UNC2452 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UNC2452 (Back to overview)

aka: DarkHalo, StellarParticle, NOBELIUM

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.

Associated Families

win.teardrop win.sunburst win.goldmax win.raindrop win.cobalt_strike

References

2021-11-30 ⋅ Broadcom ⋅ Symantec Threat Hunter Team
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands

2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike

2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle

2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT

2021-11-17 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike

2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot

2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson
Finding Beacons in the dark
Cobalt Strike

2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot

2021-11-13 ⋅ Just Still ⋅ Still Hsu
Threat Spotlight - Domain Fronting
Cobalt Strike

2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike

2021-11-11 ⋅ Cynet ⋅ Max Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot

2021-11-10 ⋅ AT&T ⋅ Josh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti

2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike

2021-11-09 ⋅ Cybereason ⋅ Cybereason Global SOC Team
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti

2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike

2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity

2021-11-03 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike

2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens
New Tool: cs-extract-key.py
Cobalt Strike

2021-11-02 ⋅ Intel 471 ⋅ Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti

2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti

2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme
Cobalt Strike Process Injection
Cobalt Strike

2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz

2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o
From Zero to Domain Admin
Cobalt Strike Hancitor

2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-27 ⋅ Kaspersky ⋅ Ivan Kwiatkowski
Extracting type information from Go binaries
GoldMax

2021-10-27 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy

2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti

2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet

2021-10-21 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike

2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon

2021-10-18 ⋅ paloalto Netoworks: Unit42 ⋅ Brad Duncan
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike

2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil

2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle

2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot

2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle

2021-10-06 ⋅ Blackberry ⋅ Blackberry Research
Finding Beacons in the Dark
Cobalt Strike

2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT

2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike

2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti

2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle

2021-09-30 ⋅ PT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike

2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor

2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti

2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-27 ⋅ Cynet ⋅ Max Malyutin
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle

2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile

2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz

2021-09-22 ⋅ CISA ⋅ US-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti

2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike

2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle

2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team
Scanning VirusTotal's firehose
Cobalt Strike

2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring

2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike

2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike

2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot

2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin
Pointer: Hunting Cobalt Strike globally
Cobalt Strike

2021-09-16 ⋅ RiskIQ ⋅ RiskIQ
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk

2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike

2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®
Full-Spectrum Cobalt Strike Detection
Cobalt Strike

2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti

2021-09-10 ⋅ Gigamon ⋅ Joe Slowik
Rendering Threats: A Network Perspective
Cobalt Strike

2021-09-09 ⋅ Trend Micro ⋅ Trend Micro
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
Cobalt Strike

2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa
Hook Heaps and Live Free
Cobalt Strike

2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike

2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike

2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-09-02 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Autodesk reveals it was targeted by Russian SolarWinds hackers
SUNBURST

2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, GaborSzappanos
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike

2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike PowerShell Payload Analysis
Cobalt Strike

2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear

2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign
Cobalt Strike

2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz

2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report
Cobalt Strike, a Defender’s Guide
Cobalt Strike

2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike

2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee
Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk

2021-08-24 ⋅ ESET Research ⋅ Thibaut Passilly, Mathieu Tartare
The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk

2021-08-23 ⋅ FBI ⋅ FBI
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz

2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Chad Tilbury
Keynote: Cobalt Strike Threat Hunting
Cobalt Strike

2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex

2021-08-19 ⋅ Sekoia ⋅ sekoia
An insider insights into Conti operations – Part two
Cobalt Strike Conti

2021-08-18 ⋅ Intezer ⋅ Ryan Robinson
Cobalt Strike: Detect this Persistent Threat
Cobalt Strike

2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti

2021-08-17 ⋅ Sekoia ⋅ sekoia
An insider insights into Conti operations – Part one
Cobalt Strike Conti

2021-08-17 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike

2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti

2021-08-09 ⋅ IstroSec ⋅ Ladislav Bačo
APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike

2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer

2021-08-05 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike

2021-08-04 ⋅ CrowdStrike ⋅ Falcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker

2021-08-04 ⋅ Sentinel LABS ⋅ Gal Kristal
Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike

2021-08-04 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike

2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae

2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ Alexander Rausch, Konstantin Klinger
The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike

2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot

2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike

2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike

2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse
NTLM Relaying via Cobalt Strike
Cobalt Strike

2021-07-27 ⋅ Gigamon ⋅ Joe Slowik
Ghosts on the Wire: Expanding Conceptions of Network Anomalies
SUNBURST

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-07-25 ⋅ Medium svch0st ⋅ svch0st
Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike

2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike

2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID

2021-07-14 ⋅ MDSec ⋅ Chris Basnett
Investigating a Suspicious Service
Cobalt Strike

2021-07-14 ⋅ Kaspersky ⋅ Mark Lechtik, Paul Rascagnères, Aseel Kayal
LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike

2021-07-14 ⋅ Google ⋅ Maddie Stone, Clement Lecigne, Google Threat Analysis Group
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike

2021-07-13 ⋅ Symantec ⋅ Threat Hunter Team
Attacks Against the Government Sector
Raindrop TEARDROP

2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP

2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor

2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team
Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader

2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi

2021-07-07 ⋅ McAfee ⋅ McAfee Labs
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk

2021-07-07 ⋅ Trustwave ⋅ Rodel Mendrez, Nikita Kazymirskyi
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil

2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike

2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio
Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike

2021-07-02 ⋅ MalwareBookReports ⋅ muzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex

2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu
Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike

2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
Backdoored Client from Mongolian CA MonPass
Cobalt Strike

2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil

2021-06-29 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford
Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike

2021-06-29 ⋅ Accenture ⋅ Accenture Security
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz

2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor

2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike

2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex

2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID

2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike

2021-06-17 ⋅ Binary Defense ⋅ Brandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor

2021-06-16 ⋅ Mandiant ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, Jordan Nuce
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM

2021-06-16 ⋅ FireEye ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM

2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy

2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades

2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker

2021-06-12 ⋅ YouTube (BSidesBoulder) ⋅ Kurt Baumgartner, Kaspersky
Same and Different - sesame street level attribution
Kazuar SUNBURST

2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev
Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike

2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7
Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike

2021-06-04 ⋅ Inky ⋅ Roger Kay
Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike

2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein
Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879
Cobalt Strike

2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock

2021-06-02 ⋅ Sophos ⋅ Sean Gallagher
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter

2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike

2021-06-01 ⋅ SANS ⋅ Kevin Haley, Jake Williams
A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP

2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike

2021-06-01 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
New sophisticated email-based attack from NOBELIUM
Cobalt Strike

2021-06-01 ⋅ Cisco ⋅ Josh Pyorre
Backdoors, RATs, Loaders evasion techniques
BazarNimrod GoldMax Oblique RAT

2021-05-29 ⋅ Twitter (@elisalem9) ⋅ Eli Salem
Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452
Cobalt Strike

2021-05-28 ⋅ CISA ⋅ US-CERT
Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike

2021-05-28 ⋅ CISA ⋅ US-CERT
Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike

2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-25 ⋅ Huntress Labs ⋅ Matthew Brennan
Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike

2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike

2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike

2021-05-19 ⋅ Intel 471 ⋅ Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz

2021-05-17 ⋅ Talos ⋅ Brad Garnett
Case Study: Incident Response is a relationship-driven business
Cobalt Strike

2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti

2021-05-14 ⋅ CISA ⋅ US-CERT
Analysis Report (AR21-134A): Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise
SUNBURST

2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide

2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt
From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader

2021-05-13 ⋅ AWAKE ⋅ Kieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS

2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike

2021-05-12 ⋅ The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-11 ⋅ FireEye ⋅ Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide

2021-05-10 ⋅ ZERO.BS ⋅ ZEROBS
Cobaltstrike-Beacons analyzed
Cobalt Strike

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-05-08 ⋅ The Record ⋅ Catalin Cimpanu
SolarWinds says fewer than 100 customers were impacted by supply chain attack
SUNBURST

2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear

2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike

2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike

2021-05-07 ⋅ Medium svch0st ⋅ svch0st
Stats from Hunting Cobalt Strike Beacons
Cobalt Strike

2021-05-07 ⋅ SolarWinds ⋅ Solarwind
An Investigative Update of the Cyberattack
SUNBURST

2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike

2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker

2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos
Intervention halts a ProxyLogon-enabled attack
Cobalt Strike

2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike

2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot

2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike

2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul)
Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike

2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut
Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike

2021-04-24 ⋅ Non-offensive security ⋅ Non-offensive security team
Detect Cobalt Strike server through DNS protocol
Cobalt Strike

2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer

2021-04-22 ⋅ RiskIQ ⋅ RiskIQ
SolarWinds: Advancing the Story
SUNBURST

2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer

2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC

2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike

2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID

2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens
Decoding Cobalt Strike Traffic
Cobalt Strike

2021-04-15 ⋅ European Council ⋅ Council of the European Union
Declaration by the High Representative on behalf of the European Union expressing solidarity with the United States on the impact of the SolarWinds cyber operation
SUNBURST

2021-04-15 ⋅ CISA ⋅ US-CERT
Malware Analysis Report (AR21-105A): SUNSHUTTLE
GoldMax

2021-04-15 ⋅ Ministry of foreign affairs of the Republic of Latvia ⋅ Ministry of foreign affairs of the Republic of Latvia
Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities (Deadlink)
SUNBURST

2021-04-15 ⋅ Ministry of Foreign Affairs Republic of Poland ⋅ Ministry of Foreign Affairs Republic of Poland
Statement on Solar Winds Orion cyberattacks
SUNBURST

2021-04-15 ⋅ North Atlantic Treaty Organization ⋅ NATO
North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia
SUNBURST

2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike

2021-04-09 ⋅ F-Secure ⋅ Riccardo Ancarani, Giulio Ginesi
Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike

2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike

2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot

2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor

2021-04-01 ⋅ DomainTools ⋅ Joe Slowik
COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-30 ⋅ GuidePoint Security ⋅ Drew Schmitt
Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike

2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil

2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens
Finding Metasploit & Cobalt Strike URLs
Cobalt Strike

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-18 ⋅ CISA ⋅ US-CERT
Alert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
SUNBURST

2021-03-18 ⋅ Github (cisagov) ⋅ CISA
CISA Hunt and Incident Response Program (CHIRP)
SUNBURST

2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross
Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike

2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic

2021-03-17 ⋅ CISA ⋅ US-CERT
SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures (Dead Link)
SUNBURST

2021-03-16 ⋅ McAfee ⋅ McAfee ATR
Technical Analysis of Operation Diànxùn
Cobalt Strike

2021-03-16 ⋅ Mimecast ⋅ Mimecast
Incident Report
SUNBURST

2021-03-16 ⋅ Elastic ⋅ Joe Desimone
Detecting Cobalt Strike with memory signatures
Cobalt Strike

2021-03-11 ⋅ Qurium ⋅ Qurium
Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike

2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat

2021-03-10 ⋅ US-CERT ⋅ CISA
Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
SUNBURST

2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike

2021-03-09 ⋅ splunk ⋅ Security Research Team
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike

2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Katie Nickels, Adam Pennington, Jen Burns
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP

2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike

2021-03-08 ⋅ x0r19x91.gitlab.io ⋅ Suvaditya Sur
Sunshuttle Malware
GoldMax

2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens
PCAPs and Beacons
Cobalt Strike

2021-03-04 ⋅ Microsoft ⋅ Ramin Nafisi, Andrea Lelli, Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
SUNBURST TEARDROP UNC2452

2021-03-04 ⋅ Microsoft ⋅ Ramin Nafisi, Andrea Lelli
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
GoldMax

2021-03-04 ⋅ FireEye ⋅ Lindsay Smith, Jonathan Leathery, Ben Read
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452
UNC2452

2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike

2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
Investigation into the state of Nim malware
BazarNimrod Cobalt Strike

2021-03-01 ⋅ Microsoft ⋅ Microsoft
Detect and defend against the recent nation-state cyber attack
SUNBURST

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-26 ⋅ YouTube (Oversight Committee) ⋅ Oversight Committee
Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign
SUNBURST

2021-02-25 ⋅ Microsoft ⋅ Microsoft Identity Security Team
Microsoft open sources CodeQL queries used to hunt for Solorigate activity
SUNBURST

2021-02-25 ⋅ Microsoft ⋅ Microsoft
CodeQL queries to hunt for Solorigate activity
SUNBURST

2021-02-25 ⋅ BrightTALK (FireEye) ⋅ Andrew Rector, Matt Bromiley, Mandiant
Light in the Dark: Hunting for SUNBURST
SUNBURST

2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown

2021-02-24 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
NASA and the FAA were also breached by the SolarWinds hackers
SUNBURST

2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-19 ⋅ THE NEW STACK ⋅ Lior Sonntag, Dror Alon
Behind the Scenes of the SunBurst Attack
SUNBURST

2021-02-17 ⋅ apirro ⋅ Ariel Levy
Detect and prevent the SolarWinds build-time code injection attack
SUNBURST

2021-02-17 ⋅ YouTube (The White House) ⋅ Anne Neuberger
Update on Investigaton on Solarwinds supply chain attack from the Deputy National Security Advisor
SUNBURST

2021-02-17 ⋅ Netresec ⋅ Erik Hjelmvik
Targeting Process for the SolarWinds Backdoor
SUNBURST

2021-02-16 ⋅ Accenture ⋅ Alexandrea Berninger
Hard lessons learned: Threat intel takeaways from the community response to Solarigate
SUNBURST TEARDROP

2021-02-16 ⋅ FireEye ⋅ Matt Bromiley, Andrew Rector, Robert Wallace
Light in the Dark: Hunting for SUNBURST
SUNBURST

2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor

2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge
Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike

2021-02-09 ⋅ Securehat ⋅ Securehat
Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP

2021-02-08 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR21-039B): MAR-10320115-1.v1 - TEARDROP
TEARDROP

2021-02-08 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR21-039A): SUNBURST
SUNBURST

2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC

2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp
How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on recent dridex post infection activity
Cobalt Strike Dridex

2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis
Relay Attacks via Cobalt Strike Beacons
Cobalt Strike

2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil

2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk

2021-01-29 ⋅ Aon ⋅ Partha Alwar, Carly Battaile, Alex Parsons
Cloudy with a Chance of Persistent Email Access
SUNBURST

2021-01-28 ⋅ TrustedSec ⋅ Adam Chester
Tailoring Cobalt Strike on Target
Cobalt Strike

2021-01-28 ⋅ Check Point ⋅ Lior Sonntag
Deep into the SunBurst Attack
SUNBURST

2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team
BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil

2021-01-28 ⋅ YouTube (Microsoft Security Community) ⋅ Microsoft
Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender
SUNBURST

2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz

2021-01-26 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Mimecast links security breach to SolarWinds hackers
SUNBURST

2021-01-26 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
SunBurst industrial victims
SUNBURST

2021-01-26 ⋅ Fidelis ⋅ Chris Kubic
Ongoing Analysis of SolarWinds Impacts
SUNBURST

2021-01-26 ⋅ Mimecast ⋅ Mimecast Contributing Writer
Important Security Update
SUNBURST

2021-01-25 ⋅ Netresec ⋅ Erik Hjelmvik
Twenty-three SUNBURST Targets Identified
SUNBURST

2021-01-25 ⋅ ZenGo ⋅ Tal Be'ery
Ungilded Secrets: A New Paradigm for Key Security
SUNBURST

2021-01-24 ⋅ Medium vrieshd ⋅ VriesHD
Finding SUNBURST victims and targets by using passive DNS, OSINT
SUNBURST

2021-01-22 ⋅ Symantec ⋅ Threat Hunter Team
SolarWinds: How Sunburst Sends Data Back to the Attackers
SUNBURST

2021-01-22 ⋅ DomainTools ⋅ Joe Slowik
Change in Perspective on the Utility of SUNBURST-related Network Indicators
SUNBURST

2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP

2021-01-19 ⋅ Github (fireeye) ⋅ FireEye
Mandiant Azure AD Investigator: Focusing on UNC2452 TTPs
SUNBURST

2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team
Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP

2021-01-17 ⋅ a12d404 ⋅ Markus Piéton
Backdooring MSBuild
SUNBURST

2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti

2021-01-15 ⋅ Symantec ⋅ Threat Hunter Team
SolarWinds: Insights into Attacker Command and Control Process
SUNBURST

2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike

2021-01-14 ⋅ DomainTools ⋅ Joe Slowik
The Devil’s in the Details: SUNBURST Attribution
SUNBURST

2021-01-14 ⋅ Microsoft ⋅ Microsoft 365 Defender Team
Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender
SUNBURST

2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad

2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist
UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP

2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen
Abusing cloud services to fly under the radar
Cobalt Strike

2021-01-11 ⋅ Kaspersky Labs ⋅ Georgy Kucherin, Igor Kuznetsov, Costin Raiu
Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST

2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Still Alive and Well
Cobalt Strike TrickBot

2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna
New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP

2021-01-11 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
SUNSPOT: An Implant in the Build Process
SUNBURST

2021-01-11 ⋅ Netresec ⋅ Erik Hjelmvik
Robust Indicators of Compromise for SUNBURST
SUNBURST

2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike

2021-01-08 ⋅ US-CERT ⋅ US-CERT
Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
SUNBURST SUPERNOVA

2021-01-08 ⋅ splunk ⋅ Marcus LaFerrera, John Stoner, Lily Lee, James Brodsky, Ryan Kovar
A Golden SAML Journey: SolarWinds Continued
SUNBURST

2021-01-07 ⋅ Recorded Future ⋅ Insikt Group®
Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2

2021-01-07 ⋅ Symantec ⋅ Threat Hunter Team
SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar
SUNBURST

2021-01-07 ⋅ TRUESEC ⋅ Sebastian Olsson
Avoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST)
SUNBURST

2021-01-06 ⋅ Department of Justice ⋅ Department of Justice
Department of Justice Statement on Solarwinds Update
SUNBURST

2021-01-06 ⋅ Github (SentinelLabs) ⋅ SentinelLabs
SolarWinds_Countermeasures
SUNBURST

2021-01-06 ⋅ CISA ⋅ US-CERT
Supply Chain Compromise
SUNBURST

2021-01-06 ⋅ Red Canary ⋅ Tony Lambert
Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2

2021-01-06 ⋅ MITRE ⋅ MITRE ATT&CK
ATT&CK Navigator layer for UNC2452
SUNBURST

2021-01-05 ⋅ Sangfor ⋅ Clairvoyance Safety Laboratory
Red team's perspective on the TTPs in Sunburst's backdoor
SUNBURST

2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike

2021-01-04 ⋅ Twitter (@TheEnergyStory) ⋅ Dominik Reichel
Some small detail on compiler used for TEARDROP
TEARDROP

2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag
Malleable C2 Profiles and You
Cobalt Strike

2021-01-04 ⋅ Netresec ⋅ Erik Hjelmvik
Finding Targeted SUNBURST Victims with pDNS
SUNBURST

2021 ⋅ Mandiant ⋅ Mandiant
M-TRENDS 2021
Cobalt Strike SUNBURST

2021 ⋅ Talos ⋅ Talos Incident Response
Evicting Maze
Cobalt Strike Maze

2021 ⋅ Github (WBGlIl) ⋅ WBGlIl
A book on cobaltstrike
Cobalt Strike

2021 ⋅ Talos ⋅ Talos Incident Response
Cobalt Strikes Out
Cobalt Strike

2021 ⋅ SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER

2021 ⋅ DomainTools ⋅ Joe Slowik
Conceptualizing a Continuum of Cyber Threat Attribution
CHINACHOPPER SUNBURST

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL

2020-12-31 ⋅ IronNet ⋅ IronNet
SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action
SUNBURST

2020-12-31 ⋅ Microsoft ⋅ MSRC Team
Microsoft Internal Solorigate Investigation Update
SUNBURST

2020-12-30 ⋅ Recorded Future ⋅ John Wetzel
SOLARWINDS ATTRIBUTION: Are We Getting Ahead of Ourselves? An Analysis of UNC2452 Attribution
SUNBURST

2020-12-29 ⋅ CyberArk ⋅ Shaked Reiner
Golden SAML Revisited: The Solorigate Connection
SUNBURST

2020-12-29 ⋅ Netresec ⋅ Erik Hjelmvik
Extracting Security Products from SUNBURST DNS Beacons
SUNBURST

2020-12-28 ⋅ Microsoft ⋅ Microsoft 365 Defender Team
Using Microsoft 365 Defender to protect against Solorigate
SUNBURST TEARDROP

2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck
Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike

2020-12-25 ⋅ Comae ⋅ Matt Suiche
SUNBURST & Memory Analysis
SUNBURST

2020-12-24 ⋅ FireEye ⋅ Stephen Eckels, Jay Smith, William Ballenthin
SUNBURST Additional Technical Details
SUNBURST

2020-12-24 ⋅ Twitter (@TheEnergyStory) ⋅ Dominik Reichel
Tweet on TEARDROP sample
TEARDROP

2020-12-23 ⋅ Qianxin ⋅ Qi AnXin CERT
从Solarwinds供应链攻击（金链熊）看APT行动中的隐蔽作战
SUNBURST

2020-12-23 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
A Timeline Perspective of the SolarStorm Supply-Chain Attack
SUNBURST TEARDROP

2020-12-23 ⋅ Prevasio ⋅ Sergei Shevchenko
DNS Tunneling In The SolarWinds Supply Chain Attack
SUNBURST

2020-12-23 ⋅ CrowdStrike ⋅ Michael Sentonas
CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
SUNBURST

2020-12-22 ⋅ Checkpoint ⋅ Check Point Research
SUNBURST, TEARDROP and the NetSec New Normal
SUNBURST TEARDROP

2020-12-22 ⋅ Symantec ⋅ Threat Hunter Team
SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection
SUNBURST

2020-12-22 ⋅ Microsoft ⋅ Alex Weinert
Azure AD workbook to help you assess Solorigate risk
SUNBURST

2020-12-22 ⋅ Zscaler ⋅ Zscaler
The Hitchhiker’s Guide to SolarWinds Incident Response
SUNBURST

2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk

2020-12-22 ⋅ FBI ⋅ FBI
PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities
SUNBURST

2020-12-22 ⋅ Medium mitre-attack ⋅ Matt Malone, Adam Pennington
Identifying UNC2452-Related Techniques for ATT&CK
SUNBURST TEARDROP UNC2452

2020-12-22 ⋅ Youtube (Colin Hardy) ⋅ Colin Hardy
SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims
SUNBURST

2020-12-22 ⋅ Prevasio ⋅ Sergei Shevchenko
Sunburst Backdoor, Part III: DGA & Security Software (Broken Link)
SUNBURST

2020-12-21 ⋅ McAfee ⋅ Mo Cashman, Arnab Roy
How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise
SUNBURST

2020-12-21 ⋅ Fortinet ⋅ Udi Yavo
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP

2020-12-21 ⋅ SophosLabs Uncut ⋅ SophosLabs Threat Research
How SunBurst malware does defense evasion
SUNBURST UNC2452

2020-12-21 ⋅ Microsoft ⋅ Alex Weinert
Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers.
SUNBURST

2020-12-21 ⋅ IronNet ⋅ Peter Rydzynski
SolarWinds/SUNBURST: DGA or DNS Tunneling?
SUNBURST

2020-12-21 ⋅ Microsoft ⋅ MSRC Team
Solorigate Resource Center
SUNBURST TEARDROP

2020-12-20 ⋅ Twitter (@TychoTithonus) ⋅ Royce Williams
SolarWinds/SunBurst FNV-1a-XOR hashes found in analysis
SUNBURST

2020-12-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka
A Look into SUNBURST’s DGA
SUNBURST

2020-12-20 ⋅ Randhome ⋅ Etienne Maynier
Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike

2020-12-19 ⋅ Bleeping Computer ⋅ Lawrence Abrams
The SolarWinds cyberattack: The hack, the victims, and what we know
SUNBURST

2020-12-18 ⋅ Costin Raiu
Tweet from Costin Raiu about confirmed TEARDROP sample
TEARDROP

2020-12-18 ⋅ Cloudflare ⋅ Nick Blazier, Jesse Kipp
A quirk in the SUNBURST DGA algorithm
SUNBURST

2020-12-18 ⋅ Elastic ⋅ Camilla Montonen, Justin Ibarra
Combining supervised and unsupervised machine learning for DGA detection
SUNBURST

2020-12-18 ⋅ IBM ⋅ Gladys Koskas
SUNBURST indicator detection in QRadar
SUNBURST

2020-12-18 ⋅ Sentinel LABS ⋅ James Haughom
SolarWinds SUNBURST Backdoor: Inside the APT Campaign
SUNBURST

2020-12-18 ⋅ Kaspersky Labs ⋅ Igor Kuznetsov, Costin Raiu
Sunburst: connecting the dots in the DNS requests
SUNBURST

2020-12-18 ⋅ DomainTools ⋅ Joe Slowik
Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident
SUNBURST

2020-12-18 ⋅ ThreatConnect ⋅ ThreatConnect
Tracking Sunburst-Related Activity with ThreatConnect Dashboards
SUNBURST

2020-12-18 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
SUNBURST SUPERNOVA TEARDROP UNC2452

2020-12-17 ⋅ TRUESEC ⋅ Fabio Viggiani
The SolarWinds Orion SUNBURST supply-chain Attack
SUNBURST

2020-12-17 ⋅ Microsoft ⋅ Brad Smith
A moment of reckoning: the need for a strong and global cybersecurity response
SUNBURST

2020-12-17 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
SUNBURST

2020-12-17 ⋅ McAfee ⋅ Christiaan Beek, Cedric Cochin, Raj Samani
Additional Analysis into the SUNBURST Backdoor
SUNBURST

2020-12-17 ⋅ Prevasio ⋅ Sergei Shevchenko
Sunburst Backdoor, Part II: DGA & The List of Victims
SUNBURST

2020-12-17 ⋅ Twitter (@megabeets_) ⋅ Itay Cohen
Tweet on SUNBURST malware discussing some of its evasion techniques
SUNBURST

2020-12-17 ⋅ Youtube (Colin Hardy) ⋅ Colin Hardy
SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering
SUNBURST

2020-12-17 ⋅ Netresec ⋅ Erik Hjelmvik
Reassembling Victim Domain Fragments from SUNBURST DNS
SUNBURST

2020-12-17 ⋅ splunk ⋅ John Stoner
Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued
SUNBURST

2020-12-17 ⋅ TrustedSec ⋅ Trustedsec
SolarWinds Backdoor (Sunburst) Incident Response Playbook
SUNBURST

2020-12-16 ⋅ Github (RedDrip7) ⋅ RedDrip7
A script to decode SUNBURST DGA domain
SUNBURST

2020-12-16 ⋅ Microsoft ⋅ Shain Wray
SolarWinds Post-Compromise Hunting with Azure Sentinel
SUNBURST

2020-12-16 ⋅ Cyborg Security ⋅ Josh Meltzer
SUNBURST: SolarWinds Supply-Chain Attack
SUNBURST

2020-12-16 ⋅ ReversingLabs ⋅ Tomislav Pericin
SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience
SUNBURST

2020-12-16 ⋅ Twitter (@0xrb) ⋅ R. Bansal
List of domain infrastructure including DGA domain used by UNC2452
SUNBURST

2020-12-16 ⋅ Pastebin ⋅ Anonymous
Paste of subdomain & DGA domain names used in SolarWinds attack
SUNBURST UNC2452

2020-12-16 ⋅ Intel 471 ⋅ Intel 471
Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground
SUNBURST

2020-12-16 ⋅ Qianxin ⋅ Red Raindrop Team
中招目标首次披露：SolarWinds供应链攻击相关域名生成算法可破解！
SUNBURST

2020-12-16 ⋅ Cloudflare ⋅ Jesse Kipp, Malavika Balachandran Tadeusz
Trend data on the SolarWinds Orion compromise
SUNBURST

2020-12-16 ⋅ Twitter @cybercdh) ⋅ Colin Hardy
Tweet on 3 key actions SUNBURST performs as soon as it's invoked
SUNBURST

2020-12-16 ⋅ Twitter (@FireEye) ⋅ FireEye
Tweet on SUNBURST from FireEye detailing some additional information
SUNBURST

2020-12-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams
FireEye, Microsoft create kill switch for SolarWinds backdoor
SUNBURST

2020-12-15 ⋅ 360 Threat Intelligence Center ⋅ Advanced Threat Institute
Operation Falling Eagle-the secret of the most influential supply chain attack in history
SUNBURST

2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team
solarwinds-threathunt
Cobalt Strike SUNBURST

2020-12-15 ⋅ Corelight ⋅ John Gamble
Finding SUNBURST Backdoor with Zeek Logs & Corelight
SUNBURST

2020-12-15 ⋅ Prevasio ⋅ Sergei Shevchenko
Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware
SUNBURST

2020-12-15 ⋅ Twitter @cybercdh) ⋅ Colin Hardy
Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.
SUNBURST

2020-12-15 ⋅ Cyborg Security ⋅ Austin Jackson
Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)
SUNBURST

2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST

2020-12-15 ⋅ Twitter @cybercdh) ⋅ Colin Hardy
Tweet on some more capabilties of SUNBURST backdoor
SUNBURST

2020-12-14 ⋅ Twitter (@lordx64) ⋅ Taha Karim
Tweet on a one liner to decrypt SUNBURST backdoor
SUNBURST

2020-12-14 ⋅ TrustedSec ⋅ Nick Gilberti, Tyler Hudak
SolarWinds Orion and UNC2452 – Summary and Recommendations
SUNBURST

2020-12-14 ⋅ Cado Security ⋅ Christopher Doman
Responding to Solarigate
SUNBURST

2020-12-14 ⋅ Olaf Hartong
FireEye Sunburst KQL Detections
SUNBURST

2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST

2020-12-14 ⋅ Cisco Talos ⋅ Nick Biasini
Threat Advisory: SolarWinds supply chain attack
SUNBURST TEARDROP

2020-12-14 ⋅ Symantec ⋅ Threat Hunter Team
Sunburst: Supply Chain Attack Targets SolarWinds Users
SUNBURST TEARDROP

2020-12-14 ⋅ Twitter (@ItsReallyNick) ⋅ Nick Carr
Tweet on summarizing post-compromise actvity of UNC2452
SUNBURST

2020-12-14 ⋅ Twitter (@KimZetter) ⋅ Kim Zetter
Tweet thread on microsoft report on Solarwind supply chain attack by UNC2452
SUNBURST

2020-12-14 ⋅ Youtube (Ali Hadi) ⋅ Ali Hadi
Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor
SUNBURST

2020-12-14 ⋅ Solarwind ⋅ Solarwind
Security Advisory on SolarWinds Supply chain attack FAQ
SUNBURST SUPERNOVA

2020-12-14 ⋅ Solarwind ⋅ Solarwind
Security Advisory on SolarWinds Supply chain attack
SUNBURST SUPERNOVA

2020-12-14 ⋅ DomainTools ⋅ Joe Slowik
Unraveling Network Infrastructure Linked to the SolarWinds Hack
SUNBURST

2020-12-14 ⋅ Volexity ⋅ Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research
Dark Halo Leverages SolarWinds Compromise to Breach Organizations
SUNBURST

2020-12-14 ⋅ splunk ⋅ Ryan Kovar
Using Splunk to Detect Sunburst Backdoor
SUNBURST

2020-12-14 ⋅ Sophos ⋅ Ross McKerchar
Incident response playbook for responding to SolarWinds Orion compromise
SUNBURST

2020-12-13 ⋅ VX-Underground
Directory: /samples/Exotic/UNC2452/SolarWinds Breach/
SUNBURST

2020-12-13 ⋅ FireEye ⋅ Andrew Archer, Doug Bienstock, Chris DiGiamo, Glenn Edwards, Nick Hornick, Alex Pennino, Andrew Rector, Scott Runnels, Eric Scales, Nalani Fraiser, Sarah Jones, John Hultquist, Ben Read, Jon Leathery, Fred House, Dileep Jallepalli, Michael Sikorski, Stephen Eckels, William Ballenthin, Jay Smith, Alex Berry, Nick Richard, Isif Ibrahima, Dan Perez, Marcin Siedlarz, Ben Withnell, Barry Vengerik, Nicole Oppenheim, Ian Ahl, Andrew Thompson, Matt Dunwoody, Evan Reese, Steve Miller, Alyssa Rahman, John Gorman, Lennard Galang, Steve Stone, Nick Bennett, Matthew McWhirt, Mike Burns, Omer Baig, Nick Carr, Christopher Glyer, Ramin Nafisi, Microsoft
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
SUNBURST SUPERNOVA TEARDROP UNC2452

2020-12-13 ⋅ Github (fireeye) ⋅ FireEye
SUNBURST Countermeasures
SUNBURST SUPERNOVA TEARDROP UNC2452

2020-12-13 ⋅ Microsoft ⋅ Microsoft Security Intelligence
Trojan:MSIL/Solorigate.B!dha
SUNBURST

2020-12-13 ⋅ CISA ⋅ CISA
Active Exploitation of SolarWinds Software
SUNBURST

2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker

2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike

2020-12-10 ⋅ Intel 471 ⋅ Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT

2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil

2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot

2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge
A Red Teamer Plays with JARM
Cobalt Strike

2020-12-08 ⋅ Securonix ⋅ Oleg Kolesnikov, Den Iyzvyk
Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks
SUNBURST

2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot

2020-12 ⋅ FireEye ⋅ FireEye
Solarwinds Breach Resource Center
SUNBURST

2020-12-01 ⋅ 360.cn ⋅ jindanlong
Hunting Beacons
Cobalt Strike

2020-12-01 ⋅ mez0.cc ⋅ mez0
Cobalt Strike PowerShell Execution
Cobalt Strike

2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack

2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot

2020-11-25 ⋅ SentinelOne ⋅ Jim Walter
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike

2020-11-20 ⋅ 360 netlab ⋅ JiaYu
Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike

2020-11-17 ⋅ cyble ⋅ Cyble
OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter

2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot

2020-11-15 ⋅ Trustnet ⋅ Michael Wainshtain
From virus alert to PowerShell Encrypted Loader
Cobalt Strike

2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader

2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32

2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge
Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike

2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX

2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk

2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk

2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader

2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk

2020-10-29 ⋅ RiskIQ ⋅ RiskIQ
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk

2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot

2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT
List of CobaltStrike C2's used by RYUK
Cobalt Strike

2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878

2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon
MTR Casebook: An active adversary caught in the act
Cobalt Strike

2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk

2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike

2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC

2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk

2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel
Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter

2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
There is no safe place
Cobalt Strike

2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk

2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-10-01 ⋅ Wired ⋅ Andy Greenberg
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter

2020-10-01 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy

2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller
Getting the Bacon from the Beacon
Cobalt Strike

2020-09-29 ⋅ Github (Apr4h) ⋅ Apra
CobaltStrikeScan
Cobalt Strike

2020-09-24 ⋅ US-CERT ⋅ US-CERT
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter

2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, JON MUNSHAW
The art and science of detecting Cobalt Strike
Cobalt Strike

2020-09-18 ⋅ Trend Micro ⋅