SYMBOLCOMMON_NAMEaka. SYNONYMS

Stone Panda  (Back to overview)

aka: APT10, APT 10, MenuPass, Menupass Team, menuPass, menuPass Team, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, Cloud Hopper, BRONZE RIVERSIDE


Associated Families
win.anel win.chches win.derusbi win.dilljuice win.emdivi win.evilgrab win.flowcloud win.koadic win.poison_ivy win.poldat win.redleaves win.sodamaster win.trochilus_rat win.plugx win.ghost_rat win.quasar_rat

References
2022-01-08Bleeping ComputerLawrence Abrams
@online{abrams:20220108:trojanized:00522d1, author = {Lawrence Abrams}, title = {{Trojanized dnSpy app drops malware cocktail on researchers, devs}}, date = {2022-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/}, language = {English}, urldate = {2022-01-18} } Trojanized dnSpy app drops malware cocktail on researchers, devs
Quasar RAT
2021-12-14Trend MicroNick Dai, Ted Lee, Vickie Su
@online{dai:20211214:collecting:3d6dd34, author = {Nick Dai and Ted Lee and Vickie Su}, title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}}, date = {2021-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html}, language = {English}, urldate = {2021-12-31} } Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-10-19Cisco TalosAsheer Malhotra
@online{malhotra:20211019:malicious:6889662, author = {Asheer Malhotra}, title = {{Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India}}, date = {2021-10-19}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html}, language = {English}, urldate = {2021-11-02} } Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
DCRat Quasar RAT
2021-10-18NortonLifeLockNorton Labs
@techreport{labs:20211018:operation:9612cbf, author = {Norton Labs}, title = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}}, date = {2021-10-18}, institution = {NortonLifeLock}, url = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf}, language = {English}, urldate = {2021-12-15} } Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax
2021-10-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211005:drawing:e53477d, author = {The BlackBerry Research & Intelligence Team}, title = {{Drawing a Dragon: Connecting the Dots to Find APT41}}, date = {2021-10-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41}, language = {English}, urldate = {2021-10-11} } Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT
2021-10-04JPCERT/CCShusei Tomonaga
@online{tomonaga:20211004:malware:5ba808a, author = {Shusei Tomonaga}, title = {{Malware Gh0stTimes Used by BlackTech}}, date = {2021-10-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html}, language = {English}, urldate = {2021-10-11} } Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT
2021-09-28Recorded FutureInsikt Group®
@online{group:20210928:4:069b441, author = {Insikt Group®}, title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}}, date = {2021-09-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/}, language = {English}, urldate = {2021-10-11} } 4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti
2021-09-20Trend MicroAliakbar Zahravi, William Gamazo Sanchez
@online{zahravi:20210920:water:63df486, author = {Aliakbar Zahravi and William Gamazo Sanchez}, title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}}, date = {2021-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html}, language = {English}, urldate = {2021-09-22} } Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-14McAfeeChristiaan Beek
@online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-09-10The RecordCatalin Cimpanu
@online{cimpanu:20210910:indonesian:fc06998, author = {Catalin Cimpanu}, title = {{Indonesian intelligence agency compromised in suspected Chinese hack}}, date = {2021-09-10}, organization = {The Record}, url = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/}, language = {English}, urldate = {2021-09-12} } Indonesian intelligence agency compromised in suspected Chinese hack
PlugX
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=6SDdUVejR2w}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-07-27Palo Alto Networks Unit 42Mike Harbison, Alex Hinchliffe
@online{harbison:20210727:thor:5d6d793, author = {Mike Harbison and Alex Hinchliffe}, title = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}}, date = {2021-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thor-plugx-variant/}, language = {English}, urldate = {2021-07-29} } THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX
2021-07-21BitdefenderBogdan Botezatu, Victor Vrabie
@online{botezatu:20210721:luminousmoth:7ed907d, author = {Bogdan Botezatu and Victor Vrabie}, title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}}, date = {2021-07-21}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited}, language = {English}, urldate = {2021-07-26} } LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-07Trend MicroJoseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
@online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2021-06-02xorhex blogTwitter (@xorhex)
@online{xorhex:20210602:reddelta:f35268d, author = {Twitter (@xorhex)}, title = {{RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure}}, date = {2021-06-02}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/reddeltaplugxchangeup/}, language = {English}, urldate = {2021-06-09} } RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX
2021-06-02Twitter (@xorhex)Xorhex
@online{xorhex:20210602:new:9e10322, author = {Xorhex}, title = {{Tweet on new variant of PlugX from RedDelta Group}}, date = {2021-06-02}, organization = {Twitter (@xorhex)}, url = {https://twitter.com/xorhex/status/1399906601562165249?s=20}, language = {English}, urldate = {2021-06-09} } Tweet on new variant of PlugX from RedDelta Group
PlugX
2021-05-27MinervaLabsTom Roter
@online{roter:20210527:trapping:76b0b81, author = {Tom Roter}, title = {{Trapping A Fat Quasar RAT}}, date = {2021-05-27}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/trapping-quasar-rat}, language = {English}, urldate = {2021-06-01} } Trapping A Fat Quasar RAT
Quasar RAT
2021-05-27xorhex blogTwitter (@xorhex)
@online{xorhex:20210527:mustang:d3c664b, author = {Twitter (@xorhex)}, title = {{Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config}}, date = {2021-05-27}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/mustangpandaplugx-2/}, language = {English}, urldate = {2021-06-21} } Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX
2021-05-17xorhex blogTwitter (@xorhex)
@online{xorhex:20210517:mustang:c51cc47, author = {Twitter (@xorhex)}, title = {{Mustang Panda PlugX - 45.251.240.55 Pivot}}, date = {2021-05-17}, organization = {xorhex blog}, url = {https://blog.xorhex.com/blog/mustangpandaplugx-1/}, language = {English}, urldate = {2021-06-21} } Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX
2021-05-07TEAMT5Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d, author = {Aragorn Tseng and Charles Li}, title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf}, language = {English}, urldate = {2021-09-12} } Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-05-05ZscalerAniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-28Trend MicroJaromír Hořejší, Joseph C Chen
@online{hoej:20210428:water:f769ce2, author = {Jaromír Hořejší and Joseph C Chen}, title = {{Water Pamola Attacked Online Shops Via Malicious Orders}}, date = {2021-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html}, language = {English}, urldate = {2021-05-04} } Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT
2021-04-27KasperskyGReAT
@online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } APT trends report Q1 2021
PAS Artra Downloader BadNews Bozok DILLJUICE Kazuar Quasar RAT SodaMaster
2021-04-26DragosDragos
@online{dragos:20210426:new:19b4a05, author = {Dragos}, title = {{New ICS Threat Activity Group: TALONITE}}, date = {2021-04-26}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/}, language = {English}, urldate = {2021-05-04} } New ICS Threat Activity Group: TALONITE
FlowCloud Lookback
2021-04-14ZscalerRohit Chaturvedi, Atinderpal Singh, Tarun Dewan
@online{chaturvedi:20210414:look:02bf1e0, author = {Rohit Chaturvedi and Atinderpal Singh and Tarun Dewan}, title = {{A look at HydroJiin campaign}}, date = {2021-04-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign}, language = {English}, urldate = {2021-04-16} } A look at HydroJiin campaign
NetWire RC Quasar RAT
2021-04-02Dr.WebDr.Web
@techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT
2021-03-29The RecordCatalin Cimpanu
@online{cimpanu:20210329:redecho:30b16b4, author = {Catalin Cimpanu}, title = {{RedEcho group parks domains after public exposure}}, date = {2021-03-29}, organization = {The Record}, url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/}, language = {English}, urldate = {2021-03-31} } RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho
2021-03-25Recorded FutureInsikt Group®
@online{group:20210325:suspected:5b0078f, author = {Insikt Group®}, title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}}, date = {2021-03-25}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/}, language = {English}, urldate = {2021-03-30} } Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX
2021-03-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-17Recorded FutureInsikt Group®
@online{group:20210317:chinalinked:65b251b, author = {Insikt Group®}, title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}}, date = {2021-03-17}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/china-linked-ta428-threat-group}, language = {English}, urldate = {2021-03-19} } China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-28Recorded FutureInsikt Group®
@online{group:20210228:chinalinked:ce3b62d, author = {Insikt Group®}, title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/}, language = {English}, urldate = {2021-03-31} } China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho
2021-02-28Recorded FutureInsikt Group®
@techreport{group:20210228:chinalinked:2fb1230, author = {Insikt Group®}, title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf}, language = {English}, urldate = {2021-03-04} } China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2021-02-24MalwarebytesHossein Jazi
@techreport{jazi:20210224:lazyscripter:433f4bc, author = {Hossein Jazi}, title = {{LazyScripter: From Empire to double RAT}}, date = {2021-02-24}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf}, language = {English}, urldate = {2021-02-25} } LazyScripter: From Empire to double RAT
Octopus Koadic
2021-02-24Yusuke Niwa, Motohiko Sato, Hajime Yanagishita, Charles Li, Suguru Ishimaru
@techreport{niwa:20210224:a41apt:d20a784, author = {Yusuke Niwa and Motohiko Sato and Hajime Yanagishita and Charles Li and Suguru Ishimaru}, title = {{A41APT case - Analysis of the Stealth APT Campaign Threatening Japan}}, date = {2021-02-24}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf}, language = {English}, urldate = {2021-02-26} } A41APT case - Analysis of the Stealth APT Campaign Threatening Japan
SodaMaster
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22tccontre Blogtcontre
@online{tcontre:20210222:gh0strat:9f98308, author = {tcontre}, title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}}, date = {2021-02-22}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html}, language = {English}, urldate = {2021-02-25} } Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload
Ghost RAT
2021-02-05MorphisecNadav Lorber
@online{lorber:20210205:cinarat:772720f, author = {Nadav Lorber}, title = {{CinaRAT Resurfaces with New Evasive Tactics and Techniques}}, date = {2021-02-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques}, language = {English}, urldate = {2021-02-09} } CinaRAT Resurfaces with New Evasive Tactics and Techniques
Quasar RAT
2021-02-01ESET ResearchIgnacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy
2021-01-20Trend MicroGilbert Sison, Abraham Camba, Ryan Maglaque
@online{sison:20210120:xdr:8ea19cc, author = {Gilbert Sison and Abraham Camba and Ryan Maglaque}, title = {{XDR investigation uncovers PlugX, unique technique in APT attack}}, date = {2021-01-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html}, language = {English}, urldate = {2021-01-27} } XDR investigation uncovers PlugX, unique technique in APT attack
PlugX
2021-01-15SwisscomMarkus Neis
@techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-14PTSecurityPT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-13AlienVaultTom Hegel
@techreport{hegel:20210113:global:72b7b9d, author = {Tom Hegel}, title = {{A Global Perspective of the SideWinder APT}}, date = {2021-01-13}, institution = {AlienVault}, url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf}, language = {English}, urldate = {2021-01-18} } A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-08Youtube (Virus Bulletin)Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@online{ozawa:20210108:operation:18eec5e, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2021-01-04Bleeping ComputerIonut Ilascu
@online{ilascu:20210104:chinas:9677dc6, author = {Ionut Ilascu}, title = {{China's APT hackers move to ransomware attacks}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/}, language = {English}, urldate = {2021-01-11} } China's APT hackers move to ransomware attacks
Clambling PlugX
2021-01-04nao_sec blognao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-12-28Antiy CERTAntiy CERT
@online{cert:20201228:civerids:b40d172, author = {Antiy CERT}, title = {{"Civerids" organization vs. Middle East area attack activity analysis report}}, date = {2020-12-28}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20201228.html}, language = {Chinese}, urldate = {2021-01-04} } "Civerids" organization vs. Middle East area attack activity analysis report
Quasar RAT
2020-12-26CYBER GEEKS All Things InfosecCyberMasterV
@online{cybermasterv:20201226:analyzing:b94f52e, author = {CyberMasterV}, title = {{Analyzing APT19 malware using a step-by-step method}}, date = {2020-12-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/}, language = {English}, urldate = {2021-01-01} } Analyzing APT19 malware using a step-by-step method
Derusbi
2020-12-24IronNetAdam Hlavek
@online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = {2021-01-01} } China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-12-18SeqritePavankumar Chaudhari
@online{chaudhari:20201218:rat:50074a2, author = {Pavankumar Chaudhari}, title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}}, date = {2020-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/}, language = {English}, urldate = {2020-12-18} } RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT
2020-12-10ESET ResearchMathieu Tartare
@online{tartare:20201210:operation:0eecfc8, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/}, language = {English}, urldate = {2020-12-10} } Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10JPCERT/CCKota Kino
@online{kino:20201210:attack:cd8c552, author = {Kota Kino}, title = {{Attack Activities by Quasar Family}}, date = {2020-12-10}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html}, language = {English}, urldate = {2020-12-10} } Attack Activities by Quasar Family
AsyncRAT Quasar RAT Venom RAT XPCTRA
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09CybereasonCybereason Nocturnus
@online{nocturnus:20201209:new:ef00418, author = {Cybereason Nocturnus}, title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}}, date = {2020-12-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign}, language = {English}, urldate = {2020-12-10} } New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
DropBook MoleNet Quasar RAT SharpStage Spark
2020-12-09Avast DecodedLuigino Camastra, Igor Morgenstern
@online{camastra:20201209:targeting:952844f, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/}, language = {English}, urldate = {2021-01-27} } APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger
2020-12-09CybereasonCybereason Nocturnus Team
@techreport{team:20201209:molerats:a13c569, author = {Cybereason Nocturnus Team}, title = {{MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign}}, date = {2020-12-09}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf}, language = {English}, urldate = {2020-12-10} } MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign
JhoneRAT Molerat Loader Pierogi Quasar RAT Spark
2020-11-28pat_h/to/filepat_h/to/file
@online{pathtofile:20201128:hunting:21f38be, author = {pat_h/to/file}, title = {{Hunting Koadic Pt. 2 - JARM Fingerprinting}}, date = {2020-11-28}, organization = {pat_h/to/file}, url = {https://blog.tofile.dev/2020/11/28/koadic_jarm.html}, language = {English}, urldate = {2020-12-08} } Hunting Koadic Pt. 2 - JARM Fingerprinting
Koadic
2020-11-23ProofpointProofpoint Threat Research Team
@online{team:20201123:ta416:60e8b7e, author = {Proofpoint Threat Research Team}, title = {{TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader}}, date = {2020-11-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader}, language = {English}, urldate = {2020-11-25} } TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX
2020-11-20Trend MicroAbraham Camba, Bren Matthew Ebriega, Gilbert Sison
@online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} } Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX
2020-11-19ThreatpostElizabeth Montalbano
@online{montalbano:20201119:exploits:f40feb2, author = {Elizabeth Montalbano}, title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}}, date = {2020-11-19}, organization = {Threatpost}, url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/}, language = {English}, urldate = {2020-11-23} } APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk
2020-11-17SymantecThreat Hunter Team
@online{team:20201117:japanlinked:42c6320, author = {Threat Hunter Team}, title = {{Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign}}, date = {2020-11-17}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage}, language = {English}, urldate = {2020-11-19} } Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign
Quasar RAT
2020-11-04SophosGabor Szappanos
@online{szappanos:20201104:new:66b8447, author = {Gabor Szappanos}, title = {{A new APT uses DLL side-loads to “KilllSomeOne”}}, date = {2020-11-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/}, language = {English}, urldate = {2020-11-06} } A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-27Dr.WebDr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-10-01US-CERTUS-CERT
@online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-30NTT SecurityFumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:04593f6, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2021-02-06} } Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30NTT SecurityFumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:1efe218, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2021-01-25} } Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-09-16RiskIQJon Gross
@online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-09-15Recorded FutureInsikt Group®
@techreport{group:20200915:back:2c78a6f, author = {Insikt Group®}, title = {{Back Despite Disruption: RedDelta Resumes Operations}}, date = {2020-09-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf}, language = {English}, urldate = {2020-09-16} } Back Despite Disruption: RedDelta Resumes Operations
PlugX
2020-09-11ThreatConnectThreatConnect Research Team
@online{team:20200911:research:edfb074, author = {ThreatConnect Research Team}, title = {{Research Roundup: Activity on Previously Identified APT33 Domains}}, date = {2020-09-11}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/}, language = {English}, urldate = {2020-09-15} } Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33
2020-07-29Recorded FutureInsikt Group
@techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28NTTNTT Security
@online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-20Dr.WebDr.Web
@techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
2020-07-20or10nlabsoR10n
@online{or10n:20200720:reverse:bcb6023, author = {oR10n}, title = {{Reverse Engineering the New Mustang Panda PlugX Downloader}}, date = {2020-07-20}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the New Mustang Panda PlugX Downloader
PlugX
2020-07-20Risky.bizDaniel Gordon
@online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-07-15ZDNetCatalin Cimpanu
@online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } Chinese state hackers target Hong Kong Catholic Church
PlugX
2020-07-05or10nlabsoR10n
@online{or10n:20200705:reverse:60298dc, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config}}, date = {2020-07-05}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
PlugX
2020-06-24Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31
2020-06-22MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200622:venomrat:129ba02, author = {Maciej Kotowicz}, title = {{VenomRAT - new, hackforums grade, reincarnation of QuassarRAT}}, date = {2020-06-22}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/venom/}, language = {English}, urldate = {2020-06-25} } VenomRAT - new, hackforums grade, reincarnation of QuassarRAT
Quasar RAT Venom RAT
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-10ProofpointDennis Schwarz
@online{schwarz:20200610:flowcloud:c0b42c0, author = {Dennis Schwarz}, title = {{FlowCloud Version 4.1.3 Malware Analysis}}, date = {2020-06-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis}, language = {English}, urldate = {2020-06-12} } FlowCloud Version 4.1.3 Malware Analysis
FlowCloud
2020-06-08ProofpointMichael Raggi, Dennis Schwarz, Georgi Mladenov, Proofpoint Threat Research Team
@online{raggi:20200608:ta410:f838522, author = {Michael Raggi and Dennis Schwarz and Georgi Mladenov and Proofpoint Threat Research Team}, title = {{TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware}}, date = {2020-06-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new}, language = {English}, urldate = {2020-06-09} } TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
FlowCloud Lookback TA410
2020-06-05PrevailionDanny Adamitis
@online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } The Gh0st Remains the Same
Ghost RAT
2020-06-04PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020-06-03Trend MicroDaniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-06-03Kaspersky LabsGReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing
2020-06-02Lab52Jagaimo Kawaii
@online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX
2020-05-29ZscalerSudeep Singh
@online{singh:20200529:shellreset:e80d2c8, author = {Sudeep Singh}, title = {{ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass}}, date = {2020-05-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass}, language = {English}, urldate = {2020-06-05} } ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass
Quasar RAT
2020-05-24or10nlabsoR10n
@online{or10n:20200524:reverse:49c2ad8, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX Loader}}, date = {2020-05-24}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader}, language = {English}, urldate = {2021-06-24} } Reverse Engineering the Mustang Panda PlugX Loader
PlugX
2020-05-20Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20200520:what:e02d9a4, author = {Asuna Amawaka}, title = {{What happened between the BigBadWolf and the Tiger?}}, date = {2020-05-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2}, language = {English}, urldate = {2021-02-18} } What happened between the BigBadWolf and the Tiger?
Ghost RAT
2020-05-15Twitter (@stvemillertime)Steve Miller
@online{miller:20200515:sogu:cc5a1fc, author = {Steve Miller}, title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}}, date = {2020-05-15}, organization = {Twitter (@stvemillertime)}, url = {https://twitter.com/stvemillertime/status/1261263000960450562}, language = {English}, urldate = {2020-05-18} } Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-01Viettel CybersecurityCyberthreat
@online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX
2020-04-270x00secDan Lisichkin
@online{lisichkin:20200427:master:1cfb192, author = {Dan Lisichkin}, title = {{Master of RATs - How to create your own Tracker}}, date = {2020-04-27}, organization = {0x00sec}, url = {https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848}, language = {English}, urldate = {2020-04-28} } Master of RATs - How to create your own Tracker
Quasar RAT
2020-03-20BitdefenderLiviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-03-19VinCSSm4n0w4r
@online{m4n0w4r:20200319:phn:461fca7, author = {m4n0w4r}, title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}}, date = {2020-03-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html}, language = {Vietnamese}, urldate = {2020-03-19} } Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX
2020-03-12Check PointCheck Point Research
@online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-02Virus BulletinAlex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-17Talent-Jump TechnologiesTheo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX
2020-01-31AviraShahab Hamzeloofard
@online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } New wave of PlugX targets Hong Kong
PlugX
2020-01-31ReversingLabsRobert Simmons
@online{simmons:20200131:rats:d8a4021, author = {Robert Simmons}, title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}}, date = {2020-01-31}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/rats-in-the-library}, language = {English}, urldate = {2020-02-03} } RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site
CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-17JPCERT/CCTakayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020-01-09Lab52Jagaimo Kawaii
@online{kawaii:20200109:ta428:2230af2, author = {Jagaimo Kawaii}, title = {{TA428 Group abusing recent conflict between Iran and USA}}, date = {2020-01-09}, organization = {Lab52}, url = {https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/}, language = {English}, urldate = {2021-02-06} } TA428 Group abusing recent conflict between Iran and USA
Poison Ivy
2020-01-09Github (zerosum0x0)zerosum0x0
@online{zerosum0x0:20200109:koadic:2b6e0c1, author = {zerosum0x0}, title = {{Koadic}}, date = {2020-01-09}, organization = {Github (zerosum0x0)}, url = {https://github.com/zerosum0x0/koadic}, language = {English}, urldate = {2020-01-09} } Koadic
Koadic
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } BRONZE EDISON
Ghost RAT sykipot Maverick Panda Samurai Panda
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:472aea8, author = {SecureWorks}, title = {{BRONZE OLIVE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-olive}, language = {English}, urldate = {2020-05-23} } BRONZE OLIVE
ANGRYREBEL PlugX APT 22
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } BRONZE GLOBE
EtumBot Ghost RAT IXESHE
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} } COBALT ULSTER
POWERSTATS Koadic MuddyWater
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:79d8dd2, author = {SecureWorks}, title = {{BRONZE OVERBROOK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook}, language = {English}, urldate = {2020-05-23} } BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA
2020SecureworksSecureWorks
@online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } BRONZE WOODLAND
PlugX Zeus Roaming Tiger
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2019-12-29SecureworksCTU Research Team
@online{team:20191229:bronze:bda6bfc, author = {CTU Research Team}, title = {{BRONZE PRESIDENT Targets NGOs}}, date = {2019-12-29}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-president-targets-ngos}, language = {English}, urldate = {2020-01-10} } BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-16Silas Cutler's BlogSilas Cutler
@online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } Fresh PlugX October 2019
PlugX
2019-11-11Virus BulletinShusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
@online{tomonaga:20191111:cases:ac5f1b3, author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi}, title = {{APT cases exploiting vulnerabilities in region‑specific software}}, date = {2019-11-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/}, language = {English}, urldate = {2020-05-13} } APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX
2019-11-04TencentTencent Security Mikan TIC
@online{tic:20191104:attack:33a29db, author = {Tencent Security Mikan TIC}, title = {{APT attack group "Higaisa" attack activity disclosed}}, date = {2019-11-04}, organization = {Tencent}, url = {https://s.tencent.com/research/report/836.html}, language = {Chinese}, urldate = {2020-05-13} } APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-10-31PTSecurityPTSecurity
@online{ptsecurity:20191031:calypso:adaf761, author = {PTSecurity}, title = {{Calypso APT: new group attacking state institutions}}, date = {2019-10-31}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/}, language = {English}, urldate = {2020-01-12} } Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX
2019-10-24Carbon BlackTakahiro Haruyama
@techreport{haruyama:20191024:defeating:4016e1f, author = {Takahiro Haruyama}, title = {{Defeating APT10 Compiler-level Obfuscations}}, date = {2019-10-24}, institution = {Carbon Black}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf}, language = {English}, urldate = {2020-03-03} } Defeating APT10 Compiler-level Obfuscations
Anel
2019-10-03Palo Alto Networks Unit 42Alex Hinchliffe
@online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX
2019-09-17TalosChristopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-07-23ProofpointMichael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
2019-06-25CybereasonCybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2019-12-17} } OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
MimiKatz Poison Ivy Operation Soft Cell
2019-06-10CylanceCylance Threat Research Team
@online{team:20190610:threat:fc73094, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: MenuPass/QuasarRAT Backdoor}}, date = {2019-06-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html}, language = {English}, urldate = {2020-01-06} } Threat Spotlight: MenuPass/QuasarRAT Backdoor
DILLJUICE
2019-06-03FireEyeChi-en Shen
@online{shen:20190603:into:d40fee9, author = {Chi-en Shen}, title = {{Into the Fog - The Return of ICEFOG APT}}, date = {2019-06-03}, organization = {FireEye}, url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt}, language = {English}, urldate = {2020-06-30} } Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust
2019-05-24FortinetBen Hunter
@online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-}, language = {English}, urldate = {2020-11-04} } Uncovering new Activity by APT10
PlugX Quasar RAT
2019-05-20Twitter (@struppigel)Karsten Hahn
@online{hahn:20190520:yggdrasil:5a23fde, author = {Karsten Hahn}, title = {{Tweet on Yggdrasil / CinaRAT}}, date = {2019-05-20}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1130455143504318466}, language = {English}, urldate = {2020-01-13} } Tweet on Yggdrasil / CinaRAT
Quasar RAT
2019-04-25DATANETKim Seon-ae
@online{seonae:20190425:chinesebased:fa78904, author = {Kim Seon-ae}, title = {{Chinese-based hackers attack domestic energy institutions}}, date = {2019-04-25}, organization = {DATANET}, url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346}, language = {Korean}, urldate = {2021-02-09} } Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT
2019-04-16FireEyeJohn Hultquist, Ben Read, Oleg Bondarenko, Chi-en Shen
@online{hultquist:20190416:spear:a0125cb, author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen}, title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}}, date = {2019-04-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html}, language = {English}, urldate = {2019-12-20} } Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic
Quasar RAT Vermin
2019-04-01Macnica NetworksMacnica Networks
@techreport{networks:20190401:trends:cf738dc, author = {Macnica Networks}, title = {{Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018}}, date = {2019-04-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-03-27SymantecSecurity Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-19NSHCThreatRecon Team
@online{team:20190319:sectorm04:6c6ea37, author = {ThreatRecon Team}, title = {{SectorM04 Targeting Singapore – An Analysis}}, date = {2019-03-19}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/}, language = {English}, urldate = {2020-01-07} } SectorM04 Targeting Singapore – An Analysis
PlugX Termite
2019-02-27SecureworksCTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-02-06Recorded FutureInsikt Group, Rapid7
@techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT APT31 Hurricane Panda Stone Panda
2019-02-06Recorded FutureInsikt Group, Rapid7
@techreport{group:20190206:apt10:9c61d0b, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2020-01-06} } APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign
RedLeaves
2019-01-07IntezerIgnacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog-chinaz-relations/}, language = {English}, urldate = {2019-11-27} } ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2019Virus BulletinLion Gu, Bowen Pan
@techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell
2019MITREMITRE ATT&CK
@online{attck:2019:menupass:8fde950, author = {MITRE ATT&CK}, title = {{Group description: menuPass}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0045/}, language = {English}, urldate = {2019-12-20} } Group description: menuPass
Stone Panda
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:10:0acf62c, author = {Cyber Operations Tracker}, title = {{APT 10}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/apt-10}, language = {English}, urldate = {2019-12-20} } APT 10
Stone Panda
2018-12-20FBIFBI
@online{fbi:20181220:chinese:06e7a78, author = {FBI}, title = {{Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information}}, date = {2018-12-20}, organization = {FBI}, url = {https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018}, language = {English}, urldate = {2019-11-28} } Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information
Stone Panda
2018-12-14Australian Cyber Security CentreASD
@techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves
2018-10-11NCSC UKNCSC UK
@techreport{uk:20181011:joint:d7901ac, author = {NCSC UK}, title = {{Joint report on publicly available hacking tools: How to limit the effectiveness of tools commonly used by malicious actors}}, date = {2018-10-11}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf}, language = {English}, urldate = {2019-11-20} } Joint report on publicly available hacking tools: How to limit the effectiveness of tools commonly used by malicious actors
Codoso Stone Panda
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-09-21Qihoo 360 TechnologyQihoo 360
@online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment
Poison Ivy
2018-09-19Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-09-13FireEyeAyako Matsuda, Irshad Muhammad
@online{matsuda:20180913:apt10:689e4bb, author = {Ayako Matsuda and Irshad Muhammad}, title = {{APT10 Targeting Japanese Corporations Using Updated TTPs}}, date = {2018-09-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html}, language = {English}, urldate = {2019-12-20} } APT10 Targeting Japanese Corporations Using Updated TTPs
Stone Panda
2018-08-02Palo Alto Networks Unit 42Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-07-17ESET ResearchKaspars Osis
@online{osis:20180717:deep:56fcfcf, author = {Kaspars Osis}, title = {{A deep dive down the Vermin RAThole}}, date = {2018-07-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/}, language = {English}, urldate = {2019-11-14} } A deep dive down the Vermin RAThole
Quasar RAT Sobaken Vermin
2018-06-07VolexityMatthew Meltzer, Sean Koessel, Steven Adair
@online{meltzer:20180607:patchwork:5b8d3c8, author = {Matthew Meltzer and Sean Koessel and Steven Adair}, title = {{Patchwork APT Group Targets US Think Tanks}}, date = {2018-06-07}, organization = {Volexity}, url = {https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/}, language = {English}, urldate = {2020-01-08} } Patchwork APT Group Targets US Think Tanks
Quasar RAT Unidentified 047 Dropping Elephant
2018-06-06Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } Sofacy Group’s Parallel Attacks
Koadic Zebrocy
2018-05-15BSides DetroitKeven Murphy, Stefano Maccaglia
@online{murphy:20180515:ir:ac5b561, author = {Keven Murphy and Stefano Maccaglia}, title = {{IR in Heterogeneous Environment}}, date = {2018-05-15}, organization = {BSides Detroit}, url = {https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment}, language = {English}, urldate = {2020-07-20} } IR in Heterogeneous Environment
Korlia Poison Ivy
2018-05-09COUNT UPON SECURITYLuis Rocha
@online{rocha:20180509:malware:3ee8ecf, author = {Luis Rocha}, title = {{Malware Analysis - PlugX - Part 2}}, date = {2018-05-09}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/}, language = {English}, urldate = {2020-01-05} } Malware Analysis - PlugX - Part 2
PlugX
2018-04-23Accenture SecurityBart Parys
@techreport{parys:20180423:hogfish:8cf32f8, author = {Bart Parys}, title = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}}, date = {2018-04-23}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-06-18} } HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”
RedLeaves
2018-04-23Accenture SecurityBart Parys
@techreport{parys:20180423:hogfish:4dc2531, author = {Bart Parys}, title = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}}, date = {2018-04-23}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-06-18} } HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”
RedLeaves Stone Panda
2018-04-17NCC GroupNikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2019-11-27} } Decoding network data from a Gh0st RAT variant
Ghost RAT EMISSARY PANDA
2018-03-30360 Threat IntelligenceQi Anxin Threat Intelligence Center
@online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China
Quasar RAT
2018-03-29Trend MicroTamada Kiyotaka, MingYen Hsieh
@online{kiyotaka:20180329:chessmaster:c48e1c0, author = {Tamada Kiyotaka and MingYen Hsieh}, title = {{ChessMaster Adds Updated Tools to Its Arsenal}}, date = {2018-03-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/}, language = {English}, urldate = {2020-01-08} } ChessMaster Adds Updated Tools to Its Arsenal
Anel
2018-03-13Kaspersky LabsDenis Makrushin, Yury Namestnikov
@online{makrushin:20180313:time:7171143, author = {Denis Makrushin and Yury Namestnikov}, title = {{Time of death? A therapeutic postmortem of connected medicine}}, date = {2018-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/time-of-death-connected-medicine/84315/}, language = {English}, urldate = {2019-12-20} } Time of death? A therapeutic postmortem of connected medicine
PlugX
2018-02-04COUNT UPON SECURITYLuis Rocha
@online{rocha:20180204:malware:ea0aede, author = {Luis Rocha}, title = {{MALWARE ANALYSIS – PLUGX}}, date = {2018-02-04}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/}, language = {English}, urldate = {2020-01-07} } MALWARE ANALYSIS – PLUGX
PlugX
2018-02-01BitdefenderBitdefender Team
@online{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/}, language = {English}, urldate = {2020-05-18} } Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT EMISSARY PANDA
2018-01-04Malware Traffic AnalysisBrad Duncan
@online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2017-12-19ProofpointDarien Huss
@online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19ProofpointDarien Huss
@techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-12-18LACYoshihiro Ishikawa
@online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } Relationship between PlugX and attacker group "DragonOK"
PlugX
2017-12-11Trend MicroDaniel Lunghi, Jaromír Hořejší, Cedric Pernet
@online{lunghi:20171211:untangling:5f00f99, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Cyberespionage Group}}, date = {2017-12-11}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite}, language = {English}, urldate = {2019-10-21} } Untangling the Patchwork Cyberespionage Group
Quasar RAT
2017-12-04MacnicaMacnica
@online{macnica:20171204:new:4bfec6c, author = {Macnica}, title = {{New method of macro malware disguised as defense-related files}}, date = {2017-12-04}, organization = {Macnica}, url = {http://blog.macnica.net/blog/2017/12/post-8c22.html}, language = {Japanese}, urldate = {2020-01-06} } New method of macro malware disguised as defense-related files
RedLeaves
2017-11-03Github (5loyd)5loyd
@online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } Trochilus
Trochilus RAT
2017-09-15FortinetXiaopeng Zhang
@online{zhang:20170915:deep:5178fe3, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Poison Ivy/PlugX Variant - Part II}}, date = {2017-09-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii}, language = {English}, urldate = {2020-01-10} } Deep Analysis of New Poison Ivy/PlugX Variant - Part II
Poison Ivy
2017-08-31NCC GroupAhmed Zaki
@online{zaki:20170831:analysing:4c77e47, author = {Ahmed Zaki}, title = {{Analysing a recent Poison Ivy sample}}, date = {2017-08-31}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/}, language = {English}, urldate = {2020-01-10} } Analysing a recent Poison Ivy sample
Poison Ivy
2017-08-23FortinetXiaopeng Zhang
@online{zhang:20170823:deep:3d931ad, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Poison Ivy Variant}}, date = {2017-08-23}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant}, language = {English}, urldate = {2020-01-06} } Deep Analysis of New Poison Ivy Variant
Poison Ivy
2017-07-27Trend MicroBenson Sy, CH Lei, Kawabata Kohei
@online{sy:20170727:chessmaster:7d3e4b3, author = {Benson Sy and CH Lei and Kawabata Kohei}, title = {{ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal}}, date = {2017-07-27}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/}, language = {English}, urldate = {2020-01-13} } ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal
Emdivi
2017-07-27Trend MicroBenson Sy, CH Lei, Kawabata Kohei
@online{sy:20170727:chessmaster:a496667, author = {Benson Sy and CH Lei and Kawabata Kohei}, title = {{ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal}}, date = {2017-07-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/}, language = {English}, urldate = {2019-10-14} } ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal
Stone Panda
2017-06-27Palo Alto Networks Unit 42Tom Lancaster, Esmid Idrizovic
@online{lancaster:20170627:paranoid:f933eb4, author = {Tom Lancaster and Esmid Idrizovic}, title = {{Paranoid PlugX}}, date = {2017-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/}, language = {English}, urldate = {2019-12-20} } Paranoid PlugX
PlugX
2017-05-09VMWare Carbon BlackJared Myers
@online{myers:20170509:carbon:63860ae, author = {Jared Myers}, title = {{Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading}}, date = {2017-05-09}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/}, language = {English}, urldate = {2020-03-11} } Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading
RedLeaves
2017-05-03RSA LinkAhmed Sonbol
@online{sonbol:20170503:hunting:ce577ba, author = {Ahmed Sonbol}, title = {{Hunting pack use case: RedLeaves malware}}, date = {2017-05-03}, organization = {RSA Link}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware}, language = {English}, urldate = {2020-03-11} } Hunting pack use case: RedLeaves malware
RedLeaves
2017-04-27US-CERTUS-CERT
@online{uscert:20170427:alert:fdb865d, author = {US-CERT}, title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}}, date = {2017-04-27}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-117A}, language = {English}, urldate = {2020-03-11} } Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves
2017-04-27Homeland SecurityHomeland Security
@techreport{security:20170427:intrusions:d535369, author = {Homeland Security}, title = {{INTRUSIONS AFFECTING MULTIPLE VICTIMS ACROSS MULTIPLE SECTO}}, date = {2017-04-27}, institution = {Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf}, language = {English}, urldate = {2020-01-08} } INTRUSIONS AFFECTING MULTIPLE VICTIMS ACROSS MULTIPLE SECTO
Stone Panda
2017-04-06eWeekSean Michael Kerner
@online{kerner:20170406:chinese:81730df, author = {Sean Michael Kerner}, title = {{Chinese Nation-State Hackers Target U.S in Operation TradeSecret}}, date = {2017-04-06}, organization = {eWeek}, url = {https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret}, language = {English}, urldate = {2020-01-08} } Chinese Nation-State Hackers Target U.S in Operation TradeSecret
Stone Panda
2017-04-06FireEyeFireEye iSIGHT Intelligence
@online{intelligence:20170406:apt10:08847cf, author = {FireEye iSIGHT Intelligence}, title = {{APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat}}, date = {2017-04-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html}, language = {English}, urldate = {2019-12-20} } APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat
Stone Panda
2017-04-04PWC UKPWC UK
@techreport{uk:20170404:operation:6d02e48, author = {PWC UK}, title = {{Operation Cloud Hopper}}, date = {2017-04-04}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf}, language = {English}, urldate = {2020-01-10} } Operation Cloud Hopper
Stone Panda
2017-04-03JPCERT/CCShusei Tomonaga
@online{tomonaga:20170403:ratredleaves:c0d1a92, author = {Shusei Tomonaga}, title = {{オープンソースのRATを改良したマルウエアRedLeaves}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/magazine/acreport-redleaves.html}, language = {Japanese}, urldate = {2020-01-06} } オープンソースのRATを改良したマルウエアRedLeaves
RedLeaves
2017-04-03JPCERT/CCShusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123, author = {Shusei Tomonaga}, title = {{RedLeaves - Malware Based on Open Source RAT}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html}, language = {English}, urldate = {2021-02-04} } RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves
2017-04-03Github (nccgroup)David Cannings
@online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } Technical Notes on RedLeaves
RedLeaves
2017-04PricewaterhouseCoopersPricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2017-02-27Threat VectorJon Gross
@online{gross:20170227:deception:c424a01, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Threat Vector}, url = {https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-05} } The Deception Project: A New Japanese-Centric Threat
ChChes Snake Wine
2017-02-25Financial Security InstituteKyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2017-02-21JPCERT/CCShusei Tomonaga
@online{tomonaga:20170221:plugx:f9e4817, author = {Shusei Tomonaga}, title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}}, date = {2017-02-21}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html}, language = {English}, urldate = {2020-01-13} } PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX
2017-02-16Jen Miller-Osborn, Josh Grunzweig
@online{millerosborn:20170216:menupass:4aebb40, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations}}, date = {2017-02-16}, url = {https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/}, language = {English}, urldate = {2019-11-21} } menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
Stone Panda
2017-02-16Palo Alto Networks Unit 42Jen Miller-Osborn, Josh Grunzweig
@online{millerosborn:20170216:menupass:a829340, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations}}, date = {2017-02-16}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/}, language = {English}, urldate = {2019-12-20} } menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
ChChes
2017-02-13RSARSA Research
@techreport{research:20170213:kingslayer:98f4892, author = {RSA Research}, title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}}, date = {2017-02-13}, institution = {RSA}, url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf}, language = {English}, urldate = {2020-01-08} } KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX
2017-02-10JPCERT/CCShusei Tomonaga
@online{tomonaga:20170210:powersploit:8c4789a, author = {Shusei Tomonaga}, title = {{PowerSploit}}, date = {2017-02-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html}, language = {Japanese}, urldate = {2020-01-09} } PowerSploit
ChChes
2017-01-30Palo Alto Networks Unit 42Mashav Sapir, Tomer Bar, Netanel Rimer, Taras Malivanchuk, Yaron Samuel, Simon Conant
@online{sapir:20170130:downeks:8ed6329, author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant}, title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}}, date = {2017-01-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments}, language = {English}, urldate = {2019-12-20} } Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments
Quasar RAT
2017-01-26JPCERT/CCYu Nakamura
@online{nakamura:20170126:malware:273897c, author = {Yu Nakamura}, title = {{Malware ChChes interacts with C & C server using Cookie header}}, date = {2017-01-26}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/magazine/acreport-ChChes.html}, language = {Japanese}, urldate = {2019-07-09} } Malware ChChes interacts with C & C server using Cookie header
ChChes Snake Wine
2016-11-22Palo Alto Networks Unit 42Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster
@online{ray:20161122:tropic:7f503e7, author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster}, title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}}, date = {2016-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/}, language = {English}, urldate = {2019-12-20} } Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
Poison Ivy
2016-10-20Twitter (@malwrhunterteam)MalwareHunterTeam
@online{malwarehunterteam:20161020:quasar:f530cea, author = {MalwareHunterTeam}, title = {{Tweet on Quasar RAT}}, date = {2016-10-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/789153556255342596}, language = {English}, urldate = {2019-07-11} } Tweet on Quasar RAT
Quasar RAT
2016-08-25MalwarebytesMalwarebytes Labs
@online{labs:20160825:unpacking:66173f5, author = {Malwarebytes Labs}, title = {{Unpacking the spyware disguised as antivirus}}, date = {2016-08-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/}, language = {English}, urldate = {2019-12-20} } Unpacking the spyware disguised as antivirus
PlugX
2016-06-13Macnica NetworksMacnica Networks
@techreport{networks:20160613:survey:c78b147, author = {Macnica Networks}, title = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}}, date = {2016-06-13}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/security_report_20160613.pdf}, language = {Japanese}, urldate = {2021-03-02} } Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX
2016-04-26Github (CyberMonitor)Jason Jones
@techreport{jones:20160426:new:78ff145, author = {Jason Jones}, title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}}, date = {2016-04-26}, institution = {Github (CyberMonitor)}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf}, language = {English}, urldate = {2019-12-17} } New Poison Ivy Activity Targeting Myanmar, Asian Countries
Poison Ivy
2016-04-22Palo Alto Networks Unit 42Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn
@online{yates:20160422:new:249e32b, author = {Micah Yates and Mike Scott and Brandon Levene and Jen Miller-Osborn}, title = {{New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists}}, date = {2016-04-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/}, language = {English}, urldate = {2019-12-20} } New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Poison Ivy
2016-04-22CylanceIsaac Palmer
@online{palmer:20160422:ghost:dda6514, author = {Isaac Palmer}, title = {{The Ghost Dragon}}, date = {2016-04-22}, organization = {Cylance}, url = {https://blog.cylance.com/the-ghost-dragon}, language = {English}, urldate = {2020-01-08} } The Ghost Dragon
Ghost RAT
2016-04-15FireEyeGrady Summers
@techreport{summers:20160415:2016:3d22a6f, author = {Grady Summers}, title = {{2016 THREAT BRIEFING: “GOOD ENOUGH” IS NOT GOOD ENOUGH}}, date = {2016-04-15}, institution = {FireEye}, url = {http://fireeyeday.com/1604/pdf/KeyNote_2.pdf}, language = {English}, urldate = {2020-01-15} } 2016 THREAT BRIEFING: “GOOD ENOUGH” IS NOT GOOD ENOUGH
Poldat
2016-03-02RSA ConferenceVanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3, author = {Vanja Svajcer}, title = {{Dissecting Derusbi}}, date = {2016-03-02}, institution = {RSA Conference}, url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf}, language = {English}, urldate = {2020-02-27} } Dissecting Derusbi
Derusbi
2016-02-23CylanceJon Gross, Cylance SPEAR Team
@techreport{gross:20160223:operation:424641b, author = {Jon Gross and Cylance SPEAR Team}, title = {{Operation Dust Storm}}, date = {2016-02-23}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf}, language = {English}, urldate = {2020-01-09} } Operation Dust Storm
Misdat Poldat Dust Storm
2016-01-22RSA LinkNorton Santos
@online{santos:20160122:plugx:580fcff, author = {Norton Santos}, title = {{PlugX APT Malware}}, date = {2016-01-22}, organization = {RSA Link}, url = {https://community.rsa.com/thread/185439}, language = {English}, urldate = {2020-01-13} } PlugX APT Malware
PlugX
2015-12-15Airbus Defence & SpaceFabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c, author = {Fabien Perigaud}, title = {{Newcomers in the Derusbi family}}, date = {2015-12-15}, organization = {Airbus Defence & Space}, url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family}, language = {English}, urldate = {2020-02-27} } Newcomers in the Derusbi family
Derusbi
2015-11-19JPCERT/CCYou Nakatsuru
@online{nakatsuru:20151119:decrypting:8be1808, author = {You Nakatsuru}, title = {{Decrypting Strings in Emdivi}}, date = {2015-11-19}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html}, language = {English}, urldate = {2019-11-28} } Decrypting Strings in Emdivi
Emdivi
2015-10-08Virus BulletinMicky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d, author = {Micky Pun and Eric Leung and Neo Tan}, title = {{Catching the silent whisper: Understanding the Derusbi family tree}}, date = {2015-10-08}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf}, language = {English}, urldate = {2020-02-27} } Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-09-01Trend MicroBenson Sy
@online{sy:20150901:attackers:3703ecf, author = {Benson Sy}, title = {{Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor}}, date = {2015-09-01}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/}, language = {English}, urldate = {2019-12-17} } Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor
Emdivi
2015-08-20Kaspersky LabsSuguru Ishimaru
@online{ishimaru:20150820:new:d553aa4, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-activity-of-the-blue-termite-apt/71876/}, language = {English}, urldate = {2019-12-20} } New activity of the Blue Termite APT
Emdivi
2015-08Arbor NetworksASERT Team
@online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27
2015-02-27ThreatConnectThreatConnect Research Team
@online{team:20150227:anthem:3576532, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-01-09} } The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-06CrowdStrikeCrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2015-01-29JPCERT/CCShusei Tomonaga
@online{tomonaga:20150129:analysis:0eaad95, author = {Shusei Tomonaga}, title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}}, date = {2015-01-29}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html}, language = {English}, urldate = {2020-01-09} } Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX
2014-10-28NovettaNovetta
@techreport{novetta:20141028:derusbi:aae275a, author = {Novetta}, title = {{Derusbi (Server Variant) Analysis}}, date = {2014-10-28}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf}, language = {English}, urldate = {2020-01-06} } Derusbi (Server Variant) Analysis
Derusbi
2014-09-19Palo Alto Networks Unit 42Jen Miller-Osborn, Ryan Olson
@online{millerosborn:20140919:recent:edf1ed3, author = {Jen Miller-Osborn and Ryan Olson}, title = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}}, date = {2014-09-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/}, language = {English}, urldate = {2019-12-20} } Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
Poison Ivy
2014-06-27SophosLabsGabor Szappanos
@techreport{szappanos:20140627:plugx:e63d8bf, author = {Gabor Szappanos}, title = {{PlugX - The Next Generation}}, date = {2014-06-27}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf}, language = {English}, urldate = {2020-01-10} } PlugX - The Next Generation
PlugX
2014-06-10FireEyeMike Scott
@online{scott:20140610:clandestine:6d515ab, author = {Mike Scott}, title = {{Clandestine Fox, Part Deux}}, date = {2014-06-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html}, language = {English}, urldate = {2019-12-20} } Clandestine Fox, Part Deux
PlugX
2014-01-06AirbusFabien Perigaud
@online{perigaud:20140106:plugx:16410d7, author = {Fabien Perigaud}, title = {{PlugX: some uncovered points}}, date = {2014-01-06}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html}, language = {English}, urldate = {2020-01-08} } PlugX: some uncovered points
PlugX
2014-01RSARSA Research
@techreport{research:201401:rsa:5fa5815, author = {RSA Research}, title = {{RSA Incident Response: Emerging Threat Profile Shell_Crew}}, date = {2014-01}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf}, language = {English}, urldate = {2021-01-29} } RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi
2014FireEyeFireEye
@techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2021-04-29} } Operation Quantum Entanglement
IsSpace NewCT Poison Ivy SysGet
2013-10-31FireEyeThoufique Haq, Ned Moran
@online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy Temper Panda
2013-08-23FireEyeNart Villeneuve, Thoufique Haq, Ned Moran
@online{villeneuve:20130823:operation:dc4b5d6, author = {Nart Villeneuve and Thoufique Haq and Ned Moran}, title = {{Operation Molerats: Middle East Cyber Attacks Using Poison Ivy}}, date = {2013-08-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html}, language = {English}, urldate = {2019-12-20} } Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Poison Ivy Molerats
2013-03-29Computer Incident Response Center LuxembourgCIRCL
@techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX
2013-03ContextisKevin O’Reilly
@techreport{oreilly:201303:plugxpayload:d355f49, author = {Kevin O’Reilly}, title = {{PlugX–Payload Extraction}}, date = {2013-03}, institution = {Contextis}, url = {https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf}, language = {English}, urldate = {2021-06-24} } PlugX–Payload Extraction
PlugX
2012-02-10tracker.h3x.euMalware Corpus Tracker
@online{tracker:20120210:info:d58b5c1, author = {Malware Corpus Tracker}, title = {{Info for Family: plugx}}, date = {2012-02-10}, organization = {tracker.h3x.eu}, url = {https://tracker.h3x.eu/info/290}, language = {English}, urldate = {2021-06-24} } Info for Family: plugx
PlugX
2012Norman ASASnorre Fagerland
@techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } The many faces of Gh0st Rat
Ghost RAT
2011-06-29SymantecJohn McDonald
@online{mcdonald:20110629:inside:b955948, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-04-21} } Inside a Back Door Attack
Ghost RAT Dust Storm
2011SymantecErica Eng, Gavin O'Gorman
@techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } The Nitro Attacks: Stealing Secrets from the Chemical Industry
Poison Ivy Nitro
2010MandiantEro Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2021-05-11} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Kraken Poison Ivy Rustock Sinowal Szribi Zeus
2009-03-28Information Warfare MonitorInformation Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13, author = {Information Warfare Monitor}, title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}}, date = {2009-03-28}, institution = {Information Warfare Monitor}, url = {http://www.nartv.org/mirror/ghostnet.pdf}, language = {English}, urldate = {2020-04-23} } Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet

Credits: MISP Project