aka: CactusPete, KARMA PANDA, BRONZE HUNTLEY, COPPER, Red Beifang, G0131, PLA Unit 65017
2023-05-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20230515:lancefly:49fd53e,
author = {Threat Hunter Team},
title = {{Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors}},
date = {2023-05-15},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor},
language = {English},
urldate = {2023-05-26}
}
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors PlugX ShadowPad ZXShell |
2023-04-05 ⋅ Medium Ilandu ⋅ Ilan Duhin @online{duhin:20230405:portdoor:e39d907,
author = {Ilan Duhin},
title = {{PortDoor - APT Backdoor analysis}},
date = {2023-04-05},
organization = {Medium Ilandu},
url = {https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba},
language = {English},
urldate = {2023-04-06}
}
PortDoor - APT Backdoor analysis ACBackdoor 8.t Dropper PortDoor |
2023-03-07 ⋅ Check Point Research ⋅ Check Point Research @online{research:20230307:pandas:2e3c757,
author = {Check Point Research},
title = {{Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities}},
date = {2023-03-07},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/},
language = {English},
urldate = {2023-03-13}
}
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities 8.t Dropper Soul Unidentified 089 (Downloader) |
2023-02-07 ⋅ MalGamy ⋅ MalGamy @online{malgamy:20230207:approach:ef67110,
author = {MalGamy},
title = {{The Approach of TA413 for Tibetan Targets}},
date = {2023-02-07},
organization = {MalGamy},
url = {https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage},
language = {English},
urldate = {2023-02-09}
}
The Approach of TA413 for Tibetan Targets 8.t Dropper LOWZERO |
2023-02-02 ⋅ Elastic ⋅ Salim Bitam, Remco Sprooten, Cyril François, Andrew Pease, Devon Kerr, Seth Goodwin @online{bitam:20230202:update:57ea3a2,
author = {Salim Bitam and Remco Sprooten and Cyril François and Andrew Pease and Devon Kerr and Seth Goodwin},
title = {{Update to the REF2924 intrusion set and related campaigns}},
date = {2023-02-02},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns},
language = {English},
urldate = {2023-03-21}
}
Update to the REF2924 intrusion set and related campaigns DoorMe ShadowPad SiestaGraph |
2022-10-25 ⋅ VMware Threat Analysis Unit ⋅ Takahiro Haruyama @techreport{haruyama:20221025:tracking:1f60260,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}},
date = {2022-10-25},
institution = {VMware Threat Analysis Unit},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf},
language = {English},
urldate = {2022-11-01}
}
Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning ShadowPad Winnti |
2022-09-30 ⋅ NCC Group ⋅ William Backhouse, Michael Mullen, Nikolaos Pantazopoulos @online{backhouse:20220930:glimpse:5194be6,
author = {William Backhouse and Michael Mullen and Nikolaos Pantazopoulos},
title = {{A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion}},
date = {2022-09-30},
organization = {NCC Group},
url = {https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/},
language = {English},
urldate = {2022-10-04}
}
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion ShadowPad |
2022-09-22 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220922:chinese:9349a24,
author = {Insikt Group®},
title = {{Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets}},
date = {2022-09-22},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf},
language = {English},
urldate = {2022-09-26}
}
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets 8.t Dropper LOWZERO |
2022-09-19 ⋅ Virus Bulletin ⋅ Takahiro Haruyama @techreport{haruyama:20220919:tracking:bffa146,
author = {Takahiro Haruyama},
title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}},
date = {2022-09-19},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf},
language = {English},
urldate = {2022-11-01}
}
Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning ShadowPad Winnti |
2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220913:new:2ff2e98,
author = {Threat Hunter Team},
title = {{New Wave of Espionage Activity Targets Asian Governments}},
date = {2022-09-13},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments},
language = {English},
urldate = {2022-09-20}
}
New Wave of Espionage Activity Targets Asian Governments MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT |
2022-09-06 ⋅ ESET Research ⋅ Thibaut Passilly @online{passilly:20220906:worok:0c106ac,
author = {Thibaut Passilly},
title = {{Worok: The big picture}},
date = {2022-09-06},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/},
language = {English},
urldate = {2022-09-10}
}
Worok: The big picture MimiKatz PNGLoad reGeorg ShadowPad |
2022-07-07 ⋅ Sentinel LABS ⋅ Tom Hegel @online{hegel:20220707:targets:174ab91,
author = {Tom Hegel},
title = {{Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs}},
date = {2022-07-07},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/},
language = {English},
urldate = {2022-07-12}
}
Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs 8.t Dropper Korlia |
2022-07-01 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20220701:toddycat:485d554,
author = {RiskIQ},
title = {{ToddyCat: A Guided Journey through the Attacker's Infrastructure}},
date = {2022-07-01},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/d8b749f2},
language = {English},
urldate = {2022-07-15}
}
ToddyCat: A Guided Journey through the Attacker's Infrastructure ShadowPad ToddyCat |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov @online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad Cobalt Strike PlugX ShadowPad |
2022-06-22 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220622:cyberattacks:3a05a70,
author = {Cert-UA},
title = {{Cyberattacks by China-associated groups against Russian scientific and technical enterprises and government agencies (CERT-UA#4860)}},
date = {2022-06-22},
organization = {Cert-UA},
url = {https://cert.gov.ua/article/375404},
language = {Ukrainian},
urldate = {2022-07-13}
}
Cyberattacks by China-associated groups against Russian scientific and technical enterprises and government agencies (CERT-UA#4860) QUICKMUTE |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies @online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh @techreport{chang:20220512:next:5fd8a83,
author = {Leon Chang and Silvia Yeh},
title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}},
date = {2022-05-12},
institution = {TEAMT5},
url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf},
language = {English},
urldate = {2022-08-08}
}
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides) KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu |
2022-05-02 ⋅ Sentinel LABS ⋅ Joey Chen, Amitai Ben Shushan Ehrlich @online{chen:20220502:moshen:1969df2,
author = {Joey Chen and Amitai Ben Shushan Ehrlich},
title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}},
date = {2022-05-02},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/},
language = {English},
urldate = {2022-05-04}
}
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad PlugX ShadowPad |
2022-04-08 ⋅ The Register ⋅ Laura Dobberstein @online{dobberstein:20220408:china:6626bbc,
author = {Laura Dobberstein},
title = {{China accused of cyberattacks on Indian power grid}},
date = {2022-04-08},
organization = {The Register},
url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/},
language = {English},
urldate = {2022-04-12}
}
China accused of cyberattacks on Indian power grid ShadowPad |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220406:continued:dcee8d2,
author = {Insikt Group®},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)}},
date = {2022-04-06},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf},
language = {English},
urldate = {2022-08-05}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38) ShadowPad |
2022-04-06 ⋅ Recorded Future ⋅ Insikt Group @online{group:20220406:continued:cdf57e5,
author = {Insikt Group},
title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group}},
date = {2022-04-06},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/},
language = {English},
urldate = {2022-04-12}
}
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group ShadowPad |
2022-02-23 ⋅ Dragos ⋅ Dragos @techreport{dragos:20220223:2021:539931a,
author = {Dragos},
title = {{2021 ICS OT Cybersecurity Year In Review}},
date = {2022-02-23},
institution = {Dragos},
url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf},
language = {English},
urldate = {2022-04-12}
}
2021 ICS OT Cybersecurity Year In Review ShadowPad |
2022-02-15 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220215:researchers:834fc13,
author = {Ravie Lakshmanan},
title = {{Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA}},
date = {2022-02-15},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html},
language = {English},
urldate = {2022-02-17}
}
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA ShadowPad |
2022-02-15 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20220215:shadowpad:cd3fa10,
author = {Counter Threat Unit Research Team},
title = {{ShadowPad Malware Analysis}},
date = {2022-02-15},
organization = {Secureworks},
url = {https://www.secureworks.com/research/shadowpad-malware-analysis},
language = {English},
urldate = {2022-02-17}
}
ShadowPad Malware Analysis ShadowPad |
2022-01-17 ⋅ Trend Micro ⋅ Joseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet @techreport{chen:20220117:delving:4cd2b1c,
author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet},
title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}},
date = {2022-01-17},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf},
language = {English},
urldate = {2022-07-25}
}
Delving Deep: An Analysis of Earth Lusca’s Operations BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca |
2021-12-17 ⋅ FBI ⋅ FBI @techreport{fbi:20211217:ac000159mw:03082da,
author = {FBI},
title = {{AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)}},
date = {2021-12-17},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/211220.pdf},
language = {English},
urldate = {2021-12-23}
}
AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515) ShadowPad |
2021-12-16 ⋅ TEAMT5 ⋅ Charles Li, Aragorn Tseng, Peter Syu, Tom Lai @online{li:20211216:winnti:adce3fa,
author = {Charles Li and Aragorn Tseng and Peter Syu and Tom Lai},
title = {{Winnti is Coming - Evolution after Prosecution}},
date = {2021-12-16},
organization = {TEAMT5},
url = {https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021},
language = {English},
urldate = {2023-04-28}
}
Winnti is Coming - Evolution after Prosecution Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder |
2021-12-08 ⋅ PWC UK ⋅ Adam Prescott @online{prescott:20211208:chasing:3921a35,
author = {Adam Prescott},
title = {{Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad}},
date = {2021-12-08},
organization = {PWC UK},
url = {https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html},
language = {English},
urldate = {2021-12-13}
}
Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad ShadowPad Earth Lusca |
2021-11-19 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka @online{amawaka:20211119:its:bd24ebf,
author = {Asuna Amawaka},
title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}},
date = {2021-11-19},
organization = {insomniacs(Medium)},
url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2},
language = {English},
urldate = {2021-11-25}
}
It’s a BEE! It’s a… no, it’s ShadowPad. ShadowPad |
2021-11-04 ⋅ Youtube (Virus Bulletin) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20211104:shadowpad:8dbd5c7,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}},
date = {2021-11-04},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=r1zAVX_HnJg},
language = {English},
urldate = {2022-08-08}
}
ShadowPad: the masterpiece of privately sold malware in Chinese espionage PlugX ShadowPad |
2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT @techreport{cert:20211026:attacks:6f30d0f,
author = {Kaspersky Lab ICS CERT},
title = {{APT attacks on industrial organizations in H1 2021}},
date = {2021-10-26},
institution = {Kaspersky},
url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf},
language = {English},
urldate = {2021-11-08}
}
APT attacks on industrial organizations in H1 2021 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy |
2021-09-01 ⋅ YouTube (Hack In The Box Security Conference) ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20210901:shadowpad:f9ae111,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}},
date = {2021-09-01},
organization = {YouTube (Hack In The Box Security Conference)},
url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U},
language = {English},
urldate = {2022-08-08}
}
SHADOWPAD: Chinese Espionage Malware-as-a-Service PlugX ShadowPad |
2021-08-23 ⋅ SentinelOne ⋅ Yi-Jhen Hsieh, Joey Chen @techreport{hsieh:20210823:shadowpad:58780f1,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-23},
institution = {SentinelOne},
url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf},
language = {English},
urldate = {2022-07-18}
}
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage PlugX ShadowPad |
2021-08-19 ⋅ Sentinel LABS ⋅ Yi-Jhen Hsieh, Joey Chen @online{hsieh:20210819:shadowpad:04bbb1e,
author = {Yi-Jhen Hsieh and Joey Chen},
title = {{ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-19},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/},
language = {English},
urldate = {2021-08-23}
}
ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage ShadowPad |
2021-08-12 ⋅ Sentinel LABS ⋅ SentinelLabs @techreport{sentinellabs:20210812:shadowpad:61c0a20,
author = {SentinelLabs},
title = {{ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage}},
date = {2021-08-12},
institution = {Sentinel LABS},
url = {https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf},
language = {English},
urldate = {2022-07-25}
}
ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage ShadowPad Earth Lusca |
2021-07-08 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210708:chinese:98d34d3,
author = {Insikt Group®},
title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}},
date = {2021-07-08},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/},
language = {English},
urldate = {2021-07-12}
}
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling ShadowPad Spyder Winnti |
2021-07-08 ⋅ YouTube (PT Product Update) ⋅ Denis Kuvshinov @online{kuvshinov:20210708:how:ea6d201,
author = {Denis Kuvshinov},
title = {{How winnti APT grouping works}},
date = {2021-07-08},
organization = {YouTube (PT Product Update)},
url = {https://www.youtube.com/watch?v=_fstHQSK-kk},
language = {Russian},
urldate = {2021-09-20}
}
How winnti APT grouping works Korlia ShadowPad Winnti |
2021-07-08 ⋅ PTSecurity ⋅ Denis Kuvshinov @techreport{kuvshinov:20210708:how:2e5a659,
author = {Denis Kuvshinov},
title = {{How winnti APT grouping works}},
date = {2021-07-08},
institution = {PTSecurity},
url = {https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf},
language = {Russian},
urldate = {2021-09-20}
}
How winnti APT grouping works Korlia ShadowPad Winnti |
2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd. @techreport{ltd:20210429:operations:a7ad0d4,
author = {Threat Detection NTT Ltd.},
title = {{The Operations of Winnti group}},
date = {2021-04-29},
institution = {NTT},
url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf},
language = {English},
urldate = {2021-08-09}
}
The Operations of Winnti group Cobalt Strike ShadowPad Spyder Winnti Earth Lusca |
2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210329:redecho:30b16b4,
author = {Catalin Cimpanu},
title = {{RedEcho group parks domains after public exposure}},
date = {2021-03-29},
organization = {The Record},
url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/},
language = {English},
urldate = {2021-03-31}
}
RedEcho group parks domains after public exposure PlugX ShadowPad RedEcho |
2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare @online{dupuy:20210310:exchange:8f65a1f,
author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare},
title = {{Exchange servers under siege from at least 10 APT groups}},
date = {2021-03-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
language = {English},
urldate = {2021-03-11}
}
Exchange servers under siege from at least 10 APT groups Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210228:chinalinked:2fb1230,
author = {Insikt Group®},
title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf},
language = {English},
urldate = {2021-03-04}
}
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions Icefog PlugX ShadowPad |
2021-02-28 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210228:chinalinked:ce3b62d,
author = {Insikt Group®},
title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}},
date = {2021-02-28},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/},
language = {English},
urldate = {2021-03-31}
}
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions PlugX ShadowPad RedEcho |
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-05 ⋅ Twitter (@8th_grey_owl) ⋅ 8thGreyOwl @online{8thgreyowl:20210205:calmthorn:8397a05,
author = {8thGreyOwl},
title = {{Tweet on CALMTHORN, used by Tonto Team}},
date = {2021-02-05},
organization = {Twitter (@8th_grey_owl)},
url = {https://twitter.com/8th_grey_owl/status/1357550261963689985},
language = {English},
urldate = {2021-02-09}
}
Tweet on CALMTHORN, used by Tonto Team CALMTHORN |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-13 ⋅ AlienVault ⋅ Tom Hegel @techreport{hegel:20210113:global:72b7b9d,
author = {Tom Hegel},
title = {{A Global Perspective of the SideWinder APT}},
date = {2021-01-13},
institution = {AlienVault},
url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf},
language = {English},
urldate = {2021-01-18}
}
A Global Perspective of the SideWinder APT 8.t Dropper Koadic SideWinder |
2021-01-04 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20210104:royal:041b9d3,
author = {nao_sec},
title = {{Royal Road! Re:Dive}},
date = {2021-01-04},
organization = {nao_sec blog},
url = {https://nao-sec.org/2021/01/royal-road-redive.html},
language = {English},
urldate = {2021-01-05}
}
Royal Road! Re:Dive 8.t Dropper Chinoxy FlowCloud FunnyDream Lookback |
2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20201210:operation:0eecfc8,
author = {Mathieu Tartare},
title = {{Operation StealthyTrident: corporate software under attack}},
date = {2020-12-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/},
language = {English},
urldate = {2020-12-10}
}
Operation StealthyTrident: corporate software under attack HyperBro PlugX ShadowPad Tmanger |
2020-11-23 ⋅ Youtube (OWASP DevSlop) ⋅ Negar Shabab, Noushin Shabab @online{shabab:20201123:compromised:6dd1417,
author = {Negar Shabab and Noushin Shabab},
title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}},
date = {2020-11-23},
organization = {Youtube (OWASP DevSlop)},
url = {https://www.youtube.com/watch?v=55kaaMGBARM},
language = {English},
urldate = {2020-11-23}
}
Compromised Compilers - A new perspective of supply chain cyber attacks ShadowPad |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
2020-10-03 ⋅ Trend Micro ⋅ Jaromír Hořejší, Daniel Lunghi, Cedric Pernet, Kazuki Fujisawa @techreport{hoej:20201003:earth:688aaf8,
author = {Jaromír Hořejší and Daniel Lunghi and Cedric Pernet and Kazuki Fujisawa},
title = {{Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure}},
date = {2020-10-03},
institution = {Trend Micro},
url = {https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf},
language = {English},
urldate = {2020-10-06}
}
Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure Dexbia TypeHash |
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-16 ⋅ RiskIQ ⋅ Jon Gross @online{gross:20200916:riskiq:da4b864,
author = {Jon Gross},
title = {{RiskIQ: Adventures in Cookie Land - Part 2}},
date = {2020-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/56fa1b2f},
language = {English},
urldate = {2020-09-23}
}
RiskIQ: Adventures in Cookie Land - Part 2 8.t Dropper Chinoxy Poison Ivy |
2020-09-08 ⋅ PTSecurity ⋅ PTSecurity @techreport{ptsecurity:20200908:shadowpad:2903f45,
author = {PTSecurity},
title = {{ShadowPad: new activity from the Winnti group}},
date = {2020-09-08},
institution = {PTSecurity},
url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf},
language = {English},
urldate = {2020-10-08}
}
ShadowPad: new activity from the Winnti group CCleaner Backdoor Korlia ShadowPad TypeHash |
2020-08-19 ⋅ RiskIQ ⋅ Jon Gross, Cory Kennedy @online{gross:20200819:riskiq:94e5ccf,
author = {Jon Gross and Cory Kennedy},
title = {{RiskIQ Adventures in Cookie Land - Part 1}},
date = {2020-08-19},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/5fe2da7f},
language = {English},
urldate = {2020-09-23}
}
RiskIQ Adventures in Cookie Land - Part 1 8.t Dropper Chinoxy |
2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200819:operation:445be8c,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: Colorful Panda Footprint}},
date = {2020-08-19},
institution = {NTT Security},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf},
language = {English},
urldate = {2022-07-29}
}
Operation LagTime IT: Colorful Panda Footprint 8.t Dropper Cotx RAT Poison Ivy TA428 |
2020-08-13 ⋅ Kaspersky Labs ⋅ Konstantin Zykov @online{zykov:20200813:cactuspete:6753952,
author = {Konstantin Zykov},
title = {{CactusPete APT group’s updated Bisonal backdoor}},
date = {2020-08-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/},
language = {English},
urldate = {2020-08-14}
}
CactusPete APT group’s updated Bisonal backdoor Korlia Tonto Team |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team @online{team:20200714:manufacturing:3e552ec,
author = {Falcon OverWatch Team},
title = {{Manufacturing Industry in the Adversaries’ Crosshairs}},
date = {2020-07-14},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/},
language = {English},
urldate = {2020-07-23}
}
Manufacturing Industry in the Adversaries’ Crosshairs ShadowPad Snake |
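2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola @online{great:20200603:cycldek:ed9a830,
  author        = {GReAT and Lechtik, Mark and Dedola, Giampaolo},
  title         = {{Cycldek}: Bridging the (air) gap},
  date          = {2020-06-03},
  organization  = {Kaspersky Labs},
  url           = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
  language      = {English},
  urldate       = {2020-06-03},
}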
Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing |
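2020-03-21 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz @online{kotowicz:20200321:royal:da8fd16,
  author        = {Kotowicz, Maciej},
  title         = {On the {Royal Road}},
  date          = {2020-03-21},
  organization  = {MalwareLab.pl},
  url           = {https://blog.malwarelab.pl/posts/on_the_royal_road/},
  language      = {English},
  urldate       = {2020-03-24},
}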
On the Royal Road 8.t Dropper |
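2020-03-20 ⋅ Medium Sebdraven ⋅ Sébastien Larinier @online{larinier:20200320:new:3da1211,
  author        = {Larinier, Sébastien},
  title         = {New version of {chinoxy} backdoor using {COVID19} alerts document lure},
  date          = {2020-03-20},
  organization  = {Medium Sebdraven},
  url           = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746},
  language      = {English},
  urldate       = {2020-03-26},
}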
New version of chinoxy backdoor using COVID19 alerts document lure 8.t Dropper Chinoxy |
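2020-03-12 ⋅ Check Point ⋅ Check Point Research @online{research:20200312:vicious:3218bb8,
  author        = {{Check Point Research}},
  title         = {{Vicious Panda}: The {COVID} Campaign},
  date          = {2020-03-12},
  organization  = {Check Point},
  url           = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/},
  language      = {English},
  urldate       = {2020-03-13},
}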
Vicious Panda: The COVID Campaign 8.t Dropper BYEBY Enfal Korlia Poison Ivy |
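2020-03-12 ⋅ Check Point Research ⋅ Check Point @online{point:20200312:vicious:1d97e93,
  author        = {{Check Point}},
  title         = {{Vicious Panda}: The {COVID} Campaign},
  date          = {2020-03-12},
  organization  = {Check Point Research},
  url           = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign},
  language      = {English},
  urldate       = {2022-07-25},
  internal-note = {Duplicate of research:20200312:vicious:3218bb8 (same article; author and organization swapped)},
}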
Vicious Panda: The COVID Campaign 8.t Dropper Vicious Panda |
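2020-03-11 ⋅ Virus Bulletin ⋅ Ghareeb Saad, Michael Raggi @online{saad:20200311:attribution:3efcc0a,
  author        = {Saad, Ghareeb and Raggi, Michael},
  title         = {Attribution is in the object: using {RTF} object dimensions to track {APT} phishing weaponizers},
  date          = {2020-03-11},
  organization  = {Virus Bulletin},
  url           = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/},
  language      = {English},
  urldate       = {2020-03-13},
}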
Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers 8.t Dropper |
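2020-03-05 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères, Vitor Ventura @online{mercer:20200305:bisonal:7885944,
  author        = {Mercer, Warren and Rascagnères, Paul and Ventura, Vitor},
  title         = {{Bisonal}: 10 years of play},
  date          = {2020-03-05},
  organization  = {Cisco Talos},
  url           = {https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html},
  language      = {English},
  urldate       = {2020-03-05},
}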
Bisonal: 10 years of play Korlia |
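2020-03-05 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team @online{team:20200305:bisonal:96d4292,
  author        = {{AhnLab ASEC Analysis Team}},
  title         = {신천지 비상연락처 위장한 {Bisonal} 악성코드 유포 중},
  date          = {2020-03-05},
  organization  = {AhnLab},
  url           = {https://asec.ahnlab.com/1298},
  language      = {Korean},
  urldate       = {2020-03-09},
}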
신천지 비상연락처 위장한 Bisonal 악성코드 유포 중 Korlia |
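2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
  author        = {CrowdStrike},
  title         = {2020 {CrowdStrike Global Threat Report}},
  date          = {2020-03-04},
  institution   = {CrowdStrike},
  url           = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  language      = {English},
  urldate       = {2020-07-24},
}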
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
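2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0,
  author        = {{PWC UK}},
  title         = {Cyber Threats 2019: A Year in Retrospect},
  date          = {2020-03-03},
  institution   = {PWC UK},
  url           = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
  language      = {English},
  urldate       = {2020-03-03},
}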
Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA |
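2020-01-31 ⋅ ESET Research ⋅ Mathieu Tartare @online{tartare:20200131:winnti:9f891e4,
  author        = {Tartare, Mathieu},
  title         = {{Winnti} Group targeting universities in {Hong Kong}},
  date          = {2020-01-31},
  organization  = {ESET Research},
  url           = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/},
  language      = {English},
  urldate       = {2020-02-03},
}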
Winnti Group targeting universities in Hong Kong ShadowPad Winnti |
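2020-01-29 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20200129:overhead:ec0aeb5,
  author        = {{nao\_sec}},
  title         = {An Overhead View of the {Royal Road}},
  date          = {2020-01-29},
  organization  = {nao\_sec blog},
  url           = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
  language      = {English},
  urldate       = {2020-02-03},
}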
An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
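2020-01-17 ⋅ NTT Security ⋅ Takai Hajime @techreport{hajime:20200117:operation:ef488fd,
  author        = {Takai, Hajime},
  title         = {Operation {Bitter Biscuit}},
  date          = {2020-01-17},
  institution   = {NTT Security},
  url           = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf},
  language      = {Japanese},
  urldate       = {2020-07-20},
}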
Operation Bitter Biscuit Korlia |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:3d292d3,
  author        = {SecureWorks},
  title         = {{BRONZE HUNTLEY}},
  organization  = {Secureworks},
  date          = {2020},
  url           = {https://www.secureworks.com/research/threat-profiles/bronze-huntley},
  urldate       = {2020-05-23},
  language      = {English},
}
BRONZE HUNTLEY Korlia |
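2019-11-19 ⋅ FireEye ⋅ Nalani Fraser, Kelli Vanderlee @techreport{fraser:20191119:achievement:30aad54,
  author        = {Fraser, Nalani and Vanderlee, Kelli},
  title         = {Achievement Unlocked: {Chinese} Cyber Espionage Evolves to Support Higher Level Missions},
  date          = {2019-11-19},
  institution   = {FireEye},
  url           = {https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
  language      = {English},
  urldate       = {2022-09-12},
}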
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions APT1 APT10 APT2 APT26 APT3 APT30 APT41 Naikon Tonto Team |
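2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare @techreport{mlveill:20191007:connecting:e59d4c8,
  author        = {Léveillé, Marc-Etienne M. and Tartare, Mathieu},
  title         = {{CONNECTING THE DOTS}: Exposing the arsenal and methods of the {Winnti} Group},
  date          = {2019-10-07},
  institution   = {ESET Research},
  url           = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf},
  language      = {English},
  urldate       = {2020-01-10},
}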
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group LOWKEY shadowhammer ShadowPad |
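2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7,
  author        = {{MITRE ATT\&CK}},
  title         = {{APT41}},
  date          = {2019-09-23},
  organization  = {MITRE},
  url           = {https://attack.mitre.org/groups/G0096},
  language      = {English},
  urldate       = {2022-08-30},
}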
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
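2019-09-22 ⋅ Check Point Research ⋅ Check Point Research @online{research:20190922:rancor:e834f67,
  author        = {{Check Point Research}},
  title         = {{Rancor}: The Year of The Phish},
  date          = {2019-09-22},
  organization  = {Check Point Research},
  url           = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
  language      = {English},
  urldate       = {2020-03-04},
}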
Rancor: The Year of The Phish 8.t Dropper Cobalt Strike |
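2019-07-23 ⋅ Proofpoint ⋅ Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team @online{raggi:20190723:chinese:804ec1c,
  author        = {Raggi, Michael and Schwarz, Dennis and {Proofpoint Threat Insight Team}},
  title         = {{Chinese} {APT} “Operation {LagTime IT}” Targets Government Information Technology Agencies in {Eastern Asia}},
  date          = {2019-07-23},
  organization  = {Proofpoint},
  url           = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology},
  language      = {English},
  urldate       = {2021-02-06},
}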
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia 8.t Dropper Cotx RAT Poison Ivy TA428 |
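2019-05-09 ⋅ Youtube (FireEye Korea) ⋅ Ryan Whelan @online{whelan:20190509:over:e376af5,
  author        = {Whelan, Ryan},
  title         = {Over the Horizon: Innovating to confront evolving cyber threats},
  date          = {2019-05-09},
  organization  = {Youtube (FireEye Korea)},
  url           = {https://www.youtube.com/watch?v=3cUWjojQXWE},
  language      = {English},
  urldate       = {2021-02-09},
}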
Over the Horizon: Innovating to confront evolving cyber threats CALMTHORN |
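2019-04-25 ⋅ DATANET ⋅ Kim Seon-ae @online{seonae:20190425:chinesebased:fa78904,
  author        = {Kim, Seon-ae},
  title         = {{Chinese}-based hackers attack domestic energy institutions},
  date          = {2019-04-25},
  organization  = {DATANET},
  url           = {https://www.datanet.co.kr/news/articleView.html?idxno=133346},
  language      = {Korean},
  urldate       = {2021-02-09},
}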
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
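2019-04-23 ⋅ Kaspersky Labs ⋅ GReAT, AMR @online{great:20190423:operation:20b8f83,
  author        = {GReAT and AMR},
  title         = {Operation {ShadowHammer}: a high-profile supply chain attack},
  date          = {2019-04-23},
  organization  = {Kaspersky Labs},
  url           = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/},
  language      = {English},
  urldate       = {2019-12-20},
}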
Operation ShadowHammer: a high-profile supply chain attack shadowhammer ShadowPad |
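2019-04-22 ⋅ Trend Micro ⋅ Mohamad Mokbel @online{mokbel:20190422:cc:23b1202,
  author        = {Mokbel, Mohamad},
  title         = {{C/C++} Runtime Library Code Tampering in Supply Chain},
  date          = {2019-04-22},
  organization  = {Trend Micro},
  url           = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html},
  language      = {English},
  urldate       = {2021-09-19},
}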
C/C++ Runtime Library Code Tampering in Supply Chain shadowhammer ShadowPad Winnti |
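2019-03-22 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team @techreport{team:20190322:asec:3a00378,
  author        = {{AhnLab ASEC Analysis Team}},
  title         = {{ASEC REPORT VOL.93 Q4} 2018},
  date          = {2019-03-22},
  institution   = {AhnLab},
  url           = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf},
  language      = {English},
  urldate       = {2020-07-24},
}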
ASEC REPORT VOL.93 Q4 2018 Korlia |
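2019-03-05 ⋅ Accenture ⋅ Accenture @techreport{accenture:20190305:mudcarps:2e785cc,
  author        = {Accenture},
  title         = {{MUDCARP}'s Focus on Submarine Technologies},
  date          = {2019-03-05},
  institution   = {Accenture},
  url           = {https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf},
  language      = {English},
  urldate       = {2022-09-12},
}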
MUDCARP's Focus on Submarine Technologies 8.t Dropper APT40 |
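2019-01-03 ⋅ m4n0w4r @online{m4n0w4r:20190103:another:2f48120,
  author        = {m4n0w4r},
  title         = {Another malicious document with {CVE-2017-11882}},
  date          = {2019-01-03},
  url           = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f},
  language      = {Vietnamese},
  urldate       = {2020-03-11},
}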
Another malicious document with CVE-2017–11882 8.t Dropper |
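2018-11-03 ⋅ m4n0w4r @online{m4n0w4r:20181103:l:d496fbd,
  author        = {m4n0w4r},
  title         = {Là {1937CN} hay {OceanLotus} hay {Lazarus} …},
  date          = {2018-11-03},
  url           = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241},
  language      = {Vietnamese},
  urldate       = {2020-03-11},
}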
Là 1937CN hay OceanLotus hay Lazarus … 8.t Dropper |
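2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier @online{larinier:20180731:malicious:571d2df,
  author        = {Larinier, Sébastien},
  title         = {Malicious document targets {Vietnamese} officials},
  date          = {2018-07-31},
  organization  = {Medium Sebdraven},
  url           = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a},
  language      = {English},
  urldate       = {2020-03-04},
}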
Malicious document targets Vietnamese officials 8.t Dropper |
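2018-07-31 ⋅ Palo Alto Networks Unit 42 ⋅ Kaoru Hayashi, Vicky Ray @online{hayashi:20180731:bisonal:8ca9ce6,
  author        = {Hayashi, Kaoru and Ray, Vicky},
  title         = {{Bisonal} Malware Used in Attacks Against {Russia} and {South Korea}},
  date          = {2018-07-31},
  organization  = {Palo Alto Networks Unit 42},
  url           = {https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/},
  language      = {English},
  urldate       = {2020-07-20},
}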
Bisonal Malware Used in Attacks Against Russia and South Korea Korlia |
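2018-05-15 ⋅ BSides Detroit ⋅ Keven Murphy, Stefano Maccaglia @online{murphy:20180515:ir:ac5b561,
  author        = {Murphy, Keven and Maccaglia, Stefano},
  title         = {{IR} in Heterogeneous Environment},
  date          = {2018-05-15},
  organization  = {BSides Detroit},
  url           = {https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment},
  language      = {English},
  urldate       = {2020-07-20},
}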
IR in Heterogeneous Environment Korlia Poison Ivy |
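2017-08-15 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20170815:shadowpad:3d5b9a0,
  author        = {GReAT},
  title         = {{ShadowPad} in corporate networks},
  date          = {2017-08-15},
  organization  = {Kaspersky Labs},
  url           = {https://securelist.com/shadowpad-in-corporate-networks/81432/},
  language      = {English},
  urldate       = {2019-12-20},
}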
ShadowPad in corporate networks ShadowPad |
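2017-04-21 ⋅ Ars Technica ⋅ Sean Gallagher @online{gallagher:20170421:researchers:f1ea70c,
  author        = {Gallagher, Sean},
  title         = {Researchers claim {China} trying to hack {South Korea} missile defense efforts},
  date          = {2017-04-21},
  organization  = {Ars Technica},
  url           = {https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/},
  language      = {English},
  urldate       = {2020-01-08},
}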
Researchers claim China trying to hack South Korea missile defense efforts Tonto Team |
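2017-04-21 ⋅ The Wall Street Journal ⋅ Jonathan Cheng, Josh Chin @online{cheng:20170421:china:8c7d327,
  author        = {Cheng, Jonathan and Chin, Josh},
  title         = {{China} Hacked {South Korea} Over Missile Defense, {U.S.} Firm Says},
  date          = {2017-04-21},
  organization  = {The Wall Street Journal},
  url           = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403},
  language      = {English},
  urldate       = {2020-08-17},
}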
China Hacked South Korea Over Missile Defense, U.S. Firm Says Tonto Team |
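2017-04-21 ⋅ The Wall Street Journal ⋅ Jonathan Cheng, Josh Chin @online{cheng:20170421:china:ab10228,
  author        = {Cheng, Jonathan and Chin, Josh},
  title         = {{China} Hacked {South Korea} Over Missile Defense, {U.S.} Firm Says},
  date          = {2017-04-21},
  organization  = {The Wall Street Journal},
  url           = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403},
  language      = {English},
  urldate       = {2020-01-06},
  internal-note = {Duplicate of cheng:20170421:china:8c7d327; the per-subscriber emailToken query parameter was removed from url because it is an access credential, not part of the article address},
}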
China Hacked South Korea Over Missile Defense, U.S. Firm Says Tonto Team |
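2014-11-25 ⋅ Adventures in Security ⋅ Nick Hoffman @online{hoffman:20141125:curious:57f7b6a,
  author        = {Hoffman, Nick},
  title         = {Curious {Korlia}},
  date          = {2014-11-25},
  organization  = {Adventures in Security},
  url           = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md},
  language      = {English},
  urldate       = {2022-09-19},
}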
Curious Korlia Korlia |
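2014-02-24 ⋅ RSA Conference ⋅ Dmitri Alperovitch @techreport{alperovitch:20140224:art:df5650c,
  author        = {Alperovitch, Dmitri},
  title         = {The Art of Attribution Identifying and Pursuing your Cyber Adversaries},
  date          = {2014-02-24},
  institution   = {RSA Conference},
  url           = {https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf},
  language      = {English},
  urldate       = {2020-04-06},
}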
The Art of Attribution Identifying and Pursuing your Cyber Adversaries ANDROMEDA SPIDER APT19 DEXTOROUS SPIDER Silent Chollima SINGING SPIDER Tonto Team TOXIC PANDA UNION SPIDER |
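2013 ⋅ FireEye ⋅ Alex Lanstein @techreport{lanstein:2013:apts:2b30193,
  author        = {Lanstein, Alex},
  title         = {{APTs} By The Dozen: Dissecting Advanced Attacks},
  date          = {2013},
  institution   = {FireEye},
  url           = {https://web.archive.org/web/20130920120931/https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf},
  language      = {English},
  urldate       = {2020-08-14},
}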
APTs By The Dozen: Dissecting Advanced Attacks Korlia |