
Stone Panda

aka: APT10, APT 10, MenuPass, Menupass Team, menuPass, menuPass Team, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, Cloud Hopper, BRONZE RIVERSIDE


Associated Families
win.dilljuice, win.chches, win.poldat, win.evilgrab, win.emdivi, win.derusbi, win.poison_ivy, win.redleaves, win.anel, win.cobalt_strike, win.quasar_rat, win.trochilus_rat, win.ghost_rat

References
2020-06-04 | PTSecurity | PT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020-06-03 | Trend Micro | Daniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-05-29 | Zscaler | Sudeep Singh
@online{singh:20200529:shellreset:e80d2c8, author = {Sudeep Singh}, title = {{ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass}}, date = {2020-05-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass}, language = {English}, urldate = {2020-06-05} } ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass
Quasar RAT
2020-05-11 | SentinelOne | Gal Kristal
@online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike
2020-04-27 | 0x00sec | Dan Lisichkin
@online{lisichkin:20200427:master:1cfb192, author = {Dan Lisichkin}, title = {{Master of RATs - How to create your own Tracker}}, date = {2020-04-27}, organization = {0x00sec}, url = {https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848}, language = {English}, urldate = {2020-04-28} } Master of RATs - How to create your own Tracker
Quasar RAT
2020-04-24 | The DFIR Report | The DFIR Report
@online{report:20200424:ursnif:e983798, author = {The DFIR Report}, title = {{Ursnif via LOLbins}}, date = {2020-04-24}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/}, language = {English}, urldate = {2020-05-15} } Ursnif via LOLbins
Cobalt Strike LOLSnif
2020-04-02 | Darktrace | Max Heinemeyer
@online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike
2020-03-26 | VMWare Carbon Black | Scott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-03-25 | Wilbur Security | JW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-25 | FireEye | Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller
@online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike
2020-03-22 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200322:mustang:56f3768, author = {Andreas Klopsch}, title = {{Mustang Panda joins the COVID-19 bandwagon}}, date = {2020-03-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/}, language = {English}, urldate = {2020-03-27} } Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike
2020-03-12 | Check Point | Check Point Research
@online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04 | Cobalt Strike | Raphael Mudge
@online{mudge:20200304:cobalt:176b61e, author = {Raphael Mudge}, title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}}, date = {2020-03-04}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/}, language = {English}, urldate = {2020-03-04} } Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-03-02 | Virus Bulletin | Alex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2020-02-21 | ADEO DFIR | ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-19 | FireEye | FireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18 | Trend Micro | Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-18 | Cisco Talos | Vanja Svajcer
@online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-31 | ReversingLabs | Robert Simmons
@online{simmons:20200131:rats:d8a4021, author = {Robert Simmons}, title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}}, date = {2020-01-31}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/rats-in-the-library}, language = {English}, urldate = {2020-02-03} } RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site
CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT
2020-01-29 | nao_sec blog | nao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-17 | JPCERT/CC | Takayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } BRONZE EDISON
Ghost RAT sykipot Samurai Panda
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak
2020 | Secureworks | SecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } BRONZE GLOBE
EtumBot Ghost RAT IXESHE
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse
2020 | Secureworks | SecureWorks
@online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} } GOLD DUPONT
Cobalt Strike Defray PyXie
2019-12-17 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-12-12 | Microsoft | Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran
2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-05 | Github (blackorbird) | blackorbird
@techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } APT32 Report
Cobalt Strike
2019-12-05 | Raphael Mudge
@online{mudge:20191205:cobalt:219044e, author = {Raphael Mudge}, title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}}, date = {2019-12-05}, url = {https://blog.cobaltstrike.com/}, language = {English}, urldate = {2019-12-06} } Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike
2019-11-29 | Deloitte | Thomas Thomasen
@techreport{thomasen:20191129:cyber:1aae987, author = {Thomas Thomasen}, title = {{Cyber Threat Intelligence & Incident Response}}, date = {2019-11-29}, institution = {Deloitte}, url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf}, language = {English}, urldate = {2020-03-04} } Cyber Threat Intelligence & Incident Response
Cobalt Strike
2019-11-11 | Virus Bulletin | Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
@online{tomonaga:20191111:cases:ac5f1b3, author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi}, title = {{APT cases exploiting vulnerabilities in region‑specific software}}, date = {2019-11-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/}, language = {English}, urldate = {2020-05-13} } APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX
2019-11-05 | tccontre Blog | tccontre
@online{tccontre:20191105:cobaltstrike:02e37af, author = {tccontre}, title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}}, date = {2019-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html}, language = {English}, urldate = {2019-12-17} } CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike
2019-11-04 | Tencent | Tencent Security Mikan TIC
@online{tic:20191104:attack:33a29db, author = {Tencent Security Mikan TIC}, title = {{APT attack group "Higaisa" attack activity disclosed}}, date = {2019-11-04}, organization = {Tencent}, url = {https://s.tencent.com/research/report/836.html}, language = {Chinese}, urldate = {2020-05-13} } APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-10-24 | Carbon Black | Takahiro Haruyama
@techreport{haruyama:20191024:defeating:4016e1f, author = {Takahiro Haruyama}, title = {{Defeating APT10 Compiler-level Obfuscations}}, date = {2019-10-24}, institution = {Carbon Black}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf}, language = {English}, urldate = {2020-03-03} } Defeating APT10 Compiler-level Obfuscations
Anel
2019-09-22 | Check Point Research | Check Point Research
@online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-09-17 | Talos | Christopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-06-25 | Cybereason | Cybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2019-12-17} } OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
MimiKatz Poison Ivy Operation Soft Cell
2019-06-10 | Cylance | Cylance Threat Research Team
@online{team:20190610:threat:fc73094, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: MenuPass/QuasarRAT Backdoor}}, date = {2019-06-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html}, language = {English}, urldate = {2020-01-06} } Threat Spotlight: MenuPass/QuasarRAT Backdoor
DILLJUICE
2019-06-04 | Bitdefender | Bitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike
2019-05-24 | enSilo | Ben Hunter
@online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {enSilo}, url = {https://blog.ensilo.com/uncovering-new-activity-by-apt10}, language = {English}, urldate = {2020-01-13} } Uncovering new Activity by APT10
PlugX Quasar RAT
2019-05-20 | Twitter (@struppigel) | Karsten Hahn
@online{hahn:20190520:yggdrasil:5a23fde, author = {Karsten Hahn}, title = {{Tweet on Yggdrasil / CinaRAT}}, date = {2019-05-20}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1130455143504318466}, language = {English}, urldate = {2020-01-13} } Tweet on Yggdrasil / CinaRAT
Quasar RAT
2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam Unidentified 062 (Lazarus/RAT)
2019-04-24 | Weixin | Tencent
@online{tencent:20190424:sea:a722d68, author = {Tencent}, title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}}, date = {2019-04-24}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A}, language = {English}, urldate = {2020-01-13} } "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE
2019-04-16 | FireEye | John Hultquist, Ben Read, Oleg Bondarenko, Chi-en Shen
@online{hultquist:20190416:spear:a0125cb, author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen}, title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}}, date = {2019-04-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html}, language = {English}, urldate = {2019-12-20} } Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic
Quasar RAT Vermin
2019-04-15 | PenTestPartners | Neil Lines
@online{lines:20190415:cobalt:7b3c086, author = {Neil Lines}, title = {{Cobalt Strike. Walkthrough for Red Teamers}}, date = {2019-04-15}, organization = {PenTestPartners}, url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/}, language = {English}, urldate = {2019-12-17} } Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike
2019-03-27 | Symantec | Security Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-27 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-03-24 | One Night in Norfolk | Kevin Perlow
@online{perlow:20190324:jeshell:439ae8b, author = {Kevin Perlow}, title = {{JEShell: An OceanLotus (APT32) Backdoor}}, date = {2019-03-24}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/}, language = {English}, urldate = {2020-05-19} } JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown
2019-02-27 | Morphisec | Michael Gorelik, Alon Groisman
@online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike
2019-02-27 | Secureworks | CTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-02-06 | Recorded Future | Insikt Group, Rapid7
@techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT Hurricane Panda Stone Panda
2019-02-06 | Recorded Future | Insikt Group, Rapid7
@techreport{group:20190206:apt10:9c61d0b, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2020-01-06} } APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign
RedLeaves
2019-01-07 | Intezer | Ignacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog-chinaz-relations/}, language = {English}, urldate = {2019-11-27} } ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2019 | Virus Bulletin | Lion Gu, Bowen Pan
@techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:menupass:8fde950, author = {MITRE ATT&CK}, title = {{Group description: menuPass}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0045/}, language = {English}, urldate = {2019-12-20} } Group description: menuPass
Stone Panda
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:10:0acf62c, author = {Cyber Operations Tracker}, title = {{APT 10}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/apt-10}, language = {English}, urldate = {2019-12-20} } APT 10
Stone Panda
2018-12-20 | FBI | FBI
@online{fbi:20181220:chinese:06e7a78, author = {FBI}, title = {{Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information}}, date = {2018-12-20}, organization = {FBI}, url = {https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018}, language = {English}, urldate = {2019-11-28} } Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information
Stone Panda
2018-12-14 | Australian Cyber Security Centre | ASD
@techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigation report: Compromise of an Australian company via their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } Investigation report: Compromise of an Australian company via their Managed Service Provider
PlugX RedLeaves
2018-11-19 | FireEye | Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike
2018-11-18 | Stranded on Pylos Blog | Joe
@online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } CozyBear – In from the Cold?
Cobalt Strike APT 29
2018-10-11 | NCSC UK | NCSC UK
@techreport{uk:20181011:joint:d7901ac, author = {NCSC UK}, title = {{Joint report on publicly available hacking tools: How to limit the effectiveness of tools commonly used by malicious actors}}, date = {2018-10-11}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf}, language = {English}, urldate = {2019-11-20} } Joint report on publicly available hacking tools: How to limit the effectiveness of tools commonly used by malicious actors
Codoso Stone Panda
2018-10-01 | FireEye | Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-04-15} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN SocksBot
2018-09-21 | Qihoo 360 Technology | Qihoo 360
@online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment
Poison Ivy
2018-09-19 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-09-13 | FireEye | Ayako Matsuda, Irshad Muhammad
@online{matsuda:20180913:apt10:689e4bb, author = {Ayako Matsuda and Irshad Muhammad}, title = {{APT10 Targeting Japanese Corporations Using Updated TTPs}}, date = {2018-09-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html}, language = {English}, urldate = {2019-12-20} } APT10 Targeting Japanese Corporations Using Updated TTPs
Stone Panda
2018-08-03 | JPCERT/CC | Takuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike
2018-08-02 | Palo Alto Networks Unit 42 | Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-07-31 | Github (JPCERTCC) | JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } Scanner for CobaltStrike
Cobalt Strike
2018-07-17 | ESET Research | Kaspars Osis
@online{osis:20180717:deep:56fcfcf, author = {Kaspars Osis}, title = {{A deep dive down the Vermin RAThole}}, date = {2018-07-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/}, language = {English}, urldate = {2019-11-14} } A deep dive down the Vermin RAThole
Quasar RAT Sobaken Vermin
2018-06-07 | Volexity | Matthew Meltzer, Sean Koessel, Steven Adair
@online{meltzer:20180607:patchwork:5b8d3c8, author = {Matthew Meltzer and Sean Koessel and Steven Adair}, title = {{Patchwork APT Group Targets US Think Tanks}}, date = {2018-06-07}, organization = {Volexity}, url = {https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/}, language = {English}, urldate = {2020-01-08} } Patchwork APT Group Targets US Think Tanks
Quasar RAT Unidentified 047 Dropping Elephant
2018-05-21 | LAC | Yoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike
2018-04-23 | Accenture Security | Eileen M. Moynihan
@techreport{moynihan:20180423:hogfish:8cf32f8, author = {Eileen M. Moynihan}, title = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}}, date = {2018-04-23}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-01-13} } HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”
RedLeaves
2018-04-23 | Accenture Security | Accenture Security
@techreport{security:20180423:hogfish:4dc2531, author = {Accenture Security}, title = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}}, date = {2018-04-23}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-01-10} } HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”
Stone Panda
2018-04-17 | NCC Group | Nikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2019-11-27} } Decoding network data from a Gh0st RAT variant
Ghost RAT LuckyMouse
2018-03-30 | 360 Threat Intelligence | Qi Anxin Threat Intelligence Center
@online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China
Quasar RAT
2018-03-29 | Trend Micro | Tamada Kiyotaka, MingYen Hsieh
@online{kiyotaka:20180329:chessmaster:c48e1c0, author = {Tamada Kiyotaka and MingYen Hsieh}, title = {{ChessMaster Adds Updated Tools to Its Arsenal}}, date = {2018-03-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/}, language = {English}, urldate = {2020-01-08} } ChessMaster Adds Updated Tools to Its Arsenal
Anel
2018-02-01 | Bitdefender | Bitdefender Team
@online{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/}, language = {English}, urldate = {2020-05-18} } Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT Emissary Panda
2018-01-04 | Malware Traffic Analysis | Brad Duncan
@online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2017-12-19 | Proofpoint | Darien Huss
@online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19 | Proofpoint | Darien Huss
@techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-12-11 | Trend Micro | Daniel Lunghi, Jaromír Hořejší, Cedric Pernet
@online{lunghi:20171211:untangling:5f00f99, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Cyberespionage Group}}, date = {2017-12-11}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite}, language = {English}, urldate = {2019-10-21} } Untangling the Patchwork Cyberespionage Group
Quasar RAT
2017-12-04 | Macnica | Macnica
@online{macnica:20171204:new:4bfec6c, author = {Macnica}, title = {{New method of macro malware disguised as defense-related files}}, date = {2017-12-04}, organization = {Macnica}, url = {http://blog.macnica.net/blog/2017/12/post-8c22.html}, language = {Japanese}, urldate = {2020-01-06} } New method of macro malware disguised as defense-related files
RedLeaves
2017-11-03 | Github (5loyd) | 5loyd
@online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } Trochilus
Trochilus RAT
2017-09-15 | Fortinet | Xiaopeng Zhang
@online{zhang:20170915:deep:5178fe3, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Poison Ivy/PlugX Variant - Part II}}, date = {2017-09-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii}, language = {English}, urldate = {2020-01-10} } Deep Analysis of New Poison Ivy/PlugX Variant - Part II
Poison Ivy
2017-08-31 | NCC Group | Ahmed Zaki
@online{zaki:20170831:analysing:4c77e47, author = {Ahmed Zaki}, title = {{Analysing a recent Poison Ivy sample}}, date = {2017-08-31}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/}, language = {English}, urldate = {2020-01-10} } Analysing a recent Poison Ivy sample
Poison Ivy
2017-08-23 | Fortinet | Xiaopeng Zhang
@online{zhang:20170823:deep:3d931ad, author = {Xiaopeng Zhang}, title = {{Deep Analysis of New Poison Ivy Variant}}, date = {2017-08-23}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant}, language = {English}, urldate = {2020-01-06} } Deep Analysis of New Poison Ivy Variant
Poison Ivy
2017-07-27 | Trend Micro | Benson Sy, CH Lei, Kawabata Kohei
@online{sy:20170727:chessmaster:7d3e4b3, author = {Benson Sy and CH Lei and Kawabata Kohei}, title = {{ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal}}, date = {2017-07-27}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/}, language = {English}, urldate = {2020-01-13} } ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal
Emdivi
2017-07-27 | Trend Micro | Benson Sy, CH Lei, Kawabata Kohei
@online{sy:20170727:chessmaster:a496667, author = {Benson Sy and CH Lei and Kawabata Kohei}, title = {{ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal}}, date = {2017-07-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/}, language = {English}, urldate = {2019-10-14} } ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal
Stone Panda
2017-06-06 | FireEye | Ian Ahl
@online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike
2017-05-09 | VMWare Carbon Black | Jared Myers
@online{myers:20170509:carbon:63860ae, author = {Jared Myers}, title = {{Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading}}, date = {2017-05-09}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/}, language = {English}, urldate = {2020-03-11} } Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading
RedLeaves
2017-05-03 | RSA Link | Ahmed Sonbol
@online{sonbol:20170503:hunting:ce577ba, author = {Ahmed Sonbol}, title = {{Hunting pack use case: RedLeaves malware}}, date = {2017-05-03}, organization = {RSA Link}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware}, language = {English}, urldate = {2020-03-11} } Hunting pack use case: RedLeaves malware
RedLeaves
2017-04-27 | US-CERT | US-CERT
@online{uscert:20170427:alert:fdb865d, author = {US-CERT}, title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}}, date = {2017-04-27}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-117A}, language = {English}, urldate = {2020-03-11} } Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves
2017-04-27 | Homeland Security | Homeland Security
@techreport{security:20170427:intrusions:d535369, author = {Homeland Security}, title = {{INTRUSIONS AFFECTING MULTIPLE VICTIMS ACROSS MULTIPLE SECTO}}, date = {2017-04-27}, institution = {Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf}, language = {English}, urldate = {2020-01-08} } INTRUSIONS AFFECTING MULTIPLE VICTIMS ACROSS MULTIPLE SECTO
Stone Panda
2017-04-06 | eWeek | Sean Michael Kerner
@online{kerner:20170406:chinese:81730df, author = {Sean Michael Kerner}, title = {{Chinese Nation-State Hackers Target U.S in Operation TradeSecret}}, date = {2017-04-06}, organization = {eWeek}, url = {https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret}, language = {English}, urldate = {2020-01-08} } Chinese Nation-State Hackers Target U.S in Operation TradeSecret
Stone Panda
2017-04-06 | FireEye | FireEye iSIGHT Intelligence
@online{intelligence:20170406:apt10:08847cf, author = {FireEye iSIGHT Intelligence}, title = {{APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat}}, date = {2017-04-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html}, language = {English}, urldate = {2019-12-20} } APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat
Stone Panda
2017-04-04 | PWC UK | PWC UK
@techreport{uk:20170404:operation:6d02e48, author = {PWC UK}, title = {{Operation Cloud Hopper}}, date = {2017-04-04}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf}, language = {English}, urldate = {2020-01-10} } Operation Cloud Hopper
Stone Panda
2017-04-03 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20170403:ratredleaves:c0d1a92, author = {Shusei Tomonaga}, title = {{オープンソースのRATを改良したマルウエアRedLeaves}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/magazine/acreport-redleaves.html}, language = {Japanese}, urldate = {2020-01-06} } オープンソースのRATを改良したマルウエアRedLeaves
RedLeaves
2017-04-03 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123, author = {Shusei Tomonaga}, title = {{RedLeaves - Malware Based on Open Source RAT}}, date = {2017-04-03}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html}, language = {English}, urldate = {2020-01-10} } RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves
2017-04-03 | Github (nccgroup) | David Cannings
@online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } Technical Notes on RedLeaves
RedLeaves
2017-04 | PricewaterhouseCoopers | PricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2017-02-27 | Threat Vector | Jon Gross
@online{gross:20170227:deception:c424a01, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Threat Vector}, url = {https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-05} } The Deception Project: A New Japanese-Centric Threat
ChChes Snake Wine
2017-02-25 | Financial Security Institute | Kyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2017-02-16 | Jen Miller-Osborn, Josh Grunzweig
@online{millerosborn:20170216:menupass:4aebb40, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations}}, date = {2017-02-16}, url = {https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/}, language = {English}, urldate = {2019-11-21} } menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
Stone Panda
2017-02-16 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Josh Grunzweig
@online{millerosborn:20170216:menupass:a829340, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations}}, date = {2017-02-16}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/}, language = {English}, urldate = {2019-12-20} } menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
ChChes
2017-02-10 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20170210:powersploit:8c4789a, author = {Shusei Tomonaga}, title = {{PowerSploit}}, date = {2017-02-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html}, language = {Japanese}, urldate = {2020-01-09} } PowerSploit
ChChes
2017-01-30 | Palo Alto Networks Unit 42 | Mashav Sapir, Tomer Bar, Netanel Rimer, Taras Malivanchuk, Yaron Samuel, Simon Conant
@online{sapir:20170130:downeks:8ed6329, author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant}, title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}}, date = {2017-01-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments}, language = {English}, urldate = {2019-12-20} } Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments
Quasar RAT
2017-01-26 | JPCERT/CC | Yu Nakamura
@online{nakamura:20170126:malware:273897c, author = {Yu Nakamura}, title = {{Malware ChChes interacts with C & C server using Cookie header}}, date = {2017-01-26}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/magazine/acreport-ChChes.html}, language = {Japanese}, urldate = {2019-07-09} } Malware ChChes interacts with C & C server using Cookie header
ChChes Snake Wine
2016-11-22 | Palo Alto Networks Unit 42 | Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster
@online{ray:20161122:tropic:7f503e7, author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster}, title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}}, date = {2016-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/}, language = {English}, urldate = {2019-12-20} } Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
Poison Ivy
2016-10-20 | Twitter (@malwrhunterteam) | MalwareHunterTeam
@online{malwarehunterteam:20161020:quasar:f530cea, author = {MalwareHunterTeam}, title = {{Tweet on Quasar RAT}}, date = {2016-10-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/789153556255342596}, language = {English}, urldate = {2019-07-11} } Tweet on Quasar RAT
Quasar RAT
2016-10-11 | Symantec | Symantec Security Response
@online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff Anunak
2016-04-26 | Github (CyberMonitor) | Jason Jones
@techreport{jones:20160426:new:78ff145, author = {Jason Jones}, title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}}, date = {2016-04-26}, institution = {Github (CyberMonitor)}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf}, language = {English}, urldate = {2019-12-17} } New Poison Ivy Activity Targeting Myanmar, Asian Countries
Poison Ivy
2016-04-22 | Palo Alto Networks Unit 42 | Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn
@online{yates:20160422:new:249e32b, author = {Micah Yates and Mike Scott and Brandon Levene and Jen Miller-Osborn}, title = {{New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists}}, date = {2016-04-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/}, language = {English}, urldate = {2019-12-20} } New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Poison Ivy
2016-04-22 | Cylance | Isaac Palmer
@online{palmer:20160422:ghost:dda6514, author = {Isaac Palmer}, title = {{The Ghost Dragon}}, date = {2016-04-22}, organization = {Cylance}, url = {https://blog.cylance.com/the-ghost-dragon}, language = {English}, urldate = {2020-01-08} } The Ghost Dragon
Ghost RAT
2016-04-15 | FireEye | Grady Summers
@techreport{summers:20160415:2016:3d22a6f, author = {Grady Summers}, title = {{2016 THREAT BRIEFING: “GOOD ENOUGH” IS NOT GOOD ENOUGH}}, date = {2016-04-15}, institution = {FireEye}, url = {http://fireeyeday.com/1604/pdf/KeyNote_2.pdf}, language = {English}, urldate = {2020-01-15} } 2016 THREAT BRIEFING: “GOOD ENOUGH” IS NOT GOOD ENOUGH
Poldat
2016-03-02 | RSA Conference | Vanja Svajcer
@techreport{svajcer:20160302:dissecting:e8721e3, author = {Vanja Svajcer}, title = {{Dissecting Derusbi}}, date = {2016-03-02}, institution = {RSA Conference}, url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf}, language = {English}, urldate = {2020-02-27} } Dissecting Derusbi
Derusbi
2016-02-23 | Cylance | Jon Gross, Cylance SPEAR Team
@techreport{gross:20160223:operation:424641b, author = {Jon Gross and Cylance SPEAR Team}, title = {{Operation Dust Storm}}, date = {2016-02-23}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf}, language = {English}, urldate = {2020-01-09} } Operation Dust Storm
Misdat Poldat Dust Storm
2015-12-15 | Airbus Defence & Space | Fabien Perigaud
@online{perigaud:20151215:newcomers:73beb0c, author = {Fabien Perigaud}, title = {{Newcomers in the Derusbi family}}, date = {2015-12-15}, organization = {Airbus Defence & Space}, url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family}, language = {English}, urldate = {2020-02-27} } Newcomers in the Derusbi family
Derusbi
2015-11-19 | JPCERT/CC | You Nakatsuru
@online{nakatsuru:20151119:decrypting:8be1808, author = {You Nakatsuru}, title = {{Decrypting Strings in Emdivi}}, date = {2015-11-19}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html}, language = {English}, urldate = {2019-11-28} } Decrypting Strings in Emdivi
Emdivi
2015-10-08 | Virus Bulletin | Micky Pun, Eric Leung, Neo Tan
@techreport{pun:20151008:catching:368d81d, author = {Micky Pun and Eric Leung and Neo Tan}, title = {{Catching the silent whisper: Understanding the Derusbi family tree}}, date = {2015-10-08}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf}, language = {English}, urldate = {2020-02-27} } Catching the silent whisper: Understanding the Derusbi family tree
Derusbi
2015-09-01 | Trend Micro | Benson Sy
@online{sy:20150901:attackers:3703ecf, author = {Benson Sy}, title = {{Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor}}, date = {2015-09-01}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/}, language = {English}, urldate = {2019-12-17} } Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor
Emdivi
2015-08-20 | Kaspersky Labs | Suguru Ishimaru
@online{ishimaru:20150820:new:d553aa4, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-activity-of-the-blue-termite-apt/71876/}, language = {English}, urldate = {2019-12-20} } New activity of the Blue Termite APT
Emdivi
2015-08 | Arbor Networks | ASERT Team
@online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27
2015-02-27 | ThreatConnect | ThreatConnect Research Team
@online{team:20150227:anthem:3576532, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-01-09} } The Anthem Hack: All Roads Lead to China
Derusbi
2015-02-06 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-10-28 | Novetta | Novetta
@techreport{novetta:20141028:derusbi:aae275a, author = {Novetta}, title = {{Derusbi (Server Variant) Analysis}}, date = {2014-10-28}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf}, language = {English}, urldate = {2020-01-06} } Derusbi (Server Variant) Analysis
Derusbi
2014-09-19 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Ryan Olson
@online{millerosborn:20140919:recent:edf1ed3, author = {Jen Miller-Osborn and Ryan Olson}, title = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}}, date = {2014-09-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/}, language = {English}, urldate = {2019-12-20} } Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
Poison Ivy
2013-10-31 | FireEye | Thoufique Haq, Ned Moran
@online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy Temper Panda
2013-08-23 | FireEye | Nart Villeneuve, Thoufique Haq, Ned Moran
@online{villeneuve:20130823:operation:dc4b5d6, author = {Nart Villeneuve and Thoufique Haq and Ned Moran}, title = {{Operation Molerats: Middle East Cyber Attacks Using Poison Ivy}}, date = {2013-08-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html}, language = {English}, urldate = {2019-12-20} } Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Poison Ivy Molerats
2012 | Norman ASA | Snorre Fagerland
@techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } The many faces of Gh0st Rat
Ghost RAT
2012 | Cobalt Strike | Cobalt Strike
@online{strike:2012:cobalt:8522cdd, author = {Cobalt Strike}, title = {{Cobalt Strike Website}}, date = {2012}, organization = {Cobalt Strike}, url = {https://www.cobaltstrike.com/support}, language = {English}, urldate = {2020-01-13} } Cobalt Strike Website
Cobalt Strike
2011-06-29 | Symantec | John McDonald
@online{mcdonald:20110629:inside:b955948, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-04-21} } Inside a Back Door Attack
Ghost RAT Dust Storm
2011 | Symantec | Erica Eng, Gavin O'Gorman
@techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } The Nitro Attacks: Stealing Secrets from the Chemical Industry
Poison Ivy Nitro
2009-03-28 | Information Warfare Monitor | Information Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13, author = {Information Warfare Monitor}, title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}}, date = {2009-03-28}, institution = {Information Warfare Monitor}, url = {http://www.nartv.org/mirror/ghostnet.pdf}, language = {English}, urldate = {2020-04-23} } Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet

Credits: MISP Project