mudge)}, url = {https://www.youtube.com/watch?v=gfYswA_Ronw}, language = {English}, urldate = {2020-06-23} } Beacon Object Files - Luser Demo
Cobalt Strike
2020-06-18Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020-06-17MalwarebytesHossein Jazi, Jérôme Segura
@online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike
2020-06-15NCC GroupExploit Development Group
@online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike
2020-06-09Github (Sentinel-One)Gal Kristal
@online{kristal:20200609:cobaltstrikeparser:a023ac8, author = {Gal Kristal}, title = {{CobaltStrikeParser}}, date = {2020-06-09}, organization = {Github (Sentinel-One)}, url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py}, language = {English}, urldate = {2020-09-15} } CobaltStrikeParser
Cobalt Strike
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-11SentinelOneGal Kristal
@online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike
2020-04-24The DFIR ReportThe DFIR Report
@online{report:20200424:ursnif:e983798, author = {The DFIR Report}, title = {{Ursnif via LOLbins}}, date = {2020-04-24}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/}, language = {English}, urldate = {2021-03-16} } Ursnif via LOLbins
Cobalt Strike LOLSnif TeamSpy
2020-04-16Medium CyCraftCyCraft Technology Corp
@online{corp:20200416:taiwan:3029f53, author = {CyCraft Technology Corp}, title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}}, date = {2020-04-16}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730}, language = {English}, urldate = {2020-11-04} } Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Operation Skeleton Key
2020-04-02DarktraceMax Heinemeyer
@online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike
2020-03-26VMWare Carbon BlackScott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-03-25FireEyeChristopher Glyer, Dan Perez, Sarah Jones, Steve Miller
@online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike
2020-03-25Wilbur SecurityJW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-22Malware and StuffAndreas Klopsch
@online{klopsch:20200322:mustang:56f3768, author = {Andreas Klopsch}, title = {{Mustang Panda joins the COVID-19 bandwagon}}, date = {2020-03-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/}, language = {English}, urldate = {2020-03-27} } Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike
2020-03-20RECON INFOSECLuke Rusten
@online{rusten:20200320:analysis:f82a963, author = {Luke Rusten}, title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}}, date = {2020-03-20}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/}, language = {English}, urldate = {2020-06-22} } Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)
Cobalt Strike
2020-03-04Cobalt StrikeRaphael Mudge
@online{mudge:20200304:cobalt:176b61e, author = {Raphael Mudge}, title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}}, date = {2020-03-04}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/}, language = {English}, urldate = {2020-03-04} } Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-19FireEyeFireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-18Cisco TalosVanja Svajcer
@online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda
2020SecureworksSecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda
2020SecureworksSecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020SecureworksSecureWorks
@online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} } GOLD DUPONT
Cobalt Strike Defray PyXie
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-05Github (blackorbird)blackorbird
@techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } APT32 Report
Cobalt Strike
2019-12-05Raphael Mudge
@online{mudge:20191205:cobalt:219044e, author = {Raphael Mudge}, title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}}, date = {2019-12-05}, url = {https://blog.cobaltstrike.com/}, language = {English}, urldate = {2019-12-06} } Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike
2019-11-29DeloitteThomas Thomasen
@techreport{thomasen:20191129:cyber:1aae987, author = {Thomas Thomasen}, title = {{Cyber Threat Intelligence & Incident Response}}, date = {2019-11-29}, institution = {Deloitte}, url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf}, language = {English}, urldate = {2020-03-04} } Cyber Threat Intelligence & Incident Response
Cobalt Strike
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-05tccontre Blogtccontre
@online{tccontre:20191105:cobaltstrike:02e37af, author = {tccontre}, title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}}, date = {2019-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html}, language = {English}, urldate = {2019-12-17} } CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike
2019-09-22Check Point ResearchCheck Point Research
@online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-06-04BitdefenderBitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike
2019-05-09CyberScoopSean Lyngaas
@online{lyngaas:20190509:chinese:90e8320, author = {Sean Lyngaas}, title = {{Chinese national indicted for 2015 Anthem breach}}, date = {2019-05-09}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/}, language = {English}, urldate = {2020-01-13} } Chinese national indicted for 2015 Anthem breach
Shell Crew
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-04-24WeixinTencent
@online{tencent:20190424:sea:a722d68, author = {Tencent}, title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}}, date = {2019-04-24}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A}, language = {English}, urldate = {2020-01-13} } "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE
2019-04-15PenTestPartnersNeil Lines
@online{lines:20190415:cobalt:7b3c086, author = {Neil Lines}, title = {{Cobalt Strike. Walkthrough for Red Teamers}}, date = {2019-04-15}, organization = {PenTestPartners}, url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/}, language = {English}, urldate = {2019-12-17} } Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike
2019-04Macnica NetworksMacnica Networks
@techreport{networks:201904:oceanlotus:8ceeac3, author = {Macnica Networks}, title = {{OceanLotus Attack on Southeast Asian Automotive Industry}}, date = {2019-04}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpression_automobile.pdf}, language = {Japanese}, urldate = {2021-03-02} } OceanLotus Attack on Southeast Asian Automotive Industry
CACTUSTORCH Cobalt Strike
2019-04-01Macnica NetworksMacnica Networks
@techreport{networks:20190401:trends:cf738dc, author = {Macnica Networks}, title = {{Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018}}, date = {2019-04-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2019-03-24One Night in NorfolkKevin Perlow
@online{perlow:20190324:jeshell:439ae8b, author = {Kevin Perlow}, title = {{JEShell: An OceanLotus (APT32) Backdoor}}, date = {2019-03-24}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/}, language = {English}, urldate = {2020-05-19} } JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown
2019-02-27MorphisecMichael Gorelik, Alon Groisman
@online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike
2019-02-26Fox-ITFox IT
@online{it:20190226:identifying:689104d, author = {Fox IT}, title = {{Identifying Cobalt Strike team servers in the wild}}, date = {2019-02-26}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/}, language = {English}, urldate = {2020-10-25} } Identifying Cobalt Strike team servers in the wild
Cobalt Strike
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:deep:a149fef, author = {Cyber Operations Tracker}, title = {{Deep Panda}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/deep-panda}, language = {English}, urldate = {2019-12-20} } Deep Panda
Shell Crew
2019MITREMITRE ATT&CK
@online{attck:2019:deep:7220dc2, author = {MITRE ATT&CK}, title = {{Group description: Deep Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0009/}, language = {English}, urldate = {2019-12-20} } Group description: Deep Panda
Shell Crew
2018-11-19FireEyeMatthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike
2018-11-18Stranded on Pylos BlogJoe
@online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } CozyBear – In from the Cold?
Cobalt Strike APT 29
2018-10-30GizmodoDell Cameron
@online{cameron:20181030:us:45da6b7, author = {Dell Cameron}, title = {{U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets}}, date = {2018-10-30}, organization = {Gizmodo}, url = {https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695}, language = {English}, urldate = {2019-11-27} } U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets
Shell Crew
2018-10Group-IBGroup-IB
@techreport{groupib:201810:hitech:420711f, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2018}}, date = {2018-10}, institution = {Group-IB}, url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf}, language = {English}, urldate = {2021-02-09} } Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter
2018-10-01FireEyeRegina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-08-03JPCERT/CCTakuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike
2018-07-31Github (JPCERTCC)JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } Scanner for CobaltStrike
Cobalt Strike
2018-05-21LACYoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike
2017-08-26Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20170826:us:0d7249a, author = {Catalin Cimpanu}, title = {{US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks}}, date = {2017-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/}, language = {English}, urldate = {2019-12-20} } US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks
Shell Crew
2017-06-06FireEyeIan Ahl
@online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike
2017-02-09CylanceThe Cylance Threat Research Team
@online{team:20170209:shell:16b5133, author = {The Cylance Threat Research Team}, title = {{Shell Crew Variants Continue to Fly Under Big AV’s Radar}}, date = {2017-02-09}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html}, language = {English}, urldate = {2019-10-14} } Shell Crew Variants Continue to Fly Under Big AV’s Radar
Shell Crew
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff Anunak
2015-08-06SymantecJon DiMaggio
@techreport{dimaggio:20150806:black:b0fbb35, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf}, language = {English}, urldate = {2020-04-21} } The Black Vine cyberespionage group
Sakula RAT Shell Crew
2015-08-06SymantecJon DiMaggio
@techreport{dimaggio:20150806:black:af5cf27, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-10} } The Black Vine cyberespionage group
Shell Crew
2015-06-15KrebsOnSecurityBrian Krebs
@online{krebs:20150615:catching:d4edaea, author = {Brian Krebs}, title = {{Catching Up on the OPM Breach}}, date = {2015-06-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/}, language = {English}, urldate = {2020-01-09} } Catching Up on the OPM Breach
Shell Crew
2015-05-15Brian Krebs
@online{krebs:20150515:carefirst:2847408, author = {Brian Krebs}, title = {{Carefirst Blue Cross Breach Hits 1.1M}}, date = {2015-05-15}, url = {https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/}, language = {English}, urldate = {2020-01-05} } Carefirst Blue Cross Breach Hits 1.1M
Shell Crew
2015-05-10NextGovAliya Sternstein
@online{sternstein:20150510:thirdparty:c631abb, author = {Aliya Sternstein}, title = {{Third-Party Software Was Entry Point for Background-Check System Hack}}, date = {2015-05-10}, organization = {NextGov}, url = {https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/}, language = {English}, urldate = {2020-01-08} } Third-Party Software Was Entry Point for Background-Check System Hack
Shell Crew
2015-03-18Seattle TimesMike Baker
@online{baker:20150318:feds:e9fe961, author = {Mike Baker}, title = {{Feds warned Premera about security flaws before breach}}, date = {2015-03-18}, organization = {Seattle Times}, url = {https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/}, language = {English}, urldate = {2020-01-10} } Feds warned Premera about security flaws before breach
Shell Crew
2015-02-09KrebsOnSecurityBrian Krebs
@online{krebs:20150209:anthem:1631cd7, author = {Brian Krebs}, title = {{Anthem Breach May Have Started in April 2014}}, date = {2015-02-09}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/}, language = {English}, urldate = {2019-11-29} } Anthem Breach May Have Started in April 2014
Shell Crew
2014-12-18The Washington PostChristian Davenport
@online{davenport:20141218:keypoint:4c1fd04, author = {Christian Davenport}, title = {{KeyPoint network breach could affect thousands of federal workers}}, date = {2014-12-18}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html}, language = {English}, urldate = {2020-01-13} } KeyPoint network breach could affect thousands of federal workers
Shell Crew
2014-11-24CrowdStrikeMatt Dahl
@online{dahl:20141124:i:38a6ade, author = {Matt Dahl}, title = {{I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors}}, date = {2014-11-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors
Shell Crew
2014-11-13ABC NewsDylan Welch
@online{welch:20141113:chinese:96bcb7c, author = {Dylan Welch}, title = {{Chinese hackers 'breach Australian media organisations' ahead of G20}}, date = {2014-11-13}, organization = {ABC News}, url = {https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442}, language = {English}, urldate = {2020-01-08} } Chinese hackers 'breach Australian media organisations' ahead of G20
Shell Crew
2014-07-07CrowdStrikeDmitri Alperovitch
@online{alperovitch:20140707:deep:63e59f7, author = {Dmitri Alperovitch}, title = {{Deep in Thought: Chinese Targeting of National Security Think Tanks}}, date = {2014-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/}, language = {English}, urldate = {2019-12-20} } Deep in Thought: Chinese Targeting of National Security Think Tanks
Shell Crew
2014-02-24RSA ConferenceDmitri Alperovitch
@techreport{alperovitch:20140224:art:df5650c, author = {Dmitri Alperovitch}, title = {{The Art of Attribution Identifying and Pursuing your Cyber Adversaries}}, date = {2014-02-24}, institution = {RSA Conference}, url = {https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf}, language = {English}, urldate = {2020-04-06} } The Art of Attribution Identifying and Pursuing your Cyber Adversaries
Andromeda Spider Dextorous Spider Shell Crew Silent Chollima Singing Spider Tonto Team Toxic Panda Union Spider
2013-06CrowdStrikeCrowdstrike Global intelliGenCe team
@techreport{team:201306:deep:fa9b41d, author = {Crowdstrike Global intelliGenCe team}, title = {{DEEP PANDA}}, date = {2013-06}, institution = {CrowdStrike}, url = {http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf}, language = {English}, urldate = {2019-12-17} } DEEP PANDA
Shell Crew
2013-05-03CrowdStrikeMatt Dahl
@online{dahl:20130503:department:8be1534, author = {Matt Dahl}, title = {{Department of Labor Strategic Web Compromise}}, date = {2013-05-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/}, language = {English}, urldate = {2019-12-20} } Department of Labor Strategic Web Compromise
Shell Crew
2013-01-02Eric Romang
@online{romang:20130102:capstone:468051d, author = {Eric Romang}, title = {{Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack And More}}, date = {2013-01-02}, url = {https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/}, language = {English}, urldate = {2020-01-08} } Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack And More
Shell Crew
2012-12-29Eric Romang BlogEric Romang
@online{romang:20121229:attack:2826780, author = {Eric Romang}, title = {{Attack and IE 0day Informations Used Against Council on Foreign Relations}}, date = {2012-12-29}, organization = {Eric Romang Blog}, url = {https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/}, language = {English}, urldate = {2020-01-08} } Attack and IE 0day Informations Used Against Council on Foreign Relations
Shell Crew
2012Cobalt StrikeCobalt Strike
@online{strike:2012:cobalt:8522cdd, author = {Cobalt Strike}, title = {{Cobalt Strike Website}}, date = {2012}, organization = {Cobalt Strike}, url = {https://www.cobaltstrike.com/support}, language = {English}, urldate = {2020-01-13} } Cobalt Strike Website
Cobalt Strike

Credits: MISP Project