@online{037:20190320:apt38:4c7f1d4, author = {@037}, title = {{APT38 DYEPACK FRAMEWORK}}, date = {2019-03-20}, organization = {Github (649)}, url = {https://github.com/649/APT38-DYEPACK}, language = {English}, urldate = {2019-12-17} } @online{0day2:20221225:sapphirestealer:2d1e2b2, author = {0day2}, title = {{SapphireStealer}}, date = {2022-12-25}, organization = {Github (0day2)}, url = {https://github.com/0day2/SapphireStealer/}, language = {English}, urldate = {2023-09-01} } @online{0r:20210306:microsoft:099b122, author = {Auth 0r}, title = {{Microsoft Exchange Zero Day’s – Mitigations and Detections.}}, date = {2021-03-06}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/microsoft-exchange-zero-days-mitigations-and-detections}, language = {English}, urldate = {2021-03-11} } @online{0r:20210514:darkside:bf9c5bc, author = {Auth 0r}, title = {{DarkSide Ransomware Operations – Preventions and Detections.}}, date = {2021-05-14}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections}, language = {English}, urldate = {2021-05-17} } @online{0verfl0w:20190115:analyzing:bf3b215, author = {0verfl0w_}, title = {{Analyzing COMmunication in Malware}}, date = {2019-01-15}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190205:revisiting:8e39d7e, author = {0verfl0w_}, title = {{Revisiting Hancitor in Depth}}, date = {2019-02-05}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190313:analysing:1f83706, author = {0verfl0w_}, title = {{Analysing ISFB – The First Loader}}, date = {2019-03-13}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190525:analyzing:84874ea, author = {0verfl0w_}, title = {{Analyzing ISFB – The Second Loader}}, date = {2019-05-25}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/}, language = {English}, urldate = {2020-01-13} } @online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } @online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20200607:dealing:b50665d, author = {0verfl0w_}, title = {{Dealing with Obfuscated Macros, Statically - NanoCore}}, date = {2020-06-07}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/}, language = {English}, urldate = {2020-06-11} } @online{0x09al:20181020:dropboxc2c:bf05a34, author = {0x09AL}, title = {{DropboxC2C}}, date = {2018-10-20}, url = {https://github.com/0x09AL/DropboxC2C}, language = {English}, urldate = {2020-03-06} } @online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } @online{0x0:20200404:nanocore:6649008, author = {Myrtus 0x0}, title = {{Nanocore & CypherIT}}, date = {2020-04-04}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/defeating-nanocore-and-cypherit/}, language = {English}, urldate = {2020-04-07} } @online{0x0:20231208:naming:d2bc4d6, author = {Myrtus 0x0}, title = {{Tweet naming the family}}, date = {2023-12-08}, organization = {Twitter (@Myrtus0x0)}, url = {https://twitter.com/Myrtus0x0/status/1732997981866209550}, language = {English}, urldate = {2023-12-11} } @online{0x0d4y:20230202:zero2automated:deb74e1, author = {0x0d4y}, title = {{[Zero2Automated] Complete Custom Sample Challenge Analysis}}, date = {2023-02-02}, organization = {0x0d4y}, url = {https://0x0d4y.blog/zero2automated-custom-sample/}, language = {English}, urldate = {2024-02-06} } @online{0x0d4y:20240109:icedid:c2c1394, author = {0x0d4y}, title = {{IcedID – Technical Malware Analysis [Second Stage]}}, date = {2024-01-09}, organization = {0x0d4y}, url = {https://0x0d4y.blog/icedid-technical-analysis/}, language = {English}, urldate = {2024-02-06} } @online{0x0d4y:20240408:icedid:a2778bd, author = {0x0d4y}, title = {{IcedID – Technical Analysis of an IcedID Lightweight x64 DLL}}, date = {2024-04-08}, organization = {0x0d4y}, url = {https://0x0d4y.blog/icedid-technical-analysis-of-x64-dll-version/}, language = {English}, urldate = {2024-04-10} } @online{0x0d4y:20240430:latrodectus:6311cf3, author = {0x0d4y}, title = {{Latrodectus [IceNova] – Technical Analysis of the… New IcedID… Its Continuation… Or its Replacement?}}, date = {2024-04-30}, organization = {0x0d4y}, url = {https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/}, language = {English}, urldate = {2024-05-02} } @online{0x0d4y:20240509:case:5c2e812, author = {0x0d4y}, title = {{[Case Study: Latrodectus] Analyzing and Implementing String Decryption Algorithms}}, date = {2024-05-09}, organization = {0x0d4y}, url = {https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/}, language = {English}, urldate = {2024-05-13} } @online{0x0d4y:20250115:babbleloader:2d7a1a7, author = {0x0d4y}, title = {{[BabbleLoader] A Deep Dive into EDR and Machine Learning-Based Endpoint Protection Evasion}}, date = {2025-01-15}, organization = {0x0d4y}, url = {https://0x0d4y.blog/babbleloader-deep-dive-into-edr-and-machine-learning-based-endpoint-protection-evasion/}, language = {English}, urldate = {2025-01-26} } @online{0x0d4y:20250219:technical:8ca81de, author = {0x0d4y}, title = {{Technical Analysis of Lockbit4.0 Evasion Tales}}, date = {2025-02-19}, organization = {0x0d4y}, url = {https://0x0d4y.blog/lockbit4-0-evasion-tales/}, language = {English}, urldate = {2025-02-19} } @online{0x0d4y:20250326:ffdgf:5d00548, author = {0x0d4y and Ismael Rocha}, title = {{ffdgf}}, date = {2025-03-26}, organization = {ISH Tecnologia}, url = {https://ish.com.br/en/blog/ransomware-lynx-saiba-como-mitigar-essa-ameaca/}, language = {Portuguese}, urldate = {2025-04-16} } @online{0x1c3n:20210827:anubis:1705302, author = {0x1c3N}, title = {{Anubis Android Malware Analysis}}, date = {2021-08-27}, organization = {0x1c3n.tech}, url = {https://0x1c3n.tech/anubis-android-malware-analysis}, language = {English}, urldate = {2021-09-02} } @online{0x1c:20240621:0001:ab3887b, author = {0x1c}, title = {{[0001] AmberAmethystDaisy -> QuartzBegonia -> LummaStealer}}, date = {2024-06-21}, organization = {0x1c}, url = {https://www.0x1c.zip/0001-lummastealer/}, language = {English}, urldate = {2024-07-17} } @online{0xastrovax:20201121:deep:89c1a51, author = {0xastrovax}, title = {{Deep Dive Into HERMES Ransomware}}, date = {2020-11-21}, organization = {vxhive blog}, url = {https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html}, language = {English}, urldate = {2021-12-13} } @online{0xastrovax:20210123:deep:47d960f, author = {0xastrovax}, title = {{Deep Dive Into SectopRat}}, date = {2021-01-23}, organization = {vxhive blog}, url = {https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html}, language = {English}, urldate = {2021-01-25} } @online{0xca7:20210504:malware:7647ea6, author = {0xca7}, title = {{Malware - Anti-Analysis}}, date = {2021-05-04}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=42yldTQ-fWA}, language = {English}, urldate = {2022-05-04} } @online{0xca7:20210603:fatalrat:b54478b, author = {0xca7}, title = {{FatalRAT: Dumping the "payload" aka. Cat vs RAT}}, date = {2021-06-03}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=gjvnVZc11Vg}, language = {English}, urldate = {2022-03-15} } @online{0xca7:20210707:snakekeylogger:fccf1d2, author = {0xca7}, title = {{Snakekeylogger - Information Stealer}}, date = {2021-07-07}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=vzyJp2w8bPE}, language = {English}, urldate = {2022-03-17} } @online{0xca7:20220109:cat:ca6499b, author = {0xca7}, title = {{Cat vs. RAT II - Bitrat}}, date = {2022-01-09}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=CYm3g4zkQdw}, language = {English}, urldate = {2022-03-17} } @online{0xca7:20220322:blackguard:05392f9, author = {0xca7}, title = {{Blackguard Infostealer}}, date = {2022-03-22}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=Fd8WjxzY2_g}, language = {English}, urldate = {2022-05-04} } @online{0xca7:20220403:powershell:397a431, author = {0xca7}, title = {{Powershell Script Deobfuscation}}, date = {2022-04-03}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=ip4aWFfdx4g}, language = {English}, urldate = {2022-05-04} } @online{0xebfe:20130330:fooled:88d133a, author = {0xEBFE}, title = {{Fooled by Andromeda}}, date = {2013-03-30}, organization = {0xEBFE Blog about life}, url = {http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/}, language = {English}, urldate = {2019-07-27} } @online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } @online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} } @online{0xffff0800:20190302:opjerusalm:4743e08, author = {@0xffff0800}, title = {{Tweet on #OpJerusalm Ransomware}}, date = {2019-03-02}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1102078898320302080}, language = {English}, urldate = {2019-07-08} } @online{0xmrmagnezi:20240216:malware:ff0c04a, author = {0xMrMagnezi}, title = {{Malware Analysis — AgentTesla}}, date = {2024-02-16}, organization = {Medium b.magnezi}, url = {https://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825}, language = {English}, urldate = {2024-02-22} } @online{0xmrmagnezi:20240221:malware:5b5607b, author = {0xMrMagnezi}, title = {{Malware Analysis — Remcos RAT}}, date = {2024-02-21}, organization = {Medium b.magnezi}, url = {https://medium.com/@b.magnezi/malware-analysis-ramcos-rat-48fd986328f5}, language = {English}, urldate = {2024-02-22} } @online{0xmrmagnezi:20240222:malware:e2071d8, author = {0xMrMagnezi}, title = {{Malware Analysis - XWorm}}, date = {2024-02-22}, organization = {Medium b.magnezi}, url = {https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb}, language = {English}, urldate = {2024-02-26} } @online{0xmrmagnezi:20240301:malware:8b2147e, author = {0xMrMagnezi}, title = {{Malware Analysis - Cobalt Strike}}, date = {2024-03-01}, organization = {Medium b.magnezi}, url = {https://medium.com/@b.magnezi/malware-analysis-cobalt-strike-92ef02b35ae0}, language = {English}, urldate = {2024-03-04} } @online{0xmrmagnezi:20240319:malware:25d1e5a, author = {0xMrMagnezi}, title = {{Malware Analysis NjRat}}, date = {2024-03-19}, organization = {Medium b.magnezi}, url = {https://medium.com/@b.magnezi/malware-analysis-njrat-5633847bd6f1}, language = {English}, urldate = {2024-03-25} } @online{0xmrmagnezi:20240606:agent:c4819c1, author = {0xMrMagnezi}, title = {{Agent Tesla Analysis}}, date = {2024-06-06}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/}, language = {English}, urldate = {2024-06-10} } @online{0xmrmagnezi:20240606:remcos:1f72f25, author = {0xMrMagnezi}, title = {{Remcos RAT Analysis}}, date = {2024-06-06}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/}, language = {English}, urldate = {2024-06-10} } @online{0xmrmagnezi:20240615:malware:eb4df1c, author = {0xMrMagnezi}, title = {{Malware Analysis FormBook}}, date = {2024-06-15}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/FormBook/}, language = {English}, urldate = {2024-06-24} } @online{0xmrmagnezi:20240714:malware:9aa2e7b, author = {0xMrMagnezi}, title = {{Malware Analysis - Rhadamanthys}}, date = {2024-07-14}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/}, language = {English}, urldate = {2024-07-19} } @online{0xmrmagnezi:20240925:lumma:9302edc, author = {0xMrMagnezi}, title = {{Lumma Stealer - Malware Analysis}}, date = {2024-09-25}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/}, language = {English}, urldate = {2024-09-27} } @online{0xmrmagnezi:20241202:lokibot:c7fa796, author = {0xMrMagnezi}, title = {{LokiBot Malware Analysis}}, date = {2024-12-02}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/}, language = {English}, urldate = {2024-12-09} } @online{0xmrmagnezi:20250227:nanocore:5eb8359, author = {0xMrMagnezi}, title = {{NanoCore Malware Analysis}}, date = {2025-02-27}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/NanoCore/}, language = {English}, urldate = {2025-02-28} } @online{0xmrmagnezi:20250423:asyncrat:120e824, author = {0xMrMagnezi}, title = {{AsyncRAT Malware Analysis}}, date = {2025-04-23}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/AsyncRAT/}, language = {English}, urldate = {2025-04-25} } @online{0xmrmagnezi:20250515:ave:8aacad6, author = {0xMrMagnezi}, title = {{Ave Maria Malware Analysis}}, date = {2025-05-15}, organization = {Medium b.magnezi}, url = {https://0xmrmagnezi.github.io/malware%20analysis/AveMaria/}, language = {English}, urldate = {2025-05-19} } @online{0xperator:20230722:hookbot:58a83c8, author = {0xperator}, title = {{HookBot Android Malware Builder Panel and APK Source}}, date = {2023-07-22}, organization = {Github (0xperator)}, url = {https://github.com/0xperator/hookbot_source}, language = {English}, urldate = {2023-07-24} } @online{0xthreatintel:20201212:reversing:945a5b8, author = {0xthreatintel}, title = {{Reversing QakBot [ TLP: White]}}, date = {2020-12-12}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7}, language = {English}, urldate = {2020-12-14} } @online{0xthreatintel:20201215:reversing:eddc936, author = {0xthreatintel}, title = {{Reversing Conti Ransomware}}, date = {2020-12-15}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74}, language = {English}, urldate = {2020-12-15} } @online{0xthreatintel:20210126:reversing:716c09c, author = {0xthreatintel}, title = {{Reversing APT Tool : SManager (Unpacked)}}, date = {2021-01-26}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4}, language = {English}, urldate = {2021-01-27} } @online{0xthreatintel:20210201:uncovering:d7b9216, author = {0xthreatintel}, title = {{Uncovering APT-C-41 (StrongPity) Backdoor}}, date = {2021-02-01}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4}, language = {English}, urldate = {2021-02-02} } @online{0xthreatintel:20210219:how:5fed055, author = {0xthreatintel}, title = {{How to unpack SManager APT tool?}}, date = {2021-02-19}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214}, language = {English}, urldate = {2021-02-20} } @online{0xtornado:20211115:exchange:2920728, author = {0xtornado and v3t0_}, title = {{Exchange Exploit Leads to Domain Wide Ransomware}}, date = {2021-11-15}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/}, language = {English}, urldate = {2021-11-17} } @online{0xtornado:20220404:stolen:3df91a7, author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0}, title = {{Stolen Images Campaign Ends in Conti Ransomware}}, date = {2022-04-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/}, language = {English}, urldate = {2022-04-04} } @online{0xtornado:20250519:another:6027f4b, author = {0xtornado and pcsc0ut and Randy Pargman}, title = {{Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware}}, date = {2025-05-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/}, language = {English}, urldate = {2025-05-21} } @online{0xtoxin:20220921:doenerium:0441083, author = {@0xToxin}, title = {{doenerium phishing campaign}}, date = {2022-09-21}, organization = {Twitter (@0xToxin)}, url = {https://twitter.com/0xToxin/status/1572612089901993985}, language = {English}, urldate = {2022-09-22} } @online{0xtoxin:20230110:rebranded:84d3bbc, author = {@0xToxin and Igal Lytzki}, title = {{The Rebranded Crypter: ScrubCrypt}}, date = {2023-01-10}, organization = {Perception Point}, url = {https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/}, language = {English}, urldate = {2023-01-11} } @online{0xtoxin:20230211:asyncrat:371c70d, author = {@0xToxin}, title = {{AsyncRAT OneNote Dropper}}, date = {2023-02-11}, url = {https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper}, language = {English}, urldate = {2023-02-14} } @online{0xtoxin:20230214:about:070431b, author = {@0xToxin}, title = {{Tweet about Venus Stealer}}, date = {2023-02-14}, url = {https://twitter.com/0xToxin/status/1625435116771180546}, language = {English}, urldate = {2023-02-21} } @online{0xtoxin:20230220:vidar:dd38156, author = {@0xToxin}, title = {{Vidar Stealer H&M Campaign}}, date = {2023-02-20}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/}, language = {English}, urldate = {2023-05-17} } @online{0xtoxin:20230304:bumblebee:810e7fc, author = {@0xToxin}, title = {{Bumblebee DocuSign Campaign}}, date = {2023-03-04}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/}, language = {English}, urldate = {2023-05-17} } @online{0xtoxin:20230319:gozi:bb7bade, author = {@0xToxin}, title = {{Gozi - Italian ShellCode Dance}}, date = {2023-03-19}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/}, language = {English}, urldate = {2023-05-17} } @online{0xtoxin:20230319:scrubcrypt:707ec19, author = {@0xToxin}, title = {{ScrubCrypt - The Rebirth of Jlaive}}, date = {2023-03-19}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/}, language = {English}, urldate = {2023-05-17} } @online{0xtoxin:20230409:lummac2:b5f84e3, author = {@0xToxin}, title = {{LummaC2 BreakDown}}, date = {2023-04-09}, url = {https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx}, language = {English}, urldate = {2023-04-10} } @online{0xtoxin:20230414:plutocrypt:8145f93, author = {@0xToxin}, title = {{PlutoCrypt - A CryptoJoker Ransomware Variant}}, date = {2023-04-14}, url = {https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/plutocrypt-a-cryptojoker-ransomware-variant}, language = {English}, urldate = {2023-04-18} } @online{0xtoxin:20230520:kraken:bda38fc, author = {@0xToxin}, title = {{Kraken - The Deep Sea Lurker Part 1}}, date = {2023-05-20}, url = {https://0xtoxin.github.io/malware%20analysis/KrakenKeylogger-pt1/}, language = {English}, urldate = {2023-05-21} } @online{0xtoxin:20230526:kraken:5536c6f, author = {@0xToxin}, title = {{Kraken - The Deep Sea Lurker Part 2}}, date = {2023-05-26}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/threat%20hunting/KrakenKeylogger-pt2/}, language = {English}, urldate = {2023-05-26} } @online{0xtoxin:20230806:darkgate:8847660, author = {@0xToxin}, title = {{DarkGate - Threat Breakdown Journey}}, date = {2023-08-06}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/}, language = {English}, urldate = {2023-08-07} } @online{1d8:20200713:remcos:531702d, author = {1d8}, title = {{Remcos RAT Macro Dropper Doc}}, date = {2020-07-13}, organization = {Github (1d8)}, url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD}, language = {English}, urldate = {2020-07-16} } @online{1umos:20210616:cerberus:9fc9528, author = {Twitter (@1umos_)}, title = {{Cerberus Analysis - Android Banking Trojan}}, date = {2021-06-16}, organization = {nur.pub}, url = {https://nur.pub/cerberus-analysis}, language = {English}, urldate = {2021-06-21} } @online{20140313:20140313:energy:8736af5, author = {2014-03-13}, title = {{Energy Watering Hole Attack Used LightsOut Exploit Kit}}, date = {2014-03-13}, organization = {Threatpost}, url = {https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/}, language = {English}, urldate = {2020-01-08} } @online{2ero:20210805:attacks:200d665, author = {2ero}, title = {{Attacks on NCGSA, MOITT, MOD, NSCP and SCO in Pakistan}}, date = {2021-08-05}, organization = {Twitter (@BaoshengbinCumt)}, url = {https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA}, language = {Chinese}, urldate = {2021-08-06} } @online{360:20160531:operation:406d937, author = {360}, title = {{Operation Mermaid: 6 years of overseas targeted attacks revealed}}, date = {2016-05-31}, organization = {Freebuf}, url = {https://www.freebuf.com/articles/network/105726.html}, language = {Chinese}, urldate = {2021-03-04} } @online{360:20180712:blue:ca92dea, author = {360}, title = {{Blue Pork Mushroom (APT-C-12) targeted attack technical details revealed}}, date = {2018-07-12}, organization = {360 Threat Intelligence}, url = {https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA}, language = {Chinese}, urldate = {2020-04-06} } @online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } @online{360:20181205:operation:65a4907, author = {360}, title = {{Operation Poison Needles - APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day}}, date = {2018-12-05}, organization = {360}, url = {http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN}, language = {English}, urldate = {2020-01-06} } @online{360:20190228:urlzone:e1814da, author = {360威胁情报中心}, title = {{URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees}}, date = {2019-02-28}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA}, language = {Chinese}, urldate = {2019-11-27} } @online{360:20200302:cia:d88b9c9, author = {Qihoo 360}, title = {{The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years}}, date = {2020-03-02}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT-C-39_CIA_EN.html}, language = {English}, urldate = {2020-03-03} } @online{360:20200406:darkhotel:78f0a7f, author = {Qihoo 360}, title = {{The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability}}, date = {2020-04-06}, organization = {360.cn}, url = {https://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html}, language = {English}, urldate = {2020-04-07} } @online{360:20200828:sneak:bc0fea4, author = {360威胁情报中心}, title = {{The "sneak camera" in mobile pornography software}}, date = {2020-08-28}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/shou-ji-se-qing-ruan-jian-zhong-de-tou-pai-zhe.html}, language = {English}, urldate = {2020-09-06} } @online{360:20201026:aptc44:a336bf6, author = {360}, title = {{北非狐(APT-C-44)攻击活动揭露}}, date = {2020-10-26}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-44.html}, language = {Chinese}, urldate = {2020-11-09} } @online{360:20201030:aptc35:0c53f1a, author = {360}, title = {{肚脑虫组织( APT-C-35)疑似针对巴基斯坦军事人员的最新攻击活动}}, date = {2020-10-30}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html}, language = {Chinese}, urldate = {2023-07-24} } @online{360:20201204:domestic:4c457ee, author = {360}, title = {{Domestic Kitten组织(APT-C-50)针对中东地区反政府群体的监控活动}}, date = {2020-12-04}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-50.html}, language = {Chinese}, urldate = {2020-12-17} } @online{360cert:20211018:global:5e330cf, author = {360Cert}, title = {{Global Advanced Persistent Threat (APT) Research Report for the First Half of 2021}}, date = {2021-10-18}, organization = {360}, url = {https://cert.360.cn/report/detail?id=6c9a1b56e4ceb84a8ab9e96044429adc}, language = {English}, urldate = {2023-08-11} } @online{360quake:20201218:solarwinds:1b22539, author = {360Quake}, title = {{SolarWinds失陷服务器测绘分析报告}}, date = {2020-12-18}, organization = {360Quake}, url = {https://www.anquanke.com/post/id/226029}, language = {Chinese}, urldate = {2020-12-23} } @online{3722304989:20231211:mustang:74599f1, author = {3722304989 and varit0}, title = {{Mustang Panda’s PlugX new variant targetting Taiwanese government and diplomats}}, date = {2023-12-11}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/}, language = {English}, urldate = {2024-07-17} } @online{3xp0rt:20200405:lets:fb49d9f, author = {3xp0rt}, title = {{Let's check: Sorano Stealer}}, date = {2020-04-05}, url = {https://3xp0rt.xyz/lpmkikVic}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200407:decompiled:83e10aa, author = {3xp0rt}, title = {{Decompiled SoranoStealer}}, date = {2020-04-07}, organization = {Github (3xp0rt)}, url = {https://github.com/3xp0rt/SoranoStealer}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200624:new:6b725c2, author = {3xp0rt}, title = {{Tweet on new version of TaurusStealer (v1.4)}}, date = {2020-06-24}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1275746149719252992}, language = {English}, urldate = {2020-06-24} } @online{3xp0rt:20200814:osiris:5de6596, author = {3xp0rt}, title = {{Tweet on Osiris}}, date = {2020-08-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1294157781415743488}, language = {English}, urldate = {2020-08-18} } @online{3xp0rt:20200906:of:b1e77c3, author = {3xp0rt}, title = {{Tweet and description of NixScare Stealer}}, date = {2020-09-06}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1302584919592501248}, language = {English}, urldate = {2020-09-15} } @online{3xp0rt:20201027:ficker:b890340, author = {3xp0rt}, title = {{Tweet on Ficker Stealer}}, date = {2020-10-27}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1321209656774135810}, language = {English}, urldate = {2021-12-17} } @online{3xp0rt:20201106:hunter:90ca7c9, author = {3xp0rt}, title = {{Tweet on Hunter Stealer}}, date = {2020-11-06}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1324800226381758471}, language = {English}, urldate = {2020-11-12} } @online{3xp0rt:20201126:xenon:83af8c2, author = {3xp0rt}, title = {{Tweet on Xenon Stealer}}, date = {2020-11-26}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1331974232192987142}, language = {English}, urldate = {2020-12-03} } @online{3xp0rt:20201230:alfonso:d99501e, author = {3xp0rt}, title = {{Tweet on Alfonso Stealer}}, date = {2020-12-30}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1344352253294104576}, language = {English}, urldate = {2021-01-11} } @online{3xp0rt:20210323:chminer:02aed99, author = {3xp0rt}, title = {{Tweet on chMiner RAT}}, date = {2021-03-23}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1374080720906420227}, language = {English}, urldate = {2021-04-16} } @online{3xp0rt:20210326:cypress:42266e4, author = {3xp0rt}, title = {{Tweet on Cypress Stealer}}, date = {2021-03-26}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1375547064348782595}, language = {English}, urldate = {2021-04-06} } @online{3xp0rt:20210408:bloody:403ff45, author = {3xp0rt}, title = {{Tweet on Bloody Stealer}}, date = {2021-04-08}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1380087553676697617}, language = {English}, urldate = {2021-05-19} } @online{3xp0rt:20210430:zenar:be4f5e3, author = {3xp0rt}, title = {{Tweet on Zenar Miner}}, date = {2021-04-30}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1387996083712888832?s=20}, language = {English}, urldate = {2021-05-19} } @online{3xp0rt:20210505:toxin:00d47c5, author = {3xp0rt}, title = {{Tweet on Toxin Miner}}, date = {2021-05-05}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1389692430061027328}, language = {English}, urldate = {2021-05-08} } @online{3xp0rt:20211112:tweets:fbce5a2, author = {3xp0rt}, title = {{Tweets on DarkLoader}}, date = {2021-11-12}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1459081435361517585}, language = {English}, urldate = {2021-12-22} } @online{3xp0rt:20211225:new:f35c1ac, author = {3xp0rt}, title = {{A new version of X-Files Stealer}}, date = {2021-12-25}, organization = {3xp0rt}, url = {https://twitter.com/3xp0rtblog/status/1473323635469438978}, language = {English}, urldate = {2022-04-20} } @online{3xp0rt:20220201:mars:3ff37ea, author = {3xp0rt}, title = {{Mars Stealer: Oski refactoring}}, date = {2022-02-01}, organization = {3xp0rt}, url = {https://3xp0rt.com/posts/mars-stealer}, language = {English}, urldate = {2022-04-15} } @online{3xp0rt:20220331:eternity:86e2c72, author = {3xp0rt}, title = {{Tweet on Eternity stealer}}, date = {2022-03-31}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1509601846494695438}, language = {English}, urldate = {2022-05-04} } @online{3xp0rt:20220401:000stealer:8b1ea3c, author = {3xp0rt}, title = {{Tweet on 000stealer, written in GO and its panel}}, date = {2022-04-01}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1509978637189419008}, language = {English}, urldate = {2022-05-04} } @online{3xp0rt:20220411:safire:69718f1, author = {3xp0rt}, title = {{Tweet on Safire Miner}}, date = {2022-04-11}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1513099720578801670}, language = {English}, urldate = {2022-05-04} } @online{3xp0rt:20220614:keona:a8f556d, author = {3xp0rt}, title = {{Tweet on Keona Clipper}}, date = {2022-06-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1536704209760010241}, language = {English}, urldate = {2022-07-01} } @online{404:20240206:aptk47:4728820, author = {K&XWS@Knownsec 404}, title = {{APT-K-47 Organization Launches Espionage Attacks Using a New Trojan Tool}}, date = {2024-02-06}, organization = {Knownsec}, url = {https://paper.seebug.org/3117/}, language = {English}, urldate = {2024-05-21} } @online{42:20171027:tracking:bde654e, author = {Unit 42}, title = {{Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository}}, date = {2017-10-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/}, language = {English}, urldate = {2019-12-20} } @online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} } @online{42:20190312:operation:3610bc8, author = {Unit 42}, title = {{Operation Comando: How to Run a Cheap and Effective Credit Card Business}}, date = {2019-03-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/}, language = {English}, urldate = {2019-10-23} } @online{42:20191202:imminent:462e901, author = {Unit 42}, title = {{Imminent Monitor – a RAT Down Under}}, date = {2019-12-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/}, language = {English}, urldate = {2020-01-06} } @online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } @online{42:20201223:timeline:466b51a, author = {Unit 42}, title = {{A Timeline Perspective of the SolarStorm Supply-Chain Attack}}, date = {2020-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline}, language = {English}, urldate = {2020-12-26} } @online{42:20210309:remediation:4973903, author = {Unit 42}, title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}}, date = {2021-03-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/}, language = {English}, urldate = {2021-03-11} } @online{42:20210311:microsoft:c51c694, author = {Unit 42}, title = {{Microsoft Exchange Server Attack Timeline}}, date = {2021-03-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/}, language = {English}, urldate = {2021-03-12} } @online{42:20210326:threat:343faf5, author = {Unit 42}, title = {{Threat Assessment: Matrix Ransomware}}, date = {2021-03-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/matrix-ransomware/}, language = {English}, urldate = {2021-03-30} } @online{42:20210703:threat:b329d9c, author = {Unit 42}, title = {{Threat Brief: Kaseya VSA Ransomware Attack}}, date = {2021-07-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/}, language = {English}, urldate = {2021-07-12} } @online{42:20210730:bazarloader:43bdc2c, author = {Unit 42}, title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}}, date = {2021-07-30}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20}, language = {English}, urldate = {2021-08-02} } @online{42:20211105:ta551:98c564e, author = {Unit 42}, title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}}, date = {2021-11-05}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1458113934024757256}, language = {English}, urldate = {2021-11-17} } @online{42:20211117:matanbuchus:9e3556c, author = {Unit 42}, title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}}, date = {2021-11-17}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1461004489234829320}, language = {English}, urldate = {2021-11-25} } @online{42:20220203:russias:920c595, author = {Unit 42}, title = {{Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine}}, date = {2022-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/}, language = {English}, urldate = {2022-02-07} } @online{42:20220203:russias:cd52f9f, author = {Unit 42}, title = {{Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (Updated June 22)}}, date = {2022-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021}, language = {English}, urldate = {2022-08-25} } @online{42:20220222:russiaukraine:63a2dfc, author = {Unit 42}, title = {{Russia-Ukraine Crisis: How to Protect Against the Cyber Impact}}, date = {2022-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/}, language = {English}, urldate = {2022-03-02} } @online{42:20220224:sockdetour:c8b1500, author = {Unit 42}, title = {{SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors}}, date = {2022-02-24}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sockdetour/}, language = {English}, urldate = {2022-03-10} } @online{42:20220225:spear:34925b2, author = {Unit 42}, title = {{Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot}}, date = {2022-02-25}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/}, language = {English}, urldate = {2022-03-01} } @techreport{42:20220324:ransomware:5478011, author = {Unit 42}, title = {{Ransomware Threat Report 2022}}, date = {2022-03-24}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf}, language = {English}, urldate = {2022-03-28} } @online{42:20220613:gallium:d89b0b2, author = {Unit 42}, title = {{GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool}}, date = {2022-06-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pingpull-gallium/}, language = {English}, urldate = {2022-06-15} } @online{42:20220718:adept:6318e92, author = {Unit 42}, title = {{Adept Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/adept-libra/}, language = {English}, urldate = {2022-07-25} } @online{42:20220718:aged:83ea482, author = {Unit 42}, title = {{Aged Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/agedlibra/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:alloy:740b049, author = {Unit 42}, title = {{Alloy Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/alloytaurus/}, language = {English}, urldate = {2022-07-25} } @online{42:20220718:boggy:69e4bfd, author = {Unit 42}, title = {{Boggy Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/boggyserpens/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:clean:053c441, author = {Unit 42}, title = {{Clean Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/clean-ursa/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:cloaked:ae3f3ab, author = {Unit 42}, title = {{Cloaked Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:crawling:d229f20, author = {Unit 42}, title = {{Crawling Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/crawling-taurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:evasive:ccfb062, author = {Unit 42}, title = {{Evasive Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/evasive-serpens/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:fighting:865c81e, author = {Unit 42}, title = {{Fighting Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/fighting-ursa/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:golfing:a35ad38, author = {Unit 42}, title = {{Golfing Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/golfing-taurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:granite:aaa5c01, author = {Unit 42}, title = {{Granite Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/granite-taurus}, language = {English}, urldate = {2022-08-30} } @online{42:20220718:granite:f7d2634, author = {Unit 42}, title = {{Granite Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/granite-taurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:hunter:5d20e4d, author = {Unit 42}, title = {{Hunter Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/hunter-serpens/}, language = {English}, urldate = {2022-07-25} } @online{42:20220718:iron:f7586c5, author = {Unit 42}, title = {{Iron Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:manga:5eaad04, author = {Unit 42}, title = {{Manga Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/mangataurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:moldy:593ab77, author = {Unit 42}, title = {{Moldy Pisces}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/moldypisces/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:money:f5f3920, author = {Unit 42}, title = {{Money Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/moneylibra/}, language = {English}, urldate = {2022-07-25} } @online{42:20220718:monster:1aaba4e, author = {Unit 42}, title = {{Monster Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/monsterlibra/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:mule:e63194d, author = {Unit 42}, title = {{Mule Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/mulelibra/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:nascent:4d2484b, author = {Unit 42}, title = {{Nascent Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/nascentursa/}, language = {English}, urldate = {2022-07-25} } @online{42:20220718:obscure:28a0051, author = {Unit 42}, title = {{Obscure Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/obscureserpens/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:pasty:1cb785a, author = {Unit 42}, title = {{Pasty Gemini}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/pastygemini/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:prying:1e164c7, author = {Unit 42}, title = {{Prying Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/pryinglibra/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:radio:5594a61, author = {Unit 42}, title = {{Radio Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/radioserpens/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:rancor:f5d3324, author = {Unit 42}, title = {{Rancor Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/rancortaurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:returned:7e264d7, author = {Unit 42}, title = {{Returned Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/returnedlibra/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:ruinous:c0bf32d, author = {Unit 42}, title = {{Ruinous Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/ruinousursa/}, language = {English}, urldate = {2022-07-25} } @online{42:20220718:shallow:cc9413f, author = {Unit 42}, title = {{Shallow Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:solar:e79bbfb, author = {Unit 42}, title = {{Solar Phoenix}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/solarphoenix/}, language = {English}, urldate = {2022-07-25} } @online{42:20220718:stalker:29762e4, author = {Unit 42}, title = {{Stalker Taurus}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/stalkertaurus/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:thief:907b1b4, author = {Unit 42}, title = {{Thief Libr}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/thieflibra/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:thirsty:52ce329, author = {Unit 42}, title = {{Thirsty Gemini}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/thirstygemini/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:trident:0e9c23b, author = {Unit 42}, title = {{Trident Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/tridentursa/}, language = {English}, urldate = {2022-07-29} } @online{42:20220718:trident:310d54a, author = {Unit 42}, title = {{Trident Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trident-ursa/}, language = {English}, urldate = {2024-06-24} } @online{42:20220718:windy:66f5597, author = {Unit 42}, title = {{Windy Phoenix}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/windyphoenix/}, language = {English}, urldate = {2022-07-29} } @online{42:20230426:chinese:3dad965, author = {Unit 42}, title = {{Chinese Alloy Taurus Updates PingPull Malware}}, date = {2023-04-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/alloy-taurus/}, language = {English}, urldate = {2023-04-27} } @online{42:20230526:threat:59dc234, author = {Unit 42}, title = {{Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (aka Volt Typhoon)}}, date = {2023-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/}, language = {English}, urldate = {2023-07-31} } @online{42:20230712:diplomats:53b84ac, author = {Unit 42}, title = {{Diplomats Beware: Cloaked Ursa Phishing With a Twist}}, date = {2023-07-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/#post-129063-_odp1m3lxt5m2}, language = {English}, urldate = {2023-07-13} } @online{42:20230712:diplomats:ff60fd1, author = {Unit 42}, title = {{Diplomats Beware: Cloaked Ursa Phishing With a Twist}}, date = {2023-07-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/}, language = {English}, urldate = {2023-07-17} } @online{42:20230719:p2pinfect:c1613c2, author = {Unit 42 and Nelson William Gamazo Sanchez and Nathaniel Quist}, title = {{P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm}}, date = {2023-07-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/}, language = {English}, urldate = {2023-12-12} } @online{42:20231121:hacking:94da88b, author = {Unit 42}, title = {{Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors}}, date = {2023-11-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/}, language = {English}, urldate = {2023-11-23} } @online{42:20231207:fighting:3e676a6, author = {Unit 42}, title = {{Fighting Ursa Aka APT28: Illuminating a Covert Campaign}}, date = {2023-12-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/}, language = {English}, urldate = {2023-12-12} } @online{42:20240326:asean:0575c63, author = {Unit 42}, title = {{ASEAN Entities in the Spotlight: Chinese APT Group Targeting}}, date = {2024-03-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/}, language = {English}, urldate = {2024-03-28} } @online{42:20240412:threat:f3f1b3d, author = {Unit 42}, title = {{Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400}}, date = {2024-04-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cve-2024-3400/}, language = {English}, urldate = {2024-04-15} } @online{42:20240627:threat:f619ee7, author = {Unit 42}, title = {{Threat Actor Groups Tracked by Palo Alto Networks Unit 42}}, date = {2024-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/}, language = {English}, urldate = {2025-03-05} } @online{42:20240802:fighting:2bf636a, author = {Unit 42}, title = {{Fighting Ursa Luring Targets With Car for Sale}}, date = {2024-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/}, language = {English}, urldate = {2025-02-03} } @online{42:20241009:contagious:ac5facd, author = {Unit 42}, title = {{Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware}}, date = {2024-10-09}, organization = {Palo Alto}, url = {https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/}, language = {English}, urldate = {2024-10-17} } @online{42:20241030:jumpy:4a38cc2, author = {Unit 42}, title = {{Jumpy Pisces Engages in Play Ransomware}}, date = {2024-10-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/}, language = {English}, urldate = {2024-10-31} } @online{42:20241114:fake:0bd401d, author = {Unit 42}, title = {{Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack}}, date = {2024-11-14}, organization = {Palo Alto}, url = {https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/}, language = {English}, urldate = {2024-11-29} } @online{42:20250117:about:1221674, author = {Unit 42}, title = {{Tweet about affiliates of DarkScorpius using Social Engineering via MS Teams}}, date = {2025-01-17}, organization = {Twitter (@Unit42_Intel)}, url = {https://x.com/Unit42_Intel/status/1880368272610050459}, language = {English}, urldate = {2025-03-05} } @online{42:20250507:iranian:4d1c3cb, author = {Unit 42}, title = {{Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation}}, date = {2025-05-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/}, language = {English}, urldate = {2025-05-20} } @online{42:20250613:about:f7012e8, author = {Unit 42}, title = {{Tweet about APT27 SysUpdate activity}}, date = {2025-06-13}, organization = {Twitter (@Unit42_Intel)}, url = {https://x.com/Unit42_Intel/status/1933565063736021372}, language = {English}, urldate = {2025-06-20} } @online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, language = {English}, urldate = {2020-04-01} } @online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } @online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } @online{471:20200708:irans:0bc8398, author = {Intel 471}, title = {{Iran’s domestic espionage: Lessons from recent data leaks}}, date = {2020-07-08}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/08/irans-domestic-espionage-lessons-from-recent-data-leaks/}, language = {English}, urldate = {2020-07-11} } @online{471:20200715:flowspec:683a5a1, author = {Intel 471}, title = {{Flowspec – TA505’s bulletproof hoster of choice}}, date = {2020-07-15}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/}, language = {English}, urldate = {2020-07-16} } @online{471:20200812:prioritizing:83e5896, author = {Intel 471}, title = {{Prioritizing “critical” vulnerabilities: A threat intelligence perspective}}, date = {2020-08-12}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/08/12/prioritizing-critical-vulnerabilities-a-threat-intelligence-perspective/}, language = {English}, urldate = {2020-08-14} } @online{471:20200916:partners:c65839f, author = {Intel 471}, title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}}, date = {2020-09-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/}, language = {English}, urldate = {2020-09-23} } @online{471:20201015:that:2d4b495, author = {Intel 471}, title = {{That was quick: Trickbot is back after disruption attempts}}, date = {2020-10-15}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/}, language = {English}, urldate = {2020-10-15} } @online{471:20201020:global:570e26f, author = {Intel 471}, title = {{Global Trickbot disruption operation shows promise}}, date = {2020-10-20}, organization = {Intel 471}, url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/}, language = {English}, urldate = {2020-10-21} } @online{471:20201028:alleged:46a2bb1, author = {Intel 471}, title = {{Alleged REvil member spills details on group’s ransomware operations}}, date = {2020-10-28}, organization = {Intel 471}, url = {https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/}, language = {English}, urldate = {2020-11-02} } @online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } @online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } @online{471:20201123:heres:1435e96, author = {Intel 471}, title = {{Here’s what happens after a business gets hit with ransomware}}, date = {2020-11-23}, organization = {Intel 471}, url = {https://intel471.com/blog/how-to-recover-from-a-ransomware-attack/}, language = {English}, urldate = {2020-12-17} } @online{471:20201201:steal:db9aadd, author = {Intel 471}, title = {{Steal, then strike: Access merchants are first clues to future ransomware attacks}}, date = {2020-12-01}, organization = {Intel 471}, url = {https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/}, language = {English}, urldate = {2020-12-17} } @online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } @online{471:20201216:intel471s:f245d05, author = {Intel 471}, title = {{Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground}}, date = {2020-12-16}, organization = {Intel 471}, url = {https://twitter.com/Intel471Inc/status/1339233255741120513}, language = {English}, urldate = {2020-12-17} } @online{471:20201218:ta505s:8fb97af, author = {Intel 471}, title = {{TA505’s modified loader means new attack campaign could be coming}}, date = {2020-12-18}, organization = {Intel 471}, url = {https://intel471.com/blog/ta505-get2-loader-malware-december-2020/}, language = {English}, urldate = {2020-12-19} } @online{471:20210115:last:c976da0, author = {Intel 471}, title = {{Last Dash for Joker’s Stash: Carding forum may close in 30 days}}, date = {2021-01-15}, organization = {Intel 471}, url = {https://intel471.com/blog/jokers-stash-closed-february-2021/}, language = {English}, urldate = {2021-01-18} } @online{471:20210127:emotet:0a7344b, author = {Intel 471}, title = {{Emotet takedown is not like the Trickbot takedown}}, date = {2021-01-27}, organization = {Intel 471}, url = {https://intel471.com/blog/emotet-takedown-2021/}, language = {English}, urldate = {2021-01-29} } @online{471:20210217:egregor:6194a4b, author = {Intel 471}, title = {{Egregor operation takes huge hit after police raids}}, date = {2021-02-17}, organization = {Intel 471}, url = {https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware}, language = {English}, urldate = {2021-02-20} } @online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } @online{471:20210419:how:2cba4f2, author = {Intel 471}, title = {{How China’s cybercrime underground is making money off big data}}, date = {2021-04-19}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-big-data-privacy-laws/}, language = {English}, urldate = {2021-04-20} } @online{471:20210426:cybercriminal:a1f6da3, author = {Intel 471}, title = {{The cybercriminal underground hasn’t forgotten about financial services}}, date = {2021-04-26}, organization = {Intel 471}, url = {https://www.intel471.com/blog/financial-cybercrime-2021-jackpotting-atm-malware}, language = {English}, urldate = {2021-05-03} } @online{471:20210510:heres:ebc6e81, author = {Intel 471}, title = {{Here’s what we know about DarkSide ransomware}}, date = {2021-05-10}, organization = {Intel 471}, url = {https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack}, language = {English}, urldate = {2021-05-13} } @online{471:20210514:moral:83d138a, author = {Intel 471}, title = {{The moral underground? Ransomware operators retreat after Colonial Pipeline hack}}, date = {2021-05-14}, organization = {Intel 471}, url = {https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime}, language = {English}, urldate = {2021-05-17} } @online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } @online{471:20210608:blurry:5b278e5, author = {Intel 471}, title = {{The blurry boundaries between nation-state actors and the cybercrime underground}}, date = {2021-06-08}, organization = {Intel 471}, url = {https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state}, language = {English}, urldate = {2021-06-16} } @online{471:20210714:how:0cf4b03, author = {Intel 471}, title = {{How cybercriminals create turbulence for the transportation industry}}, date = {2021-07-14}, organization = {Intel 471}, url = {https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry}, language = {English}, urldate = {2021-07-29} } @online{471:20210823:heres:49f1424, author = {Intel 471}, title = {{Here's how to guard your enterprise against ShinyHunters}}, date = {2021-08-23}, organization = {Intel 471}, url = {https://intel471.com/blog/shinyhunters-data-breach-mitre-attack}, language = {English}, urldate = {2021-08-25} } @online{471:20211020:cybercriminals:494dd97, author = {Intel 471}, title = {{Cybercriminals cash in on black market vaccine schemes}}, date = {2021-10-20}, organization = {Intel 471}, url = {https://intel471.com/blog/fake-covid-vaccination-cards-cybercrime}, language = {English}, urldate = {2021-11-03} } @online{471:20211102:cybercrime:4d53035, author = {Intel 471}, title = {{Cybercrime underground flush with shipping companies’ credentials}}, date = {2021-11-02}, organization = {Intel 471}, url = {https://intel471.com/blog/shipping-companies-ransomware-credentials}, language = {English}, urldate = {2021-11-03} } @online{471:20211116:how:dfdf383, author = {Intel 471}, title = {{How cryptomixers allow cybercriminals to clean their ransoms}}, date = {2021-11-16}, organization = {Intel 471}, url = {https://intel471.com/blog/cryptomixers-ransomware}, language = {English}, urldate = {2021-11-18} } @online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } @online{471:20220215:how:c105692, author = {Intel 471}, title = {{How the Russia-Ukraine conflict is impacting cybercrime}}, date = {2022-02-15}, organization = {Intel 471}, url = {https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground}, language = {English}, urldate = {2022-02-17} } @online{471:20220323:conti:694f144, author = {Intel 471}, title = {{Conti puts the ‘organized’ in organized crime}}, date = {2022-03-23}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-leaks-cybercrime-fire-team}, language = {English}, urldate = {2022-03-23} } @online{471:20220405:move:d589859, author = {Intel 471}, title = {{Move fast and commit crimes: Conti’s development teams mirror corporate tech}}, date = {2022-04-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-leaks-ransomware-development}, language = {English}, urldate = {2022-04-07} } @online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } @online{471:20220505:cybercrime:f091e4f, author = {Intel 471}, title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}}, date = {2022-05-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker}, language = {English}, urldate = {2022-05-05} } @online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } @online{471:20220907:conti:594cb06, author = {Intel 471}, title = {{Conti vs. Monti: A Reinvention or Just a Simple Rebranding?}}, date = {2022-09-07}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding}, language = {English}, urldate = {2022-09-19} } @online{471:20220914:prorussian:99cfb4d, author = {Intel 471}, title = {{Pro-Russian Hacktivist Groups Target Ukraine Supporters}}, date = {2022-09-14}, organization = {Intel 471}, url = {https://intel471.com/blog/pro-russian-hacktivist-groups-target-ukraine-supporters}, language = {English}, urldate = {2022-09-19} } @online{471:20230228:malvertising:268d961, author = {Intel 471}, title = {{Malvertising Surges to Distribute Malware}}, date = {2023-02-28}, organization = {Intel 471}, url = {https://intel471.com/blog/malvertising-surges-to-distribute-malware}, language = {English}, urldate = {2023-03-13} } @online{471:20240801:blankbot:9ec5a75, author = {Intel 471}, title = {{BlankBot - a new Android banking trojan with screen recording, keylogging and remote control capabilities}}, date = {2024-08-01}, organization = {Intel 471}, url = {https://intel471.com/blog/blankbot-a-new-android-banking-trojan-with-screen-recording-keylogging-and-remote-control-capabilities}, language = {English}, urldate = {2024-08-15} } @online{471:20240820:threat:1d69c21, author = {Intel 471}, title = {{Threat Hunting Case Study: Tracking Down GootLoader}}, date = {2024-08-20}, organization = {Intel 471}, url = {https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader}, language = {English}, urldate = {2024-08-23} } @online{471:20250213:threat:cf6a3df, author = {Intel 471}, title = {{Threat hunting case study: SocGholish}}, date = {2025-02-13}, organization = {Intel 471}, url = {https://intel471.com/blog/threat-hunting-case-study-socgholish}, language = {English}, urldate = {2025-02-21} } @online{471:20250224:android:2475c11, author = {Intel 471}, title = {{Android trojan TgToxic updates its capabilities}}, date = {2025-02-24}, organization = {Intel 471}, url = {https://intel471.com/blog/android-trojan-tgtoxic-updates-its-capabilities}, language = {English}, urldate = {2025-02-28} } @online{471:20250228:black:596ee5a, author = {Intel 471}, title = {{Black Basta exposed: A look at a cybercrime data leak}}, date = {2025-02-28}, organization = {Intel 471}, url = {https://intel471.com/blog/black-basta-exposed-a-look-at-a-cybercrime-data-leak}, language = {English}, urldate = {2025-03-25} } @online{471:20250402:indepth:3d6994e, author = {Intel 471}, title = {{An in-depth look at Black Basta's TTPs}}, date = {2025-04-02}, organization = {Intel 471}, url = {https://intel471.com/blog/an-in-depth-look-at-black-bastas-ttps}, language = {English}, urldate = {2025-04-09} } @online{471:20250416:labhost:cea2861, author = {Intel 471}, title = {{LabHost: A defunct but potent phishing service}}, date = {2025-04-16}, organization = {Intel 471}, url = {https://intel471.com/blog/labhost-a-defunct-but-potent-phishing-kit}, language = {English}, urldate = {2025-04-25} } @online{4pfsec:20221005:havoc:f3b689d, author = {4pfsec}, title = {{Havoc C2: First look}}, date = {2022-10-05}, organization = {4pfsec}, url = {https://4pfsec.com/havoc-c2-first-look/}, language = {English}, urldate = {2022-10-12} } @online{4rays:20240708:lifting:899d0e4, author = {Solar 4RAYS}, title = {{Lifting Zmiy: hacking SCADA controllers in pursuit of prime victims}}, date = {2024-07-08}, organization = {Solar 4RAYS}, url = {https://rt-solar.ru/solar-4rays/blog/4506/}, language = {Russian}, urldate = {2024-09-02} } @online{4rays:20241108:elusive:2cf8acd, author = {Solar 4RAYS}, title = {{The Elusive GoblinRAT – The Story Behind the Most Secretive and Mysterious Linux Backdoor Found in Government Infrastructures}}, date = {2024-11-08}, organization = {Rostelecom-Solar}, url = {https://rt-solar.ru/solar-4rays/blog/4861/}, language = {Russian}, urldate = {2024-11-17} } @online{4rchibld:20210227:nice:e7960f8, author = {4rchibld}, title = {{Nice to meet you, too. My name is Ryuk.}}, date = {2021-02-27}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/}, language = {English}, urldate = {2021-05-11} } @online{4rchibld:20210405:cruloader:b04f4b6, author = {4rchibld}, title = {{CruLoader Analysis}}, date = {2021-04-05}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/malwareanalysis/CruLoader/}, language = {English}, urldate = {2021-05-11} } @online{4rchibld:20210411:icedid:4135c21, author = {4rchibld}, title = {{IcedID on my neck I’m the coolest}}, date = {2021-04-11}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/}, language = {English}, urldate = {2021-05-11} } @online{51ddh4r7h4:20180820:advanced:9eb6e5c, author = {51ddh4r7h4}, title = {{Advanced Brazilian Malware Analysis}}, date = {2018-08-20}, organization = {ReversingMinds' Blog}, url = {http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware}, language = {English}, urldate = {2020-01-13} } @online{51pwn:20221104:behinder:2fe7382, author = {51pwn}, title = {{Behinder Mem Shell}}, date = {2022-11-04}, organization = {Github (hktalent)}, url = {https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md}, language = {Chinese}, urldate = {2023-02-22} } @online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } @online{71:20220731:adrastea:8ea3f4b, author = {Treadstone 71}, title = {{Adrastea hackers claim leading European designer and manufacturer of missile systems MBDA hacked}}, date = {2022-07-31}, organization = {Cyber Shafarat}, url = {https://cybershafarat.com/2022/07/31/adrastea-hackers-claim-leading-european-designer-and-manufacturer-of-missile-systems-mbda-hacked/}, language = {English}, urldate = {2024-12-09} } @online{71:20221117:kromsec:531dde8, author = {Treadstone 71}, title = {{KromSec outs AnonOpsSE as Iranian regime – Makes statement}}, date = {2022-11-17}, organization = {Cyber Shafarat}, url = {https://cybershafarat.com/2022/11/17/kromsec-outs-anonopsse-as-iranian-regime-makes-statement/}, language = {English}, urldate = {2023-12-04} } @online{71:20240722:hacking:e853a6b, author = {Treadstone 71}, title = {{Hacking group Anonymous KSA, a notorious threat actor, is targeting India in a series of cyber attacks}}, date = {2024-07-22}, organization = {Cyber Shafarat}, url = {https://cybershafarat.com/2024/07/22/hacking-group-anonymous-ksa-a-notorious-threat-actor-is-targeting-india-in-a-series-of-cyber-attacks/}, language = {English}, urldate = {2025-02-19} } @online{71:20240904:major:9367fab, author = {Treadstone 71}, title = {{Major IR leaks}}, date = {2024-09-04}, organization = {Cybershafarat}, url = {https://cybershafarat.com/2024/09/04/major-ir-leaks/}, language = {English}, urldate = {2024-09-27} } @online{71:20250310:dienet:4f16372, author = {Treadstone 71}, title = {{DieNet and #Shiite_Harvest claimed responsibility for disabling ten significant Iraqi websites}}, date = {2025-03-10}, organization = {Cybershafarat}, url = {https://cybershafarat.com/2025/03/10/dienet-and-shiite_harvest-claimed-responsibility-for-disabling-ten-significant-iraqi-websites/}, language = {English}, urldate = {2025-04-25} } @online{773:20220412:tween:9f9a70c, author = {Section 773}, title = {{Tween on Lapsus$ (UNC3661) Attack chain of compromise via Sitel (Okta subprocessor)'s systems}}, date = {2022-04-12}, organization = {Twitter (@apt773)}, url = {https://twitter.com/apt773/status/1513909922643476485}, language = {English}, urldate = {2022-04-15} } @online{80vul:20210426:hunting:e8be278, author = {Twitter (@80vul)}, title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}}, date = {2021-04-26}, organization = {getrevue}, url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734}, language = {English}, urldate = {2021-04-29} } @online{8thgreyowl:20210205:calmthorn:8397a05, author = {8thGreyOwl}, title = {{Tweet on CALMTHORN, used by Tonto Team}}, date = {2021-02-05}, organization = {Twitter (@8th_grey_owl)}, url = {https://twitter.com/8th_grey_owl/status/1357550261963689985}, language = {English}, urldate = {2021-02-09} } @online{8thgreyowl:20220113:selfmake:b0e52ab, author = {8thGreyOwl}, title = {{Tweet on SelfMake Loader}}, date = {2022-01-13}, organization = {Twitter (@8th_grey_owl)}, url = {https://twitter.com/8th_grey_owl/status/1481433481485844483}, language = {English}, urldate = {2022-01-19} } @online{9b:20180627:latest:5770e87, author = {9b}, title = {{Latest observed JS payload used for APT32 profiling}}, date = {2018-06-27}, organization = {Github (9b)}, url = {https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef}, language = {English}, urldate = {2020-01-09} } @online{:2010:trojandownloaderw32chyminea:30597d8, author = {_}, title = {{Trojan-Downloader:W32/Chymine.A}}, date = {2010}, organization = {F-Secure}, url = {https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml}, language = {English}, urldate = {2019-09-22} } @online{:20130203:forum:e9bf784, author = {小男孩}, title = {{Forum Post: GetPwd_K8 one-click to get the plain text password of the system login user based on French ...}}, date = {2013-02-03}, url = {https://ihonker.org/thread-1504-1-1.html}, language = {Chinese}, urldate = {2020-01-23} } @online{:20131217:bebloh:dcd1f5f, author = {}, title = {{Bebloh – a well-known banking Trojan with noteworthy innovations}}, date = {2013-12-17}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations}, language = {English}, urldate = {2019-10-28} } @online{:20141022:cryakl:aaecc86, author = {Артём Семенченко and Федор Синицын and Татьяна Куликова}, title = {{Шифровальщик Cryakl или Фантомас разбушевался}}, date = {2014-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/}, language = {Russian}, urldate = {2019-12-16} } @techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } @online{:20180602:hidden:674cfb9, author = {安全豹}, title = {{"Hidden Bee" strikes: Kingsoft Internet Security intercepts the world's first bootkit-level mining botnet (Part 1)}}, date = {2018-06-02}, organization = {Freebuf}, url = {https://www.freebuf.com/column/174581.html}, language = {Chinese}, urldate = {2020-01-13} } @online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } @online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } @online{:20181225:bittertapt17:faf6bde, author = {腾讯电脑管家}, title = {{BITTER/T-APT-17 reports on the latest attacks on sensitive agencies such as military, nuclear, and government agencies in China}}, date = {2018-12-25}, organization = {Tencent}, url = {https://www.freebuf.com/articles/database/192726.html}, language = {Chinese}, urldate = {2020-03-02} } @online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } @online{:20190214:suspected:25adc45, author = {奇安信威胁情报中心}, title = {{Suspected Molerats New Attack in the Middle East}}, date = {2019-02-14}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/}, language = {Chinese}, urldate = {2019-10-12} } @online{:20190214:suspected:5df65f1, author = {事件追踪}, title = {{Suspected Molerats' New Attack in the Middle East}}, date = {2019-02-14}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/}, language = {English}, urldate = {2020-01-07} } @online{:20190306:taidoor:651efa6, author = {NTT セキュリティ and ジャパン株式会社}, title = {{Taidoor を用いた標的型攻撃}}, date = {2019-03-06}, organization = {Unit CANARY}, url = {https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1}, language = {English}, urldate = {2020-01-13} } @online{:20190319:aptc27:6ab4857, author = {奇安信威胁情报中心}, title = {{APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit}}, date = {2019-03-19}, url = {https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/}, language = {English}, urldate = {2019-10-26} } @online{:20190813::eae3d10, author = {奇安信威胁情报中心}, title = {{洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露}}, date = {2019-08-13}, url = {https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts}, language = {Chinese}, urldate = {2020-01-13} } @online{:20200723::adadd32, author = {AhnLab ASEC 분석팀}, title = {{국내 인터넷 커뮤니티 사이트에서 악성코드 유포 (유틸리티 위장)}}, date = {2020-07-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1360}, language = {Korean}, urldate = {2020-07-30} } @online{:20200816:wastedlocker:4210f22, author = {谷川哲司}, title = {{WastedLocker IoC collection}}, date = {2020-08-16}, organization = {Hatena Blog}, url = {https://ioc.hatenablog.com/entry/2020/08/16/132853}, language = {Japanese}, urldate = {2020-10-02} } @online{:20200819:njrat:a8e3234, author = {AhnLab ASEC 분석팀}, title = {{국내 유명 웹하드를 통해 유포되는 njRAT 악성코드}}, date = {2020-08-19}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1369}, language = {Korean}, urldate = {2020-08-25} } @online{:20210127:emotet:abc27db, author = {Національна поліція України}, title = {{Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні вірусу EMOTET}}, date = {2021-01-27}, organization = {Youtube (Національна поліція України)}, url = {https://www.youtube.com/watch?v=_BLOmClsSpc}, language = {Ukrainian}, urldate = {2021-01-27} } @techreport{:20210521:research:1e23090, author = {Ростелеком-Солар and НКЦКИ - Главная}, title = {{Research report of the series of attacks on the state authorities of the Russian Federation}}, date = {2021-05-21}, institution = {}, url = {https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf}, language = {Russian}, urldate = {2021-06-21} } @online{:20210616:clop:28caf8c, author = {Національна поліція України}, title = {{Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)}}, date = {2021-06-16}, organization = {Youtube (Національна поліція України)}, url = {https://www.youtube.com/watch?v=PqGaZgepNTE}, language = {Ukrainian}, urldate = {2021-06-21} } @online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } @online{:20210618:atomic:d62e18f, author = {손덕호 기자 and Son Deok-ho}, title = {{The Atomic Energy Research Institute has been breached by a North Korean hacker organization Kimsuky}}, date = {2021-06-18}, organization = {Chosun Biz}, url = {https://biz.chosun.com/policy/politics/2021/06/18/V4DTFCEXPRA4DFCBVVJO3DPR5I/}, language = {Korean}, urldate = {2021-06-22} } @online{:20210906:operation:3e2fd42, author = {猎影实验室}, title = {{假面行动(Operation MaskFace)-疑似针对境外银行的利用问卷调查为主题的钓鱼攻击事件分析}}, date = {2021-09-06}, organization = {dbappsecurity}, url = {https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/}, language = {Chinese}, urldate = {2021-10-24} } @online{:20211025:ukrainian:8b0814a, author = {Національна поліція України}, title = {{Ukrainian law enforcement officers blocked the activities of members of an international transnational hacker group}}, date = {2021-10-25}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/ukrajinski-pravooxoronczi-blokuvali-diyalnist-chleniv-mizhnarodnogo-transnaczionalnogo-xakerskogo-ugrupovannya/}, language = {Ukrainian}, urldate = {2021-11-03} } @online{:20211029:cyberpolice:fc43b20, author = {Національна поліція України}, title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}}, date = {2021-10-29}, organization = {Національна поліція України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-11-02} } @online{a:2016:cyber:140f384, author = {Monnappa K A}, title = {{CYBER ATTACK IMPERSONATING IDENTITY OF INDIAN THINK TANK TO TARGET CENTRAL BUREAU OF INVESTIGATION (CBI) AND POSSIBLY INDIAN ARMY OFFICIALS}}, date = {2016}, organization = {Cysinfo}, url = {https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials}, language = {English}, urldate = {2020-01-07} } @online{a:20180910:turla:c92b687, author = {Monnappa K A}, title = {{turla gazer backdoor code injection & winlogon shell persistence}}, date = {2018-09-10}, organization = {Youtube ( Monnappa K A)}, url = {https://www.youtube.com/watch?v=Pvzhtjl86wc}, language = {English}, urldate = {2020-01-13} } @online{a:20190513:chacha:840508a, author = {Amigo A}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } @online{a:20200411:rhino:c3d7b04, author = {Amigo A}, title = {{Rhino Ransomware}}, date = {2020-04-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/rhino-ransomware.html}, language = {Russian}, urldate = {2020-05-18} } @online{a:20201016:geofenced:8c31198, author = {Cassandra A. and Proofpoint Threat Research Team}, title = {{Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet}}, date = {2020-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet}, language = {English}, urldate = {2020-10-23} } @online{a:20211216:mrac:d625fc1, author = {Amigo A}, title = {{MRAC Ransomware}}, date = {2021-12-16}, url = {https://id-ransomware.blogspot.com/2021/12/mrac-ransomware.html}, language = {Russian}, urldate = {2022-02-01} } @online{a:20220819:moisha:7635a3f, author = {Amigo A and Andrew Ivanov}, title = {{Moisha Ransomware}}, date = {2022-08-19}, url = {https://id-ransomware.blogspot.com/2022/08/moisha-ransomware.html}, language = {Russian}, urldate = {2022-09-08} } @online{a:20230605:iran:aa3a10c, author = {Maxime A}, title = {{Iran Cyber Threat Overview}}, date = {2023-06-05}, organization = {Sekoia}, url = {https://blog.sekoia.io/iran-cyber-threat-overview/}, language = {English}, urldate = {2024-02-08} } @online{a:20230723:guloader:887fa35, author = {Muhammed Irfan V A}, title = {{Guloader Deobfuscation using Ghidra}}, date = {2023-07-23}, organization = {irfan_eternal}, url = {https://irfan-eternal.github.io/guloader-deobfuscation-using-ghidra/}, language = {English}, urldate = {2025-07-14} } @online{a:20230912:transportation:fc8aa76, author = {Maxime A and Livia Tibirna}, title = {{The Transportation sector cyber threat overview}}, date = {2023-09-12}, organization = {Sekoia}, url = {https://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/}, language = {English}, urldate = {2024-02-08} } @online{a:20240106:understanding:6e0f234, author = {Muhammed Irfan V A}, title = {{Understanding Internals of SmokeLoader}}, date = {2024-01-06}, organization = {irfan_eternal}, url = {https://irfan-eternal.github.io/understanding-internals-of-smokeloader/}, language = {English}, urldate = {2024-06-24} } @online{a:20240506:hijackloader:d2512e1, author = {Muhammed Irfan V A}, title = {{HijackLoader Updates}}, date = {2024-05-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/hijackloader-updates}, language = {English}, urldate = {2024-06-24} } @online{a:20240610:technical:0114a8e, author = {Muhammed Irfan V A and Manisha Ramcharan Prajapati}, title = {{Technical Analysis of the Latest Variant of ValleyRAT}}, date = {2024-06-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat}, language = {English}, urldate = {2024-06-12} } @online{a:20241010:technical:b6379a1, author = {Muhammed Irfan V A}, title = {{Technical Analysis of DarkVision RAT}}, date = {2024-10-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat}, language = {English}, urldate = {2024-11-05} } @online{a:20241202:unveiling:e4e025b, author = {Muhammed Irfan V A}, title = {{Unveiling RevC2 and Venom Loader}}, date = {2024-12-02}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader}, language = {English}, urldate = {2024-12-06} } @online{a:20250331:analyzing:3a9ee25, author = {Muhammed Irfan V A}, title = {{Analyzing New HijackLoader Evasion Tactics}}, date = {2025-03-31}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics}, language = {English}, urldate = {2025-04-10} } @online{aaaaaaaannn:20150716:github:609e30a, author = {aaaaaaaannn}, title = {{Github Repo with source code of cd00r.c}}, date = {2015-07-16}, organization = {Github (aaaaaaaannn)}, url = {https://github.com/aaaaaaaannn/cd00r.c/blob/master/cd00r.c}, language = {English}, urldate = {2025-01-24} } @online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} } @online{abbati:20161108:analysis:374eea4, author = {Arnaud Abbati}, title = {{Analysis of IOS.GUIINJECT Adware Library}}, date = {2016-11-08}, organization = {SentinelOne}, url = {https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/}, language = {English}, urldate = {2022-09-12} } @online{abbati:20170823:cs:1ecb9bb, author = {Arnaud Abbati}, title = {{CS: Go Hacks for Mac – OSX.Pwnet.A}}, date = {2017-08-23}, organization = {SentinelOne}, url = {https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/}, language = {English}, urldate = {2019-08-07} } @online{abbati:20171128:osxcpumeaner:23f69f0, author = {Arnaud Abbati}, title = {{OSX.CPUMEANER: New Cryptocurrency Mining Trojan Targets MacOS}}, date = {2017-11-28}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/}, language = {English}, urldate = {2019-12-05} } @online{abc123:20230513:article:98ec150, author = {ABC123}, title = {{Article 62: Summary of Vietnam Hailianhua APT’s Email Phishing Techniques and Tactics against Mainland China}}, date = {2023-05-13}, organization = {Xitan Laboratory}, url = {https://mp.weixin.qq.com/s/hi1YgUUHnFDGf26cUXJkQQ}, language = {Chinese}, urldate = {2023-05-25} } @online{abdillah:20250513:intrusion:cc75bc8, author = {Ahmad Abdillah}, title = {{Intrusion Insights Straight from Leaked Operator Chats}}, date = {2025-05-13}, organization = {CSA}, url = {https://www.linkedin.com/pulse/intrusion-insights-straight-from-leaked-operator-chats-ahmad-abdillah-p1ejc?utm_source=share&utm_medium=member_ios&utm_campaign=share_via}, language = {English}, urldate = {2025-05-19} } @online{abdillah:20250519:reversing:0956cb9, author = {Ahmad Abdillah}, title = {{Reversing a Microsoft-Signed Rootkit: The Netfilter Driver}}, date = {2025-05-19}, organization = {CSA}, url = {https://splintersfury.github.io/mal_blog/post/netfilter_driver/}, language = {English}, urldate = {2025-05-20} } @online{abdo:20210225:so:50d0f11, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations}, language = {English}, urldate = {2025-03-05} } @online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } @online{abdo:20220404:fin7:305d62b, author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/evolution-of-fin7}, language = {English}, urldate = {2022-06-27} } @online{abdo:20240515:unc5449:4471fec, author = {Bryce Abdo}, title = {{Tweet on UNC5449 exploiting CVE-2024-30051 to deliver QAKBOT}}, date = {2024-05-15}, organization = {X (@bryceabdo)}, url = {https://x.com/bryceabdo/status/1790457784099614776}, language = {English}, urldate = {2024-05-21} } @online{abdulrhman:20220617:unpacking:50af663, author = {Motawkkel Abdulrhman}, title = {{Unpacking Kovter malware}}, date = {2022-06-17}, organization = {Github (0xchrollo)}, url = {https://ry0dan.github.io/malware%20analysis/unpacking-kovter-malware/}, language = {English}, urldate = {2024-05-14} } @online{abel:20180720:malware:62e1c9e, author = {Robert Abel}, title = {{Malware author ‘Anarchy’ builds 18,000-strong Huawei router botnet}}, date = {2018-07-20}, url = {https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/}, language = {English}, urldate = {2019-11-27} } @online{abel:20250305:satori:ab77028, author = {Louisa Abel and Nico Agnese and Gabi Cirlig and Maor Elizen and Will Herbig and Aviad Kaiserman and Lindsay Kaye and Joao Marques and Vikas Parthasarathy and João Santos and Adam Sell and Inna Vasilyeva and Mikhail Venkov}, title = {{Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes}}, date = {2025-03-05}, organization = {HUMAN}, url = {https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/}, language = {English}, urldate = {2025-06-06} } @online{aboud:20220311:indepth:7f4eb47, author = {Marah Aboud and Janet Jose and Hansika Saxena}, title = {{In-depth Technical Analysis of Colibri Loader Malware}}, date = {2022-03-11}, organization = {Cloudsek}, url = {https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/}, language = {English}, urldate = {2022-03-14} } @online{abrams:20160125:hidden:66efed3, author = {Lawrence Abrams}, title = {{Hidden Tear Ransomware Developer Blackmailed by Malware Developers using his Code}}, date = {2016-01-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hidden-tear-ransomware-developer-blackmailed-by-malware-developers-using-his-code/}, language = {English}, urldate = {2023-11-22} } @online{abrams:20160214:padcrypt:626523d, author = {Lawrence Abrams}, title = {{PadCrypt: The first ransomware with Live Support Chat and an Uninstaller}}, date = {2016-02-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160408:cryptohost:d0f5780, author = {Lawrence Abrams}, title = {{CryptoHost Decrypted: Locks files in a password protected RAR File}}, date = {2016-04-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160722:stampado:207584f, author = {Lawrence Abrams}, title = {{Stampado Ransomware campaign decrypted before it Started}}, date = {2016-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160908:philadelphia:18b2e18, author = {Lawrence Abrams}, title = {{The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals}}, date = {2016-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160928:introducing:f09b941, author = {Lawrence Abrams}, title = {{Introducing Her Royal Highness, the Princess Locker Ransomware}}, date = {2016-09-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160930:hacked:760d56c, author = {Lawrence Abrams}, title = {{Hacked Steam accounts spreading Remote Access Trojan}}, date = {2016-09-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161027:indev:79b8937, author = {Lawrence Abrams}, title = {{In-Dev Ransomware forces you do to Survey before unlocking Computer}}, date = {2016-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161115:cryptoluck:19599ea, author = {Lawrence Abrams}, title = {{CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits}}, date = {2016-11-15}, organization = {Bleeping Computer}, url = {http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170207:erebus:2328bb9, author = {Lawrence Abrams}, title = {{Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment}}, date = {2017-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170315:revenge:b047d2f, author = {Lawrence Abrams}, title = {{Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit}}, date = {2017-03-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170705:new:f1fc004, author = {Lawrence Abrams}, title = {{New Azer CryptoMix Ransomware Variant Released}}, date = {2017-07-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-azer-cryptomix-ransomware-variant-released/}, language = {English}, urldate = {2023-02-06} } @online{abrams:20170816:locky:7445bd0, author = {Lawrence Abrams}, title = {{Locky Ransomware switches to the Lukitus extension for Encrypted Files}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:synccrypt:c8d0c48, author = {Lawrence Abrams}, title = {{SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170828:new:4c237c7, author = {Lawrence Abrams}, title = {{New Nuclear BTCWare Ransomware Released (Updated)}}, date = {2017-08-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171031:oni:b366161, author = {Lawrence Abrams}, title = {{ONI Ransomware Used in Month-Long Attacks Against Japanese Companies}}, date = {2017-10-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171213:work:d439b4b, author = {Lawrence Abrams}, title = {{WORK Cryptomix Ransomware Variant Released}}, date = {2017-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180121:evrial:5df289b, author = {Lawrence Abrams}, title = {{Evrial Trojan Switches Bitcoin Addresses Copied to Windows Clipboard}}, date = {2018-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180126:velso:4b06608, author = {Lawrence Abrams}, title = {{The Velso Ransomware Being Manually Installed by Attackers}}, date = {2018-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180129:gandcrab:9e003f9, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension}}, date = {2018-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180208:gandcrab:40fb494, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts}}, date = {2018-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:black:85fdc3c, author = {Lawrence Abrams}, title = {{Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:dexcrypt:a7d1f62, author = {Lawrence Abrams}, title = {{DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180226:thanatos:546a986, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180323:avcrypt:edb1b07, author = {Lawrence Abrams}, title = {{The AVCrypt Ransomware Tries To Uninstall Your AV Software}}, date = {2018-03-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180514:stalinlocker:5c9f91e, author = {Lawrence Abrams}, title = {{StalinLocker Deletes Your Files Unless You Enter the Right Code}}, date = {2018-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20180626:thanatos:bbe20fc, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Decryptor Released by the Cisco Talos Group}}, date = {2018-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180912:feedify:7beba8a, author = {Lawrence Abrams}, title = {{Feedify Hacked with Magecart Information Stealing Script}}, date = {2018-09-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180914:kraken:643744c, author = {Lawrence Abrams}, title = {{Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program}}, date = {2018-09-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181001:roaming:3a9e1c5, author = {Lawrence Abrams}, title = {{Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181113:hookads:ef89e4e, author = {Lawrence Abrams}, title = {{HookAds Malvertising Installing Malware via the Fallout Exploit Kit}}, date = {2018-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181119:visiondirect:6c2560e, author = {Lawrence Abrams}, title = {{VisionDirect Data Breach Caused by MageCart Attack}}, date = {2018-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190104:how:8932d09, author = {Lawrence Abrams}, title = {{How to Decrypt the Aurora Ransomware with AuroraDecrypter}}, date = {2019-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/}, language = {English}, urldate = {2019-12-17} } @online{abrams:20190115:djvu:a8b1d06, author = {Lawrence Abrams}, title = {{Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles}}, date = {2019-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190117:blackrouter:2e83ebf, author = {Lawrence Abrams}, title = {{BlackRouter Ransomware Promoted as a RaaS by Iranian Developer}}, date = {2019-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20190426:closer:ba13483, author = {Lawrence Abrams}, title = {{A Closer Look at the RobbinHood Ransomware}}, date = {2019-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190601:gandcrab:cb581e3, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion}}, date = {2019-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190613:pylocky:15be611, author = {Lawrence Abrams}, title = {{pyLocky Decryptor Released by French Authorities}}, date = {2019-06-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20190906:lilocked:4042feb, author = {Lawrence Abrams}, title = {{Lilocked Ransomware Actively Targeting Servers and Web Sites}}, date = {2019-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190911:ryuk:8a18715, author = {Lawrence Abrams}, title = {{Ryuk Related Malware Steals Confidential Military, Financial Files}}, date = {2019-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190917:tflower:31c9072, author = {Lawrence Abrams}, title = {{TFlower Ransomware - The Latest Attack Targeting Businesses}}, date = {2019-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/}, language = {English}, urldate = {2019-10-15} } @online{abrams:20191005:hildacrypt:420f788, author = {Lawrence Abrams}, title = {{HildaCrypt Ransomware Developer Releases Decryption Keys}}, date = {2019-10-05}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/hildacrypt-ransomware-developer-releases-decryption-keys/}, language = {English}, urldate = {2023-10-10} } @online{abrams:20191010:nemty:319e3b7, author = {Lawrence Abrams}, title = {{Nemty Ransomware Decryptor Released, Recover Files for Free}}, date = {2019-10-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191025:new:f7feebd, author = {Lawrence Abrams}, title = {{New FuxSocy Ransomware Impersonates the Notorious Cerber}}, date = {2019-10-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } @online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } @online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20200108:snake:aaf992f, author = {Lawrence Abrams}, title = {{SNAKE Ransomware Is the Next Threat Targeting Business Networks}}, date = {2020-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/}, language = {English}, urldate = {2020-01-12} } @online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200121:bitpylock:ded9871, author = {Lawrence Abrams}, title = {{BitPyLock Ransomware Now Threatens to Publish Stolen Data}}, date = {2020-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } @online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } @online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } @online{abrams:20200206:ransomware:8b6a606, author = {Lawrence Abrams}, title = {{Ransomware Exploits GIGABYTE Driver to Kill AV Processes}}, date = {2020-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20200213:parallax:9842604, author = {Lawrence Abrams}, title = {{Parallax RAT: Common Malware Payload After Hacker Forums Promotion}}, date = {2020-02-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/}, language = {English}, urldate = {2020-04-01} } @online{abrams:20200225:doppelpaymer:9ca20ab, author = {Lawrence Abrams}, title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}}, date = {2020-02-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200302:new:e4cb07c, author = {Lawrence Abrams}, title = {{New PwndLocker Ransomware Targeting U.S. Cities, Enterprises}}, date = {2020-03-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } @online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } @online{abrams:20200305:pwndlocker:d9b200a, author = {Lawrence Abrams}, title = {{PwndLocker Ransomware Gets Pwned: Decryption Now Available}}, date = {2020-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/}, language = {English}, urldate = {2020-03-05} } @online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } @online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} } @online{abrams:20200319:redline:5966456, author = {Lawrence Abrams}, title = {{RedLine Info-Stealing Malware Spread by Folding@home Phishing}}, date = {2020-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } @online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } @online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = {2020-04-20} } @online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } @online{abrams:20200608:new:c1f97ec, author = {Lawrence Abrams}, title = {{New Avaddon Ransomware launches in massive smiley spam campaign}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/}, language = {English}, urldate = {2020-06-10} } @online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } @online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200713:new:a9e2a62, author = {Lawrence Abrams}, title = {{New AgeLocker Ransomware uses Googler's utility to encrypt files}}, date = {2020-07-13}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-agelocker-ransomware-uses-googlers-utility-to-encrypt-files/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } @online{abrams:20200821:darkside:3ebbc35, author = {Lawrence Abrams}, title = {{DarkSide: New targeted ransomware demands million dollar ransoms}}, date = {2020-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/}, language = {English}, urldate = {2020-08-24} } @online{abrams:20200825:ryuk:fbd5d99, author = {Lawrence Abrams}, title = {{Ryuk successor Conti Ransomware releases data leak site}}, date = {2020-08-25}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/}, language = {English}, urldate = {2020-08-26} } @online{abrams:20200826:suncrypt:426964e, author = {Lawrence Abrams}, title = {{SunCrypt Ransomware sheds light on the Maze ransomware cartel}}, date = {2020-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/}, language = {English}, urldate = {2020-08-27} } @online{abrams:20200917:maze:81b8c38, author = {Lawrence Abrams}, title = {{Maze ransomware now encrypts via virtual machines to evade detection}}, date = {2020-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/}, language = {English}, urldate = {2020-09-21} } @online{abrams:20200923:agelocker:1826fc8, author = {Lawrence Abrams}, title = {{AgeLocker ransomware targets QNAP NAS devices, steals data}}, date = {2020-09-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/}, language = {English}, urldate = {2020-09-25} } @online{abrams:20200923:government:bf7b212, author = {Lawrence Abrams}, title = {{Government software provider Tyler Technologies hit by ransomware}}, date = {2020-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20200924:mount:0456f2a, author = {Lawrence Abrams}, title = {{Mount Locker ransomware joins the multi-million dollar ransom game}}, date = {2020-09-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201020:barnes:f210b39, author = {Lawrence Abrams}, title = {{Barnes & Noble hit by Egregor ransomware, strange data leaked}}, date = {2020-10-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201022:french:6d52e19, author = {Lawrence Abrams}, title = {{French IT giant Sopra Steria hit by Ryuk ransomware}}, date = {2020-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/}, language = {English}, urldate = {2020-10-26} } @online{abrams:20201023:new:b9a8801, author = {Lawrence Abrams}, title = {{New RAT malware gets commands via Discord, has ransomware feature}}, date = {2020-10-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/}, language = {English}, urldate = {2020-10-27} } @online{abrams:20201027:steelcase:25f66a9, author = {Lawrence Abrams}, title = {{Steelcase furniture giant hit by Ryuk ransomware attack}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-28} } @online{abrams:20201029:hacking:c8d5379, author = {Lawrence Abrams}, title = {{Hacking group is targeting US hospitals with Ryuk ransomware}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{abrams:20201029:maze:f90b399, author = {Lawrence Abrams}, title = {{Maze ransomware is shutting down its cybercrime operation}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/}, language = {English}, urldate = {2020-11-02} } @online{abrams:20201103:new:819bca9, author = {Lawrence Abrams}, title = {{New RegretLocker ransomware targets Windows virtual machines}}, date = {2020-11-03}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201105:capcom:e0ff215, author = {Lawrence Abrams}, title = {{Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201105:japanese:0221abc, author = {Lawrence Abrams}, title = {{Japanese game dev Capcom hit by cyberattack, business impacted}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201109:laptop:fa3207d, author = {Lawrence Abrams}, title = {{Laptop maker Compal hit by ransomware, $17 million demanded}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/}, language = {English}, urldate = {2020-11-11} } @online{abrams:20201113:darkside:82cdb5f, author = {Lawrence Abrams}, title = {{DarkSide ransomware is creating a secure data leak service in Iran}}, date = {2020-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/}, language = {English}, urldate = {2020-11-18} } @online{abrams:20201114:retail:f5192ae, author = {Lawrence Abrams}, title = {{Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted}}, date = {2020-11-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/}, language = {English}, urldate = {2020-11-19} } @online{abrams:20201114:week:71b8a1e, author = {Lawrence Abrams}, title = {{The Week in Ransomware - November 13th 2020 - Extortion gone wild}}, date = {2020-11-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-13th-2020-extortion-gone-wild/}, language = {English}, urldate = {2021-06-01} } @online{abrams:20201118:revil:fda480b, author = {Lawrence Abrams}, title = {{REvil ransomware hits Managed.com hosting provider, 500K ransom}}, date = {2020-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/}, language = {English}, urldate = {2020-11-19} } @online{abrams:20201119:mount:0294998, author = {Lawrence Abrams}, title = {{Mount Locker ransomware now targets your TurboTax tax returns}}, date = {2020-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/}, language = {English}, urldate = {2020-11-23} } @online{abrams:20201120:lightbot:473b7c3, author = {Lawrence Abrams}, title = {{LightBot: TrickBot’s new reconnaissance malware for high-value targets}}, date = {2020-11-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/}, language = {English}, urldate = {2020-11-23} } @online{abrams:20201203:kmart:0795c86, author = {Lawrence Abrams}, title = {{Kmart nationwide retailer suffers a ransomware attack}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201203:ransomware:186759f, author = {Lawrence Abrams}, title = {{Ransomware gang says they stole 2 million credit cards from E-Land}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201204:largest:43455f7, author = {Lawrence Abrams}, title = {{Largest global staffing agency Randstad hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201204:metro:3350ee7, author = {Lawrence Abrams}, title = {{Metro Vancouver's transit system hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201207:foxconn:307c147, author = {Lawrence Abrams}, title = {{Foxconn electronics giant hit by ransomware, $34 million ransom}}, date = {2020-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201213:intels:ae85240, author = {Lawrence Abrams}, title = {{Intel's Habana Labs hacked by Pay2Key ransomware, data stolen}}, date = {2020-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/}, language = {English}, urldate = {2020-12-14} } @online{abrams:20201216:fireeye:d24dc6f, author = {Lawrence Abrams}, title = {{FireEye, Microsoft create kill switch for SolarWinds backdoor}}, date = {2020-12-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/}, language = {English}, urldate = {2020-12-17} } @online{abrams:20201219:solarwinds:0129ee8, author = {Lawrence Abrams}, title = {{The SolarWinds cyberattack: The hack, the victims, and what we know}}, date = {2020-12-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/}, language = {English}, urldate = {2020-12-19} } @online{abrams:20201221:trucking:2b6b278, author = {Lawrence Abrams}, title = {{Trucking giant Forward Air hit by new Hades ransomware gang}}, date = {2020-12-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-hit-by-new-hades-ransomware-gang/}, language = {English}, urldate = {2020-12-23} } @online{abrams:20201228:home:5e0aaf7, author = {Lawrence Abrams}, title = {{Home appliance giant Whirlpool hit in Nefilim ransomware attack}}, date = {2020-12-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/}, language = {English}, urldate = {2021-01-01} } @online{abrams:20210106:hackers:638f09c, author = {Lawrence Abrams}, title = {{Hackers start exploiting the new backdoor in Zyxel devices}}, date = {2021-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-the-new-backdoor-in-zyxel-devices/}, language = {English}, urldate = {2021-01-11} } @online{abrams:20210115:windows:350b568, author = {Lawrence Abrams}, title = {{Windows Finger command abused by phishing to download malware}}, date = {2021-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/}, language = {English}, urldate = {2021-01-21} } @online{abrams:20210118:iobit:398481c, author = {Lawrence Abrams}, title = {{IObit forums hacked to spread ransomware to its members}}, date = {2021-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/}, language = {English}, urldate = {2021-01-21} } @online{abrams:20210118:iobit:7539655, author = {Lawrence Abrams}, title = {{IObit forums hacked in widespread DeroHE ransomware attack}}, date = {2021-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-in-widespread-derohe-ransomware-attack/}, language = {English}, urldate = {2021-01-21} } @online{abrams:20210124:another:23e31f7, author = {Lawrence Abrams}, title = {{Another ransomware (Avaddon) now uses DDoS attacks to force victims to pay}}, date = {2021-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/}, language = {English}, urldate = {2021-01-25} } @online{abrams:20210202:babyk:0f0a60d, author = {Lawrence Abrams}, title = {{Babyk Ransomware won't hit charities, unless they support LGBT, BLM}}, date = {2021-02-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/}, language = {English}, urldate = {2021-02-04} } @online{abrams:20210207:new:704db11, author = {Lawrence Abrams}, title = {{New phishing attack uses Morse code to hide malicious URLs}}, date = {2021-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/}, language = {English}, urldate = {2021-02-09} } @online{abrams:20210310:norway:1db24ea, author = {Lawrence Abrams}, title = {{Norway parliament data stolen in Microsoft Exchange attack}}, date = {2021-03-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/norway-parliament-data-stolen-in-microsoft-exchange-attack/}, language = {English}, urldate = {2021-03-11} } @online{abrams:20210311:ransomware:0cd191c, author = {Lawrence Abrams}, title = {{Ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits}}, date = {2021-03-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-dearcry-ransomware-is-targeting-microsoft-exchange-servers/}, language = {English}, urldate = {2021-03-12} } @online{abrams:20210319:revil:32f2221, author = {Lawrence Abrams}, title = {{REvil ransomware has a new ‘Windows Safe Mode’ encryption mode}}, date = {2021-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/}, language = {English}, urldate = {2021-03-24} } @online{abrams:20210325:insurance:5e12adf, author = {Lawrence Abrams}, title = {{Insurance giant CNA hit by new Phoenix CryptoLocker ransomware}}, date = {2021-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/}, language = {English}, urldate = {2021-03-30} } @online{abrams:20210326:ransomware:bc58d85, author = {Lawrence Abrams}, title = {{Ransomware gang urges victims’ customers to demand a ransom payment}}, date = {2021-03-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/}, language = {English}, urldate = {2021-03-31} } @online{abrams:20210418:discord:8787410, author = {Lawrence Abrams}, title = {{Discord Nitro gift codes now demanded as ransomware payments}}, date = {2021-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/}, language = {English}, urldate = {2021-08-26} } @online{abrams:20210420:fake:fca82a4, author = {Lawrence Abrams}, title = {{Fake Microsoft Store, Spotify sites spread info-stealing malware}}, date = {2021-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/}, language = {English}, urldate = {2021-06-16} } @online{abrams:20210421:logins:d779ad8, author = {Lawrence Abrams}, title = {{Logins for 1.3 million Windows RDP servers collected from hacker market}}, date = {2021-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/}, language = {English}, urldate = {2021-04-28} } @online{abrams:20210421:massive:1718928, author = {Lawrence Abrams}, title = {{Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices}}, date = {2021-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/}, language = {English}, urldate = {2021-04-28} } @online{abrams:20210424:ransomware:3358dd7, author = {Lawrence Abrams}, title = {{A ransomware gang made $260,000 in 5 days using the 7zip utility}}, date = {2021-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-ransomware-gang-made-260-000-in-5-days-using-the-7zip-utility/}, language = {English}, urldate = {2021-04-29} } @online{abrams:20210428:uk:2cce8c7, author = {Lawrence Abrams}, title = {{UK rail network Merseyrail likely hit by Lockbit ransomware}}, date = {2021-04-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/}, language = {English}, urldate = {2021-05-04} } @online{abrams:20210429:whistler:7e56ef7, author = {Lawrence Abrams}, title = {{Whistler resort municipality hit by new ransomware operation}}, date = {2021-04-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/whistler-resort-municipality-hit-by-new-ransomware-operation/}, language = {English}, urldate = {2021-05-08} } @online{abrams:20210503:apple:f499daf, author = {Lawrence Abrams}, title = {{Apple fixes 2 iOS zero-day vulnerabilities actively used in attacks}}, date = {2021-05-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/apple/apple-fixes-2-ios-zero-day-vulnerabilities-actively-used-in-attacks/}, language = {English}, urldate = {2021-05-04} } @online{abrams:20210503:n3tw0rm:a58b595, author = {Lawrence Abrams}, title = {{N3TW0RM ransomware emerges in wave of cyberattacks in Israel}}, date = {2021-05-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/n3tw0rm-ransomware-emerges-in-wave-of-cyberattacks-in-israel/}, language = {English}, urldate = {2021-05-04} } @online{abrams:20210507:data:c674b2b, author = {Lawrence Abrams}, title = {{Data leak marketplaces aim to take over the extortion economy}}, date = {2021-05-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/}, language = {English}, urldate = {2021-05-08} } @online{abrams:20210510:city:ba5dcd5, author = {Lawrence Abrams}, title = {{City of Tulsa's online services disrupted in ransomware incident}}, date = {2021-05-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/city-of-tulsas-online-services-disrupted-in-ransomware-incident/}, language = {English}, urldate = {2021-05-13} } @online{abrams:20210513:chemical:86f4f4a, author = {Lawrence Abrams}, title = {{Chemical distributor pays $4.4 million to DarkSide ransomware}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/}, language = {English}, urldate = {2021-05-17} } @online{abrams:20210513:meet:7ffacf5, author = {Lawrence Abrams}, title = {{Meet Lorenz — A new ransomware gang targeting the enterprise}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/}, language = {English}, urldate = {2021-05-13} } @online{abrams:20210513:popular:62e98c8, author = {Lawrence Abrams}, title = {{Popular Russian hacking forum XSS bans all ransomware topics}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/}, language = {English}, urldate = {2021-05-17} } @online{abrams:20210514:darkside:5169afb, author = {Lawrence Abrams}, title = {{DarkSide ransomware servers reportedly seized, REvil restricts targets}}, date = {2021-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/}, language = {English}, urldate = {2021-05-17} } @online{abrams:20210602:fbi:a9cb4ad, author = {Lawrence Abrams}, title = {{FBI: REvil cybergang behind the JBS ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } @online{abrams:20210602:fujifilm:eced96f, author = {Lawrence Abrams}, title = {{FUJIFILM shuts down network after suspected ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } @online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } @online{abrams:20210611:avaddon:0c89258, author = {Lawrence Abrams}, title = {{Avaddon ransomware shuts down and releases decryption keys}}, date = {2021-06-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/}, language = {English}, urldate = {2021-06-16} } @online{abrams:20210630:leaked:ea62d8a, author = {Lawrence Abrams}, title = {{Leaked Babuk Locker ransomware builder used in new attacks}}, date = {2021-06-30}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/}, language = {English}, urldate = {2021-07-02} } @online{abrams:20210702:revil:576023e, author = {Lawrence Abrams}, title = {{REvil ransomware hits 1,000+ companies in MSP supply-chain attack}}, date = {2021-07-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/}, language = {English}, urldate = {2021-07-26} } @online{abrams:20210713:revil:902b974, author = {Lawrence Abrams}, title = {{REvil ransomware gang's web sites mysteriously shut down}}, date = {2021-07-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/}, language = {English}, urldate = {2021-07-20} } @online{abrams:20210715:linux:87987af, author = {Lawrence Abrams}, title = {{Linux version of HelloKitty ransomware targets VMware ESXi servers}}, date = {2021-07-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210717:ecuadors:3940c8e, author = {Lawrence Abrams}, title = {{Ecuador's state-run CNT telco hit by RansomEXX ransomware}}, date = {2021-07-17}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/}, language = {English}, urldate = {2021-07-26} } @online{abrams:20210722:kaseya:7ec0805, author = {Lawrence Abrams}, title = {{Kaseya obtains universal decryptor for REvil ransomware victims}}, date = {2021-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/}, language = {English}, urldate = {2021-07-26} } @online{abrams:20210727:lockbit:095b8d6, author = {Lawrence Abrams}, title = {{LockBit ransomware now encrypts Windows domains using group policies}}, date = {2021-07-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/}, language = {English}, urldate = {2021-07-29} } @online{abrams:20210731:blackmatter:924d440, author = {Lawrence Abrams}, title = {{BlackMatter ransomware gang rises from the ashes of DarkSide, REvil}}, date = {2021-07-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/}, language = {English}, urldate = {2021-08-02} } @online{abrams:20210731:darkside:1d6ac34, author = {Lawrence Abrams}, title = {{DarkSide ransomware gang returns as new BlackMatter operation}}, date = {2021-07-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/}, language = {English}, urldate = {2021-08-02} } @online{abrams:20210803:ransomware:d1b938f, author = {Lawrence Abrams}, title = {{Ransomware attack hits Italy's Lazio region, affects COVID-19 site}}, date = {2021-08-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210804:lockbit:c6ab8ec, author = {Lawrence Abrams}, title = {{LockBit ransomware recruiting insiders to breach corporate networks}}, date = {2021-08-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210805:angry:a9916d3, author = {Lawrence Abrams}, title = {{Angry Conti ransomware affiliate leaks gang's attack playbook}}, date = {2021-08-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/}, language = {English}, urldate = {2021-08-06} } @online{abrams:20210805:linux:d6e65f8, author = {Lawrence Abrams}, title = {{Linux version of BlackMatter ransomware targets VMware ESXi servers}}, date = {2021-08-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/}, language = {English}, urldate = {2021-08-09} } @online{abrams:20210811:kaseyas:93f86e6, author = {Lawrence Abrams}, title = {{Kaseya's universal REvil decryption key leaked on a hacking forum}}, date = {2021-08-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/}, language = {English}, urldate = {2021-08-16} } @online{abrams:20210824:ransomware:7095151, author = {Lawrence Abrams}, title = {{Ransomware gang's script shows exactly the files they're after}}, date = {2021-08-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/}, language = {English}, urldate = {2022-01-28} } @online{abrams:20210906:trickbot:652a467, author = {Lawrence Abrams}, title = {{TrickBot gang developer arrested when trying to leave Korea}}, date = {2021-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/}, language = {English}, urldate = {2021-09-10} } @online{abrams:20210907:revil:121f953, author = {Lawrence Abrams}, title = {{REvil ransomware's servers mysteriously come back online}}, date = {2021-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/}, language = {English}, urldate = {2021-09-10} } @online{abrams:20211017:revil:b53b66f, author = {Lawrence Abrams}, title = {{REvil ransomware shuts down again after Tor sites were hijacked}}, date = {2021-10-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/}, language = {English}, urldate = {2021-10-25} } @online{abrams:20211021:evil:71bc16a, author = {Lawrence Abrams}, title = {{Evil Corp demands $40 million in new Macaw ransomware attacks}}, date = {2021-10-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/}, language = {English}, urldate = {2022-05-17} } @online{abrams:20211021:massive:89295e6, author = {Lawrence Abrams}, title = {{Massive campaign uses YouTube to push password-stealing malware}}, date = {2021-10-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/}, language = {English}, urldate = {2021-11-02} } @online{abrams:20211103:blackmatter:5681de9, author = {Lawrence Abrams}, title = {{BlackMatter ransomware moves victims to LockBit after shutdown}}, date = {2021-11-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/}, language = {English}, urldate = {2021-11-08} } @online{abrams:20211115:emotet:8de6d81, author = {Lawrence Abrams}, title = {{Emotet malware is back and rebuilding its botnet via TrickBot}}, date = {2021-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/}, language = {English}, urldate = {2021-11-17} } @online{abrams:20211207:emotet:f33c999, author = {Lawrence Abrams}, title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}}, date = {2021-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/}, language = {English}, urldate = {2021-12-08} } @online{abrams:20211220:log4j:1a80230, author = {Lawrence Abrams}, title = {{Log4j vulnerability now used to install Dridex banking malware}}, date = {2021-12-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/}, language = {English}, urldate = {2021-12-21} } @online{abrams:20220102:malicious:a53af29, author = {Lawrence Abrams}, title = {{Malicious CSV text files used to install BazarBackdoor malware}}, date = {2022-01-02}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/}, language = {English}, urldate = {2022-02-02} } @online{abrams:20220108:trojanized:00522d1, author = {Lawrence Abrams}, title = {{Trojanized dnSpy app drops malware cocktail on researchers, devs}}, date = {2022-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/}, language = {English}, urldate = {2022-01-18} } @online{abrams:20220120:fbi:e5f3fc1, author = {Lawrence Abrams}, title = {{FBI links Diavol ransomware to the TrickBot cybercrime group}}, date = {2022-01-20}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/}, language = {English}, urldate = {2022-01-24} } @online{abrams:20220125:new:5f8b7cf, author = {Lawrence Abrams}, title = {{New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key}}, date = {2022-01-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/}, language = {English}, urldate = {2022-01-28} } @online{abrams:20220209:ransomware:e36973b, author = {Lawrence Abrams}, title = {{Ransomware dev releases Egregor, Maze master decryption keys}}, date = {2022-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/}, language = {English}, urldate = {2022-02-10} } @online{abrams:20220227:conti:bf48bb7, author = {Lawrence Abrams}, title = {{Conti ransomware's internal chats leaked after siding with Russia}}, date = {2022-02-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/}, language = {English}, urldate = {2022-03-01} } @online{abrams:20220301:conti:4cd4535, author = {Lawrence Abrams}, title = {{Conti Ransomware source code leaked by Ukrainian researcher}}, date = {2022-03-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/}, language = {English}, urldate = {2022-03-07} } @online{abrams:20220303:malware:e800ffb, author = {Lawrence Abrams}, title = {{Malware campaign impersonates VC firm looking to buy sites}}, date = {2022-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-campaign-impersonates-vc-firm-looking-to-buy-sites/}, language = {English}, urldate = {2022-03-04} } @online{abrams:20220305:malware:5ab8b53, author = {Lawrence Abrams}, title = {{Malware now using NVIDIA's stolen code signing certificates}}, date = {2022-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/}, language = {English}, urldate = {2022-03-10} } @online{abrams:20220306:mozilla:fabd07e, author = {Lawrence Abrams}, title = {{Mozilla Firefox 97.0.2 fixes two actively exploited zero-day bugs (CVE-2022-26485 & CVE-2022-26486)}}, date = {2022-03-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mozilla-firefox-9702-fixes-two-actively-exploited-zero-day-bugs/}, language = {English}, urldate = {2022-03-07} } @online{abrams:20220319:new:197ca68, author = {Lawrence Abrams}, title = {{New Phishing toolkit lets anyone create fake Chrome browser windows}}, date = {2022-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-anyone-create-fake-chrome-browser-windows/}, language = {English}, urldate = {2022-03-22} } @online{abrams:20220322:microsoft:54e0518, author = {Lawrence Abrams}, title = {{Microsoft confirms they were hacked by Lapsus$ extortion group}}, date = {2022-03-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/}, language = {English}, urldate = {2022-03-23} } @online{abrams:20220325:raccoon:c99dbc5, author = {Lawrence Abrams}, title = {{Raccoon Stealer malware suspends operations due to war in Ukraine}}, date = {2022-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/}, language = {English}, urldate = {2022-04-07} } @online{abrams:20220327:hive:4b2408f, author = {Lawrence Abrams}, title = {{Hive ransomware ports its Linux VMware ESXi encryptor to Rust}}, date = {2022-03-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/}, language = {English}, urldate = {2022-03-29} } @online{abrams:20220401:week:14d9669, author = {Lawrence Abrams}, title = {{The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'}}, date = {2022-04-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/}, language = {English}, urldate = {2022-04-05} } @online{abrams:20220409:hackers:0a9cea8, author = {Lawrence Abrams}, title = {{Hackers use Conti's leaked ransomware to attack Russian companies}}, date = {2022-04-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/}, language = {English}, urldate = {2022-05-05} } @online{abrams:20220426:american:621959c, author = {Lawrence Abrams}, title = {{American Dental Association hit by new Black Basta ransomware}}, date = {2022-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/}, language = {English}, urldate = {2022-05-03} } @online{abrams:20220430:fake:a553f90, author = {Lawrence Abrams}, title = {{Fake Windows 10 updates infect you with Magniber ransomware}}, date = {2022-04-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/}, language = {English}, urldate = {2022-05-03} } @online{abrams:20220501:revil:0d6a35a, author = {Lawrence Abrams}, title = {{REvil ransomware returns: New malware sample confirms gang is back}}, date = {2022-05-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/}, language = {English}, urldate = {2022-05-03} } @online{abrams:20220515:fake:13bfa09, author = {Lawrence Abrams}, title = {{Fake Pixelmon NFT site infects you with password-stealing malware}}, date = {2022-05-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/}, language = {English}, urldate = {2022-05-17} } @online{abrams:20220609:roblox:19b3f09, author = {Lawrence Abrams}, title = {{Roblox Game Pass store used to sell ransomware decryptor}}, date = {2022-06-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/}, language = {English}, urldate = {2022-06-10} } @online{abrams:20220705:new:6189686, author = {Lawrence Abrams}, title = {{New RedAlert Ransomware targets Windows, Linux VMware ESXi servers}}, date = {2022-07-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/}, language = {English}, urldate = {2022-07-13} } @online{abrams:20220916:uber:0317b11, author = {Lawrence Abrams}, title = {{Uber hacked, internal systems breached and vulnerability reports stolen}}, date = {2022-09-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/}, language = {English}, urldate = {2022-09-19} } @online{abrams:20220929:new:6e43d69, author = {Lawrence Abrams}, title = {{New Royal Ransomware emerges in multi-million dollar attacks}}, date = {2022-09-29}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/}, language = {English}, urldate = {2022-11-03} } @online{abrams:20230307:emotet:734058c, author = {Lawrence Abrams}, title = {{Emotet malware attacks return after three-month break}}, date = {2023-03-07}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/}, language = {English}, urldate = {2023-03-13} } @online{abrams:20230729:linux:4a94420, author = {Lawrence Abrams}, title = {{Linux version of Abyss Locker ransomware targets VMware ESXi servers}}, date = {2023-07-29}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/}, language = {English}, urldate = {2023-08-03} } @online{abrams:20231203:linux:b5f945e, author = {Lawrence Abrams}, title = {{Linux version of Qilin ransomware focuses on VMware ESXi}}, date = {2023-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/}, language = {English}, urldate = {2023-12-05} } @online{abrams:20250130:backdoor:4ee29d1, author = {Lawrence Abrams}, title = {{Backdoor found in two healthcare patient monitors, linked to IP in China}}, date = {2025-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/}, language = {English}, urldate = {2025-01-31} } @online{abrams:20250505:new:3ba22ab, author = {Lawrence Abrams}, title = {{New "Bring Your Own Installer" EDR bypass used in ransomware attack}}, date = {2025-05-05}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-bring-your-own-installer-edr-bypass-used-in-ransomware-attack/}, language = {English}, urldate = {2025-05-20} } @online{abusech:20130118:feodo:5354db0, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2013-01-18}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/?filter=version_e}, language = {English}, urldate = {2020-01-13} } @online{abusech:2018:feodo:3a9a017, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2018}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/}, language = {English}, urldate = {2019-11-17} } @online{abusech:20210321:vjw0rm:d90bf99, author = {abuse.ch}, title = {{Vjw0rm malware samples}}, date = {2021-03-21}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/Vjw0rm/}, language = {English}, urldate = {2021-03-22} } @online{abusech:20210806:zgrat:bfbf906, author = {abuse.ch}, title = {{zgRAT malware samples}}, date = {2021-08-06}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/zgRAT/}, language = {English}, urldate = {2021-08-06} } @online{abusech:20210828:malwarebazaar:d3dbedb, author = {abuse.ch}, title = {{MalwareBazaar | GCleaner}}, date = {2021-08-28}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/GCleaner/}, language = {English}, urldate = {2021-08-31} } @online{abusech:20211104:malwarebazaar:27b4390, author = {abuse.ch}, title = {{MalwareBazaar Report for Misha sample}}, date = {2021-11-04}, organization = {MalwareBazaar}, url = {https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/}, language = {English}, urldate = {2021-11-09} } @online{abusech:20220123:nw0rm:3ff0a18, author = {abuse.ch}, title = {{N-W0rm malware samples}}, date = {2022-01-23}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/tag/N-W0rm/}, language = {English}, urldate = {2022-01-25} } @online{abusech:20220901:new:3ae2715, author = {abuse.ch}, title = {{New stealer in town}}, date = {2022-09-01}, organization = {abuse.ch}, url = {https://twitter.com/abuse_ch/status/1565290110572175361}, language = {English}, urldate = {2022-09-01} } @online{abusech:20220927:allcomeclipper:a0eddae, author = {abuse.ch}, title = {{AllcomeClipper samples on MalwareBazaar}}, date = {2022-09-27}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/AllcomeClipper/}, language = {English}, urldate = {2022-09-27} } @online{abusech:20230227:phonk:db3f7a2, author = {abuse.ch}, title = {{Tweet on Phonk by abuse.ch}}, date = {2023-02-27}, organization = {abuse.ch}, url = {https://twitter.com/abuse_ch/status/1630111198036348928}, language = {English}, urldate = {2023-02-27} } @online{abusech:20230330:lu0bot:acc5ddd, author = {abuse.ch}, title = {{Lu0Bot samples on MalwareBazaar}}, date = {2023-03-30}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/tag/Lu0Bot/}, language = {English}, urldate = {2023-03-30} } @online{abusech:20230907:whitesnake:22eaec8, author = {abuse.ch}, title = {{WhiteSnake Stealer malware sample on MalwareBazaar}}, date = {2023-09-07}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/sample/5066eca9c7309af16c882ffae79ceee93d5c8a8bcfe3726455c9b5589a492553/}, language = {English}, urldate = {2023-09-07} } @online{abusech:20240201:t34loader:b09e717, author = {abuse.ch}, title = {{T34loader payload URLs}}, date = {2024-02-01}, organization = {abuse.ch}, url = {https://urlhaus.abuse.ch/browse/tag/T34loader/}, language = {English}, urldate = {2024-02-02} } @online{abusech:20240706:povertystealer:f23fd71, author = {abuse.ch}, title = {{PovertyStealer malware samples}}, date = {2024-07-06}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/PovertyStealer/}, language = {English}, urldate = {2024-07-08} } @online{abusech:20250523:malwarebazaar:60b339d, author = {abuse.ch}, title = {{MalwareBazaar - AurotunStealer}}, date = {2025-05-23}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/AurotunStealer/}, language = {English}, urldate = {2025-05-23} } @online{abusech:20250610:malwarebazaar:4ecc765, author = {abuse.ch}, title = {{MalwareBazaar | SHA256 73fd51d4a0959e5c5a82db9be0d765069d02a2b97f51f55f5d6422a7bec01caa (AmateraStealer)}}, date = {2025-06-10}, url = {https://bazaar.abuse.ch/sample/73fd51d4a0959e5c5a82db9be0d765069d02a2b97f51f55f5d6422a7bec01caa/}, language = {English}, urldate = {2025-06-11} } @online{abusech:20250614:malwarebazaar:1c8df0e, author = {abuse.ch}, title = {{MalwareBazaar | SalatStealer}}, date = {2025-06-14}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/tag/SalatStealer/}, language = {English}, urldate = {2025-06-16} } @online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = {{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} } @online{academy:20250429:ransomhub:45b5060, author = {Ethical Hackers Academy}, title = {{RansomHub Ransomware Deploys Malware to Breach Corporate Networks}}, date = {2025-04-29}, organization = {LinkedIn (Ethical Hackers Academy)}, url = {https://www.linkedin.com/pulse/ransomhub-ransomware-deploys-malware-breach-corporate-hb44c/}, language = {English}, urldate = {2025-05-01} } @online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } @online{accenture:2018:hogfish:4bd6290, author = {Accenture}, title = {{HOGFISH REDLEAVES CAMPAIGN}}, date = {2018}, organization = {Accenture}, url = {http://blog.alyac.co.kr/1853}, language = {English}, urldate = {2020-01-06} } @techreport{accenture:20190305:mudcarps:2e785cc, author = {Accenture}, title = {{MUDCARP's Focus on Submarine Technologies}}, date = {2019-03-05}, institution = {Accenture}, url = {https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf}, language = {English}, urldate = {2022-09-12} } @online{accenture:20211210:karakurt:5bb6d9c, author = {Accenture}, title = {{Karakurt rises from its lair}}, date = {2021-12-10}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation}, language = {English}, urldate = {2021-12-15} } @techreport{accenture:20220415:global:7244169, author = {Accenture}, title = {{Global Incident Report: Russia-Ukraine Crisis}}, date = {2022-04-15}, institution = {Accenture}, url = {https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/04/Global-incident-report-Russia-Ukraine-Crisis-April-14.pdf}, language = {English}, urldate = {2022-04-20} } @online{accenture:20220609:finding:1f4e3a0, author = {Accenture}, title = {{Finding Vulnerabilities with VulFi IDA Plugin}}, date = {2022-06-09}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/finding-vulnerabilities-vulfi-ida-plugin}, language = {English}, urldate = {2022-09-26} } @online{accenture:20220610:russia:5ab3b69, author = {Accenture}, title = {{Russia Ukraine Crisis Overview}}, date = {2022-06-10}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/ukraine-russia-2022}, language = {English}, urldate = {2023-01-19} } @online{accenture:20220628:stealbit:ec9bb0e, author = {Accenture}, title = {{Steal(Bit) or exfil, what does it (Ex)Matter? Comparative Analysis of Custom Exfiltration Tools}}, date = {2022-06-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis}, language = {English}, urldate = {2022-09-26} } @online{accenture:20220811:how:c19491d, author = {Accenture}, title = {{How cybercriminals are weaponizing leaked ransomware data for follow-up attacks}}, date = {2022-08-11}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/cybercriminals-weaponizing-leaked-ransomware-data}, language = {English}, urldate = {2022-09-26} } @online{acey9:20250115:zombies:2f94aeb, author = {Acey9 and Alex.Turing and Daji and wanghao}, title = {{Zombies Never Die: Analysis of the Current Situation of Large Botnet AIRASHI}}, date = {2025-01-15}, organization = {Qianxin}, url = {https://blog.xlab.qianxin.com/large-scale-botnet-airashi/}, language = {Chinese}, urldate = {2025-04-10} } @online{acey9:20250313:botnets:2345d05, author = {Acey9 and Alex.Turing and Daji and Wang Hao}, title = {{Botnets never die}}, date = {2025-03-13}, organization = {APNIC}, url = {https://blog.apnic.net/2025/03/13/botnets-never-die/}, language = {English}, urldate = {2025-04-10} } @online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } @online{ackerman:20190821:taking:3b8daac, author = {Pascal Ackerman}, title = {{Taking a Closer Look at the LookBack Malware Campaign – Part 1}}, date = {2019-08-21}, organization = {Threatgen}, url = {https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/}, language = {English}, urldate = {2020-01-13} } @online{ackerman:20220328:forged:3105d8e, author = {Geoff Ackerman and Tufail Ahmed and James Maclachlan and Dallin Warne and John Wolfram and Brandon Wilbur}, title = {{Forged in Fire: A Survey of MobileIron Log4Shell Exploitation}}, date = {2022-03-28}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mobileiron-log4shell-exploitation}, language = {English}, urldate = {2022-03-30} } @online{ackerman:20230612:deep:895f24c, author = {Karl Ackerman}, title = {{Deep dive into the Pikabot cyber threat}}, date = {2023-06-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/}, language = {English}, urldate = {2023-11-13} } @online{acpenw:20210522:lessons:6747f56, author = {YouTube (ACPEnw)}, title = {{Lessons Learned from a Cyber Attack System Admin Perspective}}, date = {2021-05-22}, organization = {Youtube (ACPEnw)}, url = {https://www.youtube.com/watch?v=HwfRxjV2wok}, language = {English}, urldate = {2021-06-21} } @online{acsc:20200523:summary:32bbf2b, author = {Australian Cyber Security Centre (ACSC)}, title = {{Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks}}, date = {2020-05-23}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/threats/summary-of-tradecraft-trends-for-2019-20-tactics-techniques-and-procedures-used-to-target-australian-networks}, language = {English}, urldate = {2020-05-23} } @techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } @online{acsc:20200619:advisory:bfa3598, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-19}, organization = {Australian Signals Directorate}, url = {https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks}, language = {English}, urldate = {2022-04-20} } @online{acsc:20200619:copypaste:3df3d7e, author = {Australian Cyber Security Centre (ACSC)}, title = {{Copy-paste compromises}}, date = {2020-06-19}, organization = {ACSC}, url = {https://www.cyber.gov.au/acsc/view-all-content/alerts/copy-paste-compromises}, language = {English}, urldate = {2022-04-25} } @online{acsc:20201112:biotech:edf0f4a, author = {Australian Cyber Security Centre (ACSC)}, title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}}, date = {2020-11-12}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector}, language = {English}, urldate = {2020-11-18} } @techreport{acsc:20210508:2021003:ac0c913, author = {Australian Cyber Security Centre (ACSC)}, title = {{2021-003: Ongoing campaign using Avaddon Ransomware}}, date = {2021-05-08}, institution = {Australian Signals Directorate}, url = {https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf}, language = {English}, urldate = {2021-05-11} } @online{acsc:20230124:202301:0fa06a3, author = {Australian Cyber Security Centre (ACSC)}, title = {{2023-01: ACSC Ransomware Profile - Royal}}, date = {2023-01-24}, organization = {ACSC}, url = {https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal}, language = {English}, urldate = {2023-05-05} } @online{action09:20181116:c0ld:89e6c06, author = {Action09}, title = {{(C)0ld Case : From Aerospace to China’s interests.}}, date = {2018-11-16}, organization = {CyberThreatIntelligence Blog}, url = {https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/}, language = {English}, urldate = {2020-01-07} } @online{actiondan:20180219:intro:0d978b0, author = {ActionDan}, title = {{Intro to Using GScript for Red Teams}}, date = {2018-02-19}, url = {http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html}, language = {English}, urldate = {2019-12-20} } @online{actions:20210512:executive:b437939, author = {Presidential Actions}, title = {{Executive Order on Improving the Nation’s Cybersecurity}}, date = {2021-05-12}, organization = {THE WHITE HOUSE}, url = {https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/}, language = {English}, urldate = {2021-05-13} } @online{adair:20161109:powerduke:335bceb, author = {Steven Adair}, title = {{PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs}}, date = {2016-11-09}, organization = {Volexity}, url = {https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/}, language = {English}, urldate = {2019-12-24} } @online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } @online{adair:20220203:operation:fd96d5c, author = {Steven Adair and Thomas Lancaster}, title = {{Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra}}, date = {2022-02-03}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/}, language = {English}, urldate = {2022-02-07} } @online{adair:20220615:driftingcloud:58322a8, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach}}, date = {2022-06-15}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/}, language = {English}, urldate = {2022-06-17} } @online{adamitis:20181105:persian:5adf8c2, author = {Danny Adamitis and Warren Mercer and Paul Rascagnères and Vitor Ventura and Eric Kuhla}, title = {{Persian Stalker pillages Iranian users of Instagram and Telegram}}, date = {2018-11-05}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/11/persian-stalker.html}, language = {English}, urldate = {2019-11-27} } @online{adamitis:20190417:dns:0146532, author = {Danny Adamitis and David Maynor and Warren Mercer and Matthew Olney and Paul Rascagnères}, title = {{DNS Hijacking Abuses Trust In Core Internet Service}}, date = {2019-04-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/seaturtle.html}, language = {English}, urldate = {2020-01-09} } @online{adamitis:20190520:recent:4bb543f, author = {Danny Adamitis and David Maynor and Kendall McKay}, title = {{Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques}}, date = {2019-05-20}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html}, language = {English}, urldate = {2020-01-07} } @online{adamitis:20190709:sea:62515b8, author = {Danny Adamitis and Paul Rascagnères}, title = {{Sea Turtle Keeps on Swimming}}, date = {2019-07-09}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20190911:autumn:2b311d7, author = {Danny Adamitis}, title = {{Autumn Aperture Report}}, date = {2019-09-11}, url = {https://web.archive.org/web/20200401171809/https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2024-12-20} } @online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} } @online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } @online{adamitis:20200506:phantom:2a752f7, author = {Danny Adamitis}, title = {{Phantom in the Command Shell}}, date = {2020-05-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html}, language = {English}, urldate = {2020-05-07} } @online{adamitis:20200506:phantom:d536e0b, author = {Danny Adamitis}, title = {{Phantom in the Command Shell}}, date = {2020-05-06}, organization = {Prevailion}, url = {https://web.archive.org/web/20210422172657/https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html}, language = {English}, urldate = {2024-12-20} } @online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://www.prevailion.com/the-gh0st-remains-the-same-2/}, language = {English}, urldate = {2022-09-20} } @online{adamitis:20210605:gh0st:78aa8a1, author = {Danny Adamitis}, title = {{The Gh0st remain the same}}, date = {2021-06-05}, organization = {Prevailion}, url = {https://web.archive.org/web/20210422180517/https://blog.prevailion.com/}, language = {English}, urldate = {2024-12-20} } @online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } @online{adamov:20170502:targeted:31454f7, author = {Alexander Adamov}, title = {{Targeted attack against the Ukrainian military}}, date = {2017-05-02}, url = {https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html}, language = {English}, urldate = {2019-12-17} } @online{adamov:20221024:russian:97d3e2a, author = {Alexander Adamov}, title = {{Russian wipers in the cyberwar against Ukraine}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=mrTdSdMMgnk}, language = {English}, urldate = {2023-03-20} } @techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } @online{adamtheanalyst:20210628:suspected:a9109b3, author = {AdamTheAnalyst}, title = {{Tweet on suspected REvil exfiltration (over RClone FTP) server}}, date = {2021-06-28}, organization = {Twitter (@AdamTheAnalyst)}, url = {https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20}, language = {English}, urldate = {2021-06-29} } @online{adel:20220912:raccoon:f423625, author = {Mohamed Adel}, title = {{Raccoon Stealer V2 in depth Analysis}}, date = {2022-09-12}, organization = {d01a}, url = {https://d01a.github.io/raccoon-stealer/}, language = {English}, urldate = {2022-09-14} } @online{adel:20230413:aurora:05f3c4a, author = {Mohamed Adel}, title = {{Aurora Stealer deep dive Analysis}}, date = {2023-04-13}, organization = {d01a}, url = {https://d01a.github.io/aurora-stealer/}, language = {English}, urldate = {2023-04-14} } @online{adel:20230423:exposing:f6a4b57, author = {Mohamed Adel}, title = {{exposing the internals of Aurora Stealer Builder}}, date = {2023-04-23}, organization = {d01a}, url = {https://d01a.github.io/aurora-stealer-builder/}, language = {English}, urldate = {2023-04-25} } @online{adel:20230731:pikabot:8393b59, author = {Mohamed Adel}, title = {{Pikabot deep analysis}}, date = {2023-07-31}, organization = {d01a}, url = {https://d01a.github.io/pikabot/}, language = {English}, urldate = {2023-08-01} } @online{adel:20230818:understanding:688e1f2, author = {Mohamed Adel}, title = {{Understanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation}}, date = {2023-08-18}, organization = {d01a}, url = {https://d01a.github.io/syscalls/}, language = {English}, urldate = {2023-08-21} } @online{adetomiwa:20220204:static:86b3c83, author = {Adetomiwa}, title = {{Static analysis of Goldenhelper Malware (Golden Tax malware)}}, date = {2022-02-04}, organization = {Medium tomiwa-xy}, url = {https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d}, language = {English}, urldate = {2022-02-17} } @online{adhikara:20250401:salvador:d09f905, author = {Adhikara}, title = {{Salvador Stealer: New Android Malware That Phishes Banking Details & OTPs}}, date = {2025-04-01}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/salvador-stealer-malware-analysis/}, language = {English}, urldate = {2025-04-10} } @online{adlab:20170705:trump:88e09f8, author = {ADLab}, title = {{Trump Zombies: New IoT Zombies Attacking 'In Trump's Name'}}, date = {2017-07-05}, organization = {Seebug Paper}, url = {http://paper.seebug.org/345/}, language = {Chinese}, urldate = {2022-10-25} } @online{adlab:20210616:apt34:4697e7c, author = {ADLab}, title = {{APT34 organization latest in-depth analysis report on attack activities}}, date = {2021-06-16}, organization = {Venustech}, url = {https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ}, language = {Chinese}, urldate = {2021-06-21} } @online{adlam:20240202:crackedcantil:c9b3eea, author = {Stephanie Adlam}, title = {{CrackedCantil Dropper Delivers Numerous Malware}}, date = {2024-02-02}, organization = {Gridinsoft}, url = {https://gridinsoft.com/blogs/crackedcantil-dropper-malware/}, language = {English}, urldate = {2024-02-05} } @online{adlumin:20231121:playcrypt:a3455dc, author = {adlumin}, title = {{PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers}}, date = {2023-11-21}, organization = {adlumin}, url = {https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/}, language = {English}, urldate = {2023-11-22} } @online{admin001:20191120:shadow:49b26ff, author = {admin001}, title = {{Shadow of the Circle Hovering Over Central Asia - The Golden Eagle (APT-C-34) Organizing Attack Revealed}}, date = {2019-11-20}, organization = {360}, url = {http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html}, language = {English}, urldate = {2020-01-10} } @online{admin:20111220:analyzing:b643c33, author = {admin}, title = {{Analyzing CVE-2011-4369 – Part One}}, date = {2011-12-20}, organization = {9bplus}, url = {https://web.archive.org/web/20150310155151/http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/}, language = {English}, urldate = {2024-10-09} } @online{admin:20231010:sand:f91a858, author = {admin}, title = {{Sand Cat Group - Attacks on Kurdistan Democratic Party (KDP) Activists}}, date = {2023-10-10}, organization = {Qianxin}, url = {https://www.ctfiot.com/138538.html}, language = {English}, urldate = {2023-10-12} } @online{admin:20240202:fritzfrog:19109a0, author = {admin}, title = {{FritzFrog Botnet Expands Attack Arsenal with Log4Shell Exploits}}, date = {2024-02-02}, organization = {Cyber Kendra}, url = {https://www.cyberkendra.com/2024/02/fritzfrog-botnet-expands-attack-arsenal.html}, language = {English}, urldate = {2024-02-06} } @online{adobe:20210209:adobe:02148d5, author = {Adobe}, title = {{Adobe Security Bulletin for 0-day CVE-2021-21017 (exploited ITW)}}, date = {2021-02-09}, organization = {Adobe}, url = {https://helpx.adobe.com/security/products/acrobat/apsb21-09.html}, language = {English}, urldate = {2021-02-10} } @online{adolphi:20231130:promon:16916dd, author = {Benjamin Adolphi}, title = {{Promon discovers new Android banking malware, “FjordPhantom”}}, date = {2023-11-30}, organization = {Promon}, url = {https://promon.co/security-news/fjordphantom-android-malware/}, language = {English}, urldate = {2023-12-14} } @online{advintel:20220811:bazarcall:1ad6bb2, author = {AdvIntel}, title = {{“BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches}}, date = {2022-08-11}, organization = {AdvIntel}, url = {https://www.advintel.io/post/bazarcall-advisory-the-essential-guide-to-call-back-phishing-attacks-that-revolutionized-the-data}, language = {English}, urldate = {2022-08-11} } @techreport{advisory:20200528:sandworm:d509ae5, author = {Cybersecurity Advisory}, title = {{Sandworm Actors Exploiting Vulnerability in EXIM Mail Transfer Agent}}, date = {2020-05-28}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf}, language = {English}, urldate = {2020-05-29} } @online{affairs:20140202:us:872a22b, author = {Office of Public Affairs}, title = {{U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator}}, date = {2014-02-02}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware}, language = {English}, urldate = {2020-01-08} } @online{affairs:20170328:russian:e9c593c, author = {Office of Public Affairs}, title = {{Russian Citizen Pleads Guilty for Involvement in Global Botnet Conspiracy}}, date = {2017-03-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy}, language = {English}, urldate = {2020-01-07} } @online{affairs:20180523:justice:806d785, author = {Office of Public Affairs}, title = {{Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices}}, date = {2018-05-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected}, language = {English}, urldate = {2020-01-06} } @online{affairs:20180906:north:9b30dd0, author = {Office of Public Affairs}, title = {{North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}}, date = {2018-09-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and}, language = {English}, urldate = {2020-01-07} } @online{affairs:20181128:two:9032b25, author = {Office of Public Affairs}, title = {{Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses}}, date = {2018-11-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public}, language = {English}, urldate = {2020-01-08} } @online{affairs:20190213:former:3518c47, author = {Office of Public Affairs}, title = {{Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues}}, date = {2019-02-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber}, language = {English}, urldate = {2019-10-14} } @online{affairs:20190411:two:8ce139a, author = {Office of Public Affairs}, title = {{Two Romanian Cybercriminals Convicted of All 21 Counts Relating to Infecting Over 400,000 Victim Computers with Malware and Stealing Millions of Dollars}}, date = {2019-04-11}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim}, language = {English}, urldate = {2019-10-13} } @online{affairs:20190516:goznym:714f938, author = {Office of Public Affairs}, title = {{GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation}}, date = {2019-05-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled}, language = {English}, urldate = {2020-01-08} } @online{affairs:20210507:four:8efdc7e, author = {Office of Public Affairs}, title = {{Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals}}, date = {2021-05-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals}, language = {English}, urldate = {2021-05-11} } @online{affairs:20210601:justice:1ed9656, author = {Office of Public Affairs}, title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}}, date = {2021-06-01}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear}, language = {English}, urldate = {2021-06-09} } @online{affairs:20210604:latvian:4403f09, author = {Office of Public Affairs}, title = {{Latvian National Charged for Alleged Role in Transnational Cybercrime Organization}}, date = {2021-06-04}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization}, language = {English}, urldate = {2021-06-16} } @online{affairs:20210607:department:d8a05d5, author = {Office of Public Affairs}, title = {{Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside}}, date = {2021-06-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside}, language = {English}, urldate = {2021-06-09} } @online{affairs:20210616:russian:42a61cf, author = {Office of Public Affairs}, title = {{Russian National Convicted of Charges Relating to Kelihos Botnet}}, date = {2021-06-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet}, language = {English}, urldate = {2021-06-21} } @online{affairs:20210624:highlevel:28f0725, author = {Office of Public Affairs}, title = {{High-Level Member of Hacking Group Sentenced to Prison for Scheme that Compromised Tens of Millions of Debit and Credit Cards}}, date = {2021-06-24}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/high-level-member-hacking-group-sentenced-prison-scheme-compromised-tens-millions-debit-and}, language = {English}, urldate = {2021-06-29} } @online{affairs:20210719:four:083a598, author = {Office of Public Affairs}, title = {{Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research}}, date = {2021-07-19}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion}, language = {English}, urldate = {2021-07-26} } @online{affairs:20220309:sodinokibirevil:7c18d03, author = {Office of Public Affairs}, title = {{Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas}}, date = {2022-03-09}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas}, language = {English}, urldate = {2022-03-10} } @online{affairs:20220324:americas:024ab10, author = {U.S. Senate Committee on Homeland Security & Governmental Affairs}, title = {{America's Data Held Hostage: Case Studies in Ransomware Attacks on American Companies}}, date = {2022-03-24}, organization = {United States Senate}, url = {https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422}, language = {English}, urldate = {2022-03-25} } @online{affairs:20220324:new:bfc2f76, author = {U.S. Senate Committee on Homeland Security & Governmental Affairs}, title = {{New Portman Report Demonstrates Threat Ransomware Presents to the United States}}, date = {2022-03-24}, organization = {United States Senate}, url = {https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states}, language = {English}, urldate = {2022-03-25} } @online{affairs:20220720:cyber:b7604e7, author = {Cyber National Mission Force Public Affairs}, title = {{Cyber National Mission Force discloses IOCs from Ukrainian networks}}, date = {2022-07-20}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/}, language = {English}, urldate = {2022-07-25} } @online{affairs:20230907:multiple:8952f60, author = {Office of Public Affairs}, title = {{Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies}}, date = {2023-09-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware}, language = {English}, urldate = {2023-09-08} } @online{affairs:20231207:two:b15a0a9, author = {Office of Public Affairs}, title = {{Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign}}, date = {2023-12-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer}, language = {English}, urldate = {2024-11-25} } @online{affairs:20240131:us:8f03a16, author = {Office of Public Affairs}, title = {{U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure}}, date = {2024-01-31}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical}, language = {English}, urldate = {2024-02-02} } @online{affairs:20240209:international:4ae7ba3, author = {Office of Public Affairs}, title = {{International Cybercrime Malware Service Dismantled by Federal Authorities: Key Malware Sales and Support Actors in Malta and Nigeria Charged in Federal Indictments}}, date = {2024-02-09}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales}, language = {English}, urldate = {2024-03-18} } @online{affairs:20240215:foreign:dd6aa60, author = {Office of Public Affairs}, title = {{Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses}}, date = {2024-02-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars}, language = {English}, urldate = {2024-02-16} } @online{affairs:20240215:justice:1145b3e, author = {Office of Public Affairs}, title = {{Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)}}, date = {2024-02-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian}, language = {English}, urldate = {2024-02-16} } @online{affairs:20240626:russian:220aa08, author = {Office of Public Affairs}, title = {{Russian National Charged for Conspiring with Russian Military Intelligence to Destroy Ukrainian Government Computer Systems and Data}}, date = {2024-06-26}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-charged-conspiring-russia-military-intelligence-destroy-ukrainian}, language = {English}, urldate = {2025-02-03} } @online{affairs:20240709:justice:8e1be72, author = {Office of Public Affairs}, title = {{Justice Department Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm}}, date = {2024-07-09}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-leads-efforts-among-federal-international-and-private-sector-partners}, language = {English}, urldate = {2025-02-03} } @online{affairs:20241003:justice:bcbdf88, author = {Office of Public Affairs}, title = {{Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts}}, date = {2024-10-03}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts}, language = {English}, urldate = {2024-11-25} } @online{affairs:20250114:justice:8c5a342, author = {Office of Public Affairs}, title = {{Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers}}, date = {2025-01-14}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed}, language = {English}, urldate = {2025-01-15} } @online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } @techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2023-07-10} } @online{ag:20210107:lazarus:963b364, author = {HvS-Consulting AG}, title = {{Lazarus / APT37 IOCs}}, date = {2021-01-07}, organization = {Github (hvs-consulting)}, url = {https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37}, language = {English}, urldate = {2021-01-21} } @techreport{ag:20220214:fallout:c2111fe, author = {HvS-Consulting AG}, title = {{The APT Fallout of Vulnerabilities such as ProxyLogon, OGNL Injection, and log4shell}}, date = {2022-02-14}, institution = {}, url = {https://www.hvs-consulting.de/public/ThreatReport-EmissaryPanda.pdf}, language = {English}, urldate = {2022-02-16} } @online{agarwal:20210726:from:71cb8dd, author = {Kabir Agarwal and Sangeeta Barooah Pisharoty}, title = {{From Army and BSF to RAW, Spyware Threat Touched National Security Field Too}}, date = {2021-07-26}, organization = {The Wire}, url = {https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat}, language = {English}, urldate = {2021-08-02} } @online{agcaoili:20210427:hello:b3c5de5, author = {Janus Agcaoili}, title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html}, language = {English}, urldate = {2021-04-29} } @online{agcaoili:20210427:legitimate:b293526, author = {Janus Agcaoili and Earle Earnshaw}, title = {{Legitimate Tools Weaponized for Ransomware in 2021}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021}, language = {English}, urldate = {2021-05-03} } @online{agcaoili:20210615:ransomware:41013af, author = {Janus Agcaoili and Miguel Ang and Earle Earnshaw and Byron Gelera and Nikko Tamana}, title = {{Ransomware Double Extortion and Beyond: REvil, Clop, and Conti}}, date = {2021-06-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti}, language = {English}, urldate = {2021-06-21} } @online{agency:20191025:qsnatch:9631c95, author = {Finnish Transport & Communications Agency}, title = {{QSnatch - Malware designed for QNAP NAS devices}}, date = {2019-10-25}, organization = {Finnish Transport & Communications Agency}, url = {https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices}, language = {English}, urldate = {2020-01-10} } @techreport{agency:20200813:russian:c0ae2d5, author = {National Security Agency and Federal Bureau of Investigation}, title = {{Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware}}, date = {2020-08-13}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF}, language = {English}, urldate = {2020-08-14} } @techreport{agency:202008:finspy:9de4cba, author = {Defensive Lab Agency}, title = {{FinSpy Android Technical Analysis}}, date = {2020-08}, institution = {Defensive Lab Agency}, url = {https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{agency:20201020:chinese:73ad10e, author = {National Security Agency}, title = {{Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities}}, date = {2020-10-20}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF}, language = {English}, urldate = {2020-10-23} } @online{agha:20220816:cleartext:3262c13, author = {Dray Agha}, title = {{Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY}}, date = {2022-08-16}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy}, language = {English}, urldate = {2022-09-12} } @online{agman:20200817:uncover:948e868, author = {Yaniv Agman}, title = {{Uncover Malware Payload Executions Automatically with Tracee}}, date = {2020-08-17}, organization = {Aqua}, url = {https://blog.aquasec.com/ebpf-container-tracing-malware-detection}, language = {English}, urldate = {2020-08-21} } @online{agrawal:20230324:aurora:0c417c4, author = {Saharsh Agrawal}, title = {{Aurora: The Dark Dawn and its Menacing Effects}}, date = {2023-03-24}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/}, language = {English}, urldate = {2023-04-12} } @online{agrawal:20230330:from:7b46ae0, author = {Saharsh Agrawal}, title = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}}, date = {2023-03-30}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/}, language = {English}, urldate = {2023-04-14} } @online{agrawal:20230523:taming:7a77f19, author = {Saharsh Agrawal}, title = {{Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350}}, date = {2023-05-23}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/}, language = {English}, urldate = {2023-05-30} } @online{agrawal:20240729:blue:d18bc6f, author = {Saharsh Agrawal}, title = {{Blue Screen Mayhem: When CrowdStrike's Glitch Became Threat Actor's Playground}}, date = {2024-07-29}, organization = {loginsoft}, url = {https://www.loginsoft.com/post/blue-screen-mayhem-when-crowdstrikes-glitch-became-threat-actors-playground}, language = {English}, urldate = {2024-10-21} } @online{agregado:20220322:dissecting:eeb76c4, author = {Karla Agregado}, title = {{Dissecting a Phishing Campaign with a Captcha-based URL}}, date = {2022-03-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dissecting-a-phishing-campaign-with-a-captcha-based-url}, language = {English}, urldate = {2022-08-17} } @online{agregado:20220728:ipfs:6c62759, author = {Karla Agregado and Katrina Udquin}, title = {{IPFS: The New Hotbed of Phishing}}, date = {2022-07-28}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing}, language = {English}, urldate = {2022-08-17} } @online{agu:20201209:yara:12fa707, author = {Anyasor Chukwuemeka Agu}, title = {{Yara Rules + Assembly == ??}}, date = {2020-12-09}, organization = {Linkedin}, url = {https://www.linkedin.com/pulse/yara-rules-assembly-emeka-agu?trk=public_profile_article_view}, language = {English}, urldate = {2021-10-05} } @techreport{ahinkaya:20200828:cerberus:5575c7b, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Analysis}}, date = {2020-08-28}, institution = {CYBERWISE}, url = {https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf}, language = {English}, urldate = {2023-09-22} } @online{ahinkaya:20200831:cerberus:ecd6606, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Research}}, date = {2020-08-31}, organization = {Github (ics-iot-bootcamp)}, url = {https://github.com/ics-iot-bootcamp/cerberus_research}, language = {English}, urldate = {2020-09-21} } @online{ahinkaya:20230824:proxy:290c6f4, author = {Ali Rıza Şahinkaya and Sevcan Kazdağ}, title = {{“Proxy” Based Phishing Attacks Are on the Rise Again}}, date = {2023-08-24}, organization = {CYBERWISE}, url = {https://medium.com/cyberwise/proxy-tabanl%C4%B1-oltalama-sald%C4%B1r%C4%B1lar%C4%B1-yeniden-y%C3%BCkseli%C5%9Fte-139a9eb8ee79}, language = {Turkish}, urldate = {2023-09-19} } @online{ahl:20130807:breaking:aff06e9, author = {Ian Ahl and Tony Lee and Dennis Hanzlik}, title = {{Breaking Down the China Chopper Web Shell - Part I}}, date = {2013-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html}, language = {English}, urldate = {2019-12-20} } @online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } @online{ahl:20170606:privileges:a73c0dc, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel}, language = {English}, urldate = {2022-09-12} } @online{ahn:20190304:kimsuky:e84d908, author = {Chang-Yong Ahn}, title = {{Kimsuky}}, date = {2019-03-04}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102}, language = {Korean}, urldate = {2019-10-23} } @online{ahnlab:20180330:magniber:5d13799, author = {AhnLab}, title = {{Magniber}}, date = {2018-03-30}, organization = {AhnLab}, url = {http://asec.ahnlab.com/1124}, language = {English}, urldate = {2019-07-09} } @techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } @techreport{ahnlab:20180625:asec:dcc35cb, author = {AhnLab}, title = {{ASEC Report vol. 91 (2018)}}, date = {2018-06-25}, institution = {AhnLab}, url = {http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf}, language = {Korean}, urldate = {2020-01-10} } @techreport{ahnlab:20190221:operation:3e3c720, author = {AhnLab}, title = {{Operation Kabar Cobra}}, date = {2019-02-21}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf}, language = {Korean}, urldate = {2019-12-02} } @techreport{ahnlab:20200302:analysis:c0c47c3, author = {AhnLab}, title = {{Analysis Report: MyKings Botnet}}, date = {2020-03-02}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf}, language = {Korean}, urldate = {2020-03-04} } @online{ahnlab:20200406:shadow:450342b, author = {AhnLab}, title = {{Shadow Force behind normal certificate reveals seven years}}, date = {2020-04-06}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129}, language = {Korean}, urldate = {2020-05-18} } @online{ahnlab:20210628:cryptbot:6d593f3, author = {AhnLab}, title = {{CryptBot Info-stealer Malware Being Distributed in Different Forms}}, date = {2021-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/24423/}, language = {English}, urldate = {2022-04-07} } @online{ahnlab:20220818:rat:8957381, author = {AhnLab}, title = {{RAT tool disguised as a solution file (*.sln) on GitHub}}, date = {2022-08-18}, url = {https://asec.ahnlab.com/ko/37764/}, language = {English}, urldate = {2022-09-30} } @online{ahnlab:20241016:ahnlab:a875ca5, author = {AhnLab}, title = {{AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)}}, date = {2024-10-16}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/83877/}, language = {English}, urldate = {2024-10-25} } @online{ahuje:20220127:new:3b60ed4, author = {Manoj Ahuje}, title = {{New Docker Cryptojacking Attempts Detected Over 2021 End-of-Year Holidays}}, date = {2022-01-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-docker-cryptojacking-attempts-detected-over-2021-holidays/}, language = {English}, urldate = {2022-02-01} } @online{ahuje:20220421:lemonduck:6b61d01, author = {Manoj Ahuje}, title = {{LemonDuck Targets Docker for Cryptomining Operations}}, date = {2022-04-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/}, language = {English}, urldate = {2022-04-24} } @online{ahuje:20221026:crowdstrike:92b8440, author = {Manoj Ahuje}, title = {{CrowdStrike Identifies New Kiss-a-Dog Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Infrastructure}}, date = {2022-10-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/}, language = {English}, urldate = {2023-11-17} } @online{ai:20210804:what:2c27f4a, author = {Cybots AI}, title = {{What Is Lemon Duck Attack?}}, date = {2021-08-04}, url = {https://cybotsai.com/lemon-duck-attack/}, language = {English}, urldate = {2022-02-19} } @online{ai:20211216:road:a658d43, author = {CyCraft AI}, title = {{The Road to Ransomware Resilience, Part One: The State of Ransomware}}, date = {2021-12-16}, organization = {CyCraft}, url = {https://medium.com/cycraft/the-road-to-ransomware-resilience-24f8f82c1b6}, language = {English}, urldate = {2022-03-02} } @online{ai:20220124:road:2070066, author = {CyCraft AI}, title = {{The Road to Ransomware Resilience, Part 2: Behavior Analysis}}, date = {2022-01-24}, organization = {CyCraft}, url = {https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd}, language = {English}, urldate = {2022-03-02} } @online{ai:20220221:indepth:73e8778, author = {CyCraft AI}, title = {{An in-depth analysis of the Operation Cache Panda organized supply chain attack on Taiwan's financial industry}}, date = {2022-02-21}, organization = {CyCraft}, url = {https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934}, language = {Chinese}, urldate = {2022-02-26} } @online{ailes:20221216:scl:c31cce9, author = {John Ailes and Julia Paluch}, title = {{SCL -1: The Dangerous Side Of Safe Senders}}, date = {2022-12-16}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/scl-1-the-dangerous-side-of-safe-senders/}, language = {English}, urldate = {2023-05-02} } @online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } @online{aime:20221205:calisto:37fef59, author = {Félix Aime and Maxime A and Sekoia TDR}, title = {{Calisto show interests into entities involved in Ukraine war support}}, date = {2022-12-05}, organization = {Sekoia}, url = {https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support}, language = {English}, urldate = {2024-11-25} } @online{aime:20230517:apt28:4906010, author = {Félix Aime}, title = {{APT28 leverages multiple phishing techniques to target Ukrainian civil society}}, date = {2023-05-17}, organization = {Sekoia}, url = {https://blog.sekoia.io/apt28-leverages-multiple-phishing-techniques-to-target-ukrainian-civil-society/}, language = {English}, urldate = {2023-05-25} } @online{aime:20250522:vicioustrap:4068b1f, author = {Félix Aime and Jeremy Scion}, title = {{ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.}}, date = {2025-05-22}, organization = {Sekoia}, url = {https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/}, language = {English}, urldate = {2025-05-26} } @techreport{aivd:20250527:aivd:4b122b6, author = {AIVD}, title = {{AIVD and MIVD identify new Russian cyber threat actor}}, date = {2025-05-27}, institution = {AIVD}, url = {https://www.aivd.nl/binaries/aivd_nl/documenten/publicaties/2025/05/27/aivd-en-mivd-onderkennen-nieuwe-russische-cyberactor/Advisory+AIVD+en+MIVD+Public+report+on+new+cyber+actor.pdf}, language = {English}, urldate = {2025-05-28} } @online{aivd:20250527:unknown:4bc7da1, author = {AIVD}, title = {{Unknown Russian group behind hacks Dutch targets}}, date = {2025-05-27}, organization = {AIVD}, url = {https://www.aivd.nl/actueel/nieuws/2025/05/27/onbekende-russische-groep-achter-hacks-nederlandse-doelen}, language = {English}, urldate = {2025-06-05} } @online{ajjan:20130305:russian:4bb6a48, author = {Anand Ajjan}, title = {{Russian ransomware takes advantage of Windows PowerShell}}, date = {2013-03-05}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/}, language = {English}, urldate = {2020-01-27} } @online{ak1001:20210703:analyzing:65452fa, author = {AK1001}, title = {{Analyzing Cobalt Strike PowerShell Payload}}, date = {2021-07-03}, organization = {Medium AK1001}, url = {https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b}, language = {English}, urldate = {2022-01-31} } @techreport{akamai:20160404:threat:14239df, author = {Akamai}, title = {{Threat Advisory: “BillGates” Botnet}}, date = {2016-04-04}, institution = {Akamai}, url = {https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{akamai:20161001:kaitenstd:40de1e6, author = {Akamai}, title = {{Kaiten/STD router DDoS Malware}}, date = {2016-10-01}, institution = {Akamai}, url = {https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{akamei:20171016:upnproxy:044596d, author = {Akamei}, title = {{UPnProxy: Blackhat Proxies via NAT Injections}}, date = {2017-10-16}, institution = {Akamai}, url = {https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf}, language = {English}, urldate = {2019-12-10} } @techreport{akbanov:201901:wannacry:60d302c, author = {Maxat Akbanov and Vassilios G. Vassilakis and Michael D. Logothetis}, title = {{WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms}}, date = {2019-01}, institution = {Journal of Telecommunications and Information Technology}, url = {https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf}, language = {English}, urldate = {2021-01-11} } @online{akhtar:20220303:threat:533eac8, author = {Syed Hasan Akhtar}, title = {{Threat Hunting for Malicious PowerShell Usage in Gigasheet}}, date = {2022-03-03}, organization = {gigasheet}, url = {https://www.gigasheet.co/post/threat-hunting-for-malicious-powershell-usage-in-gigasheet}, language = {English}, urldate = {2022-03-07} } @techreport{akinci:20210727:diamondfox:f648c5c, author = {Abdulsamet Akinci}, title = {{Diamondfox Technical Analysis Report}}, date = {2021-07-27}, institution = {ZAYOTEM}, url = {https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF}, language = {English}, urldate = {2021-08-24} } @online{albassam:20160816:equation:e185e6b, author = {Mustafa Al-Bassam}, title = {{Equation Group firewall operations catalogue}}, date = {2016-08-16}, url = {https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html}, language = {English}, urldate = {2019-11-20} } @online{albors:20151216:nemucod:b1c1305, author = {Josep Albors}, title = {{Nemucod malware spreads ransomware Teslacrypt around the world}}, date = {2015-12-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/}, language = {English}, urldate = {2019-11-14} } @online{albrecht:20220616:lookout:854484b, author = {Justin Albrecht and Paul Shunk}, title = {{Lookout Uncovers Android Spyware Deployed in Kazakhstan}}, date = {2022-06-16}, organization = {Lookout}, url = {https://www.lookout.com/blog/hermit-spyware-discovery}, language = {English}, urldate = {2022-07-01} } @online{albrecht:20220616:lookout:9bc50ad, author = {Justin Albrecht and Paul Shunk}, title = {{Lookout Uncovers Android Spyware Deployed in Kazakhstan}}, date = {2022-06-16}, url = {https://de.lookout.com/blog/hermit-spyware-discovery}, language = {English}, urldate = {2022-07-01} } @online{alert:20191203:threat:f7b8cb6, author = {Red Alert}, title = {{THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES}}, date = {2019-12-03}, organization = {NSHC}, url = {https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists}, language = {English}, urldate = {2020-06-03} } @techreport{alert:201912:cybercrime:b12d39c, author = {Visa Security Alert}, title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}}, date = {2019-12}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf}, language = {English}, urldate = {2020-07-23} } @techreport{alert:202008:baka:586781b, author = {Visa Security Alert}, title = {{‘Baka’ JavaScript Skimmer Identified}}, date = {2020-08}, institution = {VISA}, url = {https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf}, language = {English}, urldate = {2020-09-06} } @techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } @online{alert:20211104:threat:4505399, author = {Red Alert}, title = {{Threat Actor targeted attack against Finance and Investment industry}}, date = {2021-11-04}, organization = {NSHC RedAlert Labs}, url = {https://redalert.nshc.net/2021/11/04/threat-actor-targeted-attack-against-finance-and-investment-industry/}, language = {Korean}, urldate = {2021-11-08} } @online{alessandroz:20200914:lazagne:b0b9e44, author = {AlessandroZ}, title = {{The LaZagne Project !!!}}, date = {2020-09-14}, organization = {Github (AlessandroZ)}, url = {https://github.com/AlessandroZ/LaZagne}, language = {English}, urldate = {2020-10-28} } @online{alexturing:20200202:new:4a4ebd9, author = {Alex.Turing and Hui Wang and Liu Yang}, title = {{New Threat: Matryosh Botnet Is Spreading}}, date = {2020-02-02}, organization = {360 netlab}, url = {https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/}, language = {English}, urldate = {2021-02-04} } @online{alexturing:20210312:new:37158fe, author = {Alex.Turing and liuyang and YANG XU}, title = {{New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims}}, date = {2021-03-12}, organization = {360 netlab}, url = {https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/}, language = {English}, urldate = {2021-03-16} } @online{alexturing:20210527:analysis:bc5ec0e, author = {Alex.Turing and Jinye and Chai Linyuan}, title = {{Analysis report of the Facefish rootkit}}, date = {2021-05-27}, organization = {360 netlab}, url = {https://blog.netlab.360.com/ssh_stealer_facefish_en/}, language = {English}, urldate = {2021-06-07} } @online{alexturing:20210830:mostly:d4d0f30, author = {Alex.Turing and Hui Wang and GenShen Ye}, title = {{The Mostly Dead Mozi and Its’ Lingering Bots}}, date = {2021-08-30}, organization = {360 netlab}, url = {https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/}, language = {English}, urldate = {2021-08-31} } @online{alexturing:20211109:abcbot:8e1eee4, author = {Alex.Turing and Hui Wang}, title = {{Abcbot, an evolving botnet}}, date = {2021-11-09}, organization = {360 netlab}, url = {https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/}, language = {English}, urldate = {2021-11-17} } @online{alexturing:20211112:malware:70f965d, author = {Alex.Turing and Hui Wang and YANG XU}, title = {{Malware uses namesilo Parking pages and Google's custom pages to spread}}, date = {2021-11-12}, organization = {360 netlab}, url = {https://blog.netlab.360.com/zhatuniubility-malware-uses-namesilo-parking-pages-and-googles-custom-pages-to-spread/}, language = {English}, urldate = {2021-11-17} } @online{alexturing:20211130:ewdoor:aa6e76e, author = {Alex.Turing and Hui Wang}, title = {{EwDoor Botnet Is Attacking AT&T Customers}}, date = {2021-11-30}, organization = {360 netlab}, url = {https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/}, language = {English}, urldate = {2021-12-07} } @online{alexturing:20220315:new:3b64b05, author = {Alex.Turing and Hui Wang}, title = {{New Threat: Linux Backdoor B1txor20 using DNS Tunnel technology is spreading through the Log4j vulnerability}}, date = {2022-03-15}, organization = {360 netlab}, url = {https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/}, language = {Chinese}, urldate = {2022-03-15} } @online{alexturing:20240609:new:d6466d0, author = {Alex.Turing and Acey9}, title = {{New Threat: A Deep Dive Into the Zergeca Botnet}}, date = {2024-06-09}, organization = {XLab}, url = {https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet}, language = {English}, urldate = {2024-07-24} } @online{alexturing:20240904:uncovering:c079c63, author = {Alex.Turing and Acey9 and TF0xn}, title = {{Uncovering DarkCracks: How a Stealthy Payload Delivery Framework Exploits GLPI and WordPress}}, date = {2024-09-04}, organization = {XLab}, url = {https://blog.xlab.qianxin.com/darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework/}, language = {English}, urldate = {2024-09-23} } @online{alexuiop1337:20190731:github:215c261, author = {Alexuiop1337}, title = {{Github Repository for SoranoStealer}}, date = {2019-07-31}, organization = {Github (Alexuiop1337)}, url = {https://github.com/Alexuiop1337/SoranoStealer}, language = {English}, urldate = {2020-01-06} } @online{alfano:20240918:storm:c0f0bd7, author = {Vito Alfano and Nam Le Phuong}, title = {{Storm clouds on the horizon: Resurgence of TeamTNT?}}, date = {2024-09-18}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/teamtnt/}, language = {English}, urldate = {2025-03-21} } @online{algayar:20171224:lilyofthevalley:40d90c1, author = {Mustapha Algayar}, title = {{LilyOfTheValley Repository}}, date = {2017-12-24}, organization = {Github (LilyOfTheValley)}, url = {https://github.com/En14c/LilyOfTheValley}, language = {English}, urldate = {2020-01-10} } @online{alguacil:201911:vb2019:a565e76, author = {Alexandre Mundo Alguacil and John Fokker}, title = {{VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth}}, date = {2019-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/}, language = {English}, urldate = {2020-01-08} } @online{ali:20210505:roaming:b3131fd, author = {Kashif Ali}, title = {{Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware}}, date = {2021-05-05}, organization = {Kashif Ali Surfeit and Blasé Security}, url = {https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/}, language = {English}, urldate = {2021-05-08} } @online{ali:20220106:unpacking:57cdd55, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 01}}, date = {2022-01-06}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-1/}, language = {English}, urldate = {2022-02-14} } @online{ali:20220107:unpacking:e59d104, author = {Muhammad Hasan Ali}, title = {{Unpacking Emotet malware part 02}}, date = {2022-01-07}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/emotet-part-2/}, language = {English}, urldate = {2022-02-14} } @online{ali:20220108:unpacking:498463e, author = {Muhammad Hasan Ali}, title = {{Unpacking Hancitor malware}}, date = {2022-01-08}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/hancitor/}, language = {English}, urldate = {2022-01-19} } @online{ali:20220109:unpacking:04bcf90, author = {Muhammad Hasan Ali}, title = {{Unpacking Vmprotect packer}}, date = {2022-01-09}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/Vmprotect/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220111:unpacking:2fe091c, author = {Muhammad Hasan Ali}, title = {{Unpacking Dridex malware}}, date = {2022-01-11}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/dridex/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220112:unpacking:035e302, author = {Muhammad Hasan Ali}, title = {{Unpacking Ramnit malware}}, date = {2022-01-12}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/ramnit/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220113:unpacking:09ab5c5, author = {Muhammad Hasan Ali}, title = {{Unpacking Remcos malware}}, date = {2022-01-13}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/remcos/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220121:deep:fe5caf7, author = {Gameel Ali}, title = {{Deep Analysis Agent Tesla Malware}}, date = {2022-01-21}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/}, language = {English}, urldate = {2022-01-25} } @online{ali:20220212:full:2c09100, author = {Muhammad Hasan Ali}, title = {{Full Hancitor malware analysis}}, date = {2022-02-12}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/fullHancitor/}, language = {English}, urldate = {2022-02-14} } @online{ali:20220425:full:d0f9c5d, author = {Muhammad Hasan Ali}, title = {{Full RedLine malware analysis | IoCs | Stealing information}}, date = {2022-04-25}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/fullredline/}, language = {English}, urldate = {2022-04-29} } @online{ali:20220505:analysis:3ec712d, author = {Muhammad Hasan Ali}, title = {{Analysis of MS Word to drop Remcos RAT | VBA extraction and analysis | IoCs}}, date = {2022-05-05}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/mal-document/remcosdoc/}, language = {English}, urldate = {2022-05-08} } @online{ali:20220529:full:cf742e7, author = {Muhammad Hasan Ali}, title = {{Full Anubis android malware analysis}}, date = {2022-05-29}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/anubis/}, language = {English}, urldate = {2022-05-29} } @online{ali:20220725:pdf:5a2f3b4, author = {Muhammad Hasan Ali}, title = {{PDF Analysis of Lokibot malware}}, date = {2022-07-25}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/mal-document/lokibotpdf/}, language = {English}, urldate = {2022-07-28} } @online{ali:20220825:technical:1c77145, author = {Muhammad Hasan Ali}, title = {{Technical analysis of IRATA android malware}}, date = {2022-08-25}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/irata/}, language = {English}, urldate = {2022-08-28} } @online{ali:20220825:thread:745bcc7, author = {Muhammad Hasan Ali}, title = {{Thread about the content of IRATA malicious APK}}, date = {2022-08-25}, organization = {Github (muha2xmad)}, url = {https://twitter.com/muha2xmad/status/1562831996078157826}, language = {English}, urldate = {2022-08-28} } @online{ali:20220901:technical:efa6a99, author = {Muhammad Hasan Ali}, title = {{Technical analysis of SOVA android malware}}, date = {2022-09-01}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/malware-analysis/sova/}, language = {English}, urldate = {2022-09-06} } @online{ali:20220906:technical:8bcc916, author = {Muhammad Hasan Ali}, title = {{Technical analysis of SharkBot android malware}}, date = {2022-09-06}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/sharkbot/}, language = {English}, urldate = {2022-09-07} } @online{ali:20220916:tweets:b0293e1, author = {Muhammad Hasan Ali}, title = {{Tweets about Hydra android malware}}, date = {2022-09-16}, organization = {muha2xmad}, url = {https://twitter.com/muha2xmad/status/1570788983474638849}, language = {English}, urldate = {2022-09-19} } @online{ali:20220921:technical:04911e9, author = {Muhammad Hasan Ali}, title = {{Technical analysis of Hydra android malware}}, date = {2022-09-21}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/hydra/}, language = {English}, urldate = {2022-09-21} } @online{ali:20220922:technical:2b8e614, author = {Muhammad Hasan Ali}, title = {{Technical analysis of Ginp android malware}}, date = {2022-09-22}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/ginp/}, language = {English}, urldate = {2022-09-26} } @online{ali:20220925:technical:1bd1947, author = {Muhammad Hasan Ali}, title = {{Technical analysis of Alien android malware}}, date = {2022-09-25}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/alien/}, language = {English}, urldate = {2022-09-26} } @online{ali:20230209:technical:e89556b, author = {Muhammad Hasan Ali}, title = {{Technical analysis of Godfather android malware}}, date = {2023-02-09}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/godfather/}, language = {English}, urldate = {2023-02-09} } @online{ali:20230428:explaning:21f000e, author = {Gameel Ali}, title = {{Tweet explaning similarity between Conti and Akira code}}, date = {2023-04-28}, organization = {Twitter (@MalGamy12)}, url = {https://twitter.com/MalGamy12/status/1651972583615602694}, language = {English}, urldate = {2023-05-25} } @online{ali:20230810:amadey:2b2dafc, author = {Muhammad Hasan Ali}, title = {{Amadey string decryptor}}, date = {2023-08-10}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_string_decryptor.py}, language = {English}, urldate = {2023-08-25} } @online{ali:20230810:amadey:5aed2ed, author = {Muhammad Hasan Ali}, title = {{Amadey configuration extractor}}, date = {2023-08-10}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_config_extractor.ipynb}, language = {English}, urldate = {2023-08-25} } @online{ali:20230811:astasia:6b52985, author = {Gameel Ali}, title = {{Tweet on Astasia loader}}, date = {2023-08-11}, organization = {Twitter (@MalGamy12)}, url = {https://twitter.com/MalGamy12/status/1690100567756906497}, language = {English}, urldate = {2023-08-13} } @online{ali:20230815:stealc:4aa8523, author = {Muhammad Hasan Ali}, title = {{StealC string decryption}}, date = {2023-08-15}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py}, language = {English}, urldate = {2023-08-25} } @online{ali:20230824:stealc:7286a94, author = {Muhammad Hasan Ali}, title = {{StealC configuration extractor}}, date = {2023-08-24}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb}, language = {English}, urldate = {2023-08-25} } @online{ali:20230825:technical:f86126a, author = {Muhammad Hasan Ali}, title = {{Technical analysis of WarZoneRAT malware}}, date = {2023-08-25}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/warzonerat/}, language = {English}, urldate = {2023-08-25} } @online{ali:20230825:warzone:c3a141c, author = {Muhammad Hasan Ali}, title = {{Warzone RAT configuration extractor}}, date = {2023-08-25}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/warzonerat/warzonerat_config_extraction.ipynb}, language = {English}, urldate = {2023-08-25} } @online{ali:20230904:deep:26611fe, author = {Muhammad Hasan Ali}, title = {{A deep dive into DCRAT/DarkCrystalRAT malware}}, date = {2023-09-04}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/dcrat/}, language = {English}, urldate = {2023-09-04} } @online{ali:20250326:about:8d35f67, author = {Gameel Ali}, title = {{Tweet about RALord ransomware}}, date = {2025-03-26}, organization = {Twitter (@MalGamy12)}, url = {https://x.com/MalGamy12/status/1905020136211275777}, language = {English}, urldate = {2025-03-27} } @online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } @online{alienvault:20201209:sidewinder:65e0781, author = {AlienVault}, title = {{SideWinder APT South Asian Territorial Themed Spear Phishing and Mobile Device Attacks}}, date = {2020-12-09}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/}, language = {English}, urldate = {2021-03-12} } @online{alienvault:20210611:prism:a13c100, author = {AlienVault}, title = {{PRISM attacks manage to stay under the radar}}, date = {2021-06-11}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/60c31c4e4978e9721446c121}, language = {English}, urldate = {2021-06-16} } @online{alienvault:20210628:revil:1b4ddb9, author = {AlienVault}, title = {{REvil ransomware Linux version (with YARA rule)}}, date = {2021-06-28}, organization = {AT&T}, url = {https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5}, language = {English}, urldate = {2021-07-02} } @online{alienvault:20220813:analysis:6d9e528, author = {AlienVault}, title = {{An Analysis of Infrastructure linked to the Hagga Threat Actor}}, date = {2022-08-13}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/62cfe4ef3415be5f83be81d1}, language = {English}, urldate = {2023-08-11} } @online{alienvault:20240131:otx:e3464b2, author = {AlienVault}, title = {{OTX Pulse - CrackedCantil: Malware Work Together}}, date = {2024-01-31}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/65ba54eeaea0fcd931ff3b3b/}, language = {English}, urldate = {2024-02-06} } @online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } @techreport{alintanahin:20150513:operation:a90911a, author = {Kervin Alintanahin}, title = {{Operation Tropic Trooper}}, date = {2015-05-13}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf}, language = {English}, urldate = {2020-01-06} } @online{alintanahin:20220712:example:ae62e81, author = {Kervin Alintanahin}, title = {{Example Analysis of Multi-Component Malware}}, date = {2022-07-12}, organization = {Cyren}, url = {https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware}, language = {English}, urldate = {2022-07-18} } @online{alintanahin:20250218:malvertisements:c0046a5, author = {Kervin Alintanahin}, title = {{Malvertisements, Fake Captchas and Infostealers}}, date = {2025-02-18}, organization = {Varist}, url = {https://www.varist.com/blogs-news/malvertisements-fake-captchas}, language = {English}, urldate = {2025-02-26} } @online{aljaberi:20220226:hunting:270b30c, author = {Zayed AlJaberi}, title = {{Hunting Recent QakBot Malware}}, date = {2022-02-26}, organization = {LinkedIn (Zayed AlJaberi)}, url = {https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4}, language = {English}, urldate = {2022-03-01} } @techreport{alliance:20230411:review:753a3d5, author = {China Cybersecurity Industry Alliance}, title = {{Review of Cyberattacks from US Intelligence Agencies - Based on Global Cybersecurity Communities' Analyses}}, date = {2023-04-11}, institution = {China Cybersecurity Industry Alliance}, url = {https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf}, language = {English}, urldate = {2023-10-05} } @online{allievi:20141028:threat:a302fbd, author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba}, title = {{Threat Spotlight: Group 72, Opening the ZxShell}}, date = {2014-10-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/talos/opening-zxshell}, language = {English}, urldate = {2019-10-15} } @online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } @online{allievi:20150427:threat:3754b13, author = {Andrea Allievi and Earl Carter and Emmanuel Tacheau}, title = {{Threat Spotlight: TeslaCrypt – Decrypt It Yourself}}, date = {2015-04-27}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/teslacrypt}, language = {English}, urldate = {2019-10-15} } @online{almaskati:20220405:peace:8678b53, author = {Mohammed Al-Maskati and Front Line Defenders and Bill Marczak and Siena Anstis and Ron Deibert and CitizenLab}, title = {{Peace through Pegasus Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware}}, date = {2022-04-05}, organization = {CitizenLab}, url = {https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/}, language = {English}, urldate = {2022-04-07} } @online{alnakal:20211118:malware:a0b177d, author = {Hamad Alnakal}, title = {{Malware reverse engineering (Ryuk Ransomware)}}, date = {2021-11-18}, organization = {Medium 0xchina}, url = {https://0xchina.medium.com/malware-reverse-engineering-31039450af27}, language = {English}, urldate = {2021-11-19} } @online{alon:20221208:compromised:08b9dac, author = {Dror Alon}, title = {{Compromised Cloud Compute Credentials: Case Studies From the Wild}}, date = {2022-12-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/}, language = {English}, urldate = {2022-12-13} } @online{alonso:20170224:hunting:073d36e, author = {Angel Alonso}, title = {{Hunting Retefe with Splunk - some interesting points}}, date = {2017-02-24}, organization = {Some stuff about security.. Blog}, url = {http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html}, language = {English}, urldate = {2020-01-06} } @online{alonsoparrizas:20151028:reversing:92cdf4f, author = {Angel Alonso-Parrizas}, title = {{Reversing the C2C HTTP Emmental communication}}, date = {2015-10-28}, url = {http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html}, language = {English}, urldate = {2019-12-05} } @online{alonsoparrizas:20151103:reversing:762708a, author = {Angel Alonso-Parrizas}, title = {{Reversing the SMS C&C protocol of Emmental (1st part - understanding the code)}}, date = {2015-11-03}, url = {http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html}, language = {English}, urldate = {2019-10-14} } @online{alonsoparrizas:20171005:analysis:cfea758, author = {Angel Alonso-Parrizas}, title = {{Analysis of a malicious DOC used by Turla APT group; hunting persistence via PowerShell}}, date = {2017-10-05}, url = {https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html}, language = {English}, urldate = {2023-01-30} } @techreport{alperovitch:20140224:art:df5650c, author = {Dmitri Alperovitch}, title = {{The Art of Attribution Identifying and Pursuing your Cyber Adversaries}}, date = {2014-02-24}, institution = {RSA Conference}, url = {https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf}, language = {English}, urldate = {2020-04-06} } @online{alperovitch:20140707:deep:63e59f7, author = {Dmitri Alperovitch}, title = {{Deep in Thought: Chinese Targeting of National Security Think Tanks}}, date = {2014-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20141014:crowdstrike:9be6684, author = {Dmitri Alperovitch}, title = {{CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda}}, date = {2014-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20150413:cyber:93796f8, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20150413:cyber:9cee61c, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2022-03-14} } @online{alperovitch:20210419:great:4cdaa13, author = {Dmitri Alperovitch and Erica Borghard and Jason Healey and Ryan Evans}, title = {{Great Power Cyber Party}}, date = {2021-04-19}, organization = {WAR ON THE ROCKS}, url = {https://warontherocks.com/2021/04/great-power-cyber-party/}, language = {English}, urldate = {2021-04-29} } @online{altheide:20201021:media:fce4b18, author = {Cory Altheide and DAnon and Sam S. and Proofpoint Threat Research Team}, title = {{Media Coverage Doesn’t Deter Actor From Threatening Democratic Voters}}, date = {2020-10-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters}, language = {English}, urldate = {2020-10-26} } @online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } @online{alvares:20190805:smokeloaders:3ee435d, author = {Marcos Alvares}, title = {{Smokeloader's Hardcoded Domains - Sneaky Third Party Vendor or Cheap Buyer?}}, date = {2019-08-05}, organization = {security.neurolabs}, url = {http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html}, language = {English}, urldate = {2021-09-19} } @online{alvares:20191031:dynamic:a295d00, author = {Marcos Alvares}, title = {{Dynamic Imports and Working Around Indirect Calls - Smokeloader Study Case}}, date = {2019-10-31}, organization = {m.alvar.es}, url = {https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html}, language = {English}, urldate = {2021-11-17} } @online{alvares:20200610:unpacking:38f29d6, author = {Marcos Alvares}, title = {{Unpacking Smokeloader and Reconstructing PE Programatically using LIEF}}, date = {2020-06-10}, organization = {m.alvar.es}, url = {https://m.alvar.es/2020/06/unpacking-smokeloader-and.html}, language = {English}, urldate = {2021-11-17} } @online{alvares:20200622:comparative:270905b, author = {Marcos Alvares}, title = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}}, date = {2020-06-22}, organization = {m.alvar.es}, url = {https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html}, language = {English}, urldate = {2021-11-09} } @online{alvarez:20100901:injection:7a95406, author = {Raul Alvarez}, title = {{Injection as a way of life}}, date = {2010-09-01}, organization = {VirusBulletin}, url = {https://www.virusbulletin.com/virusbulletin/2010/09/injection-way-life/}, language = {English}, urldate = {2025-05-02} } @online{alvarez:20121203:compromised:1e6dcb7, author = {Raul Alvarez}, title = {{Compromised library}}, date = {2012-12-03}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library}, language = {English}, urldate = {2019-12-17} } @online{alvarez:20140718:birds:9f9e509, author = {Raul Alvarez}, title = {{Bird's nest}}, date = {2014-07-18}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest}, language = {English}, urldate = {2019-11-28} } @online{alvarezperez:20171215:in:c0e0afe, author = {David Alvarez-Perez}, title = {{In depth analysis of malware exploiting CVE-2017-11826}}, date = {2017-12-15}, organization = {Gradiant}, url = {https://www.gradiant.org/noticia/analysis-malware-cve-2017/}, language = {English}, urldate = {2021-01-21} } @online{alwar:20210129:cloudy:e701758, author = {Partha Alwar and Carly Battaile and Alex Parsons}, title = {{Cloudy with a Chance of Persistent Email Access}}, date = {2021-01-29}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/}, language = {English}, urldate = {2021-02-09} } @online{alyac:20190131:lazarus:bbb47f8, author = {Alyac}, title = {{Lazarus APT Organization Attacks with Operation Extreme Job}}, date = {2019-01-31}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2105}, language = {Korean}, urldate = {2019-10-21} } @online{alyac:20190327:lazarus:2172304, author = {Alyac}, title = {{라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습}}, date = {2019-03-27}, url = {https://blog.alyac.co.kr/m/2219}, language = {Korean}, urldate = {2020-07-15} } @online{alyac:20190327:lazarus:df092d7, author = {Alyac}, title = {{Lazarus Group APT Counterattack Against Israeli Military}}, date = {2019-03-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2219}, language = {Korean}, urldate = {2020-06-29} } @online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } @online{alyac:20190627:lazarus:9afc51d, author = {Alyac}, title = {{Lazarus APT Group attacks with a malicious '진실겜.xls' via the Telegram messenger}}, date = {2019-06-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2388}, language = {Korean}, urldate = {2020-03-17} } @techreport{alyac:20200330:spy:e23215b, author = {Alyac}, title = {{The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection}}, date = {2020-03-30}, institution = {EST Security}, url = {https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf}, language = {English}, urldate = {2020-04-07} } @online{alyac:20200725:special:ca84b90, author = {Alyac}, title = {{[Special Report] Thallium Group sued by Microsoft in the US, threatens 'Fake Striker' APT campaign against South Korea}}, date = {2020-07-25}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3120}, language = {Korean}, urldate = {2020-07-30} } @online{alyac:20201016:thallium:aff8d61, author = {Alyac}, title = {{탈륨조직의 국내 암호화폐 지갑 펌웨어로 위장한 다차원 APT 공격 분석출처 ( THALLIUM)}}, date = {2020-10-16}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3310}, language = {Korean}, urldate = {2020-10-23} } @online{alyac:20201021:zloader:d78b7b7, author = {Alyac}, title = {{ZLoader 악성코드, 사업 정지 경고로 위장해 유포중}}, date = {2020-10-21}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3322}, language = {Korean}, urldate = {2020-10-29} } @online{alyac:20201104:apt:668b6b4, author = {Alyac}, title = {{북한 연계 해킹조직 탈륨, 미국 대선 예측 언론 문서로 위장한 APT 공격 수행 출처}}, date = {2020-11-04}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3352}, language = {Korean}, urldate = {2020-11-04} } @online{alyac:20201112:blue:68c4df2, author = {Alyac}, title = {{北 연계 탈륨조직, '블루 에스티메이트(Blue Estimate)' APT 캠페인 지속}}, date = {2020-11-12}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3368}, language = {Korean}, urldate = {2020-11-18} } @online{alyac:20201215:goldstar:c592b26, author = {Alyac}, title = {{Goldstar 121 organization proceeds with HWP OLE-based APT attack}}, date = {2020-12-15}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3451}, language = {Korean}, urldate = {2020-12-16} } @online{alyac:20201217:thallium:d04a7df, author = {Alyac}, title = {{Thallium organization attacks domestic blockchain company with documents of non-delinquency confirmation}}, date = {2020-12-17}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3458}, language = {Korean}, urldate = {2020-12-18} } @online{alyac:20210103:thallium:cad0add, author = {Alyac}, title = {{Thallium organization exploits private stock investment messenger to attack software supply chain}}, date = {2021-01-03}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3489}, language = {Korean}, urldate = {2021-01-10} } @online{alyac:20210201:thallium:4821887, author = {Alyac}, title = {{Thallium organization conducts elaborate cyber attack against Russian researchers working in the North Korean economyPerforming sophisticated cyber attacks against researchers}}, date = {2021-02-01}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3550}, language = {Korean}, urldate = {2021-02-02} } @online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } @online{amadey:20231202:approaching:174710e, author = {amadey}, title = {{Approaching stealers devs : a brief interview with Amadey}}, date = {2023-12-02}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-amadey-56c8c6ea0ad6}, language = {English}, urldate = {2023-12-15} } @online{amawaka:20200310:apt40:2199052, author = {Asuna Amawaka}, title = {{APT40 goes from Template Injections to OLE-Linkings for payload delivery}}, date = {2020-03-10}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200315:dad:5cad035, author = {Asuna Amawaka}, title = {{Dad! There’s A Rat In Here!}}, date = {2020-03-15}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200316:shadows:2ee247e, author = {Asuna Amawaka}, title = {{Shadows in the Rain}}, date = {2020-03-16}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20200506:shadows:889fc47, author = {Asuna Amawaka}, title = {{Shadows with a chance of BlackNix}}, date = {2020-05-06}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20200520:what:e02d9a4, author = {Asuna Amawaka}, title = {{What happened between the BigBadWolf and the Tiger?}}, date = {2020-05-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20201130:do:ff3adb4, author = {Asuna Amawaka}, title = {{Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.}}, date = {2020-11-30}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20201220:look:8cd19a2, author = {Asuna Amawaka}, title = {{A Look into SUNBURST’s DGA}}, date = {2020-12-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947}, language = {English}, urldate = {2021-02-18} } @online{amawaka:20210829:quarians:7788603, author = {Asuna Amawaka}, title = {{Quarians, Turians and…QuickHeal}}, date = {2021-08-29}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42}, language = {English}, urldate = {2021-10-20} } @online{amawaka:20211119:its:bd24ebf, author = {Asuna Amawaka}, title = {{It’s a BEE! It’s a… no, it’s ShadowPad.}}, date = {2021-11-19}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2}, language = {English}, urldate = {2021-11-25} } @online{amazon:20220304:amazons:33ad1cf, author = {Amazon}, title = {{Amazon's assistance in Ukraine}}, date = {2022-03-04}, organization = {Amazon}, url = {https://www.aboutamazon.com/news/community/amazons-assistance-in-ukraine#March4}, language = {English}, urldate = {2022-03-07} } @online{ambite:20210521:leveraging:55f56da, author = {Pablo Ambite}, title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}}, date = {2021-05-21}, organization = {blackarrow}, url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/}, language = {English}, urldate = {2021-06-22} } @online{ames:20220811:increase:5cbc907, author = {Robert Ames}, title = {{The Increase in Ransomware Attacks on Local Governments}}, date = {2022-08-11}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments}, language = {English}, urldate = {2022-08-28} } @online{ames:20220830:brute:b0c863f, author = {Robert Ames}, title = {{Brute Force Attempts May Have Preceded Ransomware Attack on School District}}, date = {2022-08-30}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/brute-force-attempts-may-have-preceded-ransomware-attack-on-school-district}, language = {English}, urldate = {2022-09-12} } @online{amini:20220623:follina:60ea599, author = {Pedram Amini}, title = {{Follina, the Latest in a Long Chain of Microsoft Office Exploits}}, date = {2022-06-23}, organization = {InQuest}, url = {https://inquest.net/blog/2022/06/23/follina-latest-long-chain-microsoft-office-exploits}, language = {English}, urldate = {2023-03-24} } @online{amnpardaz:20210713:trojanwin32breakwin:3654b7d, author = {amnpardaz}, title = {{Trojan.Win32.BreakWin}}, date = {2021-07-13}, organization = {amnpardaz}, url = {https://threats.amnpardaz.com/malware/trojan-win32-breakwin/}, language = {Persian}, urldate = {2021-07-20} } @online{amon:20210629:security:bf73b27, author = {Nicholas Amon and Jon Baker}, title = {{Security Control Mappings: A Starting Point for Threat-Informed Defense}}, date = {2021-06-29}, organization = {Medium MITRE-Engenuity}, url = {https://medium.com/mitre-engenuity/security-control-mappings-a-starting-point-for-threat-informed-defense-a3aab55b1625}, language = {English}, urldate = {2021-07-02} } @online{amr:20190410:project:460b6e5, author = {AMR and GReAT}, title = {{Project TajMahal – a sophisticated new APT framework}}, date = {2019-04-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/project-tajmahal/90240/}, language = {English}, urldate = {2019-12-20} } @online{amr:20190925:ransomware:ec80bad, author = {AMR}, title = {{Ransomware: two pieces of good news}}, date = {2019-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomware-two-pieces-of-good-news/93355/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191101:chrome:4c689f4, author = {AMR and GReAT}, title = {{Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium}}, date = {2019-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191210:windows:1a5c25d, author = {AMR and GReAT}, title = {{Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium}}, date = {2019-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432}, language = {English}, urldate = {2020-05-05} } @online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } @online{amr:20210402:browser:7dc98ab, author = {AMR}, title = {{Browser lockers: extortion disguised as a fine}}, date = {2021-04-02}, organization = {Kaspersky}, url = {https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735}, language = {English}, urldate = {2021-04-06} } @online{amr:20210916:exploitation:f015aee, author = {AMR}, title = {{Exploitation of the CVE-2021-40444 vulnerability in MSHTML}}, date = {2021-09-16}, organization = {Kaspersky}, url = {https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/}, language = {English}, urldate = {2021-09-19} } @online{amr:20220404:spring4shell:db1b469, author = {AMR}, title = {{Spring4Shell (CVE-2022-22965): details and mitigations}}, date = {2022-04-04}, organization = {Kaspersky}, url = {https://securelist.com/spring4shell-cve-2022-22965/106239/}, language = {English}, urldate = {2022-04-07} } @online{amr:20220413:emotet:113c0db, author = {AMR}, title = {{Emotet modules and recent attacks}}, date = {2022-04-13}, organization = {Kaspersky}, url = {https://securelist.com/emotet-modules-and-recent-attacks/106290/}, language = {English}, urldate = {2022-04-15} } @online{amr:20220418:how:6783da1, author = {AMR}, title = {{How to recover files encrypted by Yanlouwang}}, date = {2022-04-18}, organization = {Kaspersky}, url = {https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/}, language = {English}, urldate = {2022-04-20} } @online{amr:20231110:ducktail:fe60004, author = {AMR}, title = {{Ducktail fashion week}}, date = {2023-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/ducktail-fashion-week/111017/}, language = {English}, urldate = {2024-01-03} } @online{amr:20250311:dcrat:c27ea62, author = {AMR}, title = {{DCRat backdoor returns}}, date = {2025-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-by-maas/115850/}, language = {English}, urldate = {2025-03-12} } @online{amr:20250520:httpssecurelistrupureratattacksrussianorganizations112619:91cdc05, author = {AMR}, title = {{https://securelist.ru/purerat-attacks-russian-organizations/112619/}}, date = {2025-05-20}, organization = {Kaspersky}, url = {https://securelist.ru/purerat-attacks-russian-organizations/112619/}, language = {Russian}, urldate = {2025-05-21} } @online{amrthabet:20110909:stuxnet:07c5348, author = {AmrThabet}, title = {{Stuxnet Malware Analysis Paper}}, date = {2011-09-09}, organization = {CodeProject}, url = {https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper}, language = {English}, urldate = {2020-11-13} } @online{an:20211110:north:feab945, author = {Jungsoo An and Asheer Malhotra and Kendall McKay}, title = {{North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets}}, date = {2021-11-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html}, language = {English}, urldate = {2021-11-17} } @online{an:20220505:mustang:cbc06e9, author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay}, title = {{Mustang Panda deploys a new wave of malware targeting Europe}}, date = {2022-05-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html}, language = {English}, urldate = {2023-08-03} } @online{an:20220907:magicrat:efb6a3d, author = {Jung soo An and Asheer Malhotra and Vitor Ventura}, title = {{MagicRAT: Lazarus’ latest gateway into victim networks}}, date = {2022-09-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html}, language = {English}, urldate = {2022-09-16} } @online{an:20220908:lazarus:236b4b4, author = {Jung soo An and Asheer Malhotra and Vitor Ventura}, title = {{Lazarus and the tale of three RATs}}, date = {2022-09-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html}, language = {English}, urldate = {2023-01-19} } @online{an:20231211:operation:abfe848, author = {Jungsoo An and Asheer Malhotra and Vitor Ventura}, title = {{Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang}}, date = {2023-12-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/}, language = {English}, urldate = {2023-12-15} } @online{an:20241120:custom:e98e5b1, author = {Kahng An}, title = {{Custom I2P RAT “I2Parcae” Delivered via Pornographic Customer Support Form Spam}}, date = {2024-11-20}, organization = {Cofense}, url = {https://cofense.com/blog/custom-i2p-rat-i2parcae%E2%80%9D-delivered-via-pornographic-customer-support-form-spam}, language = {English}, urldate = {2025-03-05} } @online{analysis:20170314:rig:56f3334, author = {Broad Analysis}, title = {{Rig Exploit Kit via the EiTest delivers CryptoShield/REVENGE ransomware}}, date = {2017-03-14}, organization = {Broad Analysis}, url = {http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{analysis:20190412:rig:0230572, author = {Analysis}, title = {{Rig Exploit Kit delivers Bunitu Malware}}, date = {2019-04-12}, organization = {BroadAnalysis}, url = {https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/}, language = {English}, urldate = {2020-01-10} } @techreport{analyst1:20250402:inside:508d14b, author = {analyst1}, title = {{Inside BlackBasta: Actor Profiles, Extortion Tactics & Finances}}, date = {2025-04-02}, institution = {ANALYST1}, url = {https://analyst1.com/wp-content/uploads/2025/04/Anastasia-Inside-BlackBasta.pdf}, language = {English}, urldate = {2025-04-10} } @online{anand:20200521:blox:14090c1, author = {Chetan Anand}, title = {{Blox Tales #6: Subpoena-Themed Phishing With CAPTCHA Redirect}}, date = {2020-05-21}, organization = {Armorblox}, url = {https://www.armorblox.com/blog/blox-tales-6-subpoena-themed-phishing-with-captcha-redirect/}, language = {English}, urldate = {2020-05-23} } @online{anand:20250304:thousands:9bdd2e9, author = {Himanshu Anand}, title = {{Thousands of websites hit by four backdoors in 3rd party JavaScript attack}}, date = {2025-03-04}, organization = {c/side}, url = {https://cside.dev/blog/thousands-of-websites-hit-by-four-backdoors-in-3rd-party-javascript-attack}, language = {English}, urldate = {2025-03-07} } @online{anbalagan:20200605:new:9f3abf8, author = {Gayathri Anbalagan}, title = {{New Campaign Abusing StackBlitz Tool to Host Phishing Pages}}, date = {2020-06-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-campaign-abusing-stackblitz-tool-host-phishing-pages}, language = {English}, urldate = {2020-08-05} } @online{ancarani:20201120:detecting:79afa40, author = {Riccardo Ancarani}, title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}}, date = {2020-11-20}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis}, language = {English}, urldate = {2020-11-23} } @online{ancarani:20210409:detecting:01d28ed, author = {Riccardo Ancarani and Giulio Ginesi}, title = {{Detecting Exposed Cobalt Strike DNS Redirectors}}, date = {2021-04-09}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors}, language = {English}, urldate = {2021-04-14} } @online{ancarani:20220504:scheduled:9cd69c7, author = {Riccardo Ancarani}, title = {{Scheduled Task Tampering}}, date = {2022-05-04}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/scheduled-task-tampering/}, language = {English}, urldate = {2022-05-06} } @online{ancel:20150930:when:ed6915f, author = {Benoît Ancel}, title = {{When ELF.BillGates met Windows}}, date = {2015-09-30}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/}, language = {English}, urldate = {2020-01-13} } @online{ancel:20161020:nexter91:909eaee, author = {Benoît Ancel}, title = {{Tweet on nexter91 Panel}}, date = {2016-10-20}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/789006720668405760}, language = {English}, urldate = {2020-01-07} } @online{ancel:20170227:spambot:b40e584, author = {Benoît Ancel}, title = {{Spambot safari #2 - Online Mail System}}, date = {2017-02-27}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html}, language = {English}, urldate = {2020-01-09} } @online{ancel:20170816:quick:e3a37c1, author = {Benoît Ancel}, title = {{Quick look at another Alina fork: XBOT-POS}}, date = {2017-08-16}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html}, language = {English}, urldate = {2020-01-10} } @online{ancel:20170829:from:7ef6dac, author = {Benoît Ancel}, title = {{From Onliner Spambot to millions of email's lists and credentials}}, date = {2017-08-29}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html}, language = {English}, urldate = {2020-01-06} } @online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } @techreport{ancel:2019:dreambot:e29023e, author = {Benoît Ancel and Peter Kruse}, title = {{Dreambot Business overview 2019}}, date = {2019}, institution = {CSIS}, url = {http://benkow.cc/DreambotSAS19.pdf}, language = {English}, urldate = {2019-12-10} } @online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } @online{ancel:20200501:end:939414e, author = {Benoît Ancel}, title = {{The end of Dreambot? Obituary for a loved piece of Gozi.}}, date = {2020-05-01}, organization = {CSIS}, url = {https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122}, language = {English}, urldate = {2020-05-05} } @online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } @online{ancel:20210125:nemty:7e56d61, author = {Benoît Ancel}, title = {{The Nemty affiliate model}}, date = {2021-01-25}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b}, language = {English}, urldate = {2021-01-25} } @online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } @online{ancel:20210716:deeprat:d7d7959, author = {Benoît Ancel}, title = {{Tweet on DeepRAT}}, date = {2021-07-16}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1415797114794397701}, language = {English}, urldate = {2021-07-26} } @online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } @online{ancel:20221024:chapter:c870465, author = {Benoît Ancel}, title = {{Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.}}, date = {2022-10-24}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef}, language = {English}, urldate = {2023-05-02} } @online{anderson:20170612:bahamut:9810646, author = {Collin Anderson}, title = {{Bahamut, Pursuing a Cyber Espionage Actor in the Middle East}}, date = {2017-06-12}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/}, language = {English}, urldate = {2020-01-13} } @online{anderson:20171027:bahamut:e17abf8, author = {Collin Anderson}, title = {{Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia}}, date = {2017-10-27}, organization = {Bellingcat}, url = {https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/}, language = {English}, urldate = {2020-01-06} } @online{anderson:20180104:irans:dcad15c, author = {Collin Anderson and Karim Sadjapour}, title = {{Iran’s Cyber Ecosystem: Who Are the Threat Actors?}}, date = {2018-01-04}, organization = {Carnegie Endowment for International Peace}, url = {https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140}, language = {English}, urldate = {2020-04-25} } @online{anderson:20180703:iranian:8f4a4d5, author = {Collin Anderson}, title = {{Tweet on Iranian Malware}}, date = {2018-07-03}, organization = {Twitter (@CDA)}, url = {https://twitter.com/CDA/status/1014144988454772736}, language = {English}, urldate = {2020-09-21} } @online{anderson:20200206:finding:e86ebd1, author = {Chad Anderson}, title = {{Finding Additional Indicators With a SeaTurtle Deep Dive in Passive DNS Within DomainTools Iris}}, date = {2020-02-06}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/finding-additional-indicators-with-passive-dns-within-domaintools-iris}, language = {English}, urldate = {2023-08-11} } @online{anderson:20200820:revealing:7a1da00, author = {Chad Anderson}, title = {{Revealing REvil Ransomware With DomainTools and Maltego}}, date = {2020-08-20}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego}, language = {English}, urldate = {2020-08-24} } @online{anderson:20210427:winter:da59fc3, author = {Chad Anderson}, title = {{Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages}}, date = {2021-04-27}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs}, language = {English}, urldate = {2021-04-29} } @online{anderson:20210429:domaintools:d9fc32c, author = {Chad Anderson}, title = {{DomainTools And Digital Archeology: A Look At RotaJakiro}}, date = {2021-04-29}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro}, language = {English}, urldate = {2021-05-04} } @online{anderson:20210610:cloud:c2efde5, author = {Chad Anderson}, title = {{Cloud Atlas Navigates Us Into New Waters}}, date = {2021-06-10}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/cloud-atlas-navigates-us-into-new-waters}, language = {English}, urldate = {2021-06-21} } @online{anderson:20210701:most:39f64b8, author = {Chad Anderson}, title = {{The Most Prolific Ransomware Families: A Defenders Guide}}, date = {2021-07-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide}, language = {English}, urldate = {2021-07-11} } @online{anderson:20210715:american:b688a5d, author = {Chad Anderson}, title = {{American Rescue Plan Act Lures in the Wild}}, date = {2021-07-15}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/american-rescue-plan-act-lures-in-the-wild}, language = {English}, urldate = {2021-07-24} } @online{anderson:20210728:finding:e853c97, author = {Chad Anderson}, title = {{Finding AnchorDNS C2s With Iris Investigate}}, date = {2021-07-28}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate}, language = {English}, urldate = {2021-08-02} } @online{anderson:20220608:not:5c393ce, author = {John Anderson}, title = {{Not all "Internet Connections" are Equal}}, date = {2022-06-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/not-all-internet-connections-are-equal}, language = {English}, urldate = {2022-08-17} } @online{andersson:20210706:how:5087e07, author = {Alexander Andersson}, title = {{How the Kaseya VSA Zero Day Exploit Worked}}, date = {2021-07-06}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit}, language = {English}, urldate = {2021-07-20} } @online{andonov:20151207:thriving:196c5eb, author = {Dimiter Andonov and William Ballenthin and Nalani Fraser and Will Matson and Jay Taylor}, title = {{Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record}}, date = {2015-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html}, language = {English}, urldate = {2020-04-21} } @online{andrewcs:20210305:20210305:e34f0e7, author = {Andrew-CS}, title = {{2021-03-05 - Cool Query Friday - Hunting For Renamed Command Line Programs}}, date = {2021-03-05}, organization = {Reddit Crowdstrike}, url = {https://www.reddit.com/r/crowdstrike/comments/lyhga8/20210305_cool_query_friday_hunting_for_renamed/}, language = {English}, urldate = {2021-03-11} } @online{andrewjess:20191213:python:8af049c, author = {@AndrewJess}, title = {{Стиллер паролей на python с отправкой на почту}}, date = {2019-12-13}, url = {https://habr.com/en/sandbox/135410/}, language = {Russian}, urldate = {2020-03-04} } @online{andrews:20210719:australia:8ca5b16, author = {Karen Andrews and Peter Dutton}, title = {{Australia joins international partners in attribution of malicious cyber activity to China}}, date = {2021-07-19}, organization = {Minister for Foreign Affairs of Australia}, url = {https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china}, language = {English}, urldate = {2021-07-22} } @techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } @online{andy2002a:20241101:finding:f83de4f, author = {andy2002a}, title = {{Finding Malware: Detecting GOOTLOADER with Google Security Operations.}}, date = {2024-11-01}, organization = {Google}, url = {https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766}, language = {English}, urldate = {2024-11-04} } @online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } @online{ang:20200428:loki:169b27e, author = {Miguel Ang}, title = {{Loki Info Stealer Propagates through LZH Files}}, date = {2020-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files}, language = {English}, urldate = {2020-08-14} } @online{anishell:20110603:anishell:6870af0, author = {Ani-Shell}, title = {{Ani-Shell}}, date = {2011-06-03}, organization = {Sourceforge}, url = {http://ani-shell.sourceforge.net/}, language = {English}, urldate = {2020-01-13} } @online{anjos:20210318:server:10b99ea, author = {Cesar Anjos}, title = {{Server Side Data Exfiltration via Telegram API}}, date = {2021-03-18}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/03/server-side-data-exfiltration-via-telegram-api.html}, language = {English}, urldate = {2021-03-19} } @techreport{anomali:20171102:country:853fdd8, author = {Anomali}, title = {{Country Profile: Russian Federation}}, date = {2017-11-02}, institution = {Anomali}, url = {https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf}, language = {English}, urldate = {2020-09-23} } @online{anonymous:20170210:rebranding:877e1bd, author = {Anonymous}, title = {{Rebranding iSpy Keylogger: Gear Informer}}, date = {2017-02-10}, organization = {Wapack Labs}, url = {https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html}, language = {English}, urldate = {2020-01-07} } @online{anonymous:20201216:paste:a02ef52, author = {Anonymous}, title = {{Paste of subdomain & DGA domain names used in SolarWinds attack}}, date = {2020-12-16}, organization = {Pastebin}, url = {https://pastebin.com/6EDgCKxd}, language = {English}, urldate = {2021-01-13} } @online{anonymous:20240109:ssload:bd86f60, author = {Anonymous}, title = {{SSLoad}}, date = {2024-01-09}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload}, language = {English}, urldate = {2024-04-18} } @techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } @techreport{anssi:20190725:analysis:9df2d22, author = {ANSSI}, title = {{ANALYSIS OF THE AMCACHE}}, date = {2019-07-25}, institution = {ANSSI}, url = {https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf}, language = {English}, urldate = {2020-12-08} } @techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } @online{anssi:20210721:indicateurs:9f20dae, author = {ANSSI}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR}}, date = {2021-07-21}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003}, language = {French}, urldate = {2021-12-17} } @techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } @online{anssi:20211103:identification:3143cbb, author = {ANSSI}, title = {{Identification of a new cybercriminal group: Lockean}}, date = {2021-11-03}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/}, language = {English}, urldate = {2021-11-03} } @techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } @techreport{anssi:20230118:panorama:1841161, author = {ANSSI}, title = {{Panorama of the Cyber Threat 2022}}, date = {2023-01-18}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-001.pdf}, language = {French}, urldate = {2023-01-25} } @techreport{anssi:20230912:fin12:b0a08e2, author = {ANSSI}, title = {{FIN12: A Cybercriminal Group with Multiple Ransomware}}, date = {2023-09-12}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf}, language = {French}, urldate = {2023-09-20} } @techreport{anssi:20231026:attack:c121d4d, author = {ANSSI}, title = {{Attack Campaigns of APT28 since 2021}}, date = {2023-10-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf}, language = {French}, urldate = {2023-11-14} } @techreport{anssi:20240619:malicious:d41a5d9, author = {ANSSI}, title = {{Malicious activities linked to the Nobelium intrusion set}}, date = {2024-06-19}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2024-CTI-006.pdf}, language = {English}, urldate = {2024-07-19} } @techreport{anssi:20250701:houken:38d5df3, author = {ANSSI}, title = {{Houken: Seeking a Path by Living on The Edge With Zero-Days}}, date = {2025-07-01}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf}, language = {English}, urldate = {2025-07-07} } @techreport{anssi:20250701:houken:4311392, author = {ANSSI}, title = {{Houken seeking a path by living on the edge with zero-days}}, date = {2025-07-01}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf}, language = {English}, urldate = {2025-07-02} } @online{antenucci:20190327:psixbot:9e1a258, author = {Stefano Antenucci and Antonio Parata}, title = {{PsiXBot: The Evolution Of A Modular .NET Bot}}, date = {2019-03-27}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/}, language = {English}, urldate = {2019-10-12} } @online{antil:20190912:innfirat:22e8987, author = {Sahil Antil and Rohit Chaturvedi}, title = {{InnfiRAT: A new RAT aiming for your cryptocurrency and more}}, date = {2019-09-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more}, language = {English}, urldate = {2020-01-10} } @online{antil:20220120:new:2bc6613, author = {Sahil Antil and Sudeep Singh}, title = {{New espionage attack by Molerats APT targeting users in the Middle East}}, date = {2022-01-20}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east}, language = {English}, urldate = {2022-01-24} } @online{antivirnews:20110120:beschreibung:678e455, author = {antivirnews}, title = {{Beschreibung des Virus Backdoor.Win32. Buterat.afj}}, date = {2011-01-20}, url = {http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html}, language = {Russian}, urldate = {2020-01-10} } @online{anton:20200602:hunting:5aa320f, author = {Anton}, title = {{Hunting Malicious Macros}}, date = {2020-06-02}, organization = {Pwntario Blog}, url = {https://blog.pwntario.com/team-posts/antons-posts/hunting-malicious-macros#first}, language = {English}, urldate = {2020-06-03} } @online{antonaanei:20250205:lazarus:2d139d4, author = {Andrei ANTON-AANEI and Alina Bizga}, title = {{Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam}}, date = {2025-02-05}, organization = {Bitdefender}, url = {https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam}, language = {English}, urldate = {2025-02-10} } @online{antonio:20250513:sit:ecf82c9, author = {Lovely Antonio and Chloe de Leon}, title = {{Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer}}, date = {2025-05-13}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer}, language = {English}, urldate = {2025-05-19} } @online{antoniuk:20221229:this:ebb9bbc, author = {Daryna Antoniuk}, title = {{This app will self-destruct: How Belarusian hackers created an alternative Telegram for activists}}, date = {2022-12-29}, organization = {The Record}, url = {https://therecord.media/this-app-will-self-destruct-how-belarusian-hackers-created-an-alternative-telegram-for-activists/}, language = {English}, urldate = {2024-02-08} } @online{antoniuk:20230110:proukraine:1fd5c0a, author = {Daryna Antoniuk}, title = {{Pro-Ukraine hackers leak Russian data in hopes someone will make sense of it}}, date = {2023-01-10}, organization = {The Record}, url = {https://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/}, language = {English}, urldate = {2024-02-08} } @online{antoniuk:20230215:scandinavian:bd951c2, author = {Daryna Antoniuk}, title = {{Scandinavian Airlines hit by cyberattack, ‘Anonymous Sudan’ claims responsibility}}, date = {2023-02-15}, organization = {The Record}, url = {https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/}, language = {English}, urldate = {2023-11-27} } @online{antoniuk:20230705:belarusian:81de4ab, author = {Daryna Antoniuk}, title = {{Belarusian hacktivists сlaim to breach country’s leading state university}}, date = {2023-07-05}, organization = {The Record}, url = {https://therecord.media/cyber-partisans-belarusian-state-university-attack}, language = {English}, urldate = {2024-02-08} } @online{antoniuk:20231010:hacktivists:eb03fb8, author = {Daryna Antoniuk}, title = {{Hacktivists take sides in Israel-Palestinian war}}, date = {2023-10-10}, organization = {The Record}, url = {https://therecord.media/hacktivists-take-sides-israel-palestinian}, language = {English}, urldate = {2023-12-04} } @online{antoniuk:20231106:iranlinked:95ad6a7, author = {Daryna Antoniuk}, title = {{Iran-linked hackers attack Israeli education and tech organizations}}, date = {2023-11-06}, organization = {The Record}, url = {https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors}, language = {English}, urldate = {2024-02-08} } @online{antoniuk:20231201:russian:546018e, author = {Daryna Antoniuk}, title = {{Russian developer of Trickbot malware pleads guilty, faces 35-year sentence}}, date = {2023-12-01}, organization = {The Record}, url = {https://therecord.media/russian-trickbot-malware-developer-pleads-guilty}, language = {English}, urldate = {2023-12-04} } @online{antoniuk:20240328:russian:28e4e97, author = {Daryna Antoniuk}, title = {{Russian researchers say espionage operation using WinRAR bug is linked to Ukraine}}, date = {2024-03-28}, organization = {The Record}, url = {https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage}, language = {English}, urldate = {2024-12-11} } @online{antoniuk:20240404:hackers:6f0c436, author = {Daryna Antoniuk}, title = {{Hackers claim to breach database containing thousands of Russian criminal records}}, date = {2024-04-04}, organization = {The Record}, url = {https://therecord.media/hackers-claim-to-breach-russia-prosecutor-general-database}, language = {English}, urldate = {2025-05-02} } @online{antoniuk:20240607:russialinked:5ba5125, author = {Daryna Antoniuk}, title = {{Russia-linked Vermin hackers target Ukrainian military in new espionage campaign}}, date = {2024-06-07}, organization = {The Record}, url = {https://therecord.media/russian-vermin-hackers-target-ukraine}, language = {English}, urldate = {2024-12-11} } @online{antoniuk:20250109:hackers:147a0df, author = {Daryna Antoniuk}, title = {{Hackers claim to breach Russian state agency managing property, land records}}, date = {2025-01-09}, organization = {The Record}, url = {https://therecord.media/hackers-claim-to-breach-russian-state-agency-land-records}, language = {English}, urldate = {2025-02-03} } @online{antoniuk:20250114:russias:5a08856, author = {Daryna Antoniuk}, title = {{Russia's largest platform for state procurement hit by cyberattack from pro-Ukraine group}}, date = {2025-01-14}, organization = {The Record}, url = {https://therecord.media/russian-platform-for-state-procurement-hit-cyberattack}, language = {English}, urldate = {2025-01-15} } @online{antoniuk:20250221:ukrainian:34ebaa5, author = {Daryna Antoniuk}, title = {{Ukrainian hackers claim breach of Russian loan company linked to Putin’s ex-wife}}, date = {2025-02-21}, organization = {The Record}, url = {https://therecord.media/russia-carmoney-data-breach-ukrainian-cyber-alliance}, language = {English}, urldate = {2025-05-21} } @online{antoniuk:20250407:flaw:a5cefb2, author = {Daryna Antoniuk}, title = {{Flaw in ESET security software used to spread malware from ToddyCat group}}, date = {2025-04-07}, organization = {The Record}, url = {https://therecord.media/eset-software-vulnerability-malware-toddycat-apt}, language = {English}, urldate = {2025-04-09} } @online{anubhav:20160923:hancitor:220140e, author = {Ankit Anubhav and Dileep Kumar Jallepalli}, title = {{Hancitor (AKA Chanitor) observed using multiple attack approaches}}, date = {2016-09-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html}, language = {English}, urldate = {2019-12-20} } @online{anubhav:20180718:huawai:e28ad1e, author = {Ankit Anubhav}, title = {{Tweet on Huawai Router Hacker Anarchy}}, date = {2018-07-18}, organization = {Twitter (@anit_anubhav)}, url = {https://twitter.com/ankit_anubhav/status/1019647993547550720}, language = {English}, urldate = {2020-01-13} } @techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } @online{anupriya:20241023:darkraas:e88772a, author = {Anupriya}, title = {{DarkRaaS ransomware Group Allegedly Selling Global Intelligence Data}}, date = {2024-10-23}, organization = {Cyber Press}, url = {https://cyberpress.org/darkraas-ransomware-intelligence-data/}, language = {English}, urldate = {2024-11-04} } @online{anupriya:20241030:darkraas:78ed561, author = {Anupriya}, title = {{DarkRaaS Ransomware Group Allegedly Selling Login Access to Oil & Gas Company}}, date = {2024-10-30}, organization = {Cyber Press}, url = {https://cyberpress.org/darkraas-ransomware-oil-gas-company/}, language = {English}, urldate = {2024-11-04} } @online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } @online{anurag:20200622:njrat:381c066, author = {Anurag}, title = {{njRat Malware Analysis}}, date = {2020-06-22}, url = {https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/}, language = {English}, urldate = {2020-06-22} } @online{anwar:20220410:threatening:784ed0e, author = {Hura Anwar}, title = {{Threatening Redirect Web Service Instills Malicious Campaigns In Over 16,500 Websites}}, date = {2022-04-10}, organization = {Digital Information World}, url = {https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html}, language = {English}, urldate = {2022-05-05} } @online{anxin:20190116:latest:60776ef, author = {Qi Anxin}, title = {{Latest Target Attack of DarkHydruns Group Against Middle East}}, date = {2019-01-16}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/}, language = {English}, urldate = {2019-12-15} } @online{anxin:20190321:analysis:952c16d, author = {Qi Anxin}, title = {{Analysis of the latest attack activities of the suspected MuddyWater APT group against the Iraqi mobile operator Korek Telecom}}, date = {2019-03-21}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA}, language = {Chinese}, urldate = {2023-09-12} } @online{anyrun:20180208:anyrun:611fc13, author = {ANY.RUN}, title = {{ANY.RUN analysis of MBRLock}}, date = {2018-02-08}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d}, language = {English}, urldate = {2020-01-13} } @online{anyrun:20180321:bandios:cd8a14c, author = {ANY.RUN}, title = {{Tweet on Bandios / Colony}}, date = {2018-03-21}, organization = {Twitter (@anyrun_app)}, url = {https://twitter.com/anyrun_app/status/976385355384590337}, language = {English}, urldate = {2020-01-07} } @online{anyrun:20190719:anyrun:890dfc0, author = {ANY.RUN}, title = {{ANY.RUN analysis on URL}}, date = {2019-07-19}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/}, language = {English}, urldate = {2020-01-08} } @online{anyrun:20190924:anyrun:649c085, author = {ANY.RUN}, title = {{ANY.RUN analysis on unidentified sample}}, date = {2019-09-24}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/4e48bcbf-015b-4a57-bb98-50f9531ff37a}, language = {English}, urldate = {2020-01-13} } @online{anyrun:20211007:anyrun:c7453bb, author = {ANY.RUN}, title = {{ANY.RUN report for activity of the downloader}}, date = {2021-10-07}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/cd25d8c3-1944-4fa0-a4be-436dc1389fca/}, language = {English}, urldate = {2021-10-11} } @online{anyrun:20220830:raccoon:5e2f00f, author = {ANY.RUN}, title = {{Raccoon Stealer 2.0 Malware analysis}}, date = {2022-08-30}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/}, language = {English}, urldate = {2022-08-31} } @online{anyrun:20221027:strrat:1b2aef4, author = {ANY.RUN}, title = {{STRRAT: Malware Analysis of a JAR archive}}, date = {2022-10-27}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/}, language = {English}, urldate = {2022-11-07} } @online{anyrun:20221103:what:6f847b0, author = {ANY.RUN}, title = {{What is Orcus RAT? Technical Analysis and Malware Configuration}}, date = {2022-11-03}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/}, language = {English}, urldate = {2023-01-10} } @online{anyrun:20230126:cryptbot:fa17489, author = {ANY.RUN}, title = {{CryptBot Infostealer: Malware Analysis}}, date = {2023-01-26}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/}, language = {English}, urldate = {2023-01-27} } @online{anyrun:20230228:xloaderformbook:bdcb64a, author = {ANY.RUN}, title = {{XLoader/FormBook: Encryption Analysis and Malware Decryption}}, date = {2023-02-28}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/}, language = {English}, urldate = {2023-09-07} } @online{anyrun:20230328:limerat:14deee8, author = {ANY.RUN}, title = {{LimeRAT Malware Analysis: Extracting the Config}}, date = {2023-03-28}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/limerat-malware-analysis/}, language = {English}, urldate = {2023-03-30} } @online{anyrun:20230418:privateloader:464df80, author = {ANY.RUN}, title = {{PrivateLoader: Analyzing the Encryption and Decryption of a Modern Loader}}, date = {2023-04-18}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/}, language = {English}, urldate = {2023-05-26} } @online{anyrun:20230517:deobfuscating:5a82be9, author = {ANY.RUN}, title = {{Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting}}, date = {2023-05-17}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/deobfuscating-guloader/}, language = {English}, urldate = {2023-05-26} } @online{anyrun:20230622:malware:2e1142f, author = {ANY.RUN}, title = {{Malware Analysis Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery}}, date = {2023-06-22}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/gh0stbins-chinese-rat-malware-analysis/}, language = {English}, urldate = {2023-08-07} } @online{anyrun:20230720:analyzing:012c44c, author = {ANY.RUN}, title = {{Analyzing a New .NET variant of LaplasClipper: retrieving the config}}, date = {2023-07-20}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/analyzing-laplasclipper-malware/}, language = {English}, urldate = {2023-07-27} } @online{anyrun:20240516:malware:dc48542, author = {ANY.RUN}, title = {{Malware trend: Latrodectus}}, date = {2024-05-16}, organization = {ANY.RUN}, url = {https://any.run/malware-trends/latrodectus}, language = {English}, urldate = {2024-05-17} } @online{anyrun:20240606:example:42c9b99, author = {ANY.RUN}, title = {{Example Run on ANY.RUN for GaboonGrabber}}, date = {2024-06-06}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/65855217-7209-4eae-a572-b030a2305b22/}, language = {English}, urldate = {2024-06-10} } @online{anyrun:20250128:linux:c74171d, author = {ANY.RUN}, title = {{Tweet on Linux version of SystemBC}}, date = {2025-01-28}, organization = {Twitter (@anyrun_app)}, url = {https://x.com/anyrun_app/status/1884207667058463188}, language = {English}, urldate = {2025-02-01} } @online{anyrun:20250407:valleyrat:4cfd593, author = {ANY.RUN}, title = {{ValleyRAT}}, date = {2025-04-07}, organization = {ANY.RUN}, url = {https://any.run/malware-trends/valleyrat}, language = {English}, urldate = {2025-04-09} } @online{anyrun:20250603:ottercookie:3bd8709, author = {ANY.RUN}, title = {{OtterCookie: Analysis of Lazarus Group Malware Targeting Finance and Tech Professionals}}, date = {2025-06-03}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/ottercookie-malware-analysis/}, language = {English}, urldate = {2025-06-04} } @online{api:20230412:probing:cb926c0, author = {WhoisXML API}, title = {{Probing Lorec53 Phishing through the DNS Microscope}}, date = {2023-04-12}, organization = {circleid}, url = {https://circleid.com/posts/20230412-probing-lorec53-phishing-through-the-dns-microscope}, language = {English}, urldate = {2024-12-11} } @online{api:20240530:dns:503cd9d, author = {WhoisXML API}, title = {{A DNS Investigation of the Phobos Ransomware 8Base Attack}}, date = {2024-05-30}, organization = {circleid}, url = {https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack}, language = {English}, urldate = {2024-06-05} } @online{apoc:20250304:black:da3d2df, author = {A-poc}, title = {{Black Basta Leak Analysis}}, date = {2025-03-04}, organization = {Medium (A-poc)}, url = {https://medium.com/@a-poc/black-basta-leak-analysis-add723b179a5}, language = {English}, urldate = {2025-04-09} } @online{apostol:20220630:black:7464953, author = {Kenneth Adrian Apostol and Paolo Ronniel Labrador and Mirah Manlapig and James Panlilio and Emmanuel Panopio and John Kenneth Reyes and Melvin Singwa}, title = {{Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit}}, date = {2022-06-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html}, language = {English}, urldate = {2022-07-05} } @online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } @online{aprahamian:20240321:bringing:e9d2eeb, author = {Adam Aprahamian and Austin Larsen and Dan Kelly and Marcin Siedlarz and Mathew Potaczek and Michael Raggi}, title = {{Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect}}, date = {2024-03-21}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect}, language = {English}, urldate = {2025-07-07} } @online{aprozper:20180322:ghostminer:711cbd2, author = {Asaf Aprozper and Gal Bitensky}, title = {{GhostMiner: Cryptomining Malware Goes Fileless}}, date = {2018-03-22}, organization = {Minerva}, url = {https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless}, language = {English}, urldate = {2020-01-07} } @online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } @online{apvrille:20170315:teardown:76fb758, author = {Axelle Apvrille}, title = {{Teardown of a Recent Variant of Android/Ztorg (Part 1)}}, date = {2017-03-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1}, language = {English}, urldate = {2019-12-10} } @online{apvrille:20170315:teardown:e3c30e6, author = {Axelle Apvrille}, title = {{Teardown of Android/Ztorg (Part 2)}}, date = {2017-03-15}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2}, language = {English}, urldate = {2019-12-24} } @online{apvrille:20200918:locating:56e0b57, author = {Axelle Apvrille}, title = {{Locating the Trojan inside an infected COVID-19 contact tracing app}}, date = {2020-09-18}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe}, language = {English}, urldate = {2020-09-25} } @online{apvrille:20200925:into:cf7b514, author = {Axelle Apvrille}, title = {{Into Android Meterpreter and how the malware launches it - part 2}}, date = {2020-09-25}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12}, language = {English}, urldate = {2020-09-25} } @online{apvrille:20201213:decrypting:ee8b00f, author = {Axelle Apvrille}, title = {{Decrypting strings with a JEB script}}, date = {2020-12-13}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/decrypting-strings-with-a-jeb-script-1af522fa4979}, language = {English}, urldate = {2020-12-19} } @online{apvrille:20201215:unpacking:af6a6ee, author = {Axelle Apvrille}, title = {{Unpacking an Android malware with Dexcalibur and JEB}}, date = {2020-12-15}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/unpacking-an-android-malware-with-dexcalibur-and-jeb-59bdd905d4a7}, language = {English}, urldate = {2020-12-19} } @online{apvrille:20210329:androidflubot:01484cd, author = {Axelle Apvrille}, title = {{Android/Flubot: preparing for a new campaign?}}, date = {2021-03-29}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06}, language = {English}, urldate = {2021-03-31} } @online{apvrille:20210518:native:350d98f, author = {Axelle Apvrille}, title = {{A native packer for Android/MoqHao}}, date = {2021-05-18}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1}, language = {English}, urldate = {2021-05-19} } @online{apvrille:20220114:multidex:eaa6c6b, author = {Axelle Apvrille}, title = {{Multidex trick to unpack Android/BianLian}}, date = {2022-01-14}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56}, language = {English}, urldate = {2022-03-30} } @online{apvrille:20220117:androidbianlian:f425de5, author = {Axelle Apvrille}, title = {{Android/BianLian payload}}, date = {2022-01-17}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/android-bianlian-payload-61febabed00a}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20220121:creating:9e6e3cf, author = {Axelle Apvrille}, title = {{Creating a safe dummy C&C to test Android bots}}, date = {2022-01-21}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20220125:bianlian:016e450, author = {Axelle Apvrille}, title = {{BianLian C&C domain name}}, date = {2022-01-25}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20220308:live:c5b7cca, author = {Axelle Apvrille}, title = {{Live reverse engineering of a trojanized medical app — Android/Joker}}, date = {2022-03-08}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20220429:warning:a17311e, author = {Axelle Apvrille}, title = {{Warning: GRIM and Magnus Android Botnets are Underground}}, date = {2022-04-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/grim-magnus-android-botnets}, language = {English}, urldate = {2022-05-09} } @online{apvrille:20220512:reversing:65ed9cb, author = {Axelle Apvrille}, title = {{Reversing an Android sample which uses Flutter}}, date = {2022-05-12}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/reversing-an-android-sample-which-uses-flutter-23c3ff04b847}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20220609:quick:0b409f4, author = {Axelle Apvrille}, title = {{Quick look into a new sample of Android/BianLian}}, date = {2022-06-09}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20220620:tracking:828037d, author = {Axelle Apvrille}, title = {{Tracking Android/Joker payloads with Medusa, static analysis (and patience)}}, date = {2022-06-20}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20220627:unpacking:1b11605, author = {Axelle Apvrille}, title = {{Unpacking a JsonPacker-packed sample}}, date = {2022-06-27}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5}, language = {English}, urldate = {2022-08-15} } @online{apvrille:20221024:hunting:8eeb90d, author = {Axelle Apvrille}, title = {{Hunting the AndroidBianLian botnet}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=DPFcvSy4OZk}, language = {English}, urldate = {2022-11-11} } @online{apvrille:20230621:fortinet:d3403aa, author = {Axelle Apvrille}, title = {{Fortinet Reverses Flutter-based Android Malware “Fluhorse”}}, date = {2023-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/fortinet-reverses-flutter-based-android-malware-fluhorse}, language = {English}, urldate = {2023-06-26} } @online{apvrille:20230623:inside:80ab43b, author = {Axelle Apvrille}, title = {{Inside KangaPack: the Kangaroo packer with native decryption}}, date = {2023-06-23}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/inside-kangapack-the-kangaroo-packer-with-native-decryption-3e7e054679c4}, language = {English}, urldate = {2023-06-26} } @online{apvrille:20230707:eyes:27a9978, author = {Axelle Apvrille}, title = {{Eyes on Android/S.O.V.A botnet sample}}, date = {2023-07-07}, organization = {Medium cryptax}, url = {https://cryptax.medium.com/eyes-on-android-s-o-v-a-botnet-sample-fb5ed332d08}, language = {English}, urldate = {2023-12-19} } @online{apvrille:20231214:bad:943c0a0, author = {Axelle Apvrille}, title = {{Bad Zip and new Packer for Android/BianLian}}, date = {2023-12-14}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/bad-zip-and-new-packer-for-android-bianlian-5bdad4b90aeb}, language = {English}, urldate = {2023-12-19} } @online{apvrille:20231218:organizing:6b377dc, author = {Axelle Apvrille}, title = {{Organizing malware analysis with Colander: example on Android/WyrmSpy}}, date = {2023-12-18}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/organizing-malware-analysis-with-colander-example-on-android-wyrmspy-1f3ec30ae33b}, language = {English}, urldate = {2023-12-19} } @online{apvrille:20240206:reverse:13b233c, author = {Axelle Apvrille}, title = {{Reverse engineering of Android/Phoenix}}, date = {2024-02-06}, organization = {Fortinet}, url = {https://cryptax.medium.com/reverse-engineering-of-android-phoenix-b59693c03bd3}, language = {English}, urldate = {2024-04-29} } @online{apvrille:20240215:androidspynote:a1e69a8, author = {Axelle Apvrille}, title = {{Android/SpyNote Moves to Crypto Currencies}}, date = {2024-02-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies}, language = {English}, urldate = {2024-04-23} } @online{apvrille:20240219:androidspynote:3aef046, author = {Axelle Apvrille}, title = {{Android/SpyNote bypasses Restricted Settings + breaks many RE tools}}, date = {2024-02-19}, organization = {Fortinet}, url = {https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38}, language = {English}, urldate = {2024-04-23} } @online{apvrille:20250204:analyzing:5eb4b86, author = {Axelle Apvrille}, title = {{Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst}}, date = {2025-02-04}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst}, language = {English}, urldate = {2025-02-10} } @online{aqeel:20210118:docx:aaa26f8, author = {Ali Aqeel}, title = {{Docx Files Template-Injection}}, date = {2021-01-18}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/}, language = {English}, urldate = {2021-01-21} } @online{aqeel:20210207:dridex:871b7d0, author = {Ali Aqeel}, title = {{Dridex Malware Analysis}}, date = {2021-02-07}, organization = {Technical Blog of Ali Aqeel}, url = {https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/}, language = {English}, urldate = {2021-02-09} } @online{aqeel:20210409:icedid:a6e3243, author = {Ali Aqeel}, title = {{IcedID Analysis}}, date = {2021-04-09}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/}, language = {English}, urldate = {2021-04-12} } @online{aqeel:20211018:zloader:898c290, author = {Ali Aqeel}, title = {{ZLoader Reversing}}, date = {2021-10-18}, url = {https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/}, language = {English}, urldate = {2021-10-22} } @online{aquilino:20130715:signed:013bd1d, author = {Broderick Aquilino}, title = {{Signed Mac Malware Using Right-to-Left Override Trick}}, date = {2013-07-15}, organization = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/00002576.html}, language = {English}, urldate = {2020-05-19} } @online{aquino:20140306:siesta:9a574bc, author = {Maharlito Aquino}, title = {{The Siesta Campaign: A New Targeted Attack Awakens}}, date = {2014-03-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/}, language = {English}, urldate = {2020-01-13} } @online{ar6s:20190106:rat:f0a6a2f, author = {Ar6s}, title = {{[RAT] DARK TRACK ALIEN 4.1}}, date = {2019-01-06}, organization = {Cracked.to Forum}, url = {https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1}, language = {English}, urldate = {2021-02-17} } @online{arada:20130924:osxleveragea:ba6e883, author = {Eduardo De La Arada}, title = {{OSX/Leverage.a Analysis}}, date = {2013-09-24}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis}, language = {English}, urldate = {2020-01-13} } @online{arai:20210618:cyber:efd5b54, author = {Yuu Arai and Twitter (@yarai1978)}, title = {{"Cyber ​​Security" Yu Arai, NTT DATA Executive Security Analyst}}, date = {2021-06-18}, organization = {YouTube (jnpc)}, url = {https://www.youtube.com/watch?v=2GRhJgF49vA&ab_channel=jnpc}, language = {Japanese}, urldate = {2021-06-22} } @online{arasawa:20240109:black:f6a9dfe, author = {Shinji Robert Arasawa and Joshua Aquino and Charles Steven Derion and Juhn Emmanuel Atanque and Francisrey Joshua Castillo and John Carlo Marquez and Henry Salcedo and John Rainier Navato and Arianne Dela Cruz and Raymart Yambot and Ian Kenefick}, title = {{Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign}}, date = {2024-01-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html}, language = {English}, urldate = {2024-01-10} } @online{archcloud:20201126:tracking:46717fb, author = {ArchCloud}, title = {{Tracking Cryptocurrency Malware in The Homelab}}, date = {2020-11-26}, organization = {Arch Cloud Labs}, url = {https://www.archcloudlabs.com/projects/tracking_cryptominer_domains/}, language = {English}, urldate = {2020-12-03} } @techreport{archer:20190531:qealler:2d73860, author = {Jeff Archer}, title = {{Qealler Unloaded}}, date = {2019-05-31}, institution = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf}, language = {English}, urldate = {2019-12-17} } @online{archer:20190815:micropsia:8ed52a1, author = {Jeff Archer}, title = {{MICROPSIA (APT-C-23)}}, date = {2019-08-15}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md}, language = {English}, urldate = {2019-12-10} } @online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } @online{archer:20191205:poshc2:3066e19, author = {Jeff Archer}, title = {{PoshC2 (specifically as used by APT33)}}, date = {2019-12-05}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20200211:metamorfo:663ae17, author = {Jeff Archer}, title = {{Metamorfo (aka Casbaneiro)}}, date = {2020-02-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md}, language = {English}, urldate = {2020-02-11} } @online{archer:20201213:highly:9fe1728, author = {Andrew Archer and Doug Bienstock and Chris DiGiamo and Glenn Edwards and Nick Hornick and Alex Pennino and Andrew Rector and Scott Runnels and Eric Scales and Nalani Fraiser and Sarah Jones and John Hultquist and Ben Read and Jon Leathery and Fred House and Dileep Jallepalli and Michael Sikorski and Stephen Eckels and William Ballenthin and Jay Smith and Alex Berry and Nick Richard and Isif Ibrahima and Dan Perez and Marcin Siedlarz and Ben Withnell and Barry Vengerik and Nicole Oppenheim and Ian Ahl and Andrew Thompson and Matt Dunwoody and Evan Reese and Steve Miller and Alyssa Rahman and John Gorman and Lennard Galang and Steve Stone and Nick Bennett and Matthew McWhirt and Mike Burns and Omer Baig and Nick Carr and Christopher Glyer and Ramin Nafisi and Microsoft}, title = {{Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor}}, date = {2020-12-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html}, language = {English}, urldate = {2020-12-19} } @online{archer:20211229:asyncrat:4b7c4d9, author = {Jeff Archer}, title = {{AsyncRAT Configuration Parser}}, date = {2021-12-29}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser}, language = {English}, urldate = {2021-12-31} } @online{archer:20240411:rat:7006731, author = {Jeff Archer}, title = {{Rat King Configuration Parser}}, date = {2024-04-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/rat_king_parser}, language = {English}, urldate = {2024-04-15} } @online{arghire:20210429:chinese:0dcf839, author = {Ionut Arghire}, title = {{Chinese Cyberspies Target Military Organizations in Asia With New Malware}}, date = {2021-04-29}, organization = {SecurityWeek}, url = {https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware}, language = {English}, urldate = {2022-02-04} } @online{arghire:20240523:newly:25987c5, author = {Ionut Arghire}, title = {{Newly Detected Chinese Group Targeting Military, Government Entities}}, date = {2024-05-23}, organization = {SecurityWeek}, url = {https://www.securityweek.com/newly-detected-chinese-group-targeting-military-government-entities/}, language = {English}, urldate = {2024-12-11} } @online{arkbird:20200817:short:a510811, author = {Arkbird}, title = {{Short twitter thread with analysis on Loup ATM malware}}, date = {2020-08-17}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1295396936896438272}, language = {English}, urldate = {2020-08-25} } @online{arkbird:20200903:development:cf8dd7d, author = {Arkbird}, title = {{Tweet on development in more_eggs}}, date = {2020-09-03}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1301536930069278727}, language = {English}, urldate = {2020-09-15} } @online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } @online{arkbird:20210830:mercurialgrabber:0c3b718, author = {Arkbird}, title = {{Tweet on MercurialGrabber}}, date = {2021-08-30}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1432127748001128459}, language = {English}, urldate = {2021-12-22} } @online{arkbird:20211112:tweets:3905e33, author = {Arkbird}, title = {{Tweets on Void Balaur using QuantLoader and ZStealer}}, date = {2021-11-12}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1458973883068043264}, language = {English}, urldate = {2021-12-22} } @online{arkbirdsolg:20200505:operation:448dc4a, author = {@Arkbird_SOLG}, title = {{Operation Flash Cobra}}, date = {2020-05-05}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md}, language = {English}, urldate = {2020-05-07} } @online{arkbirdsolg:20200622:ftcode:1f79b62, author = {Twitter (@Arkbird_SOLG)}, title = {{FTcode targets European countries}}, date = {2020-06-22}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md}, language = {English}, urldate = {2020-06-24} } @online{arkbirdsolg:20210327:terraloader:73371d5, author = {Twitter (@Arkbird_SOLG)}, title = {{Terraloader: Congrats, you have a new fake job!}}, date = {2021-03-27}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-}, language = {English}, urldate = {2021-05-03} } @online{armelli:20200708:named:c581e3d, author = {Matthew Armelli and Stuart Caudill and John Patrick Dees and Max Egar and Jennifer Keltz and Lan Pelekis and John Sakellariadis and Vipratap Vikram Singh and Katherine von Ofenheim and Neal Pollard}, title = {{Named But Hardly Shamed: What is the Impact of Information Disclosures on an APT Operations?}}, date = {2020-07-08}, organization = {COLUMBIA | SIPA}, url = {https://sipa.columbia.edu/file/12461/download?token=o5TRWZnI}, language = {English}, urldate = {2020-07-13} } @online{armor:20220105:threat:178f0e9, author = {Armor}, title = {{Threat Intelligence Report: The Evolution of Doppel Spider from BitPaymer to Grief Ransomware}}, date = {2022-01-05}, organization = {ARMOR}, url = {https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/}, language = {English}, urldate = {2022-01-12} } @online{armstrong:20220901:bianlian:a1feb73, author = {Ben Armstrong and Lauren Pearce and Brad Pittack and Danny Quist}, title = {{BianLian Ransomware Gang Gives It a Go!}}, date = {2022-09-01}, organization = {[redacted]}, url = {https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/}, language = {English}, urldate = {2022-10-24} } @online{armstrong:20250224:autocolor:b70e606, author = {Alex Armstrong}, title = {{Auto-Color: An Emerging and Evasive Linux Backdoor}}, date = {2025-02-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/}, language = {English}, urldate = {2025-02-28} } @techreport{army:20200724:atp:37eeefe, author = {Department of the Army}, title = {{ATP 7-100.2: North Korean Tactics}}, date = {2020-07-24}, institution = {Department of the Army}, url = {https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN30043-ATP_7-100.2-000-WEB-2.pdf}, language = {English}, urldate = {2020-08-20} } @online{arndt:20200924:zloader:ad8bf21, author = {Jamie Arndt}, title = {{zLoader XLM Update: Macro code and behavior change}}, date = {2020-09-24}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/}, language = {English}, urldate = {2020-09-25} } @online{arndt:20210306:oleobject1bin:22436df, author = {Jamie Arndt}, title = {{oleObject1.bin – OLe10nATive – shellcode}}, date = {2021-03-06}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/}, language = {English}, urldate = {2021-03-11} } @online{arneson:20190124:cisco:58d9a8f, author = {John Arneson}, title = {{Cisco AMP tracks new campaign that delivers Ursnif}}, date = {2019-01-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html}, language = {English}, urldate = {2019-10-12} } @online{arnoud:20210215:analysis:6955fb8, author = {Stanislas Arnoud}, title = {{Analysis of an APT41 rootkit}}, date = {2021-02-15}, organization = {stan's blog}, url = {https://s4r.cc/analysis/2021/02/15/Analysis_of_an_APT41_rootkit.html}, language = {English}, urldate = {2021-02-18} } @online{arnoud:20221005:sinkholing:8a928c6, author = {Stanislas Arnoud and João Godinho}, title = {{Sinkholing PseudoManuscrypt: From Zero To 50k Infections - Part 1}}, date = {2022-10-05}, organization = {BitSight}, url = {https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1}, language = {English}, urldate = {2022-10-07} } @online{arnoud:20230213:mylobot:c81a83d, author = {Stanislas Arnoud}, title = {{Mylobot: Investigating a proxy botnet}}, date = {2023-02-13}, organization = {BitSight}, url = {https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet}, language = {English}, urldate = {2023-02-14} } @online{arntz:20171031:analyzing:9d5c49e, author = {Pieter Arntz}, title = {{Analyzing malware by API calls}}, date = {2017-10-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/}, language = {English}, urldate = {2019-12-20} } @online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } @online{arntz:20200813:chrome:2120054, author = {Pieter Arntz}, title = {{Chrome extensions that lie about their permissions}}, date = {2020-08-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-about-their-permissions/}, language = {English}, urldate = {2020-08-14} } @online{arntz:20201215:threat:8286d80, author = {Pieter Arntz}, title = {{Threat profile: Egregor ransomware is making a name for itself}}, date = {2020-12-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/}, language = {English}, urldate = {2021-01-11} } @online{arntz:20210309:microsoft:9f7d246, author = {Pieter Arntz}, title = {{Microsoft Exchange attacks cause panic as criminals go shell collecting}}, date = {2021-03-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/}, language = {English}, urldate = {2021-03-11} } @online{arntz:20211021:chrome:0f71e05, author = {Pieter Arntz}, title = {{Chrome targeted by Magnitude exploit kit}}, date = {2021-10-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/magnitude-ek-has-been-spotted-targeting-the-chrome-browser/}, language = {English}, urldate = {2021-10-26} } @online{arntz:20240621:was:bdaa34c, author = {Pieter Arntz}, title = {{Was T-Mobile compromised by a zero-day in Jira?}}, date = {2024-06-21}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira}, language = {English}, urldate = {2024-09-04} } @online{arntz:20250430:fake:959668c, author = {Pieter Arntz}, title = {{Fake Social Security Statement emails trick users into installing remote tool}}, date = {2025-04-30}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool}, language = {English}, urldate = {2025-05-19} } @online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } @online{arrowrat:20220928:arrowrat:05fe8cc, author = {ArrowRat}, title = {{ArrowRat}}, date = {2022-09-28}, organization = {ArrowRAT}, url = {https://www.arrowrat.com}, language = {English}, urldate = {2022-09-29} } @online{arsdale:20230427:week:7f9985d, author = {Carolynn van Arsdale}, title = {{The Week in Security: A possible Colonial Pipeline 2.0, ransomware takes bite out of American eateries}}, date = {2023-04-27}, organization = {ReversingLabs}, url = {https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries}, language = {English}, urldate = {2023-11-17} } @online{arsene:20160808:possibly:55e5441, author = {Liviu Arsene}, title = {{Possibly Italy-Born Android RAT Reported in China, Find Bitdefender Researchers}}, date = {2016-08-08}, organization = {Bitdefender}, url = {https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html}, language = {English}, urldate = {2020-01-06} } @online{arsene:20171026:keranger:a908ea4, author = {Liviu Arsene}, title = {{Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last}}, date = {2017-10-26}, organization = {Macworld}, url = {https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html}, language = {English}, urldate = {2020-01-08} } @online{arsene:20200107:hold:b9c1aa4, author = {Liviu Arsene}, title = {{Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining}}, date = {2020-01-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/}, language = {English}, urldate = {2020-01-13} } @techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } @online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200325:new:51ce027, author = {Liviu Arsene}, title = {{New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer}}, date = {2020-03-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/}, language = {English}, urldate = {2020-03-30} } @online{arsene:20200326:android:946032b, author = {Liviu Arsene}, title = {{Android Apps and Malware Capitalize on Coronavirus}}, date = {2020-03-26}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200513:global:6217d6f, author = {Liviu Arsene}, title = {{Global Ransomware and Cyberattacks on Healthcare Spike during Pandemic}}, date = {2020-05-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/05/global-ransomware-and-cyberattacks-on-healthcare-spike-during-pandemic/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-07-06} } @techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } @techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } @techreport{arsene:20200820:more:a98fa7e, author = {Liviu Arsene and Victor Vrabie and Bogdan Rusu and Alexandru Maximciuc and Cristina Vatamanu}, title = {{More Evidence of APT Hackers-for-Hire Usedfor Industrial Espionage}}, date = {2020-08-20}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-08-27} } @online{arsene:20201123:trickbot:bcf3c42, author = {Liviu Arsene and Radu Tudorica}, title = {{TrickBot is Dead. Long Live TrickBot!}}, date = {2020-11-23}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/}, language = {English}, urldate = {2020-11-25} } @online{arsene:20210811:teaching:aeec28a, author = {Liviu Arsene}, title = {{Teaching an Old Dog New Tricks: 2017 Magniber Ransomware Uses PrintNightmare Vulnerability to Infect Victims in South Korea}}, date = {2021-08-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/}, language = {English}, urldate = {2021-09-02} } @online{arsium:20201227:horuseyesrat:255f0e8, author = {arsium}, title = {{HorusEyesRat}}, date = {2020-12-27}, organization = {Github (arsium)}, url = {https://github.com/arsium/HorusEyesRat_Public}, language = {English}, urldate = {2021-02-06} } @online{artilllerie:20230911:bumblebee:dea7720, author = {@Artilllerie}, title = {{Tweet on BumbleBee sample containing a DGA}}, date = {2023-09-11}, organization = {Twitter (@Artilllerie)}, url = {https://twitter.com/Artilllerie/status/1701250284238823493}, language = {English}, urldate = {2023-10-05} } @online{arunkumar:20231130:uncovering:f655d68, author = {Arunkumar}, title = {{Uncovering the Serpent}}, date = {2023-11-30}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/uncovering-the-serpent/}, language = {English}, urldate = {2023-11-30} } @online{arunkumar:20240702:kematian:3c635c7, author = {Arunkumar}, title = {{Kematian Stealer forked from PowerShell Token Grabber}}, date = {2024-07-02}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/}, language = {English}, urldate = {2024-07-10} } @online{arya:20220713:targeted:82e3d8c, author = {Sushant Kumar Arya and Mohsin Dalla}, title = {{Targeted Attack on Government Agencies}}, date = {2022-07-13}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html}, language = {English}, urldate = {2022-07-14} } @online{arzamendi:20180118:arc:384a9b0, author = {Pete Arzamendi and Matt Bing and Kirk Soluk}, title = {{The ARC of Satori}}, date = {2018-01-18}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/the-arc-of-satori/}, language = {English}, urldate = {2019-11-29} } @techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } @techreport{asd:20241119:annual:0d12616, author = {ASD}, title = {{Annual Cyber Threat Report 2023-2024}}, date = {2024-11-19}, institution = {Australian Signals Directorate}, url = {https://www.cyber.gov.au/sites/default/files/2024-11/asd-cyber-threat-report-2024.pdf}, language = {English}, urldate = {2025-01-15} } @online{asec:20171016:operation:68f1182, author = {ASEC}, title = {{Operation Bitter Biscuit}}, date = {2017-10-16}, organization = {AhnLab}, url = {http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit}, language = {Korean}, urldate = {2020-01-13} } @online{asec:20210804:sw:fd538d1, author = {ASEC}, title = {{S/W Download Camouflage, Spreading Various Kinds of Malware}}, date = {2021-08-04}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/25837/}, language = {Korean}, urldate = {2022-03-07} } @online{asec:20220208:distribution:1e72a12, author = {ASEC}, title = {{Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed}}, date = {2022-02-08}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/31089/}, language = {English}, urldate = {2022-02-10} } @online{asec:20220221:cobalt:82a24d8, author = {ASEC}, title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}}, date = {2022-02-21}, url = {https://asec.ahnlab.com/en/31811/}, language = {English}, urldate = {2022-02-26} } @online{asec:20220221:new:a4d0291, author = {ASEC}, title = {{New information takeover malware "ColdStealer" is being distributed}}, date = {2022-02-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/31703/}, language = {Korean}, urldate = {2022-03-02} } @online{asec:20220228:remcos:d53c470, author = {ASEC}, title = {{Remcos RAT malware disseminated by pretending to be tax invoices}}, date = {2022-02-28}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/32101/}, language = {Korean}, urldate = {2022-03-07} } @online{asec:20220303:dissemination:e2ce2f4, author = {ASEC}, title = {{Dissemination of malicious korean documents masquering as press releases for the 20th presidential election}}, date = {2022-03-03}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/32330/}, language = {Korean}, urldate = {2022-03-04} } @online{asec:20220307:distribution:d298aca, author = {ASEC}, title = {{Distribution of Remcos RAT Disguised as Tax Invoice}}, date = {2022-03-07}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/32376/}, language = {English}, urldate = {2022-03-07} } @online{asec:20220328:vbs:9f536ea, author = {ASEC}, title = {{VBS Script Disguised as PDF File Being Distributed (Kimsuky)}}, date = {2022-03-28}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/33032/}, language = {English}, urldate = {2022-03-30} } @online{asec:20220503:backdoors:43e357a, author = {ASEC}, title = {{Backdoors disguised as document editing and messenger programs (*.chm)}}, date = {2022-05-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/33948/}, language = {Korean}, urldate = {2022-05-05} } @online{asec:20220520:why:c6efba7, author = {ASEC}, title = {{Why Remediation Alone Is Not Enough When Infected by Malware}}, date = {2022-05-20}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/34549/}, language = {English}, urldate = {2022-05-24} } @online{asec:20220624:lockbit:a98a9bb, author = {ASEC}, title = {{LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed}}, date = {2022-06-24}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35822/}, language = {English}, urldate = {2022-06-27} } @online{asec:20220628:new:df3f9bf, author = {ASEC}, title = {{New Info-stealer Disguised as Crack Being Distributed}}, date = {2022-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35981/}, language = {English}, urldate = {2022-06-30} } @online{asec:20220711:appleseed:c064586, author = {ASEC}, title = {{AppleSeed Disguised as Purchase Order and Request Form Being Distributed}}, date = {2022-07-11}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/36368/}, language = {English}, urldate = {2022-11-03} } @online{asec:20220721:amadey:1bbe53b, author = {ASEC}, title = {{Amadey Bot Being Distributed Through SmokeLoader}}, date = {2022-07-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/36634/}, language = {English}, urldate = {2023-03-20} } @online{asec:20220728:attackers:666ffd0, author = {ASEC}, title = {{Attackers Profiting from Proxyware}}, date = {2022-07-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/37276/}, language = {English}, urldate = {2022-08-18} } @online{asec:20220923:fargo:35c7da4, author = {ASEC}, title = {{FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers}}, date = {2022-09-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/39152/}, language = {English}, urldate = {2022-12-14} } @online{asec:20221012:analysis:fb014e5, author = {ASEC}, title = {{Analysis on Attack Techniques and Cases Using RDP}}, date = {2022-10-12}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/40394/}, language = {English}, urldate = {2025-01-29} } @online{asec:20221017:amadey:9973757, author = {ASEC}, title = {{Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed}}, date = {2022-10-17}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/40483/}, language = {English}, urldate = {2024-09-06} } @online{asec:20221102:appleseed:0cc5b91, author = {ASEC}, title = {{Appleseed Being Distributed to Nuclear Power Plant-Related Companies}}, date = {2022-11-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/41015/}, language = {English}, urldate = {2022-11-03} } @online{asec:20221108:lockbit:6acb17e, author = {ASEC}, title = {{LockBit 3.0 Being Distributed via Amadey Bot}}, date = {2022-11-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/41450/}, language = {English}, urldate = {2022-11-09} } @online{asec:20221110:penetration:d92badf, author = {ASEC}, title = {{Penetration and Distribution Method of Gwisin Attacker}}, date = {2022-11-10}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/41565/}, language = {English}, urldate = {2022-11-11} } @online{asec:20221111:magniber:7426c1e, author = {ASEC}, title = {{Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)}}, date = {2022-11-11}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/41889/}, language = {English}, urldate = {2022-11-15} } @online{asec:20221222:qakbot:9e92461, author = {ASEC}, title = {{Qakbot Being Distributed via Virtual Disk Files (*.vhd)}}, date = {2022-12-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/44662/}, language = {English}, urldate = {2023-06-12} } @online{asec:20230106:distribution:dd88acd, author = {ASEC}, title = {{Distribution of NetSupport RAT Malware Disguised as a Pokemon Game}}, date = {2023-01-06}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/45312/}, language = {English}, urldate = {2023-03-20} } @online{asec:20230113:orcus:49e1676, author = {ASEC}, title = {{Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack}}, date = {2023-01-13}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/45462/}, language = {English}, urldate = {2023-03-20} } @online{asec:20230206:sliver:4683d40, author = {ASEC}, title = {{Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations}}, date = {2023-02-06}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/47088/}, language = {English}, urldate = {2023-03-20} } @online{asec:20230215:paradise:0db313d, author = {ASEC}, title = {{Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation}}, date = {2023-02-15}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/47590/}, language = {English}, urldate = {2023-03-20} } @online{asec:20230308:globeimposter:2a15455, author = {ASEC}, title = {{GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP}}, date = {2023-03-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/48940/}, language = {English}, urldate = {2023-03-20} } @online{asec:20230317:shellbot:93d3ae5, author = {ASEC}, title = {{ShellBot Malware Being Distributed to Linux SSH Servers}}, date = {2023-03-17}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/49769/}, language = {English}, urldate = {2023-03-20} } @online{asec:20230417:8220:1919cad, author = {ASEC}, title = {{8220 Gang Uses Log4Shell Vulnerability to Install CoinMiner}}, date = {2023-04-17}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/51568/}, language = {English}, urldate = {2024-09-04} } @online{asec:20230417:trigona:7dcaf83, author = {ASEC}, title = {{Trigona Ransomware Attacking MS-SQL Servers}}, date = {2023-04-17}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/51343/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230503:recordbreaker:402a5e6, author = {ASEC}, title = {{RecordBreaker Stealer Distributed via Hacked YouTube Accounts}}, date = {2023-05-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/52072/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230518:sparkrat:f283ffc, author = {ASEC}, title = {{SparkRAT Being Distributed Within a Korean VPN Installer}}, date = {2023-05-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/52899/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230522:kimsuky:6007eeb, author = {ASEC}, title = {{Kimsuky Group Using Meterpreter to Attack Web Servers}}, date = {2023-05-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/53046/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230523:darkcloud:cbd48ff, author = {ASEC}, title = {{DarkCloud Infostealer Being Distributed via Spam Emails}}, date = {2023-05-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/53128/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230620:tsunami:bbf63b6, author = {ASEC}, title = {{Tsunami DDoS Malware Distributed to Linux SSH Servers}}, date = {2023-06-20}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/54647/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230703:crysis:3ffd122, author = {ASEC}, title = {{Crysis Threat Actor Installing Venus Ransomware Through RDP}}, date = {2023-07-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/54937/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230711:analysis:d4ec4ec, author = {ASEC}, title = {{Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux Systems in Korea}}, date = {2023-07-11}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/55229/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230724:lazarus:63cd113, author = {ASEC}, title = {{Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points}}, date = {2023-07-24}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/55369/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230801:sliver:e32a5e1, author = {ASEC}, title = {{Sliver C2 Being Distributed Through Korean Program Development Company}}, date = {2023-08-01}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/55652/}, language = {English}, urldate = {2023-08-07} } @online{asec:20230803:reptile:ee853ee, author = {ASEC}, title = {{Reptile Malware Targeting Linux Systems}}, date = {2023-08-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/55785/}, language = {English}, urldate = {2023-08-07} } @online{asec:20231201:kimsuky:b7944a5, author = {ASEC}, title = {{Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)}}, date = {2023-12-01}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/59590/}, language = {English}, urldate = {2024-09-02} } @online{asec:20240507:lnk:d8cb18a, author = {ASEC}, title = {{LNK File Disguised as Certificate Distributing RokRAT Malware}}, date = {2024-05-07}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/65076/}, language = {English}, urldate = {2024-05-08} } @online{asec:20240516:analysis:aca6d85, author = {ASEC}, title = {{Analysis of APT attack cases targeting domestic companies using Dora RAT (Andariel Group)}}, date = {2024-05-16}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/65495/}, language = {Korean}, urldate = {2024-09-13} } @online{asec:20240528:bondnet:8d7b3e2, author = {ASEC}, title = {{Bondnet Using Miner Bots as C2}}, date = {2024-05-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/66662/}, language = {English}, urldate = {2024-12-11} } @online{asec:20241016:lab:c9eb875, author = {ASEC}, title = {{An Lab and the National Cyber Security Center (NCSC), joint report distribution and Microsoft browser 0-DAY discovery (CVE-2024-38178)}}, date = {2024-10-16}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/83876/}, language = {Korean}, urldate = {2024-10-17} } @online{asec:20250123:rid:202821b, author = {ASEC}, title = {{RID Hijacking Technique Utilized by Andariel Attack Group}}, date = {2025-01-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/85942/}, language = {English}, urldate = {2025-01-28} } @online{asec:20250227:phishing:ec1c793, author = {ASEC}, title = {{Phishing Email Attacks by the Larva-24005 Group Targeting Japan}}, date = {2025-02-27}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/86535/}, language = {English}, urldate = {2025-03-07} } @online{asec:20250402:beavertail:e5ad6ba, author = {ASEC}, title = {{BeaverTail and Tropidoor Malware Distributed via Recruitment Emails}}, date = {2025-04-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/87299/}, language = {English}, urldate = {2025-04-10} } @online{asec:20250422:distribution:5e69e12, author = {ASEC}, title = {{Distribution of PebbleDash Malware in March 2025}}, date = {2025-04-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/87621/}, language = {English}, urldate = {2025-05-23} } @online{asec:20250516:dbatloader:cb649ba, author = {ASEC}, title = {{DBatLoader (ModiLoader) Being Distributed to Turkish Users}}, date = {2025-05-16}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/88025/}, language = {English}, urldate = {2025-05-20} } @online{ash:20180626:rancor:99f5616, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-20} } @online{ash:20180626:rancor:cc2a967, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-18} } @online{ashford:20180802:three:1fa3b70, author = {Warwick Ashford}, title = {{Three Carbanak cyber heist gang members arrested}}, date = {2018-08-02}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested}, language = {English}, urldate = {2020-01-10} } @online{ashman:20190605:upgraded:519af7d, author = {Ofir Ashman}, title = {{Upgraded JasperLoader Infecting Machines with New Targets & Functional Improvements: What You Need to Know}}, date = {2019-06-05}, organization = {ThreatStop}, url = {https://blog.threatstop.com/upgraded-jasperloader-infecting-machines}, language = {English}, urldate = {2020-01-08} } @online{ashman:20220322:conti:7ffebe5, author = {Ofir Ashman}, title = {{Conti ransomware leaks - what happens when hackers support Russia}}, date = {2022-03-22}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/conti-ransomware-source-code-leaked}, language = {English}, urldate = {2022-04-07} } @online{ashman:20220524:gamaredon:7638a47, author = {Ofir Ashman}, title = {{Gamaredon Group: Understanding the Russian APT}}, date = {2022-05-24}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt}, language = {English}, urldate = {2022-05-25} } @online{ashman:20220615:first:a157972, author = {Ofir Ashman}, title = {{First Conti, then Hive: Costa Rica gets hit with ransomware again}}, date = {2022-06-15}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again}, language = {English}, urldate = {2022-06-27} } @online{ashraf:20220521:deep:0e3523b, author = {Mohamed Ashraf}, title = {{Deep Analysis of Mars Stealer}}, date = {2022-05-21}, organization = {Github (x-junior)}, url = {https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html}, language = {English}, urldate = {2024-01-22} } @online{ashraf:20220624:apt34:92c90d5, author = {Mohamed Ashraf}, title = {{APT34 - Saitama Agent}}, date = {2022-06-24}, organization = {XJunior}, url = {https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html}, language = {English}, urldate = {2022-07-01} } @online{ashraf:20220624:deep:5c1c1cf, author = {Mohamed Ashraf}, title = {{Deep Analysis of Snake Keylogger}}, date = {2022-06-24}, organization = {Github (x-junior)}, url = {https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html}, language = {English}, urldate = {2022-07-05} } @online{ashraf:20240105:about:775e874, author = {Mohamed Ashraf}, title = {{Tweet about a SpectralBlur Linux sample}}, date = {2024-01-05}, organization = {Twitter (@X__Junior)}, url = {https://twitter.com/X__Junior/status/1743193763000828066}, language = {English}, urldate = {2024-03-18} } @online{ashraf:20240226:pikabot:e7cb850, author = {Amr Ashraf}, title = {{Pikabot Loader Detailed Analysis}}, date = {2024-02-26}, organization = {cyber5w}, url = {https://blog.cyber5w.com/2024/02/25/pikabotloader/}, language = {English}, urldate = {2024-03-12} } @online{ashraf:20240523:ida:67d177f, author = {Mohamed Ashraf}, title = {{IDA Script for WarmCookie}}, date = {2024-05-23}, organization = {Github (x-junior)}, url = {https://github.com/X-Junior/Malware-IDAPython-Scripts/blob/main/Badspace/badspace.py}, language = {English}, urldate = {2024-06-05} } @online{ashraf:20240523:string:3c83a03, author = {Mohamed Ashraf}, title = {{String Decryptor for WarmCookie}}, date = {2024-05-23}, organization = {Github (x-junior)}, url = {https://github.com/X-Junior/Malware-String-Decryptor-Scripts/blob/main/Badspace/badspace.py}, language = {English}, urldate = {2024-06-05} } @online{ashton:20200621:maersk:5121522, author = {Gavin Ashton}, title = {{Maersk, me & notPetya}}, date = {2020-06-21}, organization = {GVNSHTN}, url = {https://gvnshtn.com/maersk-me-notpetya/}, language = {English}, urldate = {2020-08-18} } @online{asic:20210127:accellion:939c001, author = {Australian Securities and Investments Commission (ASIC)}, title = {{Accellion cyber incident}}, date = {2021-01-27}, organization = {Australian Securities and Investments Commission (ASIC)}, url = {https://asic.gov.au/about-asic/news-centre/news-items/accellion-cyber-incident/}, language = {English}, urldate = {2021-01-29} } @online{asinovsky:20200324:trickbot:e42e06c, author = {Pavel Asinovsky}, title = {{TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany}}, date = {2020-03-24}, url = {https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/}, language = {English}, urldate = {2024-09-23} } @online{asinovsky:20200618:ginp:724e3ef, author = {Pavel Asinovsky}, title = {{Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey}}, date = {2020-06-18}, organization = {IBM Security}, url = {https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/}, language = {English}, urldate = {2020-06-19} } @online{askar:20190830:github:81bb2c2, author = {Askar}, title = {{Github Repository of Octopus}}, date = {2019-08-30}, organization = {Github (mhaskar)}, url = {https://github.com/mhaskar/Octopus}, language = {English}, urldate = {2021-01-04} } @online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } @online{asoltanei:20200331:infected:eaa940e, author = {Oana Asoltanei and Alin Mihai Barbatei and Ioan-Septimiu Dinulica}, title = {{Infected Zoom Apps for Android Target Work-From-Home Users}}, date = {2020-03-31}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users}, language = {English}, urldate = {2020-04-07} } @techreport{asoltanei:20200619:bitterapt:2e8e1d2, author = {Oana Asoltanei and Denis Cosmin Nutiu and Alin Mihai Barbatei}, title = {{BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool}}, date = {2020-06-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-06-21} } @online{asoltanei:20201008:fake:88db68e, author = {Oana Asoltanei and Elena Flondor and Alin Mihai Barbatei and Liviu Aarsene}, title = {{Fake Users Rave but Real Users Rant as Apps on Google Play Deal Aggressive Adware}}, date = {2020-10-08}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/10/fake-users-rave-but-real-users-rant-as-apps-on-google-play-deal-aggressive-adware/}, language = {English}, urldate = {2020-10-12} } @online{asrar:201901:destructive:f4cc200, author = {Irfan Asrar}, title = {{Destructive Attack "Dustman" Technical Report}}, date = {2019-01}, organization = {LinkedIn Irfan Asrar}, url = {https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/}, language = {English}, urldate = {2020-01-13} } @online{asrar:20200104:dustman:8df5168, author = {Irfan Asrar}, title = {{Tweet on Dustman}}, date = {2020-01-04}, organization = {Twitter (@Irfan_Asrar)}, url = {https://twitter.com/Irfan_Asrar/status/1213544175355908096}, language = {English}, urldate = {2020-01-09} } @online{assante:20151230:current:342c55e, author = {Michael J. Assante}, title = {{Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage}}, date = {2015-12-30}, organization = {SANS}, url = {https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage}, language = {English}, urldate = {2019-12-17} } @online{assaraf:20250226:wolf:85547a1, author = {Amit Assaraf}, title = {{A Wolf in Dark Mode: The Malicious VS Code Theme That Fooled Millions}}, date = {2025-02-26}, organization = {Medium extensiontotal}, url = {https://medium.com/extensiontotal/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions-85ed92b4bd26}, language = {English}, urldate = {2025-02-28} } @online{associates:20240504:191:1224e59, author = {Risk Associates}, title = {{191 Australian Organizations affected by ZircoDATA Breach Linked to Russian Ransomware Gang}}, date = {2024-05-04}, organization = {Risk Associates}, url = {https://riskassociates.com/blogs/191-australian-organisations-affected-by-zircodata-breach-linked-to-russian-ransomeware-gang/}, language = {English}, urldate = {2024-05-13} } @techreport{astolfi:20191009:corso:2a93766, author = {Riccardo Astolfi and Giacomo Ferro and Francesco Gobbi}, title = {{Corso di Codice Malevolo: Relazione sull’analisi del malware sample2.exe}}, date = {2019-10-09}, institution = {Github (GiacomoFerro)}, url = {https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf}, language = {Italian}, urldate = {2022-02-16} } @online{astrovax:20201114:deep:b50ae08, author = {astrovax}, title = {{Deep Dive Into Ryuk Ransomware}}, date = {2020-11-14}, organization = {Medium 0xastrovax}, url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12}, language = {English}, urldate = {2021-01-25} } @online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } @online{atch:20210819:how:53769da, author = {David Atch and Gil Regev and Ross Bevington}, title = {{How to proactively defend against Mozi IoT botnet}}, date = {2021-08-19}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/}, language = {English}, urldate = {2021-08-30} } @online{atlas:20210730:bear:04ae603, author = {Team Atlas}, title = {{Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers}}, date = {2021-07-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/541a465f/description}, language = {English}, urldate = {2021-08-02} } @techreport{atr:20210316:technical:8c4909a, author = {McAfee ATR}, title = {{Technical Analysis of Operation Diànxùn}}, date = {2021-03-16}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf}, language = {English}, urldate = {2021-03-22} } @techreport{atr:20210512:technical:24b2378, author = {McAfee ATR}, title = {{Technical Analysis of Access Token Theft and Manipulation}}, date = {2021-05-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf}, language = {English}, urldate = {2021-05-13} } @online{attck:20170531:apt16:a615343, author = {MITRE ATT&CK}, title = {{APT16}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0023}, language = {English}, urldate = {2022-07-05} } @online{attck:20170531:apt17:ebee596, author = {MITRE ATT&CK}, title = {{APT17}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0025/}, language = {English}, urldate = {2022-07-05} } @online{attck:20170531:apt29:27ed60c, author = {MITRE ATT&CK}, title = {{APT29}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0016}, language = {English}, urldate = {2022-07-13} } @online{attck:20170531:axiom:b181fdb, author = {MITRE ATT&CK}, title = {{Axiom}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0001/}, language = {English}, urldate = {2022-08-30} } @online{attck:20170531:gamaredon:3f7ed54, author = {MITRE ATT&CK}, title = {{Gamaredon Group}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0047}, language = {English}, urldate = {2022-08-25} } @online{attck:20170531:lazarus:9e5ef58, author = {MITRE ATT&CK}, title = {{Lazarus Group}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032}, language = {English}, urldate = {2022-07-13} } @online{attck:20170531:pittytiger:cac6452, author = {MITRE ATT&CK}, title = {{PittyTiger}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0011}, language = {English}, urldate = {2022-08-30} } @online{attck:20170531:putter:f56a7fd, author = {MITRE ATT&CK}, title = {{Putter Panda}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0024}, language = {English}, urldate = {2022-08-30} } @online{attck:20170531:sandworm:1a9a446, author = {MITRE ATT&CK}, title = {{Sandworm Team}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034}, language = {English}, urldate = {2022-08-25} } @online{attck:20171214:apt32:eb42ce5, author = {MITRE ATT&CK}, title = {{APT32}}, date = {2017-12-14}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0050/}, language = {English}, urldate = {2022-07-13} } @online{attck:20180418:apt33:c810337, author = {MITRE ATT&CK}, title = {{APT33}}, date = {2018-04-18}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0064/}, language = {English}, urldate = {2022-07-13} } @online{attck:20181017:thrip:98b79cc, author = {MITRE ATT&CK}, title = {{Thrip}}, date = {2018-10-17}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0076}, language = {English}, urldate = {2022-07-13} } @online{attck:20190129:apt38:dcc2df5, author = {MITRE ATT&CK}, title = {{APT38}}, date = {2019-01-29}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0082}, language = {English}, urldate = {2022-07-13} } @online{attck:20190913:machete:bc6c8e1, author = {MITRE ATT&CK}, title = {{Machete}}, date = {2019-09-13}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0095/}, language = {English}, urldate = {2022-07-13} } @online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } @online{attck:2019:admin338:c8e4d93, author = {MITRE ATT&CK}, title = {{Group description: admin@338}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0018/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt1:9f69f1f, author = {MITRE ATT&CK}, title = {{Group description: APT1}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0006/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt28:f03c2bd, author = {MITRE ATT&CK}, title = {{Group description: APT28}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0007/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt37:b488fef, author = {MITRE ATT&CK}, title = {{Group description: APT37}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0067/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt39:573abf3, author = {MITRE ATT&CK}, title = {{Group description: APT39}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0087/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:blackoasis:ceb12ff, author = {MITRE ATT&CK}, title = {{Group description: BlackOasis}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0063/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:bronze:b7965ff, author = {MITRE ATT&CK}, title = {{Group description: BRONZE BUTLER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0060/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:carbanak:0e2fe5c, author = {MITRE ATT&CK}, title = {{Group description: Carbanak}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0008/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:charming:f900c21, author = {MITRE ATT&CK}, title = {{Group description: Charming Kitten}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0058/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cleaver:ac864e2, author = {MITRE ATT&CK}, title = {{Group description: Cleaver}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0003/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cobalt:0e0496e, author = {MITRE ATT&CK}, title = {{Group description: Cobalt Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0080/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:copykittens:a691b76, author = {MITRE ATT&CK}, title = {{Group description: CopyKittens}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0052/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dark:01cd067, author = {MITRE ATT&CK}, title = {{Group description: Dark Caracal}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0070/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhotel:eab9170, author = {MITRE ATT&CK}, title = {{Group description: Darkhotel}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0012/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhydrus:b9db207, author = {MITRE ATT&CK}, title = {{Group description: DarkHydrus}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0079/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:deep:7220dc2, author = {MITRE ATT&CK}, title = {{Group description: Deep Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0009/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonfly:c84141f, author = {MITRE ATT&CK}, title = {{Group description: Dragonfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0035/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonok:f2cc4fa, author = {MITRE ATT&CK}, title = {{Group description: DragonOK}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0017/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dust:699660d, author = {MITRE ATT&CK}, title = {{Group description: Dust Storm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0031/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:elderwood:581a3e4, author = {MITRE ATT&CK}, title = {{Group description: Elderwood}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0066/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin10:ae5d375, author = {MITRE ATT&CK}, title = {{Group description: FIN10}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0051/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin4:dd68444, author = {MITRE ATT&CK}, title = {{Group description: FIN4}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0085/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin5:48f7065, author = {MITRE ATT&CK}, title = {{Group description: FIN5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0053/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin6:791eaef, author = {MITRE ATT&CK}, title = {{Group description: FIN6}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0037/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin7:be45dfe, author = {MITRE ATT&CK}, title = {{Group description: FIN7}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0046/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin8:2b2b924, author = {MITRE ATT&CK}, title = {{Group description: FIN8}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0061}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gamaredon:982ecc4, author = {MITRE ATT&CK}, title = {{Group description: Gamaredon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0047/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gcman:23384a0, author = {MITRE ATT&CK}, title = {{Group description: GCMAN}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0036/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gorgon:f7c9936, author = {MITRE ATT&CK}, title = {{Group description: Gorgon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0078/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:group5:fcdeaa8, author = {MITRE ATT&CK}, title = {{Group description: Group5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:honeybee:9d1ffa6, author = {MITRE ATT&CK}, title = {{Group description: Honeybee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0072/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ke3chang:89a4a35, author = {MITRE ATT&CK}, title = {{Group description: Ke3chang}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0004/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lazarus:a298c2f, author = {MITRE ATT&CK}, title = {{Group description: Lazarus Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leafminer:c73518e, author = {MITRE ATT&CK}, title = {{Group description: Leafminer}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0077/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leviathan:249223a, author = {MITRE ATT&CK}, title = {{Group description: Leviathan}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0065/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lotus:98bf87a, author = {MITRE ATT&CK}, title = {{Group description: Lotus Blossom}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0030/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:magic:f2f07ab, author = {MITRE ATT&CK}, title = {{Group description: Magic Hound}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0059/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:menupass:8fde950, author = {MITRE ATT&CK}, title = {{Group description: menuPass}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0045/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:moafee:021312c, author = {MITRE ATT&CK}, title = {{Group description: Moafee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0002/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:molerats:9927c33, author = {MITRE ATT&CK}, title = {{Group description: Molerats}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0021/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:muddywater:b990d10, author = {MITRE ATT&CK}, title = {{Group description: MuddyWater}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:naikon:f6661ca, author = {MITRE ATT&CK}, title = {{Group description: Naikon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0019/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:neodymium:2979fa4, author = {MITRE ATT&CK}, title = {{Group description: NEODYMIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0055/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:night:45c6d39, author = {MITRE ATT&CK}, title = {{Group description: Night Dragon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0014/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:oilrig:40b5deb, author = {MITRE ATT&CK}, title = {{Group description: OilRig}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0049/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:orangeworm:7b6180d, author = {MITRE ATT&CK}, title = {{Group description: Orangeworm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0071/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:patchwork:b9fa9e1, author = {MITRE ATT&CK}, title = {{Group description: Patchwork}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0040/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:pittytiger:9fde514, author = {MITRE ATT&CK}, title = {{Group description: PittyTiger}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0011/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:platinum:7fbd5ec, author = {MITRE ATT&CK}, title = {{Group description: PLATINUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0068/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:poseidon:9c4e9d2, author = {MITRE ATT&CK}, title = {{Group description: Poseidon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0033/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:promethium:845588e, author = {MITRE ATT&CK}, title = {{Group description: PROMETHIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0056/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:putter:db997a2, author = {MITRE ATT&CK}, title = {{Group description: Putter Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0024/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rancor:d326bb1, author = {MITRE ATT&CK}, title = {{Group description: Rancor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0075/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rtm:24fd219, author = {MITRE ATT&CK}, title = {{Group description: RTM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0048/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sandworm:2c635f5, author = {MITRE ATT&CK}, title = {{Group description: Sandworm Team}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:scarlet:c7d064d, author = {MITRE ATT&CK}, title = {{Group description: Scarlet Mimic}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0029/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sowbug:1065fa1, author = {MITRE ATT&CK}, title = {{Group description: Sowbug}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0054/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stealth:5d9f9cd, author = {MITRE ATT&CK}, title = {{Group description: Stealth Falcon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0038/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stolen:1489d7d, author = {MITRE ATT&CK}, title = {{Group description: Stolen Pencil}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0086/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:strider:e8991a7, author = {MITRE ATT&CK}, title = {{Group description: Strider}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0041/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:suckfly:686a402, author = {MITRE ATT&CK}, title = {{Group description: Suckfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0039/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ta459:3a8408d, author = {MITRE ATT&CK}, title = {{Group description: TA459}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0062/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:taidoor:e2e9ac3, author = {MITRE ATT&CK}, title = {{Group description: Taidoor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0015/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tempveles:c62b7f7, author = {MITRE ATT&CK}, title = {{Group description: TEMP.Veles}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0088/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:threat:739dbdd, author = {MITRE ATT&CK}, title = {{Group description: Threat Group-3390}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0027/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:thrip:b7cf7c3, author = {MITRE ATT&CK}, title = {{Group description: Thrip}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0076/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:5022816, author = {MITRE ATT&CK}, title = {{Tool description: NanHaiShu}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0228/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:aef0372, author = {MITRE ATT&CK}, title = {{Tool description: HALFBAKED}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0151/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:e80f843, author = {MITRE ATT&CK}, title = {{Tool description: ELMER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0064}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ebc79ce, author = {MITRE ATT&CK}, title = {{Tool description: BLACKCOFFEE}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:fd89dda, author = {MITRE ATT&CK}, title = {{Tool description: China Chopper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tropic:0324452, author = {MITRE ATT&CK}, title = {{Group description: Tropic Trooper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0081/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:turla:6c3dec8, author = {MITRE ATT&CK}, title = {{Group description: Turla}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0010/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:winnti:ad3b350, author = {MITRE ATT&CK}, title = {{Group description: Winnti Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0044/}, language = {English}, urldate = {2019-12-20} } @online{attck:20200508:inception:354e1e3, author = {MITRE ATT&CK}, title = {{Inception}}, date = {2020-05-08}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0100}, language = {English}, urldate = {2022-08-26} } @online{attck:20200508:inception:a4454ac, author = {MITRE ATT&CK}, title = {{Inception}}, date = {2020-05-08}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0100/}, language = {English}, urldate = {2022-07-05} } @online{attck:20210106:attck:841bad7, author = {MITRE ATT&CK}, title = {{ATT&CK Navigator layer for UNC2452}}, date = {2021-01-06}, organization = {MITRE}, url = {https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json}, language = {English}, urldate = {2021-01-11} } @online{attck:20210303:hafnium:e35dcb1, author = {MITRE ATT&CK}, title = {{HAFNIUM}}, date = {2021-03-03}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0125/}, language = {English}, urldate = {2022-07-05} } @online{attck:20210319:ta551:48627e5, author = {MITRE ATT&CK}, title = {{TA551}}, date = {2021-03-19}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0127/}, language = {English}, urldate = {2022-07-13} } @online{attck:20231206:cinnamon:0c5edc5, author = {MITRE ATT&CK}, title = {{Cinnamon Tempest}}, date = {2023-12-06}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G1021/}, language = {English}, urldate = {2025-06-20} } @online{attfield:20241217:hidden:1a178a2, author = {Nick Attfield and Konstantin Klinger and Pim Trouerbach and David Galazin}, title = {{Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs}}, date = {2024-12-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats}, language = {English}, urldate = {2024-12-17} } @online{attfield:20250604:bitter:df416a3, author = {Nick Attfield and Konstantin Klinger and Abdallah Elshinbary and Jonas Wagner}, title = {{The Bitter End: Unraveling Eight Years of Espionage Antics—Part One}}, date = {2025-06-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one}, language = {English}, urldate = {2025-06-05} } @online{atweeteruser:20190726:malware:dce6863, author = {a_tweeter_user}, title = {{Tweet on Malware}}, date = {2019-07-26}, organization = {Twitter (@a_tweeter_user)}, url = {https://twitter.com/a_tweeter_user/status/1154764787823316993}, language = {English}, urldate = {2020-01-08} } @online{audit:20240513:wavestealer:eedbf24, author = {Cool Audit}, title = {{Wavestealer Spotted In The Wild}}, date = {2024-05-13}, url = {https://coolaudit.com/new-wavestealer-spotted-in-wild-stealing-login-credentials-credit-card-data/}, language = {English}, urldate = {2024-06-28} } @online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } @online{authos:20160320:hidden:151e4e4, author = {Tripwire Guest Authos}, title = {{Hidden Tear Project: Forbidden Fruit Is the Sweetest}}, date = {2016-03-20}, organization = {Tripwire}, url = {https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/}, language = {English}, urldate = {2020-01-08} } @online{avast:20171220:video:4c6aaa5, author = {Avast}, title = {{Video about Catelites Bot - Airbank Example}}, date = {2017-12-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=1LOy0ZyjEOk}, language = {English}, urldate = {2020-01-07} } @online{avast:2018:hide:cd78bb0, author = {Avast}, title = {{Hide 'N Seek}}, date = {2018}, organization = {Avast}, url = {https://threatlabs.avast.com/botnet}, language = {English}, urldate = {2019-12-17} } @online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} } @online{avast:20220321:ioc:b4bb870, author = {Avast}, title = {{IoC from Operation Dragon Castling}}, date = {2022-03-21}, organization = {Avast}, url = {https://github.com/avast/ioc/tree/master/OperationDragonCastling}, language = {English}, urldate = {2022-08-26} } @online{avast:20220819:iocs:bc5a832, author = {Avast}, title = {{IOCs for Manjusaka}}, date = {2022-08-19}, organization = {Github (Avast)}, url = {https://github.com/avast/ioc/tree/master/Manjusaka}, language = {English}, urldate = {2022-08-22} } @online{avastthreatlabs:20211109:by:9f805da, author = {Twitter (@AvastThreatLabs)}, title = {{Tweet by Avast on a new Android Banker they call MasterFred}}, date = {2021-11-09}, url = {https://twitter.com/AvastThreatLabs/status/1458162276708483073}, language = {English}, urldate = {2021-11-10} } @online{avertium:20220601:indepth:ccc8f54, author = {Avertium}, title = {{An In-Depth Look At Black Basta Ransomware}}, date = {2022-06-01}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware}, language = {English}, urldate = {2022-08-18} } @online{avertium:20221213:everything:7b69285, author = {Avertium}, title = {{Everything You Need to Know about Royal Ransomware}}, date = {2022-12-13}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware}, language = {English}, urldate = {2022-12-24} } @online{avertium:20230104:indepth:5233ed0, author = {Avertium}, title = {{An In-Depth Look at PLAY Ransomware}}, date = {2023-01-04}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware}, language = {English}, urldate = {2023-01-05} } @online{avertium:20230725:evolution:15a6f6a, author = {Avertium}, title = {{EVOLUTION OF RUSSIAN APT29 – NEW ATTACKS AND TECHNIQUES UNCOVERED}}, date = {2023-07-25}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered}, language = {English}, urldate = {2023-07-28} } @online{avertium:20230823:unraveling:4ab27cb, author = {Avertium}, title = {{Unraveling SCATTERED SPIEDER: A Stealthy and Persistent Threat Actor Targeting Telecom Networks}}, date = {2023-08-23}, organization = {Avertium}, url = {https://explore.avertium.com/resource/unraveling-scattered-spider-a-stealthy-and-persistent-threat-actor}, language = {English}, urldate = {2023-11-17} } @online{avery:20211117:dns:847b573, author = {Kyle Avery}, title = {{DNS Over HTTPS for Cobalt Strike}}, date = {2021-11-17}, organization = {Black Hills Information Security}, url = {https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/}, language = {English}, urldate = {2022-02-19} } @online{aviab:20250323:analyzing:6ce081c, author = {AviaB}, title = {{Analyzing Vidar Stealer}}, date = {2025-03-23}, organization = {AviaB}, url = {https://aviab1.github.io/Vidar-Stealer/}, language = {English}, urldate = {2025-03-25} } @online{avllazagaj:20210601:inside:e8edbce, author = {Erin Avllazagaj}, title = {{Inside commercial malware sandboxes}}, date = {2021-06-01}, organization = {Github (Albocoder)}, url = {https://web.archive.org/web/20210613070852/https://albocoder.github.io/malware/2021/06/01/SandboxStudy.html}, language = {English}, urldate = {2021-07-27} } @online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } @online{aydinbas:20220301:python:1e7cf7b, author = {Johann Aydinbas}, title = {{Python script to decrypt embedded driver used in Daxin}}, date = {2022-03-01}, organization = {Github (usualsuspect)}, url = {https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6}, language = {English}, urldate = {2022-03-07} } @online{aydinbas:20220523:deal:00dc16f, author = {Johann Aydinbas and Colin Murphy}, title = {{A deal with the devil: Analysis of a recent Matanbuchus sample}}, date = {2022-05-23}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a}, language = {English}, urldate = {2022-05-24} } @online{aydinbas:20221004:mssql:df4869a, author = {Johann Aydinbas and Axel Wauer}, title = {{MSSQL, meet Maggie}}, date = {2022-10-04}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01}, language = {English}, urldate = {2022-10-05} } @online{aydinbas:20221116:hz:b5a2d6d, author = {Johann Aydinbas and Axel Wauer}, title = {{HZ RAT goes China}}, date = {2022-11-16}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2}, language = {English}, urldate = {2022-11-18} } @online{aydinbas:20221219:twitter:6e70f3d, author = {Johann Aydinbas}, title = {{Twitter thread describing ISO drop for Kami}}, date = {2022-12-19}, organization = {Twitter (@jaydinbas)}, url = {https://twitter.com/jaydinbas/status/1604918636422070289}, language = {English}, urldate = {2022-12-20} } @online{aydinbas:20230210:shortandmalicious:c26d7a5, author = {Johann Aydinbas and Axel Wauer}, title = {{#ShortAndMalicious — PikaBot and the Matanbuchus connection}}, date = {2023-02-10}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398}, language = {English}, urldate = {2023-02-15} } @online{aydinbas:20230517:andariels:517dbe2, author = {Johann Aydinbas and Emilia Neuber and Kritika Roy and Axel Wauer and Jiro Minier}, title = {{Andariel’s “Jupiter” malware and the case of the curious C2}}, date = {2023-05-17}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499}, language = {English}, urldate = {2023-05-21} } @online{aydinbas:20230531:about:19b2edc, author = {Johann Aydinbas}, title = {{Tweet about C++ payload delivered via ISO}}, date = {2023-05-31}, organization = {Twitter (@jaydinbas)}, url = {https://twitter.com/jaydinbas/status/1663916211975987201}, language = {English}, urldate = {2023-06-01} } @online{aydinbas:20230919:shortandmalicious:a0cff0b, author = {Johann Aydinbas}, title = {{#ShortAndMalicious — DarkGate}}, date = {2023-09-19}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232}, language = {English}, urldate = {2023-09-20} } @online{aydinbas:20240221:to:c8d7610, author = {Johann Aydinbas and Olivia Hayward and Jiro Minier and Kritika Roy}, title = {{To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer}}, date = {2024-02-21}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3}, language = {English}, urldate = {2024-02-21} } @online{aydinbas:20241104:unransomware:2fb79f1, author = {Johann Aydinbas and Denis Szadkowski and Maike Orlikowski and Paul van Ramesdonk}, title = {{Unransomware: From Zero to Full Recovery in a Blink}}, date = {2024-11-04}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/unransomware-from-zero-to-full-recovery-in-a-blink-8a47dd031df3}, language = {English}, urldate = {2024-11-11} } @techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } @online{azad:20211215:threatlabz:fcf4d6c, author = {Rubin Azad}, title = {{ThreatLabz analysis - Log4Shell CVE-2021-44228 Exploit Attempts}}, date = {2021-12-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts}, language = {English}, urldate = {2022-01-05} } @online{azmagic:20220630:github:c71aed8, author = {AZMagic}, title = {{Github Repository with source code for Pandora hVNC}}, date = {2022-06-30}, organization = {Github (AZMagic)}, url = {https://github.com/AZMagic/Pandora-Hvnc-Hidden-Browser-Real-Vnc-Working-Chromium-Edge-Opera-Gx}, language = {English}, urldate = {2022-08-05} } @online{azzam:20240123:cherryloader:518d29f, author = {Hady Azzam and Christopher Prest and Steven Campbell}, title = {{CherryLoader: A New Go-based Loader Discovered in Recent Intrusions}}, date = {2024-01-23}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/}, language = {English}, urldate = {2024-02-02} } @online{b:20200815:doublefantasy:6c843b6, author = {Adrien B}, title = {{Tweet on DoubleFantasy}}, date = {2020-08-15}, organization = {Twitter (@Int2e_)}, url = {https://twitter.com/Int2e_/status/1294565186939092994}, language = {English}, urldate = {2020-08-18} } @online{b:20230522:bluenoroffs:4fd8a5c, author = {Jamila B. and Kilian Seznec and Charles M.}, title = {{Bluenoroff’s RustBucket campaign}}, date = {2023-05-22}, organization = {Sekoia}, url = {https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/}, language = {English}, urldate = {2023-05-30} } @online{b:20230907:my:de66f96, author = {Jamila B.}, title = {{My Tea’s not cold. An overview of China’s cyber threat}}, date = {2023-09-07}, organization = {Sekoia}, url = {https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/}, language = {English}, urldate = {2023-09-08} } @online{b:20240130:pythons:94f0ee7, author = {Deepa B}, title = {{Python’s Byte: The Rise of Scripted Ransomware}}, date = {2024-01-30}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/pythons-byte-the-rise-of-scripted-ransomware/}, language = {English}, urldate = {2024-02-02} } @online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } @online{babaee:20211017:building:4626116, author = {Hamidreza Babaee}, title = {{Building highly interactive honeypots: CVE-2021-41773 case study}}, date = {2021-10-17}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/building-highly-interactive-honeypots}, language = {English}, urldate = {2021-11-08} } @online{babayeva:20210203:dissecting:c116828, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic.}}, date = {2021-02-03}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic}, language = {English}, urldate = {2021-02-04} } @online{babayeva:20210510:dissecting:7ea0641, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of the HawkShaw.}}, date = {2021-05-10}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw}, language = {English}, urldate = {2021-05-12} } @online{babayeva:20210601:dissecting:edf6609, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of the Command-line AndroRAT.}}, date = {2021-06-01}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat}, language = {English}, urldate = {2021-06-09} } @online{babayeva:20210621:dissecting:98ec148, author = {Kamila Babayeva and Sebastian García}, title = {{Dissecting a RAT. Analysis of the Saefko RAT.}}, date = {2021-06-21}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/6/2/dissecting-a-rat-analysis-of-the-saefko-rat}, language = {English}, urldate = {2021-06-22} } @online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } @online{babinski:20221228:html:7dbe8af, author = {Micah Babinski}, title = {{HTML Smuggling Detection}}, date = {2022-12-28}, url = {https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841}, language = {English}, urldate = {2022-12-31} } @online{babu:20250603:indepth:6409129, author = {Praveen Babu}, title = {{In-depth Analysis of a 2025 ViperSoftX Variant}}, date = {2025-06-03}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant}, language = {English}, urldate = {2025-06-04} } @online{babuder:20220314:nasty:8cfc0e3, author = {Lane Babuder}, title = {{Nasty Escobar Banking Trojan Is Targeting Google Authenticator Codes For Android}}, date = {2022-03-14}, organization = {HotHardware}, url = {https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes}, language = {English}, urldate = {2022-03-17} } @online{baca:20200326:would:a184711, author = {Alejandro Baca and Rodel Mendrez}, title = {{Would You Exchange Your Security for a Gift Card?}}, date = {2020-03-26}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/}, language = {English}, urldate = {2020-03-30} } @techreport{backdoor:201803:oceanlotus:a2c3636, author = {OceanLotus: Old techniques, new backdoor}, title = {{OceanLotus: Old techniques, new backdoor}}, date = {2018-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf}, language = {English}, urldate = {2020-01-07} } @online{backhouse:20220930:glimpse:5194be6, author = {William Backhouse and Michael Mullen and Nikolaos Pantazopoulos}, title = {{A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion}}, date = {2022-09-30}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/}, language = {English}, urldate = {2022-10-04} } @online{backman:20210517:investigating:447e111, author = {Kent Backman}, title = {{Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach}}, date = {2021-05-17}, organization = {Dragos}, url = {https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/}, language = {English}, urldate = {2021-05-19} } @online{bacurio:20160621:curious:8607f46, author = {Floser Bacurio and Roland Dela Paz}, title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}}, date = {2016-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html}, language = {English}, urldate = {2020-01-08} } @online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } @online{bacurio:20171207:peculiar:e4c095f, author = {Floser Bacurio and Joie Salvio}, title = {{A Peculiar Case of Orcus RAT Targeting Bitcoin Investors}}, date = {2017-12-07}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors}, language = {English}, urldate = {2020-01-08} } @online{badaev:20240415:steganoamor:a3b7239, author = {Aleksandr Badaev and Kseniya Naumova}, title = {{SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world}}, date = {2024-04-15}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/}, language = {English}, urldate = {2024-04-23} } @online{bader:20141221:dga:f85933e, author = {Johannes Bader}, title = {{The DGA of Ramnit}}, date = {2014-12-21}, organization = {bin.re}, url = {https://bin.re/blog/the-dga-of-ramnit/}, language = {English}, urldate = {2023-10-30} } @online{bader:20150112:dga:b961e18, author = {Johannes Bader}, title = {{The DGA of Shiotob}}, date = {2015-01-12}, url = {https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150121:dga:c2a0550, author = {Johannes Bader}, title = {{The DGA of Symmi}}, date = {2015-01-21}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/the-dga-of-symmi/}, language = {English}, urldate = {2023-08-10} } @online{bader:20150210:dga:2ff5cf7, author = {Johannes Bader}, title = {{The DGA of Banjori}}, date = {2015-02-10}, organization = {Johannes Bader's Blog}, url = {https://www.johannesbader.ch/2015/02/the-dga-of-banjori/}, language = {English}, urldate = {2020-01-07} } @online{bader:20150220:dgas:b2e059a, author = {Johannes Bader}, title = {{The DGAs of Necurs}}, date = {2015-02-20}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/the-dgas-of-necurs/}, language = {English}, urldate = {2023-04-27} } @online{bader:20150306:dga:3673443, author = {Johannes Bader}, title = {{The DGA of DirCrypt}}, date = {2015-03-06}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/}, language = {English}, urldate = {2019-11-28} } @online{bader:20150310:dga:4409507, author = {Johannes Bader}, title = {{The DGA of Pykspa}}, date = {2015-03-10}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-pykspa/}, language = {English}, urldate = {2023-04-14} } @online{bader:20150311:dga:5f3c096, author = {Johannes Bader}, title = {{The DGA of Simda/Shiz}}, date = {2015-03-11}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/the-dga-of-simda-shiz/}, language = {English}, urldate = {2025-03-07} } @online{bader:20150522:dga:9ba1744, author = {Johannes Bader}, title = {{The DGA of Ranbyus}}, date = {2015-05-22}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-ranbyus/}, language = {English}, urldate = {2023-04-14} } @online{bader:20150610:win32upatrebi:36ea1eb, author = {Johannes Bader}, title = {{Win32/Upatre.BI - Part One}}, date = {2015-06-10}, url = {https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/}, language = {English}, urldate = {2019-12-02} } @online{bader:20150719:faulty:e287eee, author = {Johannes Bader}, title = {{The Faulty Precursor of Pykspa's DGA}}, date = {2015-07-19}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/pykspas-inferior-dga-version/}, language = {English}, urldate = {2023-04-14} } @online{bader:20150903:three:f3785d9, author = {Johannes Bader}, title = {{Three Variants of Murofet's DGA}}, date = {2015-09-03}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/three-variants-of-murofets-dga/}, language = {English}, urldate = {2023-12-11} } @online{bader:20150923:ranbyuss:424dcfd, author = {Johannes Bader}, title = {{Ranbyus's DGA, Revisited}}, date = {2015-09-23}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/ranbyuss-dga-revisited/}, language = {English}, urldate = {2024-02-13} } @online{bader:20151222:krakens:330079f, author = {Johannes Bader}, title = {{Kraken's two Domain Generation Algorithms}}, date = {2015-12-22}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/krakens-two-domain-generation-algorithms/}, language = {English}, urldate = {2024-02-21} } @online{bader:20160110:dga:cb8a5e5, author = {Johannes Bader}, title = {{The DGA in Alureon/DNSChanger}}, date = {2016-01-10}, url = {https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/}, language = {English}, urldate = {2019-12-17} } @online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/phorpiex/}, language = {English}, urldate = {2023-04-14} } @online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-qakbot/}, language = {English}, urldate = {2023-04-14} } @online{bader:20160306:dga:fe673b7, author = {Johannes Bader}, title = {{The DGA of PadCrypt}}, date = {2016-03-06}, url = {https://johannesbader.ch/2016/03/the-dga-of-padcrypt/}, language = {English}, urldate = {2019-12-06} } @online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } @online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } @online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } @online{bader:20190708:dga:0c56ba3, author = {Johannes Bader}, title = {{The DGA of Pitou}}, date = {2019-07-08}, url = {https://johannesbader.ch/2019/07/the-dga-of-pitou/}, language = {English}, urldate = {2020-01-10} } @online{bader:20191112:dga:0a1d2c8, author = {Johannes Bader}, title = {{The DGA of QSnatch}}, date = {2019-11-12}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-qsnatch/}, language = {English}, urldate = {2020-01-13} } @online{bader:20200123:dga:129802e, author = {Johannes Bader}, title = {{The DGA of a Monero Miner Downloader}}, date = {2020-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-a-monero-miner-downloader/}, language = {English}, urldate = {2020-01-27} } @online{bader:20200426:dga:edd448c, author = {Johannes Bader}, title = {{The DGA of Zloader}}, date = {2020-04-26}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-zloader/}, language = {English}, urldate = {2020-04-26} } @online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20201216:next:a8f5998, author = {Johannes Bader}, title = {{Next Version of the Bazar Loader DGA}}, date = {2020-12-16}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/}, language = {English}, urldate = {2020-12-16} } @online{bader:20210123:yet:1274cbe, author = {Johannes Bader}, title = {{Yet Another Bazar Loader DGA}}, date = {2021-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/yet-another-bazarloader-dga/}, language = {English}, urldate = {2021-01-25} } @online{bader:20210809:bazarloader:e123577, author = {Johannes Bader}, title = {{A BazarLoader DGA that Breaks Down in the Summer}}, date = {2021-08-09}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/}, language = {English}, urldate = {2021-08-09} } @online{bader:20220111:reimplementation:f8b45d0, author = {Johannes Bader}, title = {{Reimplementation of Expiro's DGA}}, date = {2022-01-11}, organization = {Github (baderj)}, url = {https://github.com/baderj/domain_generation_algorithms/blob/master/m0yv/dga.py}, language = {English}, urldate = {2022-11-03} } @online{bader:20220604:domain:5dd1e0a, author = {Johannes Bader}, title = {{The Domain Generation Algorithms of SharkBot}}, date = {2022-06-04}, organization = {bin.re}, url = {https://bin.re/blog/the-dgas-of-sharkbot/}, language = {English}, urldate = {2023-04-14} } @online{bader:20220724:dga:cf56d0c, author = {Johannes Bader}, title = {{A DGA Seeded by the Bitcoin Genesis Block}}, date = {2022-07-24}, organization = {bin.re}, url = {https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/}, language = {English}, urldate = {2022-08-08} } @online{bader:20230915:dga:38f37f8, author = {Johannes Bader}, title = {{The DGA of BumbleBee}}, date = {2023-09-15}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/the-dga-of-bumblebee/}, language = {English}, urldate = {2023-10-05} } @online{bagnoli:20211117:sorveglianza:3272e30, author = {Lorenzo Bagnoli and Riccardo Coluccini}, title = {{Sorveglianza: l’azienda italiana che vuole sfidare i colossi NSO e Palantir}}, date = {2021-11-17}, organization = {Investigative reporting project Italy}, url = {https://irpimedia.irpi.eu/sorveglianze-cy4gate/}, language = {Italian}, urldate = {2021-11-18} } @online{bahtiarian:20220405:incident:abf42a6, author = {Brian Bahtiarian and David Blanton and Britton Manahan and Kyle Pellett}, title = {{Incident report: From CLI to console, chasing an attacker in AWS}}, date = {2022-04-05}, organization = {Expel}, url = {https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/}, language = {English}, urldate = {2022-04-08} } @techreport{bailey:201601:matryoshka:3c7753f, author = {Michael Bailey}, title = {{MATRYOSHKA MINING}}, date = {2016-01}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf}, language = {English}, urldate = {2019-11-27} } @online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20190423:carbanak:cbe986c, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis}}, date = {2019-04-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20200208:reversing:b033cdc, author = {Michael Bailey}, title = {{Reversing the Gophe SPambot: Confronting COM Code and Surmounting STL Snags}}, date = {2020-02-08}, organization = {FireEye}, url = {https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville}, language = {English}, urldate = {2020-10-05} } @online{bailey:20200407:thinking:7ee19d0, author = {Michael Bailey}, title = {{Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation}}, date = {2020-04-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html}, language = {English}, urldate = {2020-05-05} } @online{bailey:20210209:bazarbackdoors:a9cf426, author = {Zachary Bailey}, title = {{BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs}}, date = {2021-02-09}, organization = {Cofense}, url = {https://cofense.com/blog/bazarbackdoor-stealthy-infiltration}, language = {English}, urldate = {2021-02-09} } @online{baines:20230309:vulncheck:55f2b21, author = {Jacob Baines}, title = {{The VulnCheck 2022 Exploited Vulnerability Report - Missing CISA KEV Catalog Entries}}, date = {2023-03-09}, organization = {VulnCheck}, url = {https://vulncheck.com/blog/2022-missing-kev-report}, language = {English}, urldate = {2023-03-13} } @online{baines:20230614:fake:9168f27, author = {Jacob Baines}, title = {{Fake Security Researcher GitHub Repositories Deliver Malicious Implant}}, date = {2023-06-14}, organization = {VulnCheck}, url = {https://vulncheck.com/blog/fake-repos-deliver-malicious-implant}, language = {English}, urldate = {2023-07-11} } @online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } @online{bajak:20201023:report:7bb3ff0, author = {Frank Bajak}, title = {{Report: Ransomware disables Georgia county election database}}, date = {2020-10-23}, organization = {AP News}, url = {https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c}, language = {English}, urldate = {2020-11-02} } @online{bajak:20210416:how:d6f8b5a, author = {Frank Bajak}, title = {{How the Kremlin provides a safe harbor for ransomware}}, date = {2021-04-16}, organization = {Associated Press}, url = {https://apnews.com/article/russia-safe-harbor-ransomeware-hacking-c9dab7eb3841be45dff2d93ed3102999}, language = {English}, urldate = {2021-04-19} } @online{bajak:20210416:sanctioned:84bffd0, author = {Frank Bajak and Matt O'Brien}, title = {{Sanctioned Russian IT firm was partner with Microsoft, IBM}}, date = {2021-04-16}, organization = {Associated Press}, url = {https://apnews.com/article/business-europe-hacking-russia-dd8c331ff30d366ea4f5d828e788c307}, language = {English}, urldate = {2021-04-19} } @online{bajo:20211027:github:7419051, author = {Marcos Bajo}, title = {{Github Repo for TripleCross}}, date = {2021-10-27}, organization = {Github (h3xduck)}, url = {https://github.com/h3xduck/TripleCross}, language = {English}, urldate = {2024-03-19} } @techreport{bakartepe:20230925:rhdamanthys:0be0c55, author = {Bilal BAKARTEPE and bixploit}, title = {{Rhdamanthys Technical Analysis Report}}, date = {2023-09-25}, institution = {EchoCTI}, url = {https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf}, language = {English}, urldate = {2024-03-19} } @techreport{bakartepe:20230925:stealc:5b08fe5, author = {Bilal BAKARTEPE and bixploit}, title = {{StealC Technical Analysis Report}}, date = {2023-09-25}, institution = {EchoCTI}, url = {https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/StealC/StealC_Technical_Analysis_Report.pdf}, language = {English}, urldate = {2024-03-18} } @techreport{bakartepe:20240228:raccoon:fa40510, author = {Bilal BAKARTEPE and bixploit}, title = {{Raccoon Stealer V2.0 Technical Analysis}}, date = {2024-02-28}, institution = {EchoCTI}, url = {https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/RaccoonStealer_V2.0/Raccon%20Stealer%20Technical%20Analysis%20Report.pdf}, language = {English}, urldate = {2024-03-19} } @techreport{bakartepe:20240326:agent:a49cfb8, author = {Bilal BAKARTEPE and bixploit}, title = {{Agent Tesla Technical Analysis Report}}, date = {2024-03-26}, institution = {EchoCTI}, url = {https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Agent%20Tesla/Agent%20Tesla%20Technical%20Analysis%20Report.pdf}, language = {English}, urldate = {2024-03-27} } @online{baker:20150318:feds:e9fe961, author = {Mike Baker}, title = {{Feds warned Premera about security flaws before breach}}, date = {2015-03-18}, organization = {Seattle Times}, url = {https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/}, language = {English}, urldate = {2020-01-10} } @online{baker:20150504:threat:726f1f2, author = {Ben Baker and Alex Chiu}, title = {{Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors}}, date = {2015-05-04}, organization = {Cisco Talos}, url = {http://blogs.cisco.com/security/talos/rombertik}, language = {English}, urldate = {2020-01-06} } @online{baker:20160428:research:999032f, author = {Ben Baker}, title = {{Research Spotlight: The Resurgence of Qbot}}, date = {2016-04-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html}, language = {English}, urldate = {2021-03-04} } @online{baker:20161207:floki:69ffd12, author = {Ben Baker and Edmund Brumaghin and Mariano Graziano and Jonas Zaddach}, title = {{Floki Bot Strikes, Talos and Flashpoint Respond}}, date = {2016-12-07}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/12/flokibot-collab.html#more}, language = {English}, urldate = {2020-01-09} } @online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } @online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } @online{bakuei:20210125:fake:eeac584, author = {Matsukawa Bakuei and Marshall Chen and Vladimir Kropotov and Loseway Lu and Fyodor Yarochkin}, title = {{Fake Office 365 Used for Phishing Attacks on C-Suite Targets}}, date = {2021-01-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/fake-office-365-used-for-phishing-attacks-on-c-suite-targets.html}, language = {English}, urldate = {2021-01-27} } @online{balaam:20211028:rooting:fbbe47f, author = {Kristina Balaam and Paul Shunk}, title = {{Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign}}, date = {2021-10-28}, organization = {Lookout}, url = {https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign}, language = {English}, urldate = {2021-11-03} } @online{balaam:20230719:lookout:102fb09, author = {Kristina Balaam and Justin Albrecht}, title = {{Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41}}, date = {2023-07-19}, organization = {Lookout}, url = {https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41}, language = {English}, urldate = {2023-09-04} } @online{balaam:20241211:lookout:b824bd5, author = {Kristina Balaam}, title = {{Lookout Discovers New Chinese Surveillance Tool Used by Public Security Bureaus}}, date = {2024-12-11}, organization = {Lookout}, url = {https://www.lookout.com/threat-intelligence/article/eaglemsgspy-chinese-android-surveillanceware}, language = {English}, urldate = {2024-12-13} } @online{balaganesh:20220624:icedid:2bb9d0d, author = {BalaGanesh}, title = {{IcedID Banking Trojan returns with new TTPS – Detection & Response}}, date = {2022-06-24}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-06-27} } @online{balaganesh:20220711:threat:3847e38, author = {BalaGanesh}, title = {{Threat Actors Delivers New Rozena backdoor with Follina Bug – Detection & Response}}, date = {2022-07-11}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/}, language = {English}, urldate = {2022-07-12} } @online{balaganesh:20220818:raccoon:3678767, author = {BalaGanesh}, title = {{Raccoon Infostealer Malware Returns with New TTPS – Detection & Response}}, date = {2022-08-18}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-08-28} } @online{balaganesh:20220829:remcos:6f6dbe5, author = {BalaGanesh}, title = {{Remcos RAT New TTPS - Detection & Response}}, date = {2022-08-29}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/}, language = {English}, urldate = {2022-09-06} } @online{balaji:20220705:qbot:75c3b14, author = {Priyadharshini Balaji}, title = {{QBot Spreads via LNK Files – Detection & Response}}, date = {2022-07-05}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/}, language = {English}, urldate = {2022-07-13} } @online{ballenthin:20200117:404:cc95f5f, author = {William Ballenthin and Josh Madeley}, title = {{404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor}}, date = {2020-01-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html}, language = {English}, urldate = {2020-01-17} } @online{baltazar:20230810:exploring:44f8ef6, author = {Jonell Baltazar and Antonio Ribeiro}, title = {{Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT}}, date = {2023-08-10}, organization = {Trellix}, url = {https://www.trellix.com/about/newsroom/stories/research/new-techniques-of-fake-browser-updates/}, language = {English}, urldate = {2023-11-14} } @online{bambenek:20160502:osint:54b6791, author = {John Bambenek}, title = {{OSINT Feed}}, date = {2016-05-02}, organization = {John Bambenek}, url = {http://osint.bambenekconsulting.com/feeds/}, language = {English}, urldate = {2020-01-06} } @online{bambenek:20190207:inside:2a18c89, author = {John Bambenek}, title = {{An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group}}, date = {2019-02-07}, organization = {ThreatStop}, url = {https://blog.threatstop.com/russian-apt-gamaredon-group}, language = {English}, urldate = {2020-01-06} } @online{banasiakmrozek:20210621:lolifox:7b82098, author = {Marzena Banasiak-Mrozek}, title = {{Lolifox – kto za nim stał i co się z nim stało?}}, date = {2021-06-21}, organization = {payload.pl}, url = {https://payload.pl/co-sie-stalo-z-lolifoxem/}, language = {Polish}, urldate = {2021-06-22} } @online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } @online{banker:20250523:shadow:e751752, author = {Shadow Banker}, title = {{Shadow Banker Makes Glorious Return, Interviews Guy Exposing Conti Command & Control}}, date = {2025-05-23}, organization = {Shadow Banker}, url = {https://www.shadowbanker.io/2025/05/shadow-banker-makes-glorious-return-interviews-guy-exposing-conti-command-control/}, language = {English}, urldate = {2025-06-04} } @online{banksecurity:20190601:new:3ddfbf1, author = {Bank_Security}, title = {{New ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@Bank_Security)}, url = {https://twitter.com/Bank_Security/status/1134850646413385728}, language = {English}, urldate = {2019-11-17} } @online{banksecurity:20210416:are:88ed36e, author = {Bank_Security}, title = {{Are the hackers all Russian? Results of a 1 year espionage operation in the Top-tier Russian underground communities}}, date = {2021-04-16}, organization = {Medium (Bank Security)}, url = {https://bank-security.medium.com/are-the-hackers-all-russian-363d09a6610}, language = {English}, urldate = {2021-04-19} } @online{bansal:20201216:list:aa0388d, author = {R. Bansal}, title = {{List of domain infrastructure including DGA domain used by UNC2452}}, date = {2020-12-16}, organization = {Twitter (@0xrb)}, url = {https://twitter.com/0xrb/status/1339199268146442241}, language = {English}, urldate = {2020-12-17} } @online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } @online{bao:20210809:cobalt:fc98da7, author = {Ladislav Bačo}, title = {{APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)}}, date = {2021-08-09}, organization = {IstroSec}, url = {https://www.istrosec.com/blog/apt-sk-cobalt/}, language = {English}, urldate = {2021-08-16} } @online{bar:20160502:prince:7769673, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-01-06} } @online{bar:20160502:prince:8b14d7f, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{bar:20160502:prince:cfd5940, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-04-06} } @online{bar:20160628:prince:b1d2cdd, author = {Tomer Bar and Lior Efraim and Simon Conant}, title = {{Prince of Persia – Game Over}}, date = {2016-06-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/}, language = {English}, urldate = {2019-10-28} } @online{bar:20170405:targeted:49e76a6, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-10} } @online{bar:20170405:targeted:feb4b54, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:db6038a, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:e7d5542, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2020-01-08} } @online{bar:20211124:new:3fc1309, author = {Tomer Bar}, title = {{New PowerShortShell Stealer Exploits Recent Microsoft MSHTML Vulnerability to Spy on Farsi Speakers}}, date = {2021-11-24}, organization = {safebreach}, url = {https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/}, language = {English}, urldate = {2021-11-29} } @online{bar:20220901:safebreach:590dc9f, author = {Tomer Bar}, title = {{SafeBreach Labs Researchers Uncover New Remote Access Trojan (RAT)}}, date = {2022-09-01}, organization = {safebreach}, url = {https://www.safebreach.com/resources/blog/remote-access-trojan-coderat}, language = {English}, urldate = {2022-09-16} } @online{barabosch:20200114:inside:2187ad3, author = {Thomas Barabosch}, title = {{Inside of CL0P’s ransomware operation}}, date = {2020-01-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824}, language = {English}, urldate = {2021-01-14} } @online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } @online{barabosch:20200203:dissecting:c1a6bca, author = {Thomas Barabosch}, title = {{Dissecting Emotet – Part 1}}, date = {2020-02-03}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612}, language = {English}, urldate = {2020-02-07} } @online{barabosch:20200306:dissecting:809bc54, author = {Thomas Barabosch}, title = {{Dissecting Emotet - Part 2}}, date = {2020-03-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128}, language = {English}, urldate = {2020-03-09} } @online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } @online{barabosch:20200514:lolsnif:c7a2736, author = {Thomas Barabosch}, title = {{LOLSnif – Tracking Another Ursnif-Based Targeted Campaign}}, date = {2020-05-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062}, language = {English}, urldate = {2020-05-14} } @online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } @online{barabosch:20201006:eager:54da318, author = {Thomas Barabosch}, title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}}, date = {2020-10-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546}, language = {English}, urldate = {2020-10-08} } @online{barabosch:20201217:smokeloader:937c780, author = {Thomas Barabosch}, title = {{Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs}}, date = {2020-12-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886}, language = {English}, urldate = {2020-12-18} } @online{barabosch:20201223:detect:bd873bc, author = {Thomas Barabosch}, title = {{Detect RC4 in (malicious) binaries}}, date = {2020-12-23}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries}, language = {English}, urldate = {2020-12-26} } @online{barabosch:20201228:never:f7e93aa, author = {Thomas Barabosch}, title = {{Never upload ransomware samples to the Internet}}, date = {2020-12-28}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/}, language = {English}, urldate = {2021-01-01} } @online{barabosch:20210108:malware:27c7ee2, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to aPLib decompression}}, date = {2021-01-08}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/}, language = {English}, urldate = {2021-01-11} } @online{barabosch:20210128:learn:8ffa412, author = {Thomas Barabosch}, title = {{Learn how to fix PE magic numbers with Malduck}}, date = {2021-01-28}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/fix-pe-magic-numbers-with-malduck/}, language = {English}, urldate = {2021-02-06} } @online{barabosch:20210517:lets:04a8b63, author = {Thomas Barabosch}, title = {{Let’s set ice on fire: Hunting and detecting IcedID infections}}, date = {2021-05-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240}, language = {English}, urldate = {2021-05-17} } @online{barabosch:20210914:flubots:a0b25c3, author = {Thomas Barabosch}, title = {{Flubot’s Smishing Campaigns under the Microscope}}, date = {2021-09-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368}, language = {English}, urldate = {2021-09-22} } @online{barak:20170712:operation:ba66745, author = {Israel Barak}, title = {{Operation Escalation: How click-fraud malware transforms into an advanced threat}}, date = {2017-07-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/how-click-fraud-commodity-malware-transforms-into-an-advanced-threat}, language = {English}, urldate = {2023-08-15} } @online{barak:20220712:chromeloader:8cd4c4b, author = {Nadav Barak}, title = {{ChromeLoader: New Stubborn Malware Campaign}}, date = {2022-07-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/chromeloader-malware/}, language = {English}, urldate = {2022-07-13} } @online{baranov:20120726:investigation:4b1ee14, author = {Artem Baranov}, title = {{Investigation an interesting kernel mode stealer}}, date = {2012-07-26}, organization = {Blog (Artem Baranov)}, url = {https://artemonsecurity.blogspot.com/2012/07/investigation-interesting-kernel-mode.html}, language = {English}, urldate = {2024-04-29} } @online{baranov:20121212:analysis:6e76df4, author = {Artem Baranov}, title = {{Analysis of VirTool:WinNT/Exforel.A rootkit}}, date = {2012-12-12}, url = {https://artemonsecurity.blogspot.com/2012/12/analysis-of-virtoolwinntexforela-rootkit.html}, language = {English}, urldate = {2020-09-25} } @online{baranov:20161003:remsec:3877dab, author = {Artem Baranov}, title = {{Remsec driver analysis}}, date = {2016-10-03}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161010:remsec:9ed5754, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 2}}, date = {2016-10-10}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161011:remsec:02eae63, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 3}}, date = {2016-10-11}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20170113:finfisher:436b89e, author = {Artem Baranov}, title = {{Finfisher rootkit analysis}}, date = {2017-01-13}, url = {https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html}, language = {English}, urldate = {2019-11-26} } @online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } @online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } @online{barbatei:20210601:threat:83b0dfc, author = {Alin Mihai Barbatei and Oana Asoltanei and Silviu Stahie}, title = {{Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android}}, date = {2021-06-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/}, language = {English}, urldate = {2021-06-09} } @online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } @online{barc:20180619:backswap:f0869a4, author = {Hubert Barc}, title = {{Backswap malware analysis}}, date = {2018-06-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/backswap-malware-analysis/}, language = {English}, urldate = {2019-12-10} } @online{barclay:20211109:capability:14dd962, author = {Michael Barclay}, title = {{Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications}}, date = {2021-11-09}, organization = {SpecterOps}, url = {https://posts.specterops.io/capability-abstraction-case-study-detecting-malicious-boot-configuration-modifications-1852e2098a65}, language = {English}, urldate = {2021-11-17} } @online{barda:20220124:scammers:df4feaf, author = {Dikla Barda and Romain Zaikin and Oded Vanunu}, title = {{Scammers are creating new fraudulent Crypto Tokens and misconfiguring smart contract’s to steal funds}}, date = {2022-01-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2022/scammers-are-creating-new-fraudulent-crypto-tokens-and-misconfiguring-smart-contracts-to-steal-funds/}, language = {English}, urldate = {2022-01-25} } @online{bareli:20210114:python:c95ebf6, author = {Shiran Bareli}, title = {{Python Cryptominer Botnet Quickly Adopts Latest Vulnerabilities}}, date = {2021-01-14}, organization = {Imperva}, url = {https://www.imperva.com/blog/python-cryptominer-botnet-quickly-adopts-latest-vulnerabilities/}, language = {English}, urldate = {2021-01-21} } @online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} } @online{barnea:20220210:fritzfrog:630a9b9, author = {Ben Barnea and Shiran Guez and Ophir Harpaz}, title = {{FritzFrog: P2P Botnet Hops Back on the Scene}}, date = {2022-02-10}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/fritzfrog-p2p}, language = {English}, urldate = {2022-02-14} } @online{barnea:20220413:critical:e87961f, author = {Ben Barnea and Ophir Harpaz}, title = {{Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime (CVE-2022-26809)}}, date = {2022-04-13}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime}, language = {English}, urldate = {2022-04-15} } @online{barnett:20201020:404:c398034, author = {James Barnett}, title = {{404 Keylogger Campaigns}}, date = {2020-10-20}, organization = {Infoblox}, url = {https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89}, language = {English}, urldate = {2021-02-24} } @online{barnett:20240530:redtail:56adac9, author = {Ryan Barnett and Stiv Kupchik and Maxim Zavodchik}, title = {{RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit}}, date = {2024-05-30}, organization = {Akamai}, url = {https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit}, language = {English}, urldate = {2024-08-01} } @online{barnhart:20220323:not:ca8438c, author = {Michael Barnhart and Michelle Cantos and Jeffery Johnson and Elias fox and Gary Freas and Dan Scott}, title = {{Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations}}, date = {2022-03-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mapping-dprk-groups-to-government}, language = {English}, urldate = {2022-03-25} } @online{barnhart:20231010:assessed:258e711, author = {Michael Barnhart and Austin Larsen and JEFF JOHNSON and Taylor Long and Michelle Cantos and Adrian Hernandez}, title = {{Assessed Cyber Structure and Alignments of North Korea in 2023}}, date = {2023-10-10}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023}, language = {English}, urldate = {2023-10-10} } @online{barracuda:20231224:barracuda:42534b1, author = {Barracuda}, title = {{Barracuda Email Security Gateway Appliance (ESG) Vulnerability}}, date = {2023-12-24}, organization = {Barracuda}, url = {https://www.barracuda.com/company/legal/esg-vulnerability}, language = {English}, urldate = {2024-01-02} } @online{barrett:20091029:twoheaded:0032db0, author = {Larry Barrett}, title = {{Two-Headed Trojan Targets Online Banks}}, date = {2009-10-29}, organization = {InternetNews}, url = {http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm}, language = {English}, urldate = {2020-01-08} } @online{barrett:20210425:vpn:79e7c48, author = {Brian Barrett}, title = {{VPN Hacks Are a Slow-Motion Disaster}}, date = {2021-04-25}, organization = {wire}, url = {https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/}, language = {English}, urldate = {2021-04-29} } @online{bartblaze:20141110:thoughts:d7d0d68, author = {BartBlaze}, title = {{Thoughts on Absolute Computrace}}, date = {2014-11-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html}, language = {English}, urldate = {2019-11-26} } @online{bartblaze:20150303:c99shell:a7f3a5b, author = {BartBlaze}, title = {{C99Shell not dead}}, date = {2015-03-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20150925:notes:79b37fe, author = {BartBlaze}, title = {{Notes on Linux/Xor.DDoS}}, date = {2015-09-25}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20160202:vipasana:cf5cdd6, author = {BartBlaze}, title = {{Vipasana ransomware new ransom on the block}}, date = {2016-02-02}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html}, language = {English}, urldate = {2020-09-15} } @online{bartblaze:20160726:otx:b95458e, author = {BartBlaze}, title = {{OTX Pulse on R980 ransomware}}, date = {2016-07-26}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } @online{bartblaze:20171203:notes:53a752f, author = {BartBlaze}, title = {{Notes on Linux/BillGates}}, date = {2017-12-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20180320:unlock92:863a267, author = {BartBlaze}, title = {{Tweet on Unlock92 Ransomware}}, date = {2018-03-20}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/976188821078462465}, language = {English}, urldate = {2020-01-07} } @online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } @online{bartblaze:20180415:this:1eaf3ba, author = {BartBlaze}, title = {{This is Spartacus: new ransomware on the block}}, date = {2018-04-15}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html}, language = {English}, urldate = {2020-01-22} } @online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } @online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } @online{bartblaze:20200913:cryakl:3d29bf0, author = {BartBlaze}, title = {{Tweet on Cryakl 2.0.0.0}}, date = {2020-09-13}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/1305197264332369920}, language = {English}, urldate = {2020-09-15} } @online{bartblaze:20210614:digital:f5d4313, author = {BartBlaze}, title = {{Digital artists targeted in RedLine infostealer campaign}}, date = {2021-06-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html}, language = {English}, urldate = {2021-06-16} } @techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } @online{bartholomew:20170202:kopiluwak:d5c0245, author = {Brian Bartholomew}, title = {{KopiLuwak: A New JavaScript Payload from Turla}}, date = {2017-02-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/}, language = {English}, urldate = {2019-12-20} } @online{bartholomew:20191105:dadjoke:81e2a63, author = {Brian Bartholomew}, title = {{DADJOKE}}, date = {2019-11-05}, url = {https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/}, language = {English}, urldate = {2020-01-07} } @online{bartholomew:20200103:nice:ddc5c57, author = {Brian Bartholomew}, title = {{Nice One, Dad: Dissecting A Rare Malware Used By Leviathan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=vx9IB88wXSE}, language = {English}, urldate = {2020-01-13} } @online{bary:20200115:analyzing:02aabc4, author = {Guy Bary}, title = {{Analyzing Magecart Malware – From Zero to Hero}}, date = {2020-01-15}, organization = {PerimeterX}, url = {https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/}, language = {English}, urldate = {2020-01-17} } @online{bash:20211014:countering:eef058c, author = {Ajax Bash and Google Threat Analysis Group}, title = {{Countering threats from Iran (APT35)}}, date = {2021-10-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/countering-threats-iran/}, language = {English}, urldate = {2021-10-25} } @online{bash:20220823:new:df2d83e, author = {Ajax Bash}, title = {{New Iranian APT data extraction tool}}, date = {2022-08-23}, organization = {Google}, url = {https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/}, language = {English}, urldate = {2022-08-25} } @online{bashir:20220211:netwalker:7459a58, author = {Sadia Bashir}, title = {{Netwalker: from Powershell reflective loader to injected dll}}, date = {2022-02-11}, organization = {Github (0x00-0x7f)}, url = {https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/}, language = {English}, urldate = {2022-02-18} } @online{bashir:20220327:case:80e7471, author = {Sadia Bashir}, title = {{A Case of Vidar Infostealer - Part 1 (Unpacking)}}, date = {2022-03-27}, organization = {Github (0x00-0x7f)}, url = {https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/}, language = {English}, urldate = {2023-10-10} } @online{bashir:20220518:case:986df17, author = {Sadia Bashir}, title = {{A Case of Vidar Infostealer - Part 2}}, date = {2022-05-18}, organization = {Github (0x00-0x7f)}, url = {https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-2/}, language = {English}, urldate = {2023-10-10} } @online{bashis:20170306:0day:e03d5c7, author = {bashis}, title = {{0-Day: Dahua backdoor Generation 2 and 3}}, date = {2017-03-06}, url = {http://seclists.org/fulldisclosure/2017/Mar/7}, language = {English}, urldate = {2019-12-18} } @online{baskin:20200603:medusa:8d92754, author = {Brian Baskin}, title = {{Medusa Locker Ransomware}}, date = {2020-06-03}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/}, language = {English}, urldate = {2020-06-04} } @online{baskin:20200708:tau:4b05a00, author = {Brian Baskin}, title = {{TAU Threat Discovery: Conti Ransomware}}, date = {2020-07-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/}, language = {English}, urldate = {2020-07-08} } @online{basnett:20210714:investigating:585e2a1, author = {Chris Basnett}, title = {{Investigating a Suspicious Service}}, date = {2021-07-14}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/}, language = {English}, urldate = {2021-07-20} } @online{bassat:20170807:new:d776333, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2}}, date = {2017-08-07}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found/}, language = {English}, urldate = {2019-12-17} } @online{bassat:20170913:new:376f00f, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2}}, date = {2017-09-13}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/}, language = {English}, urldate = {2019-12-24} } @online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } @techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} } @online{bataille:20191219:do:b3f74df, author = {Adrien Bataille and Anders Vejlby}, title = {{Do You Know What's On Your Exchange Server?}}, date = {2019-12-19}, organization = {Youtube (FireEye Inc.)}, url = {https://www.youtube.com/watch?v=vbS9YBVGD2Q}, language = {English}, urldate = {2025-04-28} } @online{bataille:20210901:too:5f62b52, author = {Adrien Bataille and Blaine Stancill}, title = {{Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth}}, date = {2021-09-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html}, language = {English}, urldate = {2021-09-02} } @online{bataille:20211214:azure:bb96515, author = {Adrien Bataille and Anders Vejlby and Jared Scott Wilson and Nader Zaveri}, title = {{Azure Run Command for Dummies}}, date = {2021-12-14}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/azure-run-command-dummies}, language = {English}, urldate = {2022-01-03} } @online{bateman:20221216:russias:0a9ec5b, author = {Jon Bateman}, title = {{Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications}}, date = {2022-12-16}, organization = {Carnegie Endowment for International Peace}, url = {https://carnegieendowment.org/2022/12/16/russia-s-wartime-cyber-operations-in-ukraine-military-impacts-influences-and-implications-pub-88657}, language = {English}, urldate = {2022-12-20} } @online{batista:20220524:emotet:cae57f1, author = {João Batista and Pedro Umbelino and BitSight}, title = {{Emotet Botnet Rises Again}}, date = {2022-05-24}, organization = {BitSight}, url = {https://www.bitsight.com/blog/emotet-botnet-rises-again}, language = {English}, urldate = {2022-05-25} } @online{batista:20220810:emotet:2248a42, author = {João Batista}, title = {{Emotet SMB Spreader is Back}}, date = {2022-08-10}, organization = {BitSight}, url = {https://www.bitsight.com/blog/emotet-smb-spreader-back}, language = {English}, urldate = {2022-08-11} } @online{batista:20220921:systembc:4aca73f, author = {João Batista}, title = {{SystemBC: The Multipurpose Proxy Bot Still Breathes}}, date = {2022-09-21}, organization = {BitSight}, url = {https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes}, language = {English}, urldate = {2022-09-22} } @online{batista:20221206:cova:a19beea, author = {João Batista}, title = {{Cova and Nosu: a new loader spreads a new stealer}}, date = {2022-12-06}, organization = {BitSight}, url = {https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer}, language = {English}, urldate = {2022-12-07} } @online{batista:20240617:latrodectus:39bfc76, author = {João Batista}, title = {{Latrodectus are you coming back}}, date = {2024-06-17}, organization = {BitSight}, url = {https://www.bitsight.com/blog/latrodectus-are-you-coming-back}, language = {English}, urldate = {2024-06-24} } @online{batra:20220404:detailed:eb43a08, author = {Anirudh Batra}, title = {{Detailed Analysis of LAPSUS$ Cybercriminal Group that has Compromised Nvidia, Microsoft, Okta, and Globant}}, date = {2022-04-04}, organization = {Cloudsek}, url = {https://cloudsek.com/profile-lapsus-cybercriminal-group/}, language = {English}, urldate = {2022-05-25} } @techreport{batra:20231031:phishing:00ca64c, author = {Anirudh Batra}, title = {{Phishing in the Oasis: Investigating the 2 year real estate data harvesting campaign targeting the Middle East}}, date = {2023-10-31}, institution = {Cloudsek}, url = {https://assets-global.website-files.com/635e632477408d12d1811a64/654079151b30065625766e3a_Phishing%20in%20the%20Oasis%20Defending%20Middle%20Eastern%20Real%20Estate.pdf}, language = {English}, urldate = {2023-11-13} } @online{batsec:20200811:defending:7710531, author = {batsec}, title = {{Defending Your Malware}}, date = {2020-08-11}, organization = {Dylan Codes Blog}, url = {https://blog.dylan.codes/defending-your-malware/}, language = {English}, urldate = {2020-08-12} } @online{battaile:20230210:bypassing:972141e, author = {Carly Battaile}, title = {{Bypassing MFA: A Forensic Look At Evilginx2 Phishing Kit}}, date = {2023-02-10}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/bypassing-mfa-a-forensic-look-at-evilginx2-phishing-kit/}, language = {English}, urldate = {2023-05-02} } @online{baughman:20211107:selling:2961086, author = {Maggie Baughman}, title = {{Selling China's Story}}, date = {2021-11-07}, organization = {ChinaTalk}, url = {https://shows.acast.com/g/episodes/selling-chinas-story2}, language = {English}, urldate = {2021-11-17} } @online{baumgartner:20141103:be2:ea8544a, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 custom plugins, router abuse, and target profiles}}, date = {2014-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20141208:penquin:afd9ae5, author = {Kurt Baumgartner and Costin Raiu}, title = {{The ‘Penquin’ Turla}}, date = {2014-12-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/67962/the-penquin-turla-2/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150217:be2:f7ce288, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 extraordinary plugins, Siemens targeting, dev fails}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150304:whos:0b8331c, author = {Kurt Baumgartner and Juan Andrés Guerrero-Saade}, title = {{Who’s Really Spreading through the Bright Star?}}, date = {2015-03-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-really-spreading-through-the-bright-star/68978/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150331:sinkholing:7a359b4, author = {Kurt Baumgartner and Costin Raiu}, title = {{Sinkholing Volatile Cedar DGA Infrastructure}}, date = {2015-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150514:naikon:9edea2f, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The Naikon APT}}, date = {2015-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69953/the-naikon-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{baumgartner:20150529:msnmm:3d6b500, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{THE MsnMM CAMPAIGNS: The Earliest Naikon APT Campaigns}}, date = {2015-05-29}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{baumgartner:201505:msnmm:13a9145, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The MsnMM Campaigns - The Earliest Naikon APTCampaigns}}, date = {2015-05}, institution = {Kaspersky Labs}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2019-07-11} } @online{baumgartner:20150617:spring:dc116aa, author = {Kurt Baumgartner}, title = {{The Spring Dragon APT}}, date = {2015-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70726/the-spring-dragon-apt/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161006:strongpity:898bc2b, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-06}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users}, language = {English}, urldate = {2020-01-09} } @online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } @online{baumgartner:20220809:andariel:89d6b24, author = {Kurt Baumgartner and Seongsu Park}, title = {{Andariel deploys DTrack and Maui ransomware}}, date = {2022-08-09}, organization = {Kaspersky}, url = {https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/}, language = {English}, urldate = {2022-08-11} } @online{baumgartner:20221006:diceyf:f69a639, author = {Kurt Baumgartner and Georgy Kucherin}, title = {{DiceyF deploys GamePlayerFramework (Video)}}, date = {2022-10-06}, organization = {YouTube ( BSides Budapest IT Security Conference)}, url = {https://www.youtube.com/watch?v=yVqALLtvkN8&t=8117s}, language = {English}, urldate = {2022-10-25} } @online{baumgartner:20221017:diceyf:8aa2bed, author = {Kurt Baumgartner and Georgy Kucherin}, title = {{DiceyF deploys GamePlayerFramework in online casino development studio}}, date = {2022-10-17}, organization = {Kaspersky}, url = {https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/}, language = {English}, urldate = {2022-10-25} } @online{baumgartner:20230810:focus:2b93571, author = {Kurt Baumgartner}, title = {{Focus on DroxiDat/SystemBC}}, date = {2023-08-10}, organization = {Kaspersky}, url = {https://securelist.com/focus-on-droxidat-systembc/110302/}, language = {English}, urldate = {2023-08-11} } @online{bautista:20190110:pylocky:92bf2fc, author = {Mike Bautista}, title = {{Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor}}, date = {2019-01-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html}, language = {English}, urldate = {2019-10-15} } @online{bautista:20220526:grandoreiro:6f399f8, author = {Bernard Bautista}, title = {{Grandoreiro Banking Malware Resurfaces for Tax Season}}, date = {2022-05-26}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season}, language = {English}, urldate = {2022-08-17} } @online{baylor:20210512:darkside:f63c2c2, author = {Ramarcus Baylor}, title = {{DarkSide Ransomware Gang: An Overview}}, date = {2021-05-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/darkside-ransomware/}, language = {English}, urldate = {2021-05-13} } @online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } @online{bazally:20161227:pegasus:9fd5170, author = {Max Bazally}, title = {{Pegasus internals: Technical Teardown of the Pegasus malware and Trident exploit chain}}, date = {2016-12-27}, organization = {CCC}, url = {https://media.ccc.de/v/33c3-7901-pegasus_internals}, language = {English}, urldate = {2020-01-08} } @techreport{beauchampmustafaga:20210621:deciphering:997606b, author = {Nathan Beauchamp-Mustafaga and Derek Grossman and Kristen Gunness and Michael S. Chase and Marigold Black and Natalia D. Simmons-Thomas}, title = {{Deciphering Chinese Deterrence Signalling in the New Era An Analytic Framework and Seven Case Studies}}, date = {2021-06-21}, institution = {RAND Corporation}, url = {https://www.rand.org/content/dam/rand/pubs/research_reports/RRA1000/RR-A1074-1/RAND_RRA1074-1.pdf}, language = {English}, urldate = {2021-07-24} } @online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} } @online{beaumont:20201016:second:197ec38, author = {Kevin Beaumont}, title = {{Second Zerologon attacker seen exploiting internet honeypot}}, date = {2020-10-16}, organization = {Medium Doublepulsar}, url = {https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef}, language = {English}, urldate = {2020-10-23} } @online{beaumont:20201219:twitter:7b4cb8f, author = {Kevin Beaumont}, title = {{A twitter thread on Azure sentinel hunting queries for detecting UNC2452 activity}}, date = {2020-12-19}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1340035657838850048}, language = {English}, urldate = {2020-12-19} } @online{beaumont:20210627:babuk:a031da5, author = {Kevin Beaumont}, title = {{Tweet on babuk ransomware builder}}, date = {2021-06-27}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1409117153182224386}, language = {English}, urldate = {2021-07-01} } @online{beaumont:20210703:kaseya:8013669, author = {Kevin Beaumont}, title = {{Kaseya supply chain attack delivers mass ransomware event to US companies}}, date = {2021-07-03}, organization = {Medium Doublepulsar}, url = {https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b}, language = {English}, urldate = {2021-07-24} } @online{beaumont:20210916:some:550bbaa, author = {Kevin Beaumont}, title = {{Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell}}, date = {2021-09-16}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1438500100238577670}, language = {English}, urldate = {2021-09-20} } @online{beaumont:20220507:bpfdoor:9d41f91, author = {Kevin Beaumont}, title = {{BPFDoor — an active Chinese global surveillance tool}}, date = {2022-05-07}, organization = {DoublePulsar}, url = {https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896}, language = {English}, urldate = {2022-05-09} } @online{becker:20240820:fog:3ef12f4, author = {Sarah Becker and Marc Messer and Dan Cox}, title = {{FOG Ransomware Targets Higher Education}}, date = {2024-08-20}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/fog-ransomware-targets-higher-education}, language = {English}, urldate = {2025-05-02} } @online{beckers:20210419:how:60ec572, author = {Jeroen Beckers}, title = {{How to analyze mobile malware: a Cabassous/FluBot Case study}}, date = {2021-04-19}, organization = {nviso}, url = {https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/}, language = {English}, urldate = {2021-04-28} } @online{beckers:20210511:android:4e1e946, author = {Jeroen Beckers}, title = {{Android overlay attacks on Belgian financial applications}}, date = {2021-05-11}, organization = {nviso}, url = {https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/}, language = {English}, urldate = {2021-05-13} } @online{beckman:20171208:gratefulpos:0ba1053, author = {Kent Beckman}, title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}}, date = {2017-12-08}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season}, language = {English}, urldate = {2020-01-08} } @online{beek:20200212:csi:4308ee0, author = {Christiaan Beek}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I}}, date = {2020-02-12}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/}, language = {English}, urldate = {2021-05-13} } @online{beek:20200220:csi:8525a7b, author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}}, date = {2020-02-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/}, language = {English}, urldate = {2021-05-13} } @online{beek:20201105:operation:ca0ac54, author = {Christiaan Beek and Ryan Sherstobitoff}, title = {{Operation North Star: Behind The Scenes}}, date = {2020-11-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/}, language = {English}, urldate = {2023-07-31} } @online{beek:20201217:additional:cd38b54, author = {Christiaan Beek and Cedric Cochin and Raj Samani}, title = {{Additional Analysis into the SUNBURST Backdoor}}, date = {2020-12-17}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/}, language = {English}, urldate = {2020-12-18} } @online{beek:20210116:vhd:12336a8, author = {Christiaan Beek}, title = {{VHD Forensics — the sequel}}, date = {2021-01-16}, organization = {Medium christiaanbeek}, url = {https://christiaanbeek.medium.com/vhd-forensics-the-sequel-9fc39460bc1b}, language = {English}, urldate = {2021-02-20} } @online{beek:20210629:demo:2cbd075, author = {Christiaan Beek}, title = {{Demo of REvil/Sodinokibi Linux variant encrypting a Linux system}}, date = {2021-06-29}, organization = {YouTube (C. Beek)}, url = {https://www.youtube.com/watch?v=ptbNMlWxYnE}, language = {English}, urldate = {2021-06-29} } @online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } @online{beek:20220120:return:a89bce6, author = {Christiaan Beek and Max Kersten and Raj Samani}, title = {{Return of Pseudo Ransomware}}, date = {2022-01-20}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html}, language = {English}, urldate = {2022-01-24} } @online{beek:20220217:looking:0149198, author = {Christiaan Beek and Marc Elias}, title = {{Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes}}, date = {2022-02-17}, organization = {Trellix}, url = {https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html}, language = {English}, urldate = {2022-03-01} } @online{beek:20220503:hermit:70ec592, author = {Christiaan Beek}, title = {{The Hermit Kingdom’s Ransomware play}}, date = {2022-05-03}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html}, language = {English}, urldate = {2022-05-04} } @online{beek:20220623:sound:31e77bd, author = {Christiaan Beek}, title = {{The Sound of Malware}}, date = {2022-06-23}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html}, language = {English}, urldate = {2022-06-27} } @online{beer:20190829:implant:f25a696, author = {Ian Beer and Project Zero}, title = {{Implant Teardown}}, date = {2019-08-29}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html}, language = {English}, urldate = {2020-01-06} } @online{beer:20201215:deep:b14a3bc, author = {Ian Beer and Samuel Groß}, title = {{A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution}}, date = {2020-12-15}, organization = {Google Project Zero}, url = {https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html}, language = {English}, urldate = {2022-01-24} } @online{beer:20220623:curious:9aadd47, author = {Ian Beer and Google Project Zero}, title = {{The curious tale of a fake Carrier.app}}, date = {2022-06-23}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html}, language = {English}, urldate = {2022-07-01} } @online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } @online{beery:20210125:ungilded:97355a8, author = {Tal Be'ery}, title = {{Ungilded Secrets: A New Paradigm for Key Security}}, date = {2021-01-25}, organization = {ZenGo}, url = {https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/}, language = {English}, urldate = {2021-01-26} } @online{behling:20220920:threat:099a73a, author = {Dana Behling}, title = {{Threat Report: Illuminating Volume Shadow Deletion}}, date = {2022-09-20}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html}, language = {English}, urldate = {2022-09-26} } @online{behling:20220920:threat:8e95f5a, author = {Dana Behling}, title = {{Threat Research: New Method of Volume Shadow Backup Deletion Seen in Recent Ransomware}}, date = {2022-09-20}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/09/threat-research-new-method-of-volume-shadow-backup-deletion-seen-in-recent-ransomware.html}, language = {English}, urldate = {2022-09-26} } @online{behling:20221015:lockbit:b6ba83c, author = {Dana Behling}, title = {{LockBit 3.0 Ransomware Unlocked}}, date = {2022-10-15}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html}, language = {English}, urldate = {2022-10-24} } @online{behm:20241010:uncovering:6706a5b, author = {Steve Behm}, title = {{Uncovering Domains Created by Octo2’s Domain Generation Algorithm}}, date = {2024-10-10}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/uncovering-octo2-domains/}, language = {English}, urldate = {2024-10-14} } @online{bekerman:20170329:new:e4007ca, author = {Dima Bekerman}, title = {{New Mirai Variant Launches 54 Hour DDoS Attack against US College}}, date = {2017-03-29}, organization = {Imperva}, url = {https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html}, language = {English}, urldate = {2020-01-05} } @online{bell:20220517:peek:fea1eeb, author = {Alex Bell and Colson Wilhoit and Jake King and Rhys Rustad-Elliott}, title = {{A peek behind the BPFDoor}}, date = {2022-05-17}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor}, language = {English}, urldate = {2025-01-29} } @online{belousov:20220527:how:d00c942, author = {Anton Belousov and Aleksey Vishnyakov}, title = {{How bootkits are implemented in modern firmware and how UEFI differs from Legacy BIOS}}, date = {2022-05-27}, organization = {PTSecurity}, url = {https://habr.com/ru/amp/post/668154/}, language = {Russian}, urldate = {2022-05-29} } @online{beltran:20230113:grandoreiro:751868d, author = {Leonardo Beltran and Diana Tadeo}, title = {{Grandoreiro banking malware: deciphering the DGA}}, date = {2023-01-13}, organization = {Metabase Q}, url = {https://www.metabaseq.com/grandoreiro-banking-malware-deciphering-the-dga/}, language = {English}, urldate = {2023-08-30} } @online{ben:20220217:log4j2:aa3e992, author = {Amitai Ben and Shushan Ehrlich}, title = {{Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon}}, date = {2022-02-17}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/}, language = {English}, urldate = {2022-02-19} } @online{bencherchali:20210124:common:0efc28c, author = {Nasreddine Bencherchali}, title = {{Common Tools & Techniques Used By Threat Actors and Malware — Part I}}, date = {2021-01-24}, organization = {Medium nasbench}, url = {https://nasbench.medium.com/common-tools-techniques-used-by-threat-actors-and-malware-part-i-deb05b664879}, language = {English}, urldate = {2021-01-25} } @online{bencherchali:20210220:finding:01aa9bf, author = {Nasreddine Bencherchali}, title = {{Finding Forensic Goodness In Obscure Windows Event Logs}}, date = {2021-02-20}, organization = {Medium (Nasreddine Bencherchali)}, url = {https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3}, language = {English}, urldate = {2021-03-19} } @online{bencsath:20170103:technical:1c2e81e, author = {Boldizsar Bencsath}, title = {{Technical details on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-01-03}, organization = {CrySyS Lab}, url = {http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2020-01-09} } @online{bencsath:20170302:update:0e03ee6, author = {Boldizsar Bencsath}, title = {{Update on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-03-02}, organization = {Laboratory of Cryptography and System Security}, url = {http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2019-10-13} } @techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } @online{bene:20210624:crackonosh:ce54a93, author = {Daniel Beneš}, title = {{Crackonosh: A New Malware Distributed in Cracked Software}}, date = {2021-06-24}, organization = {Avast}, url = {https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/}, language = {English}, urldate = {2021-06-29} } @online{bene:20220421:warez:b31715c, author = {Daniel Beneš}, title = {{Warez users fell for Certishell}}, date = {2022-04-21}, organization = {Avast Decoded}, url = {https://decoded.avast.io/danielbenes/warez-users-fell-for-certishell/}, language = {English}, urldate = {2022-04-29} } @online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } @online{benincasa:20250219:pangu:aa2a268, author = {Eugenio Benincasa}, title = {{The Pangu Team—iOS Jailbreak and Vulnerability Research Giant: A Member of i-SOON’s Exploit-Sharing Network}}, date = {2025-02-19}, organization = {Natto Thoughts}, url = {https://nattothoughts.substack.com/p/the-pangu-teamios-jailbreak-and-vulnerability}, language = {English}, urldate = {2025-02-20} } @online{benkow:20140820:command:ec27583, author = {Benkow}, title = {{Command Line Confusion}}, date = {2014-08-20}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/}, language = {English}, urldate = {2020-01-07} } @online{bennett:20130213:number:c947ab9, author = {James T. Bennett}, title = {{The Number of the Beast}}, date = {2013-02-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20130228:its:1534b7e, author = {James T. Bennett}, title = {{It's a Kind of Magic}}, date = {2013-02-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20190425:carbanak:be237af, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Four: The CARBANAK Desktop Video Player}}, date = {2019-04-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20201201:using:d19f4ce, author = {James T. Bennett}, title = {{Using Speakeasy Emulation Framework Programmatically to Unpack Malware}}, date = {2020-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/using-speakeasy-emulation-framework-programmatically-to-unpack-malware.html}, language = {English}, urldate = {2020-12-15} } @online{bennett:20210608:ual:12fb9fb, author = {Patrick Bennett}, title = {{UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations}}, date = {2021-06-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/user-access-logging-ual-overview/}, language = {English}, urldate = {2021-06-09} } @online{bennett:20220623:call:13d0e4e, author = {Patrick Bennett}, title = {{The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance (CVE-2022-29499)}}, date = {2022-06-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/}, language = {English}, urldate = {2023-08-01} } @online{benyo:20230223:evasive:71d600c, author = {Matt Benyo and Ferdous Saljooki and Jaron Bradley}, title = {{Evasive cryptojacking malware targeting macOS found lurking in pirated applications}}, date = {2023-02-23}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/cryptojacking-macos-malware-discovered-by-jamf-threat-labs/}, language = {English}, urldate = {2023-02-27} } @techreport{berady:20210204:from:6570db5, author = {Aimad Berady and Mathieu Jaume and Valérie Viet Triem Tong and Gilles Guette}, title = {{From TTP to IoC: Advanced Persistent Graphs forThreat Hunting}}, date = {2021-02-04}, institution = {HAL}, url = {https://hal.inria.fr/hal-03131262/file/Final%20version%20TNSM%20-%20From%20TTP%20to%20IoC%20-%20Advanced%20Persistent%20Graphs%20for%20Threat%20Hunting.pdf}, language = {English}, urldate = {2021-02-20} } @online{berchem:20170810:weltweite:5df6bfa, author = {Tom Berchem}, title = {{Weltweite Spamwelle verbreitet teuflische Variante des Locky}}, date = {2017-08-10}, organization = {botfrei Blog}, url = {https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/}, language = {German}, urldate = {2019-12-10} } @online{berdan:20211216:pegasus:c1c06eb, author = {Kristin Berdan and John Scott-Railton and Bill Marczak and Noura Al-Jizawi and Bahr Abdul Razzak and Ron Deibert and Siena Anstis}, title = {{Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware}}, date = {2021-12-16}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/}, language = {English}, urldate = {2022-01-24} } @online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } @online{berdnikov:20170925:simple:fced582, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636}, language = {English}, urldate = {2022-08-26} } @techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } @online{berdnikov:20190313:fourth:98b1131, author = {Vasily Berdnikov and Boris Larin}, title = {{The fourth horseman: CVE-2019-0797 vulnerability}}, date = {2019-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/}, language = {English}, urldate = {2019-12-20} } @online{berdnikov:20241219:lazarus:f6b92f0, author = {Vasily Berdnikov and Sojun Ryu}, title = {{Lazarus group evolves its infection chain with old and new malware}}, date = {2024-12-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-new-malware/115059/}, language = {English}, urldate = {2025-01-15} } @online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = {https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } @online{berger:20220508:twitter:64d3ed7, author = {Stephan Berger}, title = {{Twitter Thread on popularity and detection of r77}}, date = {2022-05-08}, organization = {Twitter (@malmoeb)}, url = {https://twitter.com/malmoeb/status/1523179260273254407}, language = {English}, urldate = {2023-04-28} } @online{berger:20240115:hunting:6b8d2f6, author = {Stephan Berger}, title = {{Hunting AsyncRAT & QuasarRAT}}, date = {2024-01-15}, organization = {DFIR.ch}, url = {https://dfir.ch/posts/asyncrat_quasarrat/}, language = {English}, urldate = {2024-10-17} } @online{berger:20240414:sysrv:a25f00d, author = {Stephan Berger}, title = {{Sysrv Infection (Linux Edition)}}, date = {2024-04-14}, organization = {DFIR.ch}, url = {https://dfir.ch/posts/sysrv/}, language = {English}, urldate = {2024-10-17} } @online{berger:20240822:botnet:11fdbe0, author = {Stephan Berger}, title = {{Botnet Fenix}}, date = {2024-08-22}, organization = {DFIR.ch}, url = {https://dfir.ch/posts/botnex_fenix/}, language = {English}, urldate = {2024-10-17} } @online{berger:20241110:reptiles:0c568a1, author = {Stephan Berger}, title = {{Reptile's Custom Kernel-Module Launcher}}, date = {2024-11-10}, organization = {DFIR.ch}, url = {https://dfir.ch/posts/reptile_launcher/}, language = {English}, urldate = {2024-11-12} } @online{bergin:20160520:special:46b3cc4, author = {Tom Bergin and Nathan Layne}, title = {{Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network}}, date = {2016-05-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD}, language = {English}, urldate = {2019-12-17} } @online{berlaere:20220726:mandiant:c1c4498, author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden}, title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}}, date = {2022-07-26}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics}, language = {English}, urldate = {2023-01-19} } @online{bermejo:20170622:following:7126b3b, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/}, language = {English}, urldate = {2019-12-24} } @online{bermejo:20170622:trail:ba78447, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{The Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html}, language = {English}, urldate = {2021-01-29} } @techreport{bermejo:201706:following:61e6dae, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf}, language = {English}, urldate = {2020-01-07} } @online{bermejo:20170717:android:593475f, author = {Lenart Bermejo and Jordan Pan and Cedric Pernet}, title = {{Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More}}, date = {2017-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/}, language = {English}, urldate = {2020-01-13} } @online{bermejo:20170807:backdoorcarrying:317ebe3, author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin}, title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}}, date = {2017-08-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/}, language = {English}, urldate = {2020-01-09} } @online{bermejo:20181120:lazarus:1d8d3b3, author = {Lenart Bermejo and Joelson Soares}, title = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}}, date = {2018-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } @techreport{bermejo:20201215:finding:f68f005, author = {Lenart Bermejo and Gilbert Sison and Buddy Tancio}, title = {{Finding APTX: Attacks via MITRE TTPs}}, date = {2020-12-15}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf}, language = {English}, urldate = {2020-12-17} } @online{bermejo:20240924:earth:dc068f4, author = {Lenart Bermejo and Sunny Lu and Ted Lee}, title = {{Earth Preta Evolves its Attacks with New Malware and Strategies}}, date = {2024-09-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/24/i/earth-preta-new-malware-and-strategies.html}, language = {English}, urldate = {2024-10-25} } @online{bermejo:20250331:espionage:9c89f41, author = {Lenart Bermejo and Ted Lee and Theo Chen}, title = {{The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques}}, date = {2025-03-31}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html}, language = {English}, urldate = {2025-04-11} } @online{bernardo:20210816:lockbit:d709d4c, author = {Jett Paulo Bernardo and Jayson Chong and Nikki Madayag and Mark Marti and Cris Tomboc and Sean Torre and Byron Gelera}, title = {{LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK}}, date = {2021-08-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html}, language = {English}, urldate = {2021-08-23} } @online{berninger:20200528:masked:44cad71, author = {Matthew Berninger}, title = {{The Masked SYNger: Investigating a Traffic Phenomenon}}, date = {2020-05-28}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2020/05/28/the-masked-synger-investigating-a-traffic-phenomenon/}, language = {English}, urldate = {2020-05-29} } @online{berninger:20210216:hard:55e809e, author = {Alexandrea Berninger}, title = {{Hard lessons learned: Threat intel takeaways from the community response to Solarigate}}, date = {2021-02-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate}, language = {English}, urldate = {2021-02-20} } @online{bernsen:20240229:same:8bb5888, author = {Winnona Bernsen}, title = {{Same Same, but Different}}, date = {2024-02-29}, organization = {Margin Research}, url = {https://margin.re/2024/02/same-same-but-different/}, language = {English}, urldate = {2024-03-04} } @online{bernstein:20210430:qbot:104bad4, author = {Odin Bernstein}, title = {{Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server}}, date = {2021-04-30}, organization = {MADRID Labs}, url = {https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/}, language = {English}, urldate = {2021-05-08} } @techreport{berre:20180209:hey:8be9a1c, author = {Stéfan Le Berre}, title = {{Hey Uroburos! What's up ?}}, date = {2018-02-09}, institution = {ExaTrack}, url = {https://exatrack.com/public/Uroburos_EN.pdf}, language = {English}, urldate = {2022-05-25} } @online{best:20150912:stuxnet:c9b43da, author = {Emma Best}, title = {{Stuxnet code}}, date = {2015-09-12}, organization = {Archive-org}, url = {https://archive.org/details/Stuxnet}, language = {English}, urldate = {2020-01-09} } @online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } @online{bestuzhev:20231110:bibi:0f5740c, author = {Dmitry Bestuzhev}, title = {{BiBi Wiper Used in the Israel-Hamas War Now Runs on Windows}}, date = {2023-11-10}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2023/11/bibi-wiper-used-in-the-israel-hamas-war-now-runs-on-windows}, language = {English}, urldate = {2024-12-16} } @online{beukema:20200622:hijacking:b46d971, author = {Wietze Beukema}, title = {{Hijacking DLLs in Windows}}, date = {2020-06-22}, organization = {wietzebeukema.nl}, url = {https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows}, language = {English}, urldate = {2020-06-24} } @online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } @online{bevis:202103:unseen:b20b5bf, author = {Jason Bevis}, title = {{The Unseen One: Hades Ransomware Gang or Hafnium}}, date = {2021-03}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/}, language = {English}, urldate = {2021-03-31} } @online{bezverkhyi:20220321:vermin:ff92a22, author = {Andrii Bezverkhyi}, title = {{Vermin (UAC-0020) Hacking Collective Hits Ukrainian Government and Military with SPECTR Malware}}, date = {2022-03-21}, organization = {SOC Prime}, url = {https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/}, language = {English}, urldate = {2024-12-11} } @online{bezvershenko:20210927:bloodystealer:5944099, author = {Leonid Bezvershenko and Marc Rivero López and Dmitry Galov}, title = {{BloodyStealer and gaming assets for sale}}, date = {2021-09-27}, organization = {Kaspersky}, url = {https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/}, language = {English}, urldate = {2021-10-05} } @online{bezvershenko:20220816:two:89002d5, author = {Leonid Bezvershenko and Igor Kuznetsov}, title = {{Two more malicious Python packages in the PyPI}}, date = {2022-08-16}, organization = {Kaspersky}, url = {https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/}, language = {English}, urldate = {2022-08-28} } @online{bezvershenko:20230321:bad:054dcba, author = {Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov}, title = {{Bad magic: new APT found in the area of Russo-Ukrainian conflict}}, date = {2023-03-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-magic-apt/109087/?s=31}, language = {English}, urldate = {2023-03-21} } @online{bezvershenko:20230321:bad:5749404, author = {Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov}, title = {{Bad magic: new APT found in the area of Russo-Ukrainian conflict}}, date = {2023-03-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-magic-apt/109087/}, language = {English}, urldate = {2023-12-04} } @online{bezvershenko:20230519:cloudwizard:7ad05b6, author = {Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov}, title = {{CloudWizard APT: the bad magic story goes on}}, date = {2023-05-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloudwizard-apt/109722/}, language = {English}, urldate = {2023-06-01} } @online{bezvershenko:20231026:how:8136ca0, author = {Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov and Boris Larin and Valentin Pashkov}, title = {{How to catch a wild triangle}}, date = {2023-10-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-triangulation-catching-wild-triangle/110916/}, language = {English}, urldate = {2024-02-08} } @online{bghjmun:20230426:rokrat:e241546, author = {bghjmun}, title = {{RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)}}, date = {2023-04-26}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/51751/}, language = {English}, urldate = {2023-04-26} } @online{bhaaskaran:20220610:new:d2fb70b, author = {Vignesh Bhaaskaran}, title = {{New SVCReady malware loads from Word doc properties – Detection & Response}}, date = {2022-06-10}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/}, language = {English}, urldate = {2022-06-10} } @online{bharti:20220914:postexploitation:3baee2f, author = {Sunil Bharti}, title = {{A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities}}, date = {2022-09-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html}, language = {English}, urldate = {2022-09-16} } @online{bharti:20230516:8220:130d18b, author = {Sunil Bharti}, title = {{8220 Gang Evolves With New Strategies}}, date = {2023-05-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html}, language = {English}, urldate = {2024-09-04} } @online{bharti:20240530:decoding:c1e88eb, author = {Sunil Bharti}, title = {{Decoding Water Sigbin's Latest Obfuscation Tricks}}, date = {2024-05-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html}, language = {English}, urldate = {2024-09-04} } @online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } @online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } @online{bhat:20180906:dissecting:8c82fb5, author = {Raashid Bhat}, title = {{Dissecting DEloader malware with obfuscation}}, date = {2018-09-06}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware}, language = {English}, urldate = {2020-01-06} } @online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} } @online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } @online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } @online{bhat:20200311:emotet:c178008, author = {Raashid Bhat}, title = {{Tweet on Emotet Deobfuscation with Video}}, date = {2020-03-11}, organization = {Twitter (@raashidbhatt)}, url = {https://twitter.com/raashidbhatt/status/1237853549200936960}, language = {English}, urldate = {2020-03-13} } @online{bhat:20200331:emotet:50264e0, author = {Raashid Bhat}, title = {{Emotet Binary Deobfuscation | Coconut Paradise | Episode 1}}, date = {2020-03-31}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=_mGMJFNJWSk}, language = {English}, urldate = {2020-04-23} } @online{bhat:20200422:flattenthecurve:0bdf5a3, author = {Raashid Bhat}, title = {{FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2}}, date = {2020-04-22}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=8PHCZdpNKrw}, language = {English}, urldate = {2020-04-23} } @online{bhat:20221012:dissecting:b1921fe, author = {Raashid Bhat}, title = {{Dissecting the new shellcode-based variant of GuLoader (CloudEyE)}}, date = {2022-10-12}, organization = {Spamhaus}, url = {https://www.spamhaus.com/resource-center/dissecting-the-new-shellcode-based-variant-of-guloader-cloudeye/}, language = {English}, urldate = {2022-10-14} } @online{bhat:20230406:neutralizing:c151309, author = {Raashid Bhat}, title = {{Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch}}, date = {2023-04-06}, organization = {Spamhaus}, url = {https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/}, language = {English}, urldate = {2023-04-14} } @online{bhat:20230406:neutralizing:fb399f6, author = {Raashid Bhat}, title = {{Neutralizing Tofsee Spambot – Part 2 | InMemoryConfig store vaccine}}, date = {2023-04-06}, organization = {Spamhaus}, url = {https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/}, language = {English}, urldate = {2023-04-08} } @online{bhat:20230406:neutralizing:fe6fd3b, author = {Raashid Bhat}, title = {{Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine}}, date = {2023-04-06}, organization = {Spamhaus}, url = {https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/}, language = {English}, urldate = {2023-04-08} } @online{biaczak:20200901:characterizing:422e6a1, author = {Piotr Białczak and Wojciech Mazurczyk}, title = {{Characterizing Anomalies in Malware-Generated HTTP Traffic}}, date = {2020-09-01}, url = {https://www.hindawi.com/journals/scn/2020/8848863/}, language = {English}, urldate = {2020-09-03} } @online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } @online{biasini:20180509:gandcrab:50296a6, author = {Nick Biasini and Nick Lister and Christopher Marczewski}, title = {{Gandcrab Ransomware Walks its Way onto Compromised Sites}}, date = {2018-05-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html}, language = {English}, urldate = {2019-10-21} } @online{biasini:20190220:combing:bdc059c, author = {Nick Biasini and Edmund Brumaghin and Matthew Molyett}, title = {{Combing Through Brushaloader Amid Massive Detection Uptick}}, date = {2019-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html}, language = {English}, urldate = {2019-11-29} } @online{biasini:20190320:ransomware:cda21f8, author = {Nick Biasini}, title = {{Ransomware or Wiper? LockerGoga Straddles the Line}}, date = {2019-03-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/lockergoga/}, language = {English}, urldate = {2023-04-27} } @online{biasini:20190425:jasperloader:ebe50ca, author = {Nick Biasini and Edmund Brumaghin and Andrew Williams}, title = {{JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan}}, date = {2019-04-25}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html}, language = {English}, urldate = {2020-01-09} } @online{biasini:20190523:sorpresa:e7cbd9d, author = {Nick Biasini and Edmund Brumaghin}, title = {{Sorpresa! JasperLoader targets Italy with a new bag of tricks}}, date = {2019-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html}, language = {English}, urldate = {2020-01-06} } @online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } @online{biasini:20200511:astaroth:f325070, author = {Nick Biasini and Edmund Brumaghin and Nick Lister}, title = {{Astaroth - Maze of obfuscation and evasion reveals dark stealer}}, date = {2020-05-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/05/astaroth-analysis.html}, language = {English}, urldate = {2020-05-11} } @online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } @online{biasini:20201118:back:178d20d, author = {Nick Biasini and Edmund Brumaghin and Jaeson Schultz}, title = {{Back from vacation: Analyzing Emotet’s activity in 2020}}, date = {2020-11-18}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/11/emotet-2020.html}, language = {English}, urldate = {2020-11-19} } @online{biasini:20201214:threat:63acc35, author = {Nick Biasini}, title = {{Threat Advisory: SolarWinds supply chain attack}}, date = {2020-12-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more}, language = {English}, urldate = {2020-12-19} } @online{biasini:20210407:sowing:2bf94a9, author = {Nick Biasini and Edmund Brumaghin and Chris Neal and Paul Eubanks.}, title = {{Sowing Discord: Reaping the benefits of collaboration app abuse}}, date = {2021-04-07}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/04/collab-app-abuse.html}, language = {English}, urldate = {2021-04-19} } @online{biasini:20210622:attackers:ba60e36, author = {Nick Biasini}, title = {{Attackers in Executive Clothing - BEC continues to separate orgs from their money}}, date = {2021-06-22}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/06/business-email-compromise.html}, language = {English}, urldate = {2021-06-24} } @online{biasini:20220121:ukraine:e0da072, author = {Nick Biasini and Michael Chen and Chris Neal and Matt Olney and Dmytro Korzhevin}, title = {{Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation}}, date = {2022-01-21}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html}, language = {English}, urldate = {2022-01-25} } @online{biasini:20220713:transparent:b83f9dd, author = {Nick Biasini}, title = {{Transparent Tribe begins targeting education sector in latest campaign}}, date = {2022-07-13}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html}, language = {English}, urldate = {2022-07-15} } @online{biasini:20220810:cisco:81eec81, author = {Nick Biasini}, title = {{Cisco Talos shares insights related to recent cyber attack on Cisco}}, date = {2022-08-10}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html}, language = {English}, urldate = {2022-08-11} } @online{bichet:20200414:deobfuscating:d7320ab, author = {Jean Bichet}, title = {{Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend}}, date = {2020-04-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/deobfuscating-hunting-ostap/}, language = {English}, urldate = {2021-01-11} } @online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } @online{biderman:20220701:luna:42b3fcf, author = {Oren Biderman and Tomer Lahiyani and Noam Lifshitz}, title = {{Luna Moth: The Actors Behind the Recent False Subscription Scams}}, date = {2022-07-01}, organization = {SYGNIA}, url = {https://blog.sygnia.co/luna-moth-false-subscription-scams}, language = {English}, urldate = {2022-07-15} } @online{biebs:20180214:reversing:4411496, author = {Biebs}, title = {{Reversing Py2Exe binaries}}, date = {2018-02-14}, organization = {BieberMalware}, url = {https://biebermalware.wordpress.com/2018/02/14/reversing-py2exe-binaries/}, language = {English}, urldate = {2022-11-03} } @online{bienstock:20210427:abusing:60f23c5, author = {Doug Bienstock}, title = {{Abusing Replication: Stealing AD FS Secrets Over the Network}}, date = {2021-04-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html}, language = {English}, urldate = {2021-04-29} } @techreport{bienstock:20210804:cloudy:a74cb93, author = {Doug Bienstock and Josh Madeley}, title = {{Cloudy with a Chance of APTNovel Microsoft 365 Attacks in the Wild}}, date = {2021-08-04}, institution = {FireEye}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Cloudy-With-A-Chance-Of-APT-Novel-Microsoft-365-Attacks-In-The-Wild.pdf}, language = {English}, urldate = {2021-08-06} } @online{bienstock:20220502:unc3524:5948892, author = {Doug Bienstock and Melissa Derr and Josh Madeley and Tyler McLellan and Chris Gardner}, title = {{UNC3524: Eye Spy on Your Email}}, date = {2022-05-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc3524-eye-spy-email}, language = {English}, urldate = {2022-05-03} } @online{bienstock:20220818:you:f22ee5c, author = {Douglas Bienstock}, title = {{You Can’t Audit Me: APT29 Continues Targeting Microsoft 365}}, date = {2022-08-18}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/apt29-continues-targeting-microsoft}, language = {English}, urldate = {2022-08-18} } @online{bienstock:20221129:suspected:fe09dd8, author = {Doug Bienstock and Luke Jenkins and Parnian Najafi and Sarah Hawley}, title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe}}, date = {2022-11-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/russian-targeting-gov-business}, language = {English}, urldate = {2024-12-13} } @online{biermann:20201008:hanois:3f2def5, author = {Kai Biermann and Thi Do Nguyen and Hakan Tanriverdi and Maximilian Zierer}, title = {{Hanois Hacker}}, date = {2020-10-08}, organization = {ZEIT Online}, url = {https://www.zeit.de/politik/deutschland/2020-10/cyberspionage-vietnam-hackerangriffe-deutschland-bmw-verfassungsschutz-oceanlotus-apt32/komplettansicht}, language = {German}, urldate = {2020-10-12} } @online{biermann:20210610:trail:42969a8, author = {Von Kai Biermann and Astrid Geisler and Herwig G. Höller and Karsten Polke-Majewski and Zachary Kamel}, title = {{On the Trail of the Internet Extortionists}}, date = {2021-06-10}, organization = {ZEIT Online}, url = {https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers}, language = {English}, urldate = {2021-07-02} } @online{biggs:20220217:detecting:95e53bb, author = {Simon Biggs and Richard Footman and Michael Mullen}, title = {{Detecting Karakurt – an extortion focused threat actor}}, date = {2022-02-17}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-focused-threat-actor/}, language = {English}, urldate = {2022-02-26} } @online{bill:20230731:cado:d8b3831, author = {Nate Bill and Matt Muir}, title = {{Cado Security Labs Encounter Novel Malware, Redis P2Pinfect}}, date = {2023-07-31}, organization = {Cado Security}, url = {https://www.cadosecurity.com/redis-p2pinfect/}, language = {English}, urldate = {2023-12-12} } @online{bill:20231018:qubitstrike:860a8fa, author = {Nate Bill and Matt Muir}, title = {{Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks}}, date = {2023-10-18}, organization = {Cado Security}, url = {https://www.cadosecurity.com/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks/}, language = {English}, urldate = {2023-10-18} } @online{bill:20240625:from:19bacdb, author = {Nate Bill}, title = {{From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer}}, date = {2024-06-25}, organization = {Cado Security}, url = {https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer}, language = {English}, urldate = {2024-06-28} } @techreport{bilodeau:201403:operation:40b7f42, author = {Olivier Bilodeau and Pierre-Marc Bureau and Joan Calvet and Alexis Dorais-Joncas and Marc-Etienne M.Léveillé and Benjamin Vanheuverzwijn}, title = {{OPERATION WINDIGO}}, date = {2014-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf}, language = {English}, urldate = {2020-01-08} } @online{bilodeau:20141015:operation:f775b05, author = {Olivier Bilodeau}, title = {{Operation Windigo: “Good job, ESET!” says malware author}}, date = {2014-10-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/}, language = {English}, urldate = {2022-07-05} } @techreport{bilodeau:20150519:dissecting:edb3fec, author = {Olivier Bilodeau and Thomas Dupuy}, title = {{Dissecting Linux/Moose}}, date = {2015-05-19}, institution = {ESET Research}, url = {https://web-assets.esetstatic.com/wls/2015/05/Dissecting-LinuxMoose.pdf}, language = {English}, urldate = {2025-03-10} } @online{binance:20210624:binance:afde1e5, author = {Binance}, title = {{Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks}}, date = {2021-06-24}, organization = {Binance}, url = {https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks}, language = {English}, urldate = {2021-06-29} } @online{bing:20170418:shadow:f8c81a6, author = {Chris Bing}, title = {{Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets}}, date = {2017-04-18}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/}, language = {English}, urldate = {2020-01-12} } @online{bing:20180320:kasperskys:9cf65c1, author = {Chris Bing and Patrick Howell O'Neill}, title = {{Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation}}, date = {2018-03-20}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/}, language = {English}, urldate = {2019-07-11} } @online{bing:20201023:exclusive:00afa85, author = {Christopher Bing and Jack Stubbs}, title = {{Exclusive: 'Dumb mistake' exposed Iranian hand behind fake Proud Boys U.S. election emails - sources}}, date = {2020-10-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-election-cyber-iran-exclusive/exclusive-dumb-mistake-exposed-iranian-hand-behind-fake-proud-boy-u-s-election-emails-sources-idUSKBN2772YL}, language = {English}, urldate = {2020-10-26} } @online{bing:20201023:exclusive:9ffe805, author = {Christopher Bing}, title = {{Exclusive: National Guard called in to thwart cyberattack in Louisiana weeks before election}}, date = {2020-10-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F}, language = {English}, urldate = {2020-10-27} } @online{bing:20201029:building:ceeb50f, author = {Christopher Bing and Joseph Menn}, title = {{Building wave of ransomware attacks strike U.S. hospitals}}, date = {2020-10-29}, organization = {Reuters}, url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP}, language = {English}, urldate = {2020-11-02} } @online{bing:20201213:suspected:81b53a9, author = {Christopher Bing}, title = {{Suspected Russian hackers spied on U.S. Treasury emails - sources}}, date = {2020-12-13}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/suspected-russian-hackers-spied-on-u-s-treasury-emails-sources-idUSKBN28N0PG}, language = {English}, urldate = {2020-12-14} } @online{bing:20210111:exclusive:cf710cb, author = {Christopher Bing}, title = {{Exclusive: FBI probes Russian-linked postcard sent to FireEye CEO after cybersecurity firm uncovered hack - sources}}, date = {2021-01-11}, organization = {Reuters}, url = {https://www.reuters.com/article/us-global-cyber-fireeye/exclusive-fbi-probes-russian-linked-postcard-sent-to-fireeye-ceo-after-cybersecurity-firm-uncovered-hack-sources-idUSKBN29G2IG}, language = {English}, urldate = {2021-01-18} } @online{bing:20210202:exclusive:426eec4, author = {Christopher Bing and Jack Stubbs and Raphael Satter and Joseph Menn}, title = {{Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency - sources}}, date = {2021-02-02}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-solarwinds-china/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8}, language = {English}, urldate = {2021-02-04} } @online{bing:20210508:cyber:0adb323, author = {Christopher Bing and Stephanie Kelly}, title = {{Cyber attack shuts down top U.S. fuel pipeline network}}, date = {2021-05-08}, organization = {Reuters}, url = {https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/}, language = {English}, urldate = {2021-05-11} } @online{bing:20220228:new:f79957b, author = {Christopher Bing}, title = {{New Chinese hacking tool found, spurring U.S. warning to allies}}, date = {2022-02-28}, organization = {Reuters}, url = {https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/}, language = {English}, urldate = {2022-03-08} } @online{bingham:20130130:backdoorbarkiofork:8a76c17, author = {Joseph Bingham}, title = {{Backdoor.Barkiofork Targets Aerospace and Defense Industry}}, date = {2013-01-30}, url = {https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry}, language = {English}, urldate = {2021-01-25} } @online{bingl:20210820:virtualbox:a8f9a4e, author = {Berhan Bingöl}, title = {{VirtualBox Detection, Anti-Detection}}, date = {2021-08-20}, organization = {Medium Berhan Bingöl}, url = {https://berhanbingol.medium.com/virtualbox-detection-anti-detection-30614691f108}, language = {Turkish}, urldate = {2021-08-25} } @techreport{biradar:20150120:reversing:8a25caf, author = {Basavaraj K. Biradar}, title = {{Reversing the Inception APT malware}}, date = {2015-01-20}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf}, language = {English}, urldate = {2020-04-21} } @online{birsan:20210209:dependency:44eaf05, author = {Alex Birsan}, title = {{Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies}}, date = {2021-02-09}, organization = {Medium (@alex.birsan)}, url = {https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610}, language = {English}, urldate = {2021-02-10} } @online{bishopfox:20190117:sliver:915fc7e, author = {BishopFox}, title = {{Sliver Implant Framework}}, date = {2019-01-17}, organization = {Github (BishopFox)}, url = {https://github.com/BishopFox/sliver}, language = {English}, urldate = {2020-01-07} } @techreport{bissell:2018:latest:1c1fba4, author = {Kelly Bissell and Joshua Ray and Uwe Kissman and Ryan LaSalle and Gareth Russell}, title = {{LATEST CYBER ESPIONAGE MALWARE ATTACKS}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf}, language = {English}, urldate = {2020-01-08} } @online{bisson:20210428:qbot:dcbcd50, author = {David Bisson}, title = {{QBot Malware Spotted Using Windows Defender Antivirus Lure}}, date = {2021-04-28}, organization = {IBM}, url = {https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/}, language = {English}, urldate = {2021-05-03} } @online{bitam:20220601:cuba:040c34a, author = {Salim Bitam}, title = {{CUBA Ransomware Malware Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis}, language = {English}, urldate = {2022-06-09} } @online{bitam:20220909:bughatch:438e7ac, author = {Salim Bitam}, title = {{BUGHATCH Malware Analysis}}, date = {2022-09-09}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/bughatch-malware-analysis}, language = {English}, urldate = {2022-09-13} } @online{bitam:20230202:update:57ea3a2, author = {Salim Bitam and Remco Sprooten and Cyril François and Andrew Pease and Devon Kerr and Seth Goodwin}, title = {{Update to the REF2924 intrusion set and related campaigns}}, date = {2023-02-02}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns}, language = {English}, urldate = {2023-03-21} } @online{bitam:20230407:attack:aed6a32, author = {Salim Bitam}, title = {{Attack chain leads to XWORM and AGENTTESLA}}, date = {2023-04-07}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla}, language = {English}, urldate = {2023-05-08} } @online{bitam:20230824:revisting:2a2c2e3, author = {Salim Bitam and Daniel Stepanic}, title = {{Revisting BLISTER: New development of the BLISTER loader}}, date = {2023-08-24}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader}, language = {English}, urldate = {2023-09-06} } @online{bitam:20230824:revisting:87dde30, author = {Salim Bitam and Daniel Stepanic}, title = {{Revisting BLISTER: New development of the BLISTER loader}}, date = {2023-08-24}, organization = {Elastic}, url = {https://security-labs.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader}, language = {English}, urldate = {2023-08-28} } @online{bitam:20240521:invisible:6678668, author = {Salim Bitam and Terrance DeJesus and Andrew Pease and Samir Bousseaden}, title = {{Invisible miners: unveiling GHOSTENGINE’s crypto mining operations}}, date = {2024-05-21}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine}, language = {English}, urldate = {2024-06-05} } @techreport{bitam:20241003:sugarcoating:cddedfd, author = {Salim Bitam}, title = {{Sugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor}}, date = {2024-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Sugarcoating-KANDYKORN-a-sweet-dive-into-a-sophisticated-MacOS-backdoor.pdf}, language = {English}, urldate = {2025-01-14} } @online{bitam:20241019:tricks:b17833b, author = {Salim Bitam}, title = {{Tricks and Treats: GHOSTPULSE’s new pixel- level deception}}, date = {2024-10-19}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/tricks-and-treats}, language = {English}, urldate = {2024-10-21} } @online{bitam:20250618:wretch:f299e89, author = {Salim Bitam}, title = {{A Wretch Client: From ClickFix deception to information stealer deployment}}, date = {2025-06-18}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/a-wretch-client}, language = {English}, urldate = {2025-06-20} } @techreport{bitdefender:20151217:apt28:fca586f, author = {Bitdefender}, title = {{APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information}}, date = {2015-12-17}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20160630:pacifier:2b7078c, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{bitdefender:20160630:pacifier:642af11, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20170221:dissecting:eec4e1f, author = {Bitdefender}, title = {{Dissecting the APT28 Mac OS X Payload}}, date = {2017-02-21}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } @techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } @online{bitdefender:20210714:how:3e51ccd, author = {Bitdefender}, title = {{How We Tracked a Threat Group Running an Active Cryptojacking Campaign}}, date = {2021-07-14}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign}, language = {English}, urldate = {2021-07-20} } @techreport{bitdefender:20210719:debugging:48353a0, author = {Bitdefender}, title = {{Debugging MosaicLoader, One Step at a Time}}, date = {2021-07-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf}, language = {English}, urldate = {2021-07-20} } @techreport{bitdefender:20211021:digitallysigned:248a238, author = {Bitdefender}, title = {{Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions}}, date = {2021-10-21}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf}, language = {English}, urldate = {2021-11-03} } @online{bitdefender:20220126:new:587f615, author = {Bitdefender}, title = {{New FluBot and TeaBot Global Malware Campaigns Discovered}}, date = {2022-01-26}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered}, language = {English}, urldate = {2022-02-01} } @techreport{bitdefender:20230222:s1deload:f4e075c, author = {Bitdefender}, title = {{S1deload Stealer – Exploring the Economics of Social Network Account Hijacking}}, date = {2023-02-22}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/428/Bitdefender-PR-Whitepaper-S1deloadStealer-creat6669-en-EN.pdf}, language = {English}, urldate = {2023-02-27} } @online{bitensky:20170518:uiwix:4cc9aa8, author = {Gal Bitensky}, title = {{UIWIX – Evasive Ransomware Exploiting ETERNALBLUE}}, date = {2017-05-18}, organization = {Minerva}, url = {https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue}, language = {English}, urldate = {2020-01-08} } @online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } @online{bits:20250417:mitigating:0ed3f67, author = {Trail of Bits}, title = {{Mitigating ELUSIVE COMET Zoom remote control attacks}}, date = {2025-04-17}, organization = {Trail of Bits}, url = {https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/}, language = {English}, urldate = {2025-05-19} } @online{bitsight:20231102:unveiling:26ed4db, author = {BitSight}, title = {{Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey}}, date = {2023-11-02}, organization = {BitSight}, url = {https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey}, language = {English}, urldate = {2023-11-13} } @online{bitsight:20231102:unveiling:747482a, author = {BitSight}, title = {{Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey}}, date = {2023-11-02}, organization = {BitSight}, url = {https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey}, language = {English}, urldate = {2023-11-13} } @online{bitsofbinary:20201211:macos:a00d112, author = {Twitter (@BitsOfBinary)}, title = {{Tweet on macOS Manuscypt samples}}, date = {2020-12-11}, organization = {PWC UK}, url = {https://twitter.com/BitsOfBinary/status/1337330286787518464}, language = {English}, urldate = {2020-12-14} } @online{bitton:20200803:httpskelacombacktoschoolwhycybercriminalscontinuetotargettheeducationsector:c7312d4, author = {Sharon Bitton and Victoria Kivilevich}, title = {{https://ke-la.com/back-to-school-why-cybercriminals-continue-to-target-the-education-sector/}}, date = {2020-08-03}, organization = {KELA}, url = {https://ke-la.com/back-to-school-why-cybercriminals-continue-to-target-the-education-sector/}, language = {English}, urldate = {2021-05-07} } @online{bitton:20210307:australian:0166781, author = {Sharon Bitton and Victoria Kivilevich}, title = {{Australian Mining Companies and Cybercriminals Digging for the Gold}}, date = {2021-03-07}, organization = {KELA}, url = {https://ke-la.com/australian-mining-companies-and-cybercriminals-digging-for-the-gold/}, language = {English}, urldate = {2021-03-11} } @techreport{bixploit:20231130:lockbit:eb78b87, author = {bixploit and Bilal BAKARTEPE}, title = {{LockBit 3.0 Technical Analysis Report}}, date = {2023-11-30}, institution = {EchoCTI}, url = {https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/LockBit_3.0/LockBit%20Technical%20Analysis%20Report.pdf}, language = {English}, urldate = {2024-03-19} } @techreport{bixploit:20240418:turla:0eb1c15, author = {bixploit and Bilal BAKARTEPE}, title = {{Turla APT Analysis with TinyTurla-NG}}, date = {2024-04-18}, institution = {EchoCTI}, url = {https://github.com/echocti/ECHO-Reports/blob/main/APT%20Reports/Turla/Turla%20Technical%20Analysis%20Report.pdf}, language = {English}, urldate = {2024-04-19} } @online{bizeul:20140711:eye:3cb48c1, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-25} } @online{bizeul:20140711:eye:bdaf0a0, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-29} } @online{bizga:20220304:bitdefender:44d1f32, author = {Alina Bizga}, title = {{Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine}}, date = {2022-03-04}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine}, language = {English}, urldate = {2022-03-04} } @online{bizone:20210513:from:aeb3d77, author = {BI.ZONE}, title = {{From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit}}, date = {2021-05-13}, organization = {BI. ZONE Cyber Threats Research Team}, url = {https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319}, language = {English}, urldate = {2023-10-11} } @online{bizone:20231013:sticky:c1fa9ca, author = {BI.ZONE}, title = {{Sticky Werewolf spies attack state organizations of Russia and Belarus}}, date = {2023-10-13}, organization = {Medium BI.ZONE}, url = {https://bi.zone/expertise/blog/shpiony-sticky-werewolf-atakuyut-gosudarstvennye-organizatsii-rossii-i-belarusi/}, language = {Russian}, urldate = {2025-02-25} } @online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, language = {English}, urldate = {2020-01-07} } @online{bkmsft:20191203:zirconium:c025731, author = {Ben K (bkMSFT)}, title = {{Tweet on ZIRCONIUM alias for APT31}}, date = {2019-12-03}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1201876664667582466}, language = {English}, urldate = {2020-06-16} } @online{black:20180703:iranian:2e94ec4, author = {Samantha Black}, title = {{Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns}}, date = {2018-07-03}, organization = {Cyware}, url = {https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f}, language = {English}, urldate = {2020-01-08} } @techreport{black:20230327:russias:8cad5d3, author = {Dan Black}, title = {{Russia's War in Ukraine: Examining the Success of Ukrainian Cyber Defences}}, date = {2023-03-27}, institution = {The International Institute for Strategic Studies}, url = {https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/2023/03/russias-war-in-ukraine-examining-the-success-of-ukrainian-cyber-defences.pdf}, language = {English}, urldate = {2023-07-24} } @online{black:20230712:grus:7a7b81d, author = {Dan Black and Gabby Roncone}, title = {{The GRU's Disruptive Playbook}}, date = {2023-07-12}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/gru-disruptive-playbook}, language = {English}, urldate = {2023-07-13} } @online{blackhacker511:20190104:github:e7e5d16, author = {BlackHacker511}, title = {{Github Repository: BlackNET}}, date = {2019-01-04}, organization = {Github (BlackHacker511)}, url = {https://github.com/FarisCode511/BlackNET/}, language = {English}, urldate = {2020-07-13} } @online{blackhacker511:20191123:blackworm:9cf1955, author = {BlackHacker511}, title = {{BlackWorm v6.0 Black Ninja}}, date = {2019-11-23}, organization = {Github (BlackHacker511)}, url = {https://github.com/BlackHacker511/BlackWorm}, language = {English}, urldate = {2020-01-13} } @techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } @online{blackorbird:20200408:wannaren:8da1d44, author = {blackorbird}, title = {{Tweet on WannaRen}}, date = {2020-04-08}, organization = {Twitter (@blackorbird)}, url = {https://twitter.com/blackorbird/status/1247834024711577601}, language = {English}, urldate = {2020-05-05} } @techreport{blackpoint:20221101:ratting:8a43425, author = {BlackPoint}, title = {{Ratting Out Arechclient2}}, date = {2022-11-01}, institution = {BlackPoint}, url = {https://cdn-production.blackpointcyber.com/wp-content/uploads/2022/11/01161208/Blackpoint-Cyber-Ratting-out-Arechclient2-Whitepaper.pdf}, language = {English}, urldate = {2023-02-06} } @techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scal}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } @online{blaich:20180518:stealth:c96fd9b, author = {Andrew Blaich and Michael Flossman}, title = {{Stealth Mango and Tangelo: Nation state mobile surveillanceware stealing data from military & government officials}}, date = {2018-05-18}, organization = {Lookout}, url = {https://www.lookout.com/blog/stealth-mango}, language = {English}, urldate = {2022-08-26} } @online{blake:20210122:ldap:edfef67, author = {Scott W Blake}, title = {{LDAP Channel Binding and Signing}}, date = {2021-01-22}, organization = {Trimarc Security}, url = {https://www.hub.trimarcsecurity.com/post/ldap-channel-binding-and-signing}, language = {English}, urldate = {2021-01-29} } @online{blake:20211229:cobalt:b8c08bb, author = {Blake}, title = {{Cobalt Strike DFIR: Listening to the Pipes}}, date = {2021-12-29}, organization = {Blake's R&D}, url = {https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes}, language = {English}, urldate = {2021-12-31} } @online{blancrolin:20211125:emotet:b02b32b, author = {Charles Blanc-Rolin}, title = {{Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?}}, date = {2021-11-25}, organization = {DSIH}, url = {https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html}, language = {French}, urldate = {2021-12-06} } @online{blancrolin:20230214:comment:aa336bd, author = {Charles Blanc-Rolin}, title = {{Comment Qbot revient en force avec OneNote ?}}, date = {2023-02-14}, organization = {DSIH}, url = {https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html}, language = {French}, urldate = {2023-02-21} } @online{blankc:20220705:github:e84c78c, author = {Blank-c}, title = {{Github Repository for BlankGrabber}}, date = {2022-07-05}, organization = {Github (Blank-c)}, url = {https://github.com/Blank-c/Blank-Grabber}, language = {English}, urldate = {2024-04-03} } @online{blasco:20120702:sykipot:09eeec7, author = {Jaime Blasco}, title = {{Sykipot is back}}, date = {2012-07-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/sykipot-is-back}, language = {English}, urldate = {2019-12-18} } @online{blasco:20130321:new:511f1a7, author = {Jaime Blasco}, title = {{New Sykipot developments}}, date = {2013-03-21}, organization = {AT&T}, url = {https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments}, language = {English}, urldate = {2020-01-12} } @online{blasco:20140828:scanbox:a0cc92a, author = {Jaime Blasco}, title = {{Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks}}, date = {2014-08-28}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks}, language = {English}, urldate = {2019-12-06} } @online{blasco:20190402:xwo:11817a2, author = {Jaime Blasco and Chris Doman}, title = {{Xwo - A Python-based bot scanner}}, date = {2019-04-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner}, language = {English}, urldate = {2020-01-06} } @online{blasi:20200922:darkside:67c758a, author = {Stefano De Blasi}, title = {{DarkSide: The New Ransomware Group Behind Highly Targeted Attacks}}, date = {2020-09-22}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/}, language = {English}, urldate = {2020-11-17} } @online{blasi:20210203:emotet:8e8ac18, author = {Stefano De Blasi}, title = {{Emotet Disruption: what it means for the cyber threat landscape}}, date = {2021-02-03}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/emotet-disruption/}, language = {English}, urldate = {2021-02-06} } @online{blasi:20210520:ransomwareasaservice:c7173c4, author = {Stefano De Blasi}, title = {{Ransomware-as-a-Service, Rogue Affiliates, and What’s Next}}, date = {2021-05-20}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/}, language = {English}, urldate = {2021-05-26} } @online{blazek:20210524:scotch:7104907, author = {Sam Blazek}, title = {{SCOTCH: A framework for rapidly assessing influence operations}}, date = {2021-05-24}, organization = {Atlantic Council}, url = {https://www.atlanticcouncil.org/blogs/geotech-cues/scotch-a-framework-for-rapidly-assessing-influence-operations/}, language = {English}, urldate = {2021-06-21} } @online{blazier:20201218:quirk:fe216c8, author = {Nick Blazier and Jesse Kipp}, title = {{A quirk in the SUNBURST DGA algorithm}}, date = {2020-12-18}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/}, language = {English}, urldate = {2020-12-18} } @online{blazytko:20210630:automation:4b8423b, author = {Tim Blazytko}, title = {{Automation in Reverse Engineering: String Decryption}}, date = {2021-06-30}, organization = {synthesis.to blog}, url = {https://synthesis.to/2021/06/30/automating_string_decryption.html}, language = {English}, urldate = {2021-07-12} } @online{bleepingcomputer:20170417:remove:4727489, author = {BleepingComputer}, title = {{Remove Search.searchetan.com Chrome New Tab Page}}, date = {2017-04-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page}, language = {English}, urldate = {2020-01-06} } @online{bleepingcomputer:20211219:exposed:333be0a, author = {BleepingComputer}, title = {{Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware}}, date = {2021-12-19}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/}, language = {English}, urldate = {2023-07-24} } @online{bleepingcomputer:20220106:night:7b146e2, author = {BleepingComputer}, title = {{Night Sky is the latest ransomware targeting corporate networks}}, date = {2022-01-06}, url = {https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/}, language = {English}, urldate = {2022-01-12} } @online{bleepingcomputer:20220427:new:e66d2b0, author = {BleepingComputer}, title = {{New Black Basta ransomware springs into action with a dozen breaches}}, date = {2022-04-27}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/}, language = {English}, urldate = {2022-04-29} } @online{bleih:20240311:guloader:02db2fa, author = {Adi Bleih}, title = {{GuLoader Downloaded: A Look at the Latest Iteration}}, date = {2024-03-11}, organization = {CyberInt}, url = {https://cyberint.com/blog/other/guloader-downloaded-a-look-at-the-latest-iteration/}, language = {English}, urldate = {2024-04-04} } @online{blinken:20210415:holding:13b5d18, author = {Antony J. Blinken}, title = {{Holding Russia To Account}}, date = {2021-04-15}, organization = {U.S. Department of State}, url = {https://www.state.gov/holding-russia-to-account/}, language = {English}, urldate = {2021-04-16} } @online{blksmth:20220118:analysis:f6d259e, author = {BLKSMTH}, title = {{Analysis of Destructive Malware (WhisperGate) targeting Ukraine}}, date = {2022-01-18}, organization = {S2W Inc.}, url = {https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3}, language = {English}, urldate = {2022-01-19} } @online{blksmth:20230317:kimsuky:984e133, author = {BLKSMTH and S2W TALON}, title = {{Kimsuky group appears to be exploiting OneNote like the cybercrime group}}, date = {2023-03-17}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/kimsuky-group-appears-to-be-exploiting-onenote-like-the-cybercrime-group-3c96b0b85b9f}, language = {English}, urldate = {2023-03-20} } @online{blksmth:20230323:scarcruft:82ba4d6, author = {BLKSMTH and S2W TALON}, title = {{Scarcruft Bolsters Arsenal for targeting individual Android devices}}, date = {2023-03-23}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab}, language = {English}, urldate = {2023-03-27} } @online{blksmth:20230517:detailed:4e38725, author = {BLKSMTH}, title = {{Detailed Analysis of AlphaSeed, a new version of Kimsuky’s AppleSeed written in Golang}}, date = {2023-05-17}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wblog/detailed-analysis-of-alphaseed-a-new-version-of-kimsukys-appleseed-written-in-golang-2c885cce352a}, language = {Korean}, urldate = {2023-05-30} } @online{block:20210604:ransomware:9b1bb93, author = {Bar Block}, title = {{The Ransomware Conundrum – A Look into DarkSide}}, date = {2021-06-04}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/}, language = {English}, urldate = {2021-06-22} } @online{block:20220524:blame:9f45829, author = {Bar Block}, title = {{Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them}}, date = {2022-05-24}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office}, language = {English}, urldate = {2022-05-29} } @online{blog:20081124:iwormnuwarw:424455b, author = {NoVirusThanks Blog}, title = {{I-Worm/Nuwar.W + Rustock.E Variant – Analysis}}, date = {2008-11-24}, organization = {NoVirusThanks Blog}, url = {http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/}, language = {English}, urldate = {2019-10-15} } @online{blog:20170413:decrypting:c59a1bd, author = {Koodous Blog}, title = {{Decrypting Bankbot communications.}}, date = {2017-04-13}, organization = {Koodous}, url = {http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html}, language = {English}, urldate = {2019-08-07} } @online{blog:20200904:navigating:75404a6, author = {Quosec Blog}, title = {{Navigating QakBot samples with grap}}, date = {2020-09-04}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html}, language = {English}, urldate = {2021-03-22} } @online{blog:20200910:grap:d2f055d, author = {Quosec Blog}, title = {{grap: Automating QakBot strings decryption}}, date = {2020-09-10}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_strings.html}, language = {English}, urldate = {2021-03-22} } @online{blog:202102:profiling:e0aafb8, author = {Dancho Danchev's Blog}, title = {{Profiling a Currently Active High-Profile Cybercriminals Portfolio of Ransomware-Themed Extortion Email Addresses - Part Two}}, date = {2021-02}, organization = {Dancho Danchev's Blog}, url = {https://ddanchev.blogspot.com/2021/02/profiling-currently-active-high-profile.html}, language = {English}, urldate = {2021-02-20} } @online{blog:20211005:regarding:ed16d41, author = {EXPMON's Blog}, title = {{Regarding the Threats Posed by Encrypted Office Files}}, date = {2021-10-05}, organization = {EXPMON}, url = {https://expmon.blogspot.com/2021/10/regarding-threats-posed-by-encrypted.html}, language = {English}, urldate = {2021-10-11} } @online{blog:20211124:from:541a657, author = {Lasq's Security Blog}, title = {{From the archive #1: OSTap downloader deobfuscation and analysis}}, date = {2021-11-24}, organization = {Lasq's Security Blog}, url = {https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/}, language = {English}, urldate = {2021-11-29} } @online{blogs:20210720:growing:25ed338, author = {Microsoft Corporate Blogs}, title = {{The growing threat of ransomware}}, date = {2021-07-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/}, language = {English}, urldate = {2021-07-26} } @online{blue:20220709:malware:be9282b, author = {Artik Blue}, title = {{Malware analysis with IDA/Radare2 - Basic Unpacking (Dridex first stage)}}, date = {2022-07-09}, organization = {Artik Blue}, url = {https://artik.blue/malware3}, language = {English}, urldate = {2022-07-15} } @online{blue:20220712:malware:744a58a, author = {Artik Blue}, title = {{Malware analysis with IDA/Radare2 - Multiple unpacking (Ramnit worm)}}, date = {2022-07-12}, organization = {Artik Blue}, url = {https://artik.blue/malware4}, language = {English}, urldate = {2022-07-15} } @techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } @online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } @techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } @techreport{blueliv:20220125:cyber:47bcefd, author = {Blueliv}, title = {{Cyber Threat Intelligence for Banking & Financial Services FOLLOW THE MONEY}}, date = {2022-01-25}, institution = {Blueliv}, url = {https://www.blueliv.com/resources/white-papers/financial_wp_21.pdf}, language = {English}, urldate = {2022-01-28} } @techreport{blueliv:2022:jester:f41226f, author = {Blueliv}, title = {{Jester Stealer Malware Research 2022}}, date = {2022}, institution = {Blueliv}, url = {https://outpost24.com/sites/default/files/2022-06/jester_stealer_blogspot_22.pdf}, language = {English}, urldate = {2022-07-20} } @online{bluemonkey:20210929:ariabody:49911f8, author = {BlueMonkey}, title = {{Aria-Body Loader? Is that you?}}, date = {2021-09-29}, organization = {Medium BlueMonkey}, url = {https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1}, language = {English}, urldate = {2021-10-20} } @online{blueteamops:20210926:supercharging:aad33da, author = {BlueteamOps}, title = {{Supercharging Bulk DFIR triage with Node-RED, Google’s Log2timeline & Google’s Timesketch}}, date = {2021-09-26}, organization = {Medium BlueteamOps}, url = {https://blueteamops.medium.com/super-charging-bulk-dfir-triage-with-node-red-google-log2timeline-google-timesketch-2d78e1ee335c}, language = {English}, urldate = {2021-09-28} } @online{blumira:20210714:threat:614d084, author = {Blumira}, title = {{Threat of the Month: IcedID Malware}}, date = {2021-07-14}, organization = {Cerium Networks}, url = {https://ceriumnetworks.com/threat-of-the-month-icedid-malware/}, language = {English}, urldate = {2021-07-20} } @online{bmcder02:20220419:extracting:3e827cf, author = {bmcder02}, title = {{Extracting Cobalt Strike from Windows Error Reporting}}, date = {2022-04-19}, organization = {Blake's R&D}, url = {https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting}, language = {English}, urldate = {2022-04-20} } @online{bnn:20230904:certlv:bfc1b15, author = {BNN and }, title = {{Cert.lv: activist groups supported by Russia perform cyber attacks on Latvian state institutions}}, date = {2023-09-04}, organization = {Baltic News Network}, url = {https://bnn-news.com/cert-lv-activist-groups-supported-by-russia-perform-cyber-attacks-on-latvian-state-institutions-249022}, language = {English}, urldate = {2023-09-06} } @techreport{board:20240320:review:19cc3eb, author = {Cyber Safety Review Board}, title = {{Review of the Summer 2023 Microsoft Exchange Online Intrusion}}, date = {2024-03-20}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf}, language = {English}, urldate = {2024-04-08} } @online{bobritsky:20201118:stopping:e5c486b, author = {Eddy Bobritsky}, title = {{Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module}}, date = {2020-11-18}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/stopping-buerloader}, language = {English}, urldate = {2020-11-19} } @online{bocereg:20200924:apps:88b3497, author = {Alexandra Bocereg and Oana Asoltanei and Ioan-Septimiu Dinulica and Bogdan Botezatu}, title = {{Apps on Google Play Tainted with Cerberus Banker Malware}}, date = {2020-09-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/}, language = {English}, urldate = {2020-10-13} } @techreport{bock:20210827:even:9845698, author = {Kevin Bock and Gabriel Naval and Kyle Reese and Dave Levin}, title = {{Even Censors Have a Backup: Examining China’s Double HTTPS Censorship Middleboxes}}, date = {2021-08-27}, institution = {University of Maryland}, url = {https://geneva.cs.umd.edu/papers/foci21.pdf}, language = {English}, urldate = {2021-10-13} } @online{bock:20210828:even:8ce1f2c, author = {Kevin Bock}, title = {{Even Censors Have a Backup: Examining China’s Double HTTPS Censorship Middleboxes - FOCI 21}}, date = {2021-08-28}, organization = {YouTube (Kevin Bock)}, url = {https://www.youtube.com/watch?v=ASskHbwnrV4}, language = {English}, urldate = {2021-10-13} } @online{boczan:20180605:evolution:372e566, author = {Tamas Boczan}, title = {{The Evolution of GandCrab Ransomware}}, date = {2018-06-05}, organization = {VMRay}, url = {http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/}, language = {English}, urldate = {2019-11-20} } @online{boczan:20190625:analyzing:fe5a161, author = {Tamas Boczan}, title = {{Analyzing Ursnif’s Behavior Using a Malware Sandbox}}, date = {2019-06-25}, organization = {VMRay}, url = {https://www.vmray.com/analyzing-ursnif-behavior-malware-sandbox/}, language = {English}, urldate = {2025-06-02} } @online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } @online{boehs:20240329:everything:d9af186, author = {Evan Boehs}, title = {{Everything I Know About the XZ Backdoor}}, date = {2024-03-29}, organization = {boehs.org}, url = {https://boehs.org/node/everything-i-know-about-the-xz-backdoor}, language = {English}, urldate = {2024-04-02} } @online{bogati:20221018:hunting:c2cd9ba, author = {Anish Bogati and Nilaa Maharjan}, title = {{Hunting Lockbit Variation}}, date = {2022-10-18}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/}, language = {English}, urldate = {2023-01-05} } @online{bogati:20230105:crowning:ee8f347, author = {Anish Bogati}, title = {{A crowning achievement: Exploring the exploit of Royal ransomware}}, date = {2023-01-05}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/}, language = {English}, urldate = {2023-01-06} } @online{bogati:20230323:emerging:3b75884, author = {Anish Bogati}, title = {{Emerging Threats: AgentTesla – A Review and Detection Strategies}}, date = {2023-03-23}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/}, language = {English}, urldate = {2023-04-12} } @online{bogati:20230823:defending:9322a16, author = {Anish Bogati and Nischal khadgi}, title = {{Defending Against 8base: Uncovering Their Arsenal and Crafting Responses}}, date = {2023-08-23}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/}, language = {English}, urldate = {2023-12-27} } @online{bogati:20240304:inside:a37721f, author = {Anish Bogati}, title = {{Inside DarkGate: Exploring the infection chain and capabilities}}, date = {2024-03-04}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/inside-darkgate/}, language = {English}, urldate = {2024-03-07} } @online{bogati:20241107:hiding:e5201ca, author = {Anish Bogati}, title = {{Hiding in Plain Sight: The Subtle Art of Loki Malware’s Obfuscation}}, date = {2024-11-07}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation/}, language = {English}, urldate = {2024-11-11} } @online{bogati:20241118:exploring:affc08c, author = {Anish Bogati}, title = {{Exploring Strela Stealer: Initial Payload Analysis and Insights}}, date = {2024-11-18}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/strela-a-newcomer-in-stealer-family/}, language = {English}, urldate = {2024-11-25} } @online{bogdanov:20210324:encounters:e5ed159, author = {Igor Bogdanov}, title = {{APT Encounters of the Third Kind}}, date = {2021-03-24}, organization = {Igor's Blog}, url = {https://igor-blue.github.io/2021/03/24/apt1.html}, language = {English}, urldate = {2021-03-25} } @online{boguslavskiy:20200715:inside:f9b95b1, author = {Yelisey Boguslavskiy and Samantha van de Ven}, title = {{Inside REvil Extortionist “Machine”: Predictive Insights}}, date = {2020-07-15}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights}, language = {English}, urldate = {2020-07-16} } @online{boguslavskiy:20210503:tween:35cfbaf, author = {Yelisey Boguslavskiy}, title = {{Tween on new RaaS Galaxy Ransomware}}, date = {2021-05-03}, organization = {Twitter (@y_advintel)}, url = {https://twitter.com/y_advintel/status/1389330275616710657}, language = {English}, urldate = {2021-05-08} } @online{boguslavskiy:20210630:ransomwarecve:deae6a7, author = {Yelisey Boguslavskiy and Brandon Rudisel and AdvIntel Security & Development Team}, title = {{Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets}}, date = {2021-06-30}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities}, language = {English}, urldate = {2021-07-01} } @online{boguslavskiy:20210714:revil:7729e3d, author = {Yelisey Boguslavskiy and AdvIntel Security & Development Team}, title = {{REvil Vanishes From Underground - Infrastructure Down}}, date = {2021-07-14}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent}, language = {English}, urldate = {2021-07-20} } @online{boguslavskiy:20210909:groove:f678f6d, author = {Yelisey Boguslavskiy and Anastasia Sentsova}, title = {{Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings}}, date = {2021-09-09}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings}, language = {English}, urldate = {2021-09-12} } @online{boguslavskiy:20211120:corporate:a8b0a1c, author = {Yelisey Boguslavskiy and Vitali Kremez}, title = {{Corporate Loader "Emotet": History of "X" Project Return for Ransomware}}, date = {2021-11-20}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware}, language = {English}, urldate = {2021-11-25} } @online{boguslavskiy:20220114:storm:ad0e3d7, author = {Yelisey Boguslavskiy}, title = {{Storm in "Safe Haven": Takeaways from Russian Authorities Takedown of REvil}}, date = {2022-01-14}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil}, language = {English}, urldate = {2022-01-24} } @online{boguslavskiy:20220216:trickbot:a431e84, author = {Yelisey Boguslavskiy}, title = {{The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works}}, date = {2022-02-16}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works}, language = {English}, urldate = {2022-02-19} } @online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } @online{bohio:20150319:analyzing:eac298c, author = {Muhammad Junaid Bohio}, title = {{Analyzing a Backdoor/Bot forthe MIPS Platform}}, date = {2015-03-19}, url = {https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902}, language = {English}, urldate = {2020-09-21} } @online{bohuslavskiy:20250114:from:452e934, author = {Yelisey Bohuslavskiy and Marley Smith and Landon Rice}, title = {{From Royal to BlackSuit}}, date = {2025-01-14}, organization = {RedSense}, url = {https://redsense.com/publications/royal-blacksuit-how-ransomware-rebrand-reshaped-them/}, language = {English}, urldate = {2025-01-15} } @online{bojaxhi:20200324:exchange:bd67613, author = {Hermes Bojaxhi}, title = {{Exchange Exploit Case Study – CVE-2020-0688}}, date = {2020-03-24}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2020/03/24/exchange-exploit-case-study-cve-2020-0688}, language = {English}, urldate = {2021-02-02} } @online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } @online{boldewin:20190328:javadispcash:8899167, author = {Frank Boldewin}, title = {{Tweet on JavaDispCash}}, date = {2019-03-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1111254169623674882}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190601:atm:7c1d0c2, author = {Frank Boldewin}, title = {{Tweet on ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1135606944427905025}, language = {English}, urldate = {2019-11-26} } @online{boldewin:20190710:xfs:aa523ad, author = {Frank Boldewin}, title = {{Tweet on XFS ATM malware}}, date = {2019-07-10}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1149043362244308992}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190828:atm:b393cb8, author = {Frank Boldewin}, title = {{Tweet on ATM Malware}}, date = {2019-08-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1166773324548063232}, language = {English}, urldate = {2019-12-05} } @online{boldewin:20191129:libertad:974f5d8, author = {Frank Boldewin}, title = {{Libertad y gloria - A Mexican cyber heist story - CyberCrimeCon19 Singapore}}, date = {2019-11-29}, organization = {Github (fboldewin)}, url = {https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore}, language = {English}, urldate = {2019-12-17} } @online{boldewin:20200227:dispcashbr:7dda1c8, author = {Frank Boldewin}, title = {{Tweet on DispCashBR}}, date = {2020-02-27}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1232944566208286720}, language = {English}, urldate = {2020-02-27} } @online{boldewin:20200817:loup:c8e43e4, author = {Frank Boldewin}, title = {{Tweet on Loup}}, date = {2020-08-17}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1295275546780327936}, language = {English}, urldate = {2020-08-17} } @techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} } @online{boldewin:20210812:stealbit:08f3307, author = {Frank Boldewin}, title = {{Tweet on StealBit malware as used by LockBit 2.0}}, date = {2021-08-12}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1425875923606310913}, language = {English}, urldate = {2021-08-16} } @online{bone:20200617:detecting:be87469, author = {Rob Bone}, title = {{Detecting PoshC2 – Indicators of Compromise}}, date = {2020-06-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/}, language = {English}, urldate = {2020-06-18} } @online{bonfa:20101115:tracing:4f23185, author = {Giuseppe Bonfa}, title = {{Tracing the Crimeware Origins by Reversing Injected Code}}, date = {2010-11-15}, organization = {Infosec}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/}, language = {English}, urldate = {2020-01-05} } @online{bonfa:20101116:zeroaccess:14293db, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 3: The Device Driver Process Injection Rootkit}}, date = {2010-11-16}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/}, language = {English}, urldate = {2020-01-08} } @online{bonfa:20101120:kernelmode:b6d039e, author = {Giuseppe Bonfa}, title = {{The Kernel-Mode Device Driver Stealth Rootkit}}, date = {2010-11-20}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{bonfa:201011:zeroaccess:fd02426, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 1: De-Obfuscating and Reversing the User-Mode Agent Dropper}}, date = {2010-11}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/}, language = {English}, urldate = {2019-12-17} } @online{bonicontro:20201107:linuxmidrashim:55a5b54, author = {Guilherme Thomazi Bonicontro}, title = {{Linux.Midrashim}}, date = {2020-11-07}, organization = {Github (guitmz)}, url = {https://github.com/guitmz/midrashim}, language = {English}, urldate = {2021-01-21} } @online{bonicontro:20210118:linuxmidrashim:0ffc38f, author = {Guilherme Thomazi Bonicontro}, title = {{Linux.Midrashim: Assembly x64 ELF virus}}, date = {2021-01-18}, organization = {guitmz blog}, url = {https://www.guitmz.com/linux-midrashim-elf-virus/}, language = {English}, urldate = {2021-01-21} } @online{bonnefoi:20250220:meet:9ad052f, author = {Alexis Bonnefoi and Marine PICHON}, title = {{Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors}}, date = {2025-02-20}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors}, language = {English}, urldate = {2025-02-21} } @online{boonen:20230221:direct:6f70379, author = {Ruben Boonen}, title = {{Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers}}, date = {2023-02-21}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/}, language = {English}, urldate = {2023-03-21} } @online{boram:20250526:investigation:d69396c, author = {Kim Boram}, title = {{Investigation into SK Telecom data breach expands to KT, LG Uplus: sources}}, date = {2025-05-26}, organization = {Yonhap News Agency}, url = {https://en.yna.co.kr/view/AEN20250526002700320}, language = {English}, urldate = {2025-05-26} } @online{borders:20190329:exodus:e3044af, author = {Security without Borders}, title = {{Exodus: New Android Spyware Made in Italy}}, date = {2019-03-29}, organization = {Security Without Borders}, url = {https://securitywithoutborders.org/blog/2019/03/29/exodus.html}, language = {English}, urldate = {2019-07-09} } @online{borg:2020:memory:974bf75, author = {Steve Borg}, title = {{Memory Forensics of Qakbot}}, date = {2020}, organization = {University of Malta}, url = {https://www.um.edu.mt/library/oar/handle/123456789/76802}, language = {English}, urldate = {2021-06-24} } @techreport{borges:20221124:malware:a5021aa, author = {Alexandre Borges}, title = {{Malware Analysis Series (MAS): Article 6}}, date = {2022-11-24}, institution = {ExploitReversing}, url = {https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf}, language = {English}, urldate = {2022-11-25} } @online{borghard:20201217:russias:5ad1412, author = {Erica Borghard and Jacquelyn Schneider}, title = {{Russia's Hack Wasn't Cyberwar. That Complicates US Strategy}}, date = {2020-12-17}, organization = {Wired}, url = {https://www.wired.com/story/russia-solarwinds-hack-wasnt-cyberwar-us-strategy}, language = {English}, urldate = {2021-06-21} } @techreport{boris:20141113:computer:290f01d, author = {Ivanov Boris}, title = {{Computer Forensic Investigation of mobile Banking Trojan}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf}, language = {English}, urldate = {2019-11-27} } @online{boris:20220331:new:fc75dc9, author = {Teejay Boris}, title = {{New Password-Stealing Malware Sells on Hacking Forum! Chrome, Binance, Outlook, Telegram Users Affected?}}, date = {2022-03-31}, organization = {Tech Times}, url = {https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm}, language = {English}, urldate = {2022-04-05} } @online{borja:20200914:analysis:36d3fee, author = {Aprilyn Borja and Abraham Camba and Khristoffer Jocson and Ryan Maglaque and Gilbert Sison and Jay Yaneza}, title = {{Analysis of a Convoluted Attack Chain Involving Ngrok}}, date = {2020-09-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/analysis-of-a-convoluted-attack-chain-involving-ngrok.html}, language = {English}, urldate = {2020-09-23} } @online{boscovich:20120913:microsoft:da601a2, author = {Richard Domingues Boscovich}, title = {{Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain}}, date = {2012-09-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/}, language = {English}, urldate = {2020-01-13} } @online{botezatu:20170505:inside:0cff0e6, author = {Bogdan Botezatu and Alexandru Maximciuc and Cristina Vatamanu and Adrian Schipur}, title = {{Inside Netrepser – a JavaScript-based Targeted Attack}}, date = {2017-05-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180124:new:f993782, author = {Bogdan Botezatu}, title = {{New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild}}, date = {2018-01-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180413:radrat:e2bc7ad, author = {Bogdan Botezatu and Eduard Budaca}, title = {{RadRAT: An all-in-one toolkit for complex espionage ops}}, date = {2018-04-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/}, language = {English}, urldate = {2020-01-09} } @online{botezatu:20180507:hide:0fd8d9a, author = {Bogdan Botezatu}, title = {{Hide and Seek IoT Botnet resurfaces with new tricks, persistence}}, date = {2018-05-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/}, language = {English}, urldate = {2020-01-06} } @online{botezatu:20181025:gandcrab:4e85fe9, author = {Bogdan Botezatu}, title = {{GandCrab Ransomware decryption tool}}, date = {2018-10-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/}, language = {English}, urldate = {2020-01-10} } @online{botezatu:20190219:new:21079a9, author = {Bogdan Botezatu}, title = {{New GandCrab v5.1 Decryptor Available Now}}, date = {2019-02-19}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/}, language = {English}, urldate = {2019-10-15} } @online{botezatu:20190416:inside:8302b5d, author = {Bogdan Botezatu and Cristofor Ochinca and Andrei Ardelean}, title = {{Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation}}, date = {2019-04-16}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/}, language = {English}, urldate = {2019-12-18} } @online{botezatu:20190617:good:c24ed06, author = {Bogdan Botezatu}, title = {{Good riddance, GandCrab! We’re still fixing the mess you left behind}}, date = {2019-06-17}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind}, language = {English}, urldate = {2020-01-10} } @techreport{botezatu:20190625:scranos:13c5096, author = {Bogdan Botezatu and Andrei Ardelean and Cristofor Ochinca and Cristian Alexandru and Istrate and Claudiu Stefan Coblis}, title = {{Scranos Revisited – Rethinking persistence to keep established network alive}}, date = {2019-06-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20210204:fonix:9d53bd8, author = {Bogdan Botezatu}, title = {{Fonix Ransomware Decryptor}}, date = {2021-02-04}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/}, language = {English}, urldate = {2021-05-04} } @techreport{botezatu:20210428:new:5e28909, author = {Bogdan Botezatu and Victor Vrabie}, title = {{New Nebulae Backdoor Linked with the NAIKON Group}}, date = {2021-04-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf}, language = {English}, urldate = {2024-06-04} } @online{botezatu:20210721:luminousmoth:7ed907d, author = {Bogdan Botezatu and Victor Vrabie}, title = {{LuminousMoth – PlugX, File Exfiltration and Persistence Revisited}}, date = {2021-07-21}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited}, language = {English}, urldate = {2021-07-26} } @techreport{botezatu:20210825:fin8:44ba5b3, author = {Bogdan Botezatu and Victor Vrabie and Cristina Vatamanu and Eduard Budaca}, title = {{FIN8 Threat Actor Goes Agile with New Sardonic Backdoor}}, date = {2021-08-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf}, language = {English}, urldate = {2021-09-02} } @online{bourgue:20240702:exposing:0337f1a, author = {Quentin Bourgue}, title = {{Exposing FakeBat loader: distribution methods and adversary infrastructure}}, date = {2024-07-02}, organization = {Sekoia}, url = {https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/}, language = {English}, urldate = {2024-07-03} } @online{bourgue:2024:tycoon:99d04dd, author = {Quentin Bourgue}, title = {{Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit}}, date = {2024}, organization = {Sekoia}, url = {https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit}, language = {English}, urldate = {2024-03-28} } @online{bourhis:20230329:bumblebee:2cb17f7, author = {Pierre Le Bourhis}, title = {{BumbleBee notes}}, date = {2023-03-29}, organization = {Krakz}, url = {https://blog.krakz.fr/articles/bumblebee/}, language = {English}, urldate = {2023-04-06} } @online{bourhis:20231120:darkgate:9bff66a, author = {Pierre Le Bourhis}, title = {{DarkGate Internals}}, date = {2023-11-20}, organization = {Sekoia}, url = {https://blog.sekoia.io/darkgate-internals/}, language = {English}, urldate = {2023-11-22} } @online{bourhis:20240310:syswhispers2:a737ee0, author = {Pierre Le Bourhis}, title = {{SysWhispers2 analysis}}, date = {2024-03-10}, organization = {Krakz}, url = {https://blog.krakz.fr/notes/syswhispers2/}, language = {English}, urldate = {2024-03-18} } @online{bourhis:20240603:pikabot:cb686df, author = {Pierre Le Bourhis and Quentin Bourgue and Sekoia TDR}, title = {{PikaBot: a Guide to its Deep Secrets and Operations}}, date = {2024-06-03}, organization = {Sekoia}, url = {https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/}, language = {English}, urldate = {2024-06-04} } @online{bourhis:20240801:latrodectus:1f887f7, author = {Pierre Le Bourhis}, title = {{Latrodectus dropped by BR4}}, date = {2024-08-01}, organization = {Krakz}, url = {https://blog.krakz.fr/articles/latrodectus/}, language = {English}, urldate = {2024-08-29} } @online{bourhis:20250211:ratatouille:3c969ce, author = {Pierre Le Bourhis}, title = {{RATatouille: Cooking Up Chaos in the I2P Kitchen}}, date = {2025-02-11}, organization = {Sekoia}, url = {https://blog.sekoia.io/ratatouille-cooking-up-chaos-in-the-i2p-kitchen/}, language = {English}, urldate = {2025-03-05} } @online{bousseaden:20200625:close:be8a8b2, author = {Samir Bousseaden and Daniel Stepanic}, title = {{A close look at the advanced techniques used in a Malaysian-focused APT campaign}}, date = {2020-06-25}, organization = {Elastic}, url = {https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign}, language = {English}, urldate = {2020-06-25} } @online{bousseaden:20210318:hunting:3c36ea4, author = {Samir Bousseaden}, title = {{Hunting for Lateral Movement using Event Query Language}}, date = {2021-03-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/hunting-for-lateral-movement-using-event-query-language}, language = {English}, urldate = {2021-03-19} } @online{bousseaden:20220207:exploring:c0df09d, author = {Samir Bousseaden}, title = {{Exploring Windows UAC Bypasses: Techniques and Detection Strategies}}, date = {2022-02-07}, organization = {Elastic}, url = {https://elastic.github.io/security-research/whitepapers/2022/02/03.exploring-windows-uac-bypass-techniques-detection-strategies/article/}, language = {English}, urldate = {2022-03-07} } @online{bousseaden:20221216:siestagraph:bb73ce7, author = {Samir Bousseaden and Andrew Pease and Daniel Stepanic and Salim Bitam and Seth Goodwin and Devon Kerr}, title = {{SiestaGraph: New implant uncovered in ASEAN member foreign ministry}}, date = {2022-12-16}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry}, language = {English}, urldate = {2022-12-19} } @online{bousseaden:20240329:in:bac1eca, author = {Samir Bousseaden}, title = {{In- the- Wild Windows LPE 0- days: Insights & Detection Strategies}}, date = {2024-03-29}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/itw-windows-lpe-0days-insights-and-detection-strategies}, language = {English}, urldate = {2024-04-02} } @online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20150409:operation:077f5fe, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap, the trap for Russian accountants}}, date = {2015-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/04/09/operation-buhtrap/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20151111:operation:baffed9, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap malware distributed via ammyy.com}}, date = {2015-11-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/}, language = {English}, urldate = {2020-01-08} } @online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20181105:bluehat:65f6d65, author = {Jean-Ian Boutin and Frédéric Vachon}, title = {{BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled}}, date = {2018-11-05}, organization = {Youtube (MSRC)}, url = {https://www.youtube.com/watch?v=VeoXT0nEcFU}, language = {English}, urldate = {2019-12-17} } @online{boutin:20190711:buhtrap:ec174bc, author = {Jean-Ian Boutin}, title = {{Buhtrap group uses zero‑day in latest espionage campaigns}}, date = {2019-07-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20200611:gamaredon:14a96c2, author = {Jean-Ian Boutin}, title = {{Gamaredon group grows its game}}, date = {2020-06-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/}, language = {English}, urldate = {2020-06-11} } @online{boutin:20200611:gamaredon:3376ccd, author = {Jean-Ian Boutin}, title = {{Gamaredon group grows its game}}, date = {2020-06-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game}, language = {English}, urldate = {2022-08-25} } @online{boutin:20201012:eset:a7eeb51, author = {Jean-Ian Boutin}, title = {{ESET takes part in global operation to disrupt Trickbot}}, date = {2020-10-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/}, language = {English}, urldate = {2020-10-12} } @online{boutin:20220413:eset:7463437, author = {Jean-Ian Boutin and Tomáš Procházka}, title = {{ESET takes part in global operation to disrupt Zloader botnets}}, date = {2022-04-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/}, language = {English}, urldate = {2022-04-14} } @online{boyarchuk:20220329:emotet:18b143b, author = {Oleg Boyarchuk and Jason Zhang and Threat Analysis Unit}, title = {{Emotet C2 Configuration Extraction and Analysis}}, date = {2022-03-29}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html}, language = {English}, urldate = {2022-04-04} } @online{boyarchuk:20220516:emotet:6392ff3, author = {Oleg Boyarchuk and Stefano Ortolani and Jason Zhang and Threat Analysis Unit}, title = {{Emotet Moves to 64 bit and Updates its Loader}}, date = {2022-05-16}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html}, language = {English}, urldate = {2022-05-17} } @online{boyarchuk:20220525:emotet:ada82ac, author = {Oleg Boyarchuk and Stefano Ortolani}, title = {{Emotet Config Redux}}, date = {2022-05-25}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/05/emotet-config-redux.html}, language = {English}, urldate = {2022-05-29} } @online{boyarchuk:20220819:how:a43d0e2, author = {Oleg Boyarchuk and Stefano Ortolani}, title = {{How to Replicate Emotet Lateral Movement}}, date = {2022-08-19}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html}, language = {English}, urldate = {2022-08-31} } @online{boychenko:20250129:north:81993c8, author = {Kirill Boychenko and Peter van der Zee}, title = {{North Korean APT Lazarus Targets Developers with Malicious npm Package}}, date = {2025-01-29}, organization = {Socket}, url = {https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package}, language = {English}, urldate = {2025-01-31} } @online{boychenko:20250310:lazarus:4889627, author = {Kirill Boychenko}, title = {{Lazarus Strikes npm Again with New Wave of Malicious Packages}}, date = {2025-03-10}, organization = {Socket}, url = {https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages}, language = {English}, urldate = {2025-03-11} } @online{boychenko:20250714:contagious:8ec0536, author = {Kirill Boychenko}, title = {{Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader}}, date = {2025-07-14}, organization = {Socket}, url = {https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages}, language = {English}, urldate = {2025-07-16} } @online{boyd:20220701:astralocker:7ef70a2, author = {Christopher Boyd}, title = {{AstraLocker 2.0 ransomware isn’t going to give you your files back}}, date = {2022-07-01}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/ransomware/2022/07/astralocker-2-0-ransomware-isnt-going-to-give-you-your-files-back/}, language = {English}, urldate = {2022-07-05} } @online{boyd:20241024:writing:b79f0ca, author = {Aaron Boyd}, title = {{Writing a BugSleep C2 server and detecting its traffic with Snort}}, date = {2024-10-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/}, language = {English}, urldate = {2024-11-25} } @online{boyle:20240130:darkgate:5d8fbfe, author = {Peter Boyle}, title = {{DarkGate malware delivered via Microsoft Teams - detection and response}}, date = {2024-01-30}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response}, language = {English}, urldate = {2024-02-02} } @techreport{boyton:20211105:analysis:2711253, author = {Christopher Boyton}, title = {{An Analysis of Buer Loader}}, date = {2021-11-05}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf}, language = {English}, urldate = {2021-11-08} } @online{boyton:20211105:review:a1394e6, author = {Christopher Boyton}, title = {{A Review and Analysis of 2021 Buer Loader Campaigns}}, date = {2021-11-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html}, language = {English}, urldate = {2021-11-08} } @online{boyton:20240403:unveiling:ea8c9b5, author = {Christopher Boyton}, title = {{Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption}}, date = {2024-04-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html}, language = {English}, urldate = {2024-04-04} } @online{bozoslivehere:20230928:exploring:3cc7b21, author = {BOZOSLIVEHERE}, title = {{Exploring ScamClub Payloads via Deobfuscation Using Abstract Syntax Trees}}, date = {2023-09-28}, organization = {Confiant}, url = {https://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537}, language = {English}, urldate = {2023-09-29} } @online{bozzato:20211109:cisco:2f6a349, author = {Claudio Bozzato and Lilith Wyatt}, title = {{Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton}}, date = {2021-11-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/11/cisco-talos-finds-10-vulnerabilities-in.html}, language = {English}, urldate = {2021-11-11} } @online{br3akp0int:20211118:how:02114e2, author = {Br3akp0int}, title = {{Tweet on how to decrypt 4 layers of encryption & obfuscation of vjw0rm}}, date = {2021-11-18}, organization = {Twitter (@tccontre18)}, url = {https://twitter.com/tccontre18/status/1461386178528264204}, language = {English}, urldate = {2021-11-19} } @techreport{br:202003:nova:38220a4, author = {CTIR GOV BR}, title = {{Nova campanha de ataques de Ransomware}}, date = {2020-03}, institution = {CTIR GOV}, url = {https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf}, language = {English}, urldate = {2021-01-29} } @online{bracken:20210713:guess:eafaf32, author = {Becky Bracken}, title = {{Guess Fashion Brand Deals With Data Loss After Ransomware Attack}}, date = {2021-07-13}, organization = {Threat Post}, url = {https://threatpost.com/guess-fashion-data-loss-ransomware/167754/}, language = {English}, urldate = {2021-07-20} } @online{brackmann:20200709:threat:dc4f44e, author = {Pascal Brackmann}, title = {{Threat Bulletin: Dissecting GuLoader’s Evasion Techniques}}, date = {2020-07-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/}, language = {English}, urldate = {2021-01-10} } @online{brackmann:20220912:evolution:df38f6a, author = {Pascal Brackmann}, title = {{The evolution of GuLoader}}, date = {2022-09-12}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader}, language = {English}, urldate = {2022-09-19} } @online{brad:20180117:reviewing:49ad844, author = {brad}, title = {{Reviewing the spam filters: Malspam pushing Gozi-ISFB}}, date = {2018-01-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245}, language = {English}, urldate = {2019-12-20} } @online{bradley:20210426:shlayer:1802a7d, author = {Jaron Bradley}, title = {{Shlayer malware abusing Gatekeeper bypass on macOS}}, date = {2021-04-26}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/}, language = {English}, urldate = {2021-04-29} } @online{bradley:20210524:zeroday:7196ca4, author = {Jaron Bradley}, title = {{Zero-Day TCC bypass discovered in XCSSET malware}}, date = {2021-05-24}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/}, language = {English}, urldate = {2021-06-11} } @online{bradley:20210811:rising:3bef356, author = {Tony Bradley}, title = {{The Rising Threat from LockBit Ransomware}}, date = {2021-08-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware}, language = {English}, urldate = {2022-02-14} } @online{bradley:20220516:updateagent:c0c5625, author = {Jaron Bradley and Stuart Ashenbrenner and Matt Benyo}, title = {{UpdateAgent Adapts Again}}, date = {2022-05-16}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/updateagent-adapts-again/}, language = {English}, urldate = {2022-05-17} } @online{brady:20190117:pond:572e6e8, author = {Matthew Brady}, title = {{Pond Loach delivers BadCake malware}}, date = {2019-01-17}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware}, language = {English}, urldate = {2020-03-03} } @online{brandefense:20220221:darkside:98639e6, author = {Brandefense}, title = {{Darkside Ransomware Analysis Report}}, date = {2022-02-21}, organization = {Brandefense}, url = {https://brandefense.io/darkside-ransomware-analysis-report/}, language = {English}, urldate = {2022-05-03} } @online{brandefense:20220310:hermeticwiper:c5162c1, author = {Brandefense}, title = {{HermeticWiper - Technical Analysis Report}}, date = {2022-03-10}, organization = {Brandefense}, url = {https://brandefense.io/hermeticwiper-technical-analysis-report/}, language = {English}, urldate = {2022-05-03} } @online{brandefense:20220410:zebrocy:467d0a0, author = {Brandefense}, title = {{Zebrocy Malware Technical Analysis Report}}, date = {2022-04-10}, organization = {Brandefense}, url = {https://brandefense.io/zebrocy-malware-technical-analysis-report/}, language = {English}, urldate = {2022-05-03} } @online{brandefense:20220801:el:6a6efcc, author = {Brandefense}, title = {{El Machete APT Group}}, date = {2022-08-01}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/el-machete-apt-group/}, language = {English}, urldate = {2024-11-29} } @online{brandefense:20220805:fancy:f70cd2b, author = {Brandefense}, title = {{Fancy Bear APT Group}}, date = {2022-08-05}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/fancy-bear-apt-group/}, language = {English}, urldate = {2024-08-19} } @online{brandefense:20220808:dynamite:bf04b44, author = {Brandefense}, title = {{Dynamite Panda APT Group}}, date = {2022-08-08}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/dynamite-panda-apt-group/}, language = {English}, urldate = {2024-11-29} } @online{brandefense:20220812:mythic:f1d77d4, author = {Brandefense}, title = {{Mythic Leopard APT Group}}, date = {2022-08-12}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/mythic-leopard-apt-group/}, language = {English}, urldate = {2024-11-29} } @online{brandefense:20220815:lazarus:87c9789, author = {Brandefense}, title = {{Lazarus APT Group (APT38)}}, date = {2022-08-15}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/lazarus-apt-group-apt38/}, language = {English}, urldate = {2024-11-29} } @online{brandefense:20220818:apt33:ca3735c, author = {Brandefense}, title = {{APT33 Threat Actors}}, date = {2022-08-18}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/apt33-threat-actors/}, language = {English}, urldate = {2024-12-02} } @online{brandefense:20220822:ocean:4d5c507, author = {Brandefense}, title = {{Ocean Lotus APT Group}}, date = {2022-08-22}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/}, language = {English}, urldate = {2024-08-15} } @online{brandefense:20220905:equation:e40e5fe, author = {Brandefense}, title = {{Equation APT Group}}, date = {2022-09-05}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-groups/equation-apt-group/}, language = {English}, urldate = {2024-12-02} } @online{brandefense:20230713:36:796208f, author = {Brandefense}, title = {{APT 36 Campaign – Poseidon Malware Technical Analysis}}, date = {2023-07-13}, organization = {Brandefense}, url = {https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/}, language = {English}, urldate = {2024-08-19} } @online{brandefense:20230817:godfather:f8ee224, author = {Brandefense}, title = {{Godfather Android Banking Trojan Technical Analysis}}, date = {2023-08-17}, organization = {Brandefense}, url = {https://brandefense.io/blog/godfather-android-banking-trojan/}, language = {English}, urldate = {2023-08-23} } @online{brandel:20210422:thread:edbfa14, author = {Eric Brandel}, title = {{A thread on possibly new magecart skimmer}}, date = {2021-04-22}, organization = {Twitter (@AffableKraut)}, url = {https://twitter.com/AffableKraut/status/1385030485676544001}, language = {English}, urldate = {2021-04-28} } @online{brandel:20210715:another:384815e, author = {Eric Brandel}, title = {{Tweet on another digital skimmer/magecart script from the "q-logger" threat actor}}, date = {2021-07-15}, organization = {Twitter (@AffableKraut)}, url = {https://twitter.com/AffableKraut/status/1415425132080816133?s=20}, language = {English}, urldate = {2021-07-20} } @online{brandt:20180731:samsam:68f06ce, author = {Andrew Brandt}, title = {{SamSam guide to coverage}}, date = {2018-07-31}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20180731:sophos:908af44, author = {Andrew Brandt}, title = {{Sophos releases SamSam ransomware report}}, date = {2018-07-31}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20181129:how:a840588, author = {Andrew Brandt}, title = {{How a SamSam-like attack happens, and what you can do about it}}, date = {2018-11-29}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20190130:matrix:1dc1113, author = {Andrew Brandt}, title = {{Matrix: Targeted, small scale, canary in the coalmine ransomware}}, date = {2019-01-30}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } @online{brandt:20190510:megacortex:6b7c935, author = {Andrew Brandt}, title = {{MegaCortex, deconstructed: mysteries mount as analysis continues}}, date = {2019-05-10}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20190524:directed:1164fdf, author = {Andrew Brandt}, title = {{Directed attacks against MySQL servers deliver ransomware}}, date = {2019-05-24}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20191209:snatch:a8f2825, author = {Andrew Brandt}, title = {{Snatch ransomware reboots PCs into Safe Mode to bypass protection}}, date = {2019-12-09}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/}, language = {English}, urldate = {2022-03-18} } @online{brandt:20200206:living:811742c, author = {Andrew Brandt and Mark Loman}, title = {{Living off another land: Ransomware borrows vulnerable driver to remove security software}}, date = {2020-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/}, language = {English}, urldate = {2020-02-13} } @online{brandt:20200624:glupteba:fc4095d, author = {Andrew Brandt}, title = {{Glupteba malware hides in plain sight}}, date = {2020-06-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728}, language = {English}, urldate = {2020-06-24} } @online{brandt:20200729:emotets:cb1de9b, author = {Andrew Brandt}, title = {{Emotet’s return is the canary in the coal mine}}, date = {2020-07-29}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728}, language = {English}, urldate = {2020-07-30} } @online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } @online{brandt:20200924:emaildelivered:742cfe6, author = {Andrew Brandt and Andrew O'Donnell and Fraser Howard}, title = {{Email-delivered MoDi RAT attack pastes PowerShell commands}}, date = {2020-09-24}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands}, language = {English}, urldate = {2020-09-25} } @online{brandt:20210216:conti:24c2333, author = {Andrew Brandt and Anand Ajjan}, title = {{Conti ransomware: Evasive by nature}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/}, language = {English}, urldate = {2021-02-20} } @online{brandt:20210413:compromised:c21fba1, author = {Andrew Brandt}, title = {{Compromised Exchange server hosting cryptojacker targeting other Exchange servers}}, date = {2021-04-13}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/}, language = {English}, urldate = {2021-04-14} } @online{brandt:20210415:bazarloader:93400a1, author = {Andrew Brandt}, title = {{BazarLoader deploys a pair of novel spam vectors}}, date = {2021-04-15}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors}, language = {English}, urldate = {2021-04-16} } @online{brandt:20210505:intervention:f548dee, author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos}, title = {{Intervention halts a ProxyLogon-enabled attack}}, date = {2021-05-05}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack}, language = {English}, urldate = {2021-05-07} } @online{brandt:20210528:new:4d0e375, author = {Andrew Brandt}, title = {{A new ransomware enters the fray: Epsilon Red}}, date = {2021-05-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/28/epsilonred/}, language = {English}, urldate = {2021-06-07} } @online{brandt:20210611:relentless:56d5133, author = {Andrew Brandt and Anand Ajjan and Hajnalka Kope and Mark Loman and Peter Mackenzie}, title = {{Relentless REvil, revealed: RaaS as variable as the criminals who use it}}, date = {2021-06-11}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/}, language = {English}, urldate = {2021-06-16} } @online{brandt:20210617:vigilante:d05c7d7, author = {Andrew Brandt}, title = {{Vigilante malware rats out software pirates while blocking ThePirateBay}}, date = {2021-06-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/17/vigilante-antipiracy-malware/}, language = {English}, urldate = {2021-06-21} } @online{brandt:20210921:cring:9bd4998, author = {Andrew Brandt and Vikas Singh and Shefali Gupta and Krisztián Diriczi and Chaitanya Ghorpade}, title = {{Cring ransomware group exploits ancient ColdFusion server}}, date = {2021-09-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728}, language = {English}, urldate = {2021-09-24} } @online{brandt:20211005:python:61cd49c, author = {Andrew Brandt and Rajesh Nataraj and Andrew O’Donnell and Mauricio Valdivieso}, title = {{Python ransomware script targets ESXi server for encryption}}, date = {2021-10-05}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/05/python-ransomware-script-targets-esxi-server-for-encryption/}, language = {English}, urldate = {2021-10-11} } @online{brandt:20211111:bazarloader:9328545, author = {Andrew Brandt}, title = {{BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism}}, date = {2021-11-11}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/}, language = {English}, urldate = {2021-11-12} } @online{brandt:20211221:attackers:a529ed2, author = {Andrew Brandt and Stephen Ormandy}, title = {{Attackers test “CAB-less 40444” exploit in a dry run}}, date = {2021-12-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/}, language = {English}, urldate = {2021-12-31} } @online{brandt:20211222:avos:b09298c, author = {Andrew Brandt and Fraser Howard and Anand Ajjan and Peter Mackenzie and Ferenc László Nagy and Sergio Bestulic and Timothy Easton}, title = {{Avos Locker remotely accesses boxes, even running in Safe Mode}}, date = {2021-12-22}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/}, language = {English}, urldate = {2021-12-31} } @online{brandt:20220125:windows:7d316fb, author = {Andrew Brandt}, title = {{Windows services lay the groundwork for a Midas ransomware attack}}, date = {2022-01-25}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/}, language = {English}, urldate = {2022-03-30} } @online{brandt:20220125:windows:d134759, author = {Andrew Brandt and Jason Jenkins}, title = {{Windows services lay the groundwork for a Midas ransomware attack}}, date = {2022-01-25}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/?cmp=30728}, language = {English}, urldate = {2022-01-28} } @online{brandt:20220223:dridex:51a6f80, author = {Andrew Brandt and Anand Ajjan and Colin Cowie and Abhijit Gupta and Steven Lott and Rahil Shah and Vikas Singh and Felix Weyne and Syed Zaidi and Xiaochuan Zhang}, title = {{Dridex bots deliver Entropy ransomware in recent attacks}}, date = {2022-02-23}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728}, language = {English}, urldate = {2022-03-01} } @online{brandt:20220223:dridex:c1d4784, author = {Andrew Brandt}, title = {{Dridex bots deliver Entropy ransomware in recent attacks}}, date = {2022-02-23}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/}, language = {English}, urldate = {2022-03-01} } @online{brandt:20220412:attackers:f9f5c52, author = {Andrew Brandt and Angela Gunn and Melissa Kelly and Peter Mackenzie and Ferenc László Nagy and Mauricio Valdivieso and Sergio Bestulic and Johnathan Fern and Linda Smith and Matthew Everts}, title = {{Attackers linger on government agency computers before deploying Lockbit ransomware}}, date = {2022-04-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/}, language = {English}, urldate = {2022-04-15} } @online{brandt:20220616:confluence:0bbf8de, author = {Andrew Brandt}, title = {{Confluence exploits used to drop ransomware on vulnerable servers}}, date = {2022-06-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/}, language = {English}, urldate = {2022-06-17} } @online{brandt:20220714:blackcat:745470a, author = {Andrew Brandt and Sergio Bestulic and Harinder Bhathal and Andy French and Bill Kearney and Lee Kirkpatrick and Elida Leite and Peter Mackenzie and Robert Weiland}, title = {{BlackCat ransomware attacks not merely a byproduct of bad luck}}, date = {2022-07-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/}, language = {English}, urldate = {2022-07-25} } @online{brandt:20221130:lockbit:7d7598f, author = {Andrew Brandt}, title = {{LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling}}, date = {2022-11-30}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/}, language = {English}, urldate = {2022-12-02} } @online{brandt:20230206:qakbot:e85e83f, author = {Andrew Brandt}, title = {{Qakbot mechanizes distribution of malicious OneNote notebooks}}, date = {2023-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/}, language = {English}, urldate = {2023-02-13} } @online{braue:20191105:hospital:0e1375e, author = {David Braue}, title = {{Hospital cyberattack could have been avoided}}, date = {2019-11-05}, organization = {Information Age}, url = {https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html}, language = {English}, urldate = {2022-11-09} } @techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} } @online{brazil:20210314:how:5fcb8be, author = {Matthew Brazil}, title = {{How China’s Devastating Microsoft Hack Puts Us All at Risk}}, date = {2021-03-14}, organization = {DAILY BEAST}, url = {https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk}, language = {English}, urldate = {2021-03-31} } @online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } @online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} } @online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } @online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } @online{breakdown:20170911:re:5d563f4, author = {Malware Breakdown}, title = {{“Re: Details” Malspam Downloads CoreBot Banking Trojan}}, date = {2017-09-11}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/}, language = {English}, urldate = {2020-01-08} } @online{breakdown:20180321:fobos:15877e7, author = {Malware Breakdown}, title = {{Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK}}, date = {2018-03-21}, organization = {Malware Breakdown Blog}, url = {https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/}, language = {English}, urldate = {2019-10-13} } @online{breen:20140505:vt:121e664, author = {Kevin Breen}, title = {{VT Comments Page on Blue Banana Sample}}, date = {2014-05-05}, url = {https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community}, language = {English}, urldate = {2020-10-13} } @online{breen:20230424:detecting:613b1ad, author = {Kevin Breen}, title = {{Detecting and decrypting Sliver C2 – a threat hunter’s guide}}, date = {2023-04-24}, organization = {Immersive Labs}, url = {https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/}, language = {English}, urldate = {2023-06-23} } @techreport{breitenbacher:20200617:operation:7969e3a, author = {Dominik Breitenbacher and Kaspars Osis}, title = {{Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies}}, date = {2020-06-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf}, language = {English}, urldate = {2020-06-17} } @online{breitenbacher:20221214:unmasking:a20b445, author = {Dominik Breitenbacher}, title = {{Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities}}, date = {2022-12-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/}, language = {English}, urldate = {2022-12-20} } @online{breitenbacher:20250318:operation:bd0a478, author = {Dominik Breitenbacher}, title = {{Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor}}, date = {2025-03-18}, organization = {WeLiveSecurity}, url = {https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/}, language = {English}, urldate = {2025-03-21} } @online{brendel:20210403:hubnr:950251c, author = {Carlos Brendel}, title = {{Hubnr Botnet}}, date = {2021-04-03}, organization = {Github (carbreal)}, url = {https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet}, language = {English}, urldate = {2021-04-14} } @online{brennan:20210525:cobalt:c428be0, author = {Matthew Brennan}, title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}}, date = {2021-05-25}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware}, language = {English}, urldate = {2021-06-09} } @online{brennan:20210817:snakes:1b4d004, author = {Matthew Brennan}, title = {{Snakes on a Domain: An Analysis of a Python Malware Loader}}, date = {2021-08-17}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader}, language = {English}, urldate = {2021-08-20} } @online{brennan:20220218:hackers:243d8b8, author = {Matthew Brennan}, title = {{Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection}}, date = {2022-02-18}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection}, language = {English}, urldate = {2022-02-26} } @online{brennan:20230509:advanced:eaca988, author = {Matthew Brennan}, title = {{Advanced Cyberchef Tips - AsyncRAT Loader}}, date = {2023-05-09}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader}, language = {English}, urldate = {2023-05-11} } @online{brenner:20170626:how:b5978ec, author = {Bill Brenner}, title = {{How Spora ransomware tries to fool antivirus}}, date = {2017-06-26}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/}, language = {English}, urldate = {2019-10-14} } @online{brewster:20140807:sophisticated:5f484c8, author = {Tom Brewster}, title = {{Sophisticated 'Turla' hackers spying on European governments, say researchers}}, date = {2014-08-07}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec}, language = {English}, urldate = {2020-01-05} } @online{brewster:20170215:inside:8b5faed, author = {Thomas Brewster}, title = {{Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage}}, date = {2017-02-15}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a}, language = {English}, urldate = {2020-01-13} } @online{brewster:20170504:behind:4da1ded, author = {Thomas Brewster}, title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}}, date = {2017-05-04}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates}, language = {English}, urldate = {2020-01-09} } @online{brewster:20170727:with:b21b072, author = {Thomas Brewster}, title = {{With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook}}, date = {2017-07-27}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/}, language = {English}, urldate = {2020-01-07} } @online{brewster:20180830:hackers:d006ceb, author = {Thomas Brewster}, title = {{Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage}}, date = {2018-08-30}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/}, language = {English}, urldate = {2019-11-26} } @online{brewster:20230830:fake:5e4a7a3, author = {Thomas Brewster}, title = {{A Fake Signal App Was Planted On Google Play By China-Linked Hackers}}, date = {2023-08-30}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2023/08/30/malicious-signal-app-planted-on-google-play-by-china-linked-cyber-spies/?sh=5873befb48e9}, language = {English}, urldate = {2023-09-11} } @online{bridewell:20230510:hunting:461fdf0, author = {Bridewell}, title = {{Hunting for Ursnif}}, date = {2023-05-10}, organization = {Bridewell}, url = {https://www.bridewell.com/insights/news/detail/hunting-for-ursnif}, language = {English}, urldate = {2023-05-15} } @online{bridewell:20230927:uncovering:de83cc6, author = {Bridewell}, title = {{Uncovering the “Easy Stealer” Infostealer}}, date = {2023-09-27}, organization = {Bridewell}, url = {https://www.bridewell.com/insights/blogs/detail/uncovering-the-easy-stealer-infostealer}, language = {English}, urldate = {2023-10-30} } @techreport{bridewell:20250624:2025:d75317d, author = {Bridewell}, title = {{2025 Cyber Threat Intelligence Report}}, date = {2025-06-24}, institution = {Bridewell}, url = {https://insights.bridewell.com/hubfs/Cyber%20Threat%20Intelligence%20Report%202025.pdf}, language = {English}, urldate = {2025-06-24} } @online{bridis:20010627:net:d6b0f69, author = {Ted Bridis}, title = {{Net Espionage Rekindles Tensions As U.S. Tries to Identify Hackers}}, date = {2001-06-27}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/SB993588688215931869}, language = {English}, urldate = {2023-09-25} } @online{broadcom:20220412:moqhao:d1b3561, author = {Broadcom}, title = {{MoqHao malware continues to target mobile users in Europe}}, date = {2022-04-12}, organization = {Broadcom}, url = {https://www.broadcom.com/support/security-center/protection-bulletin/moqhao-malware-continues-to-target-mobile-users-in-europe}, language = {English}, urldate = {2025-02-25} } @online{brodsky:20210511:darkside:9c81721, author = {James Brodsky}, title = {{The DarkSide of the Ransomware Pipeline}}, date = {2021-05-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html}, language = {English}, urldate = {2021-05-13} } @online{bromiley:20161007:attacking:0d71422, author = {Matt Bromiley and Preston Lewis}, title = {{Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years}}, date = {2016-10-07}, organization = {FireEye}, url = {https://www.youtube.com/watch?v=fevGZs0EQu8}, language = {English}, urldate = {2020-04-17} } @online{bromiley:20190718:hard:7a6144e, author = {Matt Bromiley and Noah Klapprodt and Nick Schroeder and Jessica Rocchio}, title = {{Hard Pass: Declining APT34’s Invite to Join Their Professional Network}}, date = {2019-07-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html}, language = {English}, urldate = {2019-12-20} } @online{bromiley:20210216:light:5541ad4, author = {Matt Bromiley and Andrew Rector and Robert Wallace}, title = {{Light in the Dark: Hunting for SUNBURST}}, date = {2021-02-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html}, language = {English}, urldate = {2021-02-20} } @online{bromiley:20210304:detection:3b8c16f, author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace}, title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}}, date = {2021-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html}, language = {English}, urldate = {2021-03-10} } @techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } @online{brook:20120725:new:67f3d60, author = {Chris Brook}, title = {{New and Improved Madi Spyware Campaign Continues}}, date = {2012-07-25}, organization = {Threatpost}, url = {https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/}, language = {English}, urldate = {2019-12-17} } @online{brook:20140306:dexter:45b31c6, author = {Chris Brook}, title = {{Dexter, Project Hook POS Malware Campaigns Persist}}, date = {2014-03-06}, organization = {Threatpost}, url = {https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/}, language = {English}, urldate = {2021-01-29} } @online{brook:20160425:attackers:61e599a, author = {Chris Brook}, title = {{Attackers Behind GozNym Trojan Set Sights on Europe}}, date = {2016-04-25}, organization = {Threat Post}, url = {https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/}, language = {English}, urldate = {2019-11-23} } @online{brook:20160823:goznym:29466b9, author = {Chris Brook}, title = {{GozNym Banking Trojan Targeting German Banks}}, date = {2016-08-23}, organization = {Threatpost}, url = {https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/}, language = {English}, urldate = {2020-01-08} } @online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } @online{brooks:20200602:malware:bc0b560, author = {Casey Brooks}, title = {{tweet on malware called dnstunnel RAT}}, date = {2020-06-02}, organization = {Twitter (@DrunkBinary)}, url = {https://twitter.com/DrunkBinary/status/1267568386516692992}, language = {English}, urldate = {2020-06-05} } @techreport{brooks:20201210:open:5c64c56, author = {Casey Brooks and Selena Larson}, title = {{Open Source Intelligence}}, date = {2020-12-10}, institution = {Dragos}, url = {https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Dragos-OSINT-Framework.pdf}, language = {English}, urldate = {2021-01-01} } @online{broom:20240605:exmatter:e654085, author = {David Broom and Gavin Hull}, title = {{Exmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data targeting}}, date = {2024-06-05}, organization = {S-RM}, url = {https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up}, language = {English}, urldate = {2024-06-12} } @online{brown:20181025:new:7234825, author = {Sophia Brown}, title = {{New sLoad malware downloader being leveraged by APT group TA554 to spread Ramnit}}, date = {2018-10-25}, url = {https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9}, language = {English}, urldate = {2019-11-22} } @online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } @online{brown:20200507:detecting:5059f43, author = {Jesse Brown}, title = {{Detecting COR_PROFILER manipulation for persistence}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/cor_profiler-for-persistence/}, language = {English}, urldate = {2020-06-02} } @techreport{brown:20210118:egregor:a2ab774, author = {Adam Brown and Harold Rodriguez}, title = {{Egregor: The Ghost of Soviet Bears Past Haunts On}}, date = {2021-01-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf}, language = {English}, urldate = {2021-02-02} } @online{brown:20220308:does:94c6c3e, author = {Rufus Brown and Van Ta and Douglas Bienstock and Geoff Ackerman and John Wolfram}, title = {{Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments}}, date = {2022-03-08}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/apt41-us-state-governments}, language = {English}, urldate = {2022-03-10} } @online{brown:20220428:lapsus:c7cd787, author = {David Brown and Michael Matthews and Rob Smallridge}, title = {{LAPSUS$: Recent techniques, tactics and procedures}}, date = {2022-04-28}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/}, language = {English}, urldate = {2022-04-29} } @online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot}, language = {English}, urldate = {2022-07-28} } @online{brucato:20230711:scarleteel:99c59bb, author = {Alessandro Brucato}, title = {{SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto}}, date = {2023-07-11}, organization = {sysdig}, url = {https://sysdig.com/blog/scarleteel-2-0/}, language = {English}, urldate = {2023-11-17} } @online{bruce:20241003:disrupting:e6ac3fe, author = {Alyson Bruce}, title = {{Disrupting COLDRIVER: U.S. court orders seizure of domains used in Russian cyberattacks}}, date = {2024-10-03}, organization = {CitizenLab}, url = {https://citizenlab.ca/2024/10/disrupting-coldriver/}, language = {English}, urldate = {2024-11-25} } @online{bruell:20220204:cyberattack:fca25a5, author = {Alexandra Bruell and Sadie Gurman}, title = {{Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others}}, date = {2022-02-04}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/cyberattack-on-news-corp-believed-linked-to-china-targeted-emails-of-journalists-others-11643979328?st=yrhf72fjgcuccqv&reflink=desktopwebshare_permalink}, language = {English}, urldate = {2022-02-07} } @online{brulez:20211120:unpacking:b26d2fb, author = {Nicolas Brulez}, title = {{Unpacking Emotet and Reversing Obfuscated Word Document}}, date = {2021-11-20}, organization = {Youtube (HEXORCIST)}, url = {https://www.youtube.com/watch?v=AkZ5TYBqcU4}, language = {English}, urldate = {2021-12-20} } @online{brulez:20220119:whispergate:a81ff16, author = {Nicolas Brulez}, title = {{WhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack 2022}}, date = {2022-01-19}, organization = {Youtube (HEXORCIST)}, url = {https://www.youtube.com/watch?v=2nd-f1dIfD4}, language = {English}, urldate = {2022-01-24} } @online{brumaghin:20160711:when:0155a0a, author = {Edmund Brumaghin and Warren Mercer}, title = {{When Paying Out Doesn't Pay Off}}, date = {2016-07-11}, organization = {Talos}, url = {http://blog.talosintel.com/2016/07/ranscam.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20160927:threat:30fd53f, author = {Edmund Brumaghin}, title = {{Threat Spotlight: GozNym}}, date = {2016-09-27}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/goznym/}, language = {English}, urldate = {2023-04-18} } @online{brumaghin:20160929:want:8e6b2f6, author = {Edmund Brumaghin}, title = {{Want Tofsee My Pictures? A Botnet Gets Aggressive}}, date = {2016-09-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/tofsee-spam/}, language = {English}, urldate = {2023-02-27} } @online{brumaghin:20170302:covert:32e078f, author = {Edmund Brumaghin and Colin Grady}, title = {{Covert Channels and Poor Decisions: The Tale of DNSMessenger}}, date = {2017-03-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2017/03/dnsmessenger.html}, language = {English}, urldate = {2023-07-05} } @online{brumaghin:20170918:ccleanup:5ba0369, author = {Edmund Brumaghin and Ross Gibb and Warren Mercer and Matthew Molyett and Craig Williams}, title = {{CCleanup: A Vast Number of Machines at Risk}}, date = {2017-09-18}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20170920:ccleaner:e034063, author = {Edmund Brumaghin and Earl Carter and Warren Mercer and Matthew Molyett and Matthew Olney and Paul Rascagnères and Craig Williams}, title = {{CCleaner Command and Control Causes Concern}}, date = {2017-09-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20171011:spoofed:9f0fc69, author = {Edmund Brumaghin and Colin Grady and Dave Maynor and @Simpo13}, title = {{Spoofed SEC Emails Distribute Evolved DNSMessenger}}, date = {2017-10-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } @online{brumaghin:20180306:gozi:6146f77, author = {Edmund Brumaghin and Holger Unterbrink and Adam Weller}, title = {{Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution}}, date = {2018-03-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20180626:files:661b639, author = {Edmund Brumaghin and Earl Carter and Andrew Williams}, title = {{Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor}}, date = {2018-06-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } @online{brumaghin:20180926:vpnfilter:343892a, author = {Edmund Brumaghin}, title = {{VPNFilter III: More Tools for the Swiss Army Knife of Malware}}, date = {2018-09-26}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20181108:metamorfo:d12fe7e, author = {Edmund Brumaghin and Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Metamorfo Banking Trojan Keeps Its Sights on Brazil}}, date = {2018-11-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20190130:fake:3499d4e, author = {Edmund Brumaghin and Paul Rascagnères and Jungsoo An}, title = {{Fake Cisco Job Posting Targets Korean Candidates}}, date = {2019-01-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html}, language = {English}, urldate = {2023-09-07} } @online{brumaghin:20190415:new:bf931b1, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{New HawkEye Reborn Variant Emerges Following Ownership Change}}, date = {2019-04-15}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20190828:rat:dadd9c5, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{RAT Ratatouille: Backdooring PCs with leaked RATs}}, date = {2019-08-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html}, language = {English}, urldate = {2020-01-13} } @online{brumaghin:20190926:divergent:2d282a0, author = {Edmund Brumaghin}, title = {{Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host}}, date = {2019-09-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/divergent-analysis.html}, language = {English}, urldate = {2019-10-24} } @online{brumaghin:20200423:threat:4f7f840, author = {Edmund Brumaghin and Amit Raut}, title = {{Threat Spotlight: MedusaLocker}}, date = {2020-04-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/medusalocker.html}, language = {English}, urldate = {2020-04-26} } @online{brumaghin:20210812:vice:c55624f, author = {Edmund Brumaghin and Joe Marshall and Arnaud Zobec}, title = {{Vice Society Leverages PrintNightmare In Ransomware Attacks}}, date = {2021-08-12}, url = {https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html}, language = {English}, urldate = {2021-08-15} } @online{brumaghin:20210831:attracting:5d141c1, author = {Edmund Brumaghin and Vitor Ventura}, title = {{Attracting flies with Honey(gain): Adversarial abuse of proxyware}}, date = {2021-08-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/proxyware-abuse.html}, language = {English}, urldate = {2021-09-02} } @online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } @online{brumaghin:20220405:threat:da8955e, author = {Edmund Brumaghin and Alex Karkins}, title = {{Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter}}, date = {2022-04-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html}, language = {English}, urldate = {2022-04-07} } @online{brumaghin:20220414:haskers:77516e0, author = {Edmund Brumaghin and Vanja Svajcer}, title = {{"Haskers Gang" Introduces New ZingoStealer}}, date = {2022-04-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/haskers-gang-zingostealer/}, language = {English}, urldate = {2022-11-02} } @online{brumaghin:20220414:threat:45dba55, author = {Edmund Brumaghin and Vanja Svajcer and Michael Chen}, title = {{Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer}}, date = {2022-04-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html}, language = {English}, urldate = {2022-04-15} } @online{brumaghin:20220804:attackers:682f446, author = {Edmund Brumaghin and Azim Khodjibaev and Matt Thaxton and Arnaud Zobec}, title = {{Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns}}, date = {2022-08-04}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/dark-utilities/}, language = {English}, urldate = {2023-03-23} } @online{brumaghin:20221109:threat:151d926, author = {Edmund Brumaghin}, title = {{Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns}}, date = {2022-11-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/ipfs-abuse/}, language = {English}, urldate = {2022-11-11} } @online{brumaghin:20230322:emotet:fa8054c, author = {Edmund Brumaghin and Jaeson Schultz}, title = {{Emotet Resumes Spam Operations, Switches to OneNote}}, date = {2023-03-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/emotet-switches-to-onenote/}, language = {English}, urldate = {2023-03-23} } @online{brumaghin:20230404:typhon:8666307, author = {Edmund Brumaghin}, title = {{Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities}}, date = {2023-04-04}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/}, language = {English}, urldate = {2023-04-08} } @online{brumaghin:20230831:sapphirestealer:59b335d, author = {Edmund Brumaghin}, title = {{SapphireStealer: Open-source information stealer enables credential and data theft}}, date = {2023-08-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/sapphirestealer-goes-open-source/}, language = {English}, urldate = {2023-09-01} } @online{brumaghin:20241023:highlighting:43a1751, author = {Edmund Brumaghin and Jordyn Dunk and Nicole Hoffman and Holger Unterbrink}, title = {{Highlighting TA866/Asylum Ambuscade Activity Since 2021}}, date = {2024-10-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/}, language = {English}, urldate = {2024-10-25} } @online{brumaghin:20241023:threat:e0d1dd3, author = {Edmund Brumaghin and Jordyn Dunk and Nicole Hoffman and Holger Unterbrink}, title = {{Threat Spotlight: WarmCookie/BadSpace}}, date = {2024-10-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/warmcookie-analysis/}, language = {English}, urldate = {2024-10-25} } @online{brumaghin:20250513:defining:ed8fb52, author = {Edmund Brumaghin and Asheer Malhotra and Ashley Shen and Vitor Ventura}, title = {{Defining a new methodology for modeling and tracking compartmentalized threats}}, date = {2025-05-13}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/compartmentalized-threat-modeling/}, language = {English}, urldate = {2025-05-20} } @online{brumfield:20221115:cybercrime:53e048f, author = {Cynthia Brumfield}, title = {{Cybercrime is more of a threat than nation-state hackers}}, date = {2022-11-15}, organization = {README_SYNACK}, url = {https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721}, language = {English}, urldate = {2024-02-08} } @online{bruneau:20210327:malware:91319b0, author = {Guy Bruneau}, title = {{Malware Analysis with elastic-agent and Microsoft Sandbox}}, date = {2021-03-27}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Malware+Analysis+with+elasticagent+and+Microsoft+Sandbox/27248/}, language = {English}, urldate = {2021-03-31} } @online{bruneau:20221218:infostealer:12fb43f, author = {Guy Bruneau}, title = {{Infostealer Malware with Double Extension}}, date = {2022-12-18}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354}, language = {English}, urldate = {2022-12-20} } @online{brunsdon:20250114:one:60f340e, author = {David Brunsdon}, title = {{One Mikro Typo: How a simple DNS misconfiguration enables malware delivery by a Russian botnet}}, date = {2025-01-14}, organization = {Infoblox}, url = {https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/}, language = {English}, urldate = {2025-02-03} } @online{bruppacher:20220321:vpn:f61b485, author = {Benjamin Bruppacher}, title = {{VPN Appliance Forensics}}, date = {2022-03-21}, organization = {COMPASS SECURITY}, url = {https://blog.compass-security.com/2022/03/vpn-appliance-forensics/}, language = {English}, urldate = {2022-03-24} } @techreport{bruvoll:20200603:handling:7de6da3, author = {Janita A. Bruvoll and Aasmund Thuv and Geir Enemo}, title = {{Handling of ICT security incidents in Health South-East and the county governor's offices - an assessment (APT31 page-37)}}, date = {2020-06-03}, institution = {Norwegian Defence Research Establishment (FFI)}, url = {https://publications.ffi.no/nb/item/asset/dspace:6767/20-01560.pdf}, language = {Norwegian}, urldate = {2021-06-24} } @online{bryan:20210310:monitoring:479d8b5, author = {Pete Bryan}, title = {{Monitoring the Software Supply Chain with Azure Sentinel}}, date = {2021-03-10}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463}, language = {English}, urldate = {2021-03-12} } @online{bryan:20210310:sample:874c31f, author = {Pete Bryan}, title = {{Tweet on Sample KQL query for detecting usage of HAFNIUM PoC code floating ITW}}, date = {2021-03-10}, organization = {Twitter (@MSSPete)}, url = {https://twitter.com/MSSPete/status/1369749166893588480}, language = {English}, urldate = {2021-03-12} } @online{bryan:20211117:creating:b3fac06, author = {Pete Bryan}, title = {{Creating your first Microsoft Sentinel Notebook}}, date = {2021-11-17}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/creating-your-first-microsoft-sentinel-notebook/ba-p/2977745#.YZXCGrsENGQ.twitter}, language = {English}, urldate = {2021-11-19} } @online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics & Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } @techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } @online{bryce:20210122:grimagent:611b917, author = {Bryce}, title = {{Tweet on GRIMAGENT malware used by UNC1878 during some #RYUK intrusions in 2020}}, date = {2021-01-22}, organization = {Twitter (@bryceabdo)}, url = {https://twitter.com/bryceabdo/status/1352359414746009608}, language = {English}, urldate = {2021-02-06} } @online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } @online{buchka:20160303:attack:fa7a7ba, author = {Nikita Buchka and Mikhail Kuzin}, title = {{Attack on Zygote: a new twist in the evolution of mobile threats}}, date = {2016-03-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20161228:switcher:a2408dd, author = {Nikita Buchka}, title = {{Switcher: Android joins the ‘attack-the-router’ club}}, date = {2016-12-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20171218:jack:5842578, author = {Nikita Buchka and Anton Kivva and Dmitry Galov}, title = {{Jack of all trades}}, date = {2017-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/jack-of-all-trades/83470/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20180116:skygofree:4e0990c, author = {Nikita Buchka and Alexey Firsh}, title = {{Skygofree: Following in the footsteps of HackingTeam}}, date = {2018-01-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/}, language = {English}, urldate = {2019-12-20} } @online{bucket:20140330:ioc:053d0b0, author = {IOC Bucket}, title = {{IOC Bucket for Putter Panda}}, date = {2014-03-30}, organization = {IOC Bucket}, url = {https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31}, language = {English}, urldate = {2020-01-09} } @online{bucur:20220317:avira:fe8909a, author = {Ionut Bucur and Avira Protection Labs}, title = {{Avira Labs Research Reveals Hydra Banking Trojan 2.0 targeting a wider network of German and Austrian banks}}, date = {2022-03-17}, organization = {Avira}, url = {https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0}, language = {English}, urldate = {2022-03-17} } @online{budaca:20210413:from:5df70c8, author = {Eduard Budaca and Bogdan Botezatu}, title = {{From Cracks to Empty Wallets – How Popular Cracks Lead to Digital Currency and Data Theft}}, date = {2021-04-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/04/from-cracks-to-empty-wallets-how-popular-cracks-lead-to-digital-currency-and-data-theft/}, language = {English}, urldate = {2021-05-04} } @online{budd:20150916:operation:7889703, author = {Christopher Budd}, title = {{Operation Iron Tiger: Attackers Shift from East Asia to the United States}}, date = {2015-09-16}, organization = {Trend Micro}, url = {http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states}, language = {English}, urldate = {2019-12-17} } @online{buescher:20210514:how:23df023, author = {Armin Buescher and Gokulakrishnan S}, title = {{How Flubot targets Android phone users and their money}}, date = {2021-05-14}, organization = {NortonLifeLock}, url = {https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users}, language = {English}, urldate = {2021-05-19} } @techreport{buggenhout:2014:history:049d4d1, author = {Erik Van Buggenhout}, title = {{A history of ATM violence}}, date = {2014}, institution = {nviso}, url = {http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{buguroo:20210315:toddler:ce25cc1, author = {Buguroo}, title = {{Toddler: Credential theft through overlays and accessibility event logging}}, date = {2021-03-15}, institution = {Buguroo}, url = {https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf}, language = {English}, urldate = {2021-05-13} } @online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } @online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } @online{bukhteyev:20210727:timeproven:d927632, author = {Alexey Bukhteyev and Raman Ladutska}, title = {{Time-proven tricks in a new environment: the macOS evolution of Formbook}}, date = {2021-07-27}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/}, language = {English}, urldate = {2021-07-29} } @online{bukhteyev:20211216:phorpiex:cef1b8e, author = {Alexey Bukhteyev}, title = {{Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions}}, date = {2021-12-16}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/}, language = {English}, urldate = {2021-12-17} } @online{bukhteyev:20220531:xloader:f9d6f5f, author = {Alexey Bukhteyev and Raman Ladutska}, title = {{XLoader Botnet: Find Me If You Can}}, date = {2022-05-31}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/}, language = {English}, urldate = {2022-05-31} } @online{bukhteyev:20230522:cloudbased:6c7f9dd, author = {Alexey Bukhteyev and Arie Olshtein}, title = {{Cloud-based Malware Delivery: The Evolution of GuLoader}}, date = {2023-05-22}, organization = {Check Point}, url = {https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/}, language = {English}, urldate = {2023-05-23} } @online{bukhteyev:20230919:unveiling:1ebf179, author = {Alexey Bukhteyev and Arie Olshtein}, title = {{Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos}}, date = {2023-09-19}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/}, language = {English}, urldate = {2023-09-20} } @online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } @online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } @online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } @online{bunce:20200820:dbatloadermodiloader:6cccf7e, author = {Daniel Bunce}, title = {{DBatLoader/ModiLoader Analysis – First Stage}}, date = {2020-08-20}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/}, language = {English}, urldate = {2020-08-25} } @online{bunce:20210706:new:36ccc46, author = {Daniel Bunce and 0verfl0w_}, title = {{New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings}}, date = {2021-07-06}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/}, language = {English}, urldate = {2021-07-11} } @online{bunce:20210724:quack:ddda5cd, author = {Daniel Bunce}, title = {{Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1}}, date = {2021-07-24}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/}, language = {English}, urldate = {2021-08-02} } @online{bunce:20240410:resolving:12b1803, author = {Daniel Bunce}, title = {{Resolving Stack Strings with Capstone Disassembler & Unicorn in Python}}, date = {2024-04-10}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/capstone-resolving-stack-strings/}, language = {English}, urldate = {2024-04-15} } @techreport{bundeskriminalamt:20200821:mgliche:fbbf1b2, author = {Bundeskriminalamt}, title = {{Mögliche Cyberspionage mittels der Schadsoftware GOLDENSPY}}, date = {2020-08-21}, institution = {Bundeskriminalamt}, url = {https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf}, language = {German}, urldate = {2020-08-27} } @online{bundeskriminalamt:20210127:infrastruktur:eb4ede6, author = {Bundeskriminalamt}, title = {{In­fra­struk­tur der Emo­tet-Schad­soft­wa­re zer­schla­gen}}, date = {2021-01-27}, organization = {Bundeskriminalamt}, url = {https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html}, language = {German}, urldate = {2021-01-27} } @online{bundeskriminalamt:20220405:illegal:2a9f4fb, author = {BKA (Bundeskriminalamt)}, title = {{Illegal darknet marketplace "Hydra Market" shut down}}, date = {2022-04-05}, organization = {Bundeskriminalamt}, url = {https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2022/Presse2022/220405_PM_IllegalerDarknetMarktplatz.html}, language = {English}, urldate = {2022-04-15} } @online{buonopane:20190201:information:2fbf14a, author = {Paul Buonopane}, title = {{Information about lnkr5, malware distributed via Chrome extensions}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr}, language = {English}, urldate = {2020-05-05} } @online{buonopane:20190201:lnkr:f79885e, author = {Paul Buonopane}, title = {{LNKR - Extension analysis - Flash Playlist}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md}, language = {English}, urldate = {2020-05-05} } @online{burbage:20180416:rat:3c30776, author = {Paul Burbage and Mike Mimoso}, title = {{RAT Gone Rogue: Meet ARS VBS Loader}}, date = {2018-04-16}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/}, language = {English}, urldate = {2019-12-17} } @online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } @online{burbage:20181102:new:4781b19, author = {Paul Burbage}, title = {{Tweet on New Stealer}}, date = {2018-11-02}, organization = {Twitter (@hexlax)}, url = {https://twitter.com/hexlax/status/1058356670835908610}, language = {English}, urldate = {2020-01-07} } @online{burbage:20191228:tale:2e5f361, author = {Paul Burbage}, title = {{The Tale of the Pija-Droid Firefinch}}, date = {2019-12-28}, url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2}, language = {English}, urldate = {2020-02-14} } @online{burchard:20200528:berlin:c5c42b4, author = {Hans von der Burchard and Laurens Cerulus}, title = {{Berlin seeks sanctions against Russian hackers over Bundestag cyberattack}}, date = {2020-05-28}, organization = {POLITICO}, url = {https://www.politico.eu/article/berlin-sanctions-against-russian-hacker-bundestag-cyberattack-angela-merkel-gru/}, language = {English}, urldate = {2020-05-29} } @online{bureau:20121218:malicious:c863bcf, author = {Pierre-Marc Bureau}, title = {{Malicious Apache module used for content injection: Linux/Chapro.A}}, date = {2012-12-18}, organization = {ESET Research}, url = {http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a}, language = {English}, urldate = {2019-12-20} } @online{bureau:20130426:linuxcdorkeda:ab3e321, author = {Pierre-Marc Bureau}, title = {{Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole}}, date = {2013-04-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20130925:win32napolar:aba54b1, author = {Pierre-Marc Bureau}, title = {{Win32/Napolar – A new bot on the block}}, date = {2013-09-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20140318:operation:1b1bd17, author = {Pierre-Marc Bureau}, title = {{Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign}}, date = {2014-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20200305:vietnam:23ec4c0, author = {Microstep Intelligence Bureau}, title = {{Vietnam National Background APT organization "Sea Lotus" used the topic of the epidemic to attack our government agencies}}, date = {2020-03-05}, organization = {Microstep Intelligence Bureau}, url = {https://m.threatbook.cn/detail/2527}, language = {Chinese}, urldate = {2020-04-26} } @online{bureau:20220907:initial:d1975b3, author = {Pierre-Marc Bureau and Google Threat Analysis Group}, title = {{Initial access broker repurposing techniques in targeted attacks against Ukraine}}, date = {2022-09-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/}, language = {English}, urldate = {2022-09-13} } @online{burgess:20200821:evolution:6d5c407, author = {Josh Burgess and Steve Ginty}, title = {{The Evolution of Ransomware & Pinchy Spider's Shot at the Title}}, date = {2020-08-21}, organization = {Vimeo (RiskIQ)}, url = {https://vimeo.com/449849549}, language = {English}, urldate = {2020-08-25} } @techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } @online{burgess:20210420:how:53fecfc, author = {Will Burgess}, title = {{How attackers abuse Access Token Manipulation (ATT&CK T1134)}}, date = {2021-04-20}, organization = {Elastic}, url = {https://www.elastic.co/blog/how-attackers-abuse-access-token-manipulation}, language = {English}, urldate = {2021-04-28} } @online{burgess:20210914:russia:5afacc3, author = {Christopher Burgess}, title = {{Russia is fully capable of shutting down cybercrime}}, date = {2021-09-14}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3632943/russia-is-fully-capable-of-shutting-down-cybercrime.html}, language = {English}, urldate = {2021-09-14} } @online{burgess:20220201:inside:0e154c3, author = {Matt Burgess}, title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}}, date = {2022-02-01}, organization = {Wired}, url = {https://www.wired.co.uk/article/trickbot-malware-group-internal-messages}, language = {English}, urldate = {2022-02-09} } @online{burgess:20220201:inside:bb20f12, author = {Matt Burgess}, title = {{Inside Trickbot, Russia’s Notorious Ransomware Gang}}, date = {2022-02-01}, organization = {Wired}, url = {https://www.wired.com/story/trickbot-malware-group-internal-messages/}, language = {English}, urldate = {2022-02-02} } @online{burgess:20240422:north:013e0fc, author = {Matt Burgess}, title = {{North Koreans Secretly Animated Amazon and Max Shows, Researchers Say}}, date = {2024-04-22}, organization = {Wired}, url = {https://www.wired.com/story/north-korea-amazon-max-animation-exposed-server/}, language = {English}, urldate = {2024-04-29} } @online{burgher:20210610:backdoordiplomacy:4ebcb1d, author = {Adam Burgher}, title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}}, date = {2021-06-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/}, language = {English}, urldate = {2022-06-08} } @online{burgher:20221207:fantasy:dcf8f84, author = {Adam Burgher}, title = {{Fantasy – a new Agrius wiper deployed through a supply‑chain attack}}, date = {2022-12-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/}, language = {English}, urldate = {2022-12-08} } @online{burks:20220216:quick:e515983, author = {Doug Burks}, title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}}, date = {2022-02-16}, organization = {Security Onion}, url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html}, language = {English}, urldate = {2022-02-17} } @online{burnel:20220225:le:9689415, author = {Florian Burnel}, title = {{Le ransomware Cuba s’en prend aux serveurs Exchange}}, date = {2022-02-25}, organization = {IT-Connect (FR)}, url = {https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/}, language = {French}, urldate = {2022-03-01} } @techreport{burns:20210119:remediation:044c1db, author = {Mike Burns and Matthew McWhirt and Douglas Bienstock and Nick Bennett}, title = {{Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 (WHITE PAPER)}}, date = {2021-01-19}, institution = {Mandiant}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf}, language = {English}, urldate = {2021-01-21} } @online{burns:20210119:remediation:76c7695, author = {Mike Burns and Matthew McWhirt and Douglas Bienstock and Nick Bennett}, title = {{Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452}}, date = {2021-01-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html}, language = {English}, urldate = {2021-01-21} } @online{burt:20190327:new:9ba6b3b, author = {Tom Burt}, title = {{New steps to protect customers from hacking}}, date = {2019-03-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/}, language = {English}, urldate = {2020-01-13} } @online{burt:20200310:new:251948a, author = {Tom Burt}, title = {{New action to disrupt world’s largest online criminal network}}, date = {2020-03-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/}, language = {English}, urldate = {2020-03-11} } @online{burt:20200707:microsoft:3300f46, author = {Tom Burt}, title = {{Microsoft takes legal action against COVID-19-related cybercrime}}, date = {2020-07-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/}, language = {English}, urldate = {2020-07-08} } @online{burt:20200910:new:ec117be, author = {Tom Burt}, title = {{New cyberattacks targeting U.S. elections}}, date = {2020-09-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/}, language = {English}, urldate = {2020-09-10} } @online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } @online{burt:20201020:update:12549c2, author = {Tom Burt}, title = {{An update on disruption of Trickbot}}, date = {2020-10-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/}, language = {English}, urldate = {2020-10-23} } @online{burt:20201028:cyberattacks:89b0105, author = {Tom Burt}, title = {{Cyberattacks target international conference attendees (APT35/PHOSPHORUS)}}, date = {2020-10-28}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/}, language = {English}, urldate = {2020-10-29} } @online{burt:20201105:gitpaste12:a3f5e87, author = {Alex Burt and Trevor Pott}, title = {{Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin}}, date = {2020-11-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/gitpaste-12}, language = {English}, urldate = {2020-11-09} } @online{burt:20201113:cyberattacks:d848567, author = {Tom Burt}, title = {{Cyberattacks targeting health care must stop}}, date = {2020-11-13}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/}, language = {English}, urldate = {2020-11-18} } @online{burt:20201221:cyber:23a768f, author = {Tom Burt}, title = {{Cyber Mercenaries Don’t Deserve Immunity}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/12/21/cyber-immunity-nso/}, language = {English}, urldate = {2020-12-23} } @online{burt:20210302:new:622d7b8, author = {Tom Burt}, title = {{New nation-state cyberattacks (HAFNIUM)}}, date = {2021-03-02}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/}, language = {English}, urldate = {2022-04-14} } @online{burt:20210527:another:bcd55b9, author = {Tom Burt}, title = {{Another Nobelium Cyberattack}}, date = {2021-05-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/}, language = {English}, urldate = {2021-06-09} } @online{burt:20210530:defend:3e06dec, author = {Tom Burt}, title = {{Defend and deter}}, date = {2021-05-30}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/05/30/nobelium-cybersecurity-cyberattacks-phishing/}, language = {English}, urldate = {2022-04-15} } @online{burt:20211007:russian:eab9ca4, author = {Tom Burt}, title = {{Russian cyberattacks pose greater risk to governments and other insights from our annual report}}, date = {2021-10-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/10/07/digital-defense-report-2021/}, language = {English}, urldate = {2022-04-15} } @online{burt:20211024:new:3afd953, author = {Tom Burt}, title = {{New activity from Russian actor Nobelium}}, date = {2021-10-24}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/?ocid=usoc_TWITTER_M365_spl100002625922692}, language = {English}, urldate = {2021-11-02} } @online{burt:20211206:protecting:1e30e3d, author = {Tom Burt}, title = {{Protecting people from recent cyberattacks}}, date = {2021-12-06}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/12/06/cyberattacks-nickel-dcu-china/}, language = {English}, urldate = {2021-12-08} } @online{burt:20220115:malware:5f4e2d4, author = {Tom Burt}, title = {{Malware attacks targeting Ukraine government (DEV-0586)}}, date = {2022-01-15}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/}, language = {English}, urldate = {2022-04-15} } @online{burt:20220316:blackberry:96c470c, author = {Jeff Burt}, title = {{BlackBerry says extortionists erase documents if ransom unpaid}}, date = {2022-03-16}, organization = {The Register}, url = {https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/}, language = {English}, urldate = {2022-03-17} } @online{burt:20220322:this:2834162, author = {Jeff Burt}, title = {{This is a BlackCat you don't want crossing your path}}, date = {2022-03-22}, organization = {The Register}, url = {https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/}, language = {English}, urldate = {2022-03-23} } @online{burt:20220322:what:a42ef40, author = {Jeff Burt}, title = {{What does Go-written malware look like? Here's a sample under the microscope}}, date = {2022-03-22}, organization = {The Register}, url = {https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/}, language = {English}, urldate = {2022-03-25} } @online{burt:20220407:disrupting:8f3a3d9, author = {Tom Burt}, title = {{Disrupting cyberattacks targeting Ukraine (APT28)}}, date = {2022-04-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/04/07/cyberattacks-ukraine-strontium-russia/}, language = {English}, urldate = {2022-04-12} } @online{burt:20241010:internet:8724584, author = {Jeffrey Burt}, title = {{Internet Archive is Attacked and 31 Million Files Stolen}}, date = {2024-10-10}, organization = {Security Boulevard}, url = {https://securityboulevard.com/?p=2033037}, language = {English}, urldate = {2024-11-04} } @online{burton:20211222:crowdstrike:bdf017f, author = {Randy Burton and Ian Barton}, title = {{CrowdStrike Launches Free Targeted Log4j Search Tool}}, date = {2021-12-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/free-targeted-log4j-search-tool/}, language = {English}, urldate = {2022-01-05} } @online{burton:20240423:muddling:723b9bf, author = {Renée Burton}, title = {{Muddling Meerkat: The Great Firewall Manipulator}}, date = {2024-04-23}, organization = {Infoblox}, url = {https://insights.infoblox.com/resources-report/infoblox-report-muddling-meerkat-the-great-firewall-manipulator}, language = {English}, urldate = {2024-05-06} } @online{bushidotoken:20200509:turkey:a764ff0, author = {BushidoToken}, title = {{Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns}}, date = {2020-05-09}, organization = {BushidoToken}, url = {https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html}, language = {English}, urldate = {2020-05-13} } @online{bushidotoken:20200528:ozh:d9cd398, author = {BushidoToken}, title = {{Tweet on OZH RAT}}, date = {2020-05-28}, organization = {Twitter (@BushidoToken)}, url = {https://twitter.com/BushidoToken/status/1266075992679948289}, language = {English}, urldate = {2020-05-29} } @online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } @online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } @online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } @online{bushidotoken:20220626:overview:97370ff, author = {BushidoToken}, title = {{Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022}}, date = {2022-06-26}, url = {https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html}, language = {English}, urldate = {2022-08-09} } @online{bushidotoken:20220731:space:636e570, author = {BushidoToken}, title = {{Space Invaders: Cyber Threats That Are Out Of This World}}, date = {2022-07-31}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html}, language = {English}, urldate = {2022-08-02} } @online{bushidotoken:20221126:detecting:e5cee52, author = {BushidoToken}, title = {{Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms}}, date = {2022-11-26}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html}, language = {English}, urldate = {2022-11-28} } @online{bushidotoken:20230524:unmasking:7b4ab5b, author = {BushidoToken}, title = {{Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz}}, date = {2023-05-24}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html}, language = {English}, urldate = {2023-08-01} } @online{bushidotoken:20230826:tracking:b81bab9, author = {BushidoToken}, title = {{Tracking Adversaries: Scattered Spider, the BlackCat affiliate}}, date = {2023-08-26}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html}, language = {English}, urldate = {2023-11-17} } @online{bushidotoken:20240306:tracking:0b05bbf, author = {BushidoToken}, title = {{Tracking Adversaries: UAC-0050, Cracking The DaVinci Code}}, date = {2024-03-06}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2024/03/tracking-adversaries-uac-0050-cracking.html}, language = {English}, urldate = {2024-05-06} } @online{bushidotoken:20240404:about:74cdada, author = {BushidoToken}, title = {{Tweet about the SEXi Ransomware attack on IXMETRO POWERHOST}}, date = {2024-04-04}, organization = {Twitter (@BushidoToken)}, url = {https://x.com/BushidoToken/status/1775843087736025175}, language = {English}, urldate = {2024-12-11} } @online{bushidotoken:20240922:russian:bc93190, author = {BushidoToken}, title = {{The Russian APT Tool Matrix}}, date = {2024-09-22}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2024/09/the-russian-apt-tool-matrix.html}, language = {English}, urldate = {2025-02-03} } @online{bushidotoken:20250402:tracking:1b55b8c, author = {BushidoToken}, title = {{Tracking Adversaries: EvilCorp, the RansomHub affiliate}}, date = {2025-04-02}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2025/04/tracking-adversaries-evilcorp-ransomhub.html}, language = {English}, urldate = {2025-04-09} } @online{bussoletti:20230116:cybercrime:56e622c, author = {Francesco Bussoletti}, title = {{Cybercrime, RFQ from Turkey carries AgentTesla and zgRAT}}, date = {2023-01-16}, organization = {Difesa & Sicurezza}, url = {https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/}, language = {English}, urldate = {2023-09-18} } @online{bustami:20171004:continued:0703924, author = {Mo Bustami}, title = {{Continued Activity targeting the Middle East}}, date = {2017-10-04}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html}, language = {English}, urldate = {2023-06-19} } @online{bustami:20180102:burping:c29dd52, author = {Mo Bustami}, title = {{Burping on MuddyWater}}, date = {2018-01-02}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html}, language = {English}, urldate = {2023-06-19} } @online{bustami:20180301:quick:0c82eea, author = {Mo Bustami}, title = {{A Quick Dip into MuddyWater's Recent Activity}}, date = {2018-03-01}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html}, language = {English}, urldate = {2023-06-19} } @online{bustami:20180508:clearing:fbf1a99, author = {Mo Bustami}, title = {{Clearing the MuddyWater - Analysis of new MuddyWater Samples}}, date = {2018-05-08}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html}, language = {English}, urldate = {2023-06-19} } @online{bustami:20181213:powersing:2a7b1db, author = {Mo Bustami}, title = {{POWERSING - From LNK Files To Janicab Through YouTube & Twitter}}, date = {2018-12-13}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html}, language = {English}, urldate = {2020-08-25} } @online{butler:20210707:elastic:8a709bf, author = {Jamie Butler}, title = {{Elastic Security prevents 100% of REvil ransomware samples}}, date = {2021-07-07}, organization = {Elastic}, url = {https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter}, language = {English}, urldate = {2021-07-12} } @online{butler:20230126:over:b62647c, author = {Zak Butler and Jonas Taege and Google Threat Analysis Group}, title = {{Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022}}, date = {2023-01-26}, organization = {Google}, url = {https://blog.google/threat-analysis-group/over-50000-instances-of-dragonbridge-activity-disrupted-in-2022/}, language = {English}, urldate = {2023-04-22} } @online{byers:20200908:ghostdnsbusters:9531dcd, author = {Nick Byers and Manabu Niseki and CERT-BR}, title = {{GhostDNSbusters: Illuminating GhostDNS Infrastructure}}, date = {2020-09-08}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/09/08/ghostdnsbusters/}, language = {English}, urldate = {2020-09-15} } @online{bykkaya:20220308:contiransomwareioc:57c8ab1, author = {Arda Büyükkaya}, title = {{Conti-Ransomware-IOC}}, date = {2022-03-08}, organization = {Github (whichbuffer)}, url = {https://github.com/whichbuffer/Conti-Ransomware-IOC}, language = {English}, urldate = {2022-03-10} } @online{bykkaya:20220406:karakurt:7471190, author = {Arda Büyükkaya}, title = {{Karakurt Hacking Team Indicators of Compromise (IOC)}}, date = {2022-04-06}, organization = {Github (infinitumlabs)}, url = {https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI}, language = {English}, urldate = {2022-04-08} } @online{bykkaya:20220408:threat:cbbf292, author = {Arda Büyükkaya}, title = {{Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team}}, date = {2022-04-08}, organization = {Infinitum Labs}, url = {https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/}, language = {English}, urldate = {2022-04-08} } @online{bykkaya:20220804:lockbit:15879e8, author = {Arda Büyükkaya}, title = {{LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool}}, date = {2022-08-04}, organization = {YouTube (Arda Büyükkaya)}, url = {https://www.youtube.com/watch?v=C733AyPzkoc}, language = {English}, urldate = {2022-08-08} } @online{bykkaya:20220905:bumblebee:ea43ba9, author = {Arda Büyükkaya}, title = {{Bumblebee Loader Malware Analysis}}, date = {2022-09-05}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/}, language = {English}, urldate = {2022-09-06} } @online{bykkaya:20220925:cobalt:2820666, author = {Arda Büyükkaya}, title = {{Cobalt Strike Shellcode Loader With Rust (YouTube)}}, date = {2022-09-25}, organization = {YouTube (Arda Büyükkaya)}, url = {https://www.youtube.com/watch?v=XfUTpwZKCDU}, language = {English}, urldate = {2022-09-27} } @online{bykkaya:20230810:german:dceff76, author = {Arda Büyükkaya}, title = {{German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs}}, date = {2023-08-10}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs#a3}, language = {English}, urldate = {2023-08-11} } @online{bykkaya:20231005:chinese:7bd80ab, author = {Arda Büyükkaya}, title = {{Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia}}, date = {2023-10-05}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia}, language = {English}, urldate = {2023-10-06} } @online{bykkaya:20240327:operation:1812778, author = {Arda Büyükkaya}, title = {{Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign}}, date = {2024-03-27}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign}, language = {English}, urldate = {2024-03-28} } @online{bykkaya:20250211:sandworm:73ecca3, author = {Arda Büyükkaya}, title = {{Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns}}, date = {2025-02-11}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns}, language = {English}, urldate = {2025-02-17} } @online{bykkaya:20250313:inside:e25e433, author = {Arda Büyükkaya}, title = {{Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices}}, date = {2025-03-13}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/inside-bruted-black-basta-raas-members-used-automated-brute-forcing-framework-to-target-edge-network-devices}, language = {English}, urldate = {2025-03-21} } @online{bykkaya:20250513:chinanexus:ddde13b, author = {Arda Büyükkaya}, title = {{China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures}}, date = {2025-05-13}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures}, language = {English}, urldate = {2025-05-20} } @online{bykkaya:20250528:pakistan:d703591, author = {Arda Büyükkaya and Alon Gal}, title = {{Pakistan Telecommunication Company (PTCL) Targeted by Bitter APT During Heightened Regional Conflict}}, date = {2025-05-28}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/pakistan-telecommunication-company-ptcl-targeted-by-bitter-apt-during-heightened-regional-conflict}, language = {English}, urldate = {2025-06-02} } @online{byrd:20211108:desorden:8bbb3fe, author = {Terrell Byrd}, title = {{Desorden Group Reportedly Hacks Centara Hotels & Resorts Within 10 Minutes After Recovering From the First Data Breach}}, date = {2021-11-08}, organization = {BreachExchange}, url = {https://seclists.org/dataloss/2021/q4/81}, language = {English}, urldate = {2023-11-27} } @online{byteatlas:20150415:knowledge:0d028a7, author = {ByteAtlas}, title = {{Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers}}, date = {2015-04-15}, url = {https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html}, language = {English}, urldate = {2020-01-07} } @online{byteraptors:20200603:wizardopium:b83073d, author = {ByteRaptors}, title = {{The WizardOpium LPE: Exploiting CVE-2019-1458}}, date = {2020-06-03}, organization = {ByteRaptors Blog}, url = {https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html}, language = {English}, urldate = {2020-06-12} } @online{c0d3inj3ct:20180524:javascript:af29dab, author = {c0d3inj3cT}, title = {{JavaScript based Bot using Github C&C}}, date = {2018-05-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html}, language = {English}, urldate = {2020-05-23} } @online{c0d3inj3ct:20191224:unpacking:3102f76, author = {c0d3inj3cT}, title = {{Unpacking Payload used in Bottle EK}}, date = {2019-12-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html}, language = {English}, urldate = {2020-03-11} } @online{c0d3inj3ct:20191225:blacknet:80468eb, author = {c0d3inj3cT}, title = {{BlackNet RAT - When you leave the Panel unprotected}}, date = {2019-12-25}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html}, language = {English}, urldate = {2020-03-11} } @online{c3rb3ru5d3d53c:20211122:introduction:1daa38b, author = {c3rb3ru5d3d53c and Sergei Frankoff}, title = {{Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...}}, date = {2021-11-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hgz5gZB3DxE}, language = {English}, urldate = {2021-11-29} } @online{c3rb3ru5d3d53c:20221001:darkcloud:8c1f80f, author = {c3rb3ru5d3d53c}, title = {{DarkCloud Stealer Triage}}, date = {2022-10-01}, organization = {Malware Hell}, url = {https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/}, language = {English}, urldate = {2022-11-25} } @online{c4i:20170216:breaking:b65439a, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/}, language = {English}, urldate = {2019-12-20} } @online{c4i:20170216:breaking:cc7bead, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/}, language = {English}, urldate = {2019-12-20} } @online{c5pider:20220911:havoc:9c6bc38, author = {C5pider}, title = {{Havoc}}, date = {2022-09-11}, organization = {Github (HavocFramework)}, url = {https://github.com/HavocFramework/Havoc}, language = {English}, urldate = {2022-10-12} } @online{c:20200608:tau:f5b25ff, author = {A C}, title = {{TAU Threat Analysis: Hakbit Ransomware}}, date = {2020-06-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/}, language = {English}, urldate = {2020-06-10} } @online{c:20200615:tau:c60e41f, author = {A C}, title = {{TAU Threat Analysis: Relations to Hakbit Ransomware}}, date = {2020-06-15}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/}, language = {English}, urldate = {2020-06-16} } @online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } @online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } @online{cadolabs:20210118:botnet:f8ef420, author = {cadolabs}, title = {{Botnet Deploys Cloud and Container Attack Techniques}}, date = {2021-01-18}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques}, language = {English}, urldate = {2021-01-21} } @online{cadolabs:20210406:threat:aba341a, author = {cadolabs}, title = {{Threat Group Uses Voice Changing Software in Espionage Attempt}}, date = {2021-04-06}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt}, language = {English}, urldate = {2021-04-06} } @online{caesar:20210419:incredible:5435b11, author = {Ed Caesar}, title = {{The Incredible Rise of North Korea’s Hacking Army}}, date = {2021-04-19}, organization = {NEW YORKER}, url = {https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army}, language = {English}, urldate = {2021-04-20} } @online{cagedtech:20220217:nwgen:795d0ee, author = {CagedTech}, title = {{Nwgen Ransomware}}, date = {2022-02-17}, organization = {enigmasoft}, url = {https://www.enigmasoftware.com/nwgenransomware-removal/}, language = {English}, urldate = {2024-02-08} } @online{cahen:20220511:detecting:c61fd63, author = {Blake Cahen and IronNet Threat Research}, title = {{Detecting a MUMMY SPIDER campaign and Emotet infection}}, date = {2022-05-11}, organization = {IronNet}, url = {https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection}, language = {English}, urldate = {2022-05-17} } @online{california:20210528:united:1a0e5db, author = {United States District Court Southern District of California}, title = {{United States of America vs Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin, Wu Shurong}}, date = {2021-05-28}, url = {https://www.justice.gov/opa/press-release/file/1412916/download}, language = {English}, urldate = {2021-07-26} } @techreport{california:20230821:application:1924cc0, author = {United States District Court for the Central District of California}, title = {{Application for a Warrant by Telephone or other reliable Electronic Means}}, date = {2023-08-21}, institution = {Department of Justice}, url = {https://www.justice.gov/d9/2023-08/23mj4244_application_redacted.pdf}, language = {English}, urldate = {2023-09-01} } @techreport{california:20230823:application:5207e98, author = {United States District Court for the Central District of California}, title = {{Application and Affidavit for a Seizure Warrant by Telephone or other Reliable Electronic Means}}, date = {2023-08-23}, institution = {Department of Justice}, url = {https://www.justice.gov/d9/2023-08/23mj4251_application_redacted.pdf}, language = {English}, urldate = {2023-09-01} } @online{callow:20211028:suspected:ae61e43, author = {Brett Callow}, title = {{Tweet on suspected actor behind Payorgrief ransomware}}, date = {2021-10-28}, organization = {Twitter (@BrettCallow)}, url = {https://twitter.com/BrettCallow/status/1453557686830727177?s=20}, language = {English}, urldate = {2021-11-08} } @online{calvet:20150305:casper:be062ed, author = {Joan Calvet}, title = {{Casper Malware: After Babar and Bunny, Another Espionage Cartoon}}, date = {2015-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/}, language = {English}, urldate = {2019-11-14} } @online{camacho:20201218:negasteal:e5b291f, author = {Matthew Camacho and Raphael Centeno and Junestherry Salvador}, title = {{Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware}, language = {English}, urldate = {2020-12-26} } @online{camastra:20190220:spoofing:f2e825b, author = {Luigino Camastra and Jan Širmer and Adolf Středa and Lukáš Obrdlík}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-02-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/}, language = {English}, urldate = {2020-01-06} } @online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{camastra:20200514:planted:7b94cc6, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia}, language = {English}, urldate = {2022-07-25} } @online{camastra:20201209:targeting:7e6cb4b, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia}, language = {English}, urldate = {2024-10-15} } @online{camastra:20201209:targeting:952844f, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/}, language = {English}, urldate = {2021-01-27} } @online{camastra:20201209:targeting:d3469a1, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia}, language = {English}, urldate = {2022-07-29} } @online{camastra:20210701:backdoored:4fce28c, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass}, language = {English}, urldate = {2022-07-29} } @online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2022-07-25} } @online{camastra:20220322:operation:05d8831, author = {Luigino Camastra and Igor Morgenstern and Jan Holman}, title = {{Operation Dragon Castling: APT group targeting betting companies}}, date = {2022-03-22}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies}, language = {English}, urldate = {2022-08-26} } @online{camastra:20240418:from:d335c16, author = {Luigino Camastra}, title = {{From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams}}, date = {2024-04-18}, organization = {Avast}, url = {https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/}, language = {English}, urldate = {2024-10-14} } @online{camastra:20240919:evolution:fceee1e, author = {Luigino Camastra}, title = {{Evolution of Lazarus ‘FudModule - no longer (stand)alone’}}, date = {2024-09-19}, organization = {Gen Digital}, url = {https://www.gendigital.com/blog/news/innovation/lazarus-fudmodule-v3}, language = {English}, urldate = {2024-10-14} } @online{camba:20121009:bkdrsarhusta:92d2b93, author = {Abraham Latimer Camba}, title = {{BKDR_SARHUST.A}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a}, language = {English}, urldate = {2020-01-05} } @online{camba:20130227:bkdrrarstone:8893f88, author = {Abraham Camba}, title = {{BKDR_RARSTONE: New RAT to Watch Out For}}, date = {2013-02-27}, organization = {Trend Micro}, url = {https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/}, language = {English}, urldate = {2023-04-22} } @online{camba:20130227:bkdrrarstone:8c1d7b2, author = {Abraham Camba}, title = {{BKDR_RARSTONE: New RAT to Watch Out For}}, date = {2013-02-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/}, language = {English}, urldate = {2020-01-08} } @online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} } @online{camba:20210202:finding:67f5c6b, author = {Abraham Camba and Byron Gelera and Catherine Loveria}, title = {{Finding and Decoding Multi-Step Obfuscated Malware}}, date = {2021-02-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/finding-multi-step-obfuscated-malware.html}, language = {English}, urldate = {2021-02-09} } @online{camba:20210705:tracking:6ae6ad5, author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio}, title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}}, date = {2021-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html}, language = {English}, urldate = {2021-07-19} } @online{camba:20211217:staging:0ec37d9, author = {Abraham Camba and Jonna Santos and Gilbert Sison and Jay Yaneza}, title = {{Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager}}, date = {2021-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html}, language = {English}, urldate = {2021-12-31} } @online{cameron:20170915:welp:8da10de, author = {Dell Cameron}, title = {{Welp, Vevo Just Got Hacked}}, date = {2017-09-15}, url = {https://gizmodo.com/welp-vevo-just-got-hacked-1813390834}, language = {English}, urldate = {2019-10-17} } @online{cameron:20181030:us:45da6b7, author = {Dell Cameron}, title = {{U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets}}, date = {2018-10-30}, organization = {Gizmodo}, url = {https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695}, language = {English}, urldate = {2019-11-27} } @online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } @online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } @online{camichel:20200512:absent:f352502, author = {Corsin Camichel}, title = {{Tweet on AbSent Loader}}, date = {2020-05-12}, organization = {Twitter (@cocaman)}, url = {https://twitter.com/cocaman/status/1260069549069733888}, language = {English}, urldate = {2020-05-15} } @online{camichel:20201101:observed:abb75ee, author = {Corsin Camichel}, title = {{Observed Malware Campaigns – October 2020}}, date = {2020-11-01}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2020/11/observed-malware-campaigns-october-2020/}, language = {English}, urldate = {2020-11-02} } @online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } @online{camiling:20230526:new:3fe96ae, author = {Sarah Pearl Camiling and Paul John Bardon}, title = {{New Info Stealer Bandit Stealer Targets Browsers, Wallets}}, date = {2023-05-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html}, language = {English}, urldate = {2023-08-01} } @online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } @online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } @online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } @online{campbell:20200608:analysis:500f9fe, author = {Ryan Campbell}, title = {{Analysis of Valak Maldoc}}, date = {2020-06-08}, organization = {Security Soup Blog}, url = {https://security-soup.net/analysis-of-valak-maldoc/}, language = {English}, urldate = {2020-06-08} } @online{campbell:20200831:analysis:33c982e, author = {Chris Campbell}, title = {{Analysis of the latest wave of Emotet malicious documents}}, date = {2020-08-31}, organization = {Inde}, url = {https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents}, language = {English}, urldate = {2022-04-29} } @online{campbell:20201106:quick:741d84a, author = {Ryan Campbell}, title = {{Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs}}, date = {2020-11-06}, organization = {Security Soup Blog}, url = {https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/}, language = {English}, urldate = {2020-11-09} } @online{campbell:20201204:inside:9f2f036, author = {Chris Campbell}, title = {{Inside a .NET Stealer: AgentTesla}}, date = {2020-12-04}, organization = {Inde}, url = {https://www.inde.nz/blog/inside-agenttesla}, language = {English}, urldate = {2022-04-29} } @online{campbell:20210311:you:7bd2342, author = {Josh Campbell}, title = {{You Don't Know the HAFNIUM of it...}}, date = {2021-03-11}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/}, language = {English}, urldate = {2021-03-16} } @online{campbell:20210412:different:ea9739f, author = {Chris Campbell}, title = {{A Different Kind of Zoombomb}}, date = {2021-04-12}, organization = {Inde}, url = {https://www.inde.nz/blog/different-kind-of-zoombomb}, language = {English}, urldate = {2022-04-29} } @online{campbell:20210918:squirrelwaffle:5790d40, author = {Ryan Campbell}, title = {{“Squirrelwaffle” Maldoc Analysis}}, date = {2021-09-18}, organization = {Security Soup Blog}, url = {https://security-soup.net/squirrelwaffle-maldoc-analysis/}, language = {English}, urldate = {2021-09-20} } @online{campbell:20210927:doppeldridex:daa5f69, author = {Ryan Campbell}, title = {{DoppelDridex Delivered via Slack and Discord}}, date = {2021-09-27}, organization = {Security Soup Blog}, url = {https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/}, language = {English}, urldate = {2021-09-29} } @online{campbell:20211020:ta551:aa5f9d9, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA551 Uses ‘SLIVER’ Red Team Tool in New Activity}}, date = {2021-10-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity}, language = {English}, urldate = {2021-10-26} } @online{campbell:20220315:decoding:507512a, author = {Ryan Campbell}, title = {{Decoding a DanaBot Downloader}}, date = {2022-03-15}, organization = {Security Soup Blog}, url = {https://security-soup.net/decoding-a-danabot-downloader/}, language = {English}, urldate = {2022-03-28} } @online{campbell:20220321:serpent:12b3381, author = {Bryan Campbell and Zachary Abzug and Andrew Northern and Selena Larson}, title = {{Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain}}, date = {2022-03-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain}, language = {English}, urldate = {2022-03-22} } @online{campbell:20220419:stop:3823abd, author = {Ian Campbell}, title = {{Stop Crypto Kleptos in Their Tracks}}, date = {2022-04-19}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/stop-crypto-kleptos-in-their-tracks}, language = {English}, urldate = {2022-08-26} } @online{campbell:20220721:buy:bf7d3c4, author = {Bryan Campbell and Pim Trouerbach and Selena Larson and Proofpoint Threat Research Team}, title = {{Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities}}, date = {2022-07-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities}, language = {English}, urldate = {2022-07-25} } @online{campbell:20230223:getting:2fc517a, author = {Steven Campbell and Ross Phillips and Seth Battles and Markus Neis}, title = {{Getting Dumped: A Trust Relationship Destroyed by Lorenz}}, date = {2023-02-23}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/}, language = {English}, urldate = {2023-02-27} } @online{campbell:20230726:conti:8d7c03f, author = {Steven Campbell and Akshay Suthar and Connor Belfiore}, title = {{Conti and Akira: Chained Together}}, date = {2023-07-26}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/}, language = {English}, urldate = {2023-07-27} } @online{campbell:20241024:arctic:19cc01b, author = {Steven Campbell and Akshay Suthar and Stefan Hostetler}, title = {{Arctic Wolf Labs Observes Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN}}, date = {2024-10-24}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/}, language = {English}, urldate = {2024-10-25} } @online{can:20190313:n:bfbaff0, author = {Ahmet Bilal Can}, title = {{N Ways to Unpack Mobile Malware}}, date = {2019-03-13}, organization = {Pentest Blog}, url = {https://pentest.blog/n-ways-to-unpack-mobile-malware/}, language = {English}, urldate = {2020-01-09} } @online{can:20190718:android:5097363, author = {Ahmet Bilal Can}, title = {{Android Malware Analysis : Dissecting Hydra Dropper}}, date = {2019-07-18}, url = {https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/}, language = {English}, urldate = {2019-12-05} } @techreport{canada:2011:snowglobe:2cf6813, author = {CSE Canada}, title = {{SNOWGLOBE: From Discovery to Attribution}}, date = {2011}, institution = {Spiegel Online}, url = {http://www.spiegel.de/media/media-35683.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{canada:20170809:hackers:30a0c3d, author = {CSE Canada}, title = {{Hackers are Humans too}}, date = {2017-08-09}, institution = {CSE}, url = {https://nsarchive.gwu.edu/sites/default/files/documents/3921357/Government-of-Canada-Hackers-are-Humans-Too.pdf}, language = {English}, urldate = {2022-11-17} } @online{canada:20210415:statement:2e6f28b, author = {Government of Canada}, title = {{Statement on SolarWinds Cyber Compromise}}, date = {2021-04-15}, organization = {Government of Canada}, url = {https://www.canada.ca/en/global-affairs/news/2021/04/statement-on-solarwinds-cyber-compromise.html}, language = {English}, urldate = {2021-04-16} } @online{canada:20210719:statement:e1247f4, author = {Global Affairs Canada}, title = {{Statement on China’s cyber campaigns}}, date = {2021-07-19}, organization = {Government of Canada}, url = {https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html}, language = {English}, urldate = {2021-07-22} } @online{canada:20250619:cyber:38f692f, author = {Government of Canada}, title = {{Cyber threat bulletin: People's Republic of China cyber threat activity: PRC cyber actors target telecommunications companies as part of a global cyberespionage campaign}}, date = {2025-06-19}, organization = {Government of Canada}, url = {https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-prc-cyber-actors-target-telecommunications-companies-global-cyberespionage-campaign}, language = {English}, urldate = {2025-06-24} } @online{canary:20200617:threat:3a7f962, author = {Red Canary}, title = {{Threat Detection: Blue Mockingbird}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://www.youtube.com/watch?v=6t_E8KOmZSs}, language = {English}, urldate = {2020-06-19} } @online{canary:20201204:yellow:1633ca2, author = {Red Canary}, title = {{Yellow Cockatoo: Search engine redirects, in-memory remote access trojan, and more}}, date = {2020-12-04}, organization = {Red Canary}, url = {https://redcanary.com/blog/yellow-cockatoo/}, language = {English}, urldate = {2020-12-08} } @techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } @techreport{canary:20220322:2022:67c40ea, author = {Red Canary}, title = {{2022 Threat Detection Report}}, date = {2022-03-22}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf}, language = {English}, urldate = {2022-03-23} } @techreport{canary:20230323:2023:aac3073, author = {Red Canary}, title = {{2023 / 5.0 Threat Dection Report: Techniques, Trend, and Takeaways}}, date = {2023-03-23}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2023_ThreatDetectionReport_RedCanary.pdf}, language = {English}, urldate = {2023-03-24} } @techreport{canary:20250312:2025:6a8afce, author = {Red Canary}, title = {{2025 Threat Detection Report}}, date = {2025-03-12}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2025ThreatDetectionReport_RedCanary.pdf}, language = {English}, urldate = {2025-03-21} } @online{cannell:20130725:zeroaccess:4853854, author = {Joshua Cannell}, title = {{ZeroAccess uses Self-Debugging}}, date = {2013-07-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130801:sophos:404c6a5, author = {Joshua Cannell}, title = {{Sophos Discovers ZeroAccess Using RLO}}, date = {2013-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130926:new:428977b, author = {Joshua Cannell}, title = {{New Solarbot Malware Debuts, Creator Publicly Advertising}}, date = {2013-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/}, language = {English}, urldate = {2019-12-20} } @online{cannings:20160616:sakula:cece262, author = {David Cannings}, title = {{Sakula: an adventure in DLL planting}}, date = {2016-06-16}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1}, language = {English}, urldate = {2020-01-06} } @online{cannings:20170403:investigation:7deb188, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2019-12-17} } @online{cannings:20170403:investigation:8de942a, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An Investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2020-01-08} } @online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } @online{cannings:20240626:interesting:55e000f, author = {David Cannings}, title = {{An interesting Callisto YARA rule}}, date = {2024-06-26}, organization = {edeca.net}, url = {https://edeca.net/post/2024-06-26-an-interesting-callisto-yara-rule}, language = {English}, urldate = {2024-11-25} } @online{cannings:20240626:interesting:62b9264, author = {David Cannings}, title = {{An interesting Callisto YARA rule}}, date = {2024-06-26}, organization = {edeca.net}, url = {https://edeca.net/post/2024-06-26-an-interesting-callisto-yara-rule/}, language = {English}, urldate = {2024-07-03} } @online{cannon:20171207:new:035f809, author = {Vincent Cannon and Nalani Fraser and Yogesh Londhe and Manish Sardiwal and Nick Richard and Jacqueline O’Leary}, title = {{New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit}}, date = {2017-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html}, language = {English}, urldate = {2019-12-20} } @online{cano:20220127:adversary:244a480, author = {Nathali Cano and Jorge Orchilles and Christopher Peacock}, title = {{Adversary Emulation Diavol Ransomware #ThreatThursday}}, date = {2022-01-27}, organization = {SCYTHE}, url = {https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday}, language = {English}, urldate = {2022-02-01} } @online{cantos:20240605:phishing:7f579d4, author = {Michelle Cantos and Jamie Collier}, title = {{Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics}}, date = {2024-06-05}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics}, language = {English}, urldate = {2024-11-25} } @online{cantrell:20230112:cyops:de2e706, author = {Kindra Cantrell}, title = {{CyOps Lighthouse: Vidar Stealer}}, date = {2023-01-12}, organization = {Cynet}, url = {https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/}, language = {English}, urldate = {2023-04-25} } @online{cao:20200324:operation:89da9bd, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links}}, date = {2020-03-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/}, language = {English}, urldate = {2020-03-25} } @techreport{cao:20200324:technical:dc23839, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Technical Brief: Operation Poisoned News: Hong Kong Users Targeted with Mobile Malware via Local News Links}}, date = {2020-03-24}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf}, language = {English}, urldate = {2020-03-25} } @techreport{capcom:20210413:4th:7ce2091, author = {CAPCOM}, title = {{4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results}}, date = {2021-04-13}, institution = {CAPCOM}, url = {https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf}, language = {English}, urldate = {2021-04-14} } @online{capilla:20161121:android:5150467, author = {Sergi Àlvarez i Capilla}, title = {{Android malware analysis with Radare: Dissecting the Triada Trojan}}, date = {2016-11-21}, organization = {NowSecure}, url = {https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/}, language = {English}, urldate = {2020-01-10} } @online{capriotti:20220813:github:2be819b, author = {Diego Capriotti}, title = {{Github Repo for Pyramid}}, date = {2022-08-13}, organization = {Github (naksyn)}, url = {https://github.com/naksyn/Pyramid}, language = {English}, urldate = {2025-03-07} } @online{caragay:20150924:credit:59e0581, author = {RonJay Caragay and Michael Marcos}, title = {{Credit Card-Scraping Kasidet Builder Leads to Spike in Detections}}, date = {2015-09-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/}, language = {English}, urldate = {2020-01-13} } @techreport{carcano:20181001:triton:7863291, author = {Andrea Carcano}, title = {{TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever}}, date = {2018-10-01}, institution = {SANS Cyber Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf}, language = {English}, urldate = {2020-01-20} } @online{cardona:20240226:pantsless:ec08a3a, author = {Kyla Cardona and Ashley Allocca}, title = {{“Pantsless Data”: Decoding Chinese Cybercrime TTPs}}, date = {2024-02-26}, organization = {SpyCloud}, url = {https://spycloud.com/blog/growing-chinese-threat-actor-ecosystem/}, language = {English}, urldate = {2024-09-13} } @online{cardona:20241018:deep:a3368fb, author = {Kyla Cardona}, title = {{A Deep Dive Into the Intricate Chinese Cybercrime Ecosystem}}, date = {2024-10-18}, organization = {SpyCloud}, url = {https://spycloud.com/blog/deep-dive-chinese-cybercrime-ecosystem/}, language = {English}, urldate = {2024-10-21} } @online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } @online{carhart:20210511:reasonable:9708c70, author = {Lesley Carhart}, title = {{Reasonable IR Team Expectations}}, date = {2021-05-11}, organization = {tisiphone.net blog}, url = {https://tisiphone.net/2021/05/11/reasonable-ir-team-expectations/}, language = {English}, urldate = {2021-05-13} } @online{caridi:20210721:this:17b999a, author = {Chris Caridi and Allison Wikoff}, title = {{This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered}}, date = {2021-07-21}, organization = {IBM}, url = {https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/}, language = {English}, urldate = {2021-07-22} } @online{carli:20170503:botnet:18f6b9a, author = {Lorenzo De Carli and Ruben Torres and Gaspar Modelo-Howard and Alok Tongaonkar and Somesh Jha}, title = {{Botnet Protocol Inference in the Presence of Encrypted Traffic}}, date = {2017-05-03}, organization = {IEEE}, url = {https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail}, language = {English}, urldate = {2023-11-14} } @online{carlisle:20230601:carbon:a215566, author = {Fae Carlisle}, title = {{Carbon Black’s TrueBot Detection}}, date = {2023-06-01}, organization = {vmware}, url = {https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html}, language = {English}, urldate = {2023-07-13} } @online{carlson:20100714:who:7563adc, author = {Benjamin Carlson}, title = {{Who Was the 12th Russian Spy at Microsoft?}}, date = {2010-07-14}, organization = {The Atlantic}, url = {https://www.theatlantic.com/international/archive/2010/07/who-was-the-12th-russian-spy-at-microsoft/344876/}, language = {English}, urldate = {2021-04-19} } @online{caron:20221111:gracewire:7b6e68f, author = {Hugo Caron}, title = {{GraceWire / FlawedGrace malware adventure}}, date = {2022-11-11}, organization = {Codesec}, url = {https://web.archive.org/web/20221115161556/https://blog.codsec.com/posts/malware/gracewire_adventure/}, language = {English}, urldate = {2023-07-16} } @online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20170524:apt32:4060afe, author = {Nick Carr}, title = {{APT32: New Cyber Espionage Group}}, date = {2017-05-24}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/10703/261205}, language = {English}, urldate = {2020-01-07} } @online{carr:20170630:obfuscation:c3d947e, author = {Nick Carr and Daniel Bohannon}, title = {{Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques}}, date = {2017-06-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20180801:hunt:0fe0e15, author = {Nick Carr and Kimberly Goody and Steve Miller and Barry Vengerik}, title = {{On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation}}, date = {2018-08-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20181106:griffon:c7f800f, author = {Nick Carr}, title = {{Tweet on a GRIFFON sample}}, date = {2018-11-06}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1059898708286939136}, language = {English}, urldate = {2019-12-17} } @online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} } @online{carr:20191010:mahalo:917c5b2, author = {Nick Carr and Josh Yoder and Kimberly Goody and Scott Runnels and Jeremy Kennelly and Jordan Nuce}, title = {{Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques}}, date = {2019-10-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html}, language = {English}, urldate = {2019-11-18} } @online{carr:20191220:grunt:02cb116, author = {Nick Carr}, title = {{Tweet on GRUNT payload}}, date = {2019-12-20}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1208141697282117633}, language = {English}, urldate = {2020-01-09} } @online{carr:20200114:rough:1c149da, author = {Nick Carr and Matt Bromiley}, title = {{Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)}}, date = {2020-01-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html}, language = {English}, urldate = {2020-01-17} } @online{carr:20200601:malware:62e3d49, author = {Nick Carr}, title = {{Tweet on malware called NETFLASH}}, date = {2020-06-01}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1267475216923594755}, language = {English}, urldate = {2020-06-05} } @online{carr:20201214:summarizing:67227be, author = {Nick Carr}, title = {{Tweet on summarizing post-compromise actvity of UNC2452}}, date = {2020-12-14}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1338382939835478016}, language = {English}, urldate = {2020-12-14} } @online{carr:20201215:quick:5305f61, author = {Nick Carr}, title = {{A quick note from Nick Carr on COSMICGALE and SUPERNOVA that those are unrelated to UC2452 intrusion campaign}}, date = {2020-12-15}, organization = {Github (itsreallynick)}, url = {https://github.com/fireeye/sunburst_countermeasures/pull/5}, language = {English}, urldate = {2020-12-19} } @techreport{carrera:20041006:digital:5a195e2, author = {Ero Carrera and Gergely Erdélyi}, title = {{Digital genome mapping: advanced binary malware analysis}}, date = {2004-10-06}, institution = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf}, language = {English}, urldate = {2021-12-31} } @techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2022-01-28} } @online{carroll:20220105:technical:171666f, author = {Eoin Carroll}, title = {{Technical Analysis of CVE-2021-1732}}, date = {2022-01-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/}, language = {English}, urldate = {2022-01-25} } @online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } @online{carvey:20230907:evolution:4432f0b, author = {Harlan Carvey}, title = {{Evolution of USB-Borne Malware, Raspberry Robin}}, date = {2023-09-07}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin}, language = {English}, urldate = {2023-09-11} } @online{case:20190902:digital:0f6cd23, author = {Andrew Case and Matthew Meltzer and Steven Adair}, title = {{Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs}}, date = {2019-09-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/}, language = {English}, urldate = {2019-12-06} } @online{case:20200421:evil:54c1d46, author = {Andrew Case and Dave Lassalle and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant}}, date = {2020-04-21}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/}, language = {English}, urldate = {2020-04-22} } @online{caselden:20150418:operation:f2f3cba, author = {Dan Caselden and Yasir Khalid and James “Tom” Bennett and Genwei Jiang and Corbin Souffrant and Joshua Homan and Jonathan Wrolstad and Chris Phillips and Darien Kin}, title = {{Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack}}, date = {2015-04-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html}, language = {English}, urldate = {2019-10-16} } @online{caselden:20150623:operation:dc2929c, author = {Dan Caselden and Erica Eng}, title = {{Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign}}, date = {2015-06-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html}, language = {English}, urldate = {2019-12-20} } @online{cash:20201214:dark:7d54c5d, author = {Damien Cash and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{Dark Halo Leverages SolarWinds Compromise to Breach Organizations}}, date = {2020-12-14}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/}, language = {English}, urldate = {2020-12-15} } @online{cash:20210115:sign:c50ae62, author = {David Cash}, title = {{Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures}}, date = {2021-01-15}, organization = {nccgroup}, url = {https://research.nccgroup.com/2021/01/15/sign-over-your-hashes-stealing-netntlm-hashes-via-outlook-signatures/}, language = {English}, urldate = {2021-01-21} } @online{cash:20210527:suspected:beb9dd9, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}}, date = {2021-05-27}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/}, language = {English}, urldate = {2021-06-09} } @online{cash:20210817:north:e84fb02, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Steven Adair and Thomas Lancaster}, title = {{North Korean APT37 / InkySquid Infects Victims Using Browser Exploits}}, date = {2021-08-17}, organization = {Volatility Labs}, url = {https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/}, language = {English}, urldate = {2021-08-20} } @online{cash:20210824:north:aab532f, author = {Damien Cash and Josh Grunzweig and Steven Adair and Thomas Lancaster}, title = {{North Korean BLUELIGHT Special: InkySquid Deploys RokRAT}}, date = {2021-08-24}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/}, language = {English}, urldate = {2021-08-31} } @online{cash:20220322:storm:236d2ad, author = {Damien Cash and Steven Adair and Thomas Lancaster}, title = {{Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS}}, date = {2022-03-22}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/}, language = {English}, urldate = {2022-03-23} } @online{cashdollar:20190613:latest:1dba306, author = {Larry Cashdollar}, title = {{Latest ECHOBOT: 26 Infection Vectors}}, date = {2019-06-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html}, language = {English}, urldate = {2020-01-08} } @online{cashdollar:20210316:another:93fb703, author = {Larry Cashdollar}, title = {{Another Golang Crypto Miner On The Loose}}, date = {2021-03-16}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2021/03/another-golang-crypto-miner-on-the-loose.html}, language = {English}, urldate = {2021-03-22} } @online{cashdollar:20210916:capoae:5ac6400, author = {Larry Cashdollar}, title = {{Capoae Malware Ramps Up: Uses Multiple Vulnerabilities and Tactics to Spread}}, date = {2021-09-16}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread}, language = {English}, urldate = {2021-09-19} } @online{cashman:20201221:how:10d8756, author = {Mo Cashman and Arnab Roy}, title = {{How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise}}, date = {2020-12-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/}, language = {English}, urldate = {2020-12-23} } @online{casperinous:20220219:ida:8fdf71c, author = {Casperinous}, title = {{IDA scripts for analysis of Colibri Loader}}, date = {2022-02-19}, organization = {Github (Casperinous)}, url = {https://github.com/Casperinous/colibri_loader}, language = {English}, urldate = {2022-03-02} } @online{casperinous:20240130:jinxloader:1d6760b, author = {Casperinous}, title = {{JinxLoader samples on YARAify}}, date = {2024-01-30}, organization = {abuse.ch}, url = {https://yaraify.abuse.ch/yarahub/rule/mal_jinxv2loader/}, language = {English}, urldate = {2024-01-31} } @online{caspi:20170504:osx:9f62c96, author = {Ofer Caspi}, title = {{OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic}}, date = {2017-05-04}, organization = {Check Point Software Technologies Ltd}, url = {http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/}, language = {English}, urldate = {2019-11-24} } @online{caspi:20170713:osxdok:b34ca60, author = {Ofer Caspi}, title = {{OSX/Dok Refuses to Go Away and It’s After Your Money}}, date = {2017-07-13}, organization = {Check Point}, url = {https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/}, language = {English}, urldate = {2020-01-05} } @online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } @online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } @online{caspi:20210107:malware:2ad7d86, author = {Ofer Caspi and Fernando Martinez}, title = {{Malware using new Ezuri memory loader}}, date = {2021-01-07}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader}, language = {English}, urldate = {2021-01-11} } @online{caspi:20210127:teamtnt:8ebf267, author = {Ofer Caspi}, title = {{TeamTNT delivers malware with new detection evasion tool}}, date = {2021-01-27}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool}, language = {English}, urldate = {2021-01-27} } @online{caspi:20210622:darkside:2889f3c, author = {Ofer Caspi}, title = {{Darkside RaaS in Linux version}}, date = {2021-06-22}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version}, language = {English}, urldate = {2021-06-24} } @online{caspi:20210701:revils:20b42ae, author = {Ofer Caspi and Fernando Martinez}, title = {{REvil’s new Linux version}}, date = {2021-07-01}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version}, language = {English}, urldate = {2021-07-02} } @online{caspi:20210802:new:65cbd77, author = {Ofer Caspi and Javier Ruiz}, title = {{New sophisticated RAT in town: FatalRat analysis}}, date = {2021-08-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis}, language = {English}, urldate = {2021-08-02} } @online{caspi:20210908:teamtnt:f9ad39d, author = {Ofer Caspi}, title = {{TeamTNT with new campaign aka “Chimaera”}}, date = {2021-09-08}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera}, language = {English}, urldate = {2021-09-10} } @online{caspi:20211111:att:4c2bbed, author = {Ofer Caspi}, title = {{AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits}}, date = {2021-11-11}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits}, language = {English}, urldate = {2021-11-17} } @online{caspi:20220126:botenago:0c74142, author = {Ofer Caspi}, title = {{BotenaGo strikes again - malware source code uploaded to GitHub}}, date = {2022-01-26}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github}, language = {English}, urldate = {2022-04-24} } @online{caspi:20220526:rapidly:cbc0d84, author = {Ofer Caspi}, title = {{Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices}}, date = {2022-05-26}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers}, language = {English}, urldate = {2022-05-31} } @online{caspi:20220906:shikitega:bee20db, author = {Ofer Caspi}, title = {{Shikitega - New stealthy malware targeting Linux}}, date = {2022-09-06}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux}, language = {English}, urldate = {2023-01-19} } @online{cass:20211019:whatta:4d969e1, author = {Zydeca Cass and Axel F and Crista Giering and Matthew Mesa and Georgi Mladenov and Brandon Murphy}, title = {{Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant}}, date = {2021-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant}, language = {English}, urldate = {2021-10-24} } @online{cass:20230307:dont:61eda3a, author = {Zydeca Cass}, title = {{Don’t Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests}}, date = {2023-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests}, language = {English}, urldate = {2023-12-04} } @online{castel:20210607:avaddon:9a4a8cb, author = {Loïc Castel}, title = {{Avaddon Ransomware Analysis}}, date = {2021-06-07}, organization = {ATOS}, url = {https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis}, language = {English}, urldate = {2021-11-17} } @online{castel:20220707:threat:e7717e8, author = {Loïc Castel}, title = {{THREAT ALERT: Raspberry Robin Worm Abuses Windows Installer and QNAP Devices}}, date = {2022-07-07}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices}, language = {English}, urldate = {2022-07-12} } @online{castelan:20241024:investigating:38fe356, author = {Foti Castelan and Max Thauer and JP Glab and Gabby Roncone and Tufail Ahmed and Jared Wilson}, title = {{Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)}}, date = {2024-10-24}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/}, language = {English}, urldate = {2024-11-04} } @online{castillo:20220302:cybercrime:c1663a8, author = {Carlos del Castillo}, title = {{Cybercrime bosses warn that they will "fight back" if Russia is hacked}}, date = {2022-03-02}, organization = {elDiario}, url = {https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html}, language = {Spanish}, urldate = {2022-03-04} } @online{castleman:20210127:logokit:7322a8b, author = {Adam Castleman}, title = {{LogoKit: Simple, Effective, and Deceptive}}, date = {2021-01-27}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/a068810a}, language = {English}, urldate = {2021-01-29} } @online{castleman:20210407:yanbian:dcf9de9, author = {Adam Castleman and Jordan Herman}, title = {{Yanbian Gang Malware Continues with Wide-Scale Distribution and C2}}, date = {2021-04-07}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f88ed16f/description}, language = {English}, urldate = {2021-04-09} } @online{castleman:20210422:stealing:d799b15, author = {Adam Castleman and Jordan Herman}, title = {{Stealing All Your Information For Years With Shadow Z118 PayPal Phish Kits}}, date = {2021-04-22}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/50bcba95}, language = {English}, urldate = {2021-04-28} } @online{casualmalware:20200311:firebird:6d1f8a2, author = {casual_malware}, title = {{Tweet on FireBird RAT}}, date = {2020-03-11}, organization = {Twitter (@casual_malware)}, url = {https://twitter.com/casual_malware/status/1237775601035096064}, language = {English}, urldate = {2020-03-13} } @online{catalan:20231003:rhadamanthys:fb542d8, author = {David Catalan}, title = {{Rhadamanthys malware analysis: How infostealers use VMs to avoid analysis}}, date = {2023-10-03}, organization = {Outpost24}, url = {https://outpost24.com/blog/rhadamanthys-malware-analysis/}, language = {English}, urldate = {2023-10-05} } @online{catwithoutahat7:20210313:dearcry:3a71a24, author = {Twitter (@CatWithoutAHat7) and 0xca7}, title = {{DearCry Ransomware - A quick look 0x01}}, date = {2021-03-13}, organization = {YouTube (0xc7a)}, url = {https://www.youtube.com/watch?v=Hhx9Q2i7zGo}, language = {English}, urldate = {2022-07-01} } @online{catwithoutahat7:20210313:dearcry:85773c0, author = {Twitter (@CatWithoutAHat7)}, title = {{DearCry Ransomware - A quick look 0x02}}, date = {2021-03-13}, organization = {YouTube (0xc7a)}, url = {https://www.youtube.com/watch?v=MRTdGUy1lfw}, language = {English}, urldate = {2021-04-16} } @online{catwithoutahat7:20210313:dearcry:bb446b1, author = {Twitter (@CatWithoutAHat7)}, title = {{DearCry Ransomware - A quick look 0x00}}, date = {2021-03-13}, organization = {YouTube (0xc7a)}, url = {https://www.youtube.com/watch?v=qmCjtigVVR0}, language = {English}, urldate = {2021-04-16} } @techreport{ccc:20111008:analyse:0c4a8c9, author = {CCC}, title = {{ANALYSE EINER REGIERUNGS-MALWARE}}, date = {2011-10-08}, institution = {CCC}, url = {http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf}, language = {English}, urldate = {2020-01-07} } @online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } @online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } @online{ccncert:202005:malware:e6aed81, author = {CCN-CERT}, title = {{Malware report CCN-CERT ID-15/20 Snake Locker}}, date = {2020-05}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html}, language = {English}, urldate = {2020-06-10} } @online{ccncert:202103:informe:1628d52, author = {CCN-CERT}, title = {{Informe Código DañinoCCN-CERT ID-03/21: RyukRansomware}}, date = {2021-03}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html}, language = {Spanish}, urldate = {2021-03-19} } @online{censys:20201207:advanced:2a06c59, author = {Censys}, title = {{Advanced Persistent Infrastructure Tracking}}, date = {2020-12-07}, organization = {Censys}, url = {https://censys.com/advanced-persistent-infrastructure-tracking/}, language = {English}, urldate = {2023-12-04} } @techreport{censys:20220718:russian:dfd4246, author = {Censys}, title = {{Russian Ransomware C2 Network Discovered in Censys Data}}, date = {2022-07-18}, institution = {Censys}, url = {https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf}, language = {English}, urldate = {2023-12-04} } @online{censys:20250425:persistent:9a534d8, author = {Censys}, title = {{The Persistent Threat of Salt Typhoon: Tracking Exposures of Potentially Targeted Devices}}, date = {2025-04-25}, organization = {Censys}, url = {https://censys.com/blog/the-persistent-threat-of-salt-typhoon-tracking-exposures-of-potentially-targeted-devices}, language = {English}, urldate = {2025-04-28} } @online{censysresearch:20250428:public:c60e3cb, author = {Github (Censys-Research)}, title = {{Public Github Archive of Scout C2}}, date = {2025-04-28}, organization = {Github (Censys Research)}, url = {https://github.com/Censys-Research/ScoutC2}, language = {English}, urldate = {2025-05-21} } @online{centeno:20180501:legitimate:bd0644c, author = {Raphael Centeno}, title = {{Legitimate Application AnyDesk Bundled with New Ransomware Variant}}, date = {2018-05-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/}, language = {English}, urldate = {2019-10-14} } @online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } @online{centeno:20200521:backdoor:d6d37a9, author = {Raphael Centeno and Llallum Victoria}, title = {{Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers}}, date = {2020-05-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/}, language = {English}, urldate = {2020-05-23} } @online{centeno:20200921:cybercriminals:0dbaa08, author = {Raphael Centeno}, title = {{Cybercriminals Distribute Backdoor With VPN Installer}}, date = {2020-09-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html}, language = {English}, urldate = {2020-09-23} } @online{centeno:20210205:new:33e89f1, author = {Raphael Centeno and Monte de Jesus and Don Ovid Ladores and Junestherry Salvador and Nikko Tamana and Llalum Victoria}, title = {{New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker}}, date = {2021-02-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html}, language = {English}, urldate = {2021-02-09} } @online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } @online{center:20130222:recent:b3d3f80, author = {Microsoft Security Response Center}, title = {{Recent Cyberattacks}}, date = {2013-02-22}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/}, language = {English}, urldate = {2019-12-20} } @online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } @techreport{center:201803:oilrig:b3c95ff, author = {NYOTRON ATTACK RESPONSE CENTER}, title = {{OilRig is Back with Next-Generation Tools and Techniques}}, date = {2018-03}, institution = {Nyotron}, url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf}, language = {English}, urldate = {2019-10-13} } @online{center:20180523:sidewinderapttapt04:2f4c2cc, author = {Tencent Mimi Threat Intelligence Center}, title = {{SideWinder“响尾蛇”APT组织(T-APT-04):针对南亚的定向攻击威胁}}, date = {2018-05-23}, organization = {Tencent}, url = {https://s.tencent.com/research/report/479.html}, language = {Chinese}, urldate = {2020-01-06} } @techreport{center:20180614:cyber:b2150a3, author = {Cyber ​​Emergency Center}, title = {{Cyber ​​Emergency Center Report No. 3}}, date = {2018-06-14}, institution = {LAC}, url = {https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf}, language = {English}, urldate = {2020-07-20} } @online{center:20180723:golden:acfd437, author = {Qi Anxin Threat Intelligence Center}, title = {{Golden Rat Organization-targeted attack in Syria}}, date = {2018-07-23}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-27/}, language = {Chinese}, urldate = {2020-04-28} } @online{center:20181129:analysis:08c590c, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english}, language = {English}, urldate = {2020-03-02} } @online{center:20181129:analysis:d46e3e4, author = {Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/}, language = {English}, urldate = {2022-01-03} } @online{center:20181212:donot:32e8fb0, author = {Qi Anxin Threat Intelligence Center}, title = {{Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China}}, date = {2018-12-12}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/}, language = {English}, urldate = {2020-01-13} } @online{center:20190218:aptc36:abbf9ea, author = {Anxin Threat Intelligence Center}, title = {{APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations}}, date = {2019-02-18}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/}, language = {English}, urldate = {2020-01-09} } @online{center:20190226:disclosure:d46aaed, author = {Tencent Yujian Threat Intelligence Center}, title = {{Disclosure of SideWinder APT's attack against South Asia}}, date = {2019-02-26}, organization = {Tencent}, url = {https://s.tencent.com/research/report/659.html}, language = {Chinese}, urldate = {2021-03-04} } @online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } @online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2022-06-15} } @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } @online{center:20200528:analysis:5b197d4, author = {Threat Intelligence Center}, title = {{Analysis of recent rattlesnake APT attacks against surrounding countries and regions}}, date = {2020-05-28}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/}, language = {Chinese}, urldate = {2020-10-27} } @online{center:20200604::a1c780b, author = {Chianxin Virus Response Center}, title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}}, date = {2020-06-04}, url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw}, language = {Chinese}, urldate = {2020-07-16} } @online{center:20200701::fc5fdee, author = {360 Threat Intelligence Center}, title = {{游走在东欧和中亚的奇幻熊}}, date = {2020-07-01}, organization = {360}, url = {https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og}, language = {Chinese}, urldate = {2020-10-26} } @online{center:20200821:recurrence:d780ef1, author = {Baidu Security Emergency Response Center}, title = {{Recurrence and research of macro attacks under macOS}}, date = {2020-08-21}, organization = {Baidu Security Emergency Response Center}, url = {https://mp.weixin.qq.com/s/a_0Vbnr38drTZAlQfoH10A}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20200825:darkhotel:cf3af4b, author = {360 Threat Intelligence Center}, title = {{Darkhotel (APT-C-06) organized multiple attacks using the Thinmon backdoor framework to reveal the secrets}}, date = {2020-08-25}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20201023:apt28:099c6cd, author = {360 Threat Intelligence Center}, title = {{APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析}}, date = {2020-10-23}, organization = {360}, url = {https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g}, language = {Chinese}, urldate = {2020-10-26} } @online{center:20201026:analysis:81bfa52, author = {Threat Intelligence Center}, title = {{Analysis of the attack activities of the Rattlesnake organization using the Buffy bilateral agreement as bait}}, date = {2020-10-26}, organization = {Qianxin}, url = {https://www.secrss.com/articles/26507}, language = {Chinese}, urldate = {2020-10-27} } @online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } @online{center:20201030:donot:5f3e428, author = {Threat Intelligence Center}, title = {{攻击武器再升级:Donot组织利用伪造签名样本的攻击活动分析}}, date = {2020-10-30}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/3Pa3hiuZyQBspDzH0kGSHw}, language = {Chinese}, urldate = {2020-11-02} } @online{center:20201109:analysis:ccf80c0, author = {360 Threat Intelligence Center}, title = {{Analysis of the latest targeted attacks by Lugansk against Ukraine}}, date = {2020-11-09}, organization = {360}, url = {https://mp.weixin.qq.com/s/aMj_EDmTYyAouHWFbY64-A}, language = {Chinese}, urldate = {2020-11-11} } @online{center:20201201:blade:1b3519c, author = {Qi Anxin Threat Intelligence Center}, title = {{Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed}}, date = {2020-12-01}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/}, language = {English}, urldate = {2022-04-15} } @online{center:20201213:customer:1f4f734, author = {Microsoft Security Response Center}, title = {{Customer Guidance on Recent Nation-State Cyber Attacks}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/}, language = {English}, urldate = {2020-12-14} } @online{center:20210315:oneclick:cafd441, author = {Microsoft Security Response Center}, title = {{One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021}}, date = {2021-03-15}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/}, language = {English}, urldate = {2021-03-22} } @online{center:20210601:rising:06299b0, author = {Rising Threat Intelligence Center}, title = {{Rising warning: APT organizes Lazarus Group to launch an attack on China}}, date = {2021-06-01}, organization = {Rising Threat Intelligence Center}, url = {https://it.rising.com.cn/dongtai/19777.html}, language = {Chinese}, urldate = {2021-06-09} } @online{center:20210602:analysis:6da7255, author = {Microstep Online Research Response Center}, title = {{Analysis of Lazarus's recent targeted attacks against military industry and other industries}}, date = {2021-06-02}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/MBH8ACSTfC6UGzf2h1BuhA}, language = {Chinese}, urldate = {2021-06-09} } @online{center:20210611:tencent:ed32dd1, author = {The Tencent Security Threat Intelligence Center}, title = {{Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm}}, date = {2021-06-11}, organization = {Tencent}, url = {https://s.tencent.com/research/report/1322.html}, language = {Chinese}, urldate = {2021-06-22} } @online{center:20210623:kimsuky:48c6cff, author = {Microstep Online Research Response Center}, title = {{Kimsuky APT organization's targeted attacks on South Korean defense and security related departments}}, date = {2021-06-23}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/SLocYak45PoOwLtMCn0PFg}, language = {Chinese}, urldate = {2021-06-24} } @techreport{center:20210623:kimsuky:859fde5, author = {Microstep Online Research Response Center}, title = {{Kimsuky APT organization's targeted attacks on South Korean defense and security related departments (IOCs included)}}, date = {2021-06-23}, institution = {Microstep Online Research Response Center}, url = {https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Kimsuky%20APT%20Group%20targeted%20on%20South%20Korean%20defense%20and%20security%20departments.pdf}, language = {Chinese}, urldate = {2021-06-23} } @online{center:20210701:suspected:aedb06c, author = {Anheng Threat Intelligence Center}, title = {{Suspected HADES organization launched an attack on Ukraine with military themes}}, date = {2021-07-01}, organization = {Anheng Threat Intelligence Center}, url = {https://www.freebuf.com/news/279181.html}, language = {English}, urldate = {2021-07-11} } @online{center:20210714:old:d9d32d2, author = {Microstep Online Research Response Center}, title = {{Old trees and new flowers: Analysis of the new version of KGH spy components used by Kimsuky}}, date = {2021-07-14}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw}, language = {Chinese}, urldate = {2021-07-20} } @online{center:20210803:apt31:db50b02, author = {PT Expert Security Center}, title = {{APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere}}, date = {2021-08-03}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/}, language = {English}, urldate = {2021-08-06} } @online{center:20210824:lockbit:730526a, author = {KELA Cyber Intelligence Center}, title = {{LockBit 2.0 Interview with Russian OSINT}}, date = {2021-08-24}, organization = {KELA}, url = {https://ke-la.com/lockbit-2-0-interview-with-russian-osint/}, language = {English}, urldate = {2021-11-02} } @online{center:20210908:trilateral:aedcf24, author = {Microstep Online Research Response Center}, title = {{Trilateral operation: years of cyberespionage against countries in south asia and the middle east (APT36)}}, date = {2021-09-08}, organization = {Microstep Intelligence Bureau}, url = {https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg}, language = {Chinese}, urldate = {2021-09-14} } @online{center:20210930:masters:8707c00, author = {PT Expert Security Center}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang}, language = {English}, urldate = {2021-10-14} } @online{center:20210930:masters:a5ec8ee, author = {PT Expert Security Center}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/}, language = {English}, urldate = {2021-10-22} } @online{center:20211108:aint:b92e3b4, author = {KELA Cyber Intelligence Center}, title = {{Ain’t No Actor Trustworthy Enough: The importance of validating sources}}, date = {2021-11-08}, organization = {KELA}, url = {https://ke-la.com/aint-no-actor-trustworthy-enough-the-importance-of-validating-sources/}, language = {English}, urldate = {2021-11-09} } @online{center:20211201:blacktech:b5f8a20, author = {Microstep Online Research Response Center}, title = {{BlackTech, an East Asian hacking group, has launched attacks in sectors such as finance and education}}, date = {2021-12-01}, organization = {Microstep Intelligence Bureau}, url = {https://mp.weixin.qq.com/s/m7wo0AD4yiAFfTm1Jhq2NQ}, language = {Chinese}, urldate = {2021-12-07} } @online{center:20220223:aptc58:fb10a0a, author = {360 Threat Intelligence Center}, title = {{APT-C-58 (Gorgon Group) attack warning}}, date = {2022-02-23}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ}, language = {Chinese}, urldate = {2022-03-01} } @online{center:20220307:i:aadcf34, author = {Cyber ​​Emergency Center}, title = {{I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS}}, date = {2022-03-07}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20220307_002893.html}, language = {Japanese}, urldate = {2022-04-05} } @online{center:20220322:quantum:8629794, author = {360 Threat Intelligence Center}, title = {{Quantum Attack System – NSA "APT-C-40" Hacking Organization High-end Cyber Attack Weapon Technical Analysis Report (I)}}, date = {2022-03-22}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/lzf16Fchfv1fMG3IExq7XA}, language = {Chinese}, urldate = {2022-06-27} } @online{center:20220330:vajraeleph:272518d, author = {QAX Virus Response Center}, title = {{VajraEleph, a Vajra elephant group from South Asia, reveals cyber espionage campaign against Pakistani military personnel}}, date = {2022-03-30}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww}, language = {Chinese}, urldate = {2022-03-31} } @online{center:20220402:waves:5aa4f65, author = {360 Threat Intelligence Center}, title = {{WAVES LURKING IN THE CALM OF THE WIND AND WAVES: A DYNAMIC ANALYSIS OF THE ATTACK ACTIVITIES OF THE APT-C-00 (SEALOTUS) ORGANIZATION}}, date = {2022-04-02}, organization = {institute for advanced threats}, url = {https://mp.weixin.qq.com/s/tBQSbv55lJUipaPWFr1fKw}, language = {Chinese}, urldate = {2022-04-05} } @online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } @online{center:20220518:filesyncshelldll:4266601, author = {360 Threat Intelligence Center}, title = {{filesyncshell.dll hijacked? APT-C-24 Sidewinder Briefing on the Latest Attack Activity}}, date = {2022-05-18}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg}, language = {Chinese}, urldate = {2022-05-25} } @online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } @online{center:20220720:abused:27d014d, author = {Qi Anxin Threat Intelligence Center}, title = {{Abused Slack Service: Analysis of APT29's Attack on Italy}}, date = {2022-07-20}, organization = {Freebuf}, url = {https://www.freebuf.com/articles/paper/339618.html}, language = {English}, urldate = {2022-10-19} } @online{center:20220804:flying:a16b831, author = {PT Expert Security Center}, title = {{Flying in the clouds: APT31 renews its attacks on Russian companies through cloud storage}}, date = {2022-08-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/}, language = {English}, urldate = {2022-08-15} } @online{center:20220817:kasablanka:2a28570, author = {360 Threat Intelligence Center}, title = {{Kasablanka organizes attacks against political groups and non-profit organizations in the Middle East}}, date = {2022-08-17}, organization = {360}, url = {https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA}, language = {Chinese}, urldate = {2022-08-19} } @online{center:20230218:dont:c42bec8, author = {Qianxin Virus Response Center}, title = {{Don’t follow in the footsteps of the 4 billion data leak incident! Early warning for attacks in the financial and securities industries}}, date = {2023-02-18}, organization = {secrss}, url = {https://www.secrss.com/articles/52018}, language = {English}, urldate = {2023-09-22} } @online{center:20230313:dev1101:be64ddc, author = {Microsoft Threat Intelligence Center}, title = {{DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit}}, date = {2023-03-13}, organization = {Microsoft}, url = {https://security-blog-prod-wp01.azurewebsites.net/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/}, language = {English}, urldate = {2023-03-20} } @online{center:20230704:suspected:d23ef71, author = {Threat Intelligence Center}, title = {{Suspected Maha Grass Organization Uses WarHawk Backdoor Variant Spyder to Spy on Multiple Countries}}, date = {2023-07-04}, organization = {Qianxin Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/ewGyvlmWUD45XTVsoxeVpg}, language = {English}, urldate = {2024-08-29} } @online{center:20230719:military:4b50865, author = {Weibu Online Research Response Center}, title = {{Military topics become the focus: The threat of fake hunter APT organizations continues to be exposed}}, date = {2023-07-19}, organization = {secrss}, url = {https://www.secrss.com/articles/56860?app=1}, language = {English}, urldate = {2023-12-15} } @online{center:20230726:apt29:dec5309, author = {Anheng Threat Intelligence Center}, title = {{APT29 recently faked the German embassy and issued a malicious PDF file}}, date = {2023-07-26}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745}, language = {Chinese}, urldate = {2023-07-28} } @online{center:20230828:aptc55:9eadb97, author = {360 Threat Intelligence Center}, title = {{APT-C-55 (Kimsuky) organization uses Korean domain names for malicious activities}}, date = {2023-08-28}, organization = {360}, url = {https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247493300&idx=1&sn=614dda72d95b5dfd732916aec0662598&chksm=f9c1d5bdceb65cab316de9e368fef6a997b82e96ed1a70b9b53ea8ae3c5698a8d4c95488e956&scene=178&cur_album_id=1955835290309230595}, language = {Chinese}, urldate = {2023-09-07} } @online{center:20231201:cases:8cebd12, author = {Genius Security Center}, title = {{Cases of attacks disguised as North Korean market price analysis documents, etc. CVE-2022-41128 vulnerability called with HWP, HWPX, DOCX, XLSX files}}, date = {2023-12-01}, organization = {Genians}, url = {https://www.genians.co.kr/blog/market}, language = {Korean}, urldate = {2024-01-02} } @online{center:20240219:analysis:b40f30b, author = {AhnLab SEcurity intelligence Center}, title = {{Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant)}}, date = {2024-02-19}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/62144/}, language = {English}, urldate = {2024-10-17} } @online{center:20240510:recruitment:3be72b5, author = {Threat Intelligence Center}, title = {{Recruitment trap for blockchain practitioners: Analysis of suspected Lazarus (APT-Q-1) stealing operations}}, date = {2024-05-10}, organization = {Qianxin Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ}, language = {Chinese}, urldate = {2024-09-13} } @online{center:20240705:aptc26:c541465, author = {360 Threat Intelligence Center}, title = {{APT-C-26 (Lazarus) uses PyPI to attack Windows, Linux, and macOS platforms}}, date = {2024-07-05}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247499462&idx=1&sn=7cc55f3cc2740e8818648efbec21615f}, language = {Chinese}, urldate = {2025-01-14} } @online{center:20241012:bitter:92a7e74, author = {Qianxin Threat Intelligence Center}, title = {{Bitter Group Launches New Trojan Miyarat, Domestic Users Become Primary Ttargets}}, date = {2024-10-12}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/bitter-group-launches-new-trojan-miyarat-domestic-users-become-primary-targets-en/}, language = {English}, urldate = {2024-12-20} } @online{center:20241015:analysis:9d7ee2f, author = {360 Threat Intelligence Center}, title = {{Analysis of the attack activities of APT-C-35 (belly brain worm) against a manufacturing company in South Asia}}, date = {2024-10-15}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247501270&idx=1&sn=203ae98a60ffc172cb9e06a1b95116c6&chksm=f9c1f6dfceb67fc916f29b04e9e63fe81a1f916d575ae8c32250fb954ca9619153ba864e118d&scene=178&cur_album_id=1955835290309230595}, language = {Chinese}, urldate = {2024-10-18} } @online{center:20241226:analysis:4c03a56, author = {360 Threat Intelligence Center}, title = {{Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software}}, date = {2024-12-26}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505438&idx=1&sn=cf1947c7af6581f4a66460ae6d14dc2f}, language = {Chinese}, urldate = {2025-01-14} } @online{center:20250424:crypters:132c0cd, author = {PT Expert Security Center}, title = {{Crypters And Tools. Part 2: Different Paws — Same Tangle}}, date = {2025-04-24}, organization = {Positive Technologies}, url = {https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/crypters-and-tools-part-2-different-paws-same-tangle}, language = {English}, urldate = {2025-04-28} } @techreport{centre:20180705:nciipc:2796c50, author = {National Critical Information Infrastructure Protection Centre}, title = {{NCIIPC Newsletter July 2018}}, date = {2018-07-05}, institution = {National Critical Information Infrastructure Protection Centre}, url = {https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf}, language = {English}, urldate = {2020-01-10} } @online{centre:20210429:saving:cdbd9ca, author = {International Computing Centre}, title = {{Saving World Health Day: UNICC and Group-IB Take Down Scam Campaign Impersonating the World Health Organization}}, date = {2021-04-29}, organization = {International Computing Centre}, url = {https://www.unicc.org/news/2021/04/29/unicc-and-group-ib-take-down-scam-campaign/}, language = {English}, urldate = {2021-05-03} } @techreport{centre:20210824:virlock:97645c6, author = {Basque Cybersecurity Centre}, title = {{VIRLOCK}}, date = {2021-08-24}, institution = {Basque Cybersecurity Centre}, url = {https://www.ciberseguridad.eus/sites/default/files/2022-04/bcsc-malware-virlock-tlpwhite_v1242.pdf}, language = {Spanish}, urldate = {2022-11-18} } @online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } @techreport{cepe:20100531:sasfis:c0eab28, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, institution = {Trend Micro}, url = {https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf}, language = {English}, urldate = {2020-01-08} } @online{cepok:20230203:hookbot:27ab847, author = {Łukasz Cepok and Michał Strzelczyk}, title = {{HookBot – A New Mobile Malware}}, date = {2023-02-03}, organization = {KNF CSIRT}, url = {https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware}, language = {English}, urldate = {2023-02-06} } @online{cerberus:201906:twitter:97cd9de, author = {Android Cerberus}, title = {{Twitter Account of Android Cerberus}}, date = {2019-06}, organization = {Twitter (@AndroidCerberus)}, url = {https://twitter.com/AndroidCerberus}, language = {English}, urldate = {2020-01-09} } @online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } @online{cert:20160906:kzcert:3d8bb82, author = {KZ CERT}, title = {{KZ-CERT has analyzed another sample of malicious software, which is a component of targeted attacks (Targeted attacks, Advanced Persistent Threats (APT))}}, date = {2016-09-06}, organization = {KZ CERT}, url = {http://www.kz-cert.kz/page/502}, language = {Kazakh}, urldate = {2019-10-16} } @techreport{cert:20161104:from:a139d13, author = {Antiy CERT}, title = {{FROM EQUATION TO EQUATIONS}}, date = {2016-11-04}, institution = {Antiy CERT}, url = {https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf}, language = {English}, urldate = {2020-08-18} } @online{cert:20180423:energetic:451033f, author = {Kaspersky Lab ICS CERT}, title = {{Energetic Bear/Crouching Yeti: attacks on servers}}, date = {2018-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/energetic-bear-crouching-yeti/85345/}, language = {English}, urldate = {2019-12-20} } @online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } @online{cert:20180919::c3b6955, author = {Antiy CERT}, title = {{绿斑”行动——持续多年的攻击}}, date = {2018-09-19}, url = {https://www.antiy.com/response/20180919.html}, language = {English}, urldate = {2020-08-14} } @online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } @online{cert:20190613:advanced:5d2e200, author = {ae CERT}, title = {{Advanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers}}, date = {2019-06-13}, organization = {ae CERT}, url = {https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx}, language = {English}, urldate = {2021-04-16} } @online{cert:20200522:analysis:fc8e2b2, author = {Antiy CERT}, title = {{Analysis of Ramsay components of Darkhotel's infiltration and isolation network}}, date = {2020-05-22}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20200522.html}, language = {Chinese}, urldate = {2020-05-23} } @online{cert:20200616:active:1c01229, author = {New Zealand CERT}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} } @online{cert:20200617:targeted:4a2a126, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attacks on industrial companies using Snake ransomware}}, date = {2020-06-17}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/}, language = {English}, urldate = {2020-06-18} } @techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } @techreport{cert:20201105:attackson:62f1e26, author = {Kaspersky Lab ICS CERT and Vyacheslav Kopeytsev}, title = {{Attackson industrial enterprises using RMS and TeamViewer: new data}}, date = {2020-11-05}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf}, language = {English}, urldate = {2020-11-06} } @online{cert:20201223:solarwindsapt:a237c40, author = {Qi AnXin CERT}, title = {{从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战}}, date = {2020-12-23}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q}, language = {Chinese}, urldate = {2020-12-23} } @online{cert:20201228:civerids:b40d172, author = {Antiy CERT}, title = {{"Civerids" organization vs. Middle East area attack activity analysis report}}, date = {2020-12-28}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20201228.html}, language = {Chinese}, urldate = {2021-01-04} } @online{cert:20210126:sunburst:0170800, author = {Kaspersky Lab ICS CERT}, title = {{SunBurst industrial victims}}, date = {2021-01-26}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/}, language = {English}, urldate = {2021-01-27} } @online{cert:20210221:analysis:84134cb, author = {Antiy CERT}, title = {{Analysis report on the attack activities of the "Baby Elephant" against Pakistani defense manufacturers}}, date = {2021-02-21}, organization = {Antiy}, url = {https://mp.weixin.qq.com/s/y2kRbYCt94yPu-5jtcZ_AA}, language = {Chinese}, urldate = {2021-02-25} } @online{cert:20210705:analysis:3708491, author = {Antiy CERT}, title = {{Analysis of "Bitter Elephant" organization's attack activities against my country in the first half of the year}}, date = {2021-07-05}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20210705.html}, language = {Chinese}, urldate = {2023-02-09} } @online{cert:20210705:analysis:5047c28, author = {Antiy CERT}, title = {{Analysis of "Bitter Elephant" organization's attacks against country in the first half of the year}}, date = {2021-07-05}, organization = {Antiy}, url = {https://mp.weixin.qq.com/s/dHiYZyJXoy2LLXtElcYeog}, language = {Chinese}, urldate = {2021-07-12} } @techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } @online{cert:20211216:pseudomanuscrypt:808ef18, author = {Kaspersky Lab ICS CERT}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, url = {https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/}, language = {English}, urldate = {2021-12-23} } @online{cert:20211216:pseudomanuscrypt:d59d94e, author = {Kaspersky Lab ICS CERT}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, organization = {Kaspersky}, url = {https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/105286/}, language = {English}, urldate = {2021-12-23} } @online{cert:20220713:confucius:307a7f4, author = {Antiy CERT}, title = {{Confucius: The Angler Hidden Under CloudFlare}}, date = {2022-07-13}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ}, language = {English}, urldate = {2022-07-14} } @techreport{cert:20220808:targeted:61c5617, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attack on industrial enterprises and public institutions}}, date = {2022-08-08}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf}, language = {English}, urldate = {2022-08-11} } @online{cert:20220817:irata:4ba26b9, author = {One Cert}, title = {{IRATA}}, date = {2022-08-17}, organization = {One Cert}, url = {https://onecert.ir/portal/blog/irata}, language = {English}, urldate = {2022-09-06} } @online{cert:20230324:attacks:77785a3, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H2 2022}}, date = {2023-03-24}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/}, language = {English}, urldate = {2023-12-04} } @online{cert:20240402:financial:fbf5379, author = {Kaspersky Lab ICS CERT}, title = {{APT and financial attacks on industrial organizations in H2 2023}}, date = {2024-04-02}, organization = {Kaspersky}, url = {https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/}, language = {English}, urldate = {2024-09-04} } @online{cert:20250214:twitter:4ab880b, author = {Deutsche Telekom CERT}, title = {{Twitter Thread on a password-protected loader observed in a vishing campaign}}, date = {2025-02-14}, organization = {Twitter (@DTCERT)}, url = {https://x.com/DTCERT/status/1890384162818802135}, language = {English}, urldate = {2025-02-19} } @online{certagid:20200713:campagna:1da46a9, author = {Cert-AgID}, title = {{Campagna sLoad v.2.9.3 veicolata via PEC}}, date = {2020-07-13}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/}, language = {Italian}, urldate = {2020-07-15} } @online{certagid:20201231:simplify:1a7bcd2, author = {Cert-AgID}, title = {{Simplify Emotet parsing with Python and iced x86}}, date = {2020-12-31}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/}, language = {Italian}, urldate = {2021-01-05} } @online{certagid:20210125:individuato:81951d8, author = {Cert-AgID}, title = {{Individuato sito che veicola in Italia un APK malevolo}}, date = {2021-01-25}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/}, language = {Italian}, urldate = {2021-02-02} } @online{certagid:20210127:oscorp:94a1a19, author = {Cert-AgID}, title = {{Oscorp, il “solito” malware per Android}}, date = {2021-01-27}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/oscorp-il-solito-malware-per-android/}, language = {Italian}, urldate = {2021-02-02} } @online{certagid:20220708:il:c02e771, author = {Cert-AgID}, title = {{Il malware EnvyScout (APT29) è stato veicolato anche in Italia}}, date = {2022-07-08}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/}, language = {Italian}, urldate = {2022-10-19} } @online{certagid:20220719:analysis:ab762a7, author = {Cert-AgID}, title = {{Analysis and technical insights on the Coper malware used to attack mobile devices}}, date = {2022-07-19}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/}, language = {Italian}, urldate = {2022-07-25} } @online{certagid:20220721:tecniche:292165d, author = {Cert-AgID}, title = {{Tecniche per semplificare l’analisi del malware GuLoader}}, date = {2022-07-21}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/}, language = {Italian}, urldate = {2022-07-25} } @online{certagid:20230523:technical:ad39da1, author = {Cert-AgID}, title = {{Technical analysis and considerations on Strela malware}}, date = {2023-05-23}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/analisi-tecnica-e-considerazioni-sul-malware-strela/}, language = {English}, urldate = {2023-06-26} } @online{certagid:20250113:analisi:a1090f9, author = {Cert-AgID}, title = {{Analisi di una campagna Lumma Stealer con falso CAPTCHA condotta attraverso domino italiano compromesso}}, date = {2025-01-13}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/analisi-di-una-campagna-lumma-stealer-con-falso-captcha-condotta-attraverso-domino-italiano-compromesso/}, language = {Italian}, urldate = {2025-01-16} } @online{certbr:20210318:communiqu:cc24235, author = {CERT-BR}, title = {{Communiqué de presse: 400 systèmes informatique belges infiltrés dans le cadre d'une vulnérabilité des serveurs Microsoft Exchange}}, date = {2021-03-18}, organization = {CERT-BR}, url = {https://www.cert.be/fr/news/communique-de-presse-400-systemes-informatique-belges-infiltres-dans-le-cadre-dune}, language = {French}, urldate = {2021-03-19} } @online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } @techreport{certbund:20210319:microsoft:beb2409, author = {CERT-Bund}, title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}}, date = {2021-03-19}, institution = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf}, language = {English}, urldate = {2021-03-22} } @techreport{certee:20210127:gamaredon:5d273c4, author = {CERT-EE}, title = {{Gamaredon Infection: From Dropper to Entry}}, date = {2021-01-27}, institution = {Estonian Information System Authority}, url = {https://www.ria.ee/sites/default/files/js/tale_of_gamaredon_infection.pdf}, language = {English}, urldate = {2021-03-31} } @online{certem:20180803:certfr:65e03cf, author = {CERT-EM}, title = {{CERT-FR ALERT BULLETIN}}, date = {2018-08-03}, organization = {CERT-EM}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/}, language = {French}, urldate = {2020-01-08} } @techreport{certeu:20200603:cyber:681a7c2, author = {CERT-EU}, title = {{Cyber brief (June2020)}}, date = {2020-06-03}, institution = {CERT-EU}, url = {https://media.cert.europa.eu/static/MEMO/2020/TLP-WHITE-CERT-EU-CYBER-BRIEF-20-06%20v1.1.pdf}, language = {English}, urldate = {2020-06-05} } @techreport{certeu:20230215:jp2301:5fb4227, author = {CERT-EU and ENISA}, title = {{JP-23-01 - Sustained activity by specific threat actors}}, date = {2023-02-15}, institution = {CERT-EU}, url = {https://cert.europa.eu/static/files/TLP-CLEAR-JointPublication-23-01.pdf}, language = {English}, urldate = {2023-05-25} } @online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } @online{certfr:20200318:rapport:abbc7c4, author = {CERT-FR}, title = {{Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa}}, date = {2020-03-18}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/}, language = {French}, urldate = {2020-03-26} } @techreport{certfr:20200423:le:4dbca96, author = {CERT-FR}, title = {{LE GROUPE CYBERCRIMINEL SILENCE}}, date = {2020-04-23}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf}, language = {French}, urldate = {2020-05-07} } @online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } @techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } @techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } @techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } @techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } @online{certfr:20200907:bulletin:f7b2023, author = {CERT-FR}, title = {{Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France}}, date = {2020-09-07}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/}, language = {English}, urldate = {2020-09-15} } @techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } @techreport{certfr:20210127:sandword:7f2e586, author = {CERT-FR}, title = {{Sandword Intrusion Set: Campaign Targeting Centreon Ssystems}}, date = {2021-01-27}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf}, language = {English}, urldate = {2021-03-02} } @techreport{certfr:20210212:malwareaaaservice:c6454b5, author = {CERT-FR}, title = {{The Malware-Aa-A-Service Emotet}}, date = {2021-02-12}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf}, language = {English}, urldate = {2021-02-20} } @techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } @online{certfr:20210302:egregor:f0da4ec, author = {CERT-FR}, title = {{The Egregor Ransomware}}, date = {2021-03-02}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/}, language = {English}, urldate = {2021-06-29} } @techreport{certfr:20211202:phishing:c22ef4f, author = {CERT-FR}, title = {{Phishing Campaigns by the Nobelium Intrusion Set}}, date = {2021-12-02}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf}, language = {English}, urldate = {2021-12-07} } @online{certfr:20211206:phishing:c58da54, author = {CERT-FR}, title = {{Phishing campaigns by the Nobelium intrusion set}}, date = {2021-12-06}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/}, language = {English}, urldate = {2021-12-07} } @techreport{certfr:20250429:targeting:a623e6c, author = {CERT-FR}, title = {{Targeting and Compromise of French Entities Using the APT28 Intrusion Set}}, date = {2025-04-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-007.pdf}, language = {English}, urldate = {2025-05-02} } @techreport{certil:20170424:wave:d0c610f, author = {CERT-IL}, title = {{Wave attacks against government agencies, academia and business entities in Israel}}, date = {2017-04-24}, institution = {CERT-IL}, url = {https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf}, language = {Hebrew}, urldate = {2020-05-18} } @online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} } @online{certpa:20190110:divergent:c0ab442, author = {Cert-PA}, title = {{“Divergent” malware Fileless}}, date = {2019-01-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/devergent-malware-fileless/}, language = {Italian}, urldate = {2019-11-23} } @online{certpa:20200310:campagna:dac7559, author = {Cert-PA}, title = {{Campagna sLoad “Star Wars Edition” veicolata via PEC}}, date = {2020-03-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/}, language = {Italian}, urldate = {2020-03-11} } @online{certpa:20200323:pwndlocker:3607042, author = {Cert-PA}, title = {{PwndLocker si rinnova in ProLock Ransomware}}, date = {2020-03-23}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/}, language = {Italian}, urldate = {2020-03-25} } @techreport{certpl:20110603:botnet:fd65588, author = {CERT.PL}, title = {{Botnet Hamweq - analiza}}, date = {2011-06-03}, institution = {CERT Polska / NASK}, url = {https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf}, language = {Polish}, urldate = {2019-11-28} } @online{certpl:20141215:banatrix:ff1a5a2, author = {CERT.PL}, title = {{Banatrix – an indepth look}}, date = {2014-12-15}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/banatrix-an-indepth-look/}, language = {English}, urldate = {2019-10-23} } @online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } @techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } @online{certpl:20191118:brushaloader:f75d346, author = {CERT.PL}, title = {{Brushaloader gaining new layers like a pro}}, date = {2019-11-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/}, language = {English}, urldate = {2020-01-13} } @online{certpl:20211027:vidar:8fe3984, author = {CERT.PL}, title = {{Vidar stealer campaign targeting Baltic region and NATO entities}}, date = {2021-10-27}, organization = {CERT.PL}, url = {https://cert.pl/en/posts/2021/10/vidar-campaign/}, language = {English}, urldate = {2021-11-02} } @online{certpl:20230413:cert:fbd2671, author = {CERT.PL}, title = {{CERT Polska and SKW warn against the activities of Russian spies}}, date = {2023-04-13}, organization = {CERT.PL}, url = {https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/}, language = {Polish}, urldate = {2023-05-25} } @online{certpl:20240508:apt28:1cbb4ae, author = {CERT.PL}, title = {{APT28 campaign targeting Polish government institutions}}, date = {2024-05-08}, organization = {CERT.PL}, url = {https://cert.pl/en/posts/2024/05/apt28-campaign/}, language = {English}, urldate = {2024-05-21} } @online{certua:20180309:mass:240cdf7, author = {Cert-UA}, title = {{Mass mailing of Pterodo-type spyware}}, date = {2018-03-09}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/2807}, language = {English}, urldate = {2023-11-13} } @online{certua:20180903:bulk:09fa177, author = {Cert-UA}, title = {{Bulk mailing of spyware like Pterodo}}, date = {2018-09-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/42}, language = {Ukrainian}, urldate = {2020-01-08} } @online{certua:20181115:pterodo:3ed19e5, author = {Cert-UA}, title = {{Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo}}, date = {2018-11-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/46}, language = {Ukrainian}, urldate = {2020-01-13} } @online{certua:20210303:renewal:caa9029, author = {Cert-UA}, title = {{Renewal of cyber attacks using the Pterodo hacker group Armageddon/Gamaredon}}, date = {2021-03-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/10702}, language = {Ukrainian}, urldate = {2023-11-13} } @online{certua:20220126:fragment:f64191e, author = {Cert-UA}, title = {{Fragment of cyberattack research 14.01.2022}}, date = {2022-01-26}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/18101}, language = {Ukrainian}, urldate = {2022-01-28} } @online{certua:20220201:cyber:5efa22c, author = {Cert-UA}, title = {{Cyber attack of the UAC-0010 group (Armageddon) on the state organizations of Ukraine (CERT-UA#3787)}}, date = {2022-02-01}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/18365}, language = {Ukrainian}, urldate = {2022-09-20} } @online{certua:20220202:uac0056:c1fdb5c, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state organizations using SaintBot and OutSteel malware (CERT-UA#3799)}}, date = {2022-02-02}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/18419}, language = {Ukrainian}, urldate = {2022-05-04} } @online{certua:20220218:information:122b8b2, author = {Cert-UA}, title = {{Information on cyberattacks 15 February 2022}}, date = {2022-02-18}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37139}, language = {Ukrainian}, urldate = {2022-05-04} } @online{certua:20220307:uac0051:18afbc7, author = {Cert-UA}, title = {{UAC-0051 (UNC1151) Cyberattack on Ukrainian State Organizations Using MicroBackdoor Malware (CERT-UA#4109)}}, date = {2022-03-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37626}, language = {Ukrainian}, urldate = {2022-03-08} } @online{certua:20220311:cyberattack:1e34a52, author = {Cert-UA}, title = {{Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)}}, date = {2022-03-11}, url = {https://cert.gov.ua/article/37704}, language = {Ukrainian}, urldate = {2022-03-14} } @online{certua:20220317:uac0020:ae5d466, author = {Cert-UA}, title = {{UAC-0020 (Vermin) cyberattack on Ukrainian state organizations using the SPECTR malware (CERT-UA#4207)}}, date = {2022-03-17}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37815}, language = {Ukrainian}, urldate = {2023-01-19} } @online{certua:20220322:cyberattack:e5a60d7, author = {Cert-UA}, title = {{Cyberattack on Ukrainian enterprises using the DoubleZero destructor program (CERT-UA # 4243)}}, date = {2022-03-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38088}, language = {Ukrainian}, urldate = {2022-03-23} } @online{certua:20220322:uac0026:526ce2b, author = {Cert-UA}, title = {{Uac-0026 cyberattack using HeaderTip malware (CERT-UA#4244)}}, date = {2022-03-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38097}, language = {Ukrainian}, urldate = {2022-04-04} } @online{certua:20220328:uac0056:46919e1, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)}}, date = {2022-03-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38374}, language = {Ukrainian}, urldate = {2022-03-31} } @online{certua:20220330:mass:5bc04fd, author = {Cert-UA}, title = {{Mass distribution of the MarsStealer malware among citizens of Ukraine and domestic organizations (CERT-UA#4315)}}, date = {2022-03-30}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38606}, language = {Ukrainian}, urldate = {2022-04-04} } @online{certua:20220404:cyber:76667d6, author = {Cert-UA}, title = {{Cyber attack by the UAC-0010 group (Armageddon) on state institutions of the European Union countries (CERT-UA#4334)}}, date = {2022-04-04}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39086}, language = {Ukrainian}, urldate = {2022-08-25} } @online{certua:20220404:cyber:d319b18, author = {Cert-UA}, title = {{Cyber ​​attack of UAC-0010 group (Armageddon) on state organizations of Ukraine (CERT-UA # 4378)}}, date = {2022-04-04}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39138}, language = {Ukrainian}, urldate = {2022-04-12} } @online{certua:20220405:information:b3685e0, author = {Cert-UA}, title = {{Information on cyberattacks aimed at gaining access to Telegram accounts (CERT-UA#4360)}}, date = {2022-04-05}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39253}, language = {Ukrainian}, urldate = {2022-04-07} } @online{certua:20220407:cyber:d3c5564, author = {Cert-UA}, title = {{Cyber attack of the UAC-0010 group (Armageddon) on the state organizations of Ukraine (CERT-UA#4434)}}, date = {2022-04-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39386}, language = {Ukrainian}, urldate = {2022-08-25} } @online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } @online{certua:20220414:cyberattack:915dfa7, author = {Cert-UA}, title = {{Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)}}, date = {2022-04-14}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39609}, language = {Ukrainian}, urldate = {2022-04-20} } @online{certua:20220428:malicious:7c130c8, author = {Cert-UA}, title = {{Malicious JavaScript-code BrownFlood injected into web-sites used for DDoS attacks (CERT-UA#4553)}}, date = {2022-04-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39925}, language = {Ukrainian}, urldate = {2022-05-03} } @online{certua:20220507:mass:5933c0a, author = {Cert-UA}, title = {{Mass distribution of JesterStealer malware using chemical attack themes (CERT-UA#4625)}}, date = {2022-05-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/40135}, language = {Ukrainian}, urldate = {2022-05-17} } @online{certua:20220512:uac0010:582178b, author = {Cert-UA}, title = {{Uac-0010 (Armageddon) cyberattacks using GammaLoad.PS1_v2 malware (CERT-UA#4634,4648)}}, date = {2022-05-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/40240}, language = {Ukrainian}, urldate = {2022-05-17} } @online{certua:20220610:massive:9b756c2, author = {Cert-UA}, title = {{Massive cyberattack on Media Organizations of Ukraine using crescentImp malware (CERT-UA#4797)}}, date = {2022-06-10}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/160530}, language = {Ukrainian}, urldate = {2022-07-15} } @online{certua:20220620:apt28:2c02bf5, author = {Cert-UA}, title = {{APT28 cyberattack using CredoMap malware (CERT-UA#4843)}}, date = {2022-06-20}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/341128}, language = {Ukrainian}, urldate = {2022-07-15} } @online{certua:20220620:uac0098:2a68eac, author = {Cert-UA}, title = {{UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)}}, date = {2022-06-20}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/339662}, language = {Ukrainian}, urldate = {2022-07-15} } @online{certua:20220622:cyberattacks:3a05a70, author = {Cert-UA}, title = {{Cyberattacks by China-associated groups against Russian scientific and technical enterprises and government agencies (CERT-UA#4860)}}, date = {2022-06-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/375404}, language = {Ukrainian}, urldate = {2022-07-13} } @online{certua:20220624:cyberattack:c247b3d, author = {Cert-UA}, title = {{Cyberattack against Ukrainian telecommunications operators using DarkCrystal RAT malware (CERT-UA # 4874)}}, date = {2022-06-24}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/405538}, language = {Ukrainian}, urldate = {2022-06-27} } @online{certua:20220706:uac0056:af030ea, author = {Cert-UA}, title = {{UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)}}, date = {2022-07-06}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/619229}, language = {Ukrainian}, urldate = {2022-07-15} } @online{certua:20220711:uac0056:f690298, author = {Cert-UA}, title = {{UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)}}, date = {2022-07-11}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/703548}, language = {Ukrainian}, urldate = {2022-07-15} } @online{certua:20220714:uac0100:6e00cea, author = {Cert-UA}, title = {{UAC-0100 - Online fraud using the subject of "monetary compensation" (CERT-UA#4964)}}, date = {2022-07-14}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/761668}, language = {Ukrainian}, urldate = {2022-07-25} } @online{certua:20220720:cyberattack:3450ba8, author = {Cert-UA}, title = {{Cyberattack on State Organizations of Ukraine using the topic OK "South" and the malicious program AgentTesla (CERT-UA#4987)}}, date = {2022-07-20}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/861292}, language = {Ukrainian}, urldate = {2022-07-25} } @online{certua:20220725:mass:92104f0, author = {Cert-UA}, title = {{Mass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a means of delivery (CERT-UA#5056)}}, date = {2022-07-25}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/955924}, language = {Ukrainian}, urldate = {2022-07-28} } @online{certua:20220726:uac0010:e697f18, author = {Cert-UA}, title = {{UAC-0010 (Armageddon) cyberattacks using the GammaLoad.PS1_v2 malware (CERT-UA#5003,5013,5069,5071)}}, date = {2022-07-26}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/971405}, language = {Ukrainian}, urldate = {2022-07-28} } @online{certua:20220810:cyberattacks:5a2c3fb, author = {Cert-UA}, title = {{Cyberattacks of the UAC-0010 group (Armageddon): malicious programs GammaLoad, GammaSteel (CERT-UA#5134)}}, date = {2022-08-10}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/1229152}, language = {Ukrainian}, urldate = {2022-08-25} } @online{certua:20221222:cyber:bc80a7f, author = {Cert-UA}, title = {{Cyber ​​attack on DELTA system users using RomCom/FateGrab/StealDeal malware (CERT-UA#5709)}}, date = {2022-12-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/3349703}, language = {Ukrainian}, urldate = {2023-01-17} } @online{certua:20230127:cyber:b31b337, author = {Cert-UA}, title = {{Cyber attack on the Ukrinform information and communication system}}, date = {2023-01-27}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/3718487}, language = {Ukrainian}, urldate = {2023-02-03} } @online{certua:20230206:uac0050:d4f40fb, author = {Cert-UA}, title = {{UAC-0050 cyber attack against the state bodies of Ukraine using the program for remote control and surveillance Remcos (CERT-UA#5926)}}, date = {2023-02-06}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/3804703}, language = {Ukrainian}, urldate = {2023-12-28} } @online{certua:20230213:cyber:4ebbf69, author = {Cert-UA}, title = {{Cyber attack on organizations and institutions of Ukraine using the Remote Utilities program (CERT-UA#5961)}}, date = {2023-02-13}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/3863542}, language = {Ukrainian}, urldate = {2023-02-14} } @online{certua:20230221:cyber:928cd97, author = {Cert-UA}, title = {{Cyber ​​attack of the group UAC-0050 (UAC-0096) using the Remcos program (CERT-UA#6011)}}, date = {2023-02-21}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/3931296}, language = {Ukrainian}, urldate = {2023-12-28} } @online{certua:20230428:apt28:2246cc6, author = {Cert-UA}, title = {{APT28 cyberattack: distribution of emails with "instructions" on "updating the operating system" (CERT-UA#6562)}}, date = {2023-04-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/4492467}, language = {Ukrainian}, urldate = {2023-10-09} } @online{certua:20230522:espionage:fafdb29, author = {Cert-UA}, title = {{Espionage activity of UAC-0063 against Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India (CERT-UA#6549)}}, date = {2023-05-22}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/4697016}, language = {Ukrainian}, urldate = {2024-07-25} } @online{certua:20230619:targeted:cc30d5f, author = {Cert-UA}, title = {{Targeted UAC-0102 cyber attacks against UKR.NET service users (CERT-UA#6858)}}, date = {2023-06-19}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/4928679}, language = {Ukrainian}, urldate = {2024-08-29} } @online{certua:20230620:apt28:cdd3d5a, author = {Cert-UA}, title = {{APT28 group used three Roundcube exploits (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during another espionage campaign (CERT-UA#6805)}}, date = {2023-06-20}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/4905829}, language = {Ukrainian}, urldate = {2023-07-11} } @online{certua:20230707:uac0057:0898b84, author = {Cert-UA}, title = {{UAC-0057 Targeted Cyber ​​Attack Against Government Agencies Using PicassoLoader/njRAT (CERT-UA#6948)}}, date = {2023-07-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/5098518}, language = {English}, urldate = {2024-08-29} } @online{certua:20230718:targeted:514e9c6, author = {Cert-UA}, title = {{Targeted Turla attacks (UAC-0024, UAC-0003) using CAPIBAR and KAZUAR malware (CERT-UA#6981)}}, date = {2023-07-18}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/5213167}, language = {English}, urldate = {2023-07-20} } @online{certua:20230904:apt28:5db5c7c, author = {Cert-UA}, title = {{APT28 cyberattack: msedge as a bootloader, TOR and mockbin.org/website.hook services as a control center (CERT-UA#7469)}}, date = {2023-09-04}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/5702579}, language = {Ukrainian}, urldate = {2023-09-07} } @online{certua:20231015:peculiarities:c150d45, author = {Cert-UA}, title = {{Peculiarities of destructive cyber attacks against Ukrainian providers (CERT-UA#7627)}}, date = {2023-10-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6123309}, language = {Ukrainian}, urldate = {2023-10-17} } @online{certua:20231207:uac0050:a1266ae, author = {Cert-UA}, title = {{UAC-0050 mass cyberattack using RemcosRAT/MeduzaStealer against Ukraine and Poland (CERT-UA#8218)}}, date = {2023-12-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6276652}, language = {Ukrainian}, urldate = {2023-12-13} } @online{certua:20231228:apt28:29b5be4, author = {Cert-UA}, title = {{APT28: From initial attack to creating threats to a domain controller in an hour}}, date = {2023-12-28}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6276894}, language = {Ukrainian}, urldate = {2024-01-02} } @online{certua:20240224:uac0149:98db5a5, author = {Cert-UA}, title = {{UAC-0149: Targeted selective attacks against the Defense Forces of Ukraine using COOKBOX (CETRT-UA#9204)}}, date = {2024-02-24}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6277849}, language = {English}, urldate = {2025-05-02} } @online{certua:20240418:uac0149:407d3e1, author = {Cert-UA}, title = {{UAC-0149 cyberattack exploiting Signal, CVE-2023-38831 vulnerability, and COOKBOX malware (CERT-UA#9522)}}, date = {2024-04-18}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6278620}, language = {Ukrainian}, urldate = {2024-12-11} } @online{certua:20240419:uac0133:e56fac6, author = {Cert-UA}, title = {{UAC-0133 (Sandworm) plans for cyber sabotage on almost 20 objects of critical infrastructure of Ukraine}}, date = {2024-04-19}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6278706}, language = {Ukrainian}, urldate = {2024-08-29} } @online{certua:20240604:uac0200:4ad8057, author = {Cert-UA}, title = {{UAC-0200: Targeted cyberattacks using DarkCrystal RAT and Signal as a trusted distribution vehicle (CERT-UA#9918)}}, date = {2024-06-04}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6279561}, language = {Ukrainian}, urldate = {2024-06-05} } @online{certua:20240605:uac0020:6e6c380, author = {Cert-UA}, title = {{UAC-0020 (Vermin) attacks the Defense Forces of Ukraine using the SPECTR SPZ in tandem with the legitimate SyncThing ("SickSync" campaign) (CERT-UA#9934)}}, date = {2024-06-05}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6279600}, language = {Ukrainian}, urldate = {2024-06-24} } @online{certua:20240721:uac0063:d97fbca, author = {Cert-UA}, title = {{UAC-0063 Attacks Research Institutions of Ukraine: HATVIBE + CHERRYSPY + CVE-2024-23692 (CERT-UA#10356)}}, date = {2024-07-21}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6280129}, language = {Ukrainian}, urldate = {2025-01-17} } @online{certua:20241024:accounts:14cd29d, author = {Cert-UA}, title = {{Accounts in service UAC-0218: file theft using HOMESTEEL (CERT-UA#11717)}}, date = {2024-10-24}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6281076}, language = {Ukrainian}, urldate = {2024-10-29} } @online{certua:20241207:targeted:9dfb25d, author = {Cert-UA}, title = {{Targeted cyberattacks UAC-0185 in relation to the Defense Forces and enterprises of defense systems of Ukraine (CRT-UA#12414)}}, date = {2024-12-07}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6281632}, language = {Ukrainian}, urldate = {2025-03-05} } @online{certua:20250401:uac0219:54cab9c, author = {Cert-UA}, title = {{UAC-0219: Cyber ​​espionage using PowerShell stealer WRECKSTEEL (CERT-UA#14283)}}, date = {2025-04-01}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6282902}, language = {Ukrainian}, urldate = {2025-04-25} } @online{certua:20250406:target:ef1f365, author = {Cert-UA}, title = {{Target espionage activity UAC-0226 in relation to the centers of innovation, state and law enforcement services using the GIFTEDCROOK (CERT-UA#14303)}}, date = {2025-04-06}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6282946}, language = {Ukrainian}, urldate = {2025-05-02} } @online{certua:20250621:cyberattacks:78d85d0, author = {Cert-UA}, title = {{Cyberattacks UAC-0001 (APT28) in relation to public authorities using BEARDSHELL and COVENANT}}, date = {2025-06-21}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/6284080}, language = {Ukrainian}, urldate = {2025-06-25} } @online{ch0sys:20170615:dubrute:3cb7c5a, author = {ch0sys}, title = {{DUBrute}}, date = {2017-06-15}, organization = {Github (ch0sys)}, url = {https://github.com/ch0sys/DUBrute}, language = {English}, urldate = {2020-01-08} } @online{chakrabarthy:20250331:operation:b85c797, author = {Mahua Chakrabarthy and Sanjay Katkar and Subhajeet Singha}, title = {{Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs}}, date = {2025-03-31}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-hollowquill-russian-rd-networks-malware-pdf/}, language = {English}, urldate = {2025-06-17} } @online{chalard:20211220:dont:0aad3db, author = {Nick Chalard}, title = {{(Don't) Bring Dridex Home for the Holidays}}, date = {2021-12-20}, organization = {InQuest}, url = {https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays}, language = {English}, urldate = {2021-12-22} } @online{chalupowski:20210201:bazarloader:61a163a, author = {Lilly Chalupowski}, title = {{BazarLoader Mocks Researchers in December 2020 Malspam Campaign}}, date = {2021-02-01}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/}, language = {English}, urldate = {2021-02-02} } @online{chalupowski:20211102:new:b68bd68, author = {Lilly Chalupowski}, title = {{New Malware “Gameloader” in Discord Malspam Campaign Identified by GoSecure Titan Labs}}, date = {2021-11-02}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/11/02/new-malware-gameloader-in-discord-malspam-campaign-identified-by-gosecure-titan-labs/}, language = {English}, urldate = {2021-11-03} } @online{chan:20250529:chasing:9dc75e6, author = {Jia Yu Chan}, title = {{Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns}}, date = {2025-05-29}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/eddiestealer}, language = {English}, urldate = {2025-06-02} } @online{chandra:20220824:demystifying:77609b2, author = {Adithya Chandra and Sushant Kumar Arya}, title = {{Demystifying Qbot Malware}}, date = {2022-08-24}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html}, language = {English}, urldate = {2022-08-28} } @online{chandra:20230901:icymi:db5addb, author = {Adithya Chandra and Joao Marques and Raghav Kapoor}, title = {{ICYMI: Emotet Reappeared Early This Year, Unfortunately}}, date = {2023-09-01}, organization = {Trellix}, url = {https://www.trellix.com/blogs/research/icymi-emotet-reappeared-early-this-year-unfortunately/}, language = {English}, urldate = {2024-12-06} } @online{chandrayan:20211223:log4j:58ea562, author = {Siddhesh Chandrayan}, title = {{Log4j Vulnerabilities: Attack Insights}}, date = {2021-12-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks}, language = {English}, urldate = {2022-01-25} } @online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } @online{chang:20170619:erebus:dee1998, author = {Ziv Chang and Gilbert Sison and Jeanne Jocson}, title = {{Erebus Resurfaces as Linux Ransomware}}, date = {2017-06-19}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/}, language = {English}, urldate = {2020-01-08} } @techreport{chang:20220512:next:5fd8a83, author = {Leon Chang and Silvia Yeh}, title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}}, date = {2022-05-12}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf}, language = {English}, urldate = {2022-08-08} } @online{chang:20240322:largescale:c94edd9, author = {Benjamin Chang and Goutam Tripathy and Pranay Kumar Chhaparwal and Anmol Maurya and Vishwa Thothathri}, title = {{Large-Scale StrelaStealer Campaign in Early 2024}}, date = {2024-03-22}, organization = {Palo Alto}, url = {https://unit42.paloaltonetworks.com/strelastealer-campaign/}, language = {English}, urldate = {2024-07-17} } @techreport{chang:20240419:chinese:0170223, author = {Che Chang and Charles Li and Greg Chen}, title = {{Chinese APT: A Master of Exploiting Edge Devices}}, date = {2024-04-19}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-24/Presentations/Asia-24-Chen-Chinese-APT.pdf}, language = {English}, urldate = {2025-01-27} } @online{chang:20241125:game:e999422, author = {Leon M Chang and Theo Chen and Lenart Bermejo and Ted Lee}, title = {{Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions}}, date = {2024-11-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/k/earth-estries.html}, language = {English}, urldate = {2025-01-15} } @techreport{chang:20250121:game:163ed54, author = {Leon Chang and Theo Chen}, title = {{Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions}}, date = {2025-01-21}, institution = {Trend Micro}, url = {https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_5_leon-chang_theo-chen_en.pdf}, language = {English}, urldate = {2025-01-27} } @online{channell:20200612:what:af937e9, author = {Justin Channell}, title = {{What is the Gibberish Hack?}}, date = {2020-06-12}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/06/gibberish-hack.html}, language = {English}, urldate = {2020-06-16} } @online{charlie:20200713:fell:f278f19, author = {Charlie}, title = {{Fell Deeds Awake}}, date = {2020-07-13}, organization = {Cofense}, url = {https://cofenselabs.com/fell-deeds-awake/}, language = {English}, urldate = {2020-07-15} } @online{chaturvedi:20200520:latest:ca8dd12, author = {Rohit Chaturvedi and Amandeep Kumar}, title = {{Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT}}, date = {2020-05-20}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat}, language = {English}, urldate = {2023-10-16} } @online{chaturvedi:20200710:deep:f2d16c7, author = {Rohit Chaturvedi and Naveen Selvan}, title = {{Deep Dive Into the M00nD3V Logger}}, date = {2020-07-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger}, language = {English}, urldate = {2020-07-16} } @online{chaturvedi:20210414:look:02bf1e0, author = {Rohit Chaturvedi and Atinderpal Singh and Tarun Dewan}, title = {{A look at HydroJiin campaign}}, date = {2021-04-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign}, language = {English}, urldate = {2021-04-16} } @online{chaturvedi:20211022:new:c65f106, author = {Stuti Chaturvedi and Amandeep Kumar}, title = {{New MultiloginBot Phishing Campaign}}, date = {2021-10-22}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-multiloginbot-phishing-campaign}, language = {English}, urldate = {2021-11-03} } @online{chaturvedi:20220217:freecryptoscam:340b9ec, author = {Stuti Chaturvedi and Aditya Sharma}, title = {{FreeCryptoScam - A New Cryptocurrency Scam That Leads to Installation of Backdoors and Stealers}}, date = {2022-02-17}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and}, language = {English}, urldate = {2022-03-02} } @online{chaturvedi:20220804:xfiles:46c169d, author = {Stuti Chaturvedi}, title = {{X-FILES Stealer Evolution - An Analysis and Comparison Study}}, date = {2022-08-04}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/x-files-stealer-evolution-analysis-and-comparison-study}, language = {English}, urldate = {2023-12-04} } @online{chaudhari:20171003:evolution:5462d67, author = {Pavankumar Chaudhari}, title = {{Evolution of jRAT JAVA Malware}}, date = {2017-10-03}, organization = {Seqrite}, url = {https://blogs.seqrite.com/evolution-of-jrat-java-malware/}, language = {English}, urldate = {2020-01-06} } @online{chaudhari:20200512:java:47c27e7, author = {Pavankumar Chaudhari}, title = {{Java RAT Campaign Targets Co-Operative Banks in India}}, date = {2020-05-12}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/}, language = {English}, urldate = {2020-05-23} } @online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } @online{chaudhari:20201218:rat:50074a2, author = {Pavankumar Chaudhari}, title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}}, date = {2020-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/}, language = {English}, urldate = {2020-12-18} } @techreport{chaudhari:20220727:stealthy:9b66a95, author = {Viren Chaudhari}, title = {{Stealthy Quasar Evolving to Lead the RAT Race}}, date = {2022-07-27}, institution = {Qualys}, url = {https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf}, language = {English}, urldate = {2022-08-04} } @online{chaudhari:20220729:new:3f06f5c, author = {Viren Chaudhari}, title = {{New Qualys Research Report: Evolution of Quasar RAT}}, date = {2022-07-29}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat}, language = {English}, urldate = {2022-08-04} } @techreport{chavane:20241113:threebeat:7e0758f, author = {Coline Chavane and Sekoia TDR}, title = {{A three-beat waltz: The ecosystem behind Chinese state-sponsored cyber threats}}, date = {2024-11-13}, institution = {Sekoia}, url = {https://t7f4e9n3.rocketcdn.me/wp-content/uploads/2024/11/A-three-beat-waltz-The-ecosystem-behind-Chinese-state-sponsored-cyber-threats.pdf}, language = {English}, urldate = {2024-11-17} } @online{chavez:20220725:lockbit:a660282, author = {Ivan Nicole Chavez and Byron Gelera and Katherine Casona and Nathaniel Morales and Ieriz Nicolle Gonzalez and Nathaniel Gregory Ragasa}, title = {{LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities}}, date = {2022-07-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html}, language = {English}, urldate = {2022-08-11} } @online{chavez:20221221:conti:d755947, author = {Ivan Nicole Chavez and Byron Gelera and Monte de Jesus and Don Ovid Ladores and Khristian Joseph Morales}, title = {{Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks}}, date = {2022-12-21}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html}, language = {English}, urldate = {2022-12-24} } @online{chebesov:20211028:cannibal:883dcbe, author = {Ruslan Chebesov and Sergey Kokurin}, title = {{Cannibal Carders}}, date = {2021-10-28}, organization = {Group-IB}, url = {https://blog.group-ib.com/cannibal-carders}, language = {English}, urldate = {2021-11-03} } @online{chebyshev:20200225:mobile:e40c963, author = {Victor Chebyshev}, title = {{Mobile malware evolution 2019}}, date = {2020-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/mobile-malware-evolution-2019/96280/}, language = {English}, urldate = {2020-02-26} } @online{chechik:20221031:banking:c421ac8, author = {Or Chechik}, title = {{Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure}}, date = {2022-10-31}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/banking-trojan-techniques/}, language = {English}, urldate = {2022-10-31} } @online{chechik:20240213:deep:7209033, author = {Or Chechik and Ofir Ozer}, title = {{A Deep Dive Into Malicious Direct Syscall Detection}}, date = {2024-02-13}, organization = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/}, language = {English}, urldate = {2024-03-25} } @online{checkmal:20210726:whiteblackgroup:397b3d3, author = {CheckMal}, title = {{WhiteBlackGroup Ransomware (.encrpt3d)}}, date = {2021-07-26}, organization = {CheckMal}, url = {https://www.checkmal.com/video/read/3605/}, language = {English}, urldate = {2022-03-07} } @online{checkmal:20240415:marracrypt:75866fd, author = {CheckMal}, title = {{MarraCrypt ransomware resembles Hermes ransomware}}, date = {2024-04-15}, organization = {CheckMal}, url = {https://blog.naver.com/checkmal/223416580495}, language = {Korean}, urldate = {2025-02-26} } @techreport{checkpoint:20131212:malware:45645af, author = {Checkpoint}, title = {{Malware Research Group HIMAN Malware Analysis}}, date = {2013-12-12}, institution = {Checkpoint}, url = {https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{checkpoint:20190204:speakup:9fa2718, author = {Checkpoint}, title = {{SpeakUp: A New Undetected Backdoor Linux Trojan}}, date = {2019-02-04}, organization = {Checkpoint}, url = {https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/}, language = {English}, urldate = {2019-07-11} } @online{checkpoint:20200721:how:5980135, author = {Checkpoint}, title = {{How scammers are hiding their phishing trips in public clouds}}, date = {2020-07-21}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2020/07/21/how-scammers-are-hiding-their-phishing-trips-in-public-clouds/}, language = {English}, urldate = {2020-07-30} } @online{checkpoint:20211020:check:8188213, author = {Checkpoint}, title = {{Check Point response to MysterySnail vulnerability}}, date = {2021-10-20}, organization = {Checkpoint}, url = {https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk175885}, language = {English}, urldate = {2023-11-27} } @online{checkpoint:20220510:infostealer:33aee4a, author = {Checkpoint}, title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}}, date = {2022-05-10}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/}, language = {English}, urldate = {2022-05-13} } @online{checkpoint:20230216:operation:9eb0b67, author = {Checkpoint and Check Point Research}, title = {{Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia}}, date = {2023-02-16}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/}, language = {English}, urldate = {2023-02-17} } @online{checkpoint:20240520:bad:1092171, author = {Checkpoint}, title = {{Bad Karma, No Justice: Void Manticore Destructive Activities in Israel}}, date = {2024-05-20}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/}, language = {English}, urldate = {2024-12-11} } @online{checkpoint:20240617:17th:f996632, author = {Checkpoint}, title = {{17th June – Threat Intelligence Report}}, date = {2024-06-17}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2024/17th-june-threat-intelligence-report/}, language = {English}, urldate = {2024-12-11} } @online{chee:20220404:uncommon:1b240dc, author = {Max Chee}, title = {{Uncommon office malware stagers}}, date = {2022-04-04}, organization = {Medium (csg-govtech)}, url = {https://medium.com/csg-govtech/uncommon-office-malware-stagers-dad49a8f2054}, language = {English}, urldate = {2022-04-07} } @online{chell:20220803:part:3f8002b, author = {Dominic Chell}, title = {{PART 3: How I Met Your Beacon – Brute Ratel}}, date = {2022-08-03}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/}, language = {English}, urldate = {2022-10-06} } @online{chelmo:20200911:two:e4f5286, author = {Brook Chelmo}, title = {{Two weeks with a Russian Ransomware Cell}}, date = {2020-09-11}, organization = {RSA Conference (YouTube)}, url = {https://youtu.be/Oqg20dF8tTA}, language = {English}, urldate = {2023-10-10} } @online{chen:20140602:sinowal:6d7af96, author = {Chao Chen}, title = {{Sinowal banking trojan}}, date = {2014-06-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan}, language = {English}, urldate = {2020-01-10} } @online{chen:20151217:slembunk:df100af, author = {Zhaofeng Chen and Jimmy Su and Wu Zhou and Jing Xie and Heqing Huang}, title = {{SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps}}, date = {2015-12-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html}, language = {English}, urldate = {2019-12-20} } @online{chen:20160314:massive:5f5a54a, author = {Joseph C. Chen}, title = {{Massive Malvertising Campaign in US Leads to Angler Exploit Kit/BEDEP}}, date = {2016-03-14}, organization = {Trend Micro}, url = {https://web.archive.org/web/20210527105724/https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-in-us-leads-to-angler-exploit-kitbedep/}, language = {English}, urldate = {2023-07-24} } @online{chen:20160622:after:aaa03f7, author = {Joseph C Chen}, title = {{After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity}}, date = {2016-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/}, language = {English}, urldate = {2019-10-12} } @online{chen:20161027:blackgear:00f52d4, author = {Joey Chen and MingYen Hsieh}, title = {{BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List}}, date = {2016-10-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/}, language = {English}, urldate = {2019-12-18} } @online{chen:20171107:redbaldknightbronze:63a08fe, author = {Joey Chen and MingYen Hsieh}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2020-01-09} } @online{chen:20180716:new:7ccd8b7, author = {Joseph C Chen}, title = {{New Andariel Reconnaissance Tactics Uncovered}}, date = {2018-07-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html}, language = {English}, urldate = {2023-08-28} } @online{chen:20180717:blackgear:69b5213, author = {Joey Chen}, title = {{Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication}}, date = {2018-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/}, language = {English}, urldate = {2020-01-13} } @online{chen:20180918:magecart:af83872, author = {Joseph C Chen}, title = {{Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites}}, date = {2018-09-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/}, language = {English}, urldate = {2020-01-08} } @online{chen:20190418:predator:5135f9f, author = {Yueh-Ting Chen and Evgeny Ananin}, title = {{Predator the Thief: New Routes of Delivery}}, date = {2019-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html}, language = {English}, urldate = {2019-12-17} } @online{chen:20190503:mirrorthief:05f07e5, author = {Joseph C Chen}, title = {{Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada}}, date = {2019-05-03}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/}, language = {English}, urldate = {2019-11-27} } @online{chen:20191009:fin6:11bb05d, author = {Joseph C. Chen}, title = {{FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops}}, date = {2019-10-09}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/}, language = {English}, urldate = {2020-02-25} } @techreport{chen:20191129:operation:16f5aaa, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE:TICK: 2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data}}, date = {2019-11-29}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf}, language = {English}, urldate = {2020-06-02} } @online{chen:20191129:operation:749d75d, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK}}, date = {2019-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/}, language = {English}, urldate = {2019-12-17} } @online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } @online{chen:20200512:tropic:8fff7a4, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments}}, date = {2020-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/}, language = {English}, urldate = {2020-05-14} } @techreport{chen:20200512:tropic:a3285d0, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)}}, date = {2020-05-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf}, language = {English}, urldate = {2020-05-14} } @online{chen:20200626:us:8bce65c, author = {Joseph C Chen}, title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}}, date = {2020-06-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/}, language = {English}, urldate = {2020-06-30} } @techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } @online{chen:20200806:water:e7860e3, author = {Marshall Chen and Loseway Lu and Yorkbing Yap and Fyodor Yarochkin}, title = {{Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts}}, date = {2020-08-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/}, language = {English}, urldate = {2020-08-13} } @online{chen:20200902:cybersquatting:b5f5a8f, author = {Zhanhao Chen and Janos Szurdi}, title = {{Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers}}, date = {2020-09-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cybersquatting/}, language = {English}, urldate = {2021-07-02} } @online{chen:20201109:closer:b1c72cf, author = {Jin Chen and Tao Yan and Taojie Wang and Yu Fu}, title = {{A Closer Look at the Web Skimmer}}, date = {2020-11-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/web-skimmer/}, language = {English}, urldate = {2020-11-11} } @online{chen:20201209:sidewinder:a454abd, author = {Joseph C Chen and Jaromír Hořejší and Ecular Xu}, title = {{SideWinder Leverages South Asian Territorial Issues for Spear Phishing and Mobile Device Attacks}}, date = {2020-12-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html}, language = {English}, urldate = {2020-12-10} } @online{chen:20210203:hildegard:f3ca3bc, author = {Jay Chen and Aviv Sasson and Ariel Zelivansky}, title = {{Hildegard: New TeamTNT Malware Targeting Kubernetes}}, date = {2021-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/}, language = {English}, urldate = {2021-02-04} } @online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } @online{chen:20211014:analyzing:ae5c6a4, author = {Marshall Chen and Loseway Lu and Paul Pajares and Fyodor Yarochkin}, title = {{Analyzing Email Services Abused for Business Email Compromise}}, date = {2021-10-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/j/analyzing-email-services-abused-for-business-email-compromise.html}, language = {English}, urldate = {2021-10-26} } @online{chen:20211229:strategically:0d2fa74, author = {Zhanhao Chen and Daiping Liu and Wanjin Li and Jielong Xu}, title = {{Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends}}, date = {2021-12-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/}, language = {English}, urldate = {2022-01-05} } @techreport{chen:20220117:delving:4cd2b1c, author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet}, title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}}, date = {2022-01-17}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf}, language = {English}, urldate = {2022-07-25} } @online{chen:20220502:moshen:1969df2, author = {Joey Chen and Amitai Ben Shushan Ehrlich}, title = {{Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad}}, date = {2022-05-02}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/}, language = {English}, urldate = {2022-05-04} } @online{chen:20220609:aoqin:134698f, author = {Joey Chen}, title = {{Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years}}, date = {2022-06-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/}, language = {English}, urldate = {2022-06-09} } @online{chen:20220916:zeroday:4a1fc29, author = {Jin Chen and Lei Xu and Andrew Guan and Zhibin Zhang and Yu Fu}, title = {{Zero-Day Exploit Detection Using Machine Learning}}, date = {2022-09-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/injection-detection-machine-learning/}, language = {English}, urldate = {2022-09-30} } @online{chen:20221003:water:bfdafca, author = {Joseph Chen and Jaromír Hořejší}, title = {{Water Labbu Abuses Malicious DApps to Steal Cryptocurrency}}, date = {2022-10-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html}, language = {English}, urldate = {2023-11-17} } @online{chen:20221012:wip19:672e865, author = {Joey Chen and Amitai Ben Shushan Ehrlich}, title = {{WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware}}, date = {2022-10-12}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/}, language = {English}, urldate = {2022-10-24} } @online{chen:20230217:earth:1066266, author = {Joseph C Chen and Jaromír Hořejší}, title = {{Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack}}, date = {2023-02-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html}, language = {English}, urldate = {2023-02-24} } @online{chen:20230918:earth:e01f24c, author = {Joseph Chen and Jaromír Hořejší}, title = {{Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement}}, date = {2023-09-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html}, language = {English}, urldate = {2023-09-18} } @online{chen:20240801:apt41:02a9feb, author = {Joey Chen and Ashley Shen and Vitor Ventura}, title = {{APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike}}, date = {2024-08-01}, organization = {Cisco}, url = {https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/}, language = {English}, urldate = {2025-02-03} } @online{chen:20240809:dive:70da90e, author = {Theo Chen and Ted Lee}, title = {{A Dive into Earth Baku’s Latest Campaign}}, date = {2024-08-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html}, language = {English}, urldate = {2024-10-21} } @online{chen:20240824:chinese:afec99d, author = {Greg Chen and Charles Li and Che Chang}, title = {{Chinese APT: A Master of Exploiting Edge Devices (Video)}}, date = {2024-08-24}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=PSaix1C-UMI}, language = {English}, urldate = {2025-01-27} } @online{chen:20240910:dragonrank:6990e5e, author = {Joey Chen}, title = {{DragonRank, a Chinese-speaking SEO manipulator service provider}}, date = {2024-09-10}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/dragon-rank-seo-poisoning/}, language = {English}, urldate = {2024-09-13} } @online{chen:20241114:new:a6eb9d4, author = {Joey Chen and Alex Karkins and Chetan Raghuprasad}, title = {{New PXA Stealer targets government and education sectors for sensitive information}}, date = {2024-11-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/new-pxa-stealer/}, language = {English}, urldate = {2025-07-07} } @online{chen:20241205:moonshine:ebbad81, author = {Joseph Chen and Daniel Lunghi}, title = {{MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks}}, date = {2024-12-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html}, language = {English}, urldate = {2025-01-15} } @online{chen:20250417:unmasking:9b3bc4f, author = {Joey Chen}, title = {{Unmasking the new XorDDoS controller and infrastructure}}, date = {2025-04-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and-infrastructure/}, language = {English}, urldate = {2025-04-28} } @online{chen:20250423:introducing:c27c53c, author = {Joey Chen and Asheer Malhotra and Ashley Shen and Vitor Ventura and Brandon White}, title = {{Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs}}, date = {2025-04-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/}, language = {English}, urldate = {2025-06-20} } @online{chen:20250527:earth:85300d9, author = {Joseph C Chen}, title = {{Earth Lamia Develops Custom Arsenal to Target Multiple Industries}}, date = {2025-05-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html}, language = {English}, urldate = {2025-06-03} } @online{cheng:20170421:china:8c7d327, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403}, language = {English}, urldate = {2020-08-17} } @online{cheng:20170421:china:ab10228, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==}, language = {English}, urldate = {2020-01-06} } @techreport{cherepanov:20130909:hesperbot:826195c, author = {Anton Cherepanov and Robert Lipovsky}, title = {{HESPERBOT A New, Advanced Banking Trojan in the Wild}}, date = {2013-09-09}, institution = {ESET Research}, url = {https://web-assets.esetstatic.com/wls/2013/09/Hesperbot_Whitepaper.pdf}, language = {English}, urldate = {2024-07-19} } @techreport{cherepanov:20141113:roaming:1b09324, author = {Anton Cherepanov}, title = {{Roaming tiger}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20150908:carbanak:c9457cd, author = {Anton Cherepanov}, title = {{Carbanak gang is back and packing new guns}}, date = {2015-09-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20160517:operation:e907b67, author = {Anton Cherepanov}, title = {{Operation Groundbait: Analysis of a surveillance toolkit}}, date = {2016-05-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf}, language = {English}, urldate = {2019-10-25} } @online{cherepanov:20160922:book:ec1383a, author = {Anton Cherepanov}, title = {{Book of Eli: African targeted attacks}}, date = {2016-09-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/}, language = {English}, urldate = {2022-02-14} } @online{cherepanov:20161213:rise:057c5f4, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks}, language = {English}, urldate = {2022-08-25} } @online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } @online{cherepanov:20170523:xdata:22024fb, author = {Anton Cherepanov}, title = {{XData ransomware making rounds amid global WannaCryptor scare}}, date = {2017-05-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare}, language = {English}, urldate = {2022-08-25} } @online{cherepanov:20170523:xdata:98a14a3, author = {Anton Cherepanov}, title = {{XData ransomware making rounds amid global WannaCryptor scare}}, date = {2017-05-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170630:telebots:7991503, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine}, language = {English}, urldate = {2022-08-25} } @online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } @techreport{cherepanov:20170703:blackenergy:2403feb, author = {Anton Cherepanov and Robert Lipovsky}, title = {{BlackEnergy – what we really know about the notorious cyber attacks}}, date = {2017-07-03}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf}, language = {English}, urldate = {2019-10-14} } @online{cherepanov:20170704:analysis:37c48b2, author = {Anton Cherepanov}, title = {{Analysis of TeleBots’ cunning backdoor}}, date = {2017-07-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20180709:certificates:ae214b6, author = {Anton Cherepanov}, title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}}, date = {2018-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181004:nomadic:f7cf6e3, author = {Anton Cherepanov}, title = {{Nomadic Octopus: cyber espionage in Central Asia}}, date = {2018-10-04}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2018/abstracts/nomadic-octopus-cyber-espionage-central-asia/}, language = {English}, urldate = {2023-12-04} } @online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181017:eset:c34687b, author = {Anton Cherepanov and Robert Lipovsky}, title = {{ESET unmasks ‘GREYENERGY’ cyber-espionage group}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.eset.com/int/greyenergy-exposed/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20181017:greyenergy:f328dbf, author = {Anton Cherepanov and Robert Lipovsky}, title = {{GreyEnergy: Updated arsenal of one of the most dangerous threat actors}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/}, language = {English}, urldate = {2020-01-07} } @techreport{cherepanov:20181018:greyenergy:9885d0c, author = {Anton Cherepanov}, title = {{GREYENERGY: A successor to BlackEnergy}}, date = {2018-10-18}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20190514:plead:3140588, author = {Anton Cherepanov}, title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}}, date = {2019-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20200910:who:2fdc6a6, author = {Anton Cherepanov}, title = {{Who is calling? CDRThief targets Linux VoIP softswitches}}, date = {2020-09-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/}, language = {English}, urldate = {2020-09-15} } @online{cherepanov:20201116:lazarus:6b90a77, author = {Anton Cherepanov and Peter Kálnai}, title = {{Lazarus supply‑chain attack in South Korea}}, date = {2020-11-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/}, language = {English}, urldate = {2020-11-18} } @online{chester:20170813:analysis:11db4f8, author = {Adam Chester}, title = {{Analysis of APT28 hospitality malware (Part 2)}}, date = {2017-08-13}, url = {https://blog.xpnsec.com/apt28-hospitality-malware-part-2/}, language = {English}, urldate = {2020-01-08} } @online{chester:20190510:exploring:758b4e8, author = {Adam Chester}, title = {{Exploring Mimikatz - Part 1 - WDigest}}, date = {2019-05-10}, organization = {XPN Blog}, url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/}, language = {English}, urldate = {2020-09-01} } @online{chester:20210128:tailoring:d3f973c, author = {Adam Chester}, title = {{Tailoring Cobalt Strike on Target}}, date = {2021-01-28}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/}, language = {English}, urldate = {2021-01-29} } @online{chhaparwal:20241010:lynx:0275a94, author = {Pranay Kumar Chhaparwal and Micah Yates and Benjamin Chang}, title = {{Lynx Ransomware: A Rebranding of INC Ransomware}}, date = {2024-10-10}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/}, language = {English}, urldate = {2025-02-06} } @online{chhaparwal:20250429:gremlin:ae26eb4, author = {Pranay Kumar Chhaparwal and Benjamin Chang}, title = {{Gremlin Stealer: New Stealer on Sale in Underground Forum}}, date = {2025-04-29}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/}, language = {English}, urldate = {2025-05-26} } @online{chiang:20070403:case:5dd68c2, author = {Ken Chiang and Levi Lloyd}, title = {{A Case Study of the Rustock Rootkit and Spam Bot}}, date = {2007-04-03}, organization = {USENIX}, url = {https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html}, language = {English}, urldate = {2019-12-17} } @online{chiaraviglio:20230518:zimperiums:c7583a2, author = {Nicolás Chiaraviglio}, title = {{Zimperium’s MTD Against OilAlpha: A Comprehensive Defense Strategy}}, date = {2023-05-18}, organization = {zimperium}, url = {https://www.zimperium.com/blog/zimperium-mtd-against-oilalpha-a-comprehensive-defense-strategy/}, language = {English}, urldate = {2023-12-04} } @techreport{chien:2011:nitro:76c8338, author = {Eric Chien and Gavin O'Gorman}, title = {{The Nitro Attacks}}, date = {2011}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-01-13} } @online{chierici:20211116:handson:38838d6, author = {Stefano Chierici}, title = {{Hands-On Muhstik Botnet: crypto-mining attacks targeting Kubernetes}}, date = {2021-11-16}, organization = {sysdig}, url = {https://sysdig.com/blog/muhstik-malware-botnet-analysis/}, language = {English}, urldate = {2021-11-25} } @online{chierzi:20211209:evolution:f5eb0ca, author = {Veronica Chierzi}, title = {{The Evolution of IoT Linux Malware Based on MITRE ATT&CK TTPs}}, date = {2021-12-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html}, language = {English}, urldate = {2022-01-05} } @online{chili:20180201:operation:305d726, author = {Ivona Alexandra Chili and Bogdan Botezatu}, title = {{Operation PZChao: a possible return of the Iron Tiger APT}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/}, language = {English}, urldate = {2020-01-05} } @online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } @online{chimino:20210623:ursnif:700b0a7, author = {Itzik Chimino}, title = {{Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy}}, date = {2021-06-23}, organization = {IBM}, url = {https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/}, language = {English}, urldate = {2021-06-24} } @online{chinnasamy:20220321:emotet:2d27f06, author = {Vinugayathri Chinnasamy}, title = {{Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware}}, date = {2022-03-21}, organization = {Info Security}, url = {https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/}, language = {English}, urldate = {2022-03-22} } @online{chirgwin:20180110:taiwanese:1ccf7ce, author = {Richard Chirgwin}, title = {{Taiwanese cops give malware-laden USB sticks as prizes for security quiz}}, date = {2018-01-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/}, language = {English}, urldate = {2020-01-09} } @online{chiscariu:20210518:darkside:a38ef87, author = {Radu Emanuel Chiscariu}, title = {{DarkSide Ransomware Behavior and Techniques}}, date = {2021-05-18}, organization = {KEYSIGHT TECHNOLOGIES}, url = {https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html}, language = {English}, urldate = {2021-09-20} } @online{chitwadgi:20210405:2020:cc3fe6d, author = {Ashutosh Chitwadgi and Ashkan Hosseini}, title = {{2020 Phishing Trends With PDF Files}}, date = {2021-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/phishing-trends-with-pdf-files/}, language = {English}, urldate = {2021-04-12} } @online{chiu:20160209:bedep:49a1511, author = {Alexander Chiu}, title = {{Bedep Lurking in Angler's Shadows}}, date = {2016-02-09}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/bedep-actor/}, language = {English}, urldate = {2023-03-23} } @online{chiu:20170331:threat:caa8838, author = {Alexander Chiu}, title = {{Threat Round-up for Mar 24 - Mar 31}}, date = {2017-03-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html}, language = {English}, urldate = {2021-01-25} } @online{chiu:20170621:player:b44064a, author = {Alex Chiu and Warren Mercer and Jaeson Schultz and Sean Baird and Matthew Molyett}, title = {{Player 1 Limps Back Into the Ring - Hello again, Locky!}}, date = {2017-06-21}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html}, language = {English}, urldate = {2019-12-17} } @online{chlumeck:20210616:dirtymoe:9e1065a, author = {Martin Chlumecký}, title = {{DirtyMoe: Introduction and General Overview of Modularized Malware}}, date = {2021-06-16}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-1/}, language = {English}, urldate = {2021-09-20} } @online{chlumeck:20210811:dirtymoe:4cb640e, author = {Martin Chlumecký}, title = {{DirtyMoe: Rootkit Driver}}, date = {2021-08-11}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/}, language = {English}, urldate = {2021-09-20} } @online{chlumeck:20210917:dirtymoe:d684802, author = {Martin Chlumecký}, title = {{DirtyMoe: Code Signing Certificate}}, date = {2021-09-17}, organization = {Avast}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-3/}, language = {English}, urldate = {2021-09-20} } @online{chlumeck:20211103:dirtymoe:93da365, author = {Martin Chlumecký}, title = {{DirtyMoe: Deployment}}, date = {2021-11-03}, organization = {Avast}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-4/}, language = {English}, urldate = {2021-11-08} } @online{chlumeck:20220316:dirtymoe:48e136e, author = {Martin Chlumecký}, title = {{DirtyMoe: Worming Modules}}, date = {2022-03-16}, organization = {Avast}, url = {https://decoded.avast.io/martinchlumecky/dirtymoe-5/}, language = {English}, urldate = {2022-03-17} } @online{chlumeck:20220906:prorussian:f4b99ca, author = {Martin Chlumecký}, title = {{Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks}}, date = {2022-09-06}, organization = {Avast}, url = {https://decoded.avast.io/martinchlumecky/bobik/}, language = {English}, urldate = {2022-09-07} } @online{chlumeck:20230418:ddosia:290d3e0, author = {Martin Chlumecký}, title = {{DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks}}, date = {2023-04-18}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/}, language = {English}, urldate = {2023-05-05} } @online{chohan:20180816:chinese:91aaa15, author = {Sanil Chohan and Winnona Desombre and Justin Grosfelt}, title = {{Chinese Cyberespionage Originating From Tsinghua University Infrastructure}}, date = {2018-08-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-cyberespionage-operations/}, language = {English}, urldate = {2020-01-09} } @online{choi:20240116:detailed:cc2418b, author = {Minyeop Choi}, title = {{Detailed Analysis of DarkGate; Investigating new top-trend backdoor malware}}, date = {2024-01-16}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606}, language = {English}, urldate = {2024-01-17} } @online{chokepoint:20170417:azazel:0fc47c6, author = {chokepoint}, title = {{Azazel}}, date = {2017-04-17}, organization = {Github (chokepoint)}, url = {https://github.com/chokepoint/azazel}, language = {English}, urldate = {2020-01-10} } @online{chole:20220401:scammers:df7f0da, author = {Vallabh Chole and Oliver Devane}, title = {{Scammers are Exploiting Ukraine Donations}}, date = {2022-04-01}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/}, language = {English}, urldate = {2022-04-07} } @online{chong:20120416:detailed:3f191a4, author = {Rong Hwa Chong}, title = {{Detailed Analysis Of Sykipot (Smartcard Proxy Variant)}}, date = {2012-04-16}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919}, language = {English}, urldate = {2020-01-07} } @online{chong:20130401:trojanaptbanechant:3b8eea7, author = {Rong Hwa Chong}, title = {{Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks}}, date = {2013-04-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html}, language = {English}, urldate = {2020-07-15} } @online{chong:20130618:trojanaptseinup:be546b7, author = {Rong Hwa Chong}, title = {{Trojan.APT.Seinup Hitting ASEAN}}, date = {2013-06-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html}, language = {English}, urldate = {2021-02-04} } @online{choukde:20250708:from:a918696, author = {Aniket Choukde and Aparna Aripirala and Alisha Kadam and Akhil Reddy and Pham Duy Phuc and Alex Lanstein}, title = {{From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities}}, date = {2025-07-08}, organization = {Trellix}, url = {https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/}, language = {English}, urldate = {2025-07-09} } @online{chris:20140501:hunting:bcefc84, author = {Chris}, title = {{Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis}}, date = {2014-05-01}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/hidden-lynx-analysis/}, language = {English}, urldate = {2020-01-07} } @online{chrisjd20:20170512:powershellwebbackdoor:ceb76d4, author = {chrisjd20}, title = {{powershell_web_backdoor}}, date = {2017-05-12}, organization = {Github (chrisjd20)}, url = {https://github.com/chrisjd20/powershell_web_backdoor}, language = {English}, urldate = {2020-01-06} } @online{christian:20210302:rapid7s:b676aa4, author = {Andrew Christian}, title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}}, date = {2021-03-02}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day}, language = {English}, urldate = {2021-03-10} } @online{chronicle:20221103:gcti:dc42ba8, author = {Chronicle}, title = {{GCTI Open Source Detection Signatures}}, date = {2022-11-03}, organization = {Github (chronicle)}, url = {https://github.com/chronicle/GCTI}, language = {English}, urldate = {2022-11-25} } @online{chrysaidos:20151104:droidjack:d4ab0f5, author = {Nikolaos Chrysaidos}, title = {{DroidJack isn’t the only spying software out there: Avast discovers OmniRat}}, date = {2015-11-04}, organization = {Avast}, url = {https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co}, language = {English}, urldate = {2019-12-10} } @online{chrysaidos:20171220:new:6ebc559, author = {Nikolaos Chrysaidos}, title = {{New version of mobile malware Catelites possibly linked to Cron cyber gang}}, date = {2017-12-20}, organization = {Avast}, url = {https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang}, language = {English}, urldate = {2020-01-07} } @online{chu:20250505:negotiations:f5f13e9, author = {Security Chu}, title = {{Negotiations with the Akira ransomware group: an ill-advised approach}}, date = {2025-05-05}, organization = {Security Chu}, url = {https://www.security-chu.com/2025/05/entidades-negociando-con-el-grupo-akira-ransomware.html}, language = {English}, urldate = {2025-05-12} } @online{chua:20220823:emotet:8e4522c, author = {Eugene Chua and Paul Jennings and Hanah Darley}, title = {{Emotet Resurgence: Cross-Industry Campaign Analysis}}, date = {2022-08-23}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis}, language = {English}, urldate = {2022-08-30} } @techreport{chuang:20240125:unveiling:05feb41, author = {Yi-Chin Chuang and Yu-Tung Chang}, title = {{Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide}}, date = {2024-01-25}, institution = {JSAC 2024}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_8_yi-chin_yu-tung_en.pdf}, language = {English}, urldate = {2024-01-31} } @online{chuangyu:20211222:tracking:5b23633, author = {Know Chuangyu}, title = {{APT Tracking Analytics: Transparent Tribe Attack Activity}}, date = {2021-12-22}, organization = {Know Chuangyu}, url = {https://www.4hou.com/posts/vLzM}, language = {English}, urldate = {2021-12-23} } @online{chuangyu:20220815:analysis:95970a9, author = {Know Chuangyu}, title = {{Analysis of the characteristics of new activities organized by Patchwork APT in South Asia}}, date = {2022-08-15}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/egG0nORZFvo_rCY_zmTgVQ}, language = {Chinese}, urldate = {2022-08-18} } @online{chum1ng0:20250508:negotiations:1f5608c, author = {@chum1ng0 and Dissent}, title = {{Negotiations with the Akira ransomware group: an ill-advised approach}}, date = {2025-05-08}, organization = {DataBreaches.net}, url = {https://databreaches.net/2025/05/05/negotiations-with-the-akira-ransomware-group-an-ill-advised-approach/}, language = {English}, urldate = {2025-05-21} } @online{chumley:20140529:iranian:38c457f, author = {Cheryl K. Chumley}, title = {{Iranian hackers sucker punch U.S. defense officials with creative social-media scam}}, date = {2014-05-29}, organization = {The Washington Times}, url = {https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/}, language = {English}, urldate = {2020-01-06} } @online{chung:20210915:phishing:15f054e, author = {Anna Chung and Swetha Balla}, title = {{Phishing Eager Travelers}}, date = {2021-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/travel-themed-phishing/}, language = {English}, urldate = {2021-09-19} } @online{chung:20230606:itg10:83811e5, author = {Joshua Chung and Melissa Frydrych and Claire Zaboeva and Agnes Ramos-Beauchamp}, title = {{ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)}}, date = {2023-06-06}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/}, language = {English}, urldate = {2023-06-09} } @online{cibernetica:20240215:backmydata:a62ae7d, author = {Directoratul National de Securitate Cibernetica}, title = {{Backmydata Ransomware}}, date = {2024-02-15}, organization = {DNSC}, url = {https://www.dnsc.ro/vezi/document/alert-backmydata-ransomware-eng-pdf}, language = {English}, urldate = {2024-02-21} } @online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} } @online{cid:20140318:windigo:7fd6adb, author = {Daniel B. Cid}, title = {{Windigo Linux Analysis – Ebury and Cdorked}}, date = {2014-03-18}, url = {https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html}, language = {English}, urldate = {2019-12-18} } @online{cieslak:20221221:malicious:e95b69a, author = {Wojciech Cieslak}, title = {{Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT}}, date = {2022-12-21}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat/}, language = {English}, urldate = {2023-01-05} } @online{cimpanu:20160112:trochilus:2b0bc1c, author = {Catalin Cimpanu}, title = {{Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia}}, date = {2016-01-12}, organization = {Softpedia News}, url = {https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20160309:korean:06f01a0, author = {Catalin Cimpanu}, title = {{Korean Energy and Transportation Targets Attacked by OnionDog APT}}, date = {2016-03-09}, organization = {SOFTPEDIA® NEWS}, url = {http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20160911:free:c125edd, author = {Catalin Cimpanu}, title = {{Free Darktrack RAT Has the Potential of Being the Best RAT on the Market Search}}, date = {2016-09-11}, organization = {Softpedia News}, url = {http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20161209:new:97f5c14, author = {Catalin Cimpanu}, title = {{New Exo Android Trojan Sold on Hacking Forums, Dark Web}}, date = {2016-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/}, language = {English}, urldate = {2022-06-09} } @online{cimpanu:20161209:proof:25c0bdd, author = {Catalin Cimpanu}, title = {{"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families}}, date = {2016-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170104:firecrypt:5b965cd, author = {Catalin Cimpanu}, title = {{FireCrypt Ransomware Comes With a DDoS Component}}, date = {2017-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170117:new:3c28f96, author = {Catalin Cimpanu}, title = {{New GhostAdmin Malware Used for Data Theft and Exfiltration}}, date = {2017-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170206:polish:577f33c, author = {Catalin Cimpanu}, title = {{Polish Banks Infected with Malware Hosted on Their Own Government's Site}}, date = {2017-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170410:longhorn:97fddcb, author = {Catalin Cimpanu}, title = {{Longhorn Cyber-Espionage Group Is Actually the CIA}}, date = {2017-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170421:brickerbot:658d8b8, author = {Catalin Cimpanu}, title = {{BrickerBot Author Claims He Bricked Two Million Devices}}, date = {2017-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170622:locky:4a088f0, author = {Catalin Cimpanu}, title = {{Locky Ransomware Returns, but Targets Only Windows XP & Vista}}, date = {2017-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170629:ransomware:d2d7b40, author = {Catalin Cimpanu}, title = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}}, date = {2017-06-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170826:us:0d7249a, author = {Catalin Cimpanu}, title = {{US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks}}, date = {2017-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171101:cryptoshuffler:64a3db4, author = {Catalin Cimpanu}, title = {{CryptoShuffler Stole $150,000 by Replacing Bitcoin Wallet IDs in PC Clipboards}}, date = {2017-11-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171109:ordinypt:cc9c071, author = {Catalin Cimpanu}, title = {{Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany}}, date = {2017-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171124:mirai:ea4773e, author = {Catalin Cimpanu}, title = {{Mirai Activity Picks up Once More After Publication of PoC Exploit Code}}, date = {2017-11-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171211:brickerbot:52db283, author = {Catalin Cimpanu}, title = {{BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices}}, date = {2017-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171212:moneytaker:b5f4fbb, author = {Catalin Cimpanu}, title = {{MoneyTaker Hacker Group Steals Millions from US and Russian Banks}}, date = {2017-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180117:exobot:cde3b02, author = {Catalin Cimpanu}, title = {{Exobot Author Calls It Quits and Sells Off Banking Trojan Source Code}}, date = {2018-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/}, language = {English}, urldate = {2022-06-09} } @online{cimpanu:20180124:new:90c5883, author = {Catalin Cimpanu}, title = {{New HNS IoT Botnet Has Already Amassed 14K Bots}}, date = {2018-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180226:nanocore:4659d30, author = {Catalin Cimpanu}, title = {{Nanocore RAT Author Gets 33 Months in Prison}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180418:stresspaint:640ad68, author = {Catalin Cimpanu}, title = {{Stresspaint Malware Steals Facebook Credentials and Session Cookies}}, date = {2018-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180427:north:b7ed973, author = {Catalin Cimpanu}, title = {{North Korean Hackers Are up to No Good Again}}, date = {2018-04-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180508:hide:5ab3dfd, author = {Catalin Cimpanu}, title = {{"Hide and Seek" Becomes First IoT Botnet Capable of Surviving Device Reboots}}, date = {2018-05-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:chinese:e0be0ab, author = {Catalin Cimpanu}, title = {{Chinese Cyber-Espionage Group Hacked Government Data Center}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180706:hns:c7115f1, author = {Catalin Cimpanu}, title = {{HNS Evolves From IoT to Cross-Platform Botnet}}, date = {2018-07-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180719:router:38a2d38, author = {Catalin Cimpanu}, title = {{Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day}}, date = {2018-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180723:source:1e0f06d, author = {Catalin Cimpanu}, title = {{Source Code for Exobot Android Banking Trojan Leaked Online}}, date = {2018-07-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/}, language = {English}, urldate = {2022-06-09} } @online{cimpanu:20180728:new:b35a74a, author = {Catalin Cimpanu}, title = {{New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners}}, date = {2018-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180821:microsoft:bc5c2f0, author = {Catalin Cimpanu}, title = {{Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections}}, date = {2018-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180823:lazarus:e929232, author = {Catalin Cimpanu}, title = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}}, date = {2018-08-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180824:iranian:04296ee, author = {Catalin Cimpanu}, title = {{Iranian Hackers Charged in March Are Still Actively Phishing Universities}}, date = {2018-08-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180905:new:c1c9e19, author = {Catalin Cimpanu}, title = {{New Silence hacking group suspected of having ties to cyber-security industry}}, date = {2018-09-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/}, language = {English}, urldate = {2019-12-19} } @online{cimpanu:20190116:north:8f56bd0, author = {Catalin Cimpanu}, title = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}}, date = {2019-01-16}, organization = {ZDNet}, url = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190214:127:78132dd, author = {Catalin Cimpanu}, title = {{127 million user records from 8 companies put up for sale on the dark web}}, date = {2019-02-14}, organization = {ZDNet}, url = {https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20190217:hacker:19fe800, author = {Catalin Cimpanu}, title = {{Hacker puts up for sale third round of hacked databases on the Dark Web}}, date = {2019-02-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190317:round:53521b8, author = {Catalin Cimpanu}, title = {{Round 4: Hacker returns and puts 26Mil user records for sale on the Dark Web}}, date = {2019-03-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-15} } @online{cimpanu:20190409:cybercrime:7fd4c7e, author = {Catalin Cimpanu}, title = {{Cybercrime market selling full digital fingerprints of over 60,000 users}}, date = {2019-04-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/cybercrime-market-selling-full-digital-fingerprints-of-over-60000-users/}, language = {English}, urldate = {2021-05-08} } @online{cimpanu:20190415:hacker:4b851e8, author = {Catalin Cimpanu}, title = {{A hacker has dumped nearly one billion user records over the past two months}}, date = {2019-04-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/}, language = {English}, urldate = {2020-01-05} } @online{cimpanu:20190419:security:683479e, author = {Catalin Cimpanu}, title = {{Security researcher MalwareTech pleads guilty}}, date = {2019-04-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20190509:new:f8a3f46, author = {Catalin Cimpanu}, title = {{New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web}}, date = {2019-05-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/}, language = {English}, urldate = {2020-01-09} } @online{cimpanu:20191010:new:3f09021, author = {Catalin Cimpanu}, title = {{New espionage malware found targeting Russian-speaking users in Eastern Europe}}, date = {2019-10-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/}, language = {English}, urldate = {2020-01-06} } @online{cimpanu:20191120:new:f9c81de, author = {Catalin Cimpanu}, title = {{New Roboto botnet emerges targeting Linux servers running Webmin}}, date = {2019-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20191123:extensive:4db6fce, author = {Catalin Cimpanu}, title = {{Extensive hacking operation discovered in Kazakhstan}}, date = {2019-11-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/}, language = {English}, urldate = {2020-01-08} } @online{cimpanu:20200108:naive:31da98b, author = {Catalin Cimpanu}, title = {{Naive IoT botnet wastes its time mining cryptocurrency}}, date = {2020-01-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20200123:someone:fb903da, author = {Catalin Cimpanu}, title = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}}, date = {2020-01-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/}, language = {English}, urldate = {2020-01-27} } @online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } @online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } @online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } @online{cimpanu:20200229:meet:b1d7dbd, author = {Catalin Cimpanu}, title = {{Meet the white-hat group fighting Emotet, the world's most dangerous malware}}, date = {2020-02-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/}, language = {English}, urldate = {2020-03-02} } @online{cimpanu:20200319:france:9882b07, author = {Catalin Cimpanu}, title = {{France warns of new ransomware gang targeting local governments}}, date = {2020-03-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/}, language = {English}, urldate = {2020-03-26} } @online{cimpanu:20200327:booz:90c4f8d, author = {Catalin Cimpanu}, title = {{Booz Allen analyzed 200+ Russian hacking operations to better understand their tactics}}, date = {2020-03-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/booz-allen-analyzed-200-russian-hacking-operations-to-better-understand-their-tactics/}, language = {English}, urldate = {2020-03-27} } @online{cimpanu:20200331:fbi:91630df, author = {Catalin Cimpanu}, title = {{FBI re-sends alert about supply chain attacks for the third time in three months}}, date = {2020-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/}, language = {English}, urldate = {2020-04-07} } @online{cimpanu:20200427:shade:4d47bf1, author = {Catalin Cimpanu}, title = {{Shade (Troldesh) ransomware shuts down and releases decryption keys}}, date = {2020-04-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/}, language = {English}, urldate = {2020-04-28} } @online{cimpanu:20200518:fbi:54e14c9, author = {Catalin Cimpanu}, title = {{FBI: ProLock ransomware gains access to victim networks via Qakbot infections}}, date = {2020-05-18}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/}, language = {English}, urldate = {2020-05-18} } @online{cimpanu:20200531:russian:2bdcc02, author = {Catalin Cimpanu}, title = {{Russian hacker Pavel Sitnikov arrested for sharing malware source code}}, date = {2020-05-31}, organization = {The Record}, url = {https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/}, language = {English}, urldate = {2021-06-09} } @online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200603:ransomware:116ecb8, author = {Catalin Cimpanu}, title = {{Ransomware gang says it breached one of NASA's IT contractors}}, date = {2020-06-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200615:web:a10a55d, author = {Catalin Cimpanu}, title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}}, date = {2020-06-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/}, language = {English}, urldate = {2020-06-16} } @online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } @online{cimpanu:20200729:kaspersky:d874677, author = {Catalin Cimpanu}, title = {{Kaspersky: New hacker-for-hire mercenary group is targeting European law firms}}, date = {2020-07-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/kaspersky-new-hacker-for-hire-mercenary-group-is-targeting-european-law-firms/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200804:ransomware:e0320ee, author = {Catalin Cimpanu}, title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}}, date = {2020-08-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200810:fbi:10c4512, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } @online{cimpanu:20200901:iranian:5f8dd6c, author = {Catalin Cimpanu}, title = {{Iranian hackers are selling access to compromised companies on an underground forum}}, date = {2020-09-01}, organization = {ZDNet}, url = {https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20201008:german:7b88550, author = {Catalin Cimpanu}, title = {{German tech giant Software AG down after ransomware attack}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/}, language = {English}, urldate = {2020-10-12} } @online{cimpanu:20201015:ubisoft:51fe666, author = {Catalin Cimpanu}, title = {{Ubisoft, Crytek data posted on ransomware gang's site}}, date = {2020-10-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/}, language = {English}, urldate = {2020-10-21} } @online{cimpanu:20201022:eu:ed3c7a4, author = {Catalin Cimpanu}, title = {{EU sanctions Russia over 2015 German Parliament hack}}, date = {2020-10-22}, organization = {ZDNet}, url = {https://www.zdnet.com/article/eu-sanctions-russia-over-2015-german-parliament-hack/}, language = {English}, urldate = {2020-10-26} } @online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } @online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } @online{cimpanu:20201205:ransomware:49c8fff, author = {Catalin Cimpanu}, title = {{Ransomware hits helicopter maker Kopter}}, date = {2020-12-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/}, language = {English}, urldate = {2020-12-08} } @online{cimpanu:20201208:norway:86ae7a1, author = {Catalin Cimpanu}, title = {{Norway says Russian hacking group APT28 is behind August 2020 Parliament hack}}, date = {2020-12-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/}, language = {English}, urldate = {2020-12-08} } @online{cimpanu:20201217:microsoft:e52b204, author = {Catalin Cimpanu}, title = {{Microsoft confirms it was also breached in recent SolarWinds supply chain hack}}, date = {2020-12-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/}, language = {English}, urldate = {2020-12-18} } @online{cimpanu:20210107:londons:3d62f93, author = {Catalin Cimpanu}, title = {{Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware}}, date = {2021-01-07}, organization = {Twitter (@campuscodi)}, url = {https://twitter.com/campuscodi/status/1347223969984897026}, language = {English}, urldate = {2021-01-11} } @online{cimpanu:20210301:first:6ded68e, author = {Catalin Cimpanu}, title = {{First Fully Weaponized Spectre Exploit Discovered Online}}, date = {2021-03-01}, organization = {The Record}, url = {https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/}, language = {English}, urldate = {2021-03-04} } @online{cimpanu:20210308:flubot:306fd8b, author = {Catalin Cimpanu}, title = {{FluBot Malware Gang Arrested in Barcelona}}, date = {2021-03-08}, organization = {The Record}, url = {https://therecord.media/flubot-malware-gang-arrested-in-barcelona/}, language = {English}, urldate = {2021-06-29} } @online{cimpanu:20210316:frances:5c4b6c2, author = {Catalin Cimpanu}, title = {{France’s lead cybercrime investigator on the Egregor arrests, cybercrime}}, date = {2021-03-16}, organization = {The Record}, url = {https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/}, language = {English}, urldate = {2021-03-22} } @online{cimpanu:20210317:missed:c4716fc, author = {Catalin Cimpanu}, title = {{Missed opportunity: Bug in LockBit ransomware allowed free decryptions}}, date = {2021-03-17}, organization = {The Record}, url = {https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/}, language = {English}, urldate = {2021-03-19} } @online{cimpanu:20210329:redecho:30b16b4, author = {Catalin Cimpanu}, title = {{RedEcho group parks domains after public exposure}}, date = {2021-03-29}, organization = {The Record}, url = {https://therecord.media/redecho-group-parks-domains-after-public-exposure/}, language = {English}, urldate = {2021-03-31} } @online{cimpanu:20210413:sweden:842ab60, author = {Catalin Cimpanu}, title = {{Sweden drops Russian hacking investigation due to legal complications}}, date = {2021-04-13}, organization = {The Record}, url = {https://therecord.media/sweden-drops-russian-hacking-investigation-due-to-legal-complications/}, language = {English}, urldate = {2021-04-14} } @online{cimpanu:20210422:nightmare:ae2d421, author = {Catalin Cimpanu}, title = {{Nightmare week for security vendors: Now a Trend Micro bug is being exploited in the wild}}, date = {2021-04-22}, organization = {The Record}, url = {https://therecord.media/nightmare-week-for-security-vendors-now-a-trend-micro-bug-is-being-exploited-in-the-wild/}, language = {English}, urldate = {2021-04-29} } @online{cimpanu:20210422:ransomware:1186cfb, author = {Catalin Cimpanu}, title = {{Ransomware gang wants to short the stock price of their victims}}, date = {2021-04-22}, organization = {The Record}, url = {https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/}, language = {English}, urldate = {2021-04-28} } @online{cimpanu:20210425:hacking:4472d82, author = {Catalin Cimpanu}, title = {{Hacking campaign targets FileZen file-sharing network appliances}}, date = {2021-04-25}, organization = {The Record}, url = {https://therecord.media/hacking-campaign-targets-filezen-file-sharing-network-appliances/}, language = {English}, urldate = {2021-04-29} } @online{cimpanu:20210426:despite:4069a05, author = {Catalin Cimpanu}, title = {{Despite arrests in Spain, FluBot operations explode across Europe and Japan}}, date = {2021-04-26}, organization = {The Record}, url = {https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/}, language = {English}, urldate = {2021-06-29} } @online{cimpanu:20210429:qnap:d3abf58, author = {Catalin Cimpanu}, title = {{QNAP warns of AgeLocker ransomware attacks against NAS devices}}, date = {2021-04-29}, organization = {The Record}, url = {https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/}, language = {English}, urldate = {2021-05-03} } @online{cimpanu:20210430:cybercrime:1bc5f68, author = {Catalin Cimpanu}, title = {{Cybercrime Featured DarkPath scam group loses 134 domains impersonating the WHO}}, date = {2021-04-30}, organization = {The Record}, url = {https://therecord.media/darkpath-scam-group-loses-134-domains-impersonating-the-who/}, language = {English}, urldate = {2021-05-03} } @online{cimpanu:20210502:doj:9d42ffb, author = {Catalin Cimpanu}, title = {{DOJ hiring new liaison prosecutor to hunt cybercriminals in Eastern Europe}}, date = {2021-05-02}, organization = {The Record}, url = {https://therecord.media/doj-hiring-new-liaison-prosecutor-to-hunt-cybercriminals-in-eastern-europe/}, language = {English}, urldate = {2021-05-03} } @online{cimpanu:20210505:malware:27b4343, author = {Catalin Cimpanu}, title = {{Malware group leaks millions of stolen authentication cookies}}, date = {2021-05-05}, organization = {The Record}, url = {https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/}, language = {English}, urldate = {2021-05-07} } @online{cimpanu:20210508:solarwinds:501c002, author = {Catalin Cimpanu}, title = {{SolarWinds says fewer than 100 customers were impacted by supply chain attack}}, date = {2021-05-08}, organization = {The Record}, url = {https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack}, language = {English}, urldate = {2021-05-11} } @online{cimpanu:20210511:15:317b47d, author = {Catalin Cimpanu}, title = {{15% of 2020 ransomware payments carried a sanctions violations risk}}, date = {2021-05-11}, organization = {The Record}, url = {https://therecord.media/15-of-2020-ransomware-payments-carried-a-sanctions-violations-risk/}, language = {English}, urldate = {2021-05-13} } @online{cimpanu:20210511:osiris:c21f10f, author = {Catalin Cimpanu}, title = {{Osiris banking trojan shuts down as new Ares variant emerges}}, date = {2021-05-11}, organization = {The Record}, url = {https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/}, language = {English}, urldate = {2021-05-13} } @online{cimpanu:20210512:agents:975c354, author = {Catalin Cimpanu}, title = {{Agents raid home of Kansas man seeking info on botnet that infected DOD network}}, date = {2021-05-12}, organization = {The Record}, url = {https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/}, language = {English}, urldate = {2021-05-13} } @online{cimpanu:20210513:popular:278e039, author = {Catalin Cimpanu}, title = {{Popular hacking forum bans ransomware ads}}, date = {2021-05-13}, organization = {The Record}, url = {https://therecord.media/popular-hacking-forum-bans-ransomware-ads/}, language = {English}, urldate = {2021-05-17} } @online{cimpanu:20210514:darkside:2760169, author = {Catalin Cimpanu}, title = {{Darkside ransomware gang says it lost control of its servers & money a day after Biden threat}}, date = {2021-05-14}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/}, language = {English}, urldate = {2021-05-17} } @online{cimpanu:20210517:three:afe4f03, author = {Catalin Cimpanu}, title = {{Three major hacking forums ban ransomware ads as some ransomware gangs shut down}}, date = {2021-05-17}, organization = {The Record}, url = {https://therecord.media/three-major-hacking-forums-ban-ransomware-ads-as-some-ransomware-gangs-shut-down/}, language = {English}, urldate = {2021-05-19} } @online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } @online{cimpanu:20210521:fsb:5c2ad05, author = {Catalin Cimpanu}, title = {{FSB NKTsKI: Foreign ‘cyber mercenaries’ breached Russian federal agencies}}, date = {2021-05-21}, organization = {The Record}, url = {https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210602:two:5237d2e, author = {Catalin Cimpanu}, title = {{Two Carbanak hackers sentenced to eight years in prison in Kazakhstan}}, date = {2021-06-02}, organization = {The Record}, url = {https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210604:epsilonred:62073f1, author = {Catalin Cimpanu}, title = {{EpsilonRed ransomware group hits one of India’s financial software powerhouses}}, date = {2021-06-04}, organization = {The Record}, url = {https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/}, language = {English}, urldate = {2021-06-06} } @online{cimpanu:20210604:us:20a6d26, author = {Catalin Cimpanu}, title = {{US arrests Latvian woman who worked on Trickbot malware source code}}, date = {2021-06-04}, organization = {The Record}, url = {https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210608:microsoft:551f598, author = {Catalin Cimpanu}, title = {{Microsoft patches six Windows zero-days, including a commercial exploit}}, date = {2021-06-08}, organization = {The Record}, url = {https://therecord.media/microsoft-patches-six-windows-zero-days-including-a-commercial-exploit/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210609:russian:6ad9a91, author = {Catalin Cimpanu}, title = {{Russian hackers breached Dutch police systems in 2017}}, date = {2021-06-09}, organization = {The Record}, url = {https://therecord.media/russian-hackers-breached-dutch-police-systems-in-2017/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210611:cybercrime:dba57e7, author = {Catalin Cimpanu}, title = {{Cybercrime Featured Avaddon ransomware operation shuts down and releases decryption keys}}, date = {2021-06-11}, organization = {The Record}, url = {https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210614:apple:45d6879, author = {Catalin Cimpanu}, title = {{Apple patches two iOS zero-days in old-gen devices}}, date = {2021-06-14}, organization = {The Record}, url = {https://therecord.media/apple-patches-two-ios-zero-days-in-old-gen-devices/}, language = {English}, urldate = {2021-06-16} } @online{cimpanu:20210614:g7:3b92056, author = {Catalin Cimpanu}, title = {{G7 calls on Russia to crack down on ransomware gangs}}, date = {2021-06-14}, organization = {The Record}, url = {https://therecord.media/g7-calls-on-russia-to-crack-down-on-ransomware-gangs/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210615:source:59336b0, author = {Catalin Cimpanu}, title = {{Source code for Paradise ransomware leaked on hacking forums}}, date = {2021-06-15}, organization = {The Record}, url = {https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210616:ukrainian:141533c, author = {Catalin Cimpanu}, title = {{Ukrainian police arrest Clop ransomware members, seize server infrastructure}}, date = {2021-06-16}, organization = {The Record}, url = {https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/}, language = {English}, urldate = {2021-06-21} } @online{cimpanu:20210627:builder:40a8c38, author = {Catalin Cimpanu}, title = {{Builder for Babuk Locker ransomware leaked online}}, date = {2021-06-27}, organization = {The Record}, url = {https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/}, language = {English}, urldate = {2021-06-29} } @online{cimpanu:20210629:free:228fc3b, author = {Catalin Cimpanu}, title = {{Free decrypter available for Lorenz ransomware}}, date = {2021-06-29}, organization = {The Record}, url = {https://therecord.media/free-decrypter-available-for-lorenz-ransomware/}, language = {English}, urldate = {2021-06-30} } @online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} } @online{cimpanu:20210701:mongolian:1fd57de, author = {Catalin Cimpanu}, title = {{Mongolian certificate authority hacked eight times, compromised with malware}}, date = {2021-07-01}, organization = {The Record}, url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/}, language = {English}, urldate = {2021-07-02} } @online{cimpanu:20210702:revil:7283386, author = {Catalin Cimpanu}, title = {{REvil ransomware gang executes supply chain attack via malicious Kaseya update}}, date = {2021-07-02}, organization = {The Record}, url = {https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/}, language = {English}, urldate = {2021-07-05} } @online{cimpanu:20210702:trickbot:7d2b9f7, author = {Catalin Cimpanu}, title = {{TrickBot: New attacks see the botnet deploy new banking module, new ransomware}}, date = {2021-07-02}, organization = {The Record}, url = {https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/}, language = {English}, urldate = {2021-07-05} } @online{cimpanu:20210706:moroccan:66d1784, author = {Catalin Cimpanu}, title = {{Moroccan hacker Dr HeX arrested for phishing attacks, malware distribution}}, date = {2021-07-06}, organization = {The Record}, url = {https://therecord.media/moroccan-hacker-dr-hex-arrested-for-phishing-attacks-malware-distribution/}, language = {English}, urldate = {2021-07-11} } @online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } @online{cimpanu:20210712:over:c88e351, author = {Catalin Cimpanu}, title = {{Over 780,000 email accounts compromised by Emotet have been secured}}, date = {2021-07-12}, organization = {The Record}, url = {https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/}, language = {English}, urldate = {2021-07-20} } @online{cimpanu:20210714:spain:447c00d, author = {Catalin Cimpanu}, title = {{Spain arrests 16 for working with the Mekotio and Grandoreiro malware gangs}}, date = {2021-07-14}, organization = {The Record}, url = {https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/}, language = {English}, urldate = {2021-07-20} } @online{cimpanu:20210722:wiper:08d9833, author = {Catalin Cimpanu}, title = {{Wiper malware targeting Japanese PCs discovered ahead of Tokyo Olympics opening}}, date = {2021-07-22}, organization = {The Record}, url = {https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/}, language = {English}, urldate = {2021-08-20} } @online{cimpanu:20210727:blackmatter:4934eef, author = {Catalin Cimpanu}, title = {{BlackMatter ransomware targets companies with revenue of $100 million and more}}, date = {2021-07-27}, organization = {The Record}, url = {https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/}, language = {English}, urldate = {2021-07-29} } @online{cimpanu:20210801:decryptor:5f67ec8, author = {Catalin Cimpanu}, title = {{Decryptor released for Prometheus ransomware victims}}, date = {2021-08-01}, organization = {The Record}, url = {https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/}, language = {English}, urldate = {2021-08-06} } @online{cimpanu:20210803:lemonduck:d6e7c42, author = {Catalin Cimpanu}, title = {{LemonDuck botnet evolves to allow hands-on-keyboard intrusions}}, date = {2021-08-03}, organization = {The Record}, url = {https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/}, language = {English}, urldate = {2022-02-16} } @online{cimpanu:20210805:disgruntled:4a7c7d7, author = {Catalin Cimpanu}, title = {{Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/}, language = {English}, urldate = {2021-08-06} } @online{cimpanu:20210805:meet:bce8310, author = {Catalin Cimpanu}, title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/}, language = {English}, urldate = {2021-08-06} } @online{cimpanu:20210806:australian:8543b09, author = {Catalin Cimpanu}, title = {{Australian cybersecurity agency warns of spike in LockBit ransomware attacks}}, date = {2021-08-06}, organization = {The Record}, url = {https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/}, language = {English}, urldate = {2021-08-09} } @online{cimpanu:20210812:printnightmare:026bc57, author = {Catalin Cimpanu}, title = {{PrintNightmare vulnerability weaponized by Magniber ransomware gang}}, date = {2021-08-12}, organization = {The Record}, url = {https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/}, language = {English}, urldate = {2021-08-16} } @online{cimpanu:20210812:synack:c4109da, author = {Catalin Cimpanu}, title = {{SynAck ransomware gang releases decryption keys for old victims}}, date = {2021-08-12}, organization = {The Record}, url = {https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/}, language = {English}, urldate = {2021-08-15} } @online{cimpanu:20210827:phorpiex:8cf60a5, author = {Catalin Cimpanu}, title = {{Phorpiex botnet shuts down, source code goes up for sale}}, date = {2021-08-27}, organization = {The Record}, url = {https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/}, language = {English}, urldate = {2021-08-31} } @online{cimpanu:20210901:confluence:75c7c2e, author = {Catalin Cimpanu}, title = {{Confluence enterprise servers targeted with recent vulnerability}}, date = {2021-09-01}, organization = {The Record}, url = {https://therecord.media/confluence-enterprise-servers-targeted-with-recent-vulnerability/}, language = {English}, urldate = {2021-09-06} } @online{cimpanu:20210910:indonesian:fc06998, author = {Catalin Cimpanu}, title = {{Indonesian intelligence agency compromised in suspected Chinese hack}}, date = {2021-09-10}, organization = {The Record}, url = {https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/}, language = {English}, urldate = {2021-09-12} } @online{cimpanu:20210919:alaska:5238129, author = {Catalin Cimpanu}, title = {{Alaska discloses ‘sophisticated’ nation-state cyberattack on health service}}, date = {2021-09-19}, organization = {The Record}, url = {https://therecord.media/alaska-discloses-sophisticated-nation-state-cyberattack-on-health-service/}, language = {English}, urldate = {2021-09-22} } @online{cimpanu:20210929:turkish:2ac5599, author = {Catalin Cimpanu}, title = {{Turkish national charged for DDoS attacks with the WireX botnet}}, date = {2021-09-29}, organization = {The Record}, url = {https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/}, language = {English}, urldate = {2021-10-13} } @online{cimpanu:20211007:google:653f25d, author = {Catalin Cimpanu}, title = {{Google notifies 14,000 Gmail users of targeted APT28 attacks}}, date = {2021-10-07}, organization = {The Record}, url = {https://therecord.media/google-notifies-14000-gmail-users-of-targeted-apt28-attacks/}, language = {English}, urldate = {2021-10-13} } @online{cimpanu:20211007:netherlands:c716790, author = {Catalin Cimpanu}, title = {{Netherlands can use intelligence or armed forces to respond to ransomware attacks}}, date = {2021-10-07}, organization = {The Record}, url = {https://therecord.media/netherlands-can-use-intelligence-or-armed-forces-to-respond-to-ransomware-attacks/}, language = {English}, urldate = {2021-10-13} } @online{cimpanu:20211019:moses:35089a3, author = {Catalin Cimpanu}, title = {{Tweet on Moses Staff}}, date = {2021-10-19}, organization = {Twitter (@campuscodi)}, url = {https://twitter.com/campuscodi/status/1450455259202166799}, language = {English}, urldate = {2022-03-07} } @online{cimpanu:20211022:darkside:27f49ba, author = {Catalin Cimpanu}, title = {{DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement}}, date = {2021-10-22}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/}, language = {English}, urldate = {2021-11-02} } @online{cimpanu:20211102:destructive:a5ab443, author = {Catalin Cimpanu}, title = {{‘Destructive’ cyberattack hits National Bank of Pakistan}}, date = {2021-11-02}, organization = {The Record}, url = {https://therecord.media/destructive-cyberattack-hits-national-bank-of-pakistan/}, language = {English}, urldate = {2021-11-03} } @online{cimpanu:20211103:blackmatter:04b7414, author = {Catalin Cimpanu}, title = {{BlackMatter ransomware says its shutting down due to pressure from local authorities}}, date = {2021-11-03}, organization = {The Record}, url = {https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/}, language = {English}, urldate = {2021-11-03} } @online{cimpanu:20211104:google:340c884, author = {Catalin Cimpanu}, title = {{Google fixes Android zero-day exploited in the wild in targeted attacks (CVE-2021-1048)}}, date = {2021-11-04}, organization = {The Record}, url = {https://therecord.media/google-fixes-android-zero-day-exploited-in-the-wild-in-targeted-attacks/}, language = {English}, urldate = {2021-11-08} } @online{cimpanu:20211108:us:42947b7, author = {Catalin Cimpanu}, title = {{US arrests and charges Ukrainian man for Kaseya ransomware attack}}, date = {2021-11-08}, organization = {The Record}, url = {https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/}, language = {English}, urldate = {2021-11-09} } @online{cimpanu:20211228:iranian:0d0f5b0, author = {Catalin Cimpanu}, title = {{Iranian hackers behind Cox Media Group ransomware attack (DEV-0270)}}, date = {2021-12-28}, organization = {The Record}, url = {https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/}, language = {English}, urldate = {2021-12-31} } @online{cimpanu:20220213:san:4feaacb, author = {Catalin Cimpanu}, title = {{San Francisco 49ers confirm ransomware attack}}, date = {2022-02-13}, organization = {The Record}, url = {https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/}, language = {English}, urldate = {2022-02-14} } @online{cimpanu:20220216:red:e3296da, author = {Catalin Cimpanu}, title = {{Red Cross blames hack on Zoho vulnerability, suspects APT attack}}, date = {2022-02-16}, organization = {The Record}, url = {https://therecord.media/red-cross-blames-hack-on-zoho-vulnerability-suspects-apt-attack/}, language = {English}, urldate = {2022-02-19} } @online{cimpanu:20220218:academics:d2f3045, author = {Catalin Cimpanu}, title = {{Academics publish method for recovering data encrypted by the Hive ransomware}}, date = {2022-02-18}, organization = {The Record}, url = {https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-02-19} } @online{cimpanu:20220221:chinese:fe29003, author = {Catalin Cimpanu}, title = {{Chinese hackers linked to months-long attack on Taiwanese financial sector}}, date = {2022-02-21}, organization = {The Record}, url = {https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/}, language = {English}, urldate = {2022-02-26} } @online{cimpanu:20220223:second:960453d, author = {Catalin Cimpanu}, title = {{Second data wiper attack hits Ukraine computer networks}}, date = {2022-02-23}, organization = {The Record}, url = {https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/}, language = {English}, urldate = {2022-03-01} } @online{cimpanu:20220224:trickbot:2f5ab4d, author = {Catalin Cimpanu}, title = {{TrickBot gang shuts down botnet after months of inactivity}}, date = {2022-02-24}, organization = {The Record}, url = {https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/}, language = {English}, urldate = {2022-03-01} } @online{cimpanu:20220227:conti:935e928, author = {Catalin Cimpanu}, title = {{Conti ransomware gang chats leaked by pro-Ukraine member}}, date = {2022-02-27}, organization = {The Record}, url = {https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/}, language = {English}, urldate = {2022-03-01} } @online{cimpanu:20220613:risky:340aabc, author = {Catalin Cimpanu}, title = {{Risky Biz News: Google shuts down YouTube Russian propaganda channels}}, date = {2022-06-13}, organization = {Risky.biz}, url = {https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down}, language = {English}, urldate = {2024-02-08} } @online{cimpanu:20221121:risky:f1e43ca, author = {Catalin Cimpanu}, title = {{Risky Biz News: Cyber Partisans hack and disrupt Kremlin censor}}, date = {2022-11-21}, organization = {Risky.biz}, url = {https://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack}, language = {English}, urldate = {2024-02-08} } @online{cimpanu:20240710:risky:5db9019, author = {Catalin Cimpanu}, title = {{Risky Biz News: US takes down RT's Twitter bot farm}}, date = {2024-07-10}, organization = {Risky.biz}, url = {https://news.risky.biz/risky-biz-news-us-takes-down-rts-twitter-bot-farm/}, language = {English}, urldate = {2024-07-22} } @online{cimpanu:20240906:risky:3f8e8a3, author = {Catalin Cimpanu}, title = {{Risky Biz News: Doppelganger gets a kick in the butt from Uncle Sam}}, date = {2024-09-06}, organization = {Risky.biz}, url = {https://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/}, language = {English}, urldate = {2024-09-27} } @online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } @online{cip:20230309:russias:f40dc09, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Russia's Cyber Tactics: Lessons Learned 2022}}, date = {2023-03-09}, url = {https://cip.gov.ua/services/cm/api/attachment/download?id=53466}, language = {English}, urldate = {2023-03-13} } @online{cip:20230928:russias:25b9ce0, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Russia's Cyber Tactics H1' 2023}}, date = {2023-09-28}, organization = {CIP}, url = {https://cip.gov.ua/services/cm/api/attachment/download?id=60068}, language = {English}, urldate = {2023-10-09} } @online{cip:20240305:semiannual:597047c, author = {State Service of Special Communication and Information Protection of Ukraine (CIP) and paloalto Networks: Unit42}, title = {{Semi-Annual Chronicles of UAC-0006 Operations}}, date = {2024-03-05}, organization = {CIP}, url = {https://scpc.gov.ua/api/files/8e300d33-6257-4d7f-8f72-457224268343}, language = {English}, urldate = {2024-03-19} } @techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } @techreport{circl:20130529:malware:cd9f6f8, author = {CIRCL}, title = {{Malware analysis report of a Backdoor.Snifula variant}}, date = {2013-05-29}, institution = {CIRCL}, url = {https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf}, language = {English}, urldate = {2019-07-11} } @techreport{circl:20130530:analysis:e828e08, author = {CIRCL}, title = {{Analysis of a stage 3 Miniduke sample}}, date = {2013-05-30}, institution = {CIRCL}, url = {https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf}, language = {English}, urldate = {2020-01-08} } @online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } @online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } @online{circl:20211110:tr64:37ab4d8, author = {CIRCL}, title = {{TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders}}, date = {2021-11-10}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-64/}, language = {English}, urldate = {2021-11-25} } @online{cirlig:202104:pareto:eb7b26c, author = {Gabi Cirlig and Vikas Parthasarathy and Michael Moran and Michael McNally and Inna Vasilyeva and Mikhail Venkov and Federico Harrington and Adam Sell}, title = {{PARETO: A Technical Analysis}}, date = {2021-04}, organization = {humansecurity}, url = {https://www.humansecurity.com/blog/pareto-a-technical-analysis}, language = {English}, urldate = {2021-04-29} } @online{cis:20220415:top:62c8245, author = {CIS}, title = {{Top 10 Malware March 2022}}, date = {2022-04-15}, organization = {Center for Internet Security}, url = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022}, language = {English}, urldate = {2023-02-17} } @online{cisa:20170412:ics:0d94c2e, author = {CISA}, title = {{ICS Alert (ICS-ALERT-17-102-01A)}}, date = {2017-04-12}, organization = {CISA}, url = {https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A}, language = {English}, urldate = {2020-01-09} } @online{cisa:20170612:alert:7799e28, author = {CISA}, title = {{Alert (TA17-163A)}}, date = {2017-06-12}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/alerts/TA17-163A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20180809:malware:71c0559, author = {CISA}, title = {{Malware Analysis Report (AR18-221A)}}, date = {2018-08-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A}, language = {English}, urldate = {2020-01-07} } @online{cisa:20190214:ar18352a:96bf02b, author = {CISA}, title = {{AR18-352A: Quasar Open-Source Remote Administration Tool}}, date = {2019-02-14}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar18-352a}, language = {English}, urldate = {2024-10-17} } @online{cisa:20190314:mar1013553612:f7e3669, author = {CISA}, title = {{MAR-10135536-12 – North Korean Trojan: TYPEFRAME}}, date = {2019-03-14}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar18-165a}, language = {English}, urldate = {2023-12-11} } @online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } @online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } @online{cisa:2019:hidden:52ee565, author = {CISA}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2019}, organization = {CISA}, url = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity}, language = {English}, urldate = {2020-01-07} } @online{cisa:20200819:mar102951341v1:e21aadf, author = {CISA}, title = {{MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN}}, date = {2020-08-19}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar20-232a}, language = {English}, urldate = {2023-08-11} } @online{cisa:20200826:alert:91b063b, author = {CISA and U.S. Department of the Treasury and FBI and U.S. Cyber Command}, title = {{Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks}}, date = {2020-08-26}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa20-239a}, language = {English}, urldate = {2022-04-20} } @online{cisa:20200826:mar103017061v1:735a8fc, author = {CISA}, title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a}, language = {English}, urldate = {2020-09-01} } @online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } @techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } @online{cisa:20201213:active:44eb4a4, author = {CISA}, title = {{Active Exploitation of SolarWinds Software}}, date = {2020-12-13}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software}, language = {English}, urldate = {2020-12-15} } @online{cisa:20210217:malware:18c1b8e, author = {CISA}, title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2023-06-29} } @online{cisa:20210217:malware:39df9f4, author = {CISA}, title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:47648b1, author = {CISA}, title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:5113e30, author = {CISA}, title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e}, language = {English}, urldate = {2023-11-30} } @online{cisa:20210217:malware:59e2d5d, author = {CISA}, title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d}, language = {English}, urldate = {2021-02-20} } @online{cisa:20210217:malware:5fa5db6, author = {CISA}, title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c}, language = {English}, urldate = {2023-06-29} } @online{cisa:20210303:alert:c05160a, author = {CISA}, title = {{Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities}}, date = {2021-03-03}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-062a}, language = {English}, urldate = {2021-03-10} } @online{cisa:20210310:remediating:23bf74d, author = {CISA}, title = {{Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise}}, date = {2021-03-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/remediating-apt-compromised-networks}, language = {English}, urldate = {2021-03-12} } @online{cisa:20210318:cisa:49f510f, author = {CISA}, title = {{CISA Hunt and Incident Response Program (CHIRP)}}, date = {2021-03-18}, organization = {Github (cisagov)}, url = {https://github.com/cisagov/CHIRP}, language = {English}, urldate = {2021-03-19} } @techreport{cisa:20210402:joint:cc385f7, author = {CISA and FBI}, title = {{Joint CSA AA21-092A: APT Actors Exploit Vulnerabilitiesto Gain Initial Access for Future Attacks}}, date = {2021-04-02}, institution = {}, url = {https://www.ic3.gov/Media/News/2021/210402.pdf}, language = {English}, urldate = {2021-04-06} } @techreport{cisa:20210426:russian:0ef89c2, author = {CISA and FBI and Department of Homeland Security}, title = {{Russian Foreign Intelligence Service (SVR)Cyber Operations: Trends and Best Practices for Network Defenders}}, date = {2021-04-26}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf}, language = {English}, urldate = {2021-04-29} } @online{cisa:20210429:cisa:2edf608, author = {CISA}, title = {{CISA Identifies SUPERNOVA Malware During Incident Response}}, date = {2021-04-29}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar21-112a}, language = {English}, urldate = {2023-10-05} } @online{cisa:20210506:analysis:9b259c7, author = {CISA}, title = {{Analysis Report: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a}, language = {English}, urldate = {2021-05-08} } @online{cisa:20210506:mar103247841v1:408b7aa, author = {CISA}, title = {{MAR-10324784-1.v1: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b}, language = {English}, urldate = {2021-05-08} } @techreport{cisa:20210701:russian:4127fc7, author = {CISA and FBI and NSA and NCSC UK}, title = {{Russian GRU (APT28) Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments}}, date = {2021-07-01}, institution = {}, url = {https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF}, language = {English}, urldate = {2021-07-11} } @online{cisa:20210719:alert:bc070a7, author = {CISA}, title = {{Alert (AA21-200B): Chinese State-Sponsored Cyber Operations: Observed TTPs}}, date = {2021-07-19}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-200b}, language = {English}, urldate = {2021-07-22} } @online{cisa:20210728:top:78a1031, author = {CISA and Australian Cyber Security Centre (ACSC) and NCSC UK and FBI}, title = {{Top Routinely Exploited Vulnerabilities}}, date = {2021-07-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-209a}, language = {English}, urldate = {2021-07-29} } @techreport{cisa:20211117:cybersecurity:28e0ecc, author = {CISA}, title = {{Cybersecurity Incident & Vulnerability Response Playbooks}}, date = {2021-11-17}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf}, language = {English}, urldate = {2021-11-19} } @online{cisa:20211222:alert:635c59b, author = {CISA and FBI and NSA and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand National Cyber Security Centre (NZ NCSC) and United Kingdom’s National Cyber Security Centre (NCSC-UK)}, title = {{Alert (AA21-356A) Mitigating Log4Shell and Other Log4j-Related Vulnerabilities}}, date = {2021-12-22}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa21-356a}, language = {English}, urldate = {2021-12-23} } @techreport{cisa:20220111:understanding:07bbdcf, author = {CISA and FBI and NSA}, title = {{Understanding and Mitigating Russian State- Sponsored Cyber Threats to U.S. Critical Infrastructure}}, date = {2022-01-11}, institution = {}, url = {https://media.defense.gov/2022/Jan/11/2002919950/-1/-1/1/JOINT_CSA_UNDERSTANDING_MITIGATING_RUSSIAN_CYBER_THREATS_TO_US_CRITICAL_INFRASTRUCTURE_20220111.PDF}, language = {English}, urldate = {2022-01-18} } @techreport{cisa:20220111:understanding:aae8b36, author = {CISA and FBI and NSA}, title = {{Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure}}, date = {2022-01-11}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-011A_Joint_CSA_Understanding_and_Mitigating%20_Russian_Cyber_Threats_to_US_Critical_Infrastructure_TLP-WHITE_01-10-22_v1.pdf}, language = {English}, urldate = {2022-04-07} } @techreport{cisa:20220209:alert:be2567f, author = {CISA and FBI and NSA and Australian Cyber Security Centre (ACSC) and NCSC UK}, title = {{Alert (AA22-040A) 2021 Trends Show Increased Globalized Threat of Ransomware}}, date = {2022-02-09}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-040A_2021_Trends_Show_Increased_Globalized_Threat_of_Ransomware_508.pdf}, language = {English}, urldate = {2022-04-07} } @techreport{cisa:20220223:advisory:56f6379, author = {CISA and NCSC UK and FBI and NSA}, title = {{Advisory: New Sandworm malware Cyclops Blink replaces VPNFilter}}, date = {2022-02-23}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf}, language = {English}, urldate = {2022-02-26} } @online{cisa:20220223:alert:3e2924e, author = {CISA}, title = {{Alert (AA22-054A) New Sandworm Malware Cyclops Blink Replaces VPNFilter}}, date = {2022-02-23}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-054a}, language = {English}, urldate = {2022-02-26} } @online{cisa:20220226:alert:48440b6, author = {CISA}, title = {{Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-057a}, language = {English}, urldate = {2022-03-01} } @techreport{cisa:20220226:destructive:be5862b, author = {CISA and FBI}, title = {{Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf}, language = {English}, urldate = {2022-03-01} } @techreport{cisa:20220418:aa22108a:a0a81c6, author = {CISA and U.S. Department of the Treasury and FBI}, title = {{AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)}}, date = {2022-04-18}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf}, language = {English}, urldate = {2022-04-20} } @online{cisa:20220418:alert:dcc72c0, author = {CISA and FBI and U.S. Department of the Treasury}, title = {{Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies}}, date = {2022-04-18}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-108a}, language = {English}, urldate = {2022-04-25} } @techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } @online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } @online{cisa:20220420:tradertraitor:2bd6095, author = {CISA}, title = {{TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies}}, date = {2022-04-20}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa22-108a}, language = {English}, urldate = {2023-11-27} } @online{cisa:20220427:alert:e02c831, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and New Zealand National Cyber Security Centre (NZ NCSC) and United Kingdom’s National Cyber Security Centre (NCSC-UK)}, title = {{Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities}}, date = {2022-04-27}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-117a}, language = {English}, urldate = {2022-04-29} } @online{cisa:20220601:alert:f73857d, author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN}, title = {{Alert (AA22-152A): Karakurt Data Extortion Group}}, date = {2022-06-01}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-152a}, language = {English}, urldate = {2022-06-02} } @techreport{cisa:20220630:csa:59d0928, author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN}, title = {{CSA (AA22-181A): #StopRansomware: MedusaLocker}}, date = {2022-06-30}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf}, language = {English}, urldate = {2022-07-05} } @online{cisa:20220701:alert:12e80c1, author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN}, title = {{Alert (AA22-181A): #StopRansomware: MedusaLocker}}, date = {2022-07-01}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-181a}, language = {English}, urldate = {2022-07-05} } @online{cisa:20220811:alert:d9f4fc0, author = {CISA and FBI}, title = {{Alert (AA22-223A) #StopRansomware: Zeppelin Ransomware}}, date = {2022-08-11}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-223a}, language = {English}, urldate = {2022-08-12} } @techreport{cisa:20221201:stopransomware:de73b79, author = {CISA}, title = {{#StopRansomware: Cuba Ransomware}}, date = {2022-12-01}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf}, language = {English}, urldate = {2022-12-02} } @online{cisa:20230209:stopransomware:d75cea9, author = {CISA}, title = {{#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities}}, date = {2023-02-09}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a}, language = {English}, urldate = {2024-02-08} } @online{cisa:20230302:stopransomware:09958a9, author = {CISA}, title = {{#StopRansomware: Royal Ransomware}}, date = {2023-03-02}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a}, language = {English}, urldate = {2023-03-04} } @online{cisa:20230509:hunting:eee110d, author = {CISA}, title = {{Hunting Russian Intelligence “Snake” Malware}}, date = {2023-05-09}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a}, language = {English}, urldate = {2023-05-10} } @online{cisa:20230524:aa23144a:ea45fbb, author = {CISA}, title = {{AA23-144a: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection}}, date = {2023-05-24}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a}, language = {English}, urldate = {2023-05-26} } @online{cisa:20230706:increased:7ff9690, author = {CISA}, title = {{Increased Truebot Activity Infects U.S. and Canada Based Networks}}, date = {2023-07-06}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a}, language = {English}, urldate = {2023-07-08} } @techreport{cisa:20230727:mar10454006r1v2:212d39f, author = {CISA}, title = {{MAR-10454006-r1.v2 SUBMARINE Backdoor}}, date = {2023-07-27}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-07/MAR-10454006.r1.v2.CLEAR_.pdf}, language = {English}, urldate = {2025-01-27} } @techreport{cisa:20230727:mar10454006r2v1:4f744bd, author = {CISA}, title = {{MAR-10454006-r2.v1 SEASPY Backdoor}}, date = {2023-07-27}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-07/MAR-10454006.r2.v1.CLEAR_.pdf}, language = {English}, urldate = {2025-01-27} } @techreport{cisa:20230727:mar10454006r3v1:bc3343a, author = {CISA}, title = {{MAR-10454006-r3.v1 Exploit Payload Backdoor}}, date = {2023-07-27}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-07/MAR-10454006.r3.v1.CLEAR_.pdf}, language = {English}, urldate = {2025-01-27} } @online{cisa:20230728:cisa:6c1a592, author = {CISA}, title = {{CISA Releases Malware Analysis Reports on Barracuda Backdoors}}, date = {2023-07-28}, organization = {CISA}, url = {https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors}, language = {English}, urldate = {2023-07-31} } @online{cisa:20230728:mar10454006r1v2:4a6a9c8, author = {CISA}, title = {{MAR-10454006-r1.v2 SUBMARINE Backdoor}}, date = {2023-07-28}, url = {https://www.cisa.gov/news-events/analysis-reports/ar23-209a}, language = {English}, urldate = {2023-07-31} } @online{cisa:20230728:mar10454006r2v1:eac60db, author = {CISA}, title = {{MAR-10454006-r2.v1 SEASPY Backdoor}}, date = {2023-07-28}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar23-209b}, language = {English}, urldate = {2023-07-31} } @techreport{cisa:20230808:mar10454006r4v2:33122d5, author = {CISA}, title = {{MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors}}, date = {2023-08-08}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-08/MAR-10454006.r4.v2.CLEAR_.pdf}, language = {English}, urldate = {2025-01-27} } @techreport{cisa:20230817:mar10459736r1v1:aa74341, author = {CISA}, title = {{MAR-10459736.r1.v1 WHIRLPOOL Backdoor}}, date = {2023-08-17}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-08/MAR-10459736.r1.v1.CLEAR_.pdf}, language = {English}, urldate = {2025-01-27} } @techreport{cisa:20230905:mar10454006r5v1:dd82dd3, author = {CISA}, title = {{MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors}}, date = {2023-09-05}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-09/MAR-10454006.r5.v1.CLEAR__0.pdf}, language = {English}, urldate = {2025-01-27} } @online{cisa:20230907:mar10454006r5v1:3dce99f, author = {CISA}, title = {{MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors}}, date = {2023-09-07}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0}, language = {English}, urldate = {2023-09-08} } @techreport{cisa:20230907:multiple:e867413, author = {CISA}, title = {{Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475}}, date = {2023-09-07}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf}, language = {English}, urldate = {2023-09-11} } @techreport{cisa:20231116:scattered:5864b37, author = {CISA}, title = {{Scattered Spider}}, date = {2023-11-16}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf}, language = {English}, urldate = {2023-11-17} } @online{cisa:20231116:scattered:ec1932d, author = {CISA}, title = {{Scattered Spider}}, date = {2023-11-16}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a}, language = {English}, urldate = {2023-11-22} } @online{cisa:20231213:russian:200c7ec, author = {CISA}, title = {{Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally}}, date = {2023-12-13}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a}, language = {English}, urldate = {2023-12-14} } @online{cisa:20240207:mar104483621v1:141c355, author = {CISA}, title = {{MAR-10448362-1.v1 Volt Typhoon}}, date = {2024-02-07}, organization = {CISA}, url = {https://www.cisa.gov/news-events/analysis-reports/ar24-038a}, language = {English}, urldate = {2024-02-08} } @online{cisa:20240207:prc:c385766, author = {CISA}, title = {{PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure}}, date = {2024-02-07}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a}, language = {English}, urldate = {2024-02-08} } @online{cisa:20240329:reported:0ff8be5, author = {CISA}, title = {{Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094}}, date = {2024-03-29}, organization = {CISA}, url = {https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094}, language = {English}, urldate = {2024-04-02} } @online{cisa:20240510:aa24131a:9d730f7, author = {CISA}, title = {{AA24-131A: #StopRansomware: Black Basta}}, date = {2024-05-10}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a}, language = {English}, urldate = {2024-05-13} } @online{cisa:20241016:iranian:975d0b4, author = {CISA}, title = {{Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations}}, date = {2024-10-16}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a}, language = {English}, urldate = {2024-10-17} } @techreport{cisa:20250130:contec:d1e3a8d, author = {CISA}, title = {{Contec CMS8000 Contains a Backdoor}}, date = {2025-01-30}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2025-01/fact-sheet-contec-cms8000-contains-a-backdoor-508c.pdf}, language = {English}, urldate = {2025-01-31} } @online{cisa:20250219:stopransomware:4ade5c1, author = {CISA}, title = {{#StopRansomware: Ghost (Cring) Ransomware}}, date = {2025-02-19}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a}, language = {English}, urldate = {2025-02-20} } @techreport{ciso:20250117:threat:3a94878, author = {Office of the CISO}, title = {{Threat Horizons - H1 2025 Threat Horizons Report}}, date = {2025-01-17}, institution = {Google Cloud Security}, url = {https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf}, language = {English}, urldate = {2025-03-07} } @techreport{citizenlab:20100406:shadows:0ddd0ca, author = {CitizenLab and Information Warfare Monitor and Shadowserver Foundation}, title = {{SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0}}, date = {2010-04-06}, institution = {CitizenLab}, url = {https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf}, language = {English}, urldate = {2020-01-13} } @online{citizenlab:20200609:dark:6fc74ec, author = {CitizenLab}, title = {{Dark Basin Indicators of Compromise}}, date = {2020-06-09}, organization = {Github (citizenlab)}, url = {https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin}, language = {English}, urldate = {2020-11-02} } @online{citizenlab:20211108:devices:47e5c60, author = {CitizenLab}, title = {{Devices of Palestinian Human Rights Defenders Hacked with NSO Group’s Pegasus Spyware}}, date = {2021-11-08}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/}, language = {English}, urldate = {2021-11-08} } @online{ciuleanu:20220520:mirai:77360aa, author = {Vlad Ciuleanu}, title = {{Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022}}, date = {2022-05-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/}, language = {English}, urldate = {2022-05-25} } @online{civil:20210714:civil:e46ca2f, author = {Guardia Civil}, title = {{The Civil Guard dismantles an important network dedicated to committing scams through the Internet}}, date = {2021-07-14}, organization = {Guardia Civil}, url = {http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853}, language = {Spanish}, urldate = {2021-07-20} } @online{civilsphereproject:20210921:capturing:60e5728, author = {civilsphereproject}, title = {{Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN}}, date = {2021-09-21}, organization = {civilsphereproject}, url = {https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn}, language = {English}, urldate = {2021-09-22} } @online{clapp:20210505:viruses:aab7c1a, author = {Kelsey Clapp}, title = {{Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic}}, date = {2021-05-05}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/298c9fc9}, language = {English}, urldate = {2021-05-26} } @online{clapp:20210922:bom:b738b21, author = {Kelsey Clapp and Jordan Herman}, title = {{The Bom Skimmer and MageCart Group 7}}, date = {2021-09-22}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/743ea75b/description}, language = {English}, urldate = {2021-09-24} } @online{clapp:20211103:vagabon:d24a68e, author = {Kelsey Clapp}, title = {{Vagabon PhishKit - An Example of Shared Code Modularity}}, date = {2021-11-03}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/17d2262c}, language = {English}, urldate = {2021-11-08} } @online{clapp:20211203:woos:020f03d, author = {Kelsey Clapp}, title = {{Woo's There? Magecart Targets WooCommerce}}, date = {2021-12-03}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2efc2782}, language = {English}, urldate = {2021-12-07} } @online{clapp:20220510:commodity:7703042, author = {Kelsey Clapp}, title = {{Commodity Skimming & Magecart Trends in First Quarter of 2022}}, date = {2022-05-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/017cf2e6}, language = {English}, urldate = {2022-05-17} } @techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } @techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } @online{clarke:20210324:oauth:5092c3f, author = {Itir Clarke and Assaf Friedman}, title = {{OAuth Abuse: Think SolarWinds/Solorigate Campaign with Focus on Cloud Applications}}, date = {2021-03-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/cloud-security/oauth-abuse-think-solarwindssolorigate-campaign-focus-cloud-applications}, language = {English}, urldate = {2021-03-25} } @online{cleafy:20210727:oscorp:7f7fcd5, author = {Cleafy}, title = {{Oscorp evolves into UBEL: an advanced Android malware spreading across the globe}}, date = {2021-07-27}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution}, language = {English}, urldate = {2021-07-27} } @online{cleafy:20211025:digital:48fbdf8, author = {Cleafy}, title = {{Digital banking fraud: how the Gozi malware works}}, date = {2021-10-25}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work}, language = {English}, urldate = {2021-11-02} } @online{cleafy:20211111:sharkbot:efbc5a5, author = {Cleafy}, title = {{SharkBot: a new generation of Android Trojans is targeting banks in Europe}}, date = {2021-11-11}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe}, language = {English}, urldate = {2021-11-17} } @online{cleafy:20211203:mobile:4153ff9, author = {Cleafy}, title = {{Mobile banking fraud: BRATA strikes again}}, date = {2021-12-03}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again}, language = {English}, urldate = {2021-12-13} } @online{cleafy:20220124:how:b4fcbab, author = {Cleafy}, title = {{How BRATA is monitoring your bank account}}, date = {2022-01-24}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account}, language = {English}, urldate = {2022-01-25} } @online{cleafy:20220301:teabot:bc307ec, author = {Cleafy}, title = {{TeaBot is now spreading across the globe}}, date = {2022-03-01}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe}, language = {English}, urldate = {2022-03-02} } @online{cleafy:20220627:revive:e305f85, author = {Cleafy}, title = {{Revive: from spyware to Android banking trojan}}, date = {2022-06-27}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan}, language = {English}, urldate = {2022-06-29} } @online{cleafy:20221104:android:2dcfb28, author = {Cleafy}, title = {{The Android Malware’s Journey: From Google Play to banking fraud}}, date = {2022-11-04}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud}, language = {English}, urldate = {2022-11-06} } @online{cleafy:20240909:about:595672c, author = {Cleafy}, title = {{Tweet about malware version Octo 2}}, date = {2024-09-09}, organization = {Cleafy}, url = {https://x.com/cleafylabs/status/1833145006585987374}, language = {English}, urldate = {2024-09-26} } @techreport{clearsky:201707:operationwilted:7e57e58, author = {ClearSky and Trend Micro}, title = {{OperationWilted Tulip}}, date = {2017-07}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf}, language = {English}, urldate = {2020-01-06} } @online{clearsky:20180213:enfal:e063cf1, author = {ClearSky}, title = {{Tweet on Enfal loader}}, date = {2018-02-13}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/963829930776723461}, language = {English}, urldate = {2019-07-10} } @techreport{clearsky:20201015:operation:dead010, author = {ClearSky}, title = {{Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations}}, date = {2020-10-15}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf}, language = {English}, urldate = {2020-10-21} } @techreport{clearsky:202105:attributing:67fb261, author = {ClearSky}, title = {{Attributing Attacks Against Crypto Exchanges to LAZARUS – North Korea}}, date = {2021-05}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf}, language = {English}, urldate = {2021-06-09} } @techreport{clearsky:20210817:new:573e4e4, author = {ClearSky}, title = {{New Iranian Espionage Campaign By “Siamesekitten” - Lyceum}}, date = {2021-08-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf}, language = {English}, urldate = {2021-08-25} } @techreport{clearsky:20240104:nojustice:4df91c1, author = {ClearSky}, title = {{No-Justice Wiper - Wiper attack on Albania by Iranian APT)}}, date = {2024-01-04}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf}, language = {English}, urldate = {2024-04-11} } @online{clearsky:20241113:cve202443451:97b2916, author = {ClearSky}, title = {{CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild}}, date = {2024-11-13}, organization = {ClearSky}, url = {https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/}, language = {English}, urldate = {2024-11-15} } @techreport{clearsky:20241113:new:7eee3d1, author = {ClearSky}, title = {{New Zero-Day Vulnerability Detected: CVE-2024-43451}}, date = {2024-11-13}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2024/11/Zero-day-cve-2024-4351-report.pdf}, language = {English}, urldate = {2025-02-03} } @online{climentpommeret:20240403:raspberry:d3f8627, author = {Alice Climent-Pommeret}, title = {{Raspberry Robin and its new anti-emulation trick}}, date = {2024-04-03}, organization = {HarfangLab}, url = {https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/}, language = {English}, urldate = {2024-04-08} } @online{climentpommeret:20240904:unpacking:5e2d9b8, author = {Alice Climent-Pommeret}, title = {{Unpacking the unpleasant FIN7 gift: PackXOR}}, date = {2024-09-04}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/unpacking-packxor/}, language = {English}, urldate = {2025-02-28} } @online{climentpommeret:20241011:hijackloader:88ce2ed, author = {Alice Climent-Pommeret}, title = {{HijackLoader evolution: abusing genuine signing certificates}}, date = {2024-10-11}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/}, language = {English}, urldate = {2025-02-28} } @online{clinton:20211021:stopping:3c26152, author = {Alex Clinton and Tasha Robinson}, title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}}, date = {2021-10-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/}, language = {English}, urldate = {2021-11-02} } @online{cloudflare:20250317:black:db4ef1b, author = {Cloudflare}, title = {{Black Basta’s blunder: exploiting the gang’s leaked chats}}, date = {2025-03-17}, organization = {Cloudflare}, url = {https://www.cloudflare.com/threat-intelligence/research/report/black-bastas-blunder-exploiting-the-gangs-leaked-chats/}, language = {English}, urldate = {2025-03-26} } @online{cloudsek:20220728:techniques:c37b07e, author = {Cloudsek}, title = {{Techniques, Tactics & Procedures (TTPs) Employed by Hacktivist Group DragonForce Malaysia}}, date = {2022-07-28}, organization = {Cloudsek}, url = {https://cloudsek.com/threatintelligence/techniques-tactics-procedures-ttps-employed-by-hacktivist-group-dragonforce-malaysia/}, language = {English}, urldate = {2022-08-02} } @online{cloudsek:20241106:mozi:05c19aa, author = {Cloudsek}, title = {{Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave}}, date = {2024-11-06}, organization = {Cloudsek}, url = {https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave}, language = {English}, urldate = {2024-11-12} } @online{clueley:20200109:man:cea3f4b, author = {Graham Clueley}, title = {{Man jailed for using webcam RAT to spy on women in their bedrooms}}, date = {2020-01-09}, organization = {The State of Security}, url = {https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/}, language = {English}, urldate = {2020-01-20} } @online{clueley:20230906:pizza:5300b06, author = {Graham Clueley}, title = {{Pizza Hut Australia leaks one million customers' details, claims ShinyHunters hacking group}}, date = {2023-09-06}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/pizza-hut-australia-leaks-one-million-customers-details-claims-shinyhunters-hacking-group/}, language = {English}, urldate = {2023-11-27} } @online{clueley:20241025:us:05ad0a6, author = {Graham Clueley}, title = {{US offers $10 million bounty for members of Iranian hacking gang}}, date = {2024-10-25}, organization = {Bitdefender}, url = {https://www.bitdefender.com/en-us/blog/hotforsecurity/us-offers-10-million-bounty-for-members-of-iranian-hacking-gang/}, language = {English}, urldate = {2024-11-04} } @online{cluley:20121113:new:627d122, author = {Graham Cluley}, title = {{New variant of Mac Trojan discovered, targeting Tibet}}, date = {2012-11-13}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/}, language = {English}, urldate = {2020-01-08} } @online{cluley:20150526:moose:4cb9940, author = {Graham Cluley}, title = {{Moose – the router worm with an appetite for social networks}}, date = {2015-05-26}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/05/26/moose-router-worm/}, language = {English}, urldate = {2019-12-20} } @online{cluley:20170830:new:c821389, author = {Graham Cluley}, title = {{New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies}}, date = {2017-08-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/}, language = {English}, urldate = {2019-11-14} } @online{cluley:20170904:despite:6f4a25f, author = {Graham Cluley}, title = {{Despite appearances, WikiLeaks wasn’t hacked}}, date = {2017-09-04}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/}, language = {English}, urldate = {2019-11-28} } @online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } @online{cluley:20200505:kaiji:94f85b6, author = {Graham Cluley}, title = {{Kaiji – a new strain of IoT malware seizing control and launching DDoS attacks}}, date = {2020-05-05}, organization = {Bitdefender}, url = {https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/}, language = {English}, urldate = {2020-05-06} } @techreport{cluster25:202105:not:0bf7be8, author = {Cluster25}, title = {{A Not So Fancy Game: Exploring the New SkinnyBoy Bear's Backdoor}}, date = {2021-05}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf}, language = {English}, urldate = {2021-06-07} } @techreport{cluster25:20210910:rattlesnake:7bbbd1f, author = {Cluster25}, title = {{A rattlesnake in the Navy}}, date = {2021-09-10}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2021/09/a_rattlesnake_in_the_navy.pdf}, language = {English}, urldate = {2021-09-12} } @techreport{cluster25:20220103:north:b362bcd, author = {Cluster25}, title = {{North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants}}, date = {2022-01-03}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf}, language = {English}, urldate = {2022-07-25} } @online{cluster25:20220224:ukraine:3000c86, author = {Cluster25}, title = {{Ukraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)}}, date = {2022-02-24}, url = {https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/}, language = {English}, urldate = {2022-03-01} } @online{cluster25:20220302:contis:27cb79d, author = {Cluster25}, title = {{Conti's Source Code: Deep-Dive Into}}, date = {2022-03-02}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/}, language = {English}, urldate = {2022-03-07} } @online{cluster25:20220308:ghostwriter:3f0d3c1, author = {Cluster25}, title = {{GhostWriter / UNC1151 adopts MicroBackdoor Variants in Cyber Operations against Ukraine}}, date = {2022-03-08}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/}, language = {English}, urldate = {2022-03-10} } @online{cluster25:20220429:lotus:c5520e5, author = {Cluster25}, title = {{The LOTUS PANDA Is Awake, Again. Analysis Of Its Last Strike.}}, date = {2022-04-29}, organization = {Cluster25}, url = {https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/}, language = {English}, urldate = {2022-04-29} } @online{cluster25:20220503:strange:1481afa, author = {Cluster25}, title = {{The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet}}, date = {2022-05-03}, organization = {Cluster25}, url = {https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/}, language = {English}, urldate = {2022-05-04} } @online{cluster25:20220513:cozy:44aa396, author = {Cluster25}, title = {{Cozy Smuggled Into The Box: APT29 Abusing Legitimate Software For Targeted Operations In Europe}}, date = {2022-05-13}, organization = {Cluster25}, url = {https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/}, language = {English}, urldate = {2022-05-17} } @online{cluster25:20220706:lockbit:5228074, author = {Cluster25}, title = {{LockBit 3.0: “Making The Ransomware Great Again”}}, date = {2022-07-06}, organization = {Cluster25}, url = {https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/}, language = {English}, urldate = {2022-07-13} } @online{cluster25:20220923:in:ea96772, author = {Cluster25}, title = {{In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants}}, date = {2022-09-23}, organization = {Cluster25}, url = {https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/}, language = {English}, urldate = {2022-09-26} } @online{cluster25:20240130:bear:2268dee, author = {Cluster25}, title = {{The Bear and The Shell: New Campaign Against Russian Opposition}}, date = {2024-01-30}, organization = {Cluster25}, url = {https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition}, language = {English}, urldate = {2024-02-22} } @online{cn33liz:20170605:javascript:36e302d, author = {Cn33liz}, title = {{A JavaScript and VBScript Based Empire Launcher - by Cn33liz 2017}}, date = {2017-06-05}, organization = {Github (Cn33liz)}, url = {https://github.com/Cn33liz/StarFighters}, language = {English}, urldate = {2020-04-07} } @online{cna:201901:destructive:38ed2c3, author = {Saudi Arabia CNA}, title = {{Destructive Attack “DUSTMAN” Technical Report}}, date = {2019-01}, organization = {Saudi Arabia CNA}, url = {https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report}, language = {English}, urldate = {2020-01-13} } @online{cncert:20210628:analysis:0eea3df, author = {CNCERT}, title = {{Analysis of the new P2P botnet PBot}}, date = {2021-06-28}, organization = {CN CERT}, url = {https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html}, language = {Chinese}, urldate = {2021-09-14} } @online{cobb:20130502:stealthiness:6579e26, author = {Stephen Cobb}, title = {{The stealthiness of Linux/Cdorked: a clarification}}, date = {2013-05-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/}, language = {English}, urldate = {2019-11-14} } @online{cobli:20180618:six:c3dc8c0, author = {Claudiu Cobliș and Cristian Istrate and Cornel Punga and Andrei Ardelean}, title = {{Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation}}, date = {2018-06-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/}, language = {English}, urldate = {2020-07-08} } @techreport{cocomazzi:20220324:ransomware:be706fa, author = {Antonio Cocomazzi}, title = {{Ransomware Encryption Internals: A Behavioral Characterization}}, date = {2022-03-24}, institution = {SentinelOne}, url = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf}, language = {English}, urldate = {2022-03-25} } @online{cocomazzi:20221103:black:b0c2f05, author = {Antonio Cocomazzi}, title = {{Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor}}, date = {2022-11-03}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/}, language = {English}, urldate = {2022-11-15} } @online{cocomazzi:20221222:custombranded:3f5dd45, author = {Antonio Cocomazzi}, title = {{Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development}}, date = {2022-12-22}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/}, language = {English}, urldate = {2023-01-05} } @online{cocomazzi:20230321:blackbyte:f11b8c4, author = {Antonio Cocomazzi}, title = {{Tweet on BlackByte ransomware rewrite in C++}}, date = {2023-03-21}, organization = {Twitter (@splinter_code)}, url = {https://twitter.com/splinter_code/status/1628057204954652674}, language = {English}, urldate = {2023-03-24} } @online{cocomelonc:20210904:av:06b27c5, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 1}}, date = {2021-09-04}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html}, language = {English}, urldate = {2022-11-28} } @online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2023-07-24} } @online{cocomelonc:20220327:conti:07dddfb, author = {cocomelonc}, title = {{Conti ransomware source code investigation - part 1}}, date = {2022-03-27}, url = {https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html}, language = {English}, urldate = {2022-09-27} } @online{cocomelonc:20220402:malware:48c405d, author = {cocomelonc}, title = {{Malware development tricks. Find kernel32.dll base: asm style. C++ example.}}, date = {2022-04-02}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html}, language = {English}, urldate = {2022-04-07} } @online{cocomelonc:20220411:conti:a30496a, author = {cocomelonc}, title = {{Conti ransomware source code investigation - part 2}}, date = {2022-04-11}, url = {https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html}, language = {English}, urldate = {2022-09-27} } @online{cocomelonc:20220420:malware:b20963e, author = {cocomelonc}, title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}}, date = {2022-04-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220426:malware:a69279c, author = {cocomelonc}, title = {{Malware development: persistence - part 2. Screensaver hijack. C++ example.}}, date = {2022-04-26}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220509:malware:1cdee23, author = {cocomelonc}, title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}}, date = {2022-05-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220516:malware:ae31bde, author = {cocomelonc}, title = {{Malware development: persistence - part 6. Windows netsh helper DLL. Simple C++ example.}}, date = {2022-05-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220522:malware:b0a0669, author = {cocomelonc}, title = {{Malware development trick - part 29: Store binary data in registry. Simple C++ example.}}, date = {2022-05-22}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html}, language = {English}, urldate = {2023-05-23} } @online{cocomelonc:20220612:malware:e988236, author = {cocomelonc}, title = {{Malware development: persistence - part 7. Winlogon. Simple C++ example.}}, date = {2022-06-12}, url = {https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220721:malware:b5c2a4d, author = {cocomelonc}, title = {{Malware development tricks. Run shellcode like a Lazarus Group. C++ example.}}, date = {2022-07-21}, url = {https://cocomelonc.github.io/malware/2022/07/21/malware-tricks-22.html}, language = {English}, urldate = {2022-10-17} } @online{cocomelonc:20220730:malware:0f84be1, author = {cocomelonc}, title = {{Malware AV evasion - part 8. Encode payload via Z85}}, date = {2022-07-30}, url = {https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220826:malware:c330f1e, author = {cocomelonc}, title = {{Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example.}}, date = {2022-08-26}, url = {https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html}, language = {English}, urldate = {2022-12-01} } @online{cocomelonc:20220906:malware:a09756f, author = {cocomelonc}, title = {{Malware development tricks: parent PID spoofing. Simple C++ example.}}, date = {2022-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html}, language = {English}, urldate = {2022-11-17} } @online{cocomelonc:20220910:malware:edaf050, author = {cocomelonc}, title = {{Malware development: persistence - part 10. Using Image File Execution Options. Simple C++ example.}}, date = {2022-09-10}, url = {https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html}, language = {English}, urldate = {2022-10-19} } @online{cocomelonc:20220920:malware:c0e9c97, author = {cocomelonc}, title = {{Malware development: persistence - part 11. Powershell profile. Simple C++ example.}}, date = {2022-09-20}, url = {https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html}, language = {English}, urldate = {2022-10-19} } @online{cocomelonc:20220925:techniques:3e88b21, author = {cocomelonc}, title = {{APT techniques: Access Token manipulation. Token theft. Simple C++ example.}}, date = {2022-09-25}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/09/25/token-theft-1.html}, language = {English}, urldate = {2022-11-10} } @online{cocomelonc:20220930:malware:eb2f3c8, author = {cocomelonc}, title = {{Malware development: persistence - part 12. Accessibility Features. Simple C++ example.}}, date = {2022-09-30}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/09/30/malware-pers-12.html}, language = {English}, urldate = {2022-10-14} } @online{cocomelonc:20221028:techniques:0ea2e5c, author = {cocomelonc}, title = {{APT techniques: Token theft via UpdateProcThreadAttribute. Simple C++ example.}}, date = {2022-10-28}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/10/28/token-theft-2.html}, language = {English}, urldate = {2022-11-11} } @online{cocomelonc:20221105:malware:d52ac5b, author = {cocomelonc}, title = {{Malware analysis: part 6. Shannon entropy. Simple python script.}}, date = {2022-11-05}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/11/05/malware-analysis-6.html}, language = {English}, urldate = {2022-11-11} } @online{cocomelonc:20221116:malware:69e2118, author = {cocomelonc}, title = {{Malware development: persistence - part 19. Disk Cleanup Utility. Simple C++ example.}}, date = {2022-11-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2022/11/16/malware-pers-19.html}, language = {English}, urldate = {2022-11-21} } @online{cocomelonc:20221127:malware:e3f9492, author = {cocomelonc}, title = {{Malware development tricks: part 24. ListPlanting. Simple C++ example.}}, date = {2022-11-27}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html}, language = {English}, urldate = {2022-11-28} } @online{cocomelonc:20221209:malware:cff0b3d, author = {cocomelonc}, title = {{Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.}}, date = {2022-12-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html}, language = {English}, urldate = {2022-12-12} } @online{cocomelonc:20221221:malware:15de997, author = {cocomelonc}, title = {{Malware development tricks: part 25. EnumerateLoadedModules. Simple C++ example.}}, date = {2022-12-21}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/12/21/malware-tricks-25.html}, language = {English}, urldate = {2022-12-29} } @online{cocomelonc:20230104:malware:7653c80, author = {cocomelonc}, title = {{Malware development tricks: part 26. Mutex. C++ example.}}, date = {2023-01-04}, url = {https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html}, language = {English}, urldate = {2023-01-10} } @online{cocomelonc:20230120:malware:c480361, author = {cocomelonc}, title = {{Malware development: persistence - part 21. Recycle Bin, My Documents COM extension handler. Simple C++ example.}}, date = {2023-01-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2023/01/19/malware-pers-21.html}, language = {English}, urldate = {2023-01-23} } @online{cocomelonc:20230202:malware:1148f55, author = {cocomelonc}, title = {{Malware analysis: part 7. Yara rule example for CRC32. CRC32 in REvil ransomware}}, date = {2023-02-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html}, language = {English}, urldate = {2023-02-09} } @online{cocomelonc:20230210:malware:15c1a75, author = {cocomelonc}, title = {{Malware analysis: part 8. Yara rule example for MurmurHash2. MurmurHash2 in Conti ransomware}}, date = {2023-02-10}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html}, language = {English}, urldate = {2023-02-10} } @online{cocomelonc:20230212:malware:19bd9ec, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 11: encrypt payload via DES. Simple C++ example.}}, date = {2023-02-12}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/02/12/malware-av-evasion-11.html}, language = {English}, urldate = {2023-03-04} } @online{cocomelonc:20230220:malware:7672472, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 12: encrypt payload via TEA. Simple C++ example.}}, date = {2023-02-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/02/20/malware-av-evasion-12.html}, language = {English}, urldate = {2023-03-04} } @online{cocomelonc:20230309:malware:fe37ea5, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 13: encrypt/decrypt payload via Madryga. Simple C++ example.}}, date = {2023-03-09}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/malware/2023/03/09/malware-av-evasion-13.html}, language = {English}, urldate = {2023-03-30} } @online{cocomelonc:20230324:malware:972beff, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 14: encrypt/decrypt payload via A5/1. Bypass Kaspersky AV. Simple C++ example.}}, date = {2023-03-24}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/03/24/malware-av-evasion-14.html}, language = {English}, urldate = {2023-03-30} } @online{cocomelonc:20230408:malware:a7c22c4, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 15: WinAPI GetModuleHandle implementation. Simple C++ example.}}, date = {2023-04-08}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/04/08/malware-av-evasion-15.html}, language = {English}, urldate = {2023-05-10} } @online{cocomelonc:20230416:malware:214937b, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 15: WinAPI GetProcAddress implementation. Simple C++ example.}}, date = {2023-04-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/04/16/malware-av-evasion-16.html}, language = {English}, urldate = {2023-05-10} } @online{cocomelonc:20230427:malware:07d1a14, author = {cocomelonc}, title = {{Malware development trick - part 27: WinAPI LoadLibrary implementation. Simple C++ example.}}, date = {2023-04-27}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/04/27/malware-tricks-27.html}, language = {English}, urldate = {2023-05-10} } @online{cocomelonc:20230508:malware:d344f4a, author = {cocomelonc}, title = {{Malware analysis report: WinDealer (LuoYu Threat Group)}}, date = {2023-05-08}, organization = {cocomelonc}, url = {https://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html}, language = {English}, urldate = {2023-05-10} } @online{cocomelonc:20230511:malware:f557876, author = {cocomelonc}, title = {{Malware development trick - part 28: Dump lsass.exe. Simple C++ example.}}, date = {2023-05-11}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html}, language = {English}, urldate = {2023-05-15} } @online{cocomelonc:20230519:malware:3b9112f, author = {cocomelonc}, title = {{Malware source code investigation: AsyncRAT}}, date = {2023-05-19}, organization = {cocomelonc}, url = {https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html}, language = {English}, urldate = {2023-05-26} } @online{cocomelonc:20230526:malware:2af92da, author = {cocomelonc}, title = {{Malware development trick - part 30: Find PID via NtGetNextProcess. Simple C++ example.}}, date = {2023-05-26}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/05/26/malware-tricks-30.html}, language = {English}, urldate = {2023-05-30} } @online{cocomelonc:20230602:malware:6b0c57b, author = {cocomelonc}, title = {{Malware analysis report: SNOWYAMBER (+APT29 related malwares)}}, date = {2023-06-02}, organization = {MSSP Lab}, url = {https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html}, language = {English}, urldate = {2023-06-05} } @online{cocomelonc:20230604:malware:da9637f, author = {cocomelonc}, title = {{Malware development trick - part 31: Run shellcode via SetTimer. Simple C++ example.}}, date = {2023-06-04}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/malware/2023/06/04/malware-tricks-31.html}, language = {English}, urldate = {2023-06-22} } @online{cocomelonc:20230607:malware:d2403bd, author = {cocomelonc}, title = {{Malware development trick - part 32. Syscalls - part 1. Simple C++ example.}}, date = {2023-06-07}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html}, language = {English}, urldate = {2023-06-22} } @online{cocomelonc:20230609:malware:c402dbb, author = {cocomelonc}, title = {{Malware development trick - part 33. Syscalls - part 2. Simple C++ example.}}, date = {2023-06-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/06/09/syscalls-2.html}, language = {English}, urldate = {2023-06-22} } @online{cocomelonc:20230615:malware:c399e93, author = {cocomelonc}, title = {{Malware analysis report: Babuk ransomware}}, date = {2023-06-15}, organization = {Github (cocomelonc)}, url = {https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html}, language = {English}, urldate = {2023-06-22} } @online{cocomelonc:20230619:malware:cddf668, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example.}}, date = {2023-06-19}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html}, language = {English}, urldate = {2023-06-22} } @online{cocomelonc:20230623:malware:a6cd3d8, author = {cocomelonc}, title = {{Malware source code investigation: Paradise Ransomware}}, date = {2023-06-23}, organization = {MSSP Lab}, url = {https://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html}, language = {English}, urldate = {2023-06-26} } @online{cocomelonc:20230626:malware:8c17615, author = {cocomelonc}, title = {{Malware AV/VM evasion - part 18: encrypt/decrypt payload via modular multiplication-based block cipher. Simple C++ example.}}, date = {2023-06-26}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/malware/2023/06/26/malware-av-evasion-18.html}, language = {English}, urldate = {2023-07-05} } @online{cocomelonc:20230707:malware:01cfaa2, author = {cocomelonc}, title = {{Malware development trick - part 34: Find PID via WTSEnumerateProcesses. Simple C++ example.}}, date = {2023-07-07}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/malware/2023/07/07/malware-tricks-34.html}, language = {English}, urldate = {2023-07-10} } @online{cocomelonc:20230713:malware:3f2bf4a, author = {cocomelonc}, title = {{Malware analysis report: BlackCat ransomware}}, date = {2023-07-13}, organization = {MSSP Lab}, url = {https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html}, language = {English}, urldate = {2023-07-17} } @online{cocomelonc:20230715:malware:8986fa9, author = {cocomelonc}, title = {{Malware source code investigation: BlackLotus - part 1}}, date = {2023-07-15}, organization = {MSSP Lab}, url = {https://mssplab.github.io/threat-hunting/2023/07/15/malware-src-blacklotus.html}, language = {English}, urldate = {2023-07-17} } @online{cocomelonc:20230716:malware:d7e4f1a, author = {cocomelonc}, title = {{Malware development: persistence - part 22. Windows Setup. Simple C++ example.}}, date = {2023-07-16}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/persistence/2023/07/16/malware-pers-22.html}, language = {English}, urldate = {2023-07-28} } @online{cocomelonc:20230726:malware:44a5642, author = {cocomelonc}, title = {{Malware development trick - part 35: Store payload in alternate data streams. Simple C++ example.}}, date = {2023-07-26}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html}, language = {English}, urldate = {2023-07-28} } @online{cocomelonc:20230813:malware:1f15d71, author = {cocomelonc}, title = {{Malware and cryptography 1: encrypt/decrypt payload via RC5. Simple C++ example.}}, date = {2023-08-13}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/malware/2023/08/13/malware-cryptography-1.html}, language = {English}, urldate = {2023-08-31} } @online{cocomelonc:20230828:malware:860380d, author = {cocomelonc}, title = {{Malware and cryptography 20: encrypt/decrypt payload via Skipjack. Simple C++ example.}}, date = {2023-08-28}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/malware/2023/08/28/malware-cryptography-20.html}, language = {English}, urldate = {2023-08-31} } @online{cocomelonc:20230925:malware:536902a, author = {cocomelonc}, title = {{Malware development trick - part 36: Enumerate process modules. Simple C++ example.}}, date = {2023-09-25}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html}, language = {English}, urldate = {2023-09-29} } @online{cocomelonc:20231020:malware:51c7ef1, author = {cocomelonc}, title = {{Malware and cryptography 21: encrypt/decrypt payload via WAKE. Simple C++ example.}}, date = {2023-10-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/10/20/malware-cryptography-21.html}, language = {English}, urldate = {2023-12-27} } @online{cocomelonc:20231107:malware:c8124b9, author = {cocomelonc}, title = {{Malware development trick - part 37: Enumerate process modules via VirtualQueryEx. Simple C++ example.}}, date = {2023-11-07}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/11/07/malware-trick-37.html}, language = {English}, urldate = {2023-12-27} } @online{cocomelonc:20231123:malware:4ccb427, author = {cocomelonc}, title = {{Malware and cryptography 22: encrypt/decrypt payload via XTEA. Simple C++ example.}}, date = {2023-11-23}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/11/23/malware-cryptography-22.html}, language = {English}, urldate = {2023-12-27} } @online{cocomelonc:20231210:malware:62fabcf, author = {cocomelonc}, title = {{Malware development: persistence - part 23. LNK files. Simple Powershell example.}}, date = {2023-12-10}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html}, language = {English}, urldate = {2023-12-27} } @online{cocomelonc:20231213:malware:bd24c34, author = {cocomelonc}, title = {{Malware in the wild book}}, date = {2023-12-13}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/book/2023/12/13/malwild-book.html}, language = {English}, urldate = {2023-12-27} } @online{cocomelonc:20240601:malware:9565004, author = {cocomelonc}, title = {{Malware and cryptography 28: RC4 payload encryption. Simple Nim example.}}, date = {2024-06-01}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/06/01/malware-cryptography-28.html}, language = {English}, urldate = {2024-08-01} } @online{cocomelonc:20240612:malware:3e47630, author = {cocomelonc}, title = {{Malware development trick 39: Run payload via EnumDesktopsA. Simple Nim example.}}, date = {2024-06-12}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/06/12/malware-trick-39.html}, language = {English}, urldate = {2024-08-01} } @online{cocomelonc:20240616:malware:967fc38, author = {cocomelonc}, title = {{Malware development trick 40: Stealing data via legit Telegram API. Simple C example.}}, date = {2024-06-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/06/16/malware-trick-40.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20240620:linux:a1444ab, author = {cocomelonc}, title = {{Linux malware development 1: Intro to kernel hacking. Simple C example.}}, date = {2024-06-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/linux/2024/06/20/linux-kernel-hacking-1.html}, language = {English}, urldate = {2024-08-01} } @online{cocomelonc:20240625:malware:7f64c81, author = {cocomelonc}, title = {{Malware development trick 41: Stealing data via legit VirusTotal API. Simple C example.}}, date = {2024-06-25}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/06/25/malware-trick-41.html}, language = {English}, urldate = {2024-08-01} } @online{cocomelonc:20240628:malware:9ad37ea, author = {cocomelonc}, title = {{Malware development trick 42: Stealing data via legit Discord Bot API. Simple C example.}}, date = {2024-06-28}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/06/28/malware-trick-42.html}, language = {English}, urldate = {2024-07-22} } @online{cocomelonc:20240713:malware:1bc8bc8, author = {cocomelonc}, title = {{Malware development: persistence - part 25. Create symlink from legit to evil. Simple C example.}}, date = {2024-07-13}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2024/07/13/malware-pers-25.html}, language = {English}, urldate = {2024-07-22} } @online{cocomelonc:20240716:malware:c6b4e71, author = {cocomelonc}, title = {{Malware and cryptography 29: LOKI payload encryption. Simple C example.}}, date = {2024-07-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/07/16/malware-cryptography-29.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20240721:malware:94bdabc, author = {cocomelonc}, title = {{Malware and cryptography 30: Khufu payload encryption. Simple C example.}}, date = {2024-07-21}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/07/21/malware-cryptography-30.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20240729:malware:f066b64, author = {cocomelonc}, title = {{Malware and cryptography 31: CAST-128 payload encryption. Simple C example.}}, date = {2024-07-29}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/07/29/malware-cryptography-31.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20240814:malware:6a04c39, author = {cocomelonc}, title = {{Malware development: persistence - part 26. Microsoft Edge - part 1. Simple C example.}}, date = {2024-08-14}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2024/08/14/malware-pers-26.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20240912:malware:37b9ed7, author = {cocomelonc}, title = {{Malware and cryptography 32: encrypt payload via FEAL-8 algorithm. Simple C example.}}, date = {2024-09-12}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/09/12/malware-cryptography-32.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20240930:malware:640505a, author = {cocomelonc}, title = {{Malware development trick 43: Shuffle malicious payload. Simple C example.}}, date = {2024-09-30}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/09/30/malware-trick-43.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20241020:malware:613bcc1, author = {cocomelonc}, title = {{Malware and cryptography 33: encrypt payload via Lucifer algorithm. Simple C example.}}, date = {2024-10-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/10/20/malware-cryptography-33.html}, language = {English}, urldate = {2024-11-07} } @online{cocomelonc:20241110:malware:82ccce1, author = {cocomelonc}, title = {{Malware and cryptography 34: encrypt payload via DFC algorithm. Simple C example.}}, date = {2024-11-10}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/11/10/malware-cryptography-34.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20241122:linux:49f9e8e, author = {cocomelonc}, title = {{Linux malware development 3: linux process injection with ptrace. Simple C example.}}, date = {2024-11-22}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/linux/2024/11/22/linux-hacking-3.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20241130:malware:f9a5ccf, author = {cocomelonc}, title = {{Malware and cryptography 35: encrypt payload via Treyfer algorithm. Simple C example.}}, date = {2024-11-30}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/11/30/malware-cryptography-35.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20241216:malware:603d2d4, author = {cocomelonc}, title = {{Malware and cryptography 37 - Nonlinearity. Walsh Transform. Simple C example.}}, date = {2024-12-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/12/16/malware-cryptography-37.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20241216:malware:93ddcb2, author = {cocomelonc}, title = {{Malware and cryptography 36 - random sbox generation algorithms: Fisher-Yates shuffle. Simple C example.}}, date = {2024-12-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/12/16/malware-cryptography-36.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20241229:malware:634683f, author = {cocomelonc}, title = {{Malware and cryptography 38 - Encrypt/decrypt payload via Camellia cipher. S-box analyses examples. Simple C example.}}, date = {2024-12-29}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2024/12/29/malware-cryptography-38.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20250116:malware:152e6f5, author = {cocomelonc}, title = {{Malware and cryptography 39 - encrypt/decrypt payload via DES-like cipher. Simple C example.}}, date = {2025-01-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/01/16/malware-cryptography-39.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20250119:malware:965af92, author = {cocomelonc}, title = {{Malware development trick 44: Stealing data via legit GitHub API. Simple C example.}}, date = {2025-01-19}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/01/19/malware-tricks-44.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20250224:malware:f6662bc, author = {cocomelonc}, title = {{Malware development trick 45: hiding and extracting payload in PNGs (with cats). Simple C example.}}, date = {2025-02-24}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/02/24/malware-tricks-45.html}, language = {English}, urldate = {2025-02-28} } @online{cocomelonc:20250312:malware:b73672e, author = {cocomelonc}, title = {{Malware development: persistence - part 27. Scheduled Tasks. Simple C example.}}, date = {2025-03-12}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2025/03/12/malware-pers-27.html}, language = {English}, urldate = {2025-06-25} } @online{cocomelonc:20250319:md:4af2114, author = {cocomelonc}, title = {{MD MZ Book: Russian translation}}, date = {2025-03-19}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/book/2025/03/19/book-publication-ru.html}, language = {English}, urldate = {2025-06-25} } @online{cocomelonc:20250402:malware:b1106b8, author = {cocomelonc}, title = {{Malware and cryptography 40 - encrypt/decrypt payload via RC5. Simple Nim example.}}, date = {2025-04-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/04/02/malware-cryptography-40.html}, language = {English}, urldate = {2025-06-25} } @online{cocomelonc:20250410:malware:7420df0, author = {cocomelonc}, title = {{Malware and cryptography 41 - encrypt/decrypt payload via TEA. Simple Nim example.}}, date = {2025-04-10}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/04/10/malware-cryptography-41.html}, language = {English}, urldate = {2025-06-25} } @online{cocomelonc:20250501:malware:2e3f2ec, author = {cocomelonc}, title = {{Malware development trick 46: simple Windows keylogger. Simple C example.}}, date = {2025-05-01}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/05/01/malware-tricks-46.html}, language = {English}, urldate = {2025-06-20} } @online{cocomelonc:20250510:malware:373b2b3, author = {cocomelonc}, title = {{Malware development trick 47: simple Windows clipboard hijacking. Simple C example.}}, date = {2025-05-10}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html}, language = {English}, urldate = {2025-06-20} } @online{cocomelonc:20250519:aiya:808f6a8, author = {cocomelonc}, title = {{AIYA - Mobile malware development book. First edition}}, date = {2025-05-19}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html}, language = {English}, urldate = {2025-06-20} } @online{cocomelonc:20250529:malware:bd6870a, author = {cocomelonc}, title = {{Malware and cryptography 42 - encrypt/decrypt payload via Speck cipher. Simple C example.}}, date = {2025-05-29}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2025/05/29/malware-cryptography-42.html}, language = {English}, urldate = {2025-06-20} } @online{cocomelonc:20250603:linux:f3eafd5, author = {cocomelonc}, title = {{Linux hacking part 5: building a Linux keylogger. Simple C example}}, date = {2025-06-03}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/linux/2025/06/03/linux-hacking-5.html}, language = {English}, urldate = {2025-06-20} } @online{cocomelonc:20250612:macos:d0d1030, author = {cocomelonc}, title = {{MacOS hacking part 1: stealing data via legit Telegram API. Simple C example}}, date = {2025-06-12}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/macos/2025/06/12/malware-mac-1.html}, language = {English}, urldate = {2025-06-20} } @online{cocomelonc:20250619:macos:ddc8665, author = {cocomelonc}, title = {{MacOS hacking part 2: classic injection trick into macOS applications. Simple C example}}, date = {2025-06-19}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/macos/2025/06/19/malware-mac-2.html}, language = {English}, urldate = {2025-06-20} } @online{cocomelonc:20250623:linux:b07a337, author = {cocomelonc}, title = {{Linux hacking part 6: Linux kernel module with params. Simple C example}}, date = {2025-06-23}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/linux/2025/06/23/linux-hacking-6.html}, language = {English}, urldate = {2025-06-25} } @online{codeandsec:20141002:finfisher:3b1d9c1, author = {CodeAndSec}, title = {{FinFisher Malware Analysis - Part 2}}, date = {2014-10-02}, organization = {CodeAndSec}, url = {https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2}, language = {English}, urldate = {2020-03-19} } @online{codercto:20181220:analysis:60da1aa, author = {Codercto}, title = {{Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies}}, date = {2018-12-20}, organization = {Codercto}, url = {https://www.codercto.com/a/46729.html}, language = {Chinese}, urldate = {2020-01-07} } @online{coding:20140801:soraya:4e51b2f, author = {Coding and Security}, title = {{Soraya Malware Analysis - Dropper}}, date = {2014-08-01}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper}, language = {English}, urldate = {2020-01-09} } @online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } @online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } @online{cofense:20170323:tales:cbdee9a, author = {Cofense}, title = {{Tales from the Trenches: Loki Bot Malware}}, date = {2017-03-23}, organization = {Cofense}, url = {https://phishme.com/loki-bot-malware/}, language = {English}, urldate = {2019-12-02} } @online{cofense:20190121:kutaki:3bff835, author = {Cofense}, title = {{The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials}}, date = {2019-01-21}, organization = {Cofense}, url = {https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/}, language = {English}, urldate = {2020-01-06} } @online{cofense:20201029:online:867b653, author = {Cofense}, title = {{Online Leader Invites You to This Webex Phish}}, date = {2020-10-29}, organization = {Cofense}, url = {https://cofense.com/online-leader-invites-you-to-this-webex-phish/}, language = {English}, urldate = {2020-11-02} } @online{cofense:20211021:missed:0f171ba, author = {Cofense}, title = {{“Missed Voice Message,” the Latest Phishing Lure}}, date = {2021-10-21}, organization = {Cofense}, url = {https://cofense.com/blog/missed-voice-message-phish/}, language = {English}, urldate = {2021-10-26} } @online{cofense:20230307:emotet:daf5b46, author = {Cofense}, title = {{Emotet Sending Malicious Emails After Three-Month Hiatus}}, date = {2023-03-07}, organization = {Cofense}, url = {https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/}, language = {English}, urldate = {2023-03-13} } @online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } @techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } @online{cohen:20180521:decrypting:37d595c, author = {Itay Cohen}, title = {{Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1}}, date = {2018-05-21}, organization = {MegaBeets}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/}, language = {English}, urldate = {2019-07-10} } @online{cohen:20180629:backswap:1605a3d, author = {Ruby Cohen and Doron Voolf}, title = {{BackSwap Defrauds Online Banking Customers Using Hidden Input Fields}}, date = {2018-06-29}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi}, language = {English}, urldate = {2020-01-10} } @online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } @online{cohen:20181130:evolution:045e447, author = {Itay Cohen}, title = {{The Evolution of BackSwap}}, date = {2018-11-30}, organization = {Check Point}, url = {https://research.checkpoint.com/the-evolution-of-backswap/}, language = {English}, urldate = {2020-01-10} } @online{cohen:20190117:qealler:3db4f96, author = {David Cohen}, title = {{Qealler — The Silent Java Credential Thief}}, date = {2019-01-17}, organization = {CyberArk}, url = {https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/}, language = {English}, urldate = {2020-05-18} } @online{cohen:20190424:deobfuscating:581c86e, author = {Itay Cohen}, title = {{Deobfuscating APT32 Flow Graphs with Cutter and Radare2}}, date = {2019-04-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/}, language = {English}, urldate = {2020-05-06} } @techreport{cohen:20200224:analyzing:57cc981, author = {Ben Cohen}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2021-04-29} } @online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } @online{cohen:20201002:graphology:af4c7bd, author = {Itay Cohen and Eyal Itkin}, title = {{Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints}}, date = {2020-10-02}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/}, language = {English}, urldate = {2020-10-06} } @online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } @online{cohen:20201125:csp:1b9a48e, author = {Idan Cohen}, title = {{CSP, the Right Solution for the Web-Skimming Pandemic?}}, date = {2020-11-25}, organization = {Reflectiz}, url = {https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218}, language = {English}, urldate = {2021-01-29} } @online{cohen:20201217:sunburst:7931c48, author = {Itay Cohen}, title = {{Tweet on SUNBURST malware discussing some of its evasion techniques}}, date = {2020-12-17}, organization = {Twitter (@megabeets_)}, url = {https://twitter.com/megabeets_/status/1339308801112027138}, language = {English}, urldate = {2020-12-18} } @online{cohen:20210107:meet:9fbcca8, author = {Ben Cohen}, title = {{Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer}}, date = {2021-01-07}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer}, language = {English}, urldate = {2021-01-11} } @online{cohen:20210629:guloaders:a569974, author = {Hido Cohen}, title = {{GuLoader’s Anti-Analysis Techniques}}, date = {2021-06-29}, organization = {Medium hidocohen}, url = {https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195}, language = {English}, urldate = {2021-07-20} } @online{cohen:20210719:fickerstealer:6d57700, author = {Ben Cohen}, title = {{FickerStealer: A New Rust Player in the Market}}, date = {2021-07-19}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market}, language = {English}, urldate = {2021-07-26} } @online{cohen:20211028:decaf:d22e18a, author = {Hido Cohen and Michael Dereviashkin}, title = {{DECAF Ransomware: A New Golang Threat Makes Its Appearance}}, date = {2021-10-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance}, language = {English}, urldate = {2021-11-03} } @online{cohen:20211123:babadeda:ae0d0ac, author = {Hido Cohen and Arnold Osipov}, title = {{Babadeda Crypter targeting crypto, NFT, and DeFi communities}}, date = {2021-11-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities}, language = {English}, urldate = {2021-12-22} } @online{cohen:20211201:smishing:3fa90c0, author = {Shmuel Cohen}, title = {{Smishing Botnets Going Viral in Iran}}, date = {2021-12-01}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/smishing-botnets-going-viral-in-iran/}, language = {English}, urldate = {2021-12-06} } @online{cohen:20220105:can:6a1ef46, author = {Golan Cohen}, title = {{Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk}}, date = {2022-01-05}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/}, language = {English}, urldate = {2022-01-18} } @techreport{cohen:20220214:journey:6c209dc, author = {Hido Cohen and Arnold Osipov}, title = {{Journey of a Crypto Scammer - NFT-001}}, date = {2022-02-14}, institution = {Morphisec}, url = {https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf}, language = {English}, urldate = {2022-02-19} } @online{cohen:20220323:new:7356088, author = {Hido Cohen}, title = {{New JSSLoader Trojan Delivered Through XLL Files}}, date = {2022-03-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files}, language = {English}, urldate = {2022-03-25} } @online{cohen:20220330:new:b2abe2b, author = {Hido Cohen}, title = {{New Wave Of Remcos RAT Phishing Campaign}}, date = {2022-03-30}, organization = {Morphisec}, url = {https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain}, language = {English}, urldate = {2022-03-31} } @online{cohen:20220408:new:6c99a64, author = {Shimi Cohen and Inbal Shalev and Irena Damsky}, title = {{New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns}}, date = {2022-04-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/solarmarker-malware/}, language = {English}, urldate = {2022-04-14} } @online{cohen:20220512:new:6e12278, author = {Hido Cohen}, title = {{New SYK Crypter Distributed Via Discord}}, date = {2022-05-12}, organization = {Morphisec}, url = {https://blog.morphisec.com/syk-crypter-discord}, language = {English}, urldate = {2022-06-09} } @online{cohen:20220627:inside:ecbcb47, author = {Ben Cohen and The CyberArk Malware Research Team}, title = {{Inside Matanbuchus: A Quirky Loader}}, date = {2022-06-27}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/all-blog-posts/inside-matanbuchus-a-quirky-loader}, language = {English}, urldate = {2024-03-12} } @online{cohen:20220811:aptc35:bc731cd, author = {Hido Cohen and Arnold Osipov}, title = {{APT-C-35 GETS A NEW UPGRADE}}, date = {2022-08-11}, organization = {Morphisec}, url = {https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed}, language = {English}, urldate = {2023-07-24} } @online{cohen:20230302:redirection:99da152, author = {Amitai Cohen and Barak Sharoni}, title = {{Redirection Roulette: Thousands of hijacked websites in East Asia redirecting visitors to other sites}}, date = {2023-03-02}, organization = {Wiz.io}, url = {https://www.wiz.io/blog/redirection-roulette}, language = {English}, urldate = {2023-03-13} } @online{cohen:20230516:dragon:a2ec63b, author = {Itay Cohen and Radoslaw Madej}, title = {{The Dragon Who Sold his Camaro: Analyzing a Custom Router Implant}}, date = {2023-05-16}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/}, language = {English}, urldate = {2023-06-01} } @online{cohen:20230905:chae:28110b7, author = {Hido Cohen and Arnold Osipov}, title = {{Chae$ 4: New Chaes Malware Variant Targeting Financial and Logistics Customers}}, date = {2023-09-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers}, language = {English}, urldate = {2023-09-06} } @online{cohen:20250227:modern:09664ee, author = {Itay Cohen}, title = {{Modern Approach to Attributing Hacktivist Groups}}, date = {2025-02-27}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2025/modern-approach-to-attributing-hacktivist-groups/}, language = {English}, urldate = {2025-02-28} } @online{coldshell:20180828:walk:fb8dcc6, author = {Coldshell}, title = {{A walk through the AcridRain Stealer}}, date = {2018-08-28}, organization = {This is Security}, url = {https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/}, language = {English}, urldate = {2020-01-07} } @online{coldshell:20190118:nymaim:1d2e6f9, author = {Coldshell}, title = {{Nymaim deobfuscation}}, date = {2019-01-18}, organization = {Github (coldshell)}, url = {https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim}, language = {English}, urldate = {2020-01-10} } @online{coldwind:20240330:xzliblzma:9a42c25, author = {Gynvael Coldwind}, title = {{xz/liblzma: Bash-stage Obfuscation Explained}}, date = {2024-03-30}, organization = {Gynvael.Coldwind//vx.log}, url = {https://gynvael.coldwind.pl/?lang=en&id=782}, language = {English}, urldate = {2024-04-02} } @online{cole:20200205:stomp:77ecf4b, author = {Rick Cole and Andrew Moore and Genevieve Stark and Blaine Stancill}, title = {{STOMP 2 DIS: Brilliance in the (Visual) Basics}}, date = {2020-02-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html}, language = {English}, urldate = {2020-02-09} } @online{colin:20210902:confluence:5bbf2cb, author = {Colin and GaborSzappanos}, title = {{Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)}}, date = {2021-09-02}, organization = {Twitter (@th3_protoCOL)}, url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20}, language = {English}, urldate = {2021-09-06} } @online{columbia:20241003:civil:f1d5666, author = {US Court for the District of Columbia}, title = {{Civil Action No. 1:24-cv-02719-RC: Microsoft vs. Star Blizzard}}, date = {2024-10-03}, organization = {US Court for the District of Columbia}, url = {https://www.noticeofpleadings.com/starblizzard/}, language = {English}, urldate = {2024-11-25} } @online{command:20220112:iranian:52c412c, author = {U.S. Cyber Command}, title = {{Iranian intel cyber suite of malware uses open source tools}}, date = {2022-01-12}, organization = {U.S. Cyber Command}, url = {https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/}, language = {English}, urldate = {2022-01-25} } @techreport{commission:20211111:data:a5eddd6, author = {Federal Trade Commission}, title = {{Data Breach Response}}, date = {2021-11-11}, institution = {Federal Trade Commission}, url = {https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business-042519-508.pdf}, language = {English}, urldate = {2021-11-17} } @online{committee:20210226:weathering:6dfb09f, author = {Oversight Committee}, title = {{Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign}}, date = {2021-02-26}, organization = {YouTube (Oversight Committee)}, url = {https://www.youtube.com/watch?v=dV2QTLSecpc}, language = {English}, urldate = {2021-03-25} } @online{community:20210616:emotet:7e0fafe, author = {CSIRT-CV (the ICT Security Center of the Valencian Community)}, title = {{Emotet campaign analysis}}, date = {2021-06-16}, organization = {S2 Grupo}, url = {https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/}, language = {Spanish}, urldate = {2021-06-21} } @online{comodo:20201103:versions:1db9572, author = {Comodo}, title = {{Versions of PsiXBot}}, date = {2020-11-03}, organization = {Comodo}, url = {https://blog.comodo.com/comodo-news/versions-of-psixbot/}, language = {English}, urldate = {2022-11-28} } @online{conant:20180207:rat:5f1eba8, author = {Simon Conant}, title = {{RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/}, language = {English}, urldate = {2019-12-20} } @online{condon:20210311:2020:3380372, author = {Caitlin Condon and Spencer McIntyre and William Vu}, title = {{2020 Vulnerability Intelligence Report}}, date = {2021-03-11}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/research/report/vulnerability-intelligence-report/}, language = {English}, urldate = {2021-03-12} } @online{condon:20230707:exploitation:1930f05, author = {Caitlin Condon}, title = {{Exploitation of Mitel MiVoice Connect SA CVE-2022-29499}}, date = {2023-07-07}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/}, language = {English}, urldate = {2023-08-01} } @techreport{condor:20201028:decade:b8d7422, author = {Ruben Andrei Condor}, title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}}, date = {2020-10-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-11-02} } @online{confiantintel:20210119:wizardupdate:9b651d0, author = {ConfiantIntel}, title = {{Tweet on WizardUpdate macOS backdoor}}, date = {2021-01-19}, organization = {Twitter (@ConfiantIntel)}, url = {https://twitter.com/ConfiantIntel/status/1351559054565535745}, language = {English}, urldate = {2021-02-06} } @online{confiantintel:20210514:osxbundlore:118ec5b, author = {ConfiantIntel}, title = {{Tweet on OSX/Bundlore Loader compiled for ARM}}, date = {2021-05-14}, organization = {Twitter (@ConfiantIntel)}, url = {https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20}, language = {English}, urldate = {2021-05-17} } @online{connoisseur:20250421:public:1848c1c, author = {Cookie Connoisseur}, title = {{Tweet on public Google Drive potentially connected to DPRK activity.}}, date = {2025-04-21}, organization = {Twitter (@browsercookies)}, url = {https://x.com/browsercookies/status/1914432957898793426}, language = {English}, urldate = {2025-04-28} } @online{conrad:20220223:ransomware:9d2ec37, author = {Senan Conrad}, title = {{Ransomware Profile: ALPHV}}, date = {2022-02-23}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/}, language = {English}, urldate = {2022-03-01} } @online{constantin:20210830:lockfile:f792736, author = {Lucian Constantin}, title = {{LockFile ransomware uses intermittent encryption to evade detection}}, date = {2021-08-30}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html}, language = {English}, urldate = {2021-08-31} } @online{constantinescu:20220322:bitrat:03c1c4c, author = {Vlad Constantinescu}, title = {{BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators}}, date = {2022-03-22}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/}, language = {English}, urldate = {2022-06-09} } @techreport{consulting:20201020:incident:275ade2, author = {F-Secure Consulting}, title = {{Incident Readiness: Preparing a proactive response to attacks}}, date = {2020-10-20}, institution = {F-Secure}, url = {https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf}, language = {English}, urldate = {2020-10-23} } @online{consulting:20210208:national:25bf467, author = {Arsenal Consulting}, title = {{National Investigation Agency VS Sudhir Pralhad Dhawale & others Report 1}}, date = {2021-02-08}, organization = {Arsenal Consulting}, url = {https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.}, language = {English}, urldate = {2021-02-25} } @online{contextis:20191003:avivore:6fd6aef, author = {Contextis}, title = {{AVIVORE – Hunting Global Aerospace through the Supply Chain}}, date = {2019-10-03}, organization = {Contextis}, url = {https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore}, language = {English}, urldate = {2023-10-05} } @online{contextis:20191003:context:9845673, author = {Contextis}, title = {{Context Identifies new AVIVORE threat group}}, date = {2019-10-03}, organization = {Contextis}, url = {https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group}, language = {English}, urldate = {2022-04-05} } @techreport{contextis:20191022:avivore:421fc23, author = {Contextis}, title = {{AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)}}, date = {2019-10-22}, institution = {Contextis}, url = {https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf}, language = {English}, urldate = {2023-01-19} } @online{contextis:20200131:new:74e3724, author = {Contextis}, title = {{New AVIVORE threat group – how they operate and managing the risk}}, date = {2020-01-31}, organization = {YouTube (Context Information Security)}, url = {https://www.youtube.com/watch?v=C_TmANnbS2k}, language = {English}, urldate = {2022-04-13} } @online{contileaks:20220301:emotet:b68be9c, author = {ContiLeaks}, title = {{Tweet on Emotet final server scheme}}, date = {2022-03-01}, organization = {Twitter (@ContiLeaks)}, url = {https://twitter.com/ContiLeaks/status/1498614197202079745}, language = {English}, urldate = {2022-03-02} } @online{conwell:20210714:domain:c0fbbdd, author = {John “Turbo” Conwell}, title = {{Domain Blooms: Identifying Domain Name Themes Targeted By Threat Actors}}, date = {2021-07-14}, organization = {Medium TowardsDataScience}, url = {https://towardsdatascience.com/domain-blooms-identifying-domain-name-themes-targeted-by-threat-actors-70942fe506d4}, language = {English}, urldate = {2021-07-20} } @online{coogan:20100204:spyeye:5c54efe, author = {Peter Coogan}, title = {{SpyEye Bot versus Zeus Bot}}, date = {2010-02-04}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot}, language = {English}, urldate = {2020-01-06} } @online{coogan:20100426:spyeyes:fb53c77, author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } @online{cook:20210518:encounter:c4ef6d9, author = {Andrew Cook}, title = {{An Encounter With TA551/Shathak}}, date = {2021-05-18}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/an-encounter-with-ta551-shathak}, language = {English}, urldate = {2021-05-25} } @online{cook:20210621:encounter:a6f5f76, author = {Andrew Cook}, title = {{An Encounter With Ransomware-as-a-Service: MEGAsync Analysis}}, date = {2021-06-21}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/megasync-analysis/}, language = {English}, urldate = {2021-06-22} } @online{corbridge:20230417:butting:3254130, author = {max corbridge}, title = {{Butting Heads with a Threat Actor on an Engagement}}, date = {2023-04-17}, organization = {JUMPSEC LABS}, url = {https://labs.jumpsec.com/butting-heads-with-a-threat-actor-on-an-engagement/}, language = {English}, urldate = {2023-04-22} } @online{corera:20161010:how:29d38b3, author = {Gordon Corera}, title = {{How France's TV5 was almost destroyed by 'Russian hackers'}}, date = {2016-10-10}, organization = {BBC}, url = {https://www.bbc.com/news/technology-37590375}, language = {English}, urldate = {2020-01-09} } @online{corfield:20191111:if:426203c, author = {Gareth Corfield}, title = {{If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware}}, date = {2019-11-11}, organization = {The Register}, url = {https://www.theregister.com/2019/11/11/dharma_decryption_promises_data_recovery/}, language = {English}, urldate = {2023-08-07} } @online{corltescu:20240606:embersim:3d36f3d, author = {Dragoș Corlătescu and Alexandru Dinu and Mihaela Găman and Paul Sumedrea}, title = {{EMBERSim: A Large-Scale Databank for Boosting Similarity Search in Malware Analysis}}, date = {2024-06-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/embersim-large-databank-for-similarity-research-in-cybersecurity/}, language = {English}, urldate = {2024-06-28} } @online{cornateanu:20200303:extracting:a48a754, author = {Ryan Cornateanu}, title = {{Extracting Embedded Payloads From Malware}}, date = {2020-03-03}, url = {https://medium.com/@ryancor/extracting-embedded-payloads-from-malware-aaca8e9aa1a9}, language = {English}, urldate = {2020-03-04} } @online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } @online{cornateanu:20210927:deobfuscating:bfa117a, author = {Ryan Cornateanu}, title = {{Deobfuscating PowerShell Malware Droppers}}, date = {2021-09-27}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d}, language = {English}, urldate = {2021-11-25} } @online{corona:20230515:botnet:c0a26f7, author = {Gerardo Corona and Julio Vidal}, title = {{Botnet Fenix: New botnet going after tax payers in Mexico and Chile}}, date = {2023-05-15}, organization = {Metabase Q}, url = {https://www.metabaseq.com/threat/fenix-botnet/}, language = {English}, urldate = {2024-10-17} } @online{corp:20200416:taiwan:3029f53, author = {CyCraft Technology Corp}, title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}}, date = {2020-04-16}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730}, language = {English}, urldate = {2020-11-04} } @online{corp:20201008:taiwan:3a6afa1, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 1: Waterbear Malware}}, date = {2020-10-08}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-1980acde92b0}, language = {English}, urldate = {2020-10-23} } @online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } @online{corp:20210126:threat:e637761, author = {CyCraft Technology Corp}, title = {{Threat Attribution — Chimera "Under the Radar"}}, date = {2021-01-26}, organization = {Medium cycrafttechnology}, url = {https://cycrafttechnology.medium.com/threat-attribution-chimera-under-the-radar-7c4cce390efd}, language = {English}, urldate = {2021-01-29} } @online{corp:20210602:chinalinked:487955f, author = {CyCraft Technology Corp}, title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}}, date = {2021-06-02}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5}, language = {English}, urldate = {2021-06-09} } @online{corp:20210713:prometheus:bd4e53b, author = {CyCraft Technology Corp}, title = {{Prometheus Ransomware Decryptor}}, date = {2021-07-13}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea}, language = {English}, urldate = {2021-08-02} } @online{corp:20220222:china:76aa7e8, author = {CyCraft Technology Corp}, title = {{China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector}}, date = {2022-02-22}, url = {https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525}, language = {English}, urldate = {2022-02-26} } @techreport{corporation:20220929:report:1615dab, author = {NTT Security Holdings Corporation}, title = {{Report on APT Attacks by BlackTech}}, date = {2022-09-29}, institution = {NTT}, url = {https://jp.security.ntt/resources/EN-BlackTech_2021.pdf}, language = {English}, urldate = {2022-09-30} } @online{corrons:20230315:abusing:1614c8b, author = {LUIS CORRONS}, title = {{(Ab)using Adobe Acrobat Sign to distribute malware}}, date = {2023-03-15}, organization = {Avast}, url = {https://blog.avast.com/adobe-acrobat-sign-malware}, language = {English}, urldate = {2023-03-21} } @online{cortes:20171005:freemilk:1c7eb5d, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2020-01-08} } @online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } @online{cortes:20211216:global:815f2b2, author = {Santiago Cortes}, title = {{Global outbreak of Log4Shell}}, date = {2021-12-16}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/global-outbreak-of-log4shell}, language = {English}, urldate = {2022-01-05} } @online{corvid:20211103:unique:3709f32, author = {CORVID}, title = {{Tweet on a unique Qbot debugger dropped by an actor after compromise}}, date = {2021-11-03}, organization = {Twitter (@Corvid_Cyber)}, url = {https://twitter.com/Corvid_Cyber/status/1455844008081641472}, language = {English}, urldate = {2021-11-08} } @online{cosovan:20171005:linking:94620a3, author = {Doina Cosovan and Catalin Valeriu Lita}, title = {{Linking Xpaj and Nymaim}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/linking-xpaj-and-nymaim}, language = {English}, urldate = {2023-08-03} } @online{costa:20220621:avos:b60a2ad, author = {Flavio Costa and Chris Neal and Guilherme Venere}, title = {{Avos ransomware group expands with new attack arsenal}}, date = {2022-06-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html}, language = {English}, urldate = {2022-06-22} } @online{costis:20200724:tau:2730a2c, author = {Andrew Costis}, title = {{TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves}}, date = {2020-07-24}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/}, language = {English}, urldate = {2020-08-05} } @online{couchard:20200925:catching:f381664, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part One}}, date = {2020-09-25}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic}, language = {English}, urldate = {2020-10-05} } @online{couchard:20201023:catching:5788228, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two}}, date = {2020-10-23}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two}, language = {English}, urldate = {2020-10-26} } @techreport{council:20210316:foreign:99ae81b, author = {National Intelligence Council}, title = {{Foreign Threats to the 2020 US Federal Elections}}, date = {2021-03-16}, institution = {National Intelligence Council}, url = {https://assets.documentcloud.org/documents/20515476/ica-declass-16mar2129.pdf}, language = {English}, urldate = {2021-03-19} } @techreport{council:20210408:global:e8df52b, author = {National Intelligence Council}, title = {{Global Trends 2040: A more Contested World}}, date = {2021-04-08}, institution = {National Intelligence Council}, url = {https://www.dni.gov/files/ODNI/documents/assessments/GlobalTrends_2040.pdf}, language = {English}, urldate = {2021-04-16} } @techreport{council:20210409:annual:c2fd7a5, author = {National Intelligence Council}, title = {{Annual Threat Assessment of the US Intelligence Community}}, date = {2021-04-09}, institution = {National Intelligence Council}, url = {https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf}, language = {English}, urldate = {2021-04-14} } @online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } @online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } @online{coveware:20220127:ransomware:165f513, author = {CoveWare}, title = {{Ransomware as a Service Innovation Curve}}, date = {2022-01-27}, url = {https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve}, language = {English}, urldate = {2022-02-14} } @online{cowie:20220119:zloader:e87c22c, author = {Colin Cowie and Mat Gangwer and Stan Andic and Sophos MTR Team}, title = {{Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike}}, date = {2022-01-19}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/}, language = {English}, urldate = {2022-01-25} } @online{cowie:20220425:choziosi:d3c9063, author = {Colin Cowie}, title = {{Choziosi Loader: Multi-platform campaign delivering browser extension malware}}, date = {2022-04-25}, organization = {th3protocol blog}, url = {https://www.th3protocol.com/2022/Choziosi-Loader}, language = {English}, urldate = {2022-05-05} } @online{cowie:20220720:ooda:6c453ab, author = {Colin Cowie and Gabor Szappanos}, title = {{OODA: X-Ops Takes On Burgeoning SQL Server Attacks}}, date = {2022-07-20}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/}, language = {English}, urldate = {2023-05-30} } @techreport{cowie:20230421:icedid:506b299, author = {Colin Cowie and Paul Jaramillo}, title = {{IcedID: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure}}, date = {2023-04-21}, institution = {Sophos}, url = {https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf}, language = {English}, urldate = {2023-08-10} } @online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } @online{cowman:20200827:smokeloader:6b86b56, author = {Pete Cowman}, title = {{Smokeloader Analysis and More Family Detections}}, date = {2020-08-27}, organization = {Hatching.io}, url = {https://hatching.io/blog/tt-2020-08-27/}, language = {English}, urldate = {2020-09-03} } @online{cox:20200710:secret:5414fbb, author = {Joseph Cox}, title = {{The Secret Service Tried to Catch a Hacker With a Malware Booby-Trap}}, date = {2020-07-10}, organization = {Vice}, url = {https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware}, language = {English}, urldate = {2023-07-19} } @online{cox:20210427:cockli:be7ee57, author = {Joseph Cox}, title = {{'Cock.li' Admin Says He’s Not Surprised Russian Intelligence Uses His Site}}, date = {2021-04-27}, organization = {Vice}, url = {https://www.vice.com/en/article/dyv87z/cockli-admin-russian-intelligence-svr-fbi-dhs-cisa-report}, language = {English}, urldate = {2021-04-29} } @online{cox:20210615:ransomware:4969e93, author = {Joseph Cox}, title = {{Ransomware Gang Turns to Revenge Porn}}, date = {2021-06-15}, organization = {Vice}, url = {https://www.vice.com/en/article/z3xzby/ransomware-gang-revenge-porn-leaks-nude-images}, language = {English}, urldate = {2021-06-21} } @online{cox:20210622:cryptomining:13a5fec, author = {Oakley Cox}, title = {{Crypto-mining on a DNS server}}, date = {2021-06-22}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/crypto-mining-on-a-dns-server/}, language = {English}, urldate = {2021-06-24} } @online{cox:20210719:amazon:ec7aab9, author = {Joseph Cox}, title = {{Amazon Shuts Down NSO Group Infrastructure}}, date = {2021-07-19}, organization = {Vice}, url = {https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure}, language = {English}, urldate = {2021-07-24} } @online{cox:20210824:how:2b6d60b, author = {Joseph Cox}, title = {{How Data Brokers Sell Access to the Backbone of the Internet}}, date = {2021-08-24}, organization = {Vice Motherboard}, url = {https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru}, language = {English}, urldate = {2021-09-14} } @online{cox:20220214:staying:16693dd, author = {Oakley Cox}, title = {{Staying ahead of REvil’s Ransomware-as-a-Service business model}}, date = {2022-02-14}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/}, language = {English}, urldate = {2022-03-01} } @online{cox:20220318:open:27cb616, author = {Joseph Cox}, title = {{Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers}}, date = {2022-03-18}, organization = {Vice Motherboard}, url = {https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers}, language = {English}, urldate = {2022-03-22} } @online{cr4sh:20210504:cr4sh:3c1597c, author = {Cr4sh}, title = {{Cr4sh / MicroBackdoor : Small and convenient C2 tool for Windows targets}}, date = {2021-05-04}, url = {https://github.com/cr4sh/microbackdoor}, language = {English}, urldate = {2021-05-04} } @online{craciun:20160129:vb2015:0ee1548, author = {Vlad Craciun and Andrei Nacu and Mihail Androinic}, title = {{VB2015 paper: It's A File Infector... It’s Ransomware... It's Virlock}}, date = {2016-01-29}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-its-file-infector-its-ransomware-its-virlock/}, language = {English}, urldate = {2022-11-18} } @online{craft:20210907:shellcode:dc30cfa, author = {Counter Craft}, title = {{Shellcode Detection Using Real-Time Kernel Monitoring}}, date = {2021-09-07}, organization = {Counter Craft}, url = {https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/}, language = {English}, urldate = {2021-09-14} } @online{crahmaliuc:20220311:five:9ba5aa0, author = {Radu Crahmaliuc}, title = {{Five Things You Need to Know About the Cyberwar in Ukraine}}, date = {2022-03-11}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/}, language = {English}, urldate = {2022-03-31} } @online{cram:20240821:chinese:95fe46a, author = {C.R.A.M.}, title = {{Chinese APT abuses MSC files with GrimResource vulnerability}}, date = {2024-08-21}, organization = {TG Soft}, url = {https://www.tgsoft.it/news/news_archivio.asp?id=1568}, language = {English}, urldate = {2024-09-26} } @online{creaktive:20180521:tiny:13fd580, author = {creaktive}, title = {{Tiny SHell}}, date = {2018-05-21}, organization = {Github (creaktive)}, url = {https://github.com/creaktive/tsh}, language = {English}, urldate = {2020-01-10} } @online{crespo:20220215:new:875538a, author = {Pablo Rincón Crespo}, title = {{New Evidence Linking Kwampirs Malware to Shamoon APTS (Technical Blog)}}, date = {2022-02-15}, organization = {Cylera}, url = {https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts}, language = {English}, urldate = {2022-03-10} } @online{creus:20160926:sofacys:2c11dc9, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2019-12-20} } @online{creus:20160926:sofacys:6ddbb81, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2020-01-13} } @online{criptonizando:20200426:35:f5240ec, author = {Criptonizando}, title = {{35 mil computadores foram infectados na América Latina por malware que minerava Monero}}, date = {2020-04-26}, organization = {Criptonizando}, url = {https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/}, language = {Portoguese}, urldate = {2022-02-18} } @online{crook:20200622:dynamic:47a0942, author = {Jack Crook}, title = {{Dynamic Correlation, ML and Hunting}}, date = {2020-06-22}, organization = {FindingBad Blogspot}, url = {http://findingbad.blogspot.com/2020/06/dynamic-correlation-ml-and-hunting.html}, language = {English}, urldate = {2020-06-23} } @online{crook:20211031:measuring:f7e5ba7, author = {Jack Crook}, title = {{Measuring User Behavior}}, date = {2021-10-31}, organization = {FindingBad Blogspot}, url = {http://findingbad.blogspot.com/2021/10/measuring-user-behavior.html}, language = {English}, urldate = {2021-11-17} } @online{crovax:20210821:panda:38d0b7a, author = {Crovax}, title = {{Panda Banker Analysis Part 1}}, date = {2021-08-21}, organization = {Medium Crovax}, url = {https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847}, language = {English}, urldate = {2022-01-25} } @online{crovax:20211228:extracting:cd05925, author = {Crovax}, title = {{Extracting Hancitor’s Configuration with Ghidra part 1}}, date = {2021-12-28}, organization = {Medium Crovax}, url = {https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5}, language = {English}, urldate = {2022-01-25} } @techreport{crowdstrike:20140609:crowdstrike:a348198, author = {CrowdStrike}, title = {{Crowdstrike Intelligence Report: Putter Panda}}, date = {2014-06-09}, institution = {CrowdStrike}, url = {https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf}, language = {English}, urldate = {2021-02-02} } @techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } @techreport{crowdstrike:20150210:global:da4da20, author = {CrowdStrike}, title = {{Global Threat Intel Report}}, date = {2015-02-10}, institution = {CrowdStrike}, url = {http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{crowdstrike:201610:2015:e74876c, author = {CrowdStrike}, title = {{2015 Global Threat Report}}, date = {2016-10}, institution = {CrowdStrike}, url = {https://conferences.law.stanford.edu/cyberday/wp-content/uploads/sites/10/2016/10/2a_15GlobalThreatReport_Extracted.pdf}, language = {English}, urldate = {2021-05-31} } @techreport{crowdstrike:2016:intelligence:574f45c, author = {CrowdStrike}, title = {{Intelligence Report: Emergence and Development of Core Bot}}, date = {2016}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf}, language = {English}, urldate = {2021-05-31} } @techreport{crowdstrike:2018:2018:5ba6206, author = {CrowdStrike}, title = {{2018 Global Threat Report}}, date = {2018}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf}, language = {English}, urldate = {2019-12-17} } @online{crowdstrike:2019:2019:2c268c8, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/}, language = {English}, urldate = {2020-07-16} } @techreport{crowdstrike:2019:2019:4e50c97, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-15} } @online{crowdstrike:2019:twisted:8dacf6c, author = {CrowdStrike}, title = {{Twisted Spider}}, date = {2019}, organization = {CrowdStrike}, url = {https://adversary.crowdstrike.com/adversary/twisted-spider/}, language = {English}, urldate = {2021-05-19} } @online{crowdstrike:2019:viceroy:c209ad4, author = {CrowdStrike}, title = {{Viceroy Tiger}}, date = {2019}, organization = {CrowdStrike}, url = {https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger}, language = {English}, urldate = {2022-03-16} } @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } @techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } @online{crowdstrike:2020:2019:f849658, author = {CrowdStrike}, title = {{2019 Crowdstrike Global Threat Report}}, date = {2020}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report}, language = {English}, urldate = {2020-07-23} } @techreport{crowdstrike:2020:cyber:de17ed0, author = {CrowdStrike}, title = {{Cyber Front Lines Report}}, date = {2020}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf}, language = {English}, urldate = {2021-05-31} } @techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } @techreport{crowdstrike:20220216:global:755868e, author = {CrowdStrike}, title = {{Global Threat Report 2022}}, date = {2022-02-16}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf}, language = {English}, urldate = {2022-02-19} } @online{crowdstrike:20220330:who:882b277, author = {CrowdStrike}, title = {{Who is EMBER BEAR?}}, date = {2022-03-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/en-us/blog/who-is-ember-bear/}, language = {English}, urldate = {2025-02-18} } @online{crowdstrike:20230301:slippy:b2f0c0a, author = {CrowdStrike}, title = {{Slippy Spider}}, date = {2023-03-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/adversaries/slippy-spider/}, language = {English}, urldate = {2023-03-13} } @online{crowdstrike:20230314:zeus:e01a1ed, author = {CrowdStrike}, title = {{The Zeus Trojan Malware - Definition and Prevention}}, date = {2023-03-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/cybersecurity-101/malware/trojan-zeus-malware}, language = {English}, urldate = {2023-06-06} } @online{crowdstrike:20230515:hypervisor:2fc5adc, author = {CrowdStrike}, title = {{Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks}}, date = {2023-05-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/}, language = {English}, urldate = {2023-07-31} } @techreport{crowdstrike:20230523:modern:2212db6, author = {CrowdStrike}, title = {{Modern Adversaries and Evasion Techniques: Why Legacy AV Is an Easy Target}}, date = {2023-05-23}, institution = {CrowdStrike}, url = {https://www.patechcon.com/wp-content/uploads/2023/08/ebook-modern-adversaries-and-evasion-techniques-2023.pdf}, language = {English}, urldate = {2025-03-05} } @techreport{crowdstrike:20230523:modern:ebaf486, author = {CrowdStrike}, title = {{Modern Adversaries and Evasion Techniques: Why Legacy AV Is an Easy Target}}, date = {2023-05-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ebook-modern-adversaries-and-evasion-techniques-2023.pdf}, language = {English}, urldate = {2025-03-06} } @techreport{crowdstrike:20230808:crowdstrike:f829fc0, author = {CrowdStrike}, title = {{CrowdStrike 2023 Threat Hunting Report}}, date = {2023-08-08}, institution = {CrowdStrike}, url = {https://asiapacificdefencereporter.com/wp-content/uploads/2023/08/Final-CRWD-2023-Threat-Hunting-Report.pdf}, language = {English}, urldate = {2024-12-11} } @online{crowdstrike:20240101:crowdstrike:2239d1e, author = {CrowdStrike}, title = {{The CrowdStrike Global Threat Report}}, date = {2024-01-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/global-threat-report/}, language = {English}, urldate = {2024-02-08} } @techreport{crowdstrike:20240221:crowdstrike:5d5f82a, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Report 2024}}, date = {2024-02-21}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf}, language = {English}, urldate = {2024-02-23} } @online{crowdstrike:20250222:curly:1b4cd44, author = {CrowdStrike}, title = {{Curly Spider}}, date = {2025-02-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/adversaries/curly-spider/}, language = {English}, urldate = {2025-03-05} } @online{crowdstrike:20250222:wandering:8a44863, author = {CrowdStrike}, title = {{Wandering Spider}}, date = {2025-02-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/adversaries/wandering-spider/}, language = {English}, urldate = {2025-03-04} } @techreport{crowdstrike:20250228:2025:67898f7, author = {CrowdStrike}, title = {{2025 Global Threat Report}}, date = {2025-02-28}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/CrowdStrikeGlobalThreatReport2025.pdf}, language = {English}, urldate = {2025-03-05} } @online{cru:20220412:threat:2357d34, author = {ConnectWise CRU}, title = {{Threat Profile: Avaddon}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/avaddon-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:6f5aace, author = {ConnectWise CRU}, title = {{Threat Profile: LockBit}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/lockbit-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:c1f918f, author = {ConnectWise CRU}, title = {{Threat Profile: REvil}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/revil-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:d5577b2, author = {ConnectWise CRU}, title = {{Threat Profile: Conti}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/conti-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20220412:threat:ea9a60f, author = {ConnectWise CRU}, title = {{Threat Profile: Hive}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/hive-profile}, language = {English}, urldate = {2022-04-13} } @online{cru:20230609:smashjacker:444dcf7, author = {ConnectWise CRU}, title = {{SmashJacker (ChromeLoader variant)}}, date = {2023-06-09}, organization = {ConnectWise}, url = {https://www.connectwise.com/blog/threat-report/smash-jacker}, language = {English}, urldate = {2023-06-12} } @online{crumpton:20240419:advanced:bf3e8c0, author = {Lex Crumpton and Charles Clancy}, title = {{Advanced Cyber Threats Impact Even the Most Prepared}}, date = {2024-04-19}, organization = {Medium MITRE-Engenuity}, url = {https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8}, language = {English}, urldate = {2024-04-23} } @online{crumpton:20240504:technical:0d8fc19, author = {Lex Crumpton}, title = {{Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion}}, date = {2024-05-04}, organization = {Medium MITRE-Engenuity}, url = {https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3}, language = {English}, urldate = {2024-05-06} } @online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } @online{cruz:20220118:new:c7bdfeb, author = {Arianne Dela Cruz and Bren Matthew Ebriega and Don Ovid Ladores and Mary Yambao}, title = {{New Ransomware Spotted: White Rabbit and Its Evasion Tactics}}, date = {2022-01-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html}, language = {English}, urldate = {2022-01-24} } @online{cruz:20220124:analysis:5807286, author = {Junestherry Dela Cruz}, title = {{Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant}}, date = {2022-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html}, language = {English}, urldate = {2022-01-25} } @online{cruz:20220525:new:43d8257, author = {Arianne Dela Cruz and Byron Gelera and McJustine De Guzman and Warren Sto.Tomas}, title = {{New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices}}, date = {2022-05-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html}, language = {English}, urldate = {2022-05-29} } @online{cruz:20230117:batloader:594298e, author = {Junestherry Dela Cruz}, title = {{Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks}}, date = {2023-01-17}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html}, language = {English}, urldate = {2023-01-19} } @online{cruz:20230623:overview:58e7e29, author = {Arianne Dela Cruz and Paul Pajares and Ivan Nicole Chavez and Ieriz Nicolle Gonzalez and Nathaniel Morales}, title = {{An Overview of the Different Versions of the Trigona Ransomware}}, date = {2023-06-23}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html}, language = {English}, urldate = {2023-07-05} } @online{cruz:20230807:latest:064e40e, author = {Junestherry Dela Cruz}, title = {{Latest Batloader Campaigns Use Pyarmor Pro for Evasion}}, date = {2023-08-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html}, language = {English}, urldate = {2023-08-09} } @online{cruz:20250521:tiktok:b0b3502, author = {Junestherry Dela Cruz}, title = {{TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead}}, date = {2025-05-21}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html}, language = {English}, urldate = {2025-05-28} } @online{cryptoinsane:20221031:about:f607cf7, author = {CryptoInsane}, title = {{Tweet about Yanluowang Leaks}}, date = {2022-10-31}, organization = {Twitter (@CryptoInsane)}, url = {https://twitter.com/CryptoInsane/status/1586967110504398853}, language = {English}, urldate = {2022-12-29} } @online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } @online{cryptolaemus:20210622:ta575:895ac37, author = {Cryptolaemus and Kirk Sayre and dao ming si}, title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}}, date = {2021-06-22}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680}, language = {English}, urldate = {2021-06-22} } @online{cryptolaemus:20220419:emotet:c68608b, author = {Cryptolaemus}, title = {{#Emotet Update: 64 bit upgrade of Epoch 5}}, date = {2022-04-19}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1516535343281025032}, language = {English}, urldate = {2022-04-20} } @online{cryptome:20121125:parastoo:b652ed3, author = {Cryptome}, title = {{Parastoo Hacks IAEA}}, date = {2012-11-25}, organization = {Cryptome}, url = {https://cryptome.org/2012/11/parastoo-hacks-iaea.htm}, language = {English}, urldate = {2020-01-06} } @online{csirt:20201029:list:5fb0206, author = {Swisscom CSIRT}, title = {{List of CobaltStrike C2's used by RYUK}}, date = {2020-10-29}, organization = {Github (Swisscom)}, url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt}, language = {English}, urldate = {2020-11-02} } @online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } @online{csirtcti:20240123:stately:02d2722, author = {CSIRT-CTI}, title = {{Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks}}, date = {2024-01-23}, organization = {CSIRT-CTI}, url = {https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/}, language = {English}, urldate = {2024-02-02} } @online{csirtmon:20220122:analysis:25ca045, author = {csirt-mon}, title = {{Analysis of the Cyberattack on Ukrainian Government Resources}}, date = {2022-01-22}, organization = {csirt-mon}, url = {https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/}, language = {English}, urldate = {2022-01-28} } @techreport{csis:2012:w32tinba:542635f, author = {Peter Kruse (CSIS) and Feike Hacquebord (Trend Micro) and Robert McArdle (Trend Micro)}, title = {{W32.Tinba (Tinybanker) The Turkish Incident}}, date = {2012}, institution = {CSIS Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf}, language = {English}, urldate = {2019-12-24} } @techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } @online{csis:20210423:supply:474eb97, author = {CSIS}, title = {{Supply chain attack on the password manager Clickstudios - PASSWORDSTATE}}, date = {2021-04-23}, organization = {CSIS}, url = {https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/}, language = {English}, urldate = {2021-05-04} } @online{ctfiot:20250115:article:1c3735a, author = {CTFIOT}, title = {{Article 113: One of the Russian-Ukrainian cyberwars, a review of the first major blackout in Ukraine caused by the Sandworm APT organization}}, date = {2025-01-15}, organization = {CTFIOT}, url = {https://www.ctfiot.com/224570.html}, language = {Chinese}, urldate = {2025-02-03} } @online{cti:20241120:prospero:3342891, author = {Equipe CTI}, title = {{PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks}}, date = {2024-11-20}, organization = {Intrinsec}, url = {https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/}, language = {English}, urldate = {2024-11-25} } @techreport{cti:20250227:doppelgnger:d860bbc, author = {Equipe CTI}, title = {{Doppelgänger: New disinformation campaigns spreading on social media through Russian networks}}, date = {2025-02-27}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2025/02/TLP-CLEAR-Doppelganger-EN-Information-report.pdf}, language = {English}, urldate = {2025-04-25} } @online{ctr:20240129:compromised:e6b2fb6, author = {HarfangLab CTR}, title = {{Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus}}, date = {2024-01-29}, organization = {HarfangLab}, url = {https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/}, language = {English}, urldate = {2024-02-02} } @online{ctr:20240301:comprehensive:48c3e6e, author = {HarfangLab CTR}, title = {{A Comprehensive Analysis of i-SOON’s Commercial Offering}}, date = {2024-03-01}, organization = {HarfangLab}, url = {https://harfanglab.io/en/insidethelab/isoon-leak-analysis/}, language = {English}, urldate = {2025-02-28} } @online{ctr:20240416:analysis:a6bc3ae, author = {HarfangLab CTR}, title = {{Analysis of the APT31 Indictment}}, date = {2024-04-16}, organization = {HarfangLab}, url = {https://harfanglab.io/en/insidethelab/apt31-indictment-analysis/}, language = {English}, urldate = {2025-02-28} } @online{ctr:20240422:muddywater:ae9461c, author = {HarfangLab CTR}, title = {{MuddyWater campaign abusing Atera Agents}}, date = {2024-04-22}, organization = {HarfangLab}, url = {https://harfanglab.io/en/insidethelab/muddywater-rmm-campaign/}, language = {English}, urldate = {2024-04-23} } @online{ctr:20240528:allasenha:a6c2222, author = {HarfangLab CTR}, title = {{AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America}}, date = {2024-05-28}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/allasenha-allakore-variant-azure-c2-steal-banking-latin-america/}, language = {English}, urldate = {2025-02-28} } @online{ctr:20240628:supposed:8c0a90b, author = {HarfangLab CTR}, title = {{Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware}}, date = {2024-06-28}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/supposed-grasshopper-operators-impersonate-israeli-gov-private-companies-deploy-open-source-malware/}, language = {English}, urldate = {2025-02-28} } @online{ctr:20240725:midyear:27c8cee, author = {HarfangLab CTR}, title = {{Mid-year Doppelgänger information operations in Europe and the US}}, date = {2024-07-25}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/doppelganger-operations-europe-us/}, language = {English}, urldate = {2025-02-28} } @online{ctr:20240814:cyclops:8871c72, author = {HarfangLab CTR}, title = {{Cyclops: a likely replacement for BellaCiao}}, date = {2024-08-14}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/}, language = {English}, urldate = {2025-02-28} } @online{ctr:20250210:further:a101ed9, author = {HarfangLab CTR}, title = {{Further insights into Ivanti CSA 4.6 vulnerabilities exploitation}}, date = {2025-02-10}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/}, language = {English}, urldate = {2025-02-28} } @online{ctr:20250416:inside:f38d4ba, author = {HarfangLab CTR}, title = {{Inside Gamaredon’s PteroLNK: Dead Drop Resolvers and evasive Infrastructure}}, date = {2025-04-16}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/}, language = {English}, urldate = {2025-04-25} } @online{ctr:20250616:sadfuture:5f00d59, author = {HarfangLab CTR}, title = {{SadFuture: Mapping XDSpy latest evolution}}, date = {2025-06-16}, organization = {HarfangLab}, url = {https://harfanglab.io/insidethelab/sadfuture-xdspy-latest-evolution/}, language = {English}, urldate = {2025-06-23} } @online{ctu:20150730:sakula:8025917, author = {Dell Secureworks CTU}, title = {{Sakula Malware Family}}, date = {2015-07-30}, organization = {Secureworks}, url = {https://www.secureworks.com/research/sakula-malware-family}, language = {English}, urldate = {2020-01-06} } @online{ctu:20151007:hacker:0c336b4, author = {Dell Secureworks CTU}, title = {{Hacker Group Creates Network of Fake LinkedIn Profiles}}, date = {2015-10-07}, organization = {Dell Secureworks}, url = {https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles}, language = {English}, urldate = {2022-07-29} } @online{cube0x0:20211117:github:0551fdb, author = {cube0x0}, title = {{GitHub - cube0x0 / SharpMapExec}}, date = {2021-11-17}, organization = {Github (cube0x0)}, url = {https://github.com/cube0x0/SharpMapExec}, language = {English}, urldate = {2021-12-01} } @online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } @online{cucci:20200819:chantays:3998ebb, author = {Kyle Cucci}, title = {{Chantay’s Resume: Investigating a CV-Themed ZLoader Malware}}, date = {2020-08-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/}, language = {English}, urldate = {2020-09-01} } @online{culafi:20230808:crowdstrike:bf196f5, author = {Alecander Culafi}, title = {{CrowdStrike observes massive spike in identity-based attacks}}, date = {2023-08-08}, organization = {Techtarget}, url = {https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks}, language = {English}, urldate = {2024-10-18} } @online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } @online{currie:20210621:ready:ec4a88d, author = {Gabriel Currie}, title = {{Ready for (nearly) anything: Five things to prepare for a cyber security incident}}, date = {2021-06-21}, organization = {Medium gabrielcurrie}, url = {https://gabrielcurrie.medium.com/ready-for-nearly-anything-five-things-to-prepare-for-a-cyber-security-incident-4fc49d665488}, language = {English}, urldate = {2021-11-29} } @techreport{currie:20211114:ready:7398ccf, author = {Gabriel Currie}, title = {{Ready for (nearly) anything: Five things to prepare for a cyber security incident}}, date = {2021-11-14}, institution = {Github (gabrielcurrie)}, url = {https://raw.githubusercontent.com/gabrielcurrie/conference-talks/main/2021%20-%20BSides%20London%20-%20Five%20Things%20to%20Prepare%20for%20a%20Cyber%20Incident.pdf}, language = {English}, urldate = {2021-11-29} } @online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } @online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } @online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } @online{cutler:20210114:killed:4894029, author = {Silas Cutler}, title = {{Killed In Translation}}, date = {2021-01-14}, organization = {Silas Cutler's Blog}, url = {https://silascutler.com/2021/01/14/KilledInTranslation/}, language = {English}, urldate = {2023-04-18} } @online{cutler:20220118:whispers:c986974, author = {Silas Cutler}, title = {{Whispers in the noise}}, date = {2022-01-18}, organization = {Stairwell}, url = {https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/}, language = {English}, urldate = {2022-01-19} } @online{cutler:20220309:hermeticwizards:3cd717d, author = {Silas Cutler}, title = {{Tweet on HermeticWizard's self-spreading mechanism}}, date = {2022-03-09}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1501668345640366091}, language = {English}, urldate = {2022-03-10} } @online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } @online{cutler:20220414:sample:06de069, author = {Silas Cutler}, title = {{Tweet on sample discovery for potential INCONTROLLER}}, date = {2022-04-14}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1514366443277766656}, language = {English}, urldate = {2023-03-24} } @techreport{cutler:20220421:inkstained:cc446df, author = {Silas Cutler}, title = {{The ink-stained trail of GOLDBACKDOOR}}, date = {2022-04-21}, institution = {Stairwell}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/group123/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf}, language = {English}, urldate = {2023-10-02} } @techreport{cutler:20220706:maui:1d2ddc2, author = {Silas Cutler}, title = {{Maui Ransomware}}, date = {2022-07-06}, institution = {Stairwell}, url = {https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf}, language = {English}, urldate = {2022-07-06} } @online{cutler:20230823:akira:a29f423, author = {Silas Cutler}, title = {{Akira: Pulling on the chains of ransomware}}, date = {2023-08-23}, organization = {Stairwell}, url = {https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/}, language = {English}, urldate = {2023-08-25} } @online{cutler:20231213:kuiper:01bd573, author = {Silas Cutler}, title = {{Kuiper ransomware analysis: Stairwell’s technical report}}, date = {2023-12-13}, organization = {Stairwell}, url = {https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/}, language = {English}, urldate = {2023-12-14} } @online{cutler:20240131:technical:9ad6d37, author = {Silas Cutler and Evelyne Diaz Araque and Vincent Zell and Alex Hegyi and Matt Richard and Chris St. Myers}, title = {{Technical analysis: The silent torrent of VileRAT}}, date = {2024-01-31}, organization = {Stairwell}, url = {https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/}, language = {English}, urldate = {2024-02-02} } @online{cutler:20250116:will:f85e4cd, author = {Silas Cutler}, title = {{Will the Real Volt Typhoon Please Stand Up?}}, date = {2025-01-16}, organization = {Censys}, url = {https://censys.com/will-the-real-volt-typhoon-please-stand-up/}, language = {English}, urldate = {2025-01-23} } @online{cyb3rjerry:20250215:dissecting:79d9374, author = {cyb3rjerry}, title = {{Dissecting a fresh BlankGrabber sample}}, date = {2025-02-15}, organization = {c-b.io}, url = {https://c-b.io/blog/dissecting_blankgrabber/}, language = {English}, urldate = {2025-02-18} } @online{cyb3rjerry:20250316:analyzing:a3bb1a6, author = {cyb3rjerry}, title = {{Analyzing the RedTiger Malware Stealer}}, date = {2025-03-16}, url = {https://c-b.io/blog/redtiger_stealer/}, language = {English}, urldate = {2025-03-21} } @online{cyb3rjerry:20250629:supper:7265473, author = {cyb3rjerry}, title = {{Supper is served}}, date = {2025-06-29}, organization = {Humpty's RE Blog}, url = {https://c-b.io/2025-06-29+-+Supper+is+served}, language = {English}, urldate = {2025-07-01} } @online{cyb3rsn0rlax:20211102:detecting:a2828eb, author = {Cyb3rSn0rlax}, title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}}, date = {2021-11-02}, organization = {unh4ck}, url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2}, language = {English}, urldate = {2021-11-03} } @online{cyber00011011:20210217:understand:2783d8d, author = {Cyber_00011011}, title = {{Understand Shellcode with CyberChef}}, date = {2021-02-17}, organization = {cyber00011011.github.io}, url = {https://cyber00011011.github.io/CookingUpCyber/}, language = {English}, urldate = {2021-02-20} } @online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } @online{cyber:20200611:snowstorm:7112209, author = {MDR Cyber}, title = {{SNOWSTORM: Hacker-for-hire and physical surveillance targeted financial analyst}}, date = {2020-06-11}, organization = {Mishcon de Reya}, url = {https://www.mishcon.com/news/snowstorm-hacker-for-hire-and-physical-surveillance-targeted-financial-analyst}, language = {English}, urldate = {2020-06-12} } @online{cyber:20220225:il:2af16d4, author = {Red Hot Cyber}, title = {{Il ransomware Conti si schiera a favore della Russia.}}, date = {2022-02-25}, organization = {Red Hot Cyber}, url = {https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia}, language = {Italian}, urldate = {2022-03-01} } @techreport{cyber:20230206:malware:cc2dbc7, author = {Quorum Cyber}, title = {{Malware Analysis Report Vidar - Stealerware}}, date = {2023-02-06}, institution = {Quorum Cyber}, url = {https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf}, language = {English}, urldate = {2023-04-25} } @online{cyber:20230501:rtm:42e6be9, author = {Quorum Cyber}, title = {{RTM Locker ransomware targets VMware ESXi servers}}, date = {2023-05-01}, organization = {Quorum Cyber}, url = {https://www.quorumcyber.com/threat-intelligence/rtm-locker-ransomware-targets-vmware-esxi-servers/}, language = {English}, urldate = {2023-11-13} } @online{cyber:20230728:scattered:9e96c1f, author = {Quorum Cyber}, title = {{Scattered Spider Threat Actor Profile}}, date = {2023-07-28}, organization = {Quorum Cyber}, url = {https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/}, language = {English}, urldate = {2023-11-17} } @online{cyber:20240802:sharprhino:adfcd83, author = {Quorum Cyber}, title = {{SharpRhino – New Hunters International RAT Identified by Quorum Cyber}}, date = {2024-08-02}, organization = {Quorum Cyber}, url = {https://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/}, language = {English}, urldate = {2024-12-02} } @techreport{cyberdefense:20250306:dossier:5c7c3ee, author = {Orange Cyberdefense}, title = {{Dossier Bybit : Le plus gros hack de l’histoire de la finance}}, date = {2025-03-06}, institution = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/fileadmin/fr/Insight/Livres_Blancs___Reportings/Dossier_Bybit.pdf}, language = {French}, urldate = {2025-04-25} } @online{cyberflorida:20221130:malware:9da929a, author = {CyberFlorida}, title = {{Malware with Sandbox Evasion Techniques Observed Stealing Browser Cached Credentials}}, date = {2022-11-30}, organization = {CyberFlorida}, url = {https://cyberflorida.org/2022/11/arechclient2/}, language = {English}, urldate = {2023-02-06} } @online{cyberforensics:20240506:agent:009d32a, author = {Cyber-Forensics}, title = {{Agent Tesla Malware Analysis}}, date = {2024-05-06}, organization = {Cyber-Forensics}, url = {https://cyber-forensics.blog/2024/05/06/formbook-analysis/}, language = {English}, urldate = {2024-05-13} } @techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } @techreport{cyberint:20200127:konni:5cb8e40, author = {CyberInt}, title = {{Konni Malware 2019 Campaign}}, date = {2020-01-27}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf}, language = {English}, urldate = {2022-07-25} } @online{cyberint:20201105:cerberus:c5716d3, author = {CyberInt}, title = {{Cerberus is Dead, Long Live Cerberus?}}, date = {2020-11-05}, organization = {CyberInt}, url = {https://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/}, language = {English}, urldate = {2024-07-16} } @online{cyberint:20201210:ryuk:e74b8f6, author = {CyberInt}, title = {{Ryuk Crypto-Ransomware}}, date = {2020-12-10}, organization = {CyberInt}, url = {https://blog.cyberint.com/ryuk-crypto-ransomware}, language = {English}, urldate = {2020-12-14} } @online{cyberint:20220703:xfiles:57cd027, author = {CyberInt and Shmuel Gihon}, title = {{XFiles Stealer Campaign Abusing Follina}}, date = {2022-07-03}, organization = {CyberInt}, url = {https://cyberint.com/blog/research/xfiles-stealer-campaign-abusing-follina/}, language = {English}, urldate = {2023-05-04} } @online{cyberjack:20220308:elfshelf:2111663, author = {CyberJack}, title = {{Tweet on ELFSHELF alias for KEYPLUG}}, date = {2022-03-08}, organization = {Twitter (@CyberJack42)}, url = {https://twitter.com/CyberJack42/status/1501290277864046595}, language = {English}, urldate = {2022-03-14} } @online{cybermalveillance:20191106:outil:dfa36a5, author = {Cybermalveillance}, title = {{Outil de déchiffrement du rançongiciel (ransomware) PyLocky versions 1 et 2}}, date = {2019-11-06}, organization = {Cybermalveillance}, url = {https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/}, language = {French}, urldate = {2019-12-18} } @online{cybermasterv:20201127:dissecting:23d6915, author = {CyberMasterV}, title = {{Dissecting APT21 samples using a step-by-step approach}}, date = {2020-11-27}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/}, language = {English}, urldate = {2020-12-08} } @online{cybermasterv:20201226:analyzing:b94f52e, author = {CyberMasterV}, title = {{Analyzing APT19 malware using a step-by-step method}}, date = {2020-12-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/}, language = {English}, urldate = {2021-01-01} } @online{cybermasterv:20210125:detailed:c27540a, author = {CyberMasterV}, title = {{A detailed analysis of ELMER Backdoor used by APT16}}, date = {2021-01-25}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/}, language = {English}, urldate = {2021-01-27} } @online{cybermasterv:20210614:stepbystep:6b4b871, author = {CyberMasterV}, title = {{A Step-by-Step Analysis of a New Version of DarkSide Ransomware}}, date = {2021-06-14}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/}, language = {English}, urldate = {2021-06-22} } @online{cybermasterv:20210803:stepbystep:2c73656, author = {CyberMasterV}, title = {{A step-by-step analysis of the new malware used by APT28/Sofacy called SkinnyBoy}}, date = {2021-08-03}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/skinnyboy-apt28/}, language = {English}, urldate = {2021-08-06} } @online{cybermasterv:20210929:how:b7fbf82, author = {CyberMasterV}, title = {{How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear}}, date = {2021-09-29}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/}, language = {English}, urldate = {2021-10-14} } @online{cybermasterv:20211031:detailed:290dacf, author = {CyberMasterV}, title = {{A detailed analysis of the STOP/Djvu Ransomware}}, date = {2021-10-31}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/}, language = {English}, urldate = {2021-11-08} } @online{cybermasterv:20211130:just:d5f53c9, author = {CyberMasterV}, title = {{Just another analysis of the njRAT malware – A step-by-step approach}}, date = {2021-11-30}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/}, language = {English}, urldate = {2021-12-06} } @online{cybermasterv:20220427:reverse:09cb18a, author = {CyberMasterV}, title = {{Reverse Engineering PsExec for fun and knowledge}}, date = {2022-04-27}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/reverse-engineering-psexec-for-fun-and-knowledge/}, language = {English}, urldate = {2022-05-09} } @online{cybermasterv:20220630:how:035d973, author = {CyberMasterV}, title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}}, date = {2022-06-30}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations}, language = {English}, urldate = {2022-08-31} } @online{cybermasterv:20220726:how:3f5d6fc, author = {CyberMasterV}, title = {{HOW to Analyze Linux Malware - A Case Study of Symbiote}}, date = {2022-07-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote}, language = {English}, urldate = {2022-08-31} } @online{cybermasterv:20220829:technical:c339986, author = {CyberMasterV}, title = {{A Technical Analysis of Pegasus for Android – Part 1}}, date = {2022-08-29}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1}, language = {English}, urldate = {2022-08-31} } @online{cybermasterv:20220830:chromeloader:b050f70, author = {CyberMasterV}, title = {{ChromeLoader Browser Hijacker}}, date = {2022-08-30}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/chromeloader-browser-hijacker}, language = {English}, urldate = {2022-08-31} } @online{cybermasterv:20230831:deep:94c25e1, author = {CyberMasterV}, title = {{A Deep Dive into Brute Ratel C4 Payloads}}, date = {2023-08-31}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/}, language = {English}, urldate = {2023-09-04} } @online{cybermasterv:20240219:technical:6500dee, author = {CyberMasterV}, title = {{A Technical Analysis of the BackMyData Ransomware Used to Attack Hospitals in Romania}}, date = {2024-02-19}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/}, language = {English}, urldate = {2024-02-21} } @online{cybermasterv:20250227:russian:8ce1751, author = {CyberMasterV}, title = {{Russian campaign targeting Romanian WhatsApp numbers}}, date = {2025-02-27}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-numbers/}, language = {English}, urldate = {2025-02-28} } @online{cyberpunkleigh:20210527:apostle:f53c506, author = {cyberpunkleigh}, title = {{Apostle Ransomware Analysis}}, date = {2021-05-27}, organization = {cyberpunkleigh}, url = {https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/}, language = {English}, urldate = {2021-06-24} } @online{cyberramen:20221230:quick:b75a34c, author = {CYBER&RAMEN}, title = {{A Quick Look at ELF Bifrose (Part 1)}}, date = {2022-12-30}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/}, language = {English}, urldate = {2023-02-06} } @online{cybersecurity88:20250412:algerias:0e81a31, author = {CyberSecurity88}, title = {{Algeria’s Ministry of Pharmaceutical Industry Data Leaked in Retaliatory Cyberattack}}, date = {2025-04-12}, organization = {CyberSecurity88}, url = {https://cybersecurity88.com/news/algerias-ministry-of-pharmaceutical-industry-data-leaked-in-retaliatory-cyberattack/}, language = {English}, urldate = {2025-05-21} } @online{cybersecurity:201606:operation:eb6c3d9, author = {ClearSky Cybersecurity}, title = {{Operation DustySky Part 2}}, date = {2016-06}, organization = {clearskysec}, url = {https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain}, language = {English}, urldate = {2019-12-24} } @techreport{cybersecurity:20170210:ar1720045:43c91fd, author = {National Cybersecurity and Communications Integration Center}, title = {{AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity}}, date = {2017-02-10}, institution = {Department of Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf}, language = {English}, urldate = {2019-11-05} } @online{cybersecurity:20180720:alert:89ca0c7, author = {National Cybersecurity and Communications Integration Center}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } @online{cybersecurity:20200626:cryptocore:19a42eb, author = {Atlas Cybersecurity}, title = {{CryptoCore – Cryptocurrency Exchanges Under Attack}}, date = {2020-06-26}, organization = {Atlas Cybersecurity}, url = {https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/}, language = {English}, urldate = {2021-06-08} } @online{cybersecurity:20210425:supply:a36f451, author = {Nightwatch Cybersecurity}, title = {{Supply Chain Attacks via GitHub.com Releases}}, date = {2021-04-25}, organization = {Nightwatch Cybersecurity}, url = {https://wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/}, language = {English}, urldate = {2021-04-29} } @online{cybersecurity:20220120:comlook:ca9c0aa, author = {ClearSky Cybersecurity}, title = {{Tweet on ComLook backdoor used by Turla}}, date = {2022-01-20}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/1484211242474561540}, language = {English}, urldate = {2022-01-25} } @online{cybersoc:20210321:in:0d188b6, author = {Orange CyberSOC}, title = {{In the eye of our CyberSOC: Campo Loader, analysis and detection perspectives}}, date = {2021-03-21}, url = {https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/}, language = {English}, urldate = {2021-05-13} } @online{cybersoc:20221228:playing:8fd27e8, author = {Orange CyberSOC}, title = {{PLAYing the game}}, date = {2022-12-28}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/global/blog/playing-the-game}, language = {English}, urldate = {2023-01-05} } @online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } @online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } @online{cyberwar15:20230823:about:669a86e, author = {cyberwar_15}, title = {{Tweet about VT upload of "Cloud agnostic IAM permissions enumerator" from North Korea}}, date = {2023-08-23}, organization = {Twitter (@cyberwar_15)}, url = {https://twitter.com/cyberwar_15/status/1693879002707182057}, language = {English}, urldate = {2023-08-24} } @online{cyberx:20170128:radiation:141e735, author = {CyberX}, title = {{Radiation Report}}, date = {2017-01-28}, organization = {CyberX}, url = {http://get.cyberx-labs.com/radiation-report}, language = {English}, urldate = {2020-01-13} } @online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } @online{cyble:20210722:donot:831e206, author = {Cyble}, title = {{DoNot APT Group Delivers A Spyware Variant Of Chat App}}, date = {2021-07-22}, organization = {cyble}, url = {https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/}, language = {English}, urldate = {2022-03-16} } @online{cyble:20210804:deepdive:f5d8447, author = {Cyble}, title = {{A Deep-dive Analysis of VENOMOUS Ransomware}}, date = {2021-08-04}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/}, language = {English}, urldate = {2021-08-06} } @online{cyble:20210805:blackmatter:f0b08a4, author = {Cyble}, title = {{BlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates}}, date = {2021-08-05}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/}, language = {English}, urldate = {2021-08-06} } @online{cyble:20210816:deepdive:b23c978, author = {Cyble}, title = {{A Deep-dive Analysis of LOCKBIT 2.0}}, date = {2021-08-16}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210819:shinyhunters:58b6c1a, author = {Cyble}, title = {{ShinyHunters Selling Alleged AT&T Database with 70 million SSN and Date of birth; AT&T Denies it originated from their systems}}, date = {2021-08-19}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/19/shinyhunters-selling-alleged-att-database-with-70-million-ssn-and-date-of-birth/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210820:overview:24e0326, author = {Cyble}, title = {{An Overview of FinTech Threat Landscape}}, date = {2021-08-20}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/20/an-overview-of-fintech-threat-landscape/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210824:deepdive:9bd2478, author = {Cyble}, title = {{​A Deep-dive Analysis of KARMA Ransomware}}, date = {2021-08-24}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210903:spyware:72a86c9, author = {Cyble}, title = {{Spyware Variant Disguised as Korean Video App Targets Multiple Asian Countries}}, date = {2021-09-03}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210907:fake:ccb82be, author = {Cyble}, title = {{Fake Income Tax Application Targets Indian Taxpayers}}, date = {2021-09-07}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210909:flubot:02a6d7c, author = {Cyble}, title = {{FluBot Variant Masquerading As The Default Android Voicemail App}}, date = {2021-09-09}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210914:deepdive:688552e, author = {Cyble}, title = {{Deep-dive Analysis of S.O.V.A. Android Banking Trojan}}, date = {2021-09-14}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210914:targets:303856b, author = {Cyble}, title = {{APT Group Targets Indian Defense Officials Through Enhanced TTPs}}, date = {2021-09-14}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/}, language = {English}, urldate = {2021-09-19} } @online{cyble:20210915:aptc23:7f61636, author = {Cyble}, title = {{APT-C-23 Using New Variant Of Android Spyware To Target Users In The Middle East}}, date = {2021-09-15}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/}, language = {English}, urldate = {2021-09-22} } @online{cyble:20210917:sophisticated:b3482ca, author = {Cyble}, title = {{Sophisticated Spyware Posing as a Banking Application To Target Korean Users}}, date = {2021-09-17}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/}, language = {English}, urldate = {2021-09-22} } @online{cyble:20211021:raccoon:612369d, author = {Cyble}, title = {{​​Raccoon Stealer Under the Lens: A Deep-dive Analysis}}, date = {2021-10-21}, organization = {cyble}, url = {https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/}, language = {English}, urldate = {2021-10-26} } @online{cyble:20211129:pysa:4da06b5, author = {Cyble}, title = {{Pysa Ransomware Under the Lens: A Deep-Dive Analysis}}, date = {2021-11-29}, organization = {cyble}, url = {https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/}, language = {English}, urldate = {2021-12-07} } @online{cyble:20211206:apt37:e9b1bba, author = {Cyble}, title = {{APT37 Using a New Android Spyware, Chinotto}}, date = {2021-12-06}, organization = {cyble}, url = {https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/}, language = {English}, urldate = {2021-12-07} } @online{cyble:20220117:avoslocker:e72ac8a, author = {Cyble}, title = {{AvosLocker Ransomware Linux Version Targets VMware ESXi Servers}}, date = {2022-01-17}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/}, language = {English}, urldate = {2022-02-01} } @online{cyble:20220120:deep:e172620, author = {Cyble}, title = {{Deep Dive Into Ragnar_locker Ransomware Gang}}, date = {2022-01-20}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/}, language = {English}, urldate = {2022-01-25} } @online{cyble:20220128:indian:b4078b9, author = {Cyble}, title = {{Indian Army Personnel Face Remote Access Trojan Attacks}}, date = {2022-01-28}, organization = {cyble}, url = {https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/}, language = {English}, urldate = {2022-02-02} } @online{cyble:20220310:aberebot:d077b97, author = {Cyble}, title = {{AbereBot Returns as Escobar}}, date = {2022-03-10}, organization = {cyble}, url = {https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/}, language = {English}, urldate = {2022-03-14} } @online{cyble:20220311:new:dfa8c06, author = {Cyble}, title = {{New Wiper Malware Attacking Russia: Deep-Dive Into RURansom Malware}}, date = {2022-03-11}, url = {https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/}, language = {English}, urldate = {2022-03-17} } @online{cyble:20220315:deep:6e5c8b7, author = {Cyble}, title = {{Deep Dive Analysis - Pandora Ransomware}}, date = {2022-03-15}, organization = {cyble}, url = {https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/}, language = {English}, urldate = {2022-09-19} } @online{cyble:20220322:hunters:c1cb18a, author = {Cyble}, title = {{Hunters Become The Hunted: Clipper Malware Disguised As AvD Crypto Stealer}}, date = {2022-03-22}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/}, language = {English}, urldate = {2022-03-23} } @online{cyble:20220324:coper:2c91f35, author = {Cyble}, title = {{Coper Banking Trojan: Android Malware Posing As Google Play Store App Installer}}, date = {2022-03-24}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/03/24/coper-banking-trojan/}, language = {English}, urldate = {2022-03-25} } @online{cyble:20220331:deep:88a14dc, author = {Cyble}, title = {{Deep Dive Analysis - Borat RAT}}, date = {2022-03-31}, url = {https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/}, language = {English}, urldate = {2022-04-04} } @online{cyble:20220401:dissecting:033ed24, author = {Cyble}, title = {{Dissecting Blackguard Info Stealer}}, date = {2022-04-01}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/}, language = {English}, urldate = {2022-04-01} } @online{cyble:20220405:new:06e0933, author = {Cyble}, title = {{A New Info Stealer Targeting Over 30 Browsers}}, date = {2022-04-05}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/05/inside-lightning-stealer/}, language = {English}, urldate = {2022-04-12} } @online{cyble:20220418:under:c48fd13, author = {Cyble}, title = {{Under The Lens: Eagle Monitor RAT - Upgraded Version Of RAT With New TTPs}}, date = {2022-04-18}, url = {https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/}, language = {English}, urldate = {2022-04-20} } @online{cyble:20220419:fake:7acd1c5, author = {Cyble}, title = {{Fake MetaMask App Steals Cryptocurrency}}, date = {2022-04-19}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/19/fake-metamask-app-steals-cryptocurrency/}, language = {English}, urldate = {2022-04-20} } @online{cyble:20220421:prynt:72c5fd3, author = {Cyble}, title = {{Prynt Stealer Spotted In The Wild}}, date = {2022-04-21}, organization = {cyble}, url = {https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/}, language = {English}, urldate = {2022-04-25} } @online{cyble:20220427:emotet:a8c919a, author = {Cyble}, title = {{Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims}}, date = {2022-04-27}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/}, language = {English}, urldate = {2022-05-04} } @online{cyble:20220520:malware:c20f29f, author = {Cyble}, title = {{Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon}}, date = {2022-05-20}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/}, language = {English}, urldate = {2022-05-23} } @online{cyble:20220607:bumblebee:9f2dc4a, author = {Cyble}, title = {{Bumblebee Loader on The Rise}}, date = {2022-06-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/}, language = {English}, urldate = {2022-06-09} } @online{cyble:20220701:xloader:dd3b118, author = {Cyble}, title = {{Xloader Returns With New Infection Technique}}, date = {2022-07-01}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/}, language = {English}, urldate = {2022-07-01} } @online{cyble:20220818:bianlian:642512f, author = {Cyble}, title = {{BianLian: New Ransomware Variant On The Rise}}, date = {2022-08-18}, organization = {cyble}, url = {https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/}, language = {English}, urldate = {2022-10-24} } @online{cyble:20220819:evilcoder:6460624, author = {Cyble}, title = {{EvilCoder Project Selling Multiple Dangerous Tools Online}}, date = {2022-08-19}, organization = {cyble}, url = {https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/}, language = {English}, urldate = {2022-12-01} } @online{cyble:20220829:mini:1f6a3e2, author = {Cyble}, title = {{Mini Stealer: Possible Predecessor Of Parrot Stealer}}, date = {2022-08-29}, organization = {cyble}, url = {https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/}, language = {English}, urldate = {2022-09-06} } @online{cyble:20220907:bumblebee:f4baf9f, author = {Cyble}, title = {{Bumblebee Returns With New Infection Technique}}, date = {2022-09-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/}, language = {English}, urldate = {2022-09-16} } @online{cyble:20221102:new:1c0c54e, author = {Cyble}, title = {{New Laplas Clipper Distributed via SmokeLoader}}, date = {2022-11-02}, organization = {cyble}, url = {https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/}, language = {English}, urldate = {2023-04-06} } @online{cyble:20221108:massive:0ed7213, author = {Cyble}, title = {{Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer}}, date = {2022-11-08}, organization = {cyble}, url = {https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/}, language = {English}, urldate = {2022-11-09} } @online{cyble:20221118:axlocker:76334d0, author = {Cyble}, title = {{AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns}}, date = {2022-11-18}, url = {https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/}, language = {English}, urldate = {2022-11-21} } @online{cyble:20221207:closer:f711811, author = {Cyble}, title = {{A Closer Look At BlackMagic Ransomware}}, date = {2022-12-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware/}, language = {English}, urldate = {2022-12-08} } @online{cyble:20221208:mallox:99e042a, author = {Cyble}, title = {{Mallox Ransomware showing signs of Increased Activity}}, date = {2022-12-08}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/}, language = {English}, urldate = {2022-12-19} } @online{cyble:20221227:pure:dead76c, author = {Cyble}, title = {{Pure coder offers multiple malware for sale in Darkweb forums}}, date = {2022-12-27}, organization = {cyble}, url = {https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/}, language = {English}, urldate = {2023-12-12} } @online{cyble:20230106:lummac2:4913d43, author = {Cyble}, title = {{LummaC2 Stealer: A Potent Threat To Crypto Users}}, date = {2023-01-06}, organization = {cyble}, url = {https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/}, language = {English}, urldate = {2023-01-06} } @online{cyble:20230112:rhadamanthys:c1e900e, author = {Cyble}, title = {{Rhadamanthys: New Stealer Spreading Through Google Ads}}, date = {2023-01-12}, organization = {Cybleinc}, url = {https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/}, language = {English}, urldate = {2023-01-16} } @online{cyble:20230119:gigabud:8ccd18e, author = {Cyble}, title = {{Gigabud RAT: New Android RAT Masquerading as Government Agencies}}, date = {2023-01-19}, organization = {cyble}, url = {https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/}, language = {English}, urldate = {2023-03-27} } @online{cyble:20230125:rise:db7b864, author = {Cyble}, title = {{The Rise of Amadey Bot: A Growing Concern for Internet Security}}, date = {2023-01-25}, organization = {cyble}, url = {https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/}, language = {English}, urldate = {2023-04-12} } @online{cyble:20230216:altoufan:0afde3c, author = {Cyble}, title = {{ALTOUFAN TEAM Targets the Middle East}}, date = {2023-02-16}, organization = {cyble}, url = {https://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/}, language = {English}, urldate = {2025-01-29} } @online{cyble:20230217:many:101a732, author = {Cyble}, title = {{The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods}}, date = {2023-02-17}, organization = {cyble}, url = {https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/}, language = {English}, urldate = {2023-02-21} } @online{cyble:20230309:blacksnake:fa8970a, author = {Cyble}, title = {{BlackSnake Ransomware Emerges from Chaos Ransomware’s Shadow}}, date = {2023-03-09}, url = {https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/}, language = {English}, urldate = {2023-03-13} } @online{cyble:20230309:nexus:3c35c34, author = {Cyble}, title = {{Nexus: The Latest Android Banking Trojan with SOVA Connections}}, date = {2023-03-09}, organization = {cyble}, url = {https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections}, language = {English}, urldate = {2023-03-13} } @online{cyble:20230315:unmasking:a81183c, author = {Cyble}, title = {{Unmasking MedusaLocker Ransomware}}, date = {2023-03-15}, organization = {Cybleinc}, url = {https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/}, language = {English}, urldate = {2023-03-20} } @online{cyble:20230323:cinoshi:6233dbe, author = {Cyble}, title = {{Cinoshi Project and the Dark Side of Free MaaS}}, date = {2023-03-23}, organization = {cyble}, url = {https://cyble.com/blog/cinoshi-project-and-the-dark-side-of-free-maas/}, language = {English}, urldate = {2023-08-23} } @online{cyble:20230329:creal:71dc6e7, author = {Cyble}, title = {{Creal: New Stealer Targeting Cryptocurrency Users Via Phishing Sites}}, date = {2023-03-29}, organization = {cyble}, url = {https://cyble.com/blog/creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites/}, language = {English}, urldate = {2024-04-04} } @online{cyble:20230331:comprehensive:39bc743, author = {Cyble}, title = {{A Comprehensive Analysis of the 3CX Attack}}, date = {2023-03-31}, organization = {cyble}, url = {https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack}, language = {English}, urldate = {2023-04-02} } @online{cyble:20230413:chameleon:a65a7fa, author = {Cyble}, title = {{Chameleon: A New Android Malware Spotted In The Wild}}, date = {2023-04-13}, organization = {cyble}, url = {https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/}, language = {English}, urldate = {2023-06-22} } @online{cyble:20230420:daam:8b46773, author = {Cyble}, title = {{DAAM Android Botnet being distributed through Trojanized Applications}}, date = {2023-04-20}, organization = {Cybleinc}, url = {https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/}, language = {English}, urldate = {2023-05-10} } @online{cyble:20230426:threat:480b98f, author = {Cyble}, title = {{Threat Actor Selling New Atomic macOS (AMOS) Stealer on Telegram}}, date = {2023-04-26}, organization = {cyble}, url = {https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/}, language = {English}, urldate = {2023-04-27} } @online{cyble:20230505:sophisticated:296eefd, author = {Cyble}, title = {{Sophisticated DarkWatchMan RAT Spreads Through Phishing Sites}}, date = {2023-05-05}, organization = {cyble}, url = {https://cyble.com/blog/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/}, language = {English}, urldate = {2024-01-17} } @online{cyble:20230512:blacksuit:1dbdf02, author = {Cyble}, title = {{BlackSuit Ransomware Strikes Windows and Linux Users}}, date = {2023-05-12}, organization = {cyble}, url = {https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/}, language = {English}, urldate = {2023-06-05} } @online{cyble:20230524:notable:f9b9f33, author = {Cyble}, title = {{Notable DDoS Attack Tools and Services Supporting Hacktivist Operations in 2023}}, date = {2023-05-24}, organization = {cyble}, url = {https://blog.cyble.com/2023/05/24/notable-ddos-attack-tools-and-services-supporting-hacktivist-operations-in-2023/}, language = {English}, urldate = {2023-11-27} } @online{cyble:20230525:invicta:d08499f, author = {Cyble and Cyble Research Labs}, title = {{Invicta Stealer Spreading Through Phony GoDaddy Refund Invoices}}, date = {2023-05-25}, organization = {cyble}, url = {https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/}, language = {English}, urldate = {2023-06-19} } @online{cyble:20230623:trojanized:b48eef2, author = {Cyble}, title = {{Trojanized Super Mario Game Installer Spreads SupremeBot Malware}}, date = {2023-06-23}, organization = {cyble}, url = {https://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/}, language = {English}, urldate = {2023-07-02} } @online{cyble:20231010:threat:4adb5be, author = {Cyble}, title = {{Threat Actor deploys Mythic’s Athena Agent to target Russian Semiconductor Suppliers}}, date = {2023-10-10}, organization = {cyble}, url = {https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/}, language = {English}, urldate = {2023-10-12} } @online{cyble:20231204:trickmos:6fc37ec, author = {Cyble}, title = {{TrickMo's Return: Banking Trojan Resurgence With New Features}}, date = {2023-12-04}, organization = {cyble}, url = {https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/}, language = {English}, urldate = {2024-10-29} } @online{cyble:20240112:sneaky:8902c3c, author = {Cyble}, title = {{Sneaky Azorult Back in Action and Goes Undetected}}, date = {2024-01-12}, organization = {cyble}, url = {https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/}, language = {English}, urldate = {2024-02-13} } @online{cyble:20240312:xehook:ef1b4d1, author = {Cyble}, title = {{Xehook Stealer: Evolution of Cinoshi’s Project Targeting Over 100 Cryptocurrencies and 2FA Extensions (paywall)}}, date = {2024-03-12}, organization = {cyble}, url = {https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/}, language = {English}, urldate = {2024-05-17} } @online{cyble:20240516:new:0be3338, author = {Cyble}, title = {{New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates}}, date = {2024-05-16}, organization = {cyble}, url = {https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/}, language = {English}, urldate = {2025-02-12} } @online{cyble:20240520:tiny:f9d0bc7, author = {Cyble}, title = {{Tiny BackDoor Goes Undetected – Suspected Turla leveraging MSBuild to Evade detection}}, date = {2024-05-20}, organization = {cyble}, url = {https://cyble.com/blog/tiny-backdoor-goes-undetected-suspected-turla-leveraging-msbuild-to-evade-detection/}, language = {English}, urldate = {2024-10-21} } @online{cyble:20240610:vietnamese:886c1d6, author = {Cyble}, title = {{Vietnamese Entities Targeted by China-Linked Mustang Panda in Cyber Espionage}}, date = {2024-06-10}, organization = {cyble}, url = {https://cyble.com/blog/vietnamese-entities-targeted-by-china-linked-mustang-panda-in-cyber-espionage/}, language = {English}, urldate = {2024-12-16} } @online{cyble:20240814:cryptocurrency:42c6067, author = {Cyble}, title = {{Cryptocurrency Lures and Pupy RAT: Analysing the UTG-Q-010 Campaign}}, date = {2024-08-14}, organization = {cyble}, url = {https://cyble.com/blog/analysing-the-utg-q-010-campaign/}, language = {English}, urldate = {2024-09-27} } @online{cyble:20240904:intricate:6c8e6bf, author = {Cyble}, title = {{The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government}}, date = {2024-09-04}, organization = {cyble}, url = {https://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/}, language = {English}, urldate = {2024-09-13} } @online{cyble:20240926:nexe:4293b4a, author = {Cyble}, title = {{Nexe Backdoor Unleashed: Patchwork APT Group’s Sophisticated Evasion of Defenses}}, date = {2024-09-26}, organization = {cyble}, url = {https://cyble.com/blog/nexe-backdoor-unleashed-patchwork-apt-groups-sophisticated-evasion-of-defenses/}, language = {English}, urldate = {2024-10-21} } @online{cyble:20241014:hidden:2bd9d14, author = {Cyble}, title = {{Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus}}, date = {2024-10-14}, organization = {cyble}, url = {https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/}, language = {English}, urldate = {2024-10-15} } @online{cyble:20241029:phishing:a379dbf, author = {Cyble}, title = {{Phishing Campaign Targeting Ukraine: UAC-0215 Threatens National Security}}, date = {2024-10-29}, organization = {cyble}, url = {https://cyble.com/blog/phishing-campaign-targeting-ukraine-uac-0215/}, language = {English}, urldate = {2024-11-04} } @online{cyble:20241210:head:adc27a2, author = {Cyble}, title = {{Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor}}, date = {2024-12-10}, organization = {cyble}, url = {https://cyble.com/blog/head-mare-deploys-phantomcore-against-russia/}, language = {English}, urldate = {2025-03-21} } @online{cyble:20250205:stealthy:07a8558, author = {Cyble}, title = {{Stealthy Attack: Dual Injection Undermines Chrome’s App-Bound Encryption}}, date = {2025-02-05}, organization = {cyble}, url = {https://cyble.com/blog/dual-injection-undermines-chromes-encryption/}, language = {English}, urldate = {2025-02-17} } @online{cyble:20250212:btmob:dccfbc6, author = {Cyble}, title = {{BTMOB RAT: Newly Discovered Android Malware Spreading via Phishing Sites}}, date = {2025-02-12}, organization = {cyble}, url = {https://cyble.com/blog/btmob-rat-newly-discovered-android-malware/}, language = {English}, urldate = {2025-05-26} } @online{cyble:20250328:tsarbot:e6d45f2, author = {Cyble}, title = {{TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications}}, date = {2025-03-28}, organization = {cyble}, url = {https://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector/}, language = {English}, urldate = {2025-04-10} } @online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } @online{cybleinc:20210215:ngrok:32c877d, author = {cybleinc}, title = {{Ngrok Platform Abused by Hackers to Deliver a New Wave of Phishing Attacks}}, date = {2021-02-15}, organization = {cyble}, url = {https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/}, language = {English}, urldate = {2021-02-20} } @online{cybleinc:20210419:zloader:f7ffa0a, author = {cybleinc}, title = {{ZLoader Returns Through Spelevo Exploit Kit & Phishing Campaign}}, date = {2021-04-19}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/}, language = {English}, urldate = {2021-04-28} } @online{cybleinc:20210421:donot:3c9e847, author = {cybleinc}, title = {{Donot Team APT Group Is Back To Using Old Malicious Patterns}}, date = {2021-04-21}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/}, language = {English}, urldate = {2023-07-24} } @online{cybleinc:20210430:transparent:1df2639, author = {cybleinc}, title = {{Transparent Tribe Operating with a New Variant of Crimson RAT}}, date = {2021-04-30}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/}, language = {English}, urldate = {2021-05-03} } @online{cybleinc:20210502:mobile:8f117f2, author = {cybleinc}, title = {{Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus}}, date = {2021-05-02}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/}, language = {English}, urldate = {2021-05-03} } @online{cybleinc:20210603:deep:0077231, author = {cybleinc}, title = {{Deep Dive into BlackCocaine Ransomware}}, date = {2021-06-03}, organization = {cyble}, url = {https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/}, language = {English}, urldate = {2021-06-07} } @online{cybleinc:20210605:prometheus:bf079f6, author = {cybleinc}, title = {{Prometheus: An Emerging Ransomware Group Using Thanos Ransomware To Target Organizations}}, date = {2021-06-05}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/}, language = {English}, urldate = {2021-07-20} } @online{cybleinc:20210621:djvu:7e58962, author = {cybleinc}, title = {{DJVU Malware of STOP Ransomware Family Back with New Variant}}, date = {2021-06-21}, organization = {cyble}, url = {https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/}, language = {English}, urldate = {2021-06-24} } @online{cybleinc:20210622:android:fed4661, author = {cybleinc}, title = {{Android Application Disguised as Dating App Targets Indian Military Personnel}}, date = {2021-06-22}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/}, language = {English}, urldate = {2021-07-02} } @online{cybleinc:20210703:uncensored:f43cf7f, author = {cybleinc}, title = {{Uncensored Interview with REvil / Sodinokibi Ransomware Operators}}, date = {2021-07-03}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/}, language = {English}, urldate = {2021-07-11} } @online{cybleinc:20210730:aberebot:25abf6e, author = {cybleinc}, title = {{Aberebot on the Rise: New Banking Trojan Targeting Users Through Phishing}}, date = {2021-07-30}, organization = {cyble}, url = {https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/}, language = {English}, urldate = {2021-08-02} } @online{cybleinc:20210802:deepdive:ed9c9d9, author = {cybleinc}, title = {{A Deep-Dive Analysis Of A New Wiper Malware Disguised As Tokyo Olympics Document}}, date = {2021-08-02}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/}, language = {English}, urldate = {2021-08-20} } @online{cybleinc:20210825:lockfile:0bc870f, author = {cybleinc}, title = {{​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell}}, date = {2021-08-25}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/}, language = {English}, urldate = {2021-08-31} } @online{cyfirma:20220531:yashma:7fb43c9, author = {cyfirma}, title = {{Yashma Ransomware Report}}, date = {2022-05-31}, organization = {Cyfirma}, url = {https://www.cyfirma.com/outofband/yashma-ransomware-report/}, language = {English}, urldate = {2022-06-11} } @online{cyfirma:20220829:cosmicduke:9cecbd7, author = {cyfirma}, title = {{CosmicDuke Malware Analysis Report}}, date = {2022-08-29}, organization = {Cyfirma}, url = {https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/}, language = {English}, urldate = {2022-09-20} } @online{cyfirma:20230512:evolution:35006e7, author = {cyfirma}, title = {{Evolution of KILLNET from Hacktivism to Private Hackers Company and the Role of Sub-groups}}, date = {2023-05-12}, organization = {Cyfirma}, url = {https://www.cyfirma.com/?post_type=out-of-band&p=17397}, language = {English}, urldate = {2023-11-17} } @online{cyfirma:20231129:emerging:2fcce3d, author = {cyfirma}, title = {{Emerging MaaS Operator Sordeal Releases Nova Infostealer}}, date = {2023-11-29}, url = {https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/}, language = {English}, urldate = {2023-12-27} } @online{cyfirma:20240223:xeno:e8f6b1b, author = {cyfirma}, title = {{Xeno RAT: A New Remote Access Trojan with Advance Capabilities}}, date = {2024-02-23}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/}, language = {English}, urldate = {2024-12-06} } @online{cyfirma:20240327:syncscheduler:48e7fd6, author = {cyfirma}, title = {{Sync-Scheduler: A Dedicated Document Stealer}}, date = {2024-03-27}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/sync-scheduler-a-dedicated-document-stealer/}, language = {English}, urldate = {2025-01-15} } @online{cyfirma:20240730:mint:c7b5a02, author = {cyfirma}, title = {{Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer}}, date = {2024-07-30}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/mint-stealer-a-comprehensive-study-of-a-python-based-information-stealer/}, language = {English}, urldate = {2025-03-05} } @online{cyfirma:20240805:hamas:b300f57, author = {cyfirma}, title = {{Hamas Leadership Assassination Explainer}}, date = {2024-08-05}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/hamas-leadership-assassination-explainer/}, language = {English}, urldate = {2024-11-15} } @online{cyfirma:20241004:vilsa:1c1f09c, author = {cyfirma}, title = {{VILSA STEALER}}, date = {2024-10-04}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/vilsa-stealer/}, language = {English}, urldate = {2024-10-17} } @online{cyfirma:20250102:noneuclid:5e8091e, author = {cyfirma}, title = {{NonEuclid RAT}}, date = {2025-01-02}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/noneuclid-rat/}, language = {English}, urldate = {2025-01-09} } @online{cyfirma:20250210:tracking:42c9d40, author = {cyfirma}, title = {{Tracking Ransomware: January 2025}}, date = {2025-02-10}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/tracking-ransomware-january-2025/}, language = {English}, urldate = {2025-03-07} } @online{cyfirma:20250313:tracking:24f12c2, author = {cyfirma}, title = {{Tracking Ransomware: February 2025}}, date = {2025-03-13}, organization = {Cyfirma}, url = {https://www.cyfirma.com/research/tracking-ransomware-february-2025/}, language = {English}, urldate = {2025-03-21} } @techreport{cylance:20160406:operation:a141373, author = {Cylance}, title = {{Operation Cleaver}}, date = {2016-04-06}, institution = {Cylance}, url = {https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf}, language = {English}, urldate = {2022-07-29} } @techreport{cylance:20160406:operation:d4da7b5, author = {Cylance}, title = {{Operation Cleaver}}, date = {2016-04-06}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cylance:20181102:spyrats:67888b3, author = {Cylance}, title = {{The SpyRATs of OceanLotus}}, date = {2018-11-02}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cylera:20220308:link:2b7c36f, author = {Cylera}, title = {{The link between Kwampirs (Orangeworm) and Shamoon APTs}}, date = {2022-03-08}, institution = {Cylera}, url = {https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf}, language = {English}, urldate = {2022-03-10} } @techreport{cymmetria:2016:unveiling:da4224b, author = {Cymmetria}, title = {{Unveiling Patchwork: The Copy-Paste APT}}, date = {2016}, institution = {Cymmetria}, url = {https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf}, language = {English}, urldate = {2020-01-06} } @online{cymmetria:20170919:unveiling:e67fe90, author = {Cymmetria}, title = {{Unveiling Patchwork – a targeted attack caught with cyber deception}}, date = {2017-09-19}, organization = {Cymmetria}, url = {https://www.cymmetria.com/patchwork-targeted-attack/}, language = {English}, urldate = {2019-12-18} } @online{cymon:20250221:hows:73185e3, author = {Cymon}, title = {{How’s that for a malicious Linkc, new group launches DLS}}, date = {2025-02-21}, organization = {cyjax}, url = {https://www.cyjax.com/resources/blog/new-extortion-ransomware-group-linkc-emerges-what-you-need-to-know/}, language = {English}, urldate = {2025-03-21} } @online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } @online{cymru:20200219:azorult:de72301, author = {Team Cymru}, title = {{Azorult – what we see using our own tools}}, date = {2020-02-19}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/}, language = {English}, urldate = {2020-02-26} } @online{cymru:20200325:how:b1d8c31, author = {Team Cymru}, title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}}, date = {2020-03-25}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/}, language = {English}, urldate = {2020-07-13} } @online{cymru:20210118:apt36:e2e83ce, author = {Team Cymru}, title = {{Tweet on APT36 CrimsonRAT C2}}, date = {2021-01-18}, organization = {Twitter (@teamcymru)}, url = {https://twitter.com/teamcymru/status/1351228309632385027}, language = {English}, urldate = {2021-01-21} } @online{cymru:20220310:crimson:a646aac, author = {Team Cymru}, title = {{Tweet on Crimson RAT infrastructure used by APT36}}, date = {2022-03-10}, organization = {Twitter (@teamcymru_S2)}, url = {https://twitter.com/teamcymru_S2/status/1501955802025836546}, language = {English}, urldate = {2022-03-14} } @online{cymru:20220712:analysis:0949ce1, author = {Team Cymru}, title = {{An Analysis of Infrastructure linked to the Hagga Threat Actor}}, date = {2022-07-12}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor}, language = {English}, urldate = {2023-08-11} } @online{cymru:20230224:desde:d9ec280, author = {Team Cymru}, title = {{Desde Chile con Malware (From Chile with Malware)}}, date = {2023-02-24}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/from-chile-with-malware}, language = {English}, urldate = {2023-03-13} } @online{cymru:20230404:blog:94e7e30, author = {Team Cymru and S2 Research Team}, title = {{A Blog with NoName}}, date = {2023-04-04}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/a-blog-with-noname}, language = {English}, urldate = {2023-05-05} } @online{cymru:20230517:visualizing:a560ffb, author = {Team Cymru}, title = {{Visualizing QakBot Infrastructure}}, date = {2023-05-17}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/visualizing-qakbot-infrastructure}, language = {English}, urldate = {2023-05-21} } @online{cyr:20220323:mustang:3e97382, author = {Alexandre Côté Cyr}, title = {{Mustang Panda’s Hodur: Old tricks, new Korplug variant}}, date = {2022-03-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/}, language = {English}, urldate = {2022-03-24} } @online{cyr:20220325:mustang:4052776, author = {Alexandre Côté Cyr}, title = {{Mustang Panda's Hodur: Old stuff, new variant of Korplug}}, date = {2022-03-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/}, language = {French}, urldate = {2022-03-30} } @online{cyr:20230302:mqsttang:b7dee51, author = {Alexandre Côté Cyr}, title = {{MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT}}, date = {2023-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/}, language = {English}, urldate = {2023-03-13} } @online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } @online{cytec:20220414:404:a7dc53d, author = {DCSO CyTec and Axel Wauer}, title = {{404 — File still found}}, date = {2022-04-14}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c}, language = {English}, urldate = {2024-04-10} } @online{cytec:20240130:reporting:6dfbed2, author = {DCSO CyTec}, title = {{Reporting on Volt Typhoon’s “JDY” Botnet Administration Via Tor Sparks Questions}}, date = {2024-01-30}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/reporting-on-volt-typhoons-jdy-botnet-administration-via-tor-sparks-questions-c4c5f4afcae5}, language = {English}, urldate = {2024-01-31} } @online{cytec:20240319:how:7133257, author = {DCSO CyTec}, title = {{How Rogue ISPs Tamper With Geofeeds}}, date = {2024-03-19}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/how-rogue-isps-tamper-with-geofeeds-4dbc38db4123}, language = {English}, urldate = {2024-03-25} } @online{cytec:20240409:xz:1fe2cab, author = {DCSO CyTec}, title = {{XZ Backdoor: How to check if your systems are affected}}, date = {2024-04-09}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/xz-backdoor-how-to-check-if-your-systems-are-affected-fb169b638271}, language = {English}, urldate = {2024-04-11} } @online{cyware:20190822:apt34:3439fde, author = {Cyware}, title = {{APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations}}, date = {2019-08-22}, organization = {Cyware}, url = {https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae}, language = {English}, urldate = {2021-06-29} } @online{cyware:20210214:hildegard:580418b, author = {Cyware}, title = {{Hildegard: TeamTNT’s New Feature-Rich Malware Targeting Kubernetes}}, date = {2021-02-14}, organization = {Cyware}, url = {https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45}, language = {English}, urldate = {2021-03-12} } @online{cyware:20220207:apt27:e900fc7, author = {Cyware}, title = {{APT27 Group Targets German Organizations with HyperBro}}, date = {2022-02-07}, organization = {Cyware}, url = {https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/}, language = {English}, urldate = {2022-02-09} } @online{cyware:20220207:newly:670676e, author = {Cyware}, title = {{Newly Found Sugar Ransomware is Now Being Offered as RaaS}}, date = {2022-02-07}, organization = {Cyware}, url = {https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69}, language = {English}, urldate = {2022-02-09} } @online{cyware:20220214:ransomware:e449514, author = {Cyware}, title = {{Ransomware Becomes Deadlier, Conti Makes the Most Money}}, date = {2022-02-14}, url = {https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/}, language = {English}, urldate = {2022-02-16} } @online{cyware:20220302:trickbots:8f22fd7, author = {Cyware}, title = {{TrickBot’s AnchorDNS is Now Upgraded to AnchorMail}}, date = {2022-03-02}, organization = {Cyware}, url = {https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/}, language = {English}, urldate = {2022-03-07} } @online{cyware:20220309:ragnar:21beccd, author = {Cyware}, title = {{Ragnar Locker Breached 52 Organizations and Counting, FBI Warns}}, date = {2022-03-09}, organization = {Cyware}, url = {https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/}, language = {English}, urldate = {2022-03-10} } @online{cyware:20220504:chinese:58cae39, author = {Cyware}, title = {{Chinese Naikon Group Back with New Espionage Attack}}, date = {2022-05-04}, organization = {Cyware}, url = {https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d}, language = {English}, urldate = {2022-08-22} } @online{czy:20200715:indepth:9a7c4dd, author = {Bartlomiej Czyż}, title = {{An in-depth analysis of SpyNote remote access trojan}}, date = {2020-07-15}, organization = {Relativity}, url = {https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan}, language = {English}, urldate = {2020-11-06} } @techreport{d00rt:20180706:lokibot:6508667, author = {d00rt}, title = {{LokiBot Infostealer Jihacked Version}}, date = {2018-07-06}, institution = {Github (d00rt)}, url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf}, language = {English}, urldate = {2020-01-10} } @online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = {https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } @online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } @online{d4ntescode:20230810:titansourcecode:b3fb2bf, author = {D4NTESCODE}, title = {{TitanSourceCode}}, date = {2023-08-10}, organization = {Github (D4NTESCODE)}, url = {https://github.com/D4NTESCODE/TitanStealerSource}, language = {English}, urldate = {2023-09-04} } @online{d:20151019:github:b15ea7e, author = {Anderson D}, title = {{Github Repository for AllaKore}}, date = {2015-10-19}, organization = {Github (Anderson-D)}, url = {https://github.com/Anderson-D/AllaKore}, language = {English}, urldate = {2020-01-08} } @online{daavid:20140623:havex:21f2ca4, author = {Daavid}, title = {{Havex Hunts For ICS/SCADA Systems}}, date = {2014-06-23}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002718.html}, language = {English}, urldate = {2020-01-09} } @online{daemon9:19970901:loki2:a6a4651, author = {daemon9}, title = {{LOKI2 (the implementation)}}, date = {1997-09-01}, organization = {Phrack Magazine}, url = {http://phrack.org/issues/51/6.html}, language = {English}, urldate = {2023-09-26} } @online{dahan:20170425:shadowwali:565d1c1, author = {Assaf Dahan}, title = {{ShadowWali: New variant of the xxmm family of backdoors}}, date = {2017-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors}, language = {English}, urldate = {2020-02-11} } @online{dahan:20170524:operation:d79be79, author = {Assaf Dahan}, title = {{Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group}}, date = {2017-05-24}, organization = {Cybereason}, url = {https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/}, language = {English}, urldate = {2020-01-09} } @online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } @online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } @online{dahan:20191120:phoenix:9c5d752, author = {Assaf Dahan}, title = {{Phoenix: The Tale of the Resurrected Keylogger}}, date = {2019-11-20}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger}, language = {English}, urldate = {2020-02-11} } @online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} } @online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} } @online{dahan:20210803:deadringer:908e8d5, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}}, date = {2021-08-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos}, language = {English}, urldate = {2021-08-06} } @online{dahan:20231106:agonizing:56ab41a, author = {Assaf Dahan and Daniel Frank and Or Chechik and Tom Fakterman}, title = {{Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors}}, date = {2023-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/}, language = {English}, urldate = {2024-12-11} } @online{dahl:20130503:department:8be1534, author = {Matt Dahl}, title = {{Department of Labor Strategic Web Compromise}}, date = {2013-05-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20131010:regional:120d284, author = {Matt Dahl}, title = {{Regional Conflict and Cyber Blowback}}, date = {2013-10-10}, organization = {CrowdStrike}, url = {https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/}, language = {English}, urldate = {2020-05-18} } @online{dahl:20140513:cat:e5c45ff, author = {Matt Dahl}, title = {{Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN}}, date = {2014-05-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20141124:i:38a6ade, author = {Matt Dahl}, title = {{I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors}}, date = {2014-11-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20190125:widespread:48d15a3, author = {Matt Dahl}, title = {{Widespread DNS Hijacking Activity Targets Multiple Sectors}}, date = {2019-01-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20200601:malware:aa6f2ab, author = {Matt Dahl}, title = {{Tweet on malware called knspy used by Donot}}, date = {2020-06-01}, organization = {Twitter (@voodoodahl1)}, url = {https://twitter.com/voodoodahl1/status/1267571622732578816}, language = {English}, urldate = {2023-07-24} } @online{dahms:20140602:molerats:8b00d0d, author = {Timothy Dahms}, title = {{Molerats, Here for Spring!}}, date = {2014-06-02}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html}, language = {English}, urldate = {2019-12-20} } @online{dai:20211214:collecting:3d6dd34, author = {Nick Dai and Ted Lee and Vickie Su}, title = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}}, date = {2021-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html}, language = {English}, urldate = {2022-03-30} } @online{dai:20221118:earth:e3e474b, author = {Nick Dai and Vickie Su and Sunny Lu}, title = {{Earth Preta Spear-Phishing Governments Worldwide}}, date = {2022-11-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html}, language = {English}, urldate = {2023-08-03} } @online{dai:20250425:earth:9d5b4be, author = {Nick Dai and Sunny Lu}, title = {{Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors}}, date = {2025-04-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html}, language = {English}, urldate = {2025-05-22} } @online{daihes:20210113:detecting:a348691, author = {Yael Daihes}, title = {{Detecting Mylobot, unseen DGA based malware, using Deep Learning}}, date = {2021-01-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html}, language = {English}, urldate = {2021-01-26} } @online{dailydarkweb:20240813:sensitive:102e782, author = {DailyDarkWeb}, title = {{Sensitive Israeli Ministry Data Allegedly Leaked on Dark Web}}, date = {2024-08-13}, organization = {DailyDarkWeb}, url = {https://dailydarkweb.net/sensitive-israeli-ministry-data-allegedly-leaked-on-dark-web/}, language = {English}, urldate = {2024-09-27} } @online{dailydarkweb:20240820:threat:eac207f, author = {DailyDarkWeb}, title = {{Threat Actor Claims Breach of Siam Cement Group Database}}, date = {2024-08-20}, organization = {DailyDarkWeb}, url = {https://dailydarkweb.net/threat-actor-claims-breach-of-siam-cement-group-database/}, language = {English}, urldate = {2024-10-21} } @online{dailydarkweb:20240823:threat:32b533e, author = {DailyDarkWeb}, title = {{A Threat Actor Alleged Breach of Sri Lankan Farmers Community Database}}, date = {2024-08-23}, organization = {DailyDarkWeb}, url = {https://dailydarkweb.net/a-threat-actor-alleged-breach-of-sri-lankan-farmers-community-database/}, language = {English}, urldate = {2024-09-27} } @online{dailydarkweb:20240827:threat:57289d3, author = {DailyDarkWeb}, title = {{Threat Actor Claimed to Breach Database of DimeCuba}}, date = {2024-08-27}, organization = {DailyDarkWeb}, url = {https://dailydarkweb.net/threat-actor-claimed-to-breach-database-of-dimecuba/}, language = {English}, urldate = {2024-10-21} } @online{dailydarkweb:20240903:lulzsec:84f9878, author = {DailyDarkWeb}, title = {{LulzSec Black Claims Cyberattacks on Emirati Government and Other Sector Targets}}, date = {2024-09-03}, organization = {DailyDarkWeb}, url = {https://dailydarkweb.net/lulzsec-black-claims-cyberattacks-on-emirati-government-and-other-sector-targets/}, language = {English}, urldate = {2024-11-04} } @online{dailydarkweb:20241029:darkraas:d08e888, author = {DailyDarkWeb}, title = {{DarkRaas Allegedly Breached a Major Oil and Gas Company}}, date = {2024-10-29}, organization = {DailyDarkWeb}, url = {https://dailydarkweb.net/darkraas-allegedly-breached-a-major-oil-and-gas-company/}, language = {English}, urldate = {2024-11-04} } @online{daji:20220805:dga:b184bd8, author = {Daji and suqitian}, title = {{The DGA family Orchard continues to change, and the new version generates DGA domain names using Bitcoin transaction information}}, date = {2022-08-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/orchard-dga/}, language = {Chinese}, urldate = {2022-09-21} } @online{dallas:20190326:babylon:32e6481, author = {Korben Dallas}, title = {{Tweet on Babylon RAT IOCs}}, date = {2019-03-26}, organization = {Twitter (@KorbenD_Intel)}, url = {https://twitter.com/KorbenD_Intel/status/1110654679980085262}, language = {English}, urldate = {2020-01-13} } @online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } @online{dalman:20210602:under:2e7083b, author = {Josh Dalman and Heather Smith}, title = {{Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware}}, date = {2021-06-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/}, language = {English}, urldate = {2021-06-09} } @online{dalman:20210618:ransomware:2c31db2, author = {Josh Dalman and Heather Smith}, title = {{Ransomware Actors Evolved Their Operations in 2020}}, date = {2021-06-18}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-actors-evolved-operations-in-2020/}, language = {English}, urldate = {2021-06-22} } @techreport{damico:20230629:disk:3aabc63, author = {Luca D'Amico}, title = {{Disk Knight Worm Analysis}}, date = {2023-06-29}, institution = {}, url = {https://www.lucadamico.dev/papers/malware_analysis/DiskKnight.pdf}, language = {English}, urldate = {2023-11-13} } @online{dan:20180208:merlin:cfc9e6b, author = {Action Dan}, title = {{Merlin for Red Teams}}, date = {2018-02-08}, organization = {Lockboxx}, url = {http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html}, language = {English}, urldate = {2020-01-09} } @online{danchev:20080610:whos:504e579, author = {Dancho Danchev}, title = {{Who's behind the GPcode ransomware?}}, date = {2008-06-10}, organization = {ZDNet}, url = {http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{danchev:20120928:dissecting:1ee1a3f, author = {Dancho Danchev}, title = {{Dissecting 'Operation Ababil' - an OSINT Analysis}}, date = {2012-09-28}, organization = {Dancho Danchev's Blog}, url = {http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html}, language = {English}, urldate = {2020-01-10} } @online{dang:20101227:adventures:a04e4f7, author = {Bruce Dang and Peter Ferrie}, title = {{Adventures in analyzing Stuxnet}}, date = {2010-12-27}, organization = {media.ccc.de}, url = {https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet}, language = {English}, urldate = {2022-09-12} } @online{dangu:20180123:uncovering:a3ba605, author = {Jerome Dangu}, title = {{Uncovering 2017’s Largest Malvertising Operation}}, date = {2018-01-23}, organization = {Confiant}, url = {https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85}, language = {English}, urldate = {2019-12-24} } @online{dangu:20180305:zirconium:06d9e29, author = {Jerome Dangu}, title = {{Zirconium was one step ahead of Chrome’s redirect blocker with 0-day}}, date = {2018-03-05}, organization = {Confiant}, url = {https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d}, language = {English}, urldate = {2020-01-09} } @online{dangu:20210203:malvertising:eb3d8cb, author = {Jerome Dangu}, title = {{Malvertising: Made in China}}, date = {2021-02-03}, organization = {Medium Confiant}, url = {https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0}, language = {English}, urldate = {2021-02-04} } @online{dani:20220301:ukrainian:c196036, author = {Mayuresh Dani}, title = {{Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware}}, date = {2022-03-01}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware}, language = {English}, urldate = {2022-03-04} } @online{dannythesloth:20190608:vanilla:bcf3518, author = {DannyTheSloth}, title = {{Vanilla RAT}}, date = {2019-06-08}, organization = {Github (DannyTheSloth)}, url = {https://github.com/DannyTheSloth/VanillaRAT}, language = {English}, urldate = {2020-01-13} } @online{dantas:20220728:living:3cc6f4f, author = {Júlio Dantas and James Haughom and Julien Reisdorffer}, title = {{Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool}}, date = {2022-07-28}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/}, language = {English}, urldate = {2022-08-01} } @techreport{dantzig:20191219:operation:96804be, author = {Maarten van Dantzig and Erik Schamper}, title = {{Operation Wocao: Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, institution = {Fox-IT}, url = {https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf}, language = {English}, urldate = {2020-01-13} } @online{dardikman:20250708:google:214372d, author = {Idan Dardikman}, title = {{Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware.}}, date = {2025-07-08}, organization = {Koi Security}, url = {https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5}, language = {English}, urldate = {2025-07-09} } @online{darkowl:20211022:page:90c7728, author = {Darkowl}, title = {{“Page Not Found”: REvil Darknet Services Offline After Attack Last Weekend}}, date = {2021-10-22}, organization = {Darkowl}, url = {https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend}, language = {English}, urldate = {2021-10-26} } @online{darkowl:20220627:dark:819e3a5, author = {Darkowl}, title = {{Dark Web Cyber Group Spotlight: SiegedSec}}, date = {2022-06-27}, organization = {Darkowl}, url = {https://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/}, language = {English}, urldate = {2023-12-04} } @online{darkowl:20231214:2:6582a2a, author = {Darkowl}, title = {{2 Month Review of Cyber Activities in the Israel Hamas Conflict}}, date = {2023-12-14}, organization = {Darkowl}, url = {https://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/}, language = {English}, urldate = {2024-12-11} } @online{darkowl:20240514:what:f767545, author = {Darkowl}, title = {{What are CVEs?}}, date = {2024-05-14}, organization = {Darkowl}, url = {https://www.darkowl.com/blog-content/what-are-cves/}, language = {English}, urldate = {2025-03-07} } @online{darkquassar:20180302:tales:c6d0af0, author = {Twitter (@darkquassar)}, title = {{Tales of a Threat Hunter 2 Following the trace of WMI Backdoors & other nastiness}}, date = {2018-03-02}, organization = {eideon blog}, url = {https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/}, language = {English}, urldate = {2021-06-21} } @online{darksys0x:20230607:analysis:1acfd5e, author = {darksys0x}, title = {{Analysis and Reversing of srvnet2.sys}}, date = {2023-06-07}, organization = {darksys0x}, url = {https://darksys0x.net/Analysis-and-Reversing-of-srvnet2sys/}, language = {English}, urldate = {2023-12-04} } @online{darktrace:20220526:wormlike:26a9da3, author = {DarkTrace}, title = {{Worm-like propagation of Sysrv-hello crypto-jacking botnet: Network traffic analysis and latest TTPs}}, date = {2022-05-26}, organization = {Darktrace}, url = {https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet}, language = {English}, urldate = {2022-09-06} } @online{darktrace:20230906:rise:496a284, author = {DarkTrace}, title = {{The Rise of the Lumma Info-Stealer}}, date = {2023-09-06}, organization = {Darktrace}, url = {https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer}, language = {English}, urldate = {2023-09-11} } @online{darktrace:20240726:disarming:2591df0, author = {DarkTrace}, title = {{Disarming the WarmCookie Backdoor: Darktrace’s Oven-Ready Solution}}, date = {2024-07-26}, organization = {Darktrace}, url = {https://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution}, language = {English}, urldate = {2024-11-15} } @online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } @online{darnell:20240815:beyond:7220085, author = {Roy Darnell}, title = {{Beyond the Hype: Unveiling the Realities of WormGPT in Cybersecurity}}, date = {2024-08-15}, url = {https://www.darkreading.com/vulnerabilities-threats/beyond-the-hype-unveiling-realities-of-wormgpt-in-cybersecurity}, language = {English}, urldate = {2025-01-26} } @online{dart:20201221:advice:dd08ada, author = {Detection and Response Team (DART)}, title = {{Advice for incident responders on recovery from systemic identity compromises}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/}, language = {English}, urldate = {2020-12-23} } @online{dart:20210211:web:c22c110, author = {Detection and Response Team (DART) and Microsoft 365 Defender Research Team}, title = {{Web shell attacks continue to rise}}, date = {2021-02-11}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/}, language = {English}, urldate = {2021-02-20} } @online{dart:20210920:guide:8d2760b, author = {Detection and Response Team (DART)}, title = {{A guide to combatting human-operated ransomware: Part 1}}, date = {2021-09-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/09/20/a-guide-to-combatting-human-operated-ransomware-part-1/}, language = {English}, urldate = {2021-09-22} } @online{dart:20210927:guide:40f51ba, author = {Detection and Response Team (DART)}, title = {{A guide to combatting human-operated ransomware: Part 2}}, date = {2021-09-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/09/27/a-guide-to-combatting-human-operated-ransomware-part-2/}, language = {English}, urldate = {2021-09-28} } @online{dart:20211026:protect:22b026a, author = {Detection and Response Team (DART)}, title = {{Protect your business from password sprays with Microsoft DART recommendations}}, date = {2021-10-26}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/}, language = {English}, urldate = {2021-11-03} } @online{dart:20220104:leveraging:36a7deb, author = {Microsoft Detection and Response Team (DART)}, title = {{Leveraging the Power of KQL in Incident Response}}, date = {2022-01-04}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/leveraging-the-power-of-kql-in-incident-response/ba-p/3044795}, language = {English}, urldate = {2022-03-14} } @online{dart:20220311:part:13e8665, author = {Microsoft Detection and Response Team (DART)}, title = {{Part 2: LockBit 2.0 ransomware bugs and database recovery attempts}}, date = {2022-03-11}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421}, language = {English}, urldate = {2022-03-14} } @online{dart:20220311:part:2a214e2, author = {Microsoft Detection and Response Team (DART)}, title = {{Part 1: LockBit 2.0 ransomware bugs and database recovery attempts}}, date = {2022-03-11}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354}, language = {English}, urldate = {2022-03-14} } @online{dart:20220322:dev0537:eea56dc, author = {Detection and Response Team (DART) and Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{DEV-0537 (UNC3661) criminal actor targeting organizations for data exfiltration and destruction}}, date = {2022-03-22}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/}, language = {English}, urldate = {2025-02-03} } @online{dart:20220412:tarrask:4789795, author = {Detection and Response Team (DART)}, title = {{Tarrask malware uses scheduled tasks for defense evasion}}, date = {2022-04-12}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/}, language = {English}, urldate = {2022-05-04} } @online{das:20210901:incredible:a90149e, author = {Aahir Das}, title = {{The Incredible Rise of DPRK’s Cyber Warfare}}, date = {2021-09-01}, organization = {CyBureau – The Institute for Cyber Policy Studies}, url = {http://blog.cybureau.org/the-incredible-rise-of-dprks-cyber-warfare/}, language = {English}, urldate = {2021-09-06} } @online{data:20140228:uroburos:f6fdb48, author = {G Data}, title = {{Uroburos - highly complex espionage software with Russian roots}}, date = {2014-02-28}, organization = {G Data Blog}, url = {https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots}, language = {English}, urldate = {2019-11-28} } @online{data:20140307:uroburos:22ddc69, author = {G Data}, title = {{Uroburos – Deeper travel into kernel protection mitigation}}, date = {2014-03-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation}, language = {English}, urldate = {2019-11-23} } @online{data:20140513:uroburos:a8b1175, author = {G Data}, title = {{Uroburos rootkit: Belgian Foreign Ministry stricken}}, date = {2014-05-13}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken}, language = {English}, urldate = {2019-10-27} } @online{data:20140602:analysis:1038a5f, author = {G Data}, title = {{Analysis of Uroburos, using WinDbg}}, date = {2014-06-02}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg}, language = {English}, urldate = {2020-01-09} } @online{data:20140731:poweliks:250c05f, author = {G Data}, title = {{Poweliks: the persistent malware without a file}}, date = {2014-07-31}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file}, language = {English}, urldate = {2020-01-10} } @online{data:20141030:com:0da80b3, author = {G Data}, title = {{COM Object hijacking: the discreet way of persistence}}, date = {2014-10-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence}, language = {English}, urldate = {2020-01-07} } @techreport{data:20141031:operation:9205b87, author = {G Data}, title = {{OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK}}, date = {2014-10-31}, institution = {G Data}, url = {https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf}, language = {English}, urldate = {2024-02-02} } @online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } @online{data:20150115:weiterentwicklung:a65efbe, author = {G Data}, title = {{Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT}}, date = {2015-01-15}, organization = {G Data}, url = {https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat}, language = {English}, urldate = {2020-01-08} } @online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } @online{data:20150218:babar:24e6c08, author = {G Data}, title = {{Babar: espionage software finally found and put under the microscope}}, date = {2015-02-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope}, language = {English}, urldate = {2019-12-02} } @online{data:20150507:dissecting:27b0271, author = {G Data}, title = {{Dissecting the “Kraken”}}, date = {2015-05-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken}, language = {English}, urldate = {2022-03-01} } @online{data:20160411:manamecrypt:06eda37, author = {G Data}, title = {{Manamecrypt – a ransomware that takes a different route}}, date = {2016-04-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route}, language = {English}, urldate = {2020-01-08} } @online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } @online{data:20170512:warning:162cfc4, author = {G Data}, title = {{Warning: Massive "WannaCry" Ransomware campaign launched}}, date = {2017-05-12}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign}, language = {English}, urldate = {2020-01-13} } @online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } @online{data:20170711:ordinypt:a3f61cf, author = {G Data}, title = {{Ordinypt hat es auf Benutzer aus Deutschland abgesehen}}, date = {2017-07-11}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/11/30151-ordinypt}, language = {Deutsch}, urldate = {2020-01-08} } @online{data:20170720:rurktar:fa8bc7e, author = {G Data}, title = {{Rurktar - Spyware under Construction}}, date = {2017-07-20}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction}, language = {English}, urldate = {2020-01-09} } @online{data:20171012:emotet:c99dec0, author = {G Data}, title = {{Emotet beutet Outlook aus}}, date = {2017-10-12}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus}, language = {English}, urldate = {2019-12-05} } @online{data:20191121:new:cbeb2e4, author = {G Data}, title = {{New SectopRAT: Remote access malware utilizes second desktop to control browsers}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers}, language = {English}, urldate = {2020-01-10} } @online{data:20200630:ransomware:3f071e1, author = {G Data}, title = {{Ransomware on the Rise: Buran’s transformation into Zeppelin}}, date = {2020-06-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin}, language = {English}, urldate = {2020-07-02} } @online{database:20211228:implantarmilobleeda:3e30a84, author = {Padvish Threats Database}, title = {{Implant.ARM.iLOBleed.a}}, date = {2021-12-28}, organization = {Padvish Threats Database}, url = {https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/}, language = {English}, urldate = {2022-01-03} } @online{datadog:20241024:tenacious:e74254a, author = {Datadog}, title = {{Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview}}, date = {2024-10-24}, organization = {Datadog}, url = {https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/}, language = {English}, urldate = {2024-10-29} } @online{daundkar:20220323:sysjoker:d8a1ba0, author = {Sagar Daundkar and Threat Analysis Unit}, title = {{SysJoker – An Analysis of a Multi-OS RAT}}, date = {2022-03-23}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html}, language = {English}, urldate = {2022-04-04} } @online{davenport:20141218:keypoint:4c1fd04, author = {Christian Davenport}, title = {{KeyPoint network breach could affect thousands of federal workers}}, date = {2014-12-18}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html}, language = {English}, urldate = {2020-01-13} } @online{davidecanali:20210908:advance:4742243, author = {Davide Canali and Crista Giering and Tim Kromphardt and Sam Scholten}, title = {{Advance Fee Fraud: The Emergence of Elaborate Crypto Schemes}}, date = {2021-09-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/advance-fee-fraud-emergence-elaborate-crypto-schemes}, language = {English}, urldate = {2021-09-14} } @online{davidpur:20240123:netsupport:5a87e66, author = {Ariel Davidpur}, title = {{NetSupport RAT hits again with new IOCs}}, date = {2024-01-23}, organization = {Medium ad12347}, url = {https://medium.com/@ad12347/netsupport-rat-hits-again-with-new-iocs-37318de44cfc}, language = {English}, urldate = {2024-01-24} } @online{davidpur:20240318:operation:c72a2c1, author = {Ariel Davidpur and Peleg Cabra}, title = {{Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT}}, date = {2024-03-18}, organization = {Perception Point}, url = {https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/}, language = {English}, urldate = {2024-03-25} } @online{davies:20171117:part:cf7e1c8, author = {Lloyd Davies}, title = {{[Part 1] - Analysing the New Linux/AES.DDoS IoT Malware}}, date = {2017-11-17}, organization = {LloydLabs}, url = {https://blog.syscall.party/post/aes-ddos-analysis-part-1/}, language = {English}, urldate = {2023-07-24} } @online{davila:20200518:eleethub:d605473, author = {Asher Davila and Yang Ji}, title = {{Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding}}, date = {2020-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/}, language = {English}, urldate = {2020-05-20} } @online{davila:20241119:frostygoops:5480836, author = {Asher Davila and Chris Navarrete}, title = {{FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications}}, date = {2024-11-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/}, language = {English}, urldate = {2025-02-03} } @techreport{davincifans101:20230325:analysis:40946b6, author = {davincifans101}, title = {{Analysis Report of Pinduoduo's Malicious Behaviors}}, date = {2023-03-25}, institution = {}, url = {https://raw.githubusercontent.com/davincifans101/pinduoduo_backdoor_detailed_report/main/report_en.pdf}, language = {English}, urldate = {2023-03-29} } @online{davis:20170921:apt33:52822d2, author = {Stuart Davis and Nick Carr}, title = {{APT33: New Insights into Iranian Cyber Espionage Group}}, date = {2017-09-21}, organization = {FireEye}, url = {https://www.brighttalk.com/webcast/10703/275683}, language = {English}, urldate = {2019-12-20} } @online{davis:20180529:mexico:d40bc2d, author = {Michelle Davis}, title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}}, date = {2018-05-29}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret}, language = {English}, urldate = {2020-01-07} } @online{davis:20210120:emulation:4061f1c, author = {Andrew Davis}, title = {{Emulation of Kernel Mode Rootkits With Speakeasy}}, date = {2021-01-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html}, language = {English}, urldate = {2021-01-25} } @techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } @online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } @online{davis:20250227:rise:efed643, author = {Nathaniel Davis and Nina Kollars}, title = {{The Rise of the Fake Tech Workforce: State-Sponsored Infiltration of U.S. Technical Supply Chains}}, date = {2025-02-27}, organization = {WAR ON THE ROCKS}, url = {https://warontherocks.com/2025/02/the-rise-of-the-fake-tech-workforce-state-sponsored-infiltration-of-u-s-technical-supply-chains/}, language = {English}, urldate = {2025-02-28} } @online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} } @online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } @online{dawson:20210830:hypervisor:81ca39b, author = {Michael Dawson}, title = {{Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/}, language = {English}, urldate = {2021-08-31} } @online{daydaynews:20200103:waterbear:b4818c4, author = {DayDayNews}, title = {{Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function}}, date = {2020-01-03}, organization = {DayDayNews}, url = {https://daydaynews.cc/zh-tw/technology/297265.html}, language = {Chinese}, urldate = {2021-04-20} } @online{daza:20220202:white:5b71f59, author = {Jason Daza and Manoj Khatiwada and Paul Brunney and Michael Wirtz and Group-IB}, title = {{White Rabbit Continued: Sardonic and F5}}, date = {2022-02-02}, organization = {lodestone}, url = {https://lodestone.com/insight/white-rabbit-continued-sardonic-and-f5/}, language = {English}, urldate = {2022-02-04} } @online{dcso:20190314:pegasusbuhtrap:2e48e0e, author = {DCSO}, title = {{Pegasus/Buhtrap analysis of the malware stage based on the leaked source code}}, date = {2019-03-14}, organization = {DCSO}, url = {https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code}, language = {English}, urldate = {2021-02-06} } @online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/}, language = {English}, urldate = {2021-12-13} } @online{dcso:20200116:curious:15c5610, author = {DCSO}, title = {{A Curious Case of CVE-2019-19781 Palware: remove_bds}}, date = {2020-01-16}, organization = {DCSO}, url = {https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/}, language = {English}, urldate = {2021-02-06} } @online{ddash:20201112:lootwodniw:03198af, author = {ddash}, title = {{Tweet on Lootwodniw}}, date = {2020-11-12}, organization = {Twitter (@ddash_ct)}, url = {https://twitter.com/ddash_ct/status/1326887125103616000}, language = {English}, urldate = {2020-12-03} } @online{ddos:20240509:cybersecurity:f83130d, author = {DDOS}, title = {{Cybersecurity Firm Hacked: Sensitive Data on Sale}}, date = {2024-05-09}, organization = {Meterpreter}, url = {https://meterpreter.org/cybersecurity-firm-hacked-sensitive-data-on-sale/}, language = {English}, urldate = {2024-09-04} } @online{de:20230424:us:baa28b6, author = {Nikhilesh De and Jesse Hamilton}, title = {{U.S. Sanctions 3 North Koreans for Supporting Hacking Group Known for Crypto Thefts}}, date = {2023-04-24}, organization = {CoinDesk}, url = {https://www.coindesk.com/policy/2023/04/24/us-sanctions-3-north-koreans-for-supporting-hacking-group-known-for-crypto-thefts/}, language = {English}, urldate = {2023-04-25} } @online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20210315:hafnium:02beddd, author = {Joshua Deacon}, title = {{HAFNIUM, China Chopper and ASP.NET Runtime}}, date = {2021-03-15}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/}, language = {English}, urldate = {2021-03-22} } @online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } @techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } @online{decristofaro:20210803:squashing:ba231ef, author = {Michael DeCristofaro and Eric Loui and Josh Reynolds}, title = {{Squashing SPIDERS: Threat Intelligence, Threat Hunting and Rapid Response Stops SQL Injection Campaign}}, date = {2021-08-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-stopped-an-sql-injection-campaign/}, language = {English}, urldate = {2021-08-31} } @online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } @online{dedenok:20220516:html:b44d1c9, author = {Roman Dedenok}, title = {{HTML attachments in phishing e-mails}}, date = {2022-05-16}, organization = {Kaspersky}, url = {https://securelist.com/html-attachments-in-phishing-e-mails/106481/}, language = {English}, urldate = {2022-05-17} } @online{dedenok:20220923:mass:217302e, author = {Roman Dedenok and Artem Ushkov}, title = {{Mass email campaign with a pinch of targeted spam}}, date = {2022-09-23}, organization = {Kaspersky}, url = {https://securelist.com/agent-tesla-malicious-spam-campaign/107478/}, language = {English}, urldate = {2022-09-27} } @online{dedola:20200820:transparent:b63fac6, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 1}}, date = {2020-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-1/98127/}, language = {English}, urldate = {2020-08-24} } @online{dedola:20200826:transparent:b6f0422, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 2}}, date = {2020-08-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-2/98233/}, language = {English}, urldate = {2020-08-27} } @online{dedola:20220621:toddycat:20bf8db, author = {Giampaolo Dedola}, title = {{APT ToddyCat: Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia}}, date = {2022-06-21}, organization = {Kaspersky}, url = {https://securelist.com/toddycat/106799/}, language = {English}, urldate = {2022-06-22} } @online{dedola:20230523:meet:aa244e9, author = {Giampaolo Dedola}, title = {{Meet the GoldenJackal APT group. Don’t expect any howls}}, date = {2023-05-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/goldenjackal-apt-group/109677/}, language = {English}, urldate = {2023-05-23} } @online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } @online{dee:20200129:borr:528fccb, author = {Dee}, title = {{Tweet on Borr}}, date = {2020-01-29}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1222704498923032576}, language = {English}, urldate = {2020-02-13} } @online{dee:20210826:vulturi:74e3f14, author = {Dee}, title = {{Tweet on Vulturi Stealer and it's c2 panel}}, date = {2021-08-26}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1430604948241276928?s=20}, language = {English}, urldate = {2021-08-31} } @online{dee:20220103:live:335a0a9, author = {Dee}, title = {{Tweet on a live C2 panel for Mint stealer}}, date = {2022-01-03}, url = {https://twitter.com/ViriBack/status/1610393842787704835}, language = {English}, urldate = {2023-01-04} } @online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } @techreport{defense:20200901:military:670494d, author = {US Department of Defense}, title = {{Military and Security Developments Involving the People’s Republic of China 2020}}, date = {2020-09-01}, institution = {US Department of Defense}, url = {https://media.defense.gov/2020/Sep/01/2002488689/-1/-1/1/2020-DOD-CHINA-MILITARY-POWER-REPORT-FINAL.PDF}, language = {English}, urldate = {2020-09-01} } @online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } @techreport{defense:20210216:creation:d20a363, author = {US Department of Defense}, title = {{The creation of the 2020 ComRATv4 illustration}}, date = {2021-02-16}, institution = {US Department of Defense}, url = {https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf}, language = {English}, urldate = {2021-03-25} } @online{defense:20210706:marsdeimos:ebe87c7, author = {Binary Defense}, title = {{Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)}}, date = {2021-07-06}, organization = {Binary Defense}, url = {https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/}, language = {English}, urldate = {2021-07-24} } @online{defense:20210716:marsdeimos:c0e4144, author = {Binary Defense}, title = {{Mars-Deimos: From Jupiter to Mars and Back again (Part Two)}}, date = {2021-07-16}, organization = {Binary Defense}, url = {https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/}, language = {English}, urldate = {2021-07-24} } @online{defense:20211020:two:9a20bdc, author = {US Department of Defense}, title = {{Two Individuals (Pavel Stassi & Aleksandr Skorodumov) Sentenced for Providing “Bulletproof Hosting” for Cybercriminals}}, date = {2021-10-20}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/two-individuals-sentenced-providing-bulletproof-hosting-cybercriminals}, language = {English}, urldate = {2021-11-02} } @techreport{defense:20211103:military:a9c9e5f, author = {US Department of Defense}, title = {{Military and Security Developments Involving the People’s Republic of China}}, date = {2021-11-03}, institution = {US Department of Defense}, url = {https://media.defense.gov/2021/Nov/03/2002885874/-1/-1/0/2021-CMPR-FINAL.PDF}, language = {English}, urldate = {2021-11-08} } @techreport{defense:20240227:russian:d781a39, author = {US Department of Defense}, title = {{Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations}}, date = {2024-02-27}, institution = {US Department of Defense}, url = {https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF}, language = {English}, urldate = {2024-02-28} } @online{defense:20240603:wineloader:8d917f2, author = {Binary Defense and Shannon Mong}, title = {{Wineloader – Analysis of the Infection Chain}}, date = {2024-06-03}, organization = {Binary Defense}, url = {https://www.binarydefense.com/resources/blog/wineloader-analysis-of-the-infection-chain/}, language = {English}, urldate = {2024-06-05} } @techreport{defense:20250520:russian:73a0ae3, author = {US Department of Defense}, title = {{Russian GRU Targeting Western Logistics Entities and Technology Companies}}, date = {2025-05-20}, institution = {US Department of Defense}, url = {https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF}, language = {English}, urldate = {2025-05-22} } @online{defty:20230509:detection:cb53ec3, author = {Troy Defty and Google}, title = {{Detection At Scale}}, date = {2023-05-09}, organization = {YouTube (Security BSides London)}, url = {https://www.youtube.com/watch?v=ZOYfNH7SfqU}, language = {English}, urldate = {2024-04-02} } @online{degirmenci:20240514:qakbot:f75c289, author = {Mert Degirmenci and Boris Larin}, title = {{QakBot attacks with Windows zero-day (CVE-2024-30051)}}, date = {2024-05-14}, organization = {Kaspersky}, url = {https://securelist.com/cve-2024-30051/112618}, language = {English}, urldate = {2024-05-21} } @online{degrippo:20200316:ta505:6cfbbb0, author = {Sherrod DeGrippo}, title = {{TA505 and Others Launch New Coronavirus Campaigns; Now the Largest Collection of Attack Types in Years}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack}, language = {English}, urldate = {2020-04-26} } @online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } @online{degrippo:20200717:ta547:cec93e0, author = {Sherrod DeGrippo}, title = {{TA547 Pivots from Ursnif Banking Trojan to Ransomware in Australian Campaign}}, date = {2020-07-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign}, language = {English}, urldate = {2020-07-23} } @online{degrippo:20240320:tax:00ca923, author = {Sherrod DeGrippo}, title = {{Tax season cybersecurity: What cybercriminals want and who they target most. Is it you?}}, date = {2024-03-20}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/security-insider/reports/tax-season-cybersecurity-what-cybercriminals-want-and-who-they-target-most-is-it-you}, language = {English}, urldate = {2024-04-23} } @online{degroot:20211112:agenttesla:d69002b, author = {Dominik Degroot}, title = {{AgentTesla dropped via NSIS installer}}, date = {2021-11-12}, organization = {Living Code}, url = {http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/}, language = {English}, urldate = {2021-11-17} } @online{dekel:20220328:pwning:c0427db, author = {Kasif Dekel and Ronen Shustin}, title = {{Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All}}, date = {2022-03-28}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/pwning-microsoft-azure-defender-for-iot-multiple-flaws-allow-remote-code-execution-for-all/}, language = {English}, urldate = {2022-03-30} } @online{delamotte:20230629:rhysida:bd98b88, author = {Alex Delamotte and Jim Walter}, title = {{Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army}}, date = {2023-06-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/}, language = {English}, urldate = {2023-07-05} } @online{delamotte:20230918:capratube:77604c8, author = {Alex Delamotte}, title = {{CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones}}, date = {2023-09-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/}, language = {English}, urldate = {2023-09-20} } @online{delcher:20201203:what:9853c58, author = {Pierre Delcher}, title = {{What did DeathStalker hide between two ferns?}}, date = {2020-12-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/}, language = {English}, urldate = {2020-12-08} } @online{delcher:20220630:sessionmanager:f171df2, author = {Pierre Delcher}, title = {{The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact}}, date = {2022-06-30}, organization = {Kaspersky}, url = {https://securelist.com/the-sessionmanager-iis-backdoor/106868/}, language = {English}, urldate = {2022-07-05} } @online{delcher:20220810:vilerat:a47ce21, author = {Pierre Delcher and Giampaolo Dedola}, title = {{VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges}}, date = {2022-08-10}, organization = {Kaspersky}, url = {https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/}, language = {English}, urldate = {2022-08-12} } @online{delcher:20230424:tomiris:2d65352, author = {Pierre Delcher and Ivan Kwiatkowski}, title = {{Tomiris called, they want their Turla malware back}}, date = {2023-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/}, language = {English}, urldate = {2023-04-26} } @techreport{delia:20210804:rope:495f021, author = {Daniele Cono D’Elia and Lorenzo Invidia}, title = {{Rope: Bypassing Behavioral Detection of Malware with Distributed ROP-driven Execution (white paper)}}, date = {2021-08-04}, institution = {Sapienza University of Rome}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Rope-Bypassing-Behavioral-Detection-Of-Malware-With-Distributed-ROP-Driven-Execution-wp.pdf}, language = {English}, urldate = {2021-08-06} } @techreport{delia:20210804:rope:ceb81fd, author = {Daniele Cono D’Elia and Lorenzo Invidia}, title = {{Rope: Bypassing Behavioral Detection of Malware with Distributed ROP-driven Execution (slides)}}, date = {2021-08-04}, institution = {Sapienza University of Rome}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Rope-Bypassing-Behavioral-Detection-Of-Malware-With-Distributed-ROP-Driven-Execution.pdf}, language = {English}, urldate = {2021-08-06} } @online{delmas:20170226:treasurehunter:cd0c965, author = {Arnaud Delmas}, title = {{TreasureHunter : A POS Malware Case Study}}, date = {2017-02-26}, url = {http://adelmas.com/blog/treasurehunter.php}, language = {English}, urldate = {2019-12-02} } @online{delmas:20170314:analyzing:1c055df, author = {Arnaud Delmas}, title = {{Analyzing and Deobfuscating FlokiBot Banking Trojan}}, date = {2017-03-14}, organization = {Arnaud Delmas}, url = {http://adelmas.com/blog/flokibot.php}, language = {English}, urldate = {2020-01-08} } @techreport{deloitte:20160914:evolution:67ad556, author = {Deloitte}, title = {{The evolution of the Nymaim Criminal Enterprise Threat Intelligence & Analytics}}, date = {2016-09-14}, institution = {Deloitte}, url = {https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf}, language = {English}, urldate = {2022-03-28} } @online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } @online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } @online{deluca:20201020:fbi:db32b2f, author = {Alex DeLuca}, title = {{FBI Investigating Threatening Emails Sent To Democrats In Florida}}, date = {2020-10-20}, organization = {WUFT}, url = {https://www.wuft.org/news/2020/10/20/fbi-investigating-threatening-emails-sent-to-democrats-in-florida/}, language = {English}, urldate = {2020-10-23} } @online{demboski:20211119:is:d05360d, author = {Morgan Demboski}, title = {{Is a coordinated cyberattack brewing in the escalating Russian-Ukrainian conflict?}}, date = {2021-11-19}, organization = {IronNet}, url = {https://www.ironnet.com/blog/is-a-coordinated-cyberattack-brewing-in-the-escalating-russian-ukrainian-conflict}, language = {English}, urldate = {2021-11-25} } @online{demetria:20121030:jacksbot:8a7230b, author = {Johanne Demetria}, title = {{JACKSBOT Has Some Dirty Tricks up Its Sleeves}}, date = {2012-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/}, language = {English}, urldate = {2020-01-06} } @techreport{demirkapi:20200805:demystifying:147bf1e, author = {Bill Demirkapi}, title = {{Demystifying Modern Windows Rootkits}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://billdemirkapi.me/slides/Demystifying-Modern-Windows-Rootkits-BH.pdf}, language = {English}, urldate = {2020-08-18} } @online{demirkapi:20220107:unpacking:22f8b4a, author = {Bill Demirkapi}, title = {{Unpacking CVE-2021-40444: A Deep Technical Analysis of an Office RCE Exploit}}, date = {2022-01-07}, organization = {Bill Demirkapi's Blog}, url = {https://billdemirkapi.me/unpacking-cve-2021-40444-microsoft-office-rce/}, language = {English}, urldate = {2022-02-02} } @online{demirkapi:20220328:new:233a827, author = {Bill Demirkapi}, title = {{New documents for the Okta breach}}, date = {2022-03-28}, organization = {Threadreader (@BillDemirkapi)}, url = {https://threadreaderapp.com/thread/1508527487655067660.html}, language = {English}, urldate = {2022-03-30} } @online{demirkapi:20220404:sharing:bee2fae, author = {Bill Demirkapi}, title = {{Sharing is Caring: Abusing Shared Sections for Code Injection}}, date = {2022-04-04}, organization = {Bill Demirkapi's Blog}, url = {https://billdemirkapi.me/sharing-is-caring-abusing-shared-sections-for-code-injection/}, language = {English}, urldate = {2022-04-07} } @online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } @techreport{denker:20220201:whispergate:1eca84b, author = {Brandon Denker}, title = {{WhisperGate Malware - Update}}, date = {2022-02-01}, institution = {Cyborg Security}, url = {https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf}, language = {English}, urldate = {2022-02-10} } @online{dennesen:20141201:fin4:0760295, author = {Kristen Dennesen and Jordan Berry and Barry Vengerik and Jonathan Wrolstad}, title = {{FIN4: Stealing Insider Information for an Advantage in Stock Trading?}}, date = {2014-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html}, language = {English}, urldate = {2019-12-20} } @techreport{dereszowski:20140312:uroburos:789e718, author = {Andrzej Dereszowski and Matthieu Kaczmarek}, title = {{Uroburos: the snake rootkit}}, date = {2014-03-12}, institution = {Blog (Artem Baranov)}, url = {https://artemonsecurity.com/uroburos.pdf}, language = {English}, urldate = {2022-05-25} } @techreport{dereszowski:20150211:turladevelopment:98e2483, author = {Andrzej Dereszowski}, title = {{Turla-development & operations}}, date = {2015-02-11}, institution = {FIRST Tbilisi}, url = {https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf}, language = {English}, urldate = {2020-01-06} } @online{dereviashkin:20210208:long:d1419a2, author = {Michael Dereviashkin}, title = {{Long Live, Osiris; Banking Trojan Targets German IP Addresses}}, date = {2021-02-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses}, language = {English}, urldate = {2021-02-09} } @online{dereviashkin:20220125:new:18be3b6, author = {Michael Dereviashkin}, title = {{New Threat Campaign Identified: AsyncRAT Introduces a New Delivery Technique}}, date = {2022-01-25}, organization = {Morphisec}, url = {https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign}, language = {English}, urldate = {2022-01-28} } @online{dereviashkin:20220405:new:2f2f8a9, author = {Michael Dereviashkin}, title = {{New Analysis: The CaddyWiper Malware Attacking Ukraine}}, date = {2022-04-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine}, language = {English}, urldate = {2022-04-07} } @online{desai:20150122:malvertising:cc7f1dd, author = {Deepen Desai}, title = {{Malvertising Leading To Flash Zero Day Via Angler Exploit Kit}}, date = {2015-01-22}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/malvertising-leading-flash-zero-day-angler-exploit-kit}, language = {English}, urldate = {2024-06-28} } @online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } @online{desai:20200319:new:00516c3, author = {Shivang Desai}, title = {{New Android App Offers Coronavirus Safety Mask But Delivers SMS Trojan}}, date = {2020-03-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan}, language = {English}, urldate = {2020-03-26} } @online{desai:20200729:android:fb3b3d0, author = {Shivang Desai}, title = {{Android Spyware Targeting Tanzania Premier League}}, date = {2020-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league}, language = {English}, urldate = {2020-08-05} } @online{desai:20200908:tiktok:d920a43, author = {Shivang Desai}, title = {{TikTok Spyware: A detailed analysis of spyware masquerading as TikTok}}, date = {2020-09-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/tiktok-spyware}, language = {English}, urldate = {2020-09-15} } @online{desai:20211116:return:936dad6, author = {Deepen Desai}, title = {{Return of Emotet malware}}, date = {2021-11-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware}, language = {English}, urldate = {2021-11-19} } @online{desai:20220224:hermeticwiper:7cac018, author = {Deepen Desai}, title = {{HermeticWiper & resurgence of targeted attacks on Ukraine}}, date = {2022-02-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine}, language = {English}, urldate = {2022-03-02} } @online{deshappriya:20241107:sidewinders:45e3719, author = {Nimantha Deshappriya}, title = {{SideWinder’s ( T-APT-04 ) Sri Lanka Adventure}}, date = {2024-11-07}, organization = {nimanthadeshappriya.com}, url = {https://www.nimanthadeshappriya.com/post/sidewinder-s-t-apt-04-sri-lanka-adventure}, language = {English}, urldate = {2024-11-11} } @online{deshappriya:20250103:rats:5d0bdc5, author = {Nimantha Deshappriya}, title = {{RATs on the island (Remote Access Trojans in Sri Lanka's Cybersecurity Landscape)}}, date = {2025-01-03}, url = {https://www.nimanthadeshappriya.com/post/rats-on-the-island}, language = {English}, urldate = {2025-01-07} } @online{designativedave:20121116:remote:d5d4856, author = {DesignativeDave}, title = {{Remote Administration Tool for Android devices}}, date = {2012-11-16}, organization = {Github (DesignativeDave)}, url = {https://github.com/DesignativeDave/androrat}, language = {English}, urldate = {2019-11-26} } @online{desimone:20210316:detecting:4091130, author = {Joe Desimone}, title = {{Detecting Cobalt Strike with memory signatures}}, date = {2021-03-16}, organization = {Elastic}, url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures}, language = {English}, urldate = {2021-03-22} } @online{desimone:20211223:elastic:0e1caf7, author = {Joe Desimone and Samir Bousseaden}, title = {{Elastic Security uncovers BLISTER malware campaign}}, date = {2021-12-23}, organization = {Elastic}, url = {https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign}, language = {English}, urldate = {2021-12-23} } @online{desimone:20231027:ghostpulse:d3a821a, author = {Joe Desimone and Salim Bitam}, title = {{GHOSTPULSE haunts victims using defense evasion bag o' tricks}}, date = {2023-10-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks}, language = {English}, urldate = {2023-11-22} } @online{desimone:20240621:grimresource:078ac78, author = {Joe Desimone and Samir Bousseaden}, title = {{GrimResource - Microsoft Management Console for initial access and evasion}}, date = {2024-06-21}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/grimresource}, language = {English}, urldate = {2024-06-24} } @online{desktopecho:20221116:owner:7ae177d, author = {DesktopECHO}, title = {{Owner of an Android TV box? May want to check if it's an active botnet member...}}, date = {2022-11-16}, organization = {XDA Forums}, url = {https://xdaforums.com/t/owner-of-an-android-tv-box-may-want-to-check-if-its-an-active-botnet-member.4519567/}, language = {English}, urldate = {2025-01-07} } @techreport{desombre:20210302:countering:de4981b, author = {Winnona Desombre and James Shires and JD Work and Robert Morgus and Patrick Howell O'Neill and Luca Allodi and Trey Herr}, title = {{Countering Cyber Proliferation: Zeroing in on Access-as-a-Service}}, date = {2021-03-02}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2021/03/Offensive-Cyber-Capabilities-Proliferation-Report-1.pdf}, language = {English}, urldate = {2021-03-04} } @online{deutsch:20201210:dutch:fe5465d, author = {Anthony Deutsch and Toby Sterling}, title = {{Dutch expel two Russian diplomats for suspected espionage}}, date = {2020-12-10}, organization = {Reuters}, url = {https://www.reuters.com/article/netherlands-russia/dutch-expel-two-russian-diplomats-for-suspected-espionage-idUSKBN28K2AT}, language = {English}, urldate = {2020-12-11} } @online{devadoss:20200629:initial:0c8ed48, author = {Dinesh Devadoss}, title = {{Tweet on initial Discovery of EvilQuest}}, date = {2020-06-29}, organization = {Twitter (@dineshdina04)}, url = {https://twitter.com/dineshdina04/status/1277668001538433025}, language = {English}, urldate = {2020-07-01} } @online{devadoss:20220509:from:658ed35, author = {Dinesh Devadoss and Phil Stokes}, title = {{From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win}}, date = {2022-05-09}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win}, language = {English}, urldate = {2022-05-11} } @online{devadoss:20220509:from:d580095, author = {Dinesh Devadoss and Phil Stokes}, title = {{From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win}}, date = {2022-05-09}, url = {https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/}, language = {English}, urldate = {2022-05-11} } @online{devadoss:20220926:lazarus:36bd682, author = {Dinesh Devadoss and Phil Stokes}, title = {{Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto}}, date = {2022-09-26}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto}, language = {English}, urldate = {2023-08-13} } @online{devane:20160721:phishing:314ff25, author = {Oliver Devane and Mohinder Gill}, title = {{Phishing Attacks Employ Old but Effective Password Stealer}}, date = {2016-07-21}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/}, language = {English}, urldate = {2019-12-17} } @online{devane:20220829:malicious:721f45d, author = {Oliver Devane and Vallabh Chole}, title = {{Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users}}, date = {2022-08-29}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users}, language = {English}, urldate = {2022-08-31} } @online{devkar:20220225:avoslocker:4a19530, author = {Sudhir Devkar and Threat Analysis Unit}, title = {{AvosLocker – Modern Linux Ransomware Threats}}, date = {2022-02-25}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html}, language = {English}, urldate = {2022-03-22} } @online{devkar:20220412:ruransom:c9abdbd, author = {Sudhir Devkar}, title = {{RuRansom – A Retaliatory Wiper}}, date = {2022-04-12}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html}, language = {English}, urldate = {2022-05-04} } @online{dewan:20211008:new:b97c20c, author = {Tarun Dewan and Lenart Brave}, title = {{New Trickbot and BazarLoader campaigns use multiple delivery vectorsi}}, date = {2021-10-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors}, language = {English}, urldate = {2021-10-14} } @online{dewan:20220712:rise:1cc657e, author = {Tarun Dewan and Aditya Sharma}, title = {{Rise in Qakbot attacks traced to evolving threat techniques}}, date = {2022-07-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques}, language = {English}, urldate = {2022-07-14} } @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } @online{deyalsingh:20230403:alphv:04f0dfa, author = {JASON DEYALSINGH and NICK SMITH and Eduardo Mattos and Tyler McLellan and Nick Richard}, title = {{ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access}}, date = {2023-04-03}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/alphv-ransomware-backup}, language = {English}, urldate = {2023-04-22} } @techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } @techreport{dfir:20200504:apt38:53494c3, author = {ADEO DFIR}, title = {{APT38 Lazarus Threat Analysis Report}}, date = {2020-05-04}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf}, language = {English}, urldate = {2023-02-21} } @online{dgc:20220225:breaking:a96fdac, author = {Deutsche Gesellschaft für Cybersicherheit (DGC)}, title = {{Breaking news! Warning about “HermeticWiper Malware” by Russian APT Groups}}, date = {2022-02-25}, organization = {Deutsche Gesellschaft für Cybersicherheit}, url = {https://dgc.org/en/hermeticwiper-malware/}, language = {English}, urldate = {2022-03-01} } @online{dhanalakshmi:20180705:look:c39d2cb, author = {Dhanalakshmi}, title = {{A Look At Recent Tinba Banking Trojan Variant}}, date = {2018-07-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant}, language = {English}, urldate = {2019-11-20} } @online{dhanush:20230630:cobalt:1b48532, author = {Dhanush}, title = {{Cobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass}}, date = {2023-06-30}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/}, language = {English}, urldate = {2023-08-17} } @online{dhanush:20240723:threat:c0b6332, author = {Dhanush}, title = {{Threat actors target recent Election Results}}, date = {2024-07-23}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/}, language = {English}, urldate = {2024-07-23} } @online{dhivya:20240528:threats:972cdaa, author = {Dhivya}, title = {{Threats Claimimg Breach of Decathlon May 2024 Database}}, date = {2024-05-28}, organization = {CyberSecurityNews}, url = {https://cybersecuritynews.com/threats-claimimg-breach/}, language = {English}, urldate = {2024-08-29} } @online{dhs:20181002:alert:6e24ac4, author = {Department of Homeland Security (DHS) and Department of the Treasury (Treasury) and FBI}, title = {{Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign}}, date = {2018-10-02}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/TA18-275A}, language = {English}, urldate = {2022-04-20} } @techreport{dhss:20210916:department:745be5a, author = {Department Of Health And Social Services (DHSS)}, title = {{Department of Health and Social Services 2021 Cyberattack: Frequently Asked Questions Updated Sept. 16, 2021}}, date = {2021-09-16}, institution = {Department Of Health And Social Services (DHSS)}, url = {http://dhss.alaska.gov/news/Documents/press/2021/DHSS_FAQs_FMS_Cyberattack_20210916.pdf}, language = {English}, urldate = {2022-05-03} } @online{dianae:20240711:finding:2e8399c, author = {DianaE}, title = {{Finding Malware: Detecting EMPTYSPACE with Google Security Operations}}, date = {2024-07-11}, organization = {Google}, url = {https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-EMPTYSPACE-with-Google-Security}, language = {English}, urldate = {2024-08-01} } @online{diaries:20211026:ep:e539e19, author = {DARKNET DIARIES}, title = {{EP 103: Cloud Hopper}}, date = {2021-10-26}, organization = {DARKNET DIARIES}, url = {https://darknetdiaries.com/episode/103/}, language = {English}, urldate = {2021-11-08} } @online{diaries:20220208:ep:9f11b1b, author = {DARKNET DIARIES}, title = {{EP 110: Spam Botnets}}, date = {2022-02-08}, organization = {DARKNET DIARIES}, url = {https://darknetdiaries.com/episode/110/}, language = {English}, urldate = {2022-02-14} } @online{diaz:20181205:review:834944f, author = {Vicente Diaz and Costin Raiu}, title = {{APT review of the year}}, date = {2018-12-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-review-of-the-year/89117/}, language = {English}, urldate = {2024-02-08} } @online{diaz:20211013:we:34996a8, author = {Vicente Diaz}, title = {{We analyzed 80 million ransomware samples – here’s what we learned}}, date = {2021-10-13}, organization = {VirusTotal}, url = {https://blog.google/technology/safety-security/we-analyzed-80-million-ransomware-samples-heres-what-we-learned/}, language = {English}, urldate = {2023-09-11} } @online{diaz:20220817:hunting:fb2520c, author = {Vicente Diaz and Alexey Firsh}, title = {{Hunting Follina}}, date = {2022-08-17}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2022/08/hunting-follina.html}, language = {English}, urldate = {2022-08-22} } @online{diaz:20230420:apt43:ada14ec, author = {Vicente Diaz}, title = {{APT43: An investigation into the North Korean group’s cybercrime operations}}, date = {2023-04-20}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html}, language = {English}, urldate = {2023-04-25} } @online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } @online{dietrich:20181130:virut:2b9101c, author = {Christian J. Dietrich}, title = {{Virut Resurrects -- Musings on long-term sinkholing}}, date = {2018-11-30}, url = {https://chrisdietri.ch/post/virut-resurrects/}, language = {English}, urldate = {2019-11-25} } @online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } @online{digitrust:20170105:qrat:d5e7b46, author = {DigiTrust}, title = {{QRAT is Living in The World of JAVA}}, date = {2017-01-05}, organization = {DigiTrust}, url = {https://www.digitrustgroup.com/java-rat-qrat/}, language = {English}, urldate = {2020-01-09} } @online{dilgen:20250220:48:6b7b82c, author = {John Dilgen}, title = {{48 Minutes: How Fast Phishing Attacks Exploit Weaknesses}}, date = {2025-02-20}, organization = {Reliaquest}, url = {https://www.reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/}, language = {English}, urldate = {2025-02-25} } @techreport{dimaggio:20150806:black:af5cf27, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-10} } @online{dimaggio:20150806:black:b0fbb35, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group}, language = {English}, urldate = {2022-04-25} } @online{dimaggio:20160315:suckfly:0b3835e, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates}, language = {English}, urldate = {2020-01-05} } @online{dimaggio:20160315:suckfly:a1c8359, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160329:taiwan:4b83179, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back door Trojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan}, language = {English}, urldate = {2019-12-18} } @online{dimaggio:20160329:taiwan:de4b254, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back doorTrojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm}, language = {English}, urldate = {2020-01-20} } @online{dimaggio:20160428:tick:9fec91a, author = {Jon DiMaggio}, title = {{Tick cyberespionage group zeros in on Japan}}, date = {2016-04-28}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan}, language = {English}, urldate = {2020-01-10} } @online{dimaggio:20160517:indian:98dff05, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160517:indian:baa172f, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks}, language = {English}, urldate = {2019-10-23} } @online{dimaggio:20170531:operation:1d2f585, author = {Jon DiMaggio}, title = {{Operation Bachosens: A detailed look into a long-running cyber crime campaign}}, date = {2017-05-31}, organization = {Symantec}, url = {https://medium.com/threat-intel/cybercrime-investigation-insights-bachosens-e1d6312f6b3a}, language = {English}, urldate = {2023-03-16} } @online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } @techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } @techreport{dimaggio:20210811:nation:815fed9, author = {Jon DiMaggio}, title = {{Nation State Ransomware}}, date = {2021-08-11}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf}, language = {English}, urldate = {2021-08-17} } @techreport{dimaggio:20220127:history:921d98f, author = {Jon DiMaggio}, title = {{A History of Revil}}, date = {2022-01-27}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/History-of-REvil.pdf}, language = {English}, urldate = {2022-02-01} } @online{dimaggio:20220407:north:ab16006, author = {Jon DiMaggio}, title = {{North Korea: Intelligence Assessment 2022}}, date = {2022-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/digital-report/north-korea-2022-intelligence-assessment}, language = {English}, urldate = {2022-04-15} } @online{dimaggio:20230116:unlocking:adf4dd9, author = {Jon DiMaggio}, title = {{Unlocking Lockbit: A Ransomware Story}}, date = {2023-01-16}, organization = {ANALYST1}, url = {https://analyst1.com/ransomware-diaries-volume-1/}, language = {English}, urldate = {2023-01-26} } @techreport{dimaggio:20230415:ransomware:e61a4cd, author = {Jon DiMaggio}, title = {{Ransomware Diaries: Volume 2 – A Ransomware Hacker Origin Story}}, date = {2023-04-15}, institution = {ANALYST1}, url = {https://analyst1.com/wp-content/uploads/2023/04/Ransomware-diaries-vol2-v2.pdf}, language = {English}, urldate = {2023-10-30} } @online{dimaggio:202308:ransomware:43d8fc7, author = {Jon DiMaggio}, title = {{Ransomware Diaries: Volume 3 – LockBit’s Secrets}}, date = {2023-08}, organization = {ANALYST1}, url = {https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/}, language = {English}, urldate = {2023-10-30} } @online{dimchev:20160927:new:3bba3cd, author = {Alex Dimchev}, title = {{New Voldemort/Nagini Ransomware Virus Infection}}, date = {2016-09-27}, organization = {Best Security Research}, url = {http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/}, language = {English}, urldate = {2019-11-28} } @online{dimino:20120802:cridex:a9b195f, author = {Andre M. DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-02}, url = {http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html}, language = {English}, urldate = {2019-10-23} } @online{dimino:20120803:cridex:eab5b19, author = {Andre DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-03}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html}, language = {English}, urldate = {2019-12-18} } @techreport{ding:20210506:domain:501928a, author = {Tianze Ding and Junyu Zhou}, title = {{Domain Borrowing: Catch My C2 Traffic if You Can}}, date = {2021-05-06}, institution = {Tencent}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Ding-Domain-Borrowing-Catch-My-C2-Traffic-If-You-Can.pdf}, language = {English}, urldate = {2021-09-14} } @techreport{ding:20210506:domain:853dd90, author = {Tianze Ding and Junyu Zhou}, title = {{Domain Borrowing: Catch My C2 Traffic if You Can}}, date = {2021-05-06}, institution = {Tencent}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Ding-Domain-Borrowing-Catch-My-C2-Traffic-If-You-Can.pdf}, language = {English}, urldate = {2021-09-14} } @online{ding:20210901:domain:92aa2f7, author = {Tianze Ding and Junyu Zhou}, title = {{Domain Borrowing: Catch My C2 Traffic if You Can}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=eVr0kKdgM2I}, language = {English}, urldate = {2021-09-14} } @online{diplomatie:20250429:russia:b71d38a, author = {France Diplomatie}, title = {{Russia – Assignment of cyber attacks against France to the Russian military intelligence service (APT28) (29 April 2025)}}, date = {2025-04-29}, organization = {France Diplomatie}, url = {https://www.diplomatie.gouv.fr/fr/dossiers-pays/russie/evenements/evenements-de-l-annee-2025/article/russie-attribution-de-cyberattaques-contre-la-france-au-service-de}, language = {French}, urldate = {2025-05-02} } @techreport{directorate:20240409:black:b353d6a, author = {Israel National Cyber Directorate}, title = {{קבוצת התקיפה האיראנית Black Shadow}}, date = {2024-04-09}, institution = {Israel National Cyber Directorate}, url = {https://www.gov.il/BlobFolder/reports/alert_1727/he/ALERT-CERT-IL-W-1727.pdf}, language = {Hebrew}, urldate = {2024-12-11} } @online{disclosure:20221224:njrat:0b45969, author = {di.sclosu.re}, title = {{njRAT malware spreading through Discord CDN and Facebook Ads}}, date = {2022-12-24}, organization = {di.sclosu.re}, url = {https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/}, language = {English}, urldate = {2023-01-10} } @online{dissent:20200526:former:dcfe145, author = {Dissent}, title = {{A former DarkSide listing shows up on REvil’s leak site}}, date = {2020-05-26}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/}, language = {English}, urldate = {2021-06-09} } @online{dissent:20210329:sg:7185997, author = {Dissent}, title = {{Sg: Vhive alerts consumers to cyberattack}}, date = {2021-03-29}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/sg-vhive-alerts-consumers-to-cyberattack/}, language = {English}, urldate = {2024-12-09} } @online{dissent:20210403:sg:4005165, author = {Dissent}, title = {{SG: Vhive attackers escalate, take control of furniture retailer’s email server}}, date = {2021-04-03}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/sg-vhive-attackers-escalate-take-control-of-furniture-retailers-email-server/}, language = {English}, urldate = {2024-12-09} } @online{dissent:20210412:chat:fa8aec8, author = {Dissent}, title = {{A chat with DarkSide}}, date = {2021-04-12}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/a-chat-with-darkside/}, language = {English}, urldate = {2021-04-16} } @online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } @online{dissent:20210820:singapore:a48ba57, author = {Dissent}, title = {{Singapore real estate firm breached by ALTDOS}}, date = {2021-08-20}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/singapore-real-estate-firm-breached-by-altdos/}, language = {English}, urldate = {2024-12-09} } @online{dissent:20210825:advisories:a82883e, author = {Dissent}, title = {{Advisories are published, but are enough entities reading them and taking precautions?}}, date = {2021-08-25}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions/}, language = {English}, urldate = {2024-12-09} } @online{dissent:20210920:altdos:1b8d3bb, author = {Dissent}, title = {{ALTDOS claims to have hacked one of Malaysia’s biggest conglomerates}}, date = {2021-09-20}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/altdos-claims-to-have-hacked-one-of-malaysias-biggest-conglomerates/}, language = {English}, urldate = {2024-12-09} } @online{dissent:20210926:desorden:3fabe7a, author = {Dissent}, title = {{Desorden Group claims to have stolen 200 GB of data from ABX Express}}, date = {2021-09-26}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/desorden-group-claims-to-have-stolen-200-gb-of-data-from-abx-express/}, language = {English}, urldate = {2021-09-29} } @online{dissent:20220408:east:155cde9, author = {Dissent}, title = {{East Tennessee Children’s Hospital updates information on ransomware incident}}, date = {2022-04-08}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/}, language = {English}, urldate = {2024-02-08} } @online{dissent:20220722:recent:dcf0f73, author = {Dissent}, title = {{Recent cyberattacks put Thai citizens’ privacy and data security at greater risk}}, date = {2022-07-22}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/recent-cyberattacks-put-thai-citizens-privacy-and-data-security-at-greater-risk/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20220731:thai:20379da, author = {Dissent}, title = {{Thai entities continue to fall prey to cyberattacks and leaks}}, date = {2022-07-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20220825:major:62d3f51, author = {Dissent}, title = {{Major Indonesia tollroad operator hacked by DESORDEN (Updated)}}, date = {2022-08-25}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20220902:customer:fde68fc, author = {Dissent}, title = {{Customer data from hundreds of Indonesian and Malaysian restaurants hacked by DESORDEN}}, date = {2022-09-02}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20220913:singapore:2312ad4, author = {Dissent}, title = {{Singapore corporations making progress in preventing cyberattacks}}, date = {2022-09-13}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/singapore-corporations-making-progress-in-preventing-cyberattacks/}, language = {English}, urldate = {2024-12-09} } @online{dissent:20221002:thailands:9928c7b, author = {Dissent}, title = {{Thailand’s THE ICON GROUP hacked by DESORDEN}}, date = {2022-10-02}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20221009:johnson:159d164, author = {Dissent}, title = {{Johnson Fitness and Wellness hit by DESORDEN Group}}, date = {2022-10-09}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20221104:malaysian:1a51997, author = {Dissent}, title = {{Malaysian online stock brokerage firm victim of cyberattack}}, date = {2022-11-04}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/malaysian-online-stock-brokerage-firm-victim-of-cyberattack/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20230520:peachtree:ab9a345, author = {Dissent}, title = {{Peachtree Orthopedics alerts patients to cyberattack; third patient data breach in seven years}}, date = {2023-05-20}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20230726:major:72a8e3f, author = {Dissent}, title = {{Major Malaysian water utilities company hit by hackers; Ranhill offline; hackers claim databases and backups deleted}}, date = {2023-07-26}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20230831:one:e694e75, author = {Dissent}, title = {{One month later, Ranhill still hasn’t fully recovered from cyberattack}}, date = {2023-08-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/one-month-later-ranhill-still-hasnt-fully-recovered-from-cyberattack/}, language = {English}, urldate = {2023-11-27} } @online{dissent:20231027:hackers:a4c643a, author = {Dissent}, title = {{Hackers escalate: leak 200k CCSD students’ data; claim to still have access to CCSD email system}}, date = {2023-10-27}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/hackers-escalate-leak-200k-ccsd-students-data-claim-to-still-have-access-to-ccsd-email-system/}, language = {English}, urldate = {2023-11-17} } @online{dissent:20231102:jeffco:bd86dfa, author = {Dissent}, title = {{Jeffco Public Schools hit by the same threat actors that hit Clark County School District — and via the same way}}, date = {2023-11-02}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way/}, language = {English}, urldate = {2023-11-17} } @online{dissent:20241112:amazon:a9a8fe3, author = {Dissent}, title = {{Amazon confirms employee data breach after vendor hack}}, date = {2024-11-12}, organization = {DataBreaches.net}, url = {https://databreaches.net/2024/11/12/amazon-confirms-employee-data-breach-after-vendor-hack/}, language = {English}, urldate = {2024-11-15} } @online{dissent:20241208:is:27a5cee, author = {Dissent}, title = {{Is KillSec3 Trying to Extort Victims Using Publicly Leaked Data?}}, date = {2024-12-08}, organization = {DataBreaches.net}, url = {https://databreaches.net/2024/12/08/is-killsec3-trying-to-extort-victims-using-publicly-leaked-data/}, language = {English}, urldate = {2024-12-11} } @online{ditch:20220118:formbook:3f03c56, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{FORMBOOK Adopts CAB-less Approach}}, date = {2022-01-18}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/}, language = {English}, urldate = {2022-01-25} } @online{ditch:20220119:collecting:696e5d0, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{Collecting Cobalt Strike Beacons with the Elastic Stack}}, date = {2022-01-19}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/}, language = {English}, urldate = {2022-01-25} } @online{ditch:20220119:extracting:39bd5e5, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{Extracting Cobalt Strike Beacon Configurations}}, date = {2022-01-19}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/}, language = {English}, urldate = {2022-01-25} } @online{division:2000:2000:6d829fc, author = {CERT Division}, title = {{2000 CERT Advisories}}, date = {2000}, organization = {Carnegie Mellon University}, url = {https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186}, language = {English}, urldate = {2020-01-08} } @techreport{division:20200514:malware:34fa46f, author = {Leonardo’s Cyber Security division}, title = {{Malware Technical Insight Turla "Penquin_x64"}}, date = {2020-05-14}, institution = {Leonardo}, url = {https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf}, language = {English}, urldate = {2022-07-01} } @techreport{division:20200707:cosmic:cc97389, author = {AGARI CYBER INTELLIGENCE DIVISION}, title = {{Cosmic Lynx: The Rise of Russian BEC}}, date = {2020-07-07}, institution = {}, url = {https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf}, language = {English}, urldate = {2020-07-08} } @online{divya:20240408:vedalia:bf41907, author = {Divya}, title = {{Vedalia APT Group Exploits Oversized LNK Files to Deliver Malware}}, date = {2024-04-08}, organization = {GBHackers on Security}, url = {https://gbhackers.com/vedalia-apt-group-exploits/}, language = {English}, urldate = {2025-05-02} } @online{dixon:20180623:oceanlotus:555d8bf, author = {Brandon Dixon and Steve Ginty}, title = {{OceanLotus 2018: Malicious Infrastructure}}, date = {2018-06-23}, organization = {passivetotal}, url = {https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f}, language = {English}, urldate = {2019-11-16} } @techreport{dixon:2018:alphathreat:f97b446, author = {Brandon Dixon}, title = {{Alphathreat Soup Burning Actors with Data}}, date = {2018}, institution = {RiskIQ}, url = {https://hitcon.org/2018/CMT/slide-files/d1_s2_r1.pdf}, language = {English}, urldate = {2021-08-09} } @online{dixon:20240103:security:ba854a8, author = {Brandon Dixon}, title = {{Security Copilot Promptbook: Threat Actor Profile}}, date = {2024-01-03}, organization = {Applied GAI in Security}, url = {https://applied-gai-in-security.ghost.io/security-copilot-promptbook-threat-actor-profile/}, language = {English}, urldate = {2025-03-05} } @techreport{dnne:20211003:squirrelwaffle:3a35566, author = {Joel Dönne}, title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}}, date = {2021-10-03}, institution = {Github (0xjxd)}, url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf}, language = {English}, urldate = {2021-10-07} } @online{doan:20221218:icedid:f4a858a, author = {Berkay DOĞAN and Dilara BEHAR and Rabia EKŞİ and Zafer Yiğithan DERECİ}, title = {{IcedID Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view}, language = {English}, urldate = {2022-12-20} } @online{doan:20221218:raccoon:f832aeb, author = {Abdül Samed DOĞAN and Emirhan KESKİN}, title = {{Raccoon Stealer Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view}, language = {English}, urldate = {2022-12-20} } @online{dobberstein:20220408:china:6626bbc, author = {Laura Dobberstein}, title = {{China accused of cyberattacks on Indian power grid}}, date = {2022-04-08}, organization = {The Register}, url = {https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/}, language = {English}, urldate = {2022-04-12} } @online{dobberstein:20240925:china:a911e88, author = {Laura Dobberstein}, title = {{China claims Taiwan, not civilians, behind web vandalism}}, date = {2024-09-25}, organization = {The Register}, url = {https://www.theregister.com/2024/09/25/china_anonymous_64_taiwan_accusations/}, language = {English}, urldate = {2024-11-04} } @online{dobbins:20220216:ddos:004dcc5, author = {Roland Dobbins and Steinthor Bjarnason}, title = {{DDoS Attack Campaign Targeting Multiple Organizations in Ukraine}}, date = {2022-02-16}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine}, language = {English}, urldate = {2022-02-19} } @online{dobocan:20230415:dissecting:5dd8691, author = {Gabi Dobocan}, title = {{Dissecting Npm Malware: Five Packages And Their Evil Install Scripts}}, date = {2023-04-15}, organization = {Sandworm.dev}, url = {https://blog.sandworm.dev/dissecting-npm-malware-five-packages-and-their-evil-install-scripts}, language = {English}, urldate = {2023-05-10} } @online{dodia:20190315:immortal:43b3d3d, author = {Rajdeepsinh Dodia and Uday Pratap Singh}, title = {{Immortal information stealer}}, date = {2019-03-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/immortal-information-stealer}, language = {English}, urldate = {2020-06-08} } @online{dodia:20190808:saefko:bdc733d, author = {Rajdeepsinh Dodia and Priyanka Bhati}, title = {{Saefko: A new multi-layered RAT}}, date = {2019-08-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat}, language = {English}, urldate = {2019-11-26} } @online{dodia:20200116:ftcode:9e80307, author = {Rajdeepsinh Dodia and Amandeep Kumar and Atinderpal Singh}, title = {{FTCODE Ransomware - New Version Includes Stealing Capabilities}}, date = {2020-01-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities}, language = {English}, urldate = {2020-01-27} } @online{dodia:20211015:atomsilo:81b4ff1, author = {Rajdeepsinh Dodia}, title = {{AtomSilo Ransomware Enters the League of Double Extortion}}, date = {2021-10-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion}, language = {English}, urldate = {2021-11-03} } @online{dodia:20220323:midas:017f409, author = {Rajdeepsinh Dodia}, title = {{Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants}}, date = {2022-03-23}, organization = {Security Boulevard}, url = {https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/}, language = {English}, urldate = {2022-03-25} } @online{dodia:20220323:midas:8b975b4, author = {Rajdeepsinh Dodia}, title = {{Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants}}, date = {2022-03-23}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants}, language = {English}, urldate = {2022-03-25} } @online{dodosec:20230401:smoothoperator:1aa2e60, author = {dodo-sec}, title = {{SmoothOperator}}, date = {2023-04-01}, organization = {Github (dodo-sec)}, url = {https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md}, language = {English}, urldate = {2023-04-03} } @online{dodosec:20230420:analysis:0c18d26, author = {dodo-sec}, title = {{An analysis of syscall usage in Cobalt Strike Beacons}}, date = {2023-04-20}, organization = {Github (dodo-sec)}, url = {https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md}, language = {English}, urldate = {2023-04-22} } @techreport{doe:20220413:cyber:1dee54e, author = {Department of Energy (DOE) and NSA and FBI and CISA}, title = {{APT Cyber Tools Targeting ICS/SCADA Devices}}, date = {2022-04-13}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/Joint_Cybersecurity_Advisory_APT%20Cyber%20Tools%20Targeting%20ICS%20SCADA%20Devices.pdf}, language = {English}, urldate = {2022-04-15} } @techreport{doerr:20190808:enemy:3962b21, author = {Eric Doerr}, title = {{The Enemy Within: Modern Supply Chain Attacks}}, date = {2019-08-08}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf}, language = {English}, urldate = {2020-08-14} } @online{doerr:20210326:securing:0f170cb, author = {Eric Doerr}, title = {{Securing our approach to domain fronting within Azure}}, date = {2021-03-26}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/26/securing-our-approach-to-domain-fronting-within-azure/}, language = {English}, urldate = {2021-03-30} } @online{doffman:20190816:warning:65452b4, author = {Zak Doffman}, title = {{Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated)}}, date = {2019-08-16}, organization = {Forbes}, url = {https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:1b7b01c, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } @online{doingfedtime:20240529:80000:9b97f2b, author = {DoingFedTime}, title = {{80-000 records exposed in shell data breach by threat actor}}, date = {2024-05-29}, organization = {Medium (DoingFedTime)}, url = {https://medium.com/@DoingFedTime/80-000-records-exposed-in-shell-data-breach-by-threat-actor-888-64c407dfac94}, language = {English}, urldate = {2024-09-04} } @online{dokas:20210921:using:28b3535, author = {Paul Dokas}, title = {{Using Zeek to track communication state}}, date = {2021-09-21}, organization = {Corelight}, url = {https://corelight.com/blog/using-zeek-to-track-communication-state}, language = {English}, urldate = {2021-09-22} } @online{dolas:20200731:masslogger:b17ff73, author = {Aniruddha Dolas}, title = {{MassLogger: An Emerging Spyware and Keylogger}}, date = {2020-07-31}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/}, language = {English}, urldate = {2020-08-05} } @online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } @online{dolgushev:20181019:darkpulsar:c98e816, author = {Andrey Dolgushev and Dmitry Tarakanov and Vasily Berdnikov}, title = {{DarkPulsar}}, date = {2018-10-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkpulsar/88199/}, language = {English}, urldate = {2019-12-20} } @online{dolgushev:20191105:darkuniverse:36ead28, author = {Andrey Dolgushev and Vasily Berdnikov and Alexander Fedotov}, title = {{DarkUniverse – the mysterious APT framework #27}}, date = {2019-11-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/}, language = {English}, urldate = {2020-04-24} } @online{domaintools:20170321:hunt:e4d1473, author = {DomainTools}, title = {{Hunt Case Study: Hunting Campaign Indicators on Privacy Protected Attack Infrastructure}}, date = {2017-03-21}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr}, language = {English}, urldate = {2020-05-18} } @online{domaintools:20220407:spm55:dd2a4c8, author = {DomainTools}, title = {{SPM55: Ascending the Ranks of Indonesian Phishing As A Service Offerings}}, date = {2022-04-07}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/spm55-ascending-the-ranks-of-indonesian-phishing-as-a-service-offerings}, language = {English}, urldate = {2022-04-08} } @online{domaintools:20250325:phishing:4b872fd, author = {DomainTools}, title = {{Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict}}, date = {2025-03-25}, organization = {DomainTools}, url = {https://dti.domaintools.com/phishing-campaign-targets-defense-and-aerospace-firms-linked-to-ukraine-conflict/}, language = {English}, urldate = {2025-03-27} } @online{domaintools:20250410:newly:8ccf84d, author = {DomainTools}, title = {{Newly Registered Domains Distributing SpyNote Malware}}, date = {2025-04-10}, organization = {DomainTools}, url = {https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/}, language = {English}, urldate = {2025-06-30} } @online{domaintools:20250527:inside:f25c01e, author = {DomainTools}, title = {{Inside a VenomRAT Malware Campaign}}, date = {2025-05-27}, organization = {DomainTools}, url = {https://dti.domaintools.com/VenomRAT/}, language = {English}, urldate = {2025-06-02} } @online{doman:20141027:scanbox:c4beb38, author = {Chris Doman and Tom Lancaster}, title = {{ScanBox framework – who’s affected, and who’s using it?}}, date = {2014-10-27}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html}, language = {English}, urldate = {2020-01-07} } @online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Unknown}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } @online{doman:20170612:open:b143d52, author = {Christopher Doman}, title = {{Open Source Malware - Sharing is caring?}}, date = {2017-06-12}, organization = {SlideShare}, url = {https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring}, language = {English}, urldate = {2020-01-13} } @online{doman:20181008:delivery:8f2c9ed, author = {Chris Doman}, title = {{Delivery (Key)Boy}}, date = {2018-10-08}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/delivery-keyboy}, language = {English}, urldate = {2019-10-15} } @online{doman:20190306:internet:c3afbc0, author = {Chris Doman}, title = {{Internet of Termites}}, date = {2019-03-06}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/internet-of-termites}, language = {English}, urldate = {2020-01-07} } @online{doman:20200516:recent:bb6d18e, author = {Chris Doman and James Campbell}, title = {{Recent Attacks Against Supercomputers}}, date = {2020-05-16}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/05/16/1318/}, language = {English}, urldate = {2020-05-18} } @online{doman:20200611:ongoing:d94778b, author = {Chris Doman and James Campbell}, title = {{An Ongoing AWS Phishing Campaign}}, date = {2020-06-11}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/}, language = {English}, urldate = {2020-06-12} } @online{doman:20200817:team:01dd484, author = {Chris Doman}, title = {{Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials}}, date = {2020-08-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials}, language = {English}, urldate = {2021-03-12} } @online{doman:20200817:team:a654242, author = {Chris Doman and James Campbell}, title = {{Team TNT - The First Crypto-Mining Worm to Steal AWS Credentials}}, date = {2020-08-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/}, language = {English}, urldate = {2020-08-19} } @online{doman:20201214:responding:639d2ce, author = {Christopher Doman}, title = {{Responding to Solarigate}}, date = {2020-12-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/responding-to-solarigate}, language = {English}, urldate = {2020-12-14} } @online{doman:20210210:punk:dd2c142, author = {Christopher Doman}, title = {{Punk Kitty Ransom - Analysing HelloKitty Ransomware Attacks}}, date = {2021-02-10}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks}, language = {English}, urldate = {2021-02-17} } @online{doman:20210713:resources:13f690a, author = {Christopher Doman}, title = {{Resources for Investigating Cloud and Container Penetration Testing Tools}}, date = {2021-07-13}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/resources-for-investigating-cloud-and-container-penetration-testing-tools}, language = {English}, urldate = {2021-07-20} } @online{doman:20210714:triage:5a7151d, author = {Christopher Doman}, title = {{Triage analysis of Serv-U FTP user backdoor deployed by CVE-2021-35211 (DEV-0322)}}, date = {2021-07-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211}, language = {English}, urldate = {2021-07-20} } @online{domesticus:20120423:bkdrcysxla:73fda09, author = {Domesticus}, title = {{BKDR_CYSXL.A}}, date = {2012-04-23}, organization = {enigmasoft}, url = {https://www.enigmasoftware.com/bkdrcysxla-removal/}, language = {English}, urldate = {2021-01-25} } @online{domingues:20210603:breaking:69967e5, author = {Felipe Domingues and Gustavo Palazolo}, title = {{Breaking Dridex Malware}}, date = {2021-06-03}, organization = {YouTube (FIRST)}, url = {https://www.youtube.com/watch?v=1VB15_HgUkg}, language = {English}, urldate = {2021-06-16} } @online{dominguez:20210302:ploutus:5d96786, author = {Jesus Dominguez and Ocelot Offensive Security Team}, title = {{Ploutus is back, targeting Itautec ATMs in Latin America}}, date = {2021-03-02}, organization = {Metabase Q}, url = {https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america}, language = {English}, urldate = {2021-03-11} } @online{dominguez:20210823:prism:f3b6d3d, author = {Fernando Dominguez}, title = {{PRISM attacks fly under the radar}}, date = {2021-08-23}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar}, language = {English}, urldate = {2021-08-25} } @online{dominguez:20211027:code:2d1f1be, author = {Fernando Dominguez}, title = {{Code similarity analysis with r2diaphora}}, date = {2021-10-27}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora}, language = {English}, urldate = {2021-11-03} } @online{dominguez:20240619:levelblue:3807d64, author = {Fernando Dominguez}, title = {{LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations}}, date = {2024-06-19}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/highly-evasive-squidloader-targets-chinese-organizations}, language = {English}, urldate = {2024-06-24} } @online{done:20201005:darkside:d3005ca, author = {Zawadi Done}, title = {{DarkSide ransomware analysis}}, date = {2020-10-05}, organization = {Zawadi Done}, url = {https://zawadidone.nl/darkside-ransomware-analysis/}, language = {English}, urldate = {2022-02-17} } @online{dong:20201109:old:5454254, author = {Zhengyu Dong}, title = {{An Old Joker’s New Tricks: Using Github To Hide Its Payload}}, date = {2020-11-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html}, language = {English}, urldate = {2020-11-19} } @online{dong:20201117:regretlocker:84dd317, author = {Chuong Dong}, title = {{RegretLocker}}, date = {2020-11-17}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/}, language = {English}, urldate = {2020-11-19} } @online{dong:20201212:contiunpacker:05a9897, author = {Chuong Dong}, title = {{ContiUnpacker: An automatic unpacker for Conti rasnomware}}, date = {2020-12-12}, organization = {Github (cdong1012)}, url = {https://github.com/cdong1012/ContiUnpacker}, language = {English}, urldate = {2020-12-14} } @online{dong:20201215:conti:afb68fe, author = {Chuong Dong}, title = {{Conti Ransomware v2}}, date = {2020-12-15}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/}, language = {English}, urldate = {2020-12-23} } @online{dong:20210103:babuk:b5b2e9e, author = {Chuong Dong}, title = {{Babuk Ransomware}}, date = {2021-01-03}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/}, language = {English}, urldate = {2021-01-21} } @online{dong:20210116:babuk:31553f3, author = {Chuong Dong}, title = {{Babuk Ransomware v3}}, date = {2021-01-16}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/}, language = {English}, urldate = {2021-05-13} } @online{dong:20210506:darkside:461faf9, author = {Chuong Dong}, title = {{Darkside Ransomware}}, date = {2021-05-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/}, language = {English}, urldate = {2021-05-13} } @online{dong:20210506:darkside:adaa792, author = {Chuong Dong}, title = {{Darkside Ransomware}}, date = {2021-05-06}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/}, language = {English}, urldate = {2021-05-11} } @online{dong:20210523:mountlocker:4b3d011, author = {Chuong Dong}, title = {{MountLocker Ransomware}}, date = {2021-05-23}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/}, language = {English}, urldate = {2021-06-16} } @online{dong:20210721:strongpity:f87c7bd, author = {Zhengyu Dong and Fyodor Yarochkin and Steven Du}, title = {{StrongPity APT Group Deploys Android Malware for the First Time}}, date = {2021-07-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html}, language = {English}, urldate = {2021-07-26} } @online{dong:20210905:blackmatter:2673021, author = {Chuong Dong}, title = {{BlackMatter Ransomware v2.0}}, date = {2021-09-05}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/}, language = {English}, urldate = {2021-09-09} } @online{dong:20211001:squirrelwaffle:24c9b06, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}}, date = {2021-10-01}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/}, language = {English}, urldate = {2021-10-14} } @online{dong:20211008:squirrelwaffle:4549cd1, author = {Chuong Dong}, title = {{SQUIRRELWAFFLE – Analysing The Main Loader}}, date = {2021-10-08}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/}, language = {English}, urldate = {2021-10-14} } @online{dong:20211013:atomsilo:9d4ce80, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-02-02} } @online{dong:20211013:atomsilo:d3abf78, author = {Chuong Dong}, title = {{AtomSilo Ransomware}}, date = {2021-10-13}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/}, language = {English}, urldate = {2022-01-25} } @online{dong:20211026:dridex:e054dc4, author = {Chuong Dong}, title = {{DRIDEX: Analysing API Obfuscation Through VEH}}, date = {2021-10-26}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/}, language = {English}, urldate = {2021-11-03} } @online{dong:20211123:hancitor:140d2c0, author = {Chuong Dong}, title = {{HANCITOR: Analysing The Malicious Document}}, date = {2021-11-23}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/}, language = {English}, urldate = {2022-02-01} } @online{dong:20211217:diavol:710941d, author = {Chuong Dong}, title = {{Diavol Ransomware}}, date = {2021-12-17}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/}, language = {English}, urldate = {2021-12-22} } @online{dong:20211231:hancitor:734a06a, author = {Chuong Dong}, title = {{HANCITOR: Analysing The Main Loader}}, date = {2021-12-31}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/}, language = {English}, urldate = {2022-02-01} } @online{dong:20220106:rook:0b69fa6, author = {Chuong Dong}, title = {{Rook Ransomware Analysis}}, date = {2022-01-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/}, language = {English}, urldate = {2022-01-12} } @online{dong:20220215:matanbuchus:cd8acc2, author = {Chuong Dong}, title = {{MATANBUCHUS: Another Loader As A Service Malware}}, date = {2022-02-15}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/}, language = {English}, urldate = {2022-02-17} } @online{dong:20220216:sms:96151cc, author = {Zhengyu Dong and Ryan Flores and Vladimir Kropotov and Paul Pajares and Fyodor Yarochkin}, title = {{SMS PVA Services' Use of Infected Android Phones Reveals Flaws in SMS Verification}}, date = {2022-02-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html}, language = {English}, urldate = {2022-03-02} } @online{dong:20220319:lockbit:cafbe56, author = {Chuong Dong}, title = {{LockBit Ransomware v2.0}}, date = {2022-03-19}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/}, language = {English}, urldate = {2022-03-22} } @online{dong:20220419:bazarloader:902cf53, author = {Chuong Dong}, title = {{BAZARLOADER: Unpacking An ISO File Infection}}, date = {2022-04-19}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/}, language = {English}, urldate = {2022-04-20} } @online{dong:20220527:bazarloader:0729146, author = {Chuong Dong}, title = {{BAZARLOADER: Analysing The Main Loader}}, date = {2022-05-27}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/}, language = {English}, urldate = {2022-05-29} } @online{dong:20220903:play:7d47c79, author = {Chuong Dong}, title = {{PLAY Ransomware}}, date = {2022-09-03}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/}, language = {English}, urldate = {2022-09-07} } @online{donohue:20141125:regin:15d544f, author = {Brain Donohue}, title = {{Regin APT Attacks Among the Most Sophisticated Ever Analyzed}}, date = {2014-11-25}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/}, language = {English}, urldate = {2019-12-17} } @online{donohue:20220316:uncompromised:959f0d0, author = {Brian Donohue and Laura Brosnan}, title = {{Uncompromised: When REvil comes knocking}}, date = {2022-03-16}, organization = {Red Canary}, url = {https://redcanary.com/blog/uncompromised-kaseya/}, language = {English}, urldate = {2022-03-17} } @online{doraisjoncas:20120316:osximuler:badbc2e, author = {Alexis Dorais-Joncas}, title = {{OSX/Imuler updated: still a threat on Mac OS X}}, date = {2012-03-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/}, language = {English}, urldate = {2019-11-14} } @techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} } @online{dorfman:20200715:exclusive:6a11ebe, author = {Zach Dorfman and Kim Zetter and Jenna McLaughlin and Sean D. Naylor}, title = {{Exclusive: Secret Trump order gives CIA more powers to launch cyberattacks}}, date = {2020-07-15}, organization = {Yahoo News}, url = {https://news.yahoo.com/secret-trump-order-gives-cia-more-powers-to-launch-cyberattacks-090015219.html}, language = {English}, urldate = {2020-07-16} } @online{dorfman:20210128:in:58cbf10, author = {Zach Dorfman}, title = {{In cyber espionage, U.S. is both hunted and hunter}}, date = {2021-01-28}, organization = {axios}, url = {https://www.axios.com/american-cyber-warfare-solarwinds-d50815d6-2e03-4e3c-83ab-9d2f5e20d6f5.html}, language = {English}, urldate = {2021-01-29} } @online{dorneanu:20140707:disect:49df4ee, author = {Victor Dorneanu}, title = {{Disect Android APKs like a Pro - Static code analysis}}, date = {2014-07-07}, url = {http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/}, language = {English}, urldate = {2020-01-07} } @online{douglas:20170309:spora:7038fba, author = {Kevin Douglas}, title = {{Spora Ransomware: Understanding the HTA Infection Vector}}, date = {2017-03-09}, organization = {Tenable}, url = {https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas}, language = {English}, urldate = {2020-01-10} } @online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } @online{downs:20151016:surveillance:86d472f, author = {Rob Downs}, title = {{Surveillance Malware Trends: Tracking Predator Pain and HawkEye}}, date = {2015-10-16}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/}, language = {English}, urldate = {2019-12-20} } @online{doyle:20241115:iranian:094a007, author = {Kirsten Doyle}, title = {{Iranian “Dream Job” Cyber Campaign Targets Aerospace Sector}}, date = {2024-11-15}, organization = {Information Security Buzz}, url = {https://informationsecuritybuzz.com/iranian-dream-job-aerospace/}, language = {English}, urldate = {2024-12-02} } @online{dr4k0nia:20230104:unpacking:e991808, author = {dr4k0nia}, title = {{Unpacking RedLine Stealer}}, date = {2023-01-04}, url = {https://dr4k0nia.github.io/posts/Unpacking-RedLine-Stealer/}, language = {English}, urldate = {2023-01-06} } @online{dr4k0nia:20230205:analysing:a89dbe6, author = {dr4k0nia}, title = {{Analysing A Sample Of Arechclient2}}, date = {2023-02-05}, organization = {dr4k0nia}, url = {https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/}, language = {English}, urldate = {2023-02-06} } @online{dragoni:20210622:how:9ecf77e, author = {Younes Dragoni}, title = {{How to Dissect Unusual Protocols for Troubleshooting OT Security}}, date = {2021-06-22}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/how-to-dissect-unusual-protocols-for-troubleshooting-ot-security/}, language = {English}, urldate = {2021-09-24} } @techreport{dragos:20170613:crashoverride:33b0a7e, author = {Dragos}, title = {{CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dragos:20171213:trisis:43675c1, author = {Dragos}, title = {{TRISIS Malware: Analysis of Safety System Targeted Malware}}, date = {2017-12-13}, institution = {Dragos}, url = {https://dragos.com/blog/trisis/TRISIS-01.pdf}, language = {English}, urldate = {2020-01-13} } @online{dragos:2017:xenotime:2f1bfdf, author = {Dragos}, title = {{XENOTIME}}, date = {2017}, organization = {Dragos}, url = {https://www.dragos.com/threat/xenotime/}, language = {English}, urldate = {2022-10-06} } @techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } @online{dragos:20180802:raspite:1873c25, author = {Dragos}, title = {{Raspite}}, date = {2018-08-02}, organization = {Dragos}, url = {https://dragos.com/blog/20180802Raspite.html}, language = {English}, urldate = {2020-01-13} } @online{dragos:20190403:allanite:46dcddd, author = {Dragos}, title = {{Allanite}}, date = {2019-04-03}, organization = {Dragos}, url = {https://dragos.com/blog/20180510Allanite.html}, language = {English}, urldate = {2020-01-09} } @techreport{dragos:20190801:global:2b76e8c, author = {Dragos}, title = {{Global Oil and Gas Cyber Threat Perspective}}, date = {2019-08-01}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-01-09} } @online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } @online{dragos:20200109:parisite:d17dd24, author = {Dragos}, title = {{PARISITE}}, date = {2020-01-09}, organization = {Dragos}, url = {https://www.dragos.com/threat/parisite}, language = {English}, urldate = {2020-09-18} } @techreport{dragos:202001:north:41ab73f, author = {Dragos}, title = {{North American Electric Cyber Threat Perspective}}, date = {2020-01}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-09-18} } @online{dragos:20200203:ekans:041a3ee, author = {Dragos}, title = {{EKANS Ransomware and ICS Operations}}, date = {2020-02-03}, organization = {Dragos}, url = {https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/}, language = {English}, urldate = {2020-02-04} } @techreport{dragos:20200224:2019:b583cc8, author = {Dragos}, title = {{2019 Year In Review: The ICS Landscape and Threat Actviity Groups}}, date = {2020-02-24}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf}, language = {English}, urldate = {2020-09-18} } @techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } @online{dragos:2020:wassonite:56af64a, author = {Dragos}, title = {{WASSONITE Threat Group}}, date = {2020}, organization = {Dragos}, url = {https://www.dragos.com/threat/wassonite/}, language = {English}, urldate = {2025-01-29} } @techreport{dragos:20210224:ics:772b80b, author = {Dragos}, title = {{ICS Cybersecurity Year in Review 2020}}, date = {2021-02-24}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf}, language = {English}, urldate = {2021-02-25} } @online{dragos:20210329:new:6fccae8, author = {Dragos}, title = {{New ICS Threat Activity Group: STIBNITE}}, date = {2021-03-29}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/}, language = {English}, urldate = {2021-03-31} } @online{dragos:20210426:new:19b4a05, author = {Dragos}, title = {{New ICS Threat Activity Group: TALONITE}}, date = {2021-04-26}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/}, language = {English}, urldate = {2021-05-04} } @techreport{dragos:20220223:2021:539931a, author = {Dragos}, title = {{2021 ICS OT Cybersecurity Year In Review}}, date = {2022-02-23}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf}, language = {English}, urldate = {2022-04-12} } @techreport{dragos:20220404:european:3ef1ac2, author = {Dragos}, title = {{European Industrial Infrastructure Cyber Threat Perspective}}, date = {2022-04-04}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_WP_EuropeThreatPerspective_April2022.pdf}, language = {English}, urldate = {2022-04-07} } @techreport{dragos:20220413:pipedream:6135305, author = {Dragos}, title = {{PIPEDREAM: CHERNOVITE’S Emerging Malware Targeting Industrial Control Systems}}, date = {2022-04-13}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf}, language = {English}, urldate = {2025-06-11} } @online{dragos:20230414:2022:e31c255, author = {Dragos}, title = {{2022 ICS/OT Threat Landscape Recap & What to Watch for This Year}}, date = {2023-04-14}, organization = {Dragos}, url = {https://www.dragos.com/blog/2022-ics-ot-threat-landscape-recap-what-to-watch-for-this-year/}, language = {English}, urldate = {2025-01-29} } @techreport{dragos:20230414:dragos:c3b122b, author = {Dragos}, title = {{Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure}}, date = {2023-04-14}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Dragos_IntelBrief_Russian-Programs-Threatening-Critical_Infrastructure.pdf}, language = {English}, urldate = {2023-04-22} } @online{dragos:20230510:deconstructing:e2efdbd, author = {Dragos}, title = {{Deconstructing a Cybersecurity Event}}, date = {2023-05-10}, organization = {Dragos}, url = {https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/}, language = {English}, urldate = {2023-05-15} } @online{dragos:20230712:mitigating:708bc0d, author = {Dragos}, title = {{Mitigating CVE-2023-3595 and CVE-2023-3596 Impacting Rockwell Automation ControlLogix Firmware}}, date = {2023-07-12}, organization = {Dragos}, url = {https://www.dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/}, language = {English}, urldate = {2023-07-13} } @online{dragos:20240216:voltzite:4b5ab28, author = {Dragos}, title = {{VOLTZITE}}, date = {2024-02-16}, organization = {Dragos}, url = {https://www.dragos.com/threat/voltzite/}, language = {English}, urldate = {2025-05-02} } @online{dragos:20240723:protect:c1f96cc, author = {Dragos}, title = {{Protect Against the FrostyGoop ICS Malware Threat with OT Cybersecurity Basics}}, date = {2024-07-23}, organization = {Dragos}, url = {https://www.dragos.com/blog/protect-against-frostygoop-ics-malware-targeting-operational-technology/}, language = {English}, urldate = {2025-04-25} } @online{driker:20200915:rudeminer:1cea628, author = {David Driker and Amir Landau}, title = {{Rudeminer, Blacksquid and Lucifer Walk Into A Bar}}, date = {2020-09-15}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/}, language = {English}, urldate = {2020-09-18} } @online{drstache:20200212:manabotnet:9a3d3c6, author = {DrStache}, title = {{Tweet on ManaBotnet}}, date = {2020-02-12}, organization = {Twitter (@DrStache_)}, url = {https://twitter.com/DrStache_/status/1227662001247268864}, language = {English}, urldate = {2020-02-27} } @online{drweb:20120822:first:3c5cc7e, author = {Dr.Web}, title = {{The first Trojan in history to steal Linux and Mac OS X passwords}}, date = {2012-08-22}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=2679&lng=en&c=14}, language = {English}, urldate = {2020-01-13} } @online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } @online{drweb:20160822:trojanmutabaha1:912e922, author = {Dr.Web}, title = {{Trojan.Mutabaha.1}}, date = {2016-08-22}, organization = {Dr.Web}, url = {http://vms.drweb.ru/virus/?_is=1&i=8477920}, language = {Russian}, urldate = {2020-01-09} } @online{drweb:20160908:doctor:00c53a5, author = {Dr.Web}, title = {{Doctor Web discovers Linux Trojan written in Rust}}, date = {2016-09-08}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?c=5&i=10193&lng=en}, language = {English}, urldate = {2020-01-05} } @online{drweb:20170511:macbackdoorsystemd1:c74a3ef, author = {Dr.Web}, title = {{Mac.BackDoor.Systemd.1}}, date = {2017-05-11}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en}, language = {English}, urldate = {2020-01-08} } @online{drweb:20180807:doctor:4154c38, author = {Dr.Web}, title = {{Doctor Web discovered a clipper Trojan for Android}}, date = {2018-08-07}, organization = {Dr.Web}, url = {https://news.drweb.com/show?lng=en&i=12739}, language = {English}, urldate = {2020-01-13} } @online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } @online{drweb:20200301:backdoorspyder1:c9f5b5c, author = {Dr.Web}, title = {{BackDoor.Spyder.1}}, date = {2020-03-01}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?i=23648386}, language = {English}, urldate = {2022-05-05} } @online{drweb:20200625:backdoorshadowpad1:a8a85c0, author = {Dr.Web}, title = {{BackDoor.ShadowPad.1}}, date = {2020-06-25}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?i=21995048}, language = {English}, urldate = {2024-01-19} } @techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{drweb:20200925:spear:aeadfac, author = {Dr.Web}, title = {{Spear phishing campaigns threaten Russian fuel and energy companies}}, date = {2020-09-25}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } @techreport{drweb:20210301:study:f18b66b, author = {Dr.Web}, title = {{Study of the Spyder modularbackdoor for targeted attacks}}, date = {2021-03-01}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf}, language = {English}, urldate = {2021-03-24} } @techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } @online{drweb:20210701:android:dfee3fe, author = {Dr.Web}, title = {{Android trojans steal Facebook users’ logins and passwords}}, date = {2021-07-01}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=14244&lng=en}, language = {English}, urldate = {2021-07-11} } @online{drweb:20220402:study:3a784e2, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2022-04-02}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=14177}, language = {Russian}, urldate = {2022-08-09} } @online{drweb:20240311:study:413a053, author = {Dr.Web}, title = {{Study of a targeted attack on a Russian enterprise in the mechanical-engineering sector}}, date = {2024-03-11}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=14823&lng=en&c=5}, language = {English}, urldate = {2024-03-18} } @techreport{drweb:20240903:study:3cde2f6, author = {Dr.Web}, title = {{Study of a targeted attack on a Russian rail freight operator}}, date = {2024-09-03}, institution = {Dr. Web}, url = {https://st.drweb.com/static/new-www/news/2024/september/Study_of_a_targeted_attack_on_a_Russian_rail_freight_operator_en.pdf}, language = {English}, urldate = {2024-10-25} } @online{drweb:20240912:void:55e6236, author = {Dr.Web}, title = {{Void captures over a million Android TV boxes}}, date = {2024-09-12}, organization = {Dr. Web}, url = {https://news.drweb.com/show/?i=14900}, language = {English}, urldate = {2025-03-06} } @techreport{dsirf:20211217:dsirf:2c4b5ce, author = {DSIRF}, title = {{DSIRF Company Presentation}}, date = {2021-12-17}, institution = {DSIRF}, url = {https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf}, language = {English}, urldate = {2022-08-01} } @online{dsouza:20190311:resecurity:8388bc5, author = {Melissa Dsouza}, title = {{Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.}}, date = {2019-03-11}, organization = {Packt}, url = {https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/}, language = {English}, urldate = {2020-01-10} } @online{dsouza:20240919:finding:dedea10, author = {Praveeth DSouza}, title = {{Finding Malware: Unveiling RECORDSTEALER with Google Security Operations}}, date = {2024-09-19}, organization = {Google}, url = {https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-RECORDSTEALER-with-Google-Security/ba-p/803490}, language = {English}, urldate = {2024-12-09} } @online{dsouza:20250430:finding:e1bd3f1, author = {Praveeth DSouza}, title = {{Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations}}, date = {2025-04-30}, organization = {Google Cloud Community}, url = {https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-LUMMAC-V2-with-Google-Security/ba-p/899110}, language = {English}, urldate = {2025-05-20} } @online{dsu:20220204:actinium:d8bba0e, author = {Microsoft Digital Security Unit (DSU) and Microsoft Threat Intelligence}, title = {{ACTINIUM targets Ukrainian organizations}}, date = {2022-02-04}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/}, language = {English}, urldate = {2025-06-20} } @online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } @online{du:20210416:xcsset:9c5ad09, author = {Steven Du and Dechao Zhao and Luis Magisa and Ariel Neimond Lazaro}, title = {{XCSSET Quickly Adapts to macOS 11 and M1-based Macs}}, date = {2021-04-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html}, language = {English}, urldate = {2021-04-28} } @online{du:20210930:mac:9a6648a, author = {Steven Du and Luis Magisa}, title = {{Mac Users Targeted by Trojanized iTerm2 App}}, date = {2021-09-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html}, language = {English}, urldate = {2021-10-19} } @online{duan:20201029:domain:413ffab, author = {Ruian Duan and Zhanhao Chen and Seokkyung Chung and Janos Szurdi and Jingwei Fan}, title = {{Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/domain-parking/}, language = {English}, urldate = {2020-11-02} } @techreport{duarte:20220309:sockbot:a9095cc, author = {Felipe Duarte and Ido Naor}, title = {{Sockbot in GoLand}}, date = {2022-03-09}, institution = {Security Joes}, url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf}, language = {English}, urldate = {2022-03-10} } @online{duarte:20220718:plugx:bfdba72, author = {Felipe Duarte}, title = {{PlugX DLL Side-Loading Technique}}, date = {2022-07-18}, organization = {YouTube (Security Joes)}, url = {https://www.youtube.com/watch?v=E2_DTQJjDYc}, language = {English}, urldate = {2022-07-19} } @techreport{duarte:20220914:dissecting:6ab0659, author = {Felipe Duarte}, title = {{Dissecting PlugX to Extract Its Crown Jewels}}, date = {2022-09-14}, institution = {Security Joes}, url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf}, language = {English}, urldate = {2022-09-16} } @online{ducharme:20190911:watchbog:7f5240b, author = {Luke DuCharme and Paul Lee}, title = {{Watchbog and the Importance of Patching}}, date = {2019-09-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/09/watchbog-patching.html}, language = {English}, urldate = {2020-05-18} } @online{ducklin:20140121:digitally:4a7a4ee, author = {Paul Ducklin}, title = {{Digitally signed data-stealing malware targets Mac users in “undelivered courier item” attack}}, date = {2014-01-21}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/}, language = {English}, urldate = {2020-01-09} } @online{ducklin:20160229:hawkeye:e5bd59b, author = {Paul Ducklin}, title = {{The “HawkEye” attack: how cybercrooks target small businesses for big money}}, date = {2016-02-29}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/}, language = {English}, urldate = {2019-11-27} } @online{ducklin:20180131:what:4aa6a12, author = {Paul Ducklin}, title = {{What are “WannaMine” attacks, and how do I avoid them?}}, date = {2018-01-31}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/}, language = {English}, urldate = {2020-11-25} } @online{ducklin:20200624:glupteba:8f0c66a, author = {Paul Ducklin}, title = {{Glupteba - the malware that gets secret messages from the Bitcoin blockchain}}, date = {2020-06-24}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/}, language = {English}, urldate = {2020-06-26} } @online{ducklin:20210806:conti:9bcfb85, author = {Paul Ducklin}, title = {{Conti ransomware affiliate goes rogue, leaks “gang data”}}, date = {2021-08-06}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/}, language = {English}, urldate = {2022-03-18} } @online{dudek:20190410:trisis:480b199, author = {Marcin Dudek}, title = {{TRISIS / TRITON / HatMan Malware Repository}}, date = {2019-04-10}, organization = {Github (ICSrepo)}, url = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN}, language = {English}, urldate = {2019-07-09} } @online{dudek:20211231:iko:bd137c3, author = {Marcin Dudek and Michał Praszmo}, title = {{IKO activation - Malware campaign}}, date = {2021-12-31}, organization = {CERT.PL}, url = {https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/}, language = {Polish}, urldate = {2022-01-05} } @online{duhin:20230126:unpacking:8ff4776, author = {Ilan Duhin}, title = {{Unpacking Emotet Malware}}, date = {2023-01-26}, organization = {Acronis}, url = {https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb}, language = {English}, urldate = {2023-01-27} } @online{duhin:20230129:petyanot:23c3555, author = {Ilan Duhin}, title = {{Petya/Not Petya Ransomware Analysis}}, date = {2023-01-29}, organization = {Acronis}, url = {https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786}, language = {English}, urldate = {2023-01-31} } @online{duhin:20230226:emotet:b21451d, author = {Ilan Duhin and Yossi Poberezsky}, title = {{Emotet Campaign}}, date = {2023-02-26}, organization = {Medium Ilandu}, url = {https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5}, language = {English}, urldate = {2023-02-27} } @online{duhin:20230319:vawtrak:1cccd8c, author = {Ilan Duhin}, title = {{Vawtrak Analysis}}, date = {2023-03-19}, url = {https://medium.com/@Ilandu/vawtrak-malware-824818c1837}, language = {English}, urldate = {2023-03-20} } @online{duhin:20230405:portdoor:e39d907, author = {Ilan Duhin}, title = {{PortDoor - APT Backdoor analysis}}, date = {2023-04-05}, organization = {Medium Ilandu}, url = {https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba}, language = {English}, urldate = {2023-04-06} } @techreport{dumont:20181201:dark:20efc15, author = {Romain Dumont and Marc-Etienne M.Léveillé and Hugo Porcher}, title = {{THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors}}, date = {2018-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf}, language = {English}, urldate = {2020-01-09} } @online{dumont:20190409:oceanlotus:eb8a99f, author = {Romain Dumont}, title = {{OceanLotus: macOS malware update}}, date = {2019-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/}, language = {English}, urldate = {2019-11-14} } @online{dumont:20220613:technical:631941a, author = {Romain Dumont}, title = {{Technical Analysis of PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers}}, date = {2022-06-13}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter}, language = {English}, urldate = {2022-07-01} } @online{dumont:20220921:technical:3feb7d0, author = {Romain Dumont}, title = {{Technical Analysis of Crytox Ransomware}}, date = {2022-09-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware}, language = {English}, urldate = {2022-09-30} } @online{dumont:20240828:analysis:db4e113, author = {Romain Dumont}, title = {{Analysis of two arbitrary code execution vulnerabilities affecting WPS Office}}, date = {2024-08-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/}, language = {English}, urldate = {2024-12-16} } @online{dumont:20241002:separating:1ba6988, author = {Romain Dumont}, title = {{Separating the bee from the panda: CeranaKeeper making a beeline for Thailand}}, date = {2024-10-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/}, language = {English}, urldate = {2024-10-18} } @online{duncan:20160509:pseudodarkleech:5dff946, author = {Brad Duncan}, title = {{PseudoDarkLeech Angler EK from 185.118.66.154 sends Bedep/CryptXXX}}, date = {2016-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2016/05/09/index.html}, language = {English}, urldate = {2023-03-23} } @online{duncan:20170117:eitest:f6e103b, author = {Brad Duncan}, title = {{EITEST RIG-V FROM 92.53.127.86 SENDS SPORA RANSOMWARE}}, date = {2017-01-17}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/01/17/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170117:vreikstadi:aea370f, author = {Brad Duncan}, title = {{Tweet on Vreikstadi Malspam}}, date = {2017-01-17}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/821483557990318080}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170121:sage:cf422da, author = {Brad Duncan}, title = {{Sage 2.0 Ransomware}}, date = {2017-01-21}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/}, language = {English}, urldate = {2019-07-11} } @online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170425:20170425:dfd0f09, author = {Brian Duncan}, title = {{2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT}}, date = {2017-04-25}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/25/index.html}, language = {English}, urldate = {2019-11-29} } @online{duncan:20170509:rig:c6b2df9, author = {Brad Duncan}, title = {{RIG EK SENDS BUNITU TROJAN}}, date = {2017-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170516:20170516:920d589, author = {Brad Duncan}, title = {{2017-05-16 - MORE EXAMPLES OF MALSPAM PUSHING JAFF RANSOMWARE}}, date = {2017-05-16}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/16/index.html}, language = {English}, urldate = {2020-01-07} } @online{duncan:20170612:20170612:04b2c09, author = {Brian Duncan}, title = {{2017-06-12 - LOKI BOT MALSPAM - SUBJECT: RE: PURCHASE ORDER 457211}}, date = {2017-06-12}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/06/12/index.html}, language = {English}, urldate = {2019-11-28} } @online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20170704:malspam:3713609, author = {Brad Duncan}, title = {{MALSPAM WITH JAVA-BASED RAT}}, date = {2017-07-04}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/07/04/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20170901:eitest:6388761, author = {Brad Duncan}, title = {{EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware}}, date = {2017-09-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/}, language = {English}, urldate = {2019-12-20} } @online{duncan:20171013:blank:71e7858, author = {Brad Duncan}, title = {{Blank Slate Malspam Stops Pushing Locky, Starts Pushing Sage 2.2 Randsomware}}, date = {2017-10-13}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/10/13/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20171102:20171102:dfff76e, author = {Brad Duncan}, title = {{2017-11-02 - ADVENTURES WITH SMOKE LOADER}}, date = {2017-11-02}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/11/02/index.html}, language = {English}, urldate = {2020-01-06} } @online{duncan:20171123:necurs:15f819e, author = {Brad Duncan}, title = {{NECURS BOTNET MALSPAM PUSHES "SCARAB" RANSOMWARE}}, date = {2017-11-23}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/11/23/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } @online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } @online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } @online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } @online{duncan:20181204:malspam:8e2d810, author = {Brad Duncan}, title = {{Malspam pushing Lokibot malware}}, date = {2018-12-04}, url = {https://isc.sans.edu/diary/24372}, language = {English}, urldate = {2019-10-29} } @online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190123:russian:150eb22, author = {Brad Duncan and Mike Harbison}, title = {{Russian Language Malspam Pushing Redaman Banking Malware}}, date = {2019-01-23}, url = {https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190625:rig:31ecb33, author = {Brad Duncan}, title = {{Rig Exploit Kit sends Pitou.B Trojan}}, date = {2019-06-25}, organization = {SANS}, url = {https://isc.sans.edu/diary/rss/25068}, language = {English}, urldate = {2019-12-17} } @online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } @online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } @online{duncan:20191219:valak:a793639, author = {Brad Duncan}, title = {{Tweet on Valak Malware}}, date = {2019-12-19}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/1207824548021886977}, language = {English}, urldate = {2020-01-05} } @online{duncan:20191223:wireshark:11f95ab, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Ursnif Infections}}, date = {2019-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20200123:german:2c867b2, author = {Brad Duncan}, title = {{German language malspam pushes Ursnif}}, date = {2020-01-23}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/}, language = {English}, urldate = {2020-01-26} } @online{duncan:20200213:wireshark:3110e30, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Qakbot Infections}}, date = {2020-02-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/}, language = {English}, urldate = {2022-10-05} } @online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} } @online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } @online{duncan:20200724:evolution:a372b2b, author = {Brad Duncan}, title = {{Evolution of Valak, from Its Beginnings to Mass Distribution}}, date = {2020-07-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/valak-evolution/}, language = {English}, urldate = {2020-08-05} } @online{duncan:20200821:wireshark:d98d5ed, author = {Brad Duncan}, title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}}, date = {2020-08-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/}, language = {English}, urldate = {2020-08-25} } @online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } @online{duncan:20200910:recent:f9e103f, author = {Brad Duncan}, title = {{Recent Dridex activity}}, date = {2020-09-10}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/}, language = {English}, urldate = {2020-09-15} } @online{duncan:20200923:case:078ee7f, author = {Brad Duncan}, title = {{Case Study: Emotet Thread Hijacking, an Email Attack Technique}}, date = {2020-09-23}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/emotet-thread-hijacking/}, language = {English}, urldate = {2022-11-28} } @online{duncan:20201119:threat:67ef9bd, author = {Kyle Duncan}, title = {{Threat Actor Utilizes COVID-19 Uncertainty to Target Users}}, date = {2020-11-19}, organization = {Cofense}, url = {https://cofense.com/threat-actor-utilizes-covid-19-uncertainty-to-target-users/}, language = {English}, urldate = {2020-11-23} } @online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } @online{duncan:20210107:ta551:6346c62, author = {Brad Duncan}, title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}}, date = {2021-01-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/}, language = {English}, urldate = {2021-01-11} } @online{duncan:20210113:hancitor:55f3ea5, author = {Brad Duncan}, title = {{Hancitor activity resumes after a hoilday break}}, date = {2021-01-13}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/}, language = {English}, urldate = {2021-01-21} } @online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } @online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } @online{duncan:20210330:20210329:bf22ea0, author = {Brad Duncan}, title = {{2021-03-29 BazaCall (BazarCall) Example}}, date = {2021-03-30}, organization = {YouTube ( malware-traffic-analysis.net)}, url = {https://www.youtube.com/watch?v=uAkeXCYcl4Y}, language = {English}, urldate = {2021-03-31} } @online{duncan:20210401:hancitors:8876ca1, author = {Brad Duncan}, title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/}, language = {English}, urldate = {2021-04-06} } @online{duncan:20210407:wireshark:3c806d8, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Traffic from Hancitor Infections}}, date = {2021-04-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/}, language = {English}, urldate = {2021-04-12} } @online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } @online{duncan:20210519:bazarcall:60c6562, author = {Brad Duncan}, title = {{BazarCall: Call Centers Help Spread BazarLoader Malware}}, date = {2021-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-malware/}, language = {English}, urldate = {2021-05-20} } @online{duncan:20210709:hancitor:814e815, author = {Brad Duncan}, title = {{Hancitor tries XLL as initial malware file}}, date = {2021-07-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27618}, language = {English}, urldate = {2021-07-19} } @online{duncan:20210901:strrat:82432b9, author = {Brad Duncan}, title = {{STRRAT: a Java-based RAT that doesn't care if you have Java}}, date = {2021-09-01}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27798}, language = {English}, urldate = {2021-09-02} } @online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } @online{duncan:20210929:20210929:e348fca, author = {Brad Duncan}, title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}}, date = {2021-09-29}, organization = {Malware Traffic Analysis}, url = {https://malware-traffic-analysis.net/2021/09/29/index.html}, language = {English}, urldate = {2021-11-03} } @online{duncan:20210929:hancitor:e510da9, author = {Brad Duncan}, title = {{Hancitor with Cobalt Strike}}, date = {2021-09-29}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/29/index.html}, language = {English}, urldate = {2022-02-01} } @online{duncan:20211018:case:bdd95ff, author = {Brad Duncan}, title = {{Case Study: From BazarLoader to Network Reconnaissance}}, date = {2021-10-18}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/}, language = {English}, urldate = {2021-10-22} } @online{duncan:20211116:emotet:3545954, author = {Brad Duncan}, title = {{Emotet Returns}}, date = {2021-11-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28044}, language = {English}, urldate = {2021-11-17} } @online{duncan:20211203:ta551:f71be57, author = {Brad Duncan}, title = {{TA551 (Shathak) pushes IcedID (Bokbot)}}, date = {2021-12-03}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/}, language = {English}, urldate = {2021-12-06} } @online{duncan:20211216:how:6fd0b06, author = {Brad Duncan}, title = {{How the "Contact Forms" campaign tricks people}}, date = {2021-12-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/}, language = {English}, urldate = {2021-12-31} } @online{duncan:20211230:agent:2b24ea4, author = {Brad Duncan}, title = {{Agent Tesla Updates SMTP Data Exfiltration Technique}}, date = {2021-12-30}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28190}, language = {English}, urldate = {2022-01-03} } @online{duncan:20220117:iocs:2a5e814, author = {Brad Duncan}, title = {{IOCs for Astaroth/Guildma malware infection}}, date = {2022-01-17}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt}, language = {English}, urldate = {2022-01-25} } @online{duncan:20220119:0000:cdac125, author = {Brad Duncan}, title = {{0.0.0.0 in Emotet Spambot Traffic}}, date = {2022-01-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28254}, language = {English}, urldate = {2022-01-24} } @online{duncan:20220125:emotet:9c62525, author = {Brad Duncan}, title = {{Emotet Stops Using 0.0.0.0 in Spambot Traffic}}, date = {2022-01-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/}, language = {English}, urldate = {2022-02-01} } @online{duncan:20220316:qakbot:7fe703f, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/}, language = {English}, urldate = {2022-03-17} } @online{duncan:20220316:qakbot:ff11e1e, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28448}, language = {English}, urldate = {2022-03-17} } @online{duncan:20220323:arkei:b2a08f5, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28468}, language = {English}, urldate = {2022-03-25} } @online{duncan:20220323:arkei:f9a44a4, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468}, language = {English}, urldate = {2023-04-25} } @online{duncan:20220406:windows:2685e57, author = {Brad Duncan}, title = {{Windows MetaStealer Malware}}, date = {2022-04-06}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28522}, language = {English}, urldate = {2022-06-27} } @online{duncan:20220406:windows:3802dbd, author = {Brad Duncan}, title = {{Windows MetaStealer Malware}}, date = {2022-04-06}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/}, language = {English}, urldate = {2022-05-05} } @online{duncan:20220420:aa:eb304fb, author = {Brad Duncan}, title = {{'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic}}, date = {2022-04-20}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28568}, language = {English}, urldate = {2022-04-25} } @online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } @online{duncan:20220511:ta578:2128ae0, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28636}, language = {English}, urldate = {2022-05-17} } @online{duncan:20220517:emotet:5f61714, author = {Brad Duncan}, title = {{Emotet Summary: November 2021 Through January 2022}}, date = {2022-05-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/}, language = {English}, urldate = {2022-05-29} } @online{duncan:20220519:bumblebee:0703c7d, author = {Brad Duncan}, title = {{Bumblebee Malware from TransferXL URLs}}, date = {2022-05-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664}, language = {English}, urldate = {2023-04-06} } @online{duncan:20220519:bumblebee:20c59e6, author = {Brad Duncan}, title = {{Bumblebee Malware from TransferXL URLs}}, date = {2022-05-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28664}, language = {English}, urldate = {2022-05-25} } @online{duncan:20220609:ta570:a51c1eb, author = {Brad Duncan}, title = {{TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)}}, date = {2022-06-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28728}, language = {English}, urldate = {2022-06-09} } @online{duncan:20220617:malspam:25c76a4, author = {Brad Duncan}, title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}}, date = {2022-06-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28752}, language = {English}, urldate = {2022-06-22} } @online{duncan:20220707:emotet:3732ca7, author = {Brad Duncan}, title = {{Emotet infection with Cobalt Strike}}, date = {2022-07-07}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/}, language = {English}, urldate = {2022-07-12} } @online{duncan:20220727:icedid:839e33a, author = {Brad Duncan}, title = {{IcedID (Bokbot) with Dark VNC and Cobalt Strike}}, date = {2022-07-27}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884}, language = {English}, urldate = {2022-07-28} } @online{duncan:20220803:flight:a8efd82, author = {Brad Duncan}, title = {{Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware}}, date = {2022-08-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/}, language = {English}, urldate = {2022-08-08} } @online{duncan:20220812:monster:cbf3101, author = {Brad Duncan}, title = {{Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike}}, date = {2022-08-12}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28934}, language = {English}, urldate = {2022-08-15} } @online{duncan:20220819:brazil:ba12b0c, author = {Brad Duncan}, title = {{Brazil malspam pushes Astaroth (Guildma) malware}}, date = {2022-08-19}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962}, language = {English}, urldate = {2022-08-28} } @online{duncan:20221215:google:179f840, author = {Brad Duncan}, title = {{Google ads lead to fake software pages pushing IcedID (Bokbot)}}, date = {2022-12-15}, organization = {ISC}, url = {https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344}, language = {English}, urldate = {2022-12-19} } @online{duncan:20230103:20230103:d0e003c, author = {Brad Duncan}, title = {{2023-01-03 (TUESDAY) - GOOGLE AD --> FAKE NOTPAD++ PAGE --> RHADAMANTHYS STEALER}}, date = {2023-01-03}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2023/01/03/index.html}, language = {English}, urldate = {2023-02-06} } @online{duncan:20230118:malicious:df039e8, author = {Brad Duncan}, title = {{Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware}}, date = {2023-01-18}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/29448}, language = {English}, urldate = {2023-01-19} } @online{duncan:20230412:recent:093f8b8, author = {Brad Duncan}, title = {{Recent IcedID (Bokbot) activity}}, date = {2023-04-12}, organization = {SANS ISC}, url = {https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/}, language = {English}, urldate = {2023-04-18} } @online{duncan:20230412:recent:66863ee, author = {Brad Duncan}, title = {{Recent IcedID (Bokbot) activity}}, date = {2023-04-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/29740}, language = {English}, urldate = {2023-04-18} } @online{duncan:20230530:cold:c92393b, author = {Brad Duncan}, title = {{Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID}}, date = {2023-05-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/}, language = {English}, urldate = {2023-08-10} } @online{duncan:20230530:malspam:8bae422, author = {Brad Duncan}, title = {{Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT}}, date = {2023-05-30}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896}, language = {English}, urldate = {2024-04-04} } @online{duncan:20230605:30:f0b7756, author = {Brad Duncan}, title = {{30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05}}, date = {2023-06-05}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2023/06/05/index.html}, language = {English}, urldate = {2023-06-06} } @online{duncan:20231003:20231003:83035de, author = {Brad Duncan}, title = {{2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike}}, date = {2023-10-03}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2023/10/03/index.html}, language = {English}, urldate = {2023-11-13} } @online{duncan:20231120:are:9df47df, author = {Dylan Duncan}, title = {{Are DarkGate and PikaBot the new QakBot?}}, date = {2023-11-20}, organization = {Cofense}, url = {https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/}, language = {English}, urldate = {2024-01-10} } @online{duncan:20240307:20240307:0e2639b, author = {Brad Duncan}, title = {{2024-03-07 (THURSDAY): LATRODECTUS INFECTION LEADS TO LUMMA STEALER}}, date = {2024-03-07}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2024/03/07/index.html}, language = {English}, urldate = {2024-03-25} } @online{duncan:20250123:cluster:ba258c7, author = {Brad Duncan}, title = {{Cluster of Infrastructure likely used by Affiliate of Dark Scorpius (Black Basta)}}, date = {2025-01-23}, organization = {Github (PaloAltoNetworks)}, url = {https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt}, language = {English}, urldate = {2025-02-18} } @online{dunlop:20211111:stopping:8d94f11, author = {Cynthia Dunlop}, title = {{Stopping Cybersecurity Threats: Why Databases Matter}}, date = {2021-11-11}, organization = {scylla}, url = {https://www.scylladb.com/2021/11/11/stopping-cybersecurity-threats-why-databases-matter/}, language = {English}, urldate = {2021-11-17} } @online{dunn:20230928:scattered:cf9e5dc, author = {John E. Dunn}, title = {{The Scattered Spider Ransomware Group’s Secret Weapons? Social Engineering and Fluent English}}, date = {2023-09-28}, organization = {Ransomware.org}, url = {https://ransomware.org/blog/the-scattered-spider-ransomwares-secret-weapons-social-engineering-and-fluent-english/}, language = {English}, urldate = {2023-11-17} } @online{dunwoody:20170403:dissecting:65071e7, author = {Matthew Dunwoody}, title = {{Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)}}, date = {2017-04-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html}, language = {English}, urldate = {2019-12-20} } @online{dunwoody:20170404:poshspy:dc59dda, author = {Matthew Dunwoody}, title = {{POSHSPY backdoor code}}, date = {2017-04-04}, organization = {GitHub (matthewdunwoody)}, url = {https://github.com/matthewdunwoody/POSHSPY}, language = {English}, urldate = {2019-12-18} } @online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } @techreport{dupuy:20210609:gelsemium:05483d4, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf}, language = {English}, urldate = {2021-06-09} } @online{dupuy:20210609:gelsemium:34ccc46, author = {Thomas Dupuy and Matthieu Faou}, title = {{Gelsemium: When threat actors go gardening}}, date = {2021-06-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/}, language = {English}, urldate = {2021-06-16} } @online{duquette:20130124:linuxsshdoora:0b9dc3e, author = {Sébastien Duquette}, title = {{Linux/SSHDoor.A Backdoored SSH daemon that steals passwords}}, date = {2013-01-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/}, language = {English}, urldate = {2019-11-14} } @online{durando:20170426:bankbot:f7430c7, author = {Dario Durando and David Maciejak}, title = {{BankBot, the Prequel}}, date = {2017-04-26}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html}, language = {English}, urldate = {2019-12-17} } @online{durando:20170919:look:79fa513, author = {Dario Durando}, title = {{A Look Into The New Strain Of BankBot}}, date = {2017-09-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html}, language = {English}, urldate = {2020-01-13} } @online{durando:20190703:bianlian:c6f94bb, author = {Dario Durando}, title = {{BianLian: A New Wave Emerges}}, date = {2019-07-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html}, language = {English}, urldate = {2019-12-24} } @online{durando:20190904:funkybot:625b9ba, author = {Dario Durando}, title = {{FunkyBot: A New Android Malware Family Targeting Japan}}, date = {2019-09-04}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html}, language = {English}, urldate = {2020-01-13} } @online{dutcher:20130904:sykipot:3c79c33, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2020-01-08} } @online{dutcher:20130904:sykipot:8fffe0c, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2019-12-05} } @online{dvilyanski:20210324:taking:f561bbf, author = {Mike Dvilyanski and Nathaniel Gleicher}, title = {{Taking Action Against Hackers in China}}, date = {2021-03-24}, organization = {Facebook}, url = {https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/}, language = {English}, urldate = {2021-03-25} } @online{dvilyanski:20210421:taking:23e0fb2, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Palestine}}, date = {2021-04-21}, organization = {Facebook}, url = {https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/}, language = {English}, urldate = {2021-04-28} } @online{dvilyanski:20210715:taking:10d945f, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Iran}}, date = {2021-07-15}, organization = {Facebook}, url = {https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/}, language = {English}, urldate = {2021-07-20} } @online{dvilyanski:20211116:taking:7d056cc, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Pakistan and Syria}}, date = {2021-11-16}, organization = {META}, url = {https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/}, language = {English}, urldate = {2021-11-17} } @online{dwoskin:20190220:microsoft:9d4cb73, author = {Elizabeth Dwoskin and Craig Timberg}, title = {{Microsoft says it has found another Russian operation targeting prominent think tanks}}, date = {2019-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae}, language = {English}, urldate = {2019-11-29} } @online{dwyer:20220304:new:c661960, author = {John Dwyer and Kevin Henson}, title = {{New Wiper Malware Used Against Ukranian Organizations}}, date = {2022-03-04}, organization = {IBM}, url = {https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/}, language = {English}, urldate = {2022-03-07} } @online{dwyer:20230320:when:3f1345c, author = {John Dwyer}, title = {{When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule}}, date = {2023-03-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/}, language = {English}, urldate = {2023-03-21} } @online{dwyer:20230330:xforce:75bb496, author = {John Dwyer and Fred Chidsey and Joseph Lozowski}, title = {{X-Force Prevents Zero Day from Going Anywhere}}, date = {2023-03-30}, organization = {IBM}, url = {https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere}, language = {English}, urldate = {2023-04-06} } @online{e:20240320:python:2423702, author = {Shanmugasundharam E}, title = {{Python Ciphering : Delving into Evil Ant’s Ransomware’s Tactics}}, date = {2024-03-20}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/}, language = {English}, urldate = {2024-03-25} } @online{eakin:20250131:attackers:706c9dd, author = {Blake Eakin}, title = {{Attackers Leveraging Microsoft Teams Defaults and Quick Assist for Social Engineering Attacks}}, date = {2025-01-31}, organization = {ConnectWise}, url = {https://www.linkedin.com/pulse/attackers-leveraging-microsoft-teams-defaults-quick-assist-p1u5c}, language = {English}, urldate = {2025-03-25} } @online{earnshaw:20220405:thwarting:03a6217, author = {Earle Maui Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt}, language = {English}, urldate = {2022-05-05} } @online{earnshaw:20220405:thwarting:26d6d77, author = {Earle Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html}, language = {English}, urldate = {2023-02-06} } @online{earnshaw:20220405:thwarting:af5a4fd, author = {Earle Maui Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html}, language = {English}, urldate = {2022-05-05} } @online{earnshaw:20230606:xollam:289ed56, author = {Earle Maui Earnshaw and Nathaniel Morales and Katherine Casona and Don Ovid Ladores}, title = {{Xollam, the Latest Face of TargetCompany}}, date = {2023-06-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html}, language = {English}, urldate = {2023-09-13} } @online{earp:20210202:how:923f969, author = {Madeline Earp}, title = {{How Vietnam-based hacking operation OceanLotus targets journalists}}, date = {2021-02-02}, organization = {Committee to Protect Journalists}, url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists}, language = {English}, urldate = {2021-02-04} } @online{east:20150619:russian:fe2f7aa, author = {London South East}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-01-05} } @online{easton:20181022:chalubo:f8c9b96, author = {Timothy Easton}, title = {{Chalubo botnet wants to DDoS from your server or IoT device}}, date = {2018-10-22}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/}, language = {English}, urldate = {2024-06-28} } @online{eastston:20230215:distributed:52e6451, author = {eastston}, title = {{Distributed Malware Exploiting Vulnerable Innorix: Andariel}}, date = {2023-02-15}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/47751/}, language = {Korean}, urldate = {2023-02-21} } @online{eaton:20210519:colonial:8185b82, author = {Collin Eaton}, title = {{Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom}}, date = {2021-05-19}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636}, language = {English}, urldate = {2021-05-19} } @techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } @online{ebach:20200831:trickbot:c975ec5, author = {Luca Ebach}, title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}}, date = {2020-08-31}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/}, language = {English}, urldate = {2020-08-31} } @online{ebach:20211115:guess:81c7df8, author = {Luca Ebach}, title = {{Guess who’s back}}, date = {2021-11-15}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2021/11/15/guess-whos-back/}, language = {English}, urldate = {2021-11-17} } @online{ebach:20220223:what:0a4496e, author = {Luca Ebach}, title = {{What the Pack(er)?}}, date = {2022-02-23}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2022/03/23/what-the-packer/}, language = {English}, urldate = {2022-03-25} } @online{ebriega:20220114:ransomwin32whiterabbityacaet:85d2e5a, author = {Bren Matthew Ebriega}, title = {{Ransom.Win32.WHITERABBIT.YACAET}}, date = {2022-01-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET}, language = {English}, urldate = {2023-04-25} } @online{eckardt:20230209:defeating:d89bf8b, author = {Hendrik Eckardt}, title = {{Defeating VMProtect’s Latest Tricks}}, date = {2023-02-09}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/}, language = {English}, urldate = {2023-07-31} } @online{eckardt:20231206:csharpstreamer:d3502c4, author = {Hendrik Eckardt}, title = {{The csharp-streamer RAT}}, date = {2023-12-06}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/}, language = {English}, urldate = {2024-01-03} } @online{eckels:20201109:wow64hooks:a0c0b3e, author = {Stephen Eckels}, title = {{WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques}}, date = {2020-11-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html}, language = {English}, urldate = {2020-11-11} } @online{eckels:20201224:sunburst:3fcb239, author = {Stephen Eckels and Jay Smith and William Ballenthin}, title = {{SUNBURST Additional Technical Details}}, date = {2020-12-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html}, language = {English}, urldate = {2020-12-26} } @online{eckman:20201007:ghostdnsbusters:9a32391, author = {Brian Eckman}, title = {{GhostDNSbusters (Part 2)}}, date = {2020-10-07}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2020/10/07/ghostdnsbusters-part-2/}, language = {English}, urldate = {2020-10-12} } @online{eclypsium:20201203:trickbot:7b5b0eb, author = {Eclypsium}, title = {{TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit}}, date = {2020-12-03}, organization = {Eclypsium}, url = {https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/}, language = {English}, urldate = {2020-12-03} } @online{eclypsium:20220602:conti:abb9754, author = {Eclypsium}, title = {{Conti Targets Critical Firmware}}, date = {2022-06-02}, organization = {Eclypsium}, url = {https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/}, language = {English}, urldate = {2022-06-04} } @techreport{ecucert:20220323:aptc36:7f5e46b, author = {EcuCert}, title = {{APT-C-36 Advanced Persistent Threat Campaign Could be present in Ecuador}}, date = {2022-03-23}, institution = {EcuCert}, url = {https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf}, language = {Spanish}, urldate = {2023-12-04} } @online{eddieivan01:20200222:iox:92b910c, author = {EddieIvan01}, title = {{iox}}, date = {2020-02-22}, organization = {Github (EddieIvan01)}, url = {https://github.com/EddieIvan01/iox}, language = {English}, urldate = {2025-07-07} } @online{eden:20210615:defenders:57a0d03, author = {Daniel Eden}, title = {{A Defender's Perspective of SSL VPN Exploitation}}, date = {2021-06-15}, organization = {PARAFLARE}, url = {https://paraflare.com/a-defenders-perspective-of-ssl-vpn-exploitation/}, language = {English}, urldate = {2022-03-07} } @online{edgecombe:20210804:flubot:fdd81a2, author = {Graham Edgecombe}, title = {{FluBot malware spreads to Australia}}, date = {2021-08-04}, organization = {Netcraft}, url = {https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html}, language = {English}, urldate = {2021-08-20} } @online{editor:20170118:flashback:4ac713f, author = {Editor}, title = {{Flashback Wednesday: Pakistani Brain}}, date = {2017-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/}, language = {English}, urldate = {2019-11-14} } @online{editor:20170627:new:4f7cbcd, author = {Editor}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine}, language = {English}, urldate = {2022-08-25} } @online{editor:20171024:kiev:b706a68, author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } @online{editor:20230419:new:7711798, author = {Editor}, title = {{A new group of Shadow ransomware attacks large industrial enterprises in Russia}}, date = {2023-04-19}, organization = {F.A.C.C.T.}, url = {https://habr.com/ru/companies/f_a_c_c_t/news/730034/}, language = {Russian}, urldate = {2023-04-28} } @online{editorial:20240627:azzasec:cf73e2c, author = {Editorial}, title = {{AzzaSec, NoName Cyberattackers Join Hands to Potentially Target Pro-Ukriane Allies}}, date = {2024-06-27}, organization = {The Cyber Express}, url = {https://thecyberexpress.com/azzasec-noname-join-hands-to-target-ukriane/}, language = {English}, urldate = {2024-10-18} } @online{edmondson:20190118:black:e66dcec, author = {Mark Edmondson}, title = {{BLACK ENERGY – Analysis}}, date = {2019-01-18}, url = {https://marcusedmondson.com/2019/01/18/black-energy-analysis/}, language = {English}, urldate = {2020-01-08} } @techreport{edwards:2011:survey:e95ca12, author = {Jeff Edwards and Jose Nazario}, title = {{A Survey of Contemporary Chinese DDoS Malware}}, date = {2011}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{edwards:20161016:hajime:e095dad, author = {Sam Edwards and Ioannis Profetis}, title = {{Hajime: Analysis of a decentralizedinternet worm for IoT devices}}, date = {2016-10-16}, institution = {RapidityNetworks}, url = {https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf}, language = {English}, urldate = {2020-01-09} } @online{edwards:20211231:compromised:3ee8044, author = {Zach Edwards}, title = {{Compromised Godaddy Infrastructure Attacking Numerous U.S. Government Websites to Promote “Canadian Pharmacy” Scam Websites}}, date = {2021-12-31}, organization = {victory medium}, url = {https://victorymedium.com/godaddy-global-issues-canadian-pharmacy-injections/}, language = {English}, urldate = {2022-01-25} } @online{edwards:20220628:smashandgrab:115e907, author = {Joseph Edwards}, title = {{Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs}}, date = {2022-06-28}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs}, language = {English}, urldate = {2022-06-30} } @online{edwards:20220727:threat:6aaf018, author = {Joseph Edwards}, title = {{Threat analysis: Follina exploit fuels 'live-off-the-land' attacks}}, date = {2022-07-27}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks}, language = {English}, urldate = {2022-08-08} } @online{edwards:20220804:gwisinlocker:51aeb36, author = {Joseph Edwards}, title = {{GwisinLocker ransomware targets South Korean industrial and pharma firms}}, date = {2022-08-04}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies}, language = {English}, urldate = {2022-08-12} } @online{effect:20250620:zoom:cc77fb6, author = {Field Effect and Daniel Albrecht and Sean Alexander and Elena Lapina}, title = {{Zoom & doom: BlueNoroff call opens the door}}, date = {2025-06-20}, organization = {Field Effect}, url = {https://fieldeffect.com/blog/zoom-doom-bluenoroff-call-opens-the-door}, language = {English}, urldate = {2025-07-01} } @online{ehmke:20200820:webinar:cad7a98, author = {Kyle Ehmke}, title = {{[webinar] Proactive Infrastructure Hunting with ThreatConnect & DomainTools}}, date = {2020-08-20}, organization = {ThreatConnect}, url = {https://threatconnect.com/resource/proactive-infrastructure-hunting-with-threatconnect-domaintools/}, language = {English}, urldate = {2020-09-06} } @techreport{ehrlich:20210525:from:ebe10c3, author = {Amitai Ben Shushan Ehrlich}, title = {{From Wiper to Ransomware: The Evolution of Agrius}}, date = {2021-05-25}, institution = {SentinelOne}, url = {https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf}, language = {English}, urldate = {2022-12-08} } @online{ehrlich:20210930:new:c3f26e0, author = {Amitai Ben Shushan Ehrlich}, title = {{New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education}}, date = {2021-09-30}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/}, language = {English}, urldate = {2021-10-11} } @online{ehrlich:20220112:wading:52a8e3a, author = {Amitai Ben Shushan Ehrlich}, title = {{Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor}}, date = {2022-01-12}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/}, language = {English}, urldate = {2022-01-18} } @online{ehrlich:20220315:threat:7f64477, author = {Amitai Ben Shushan Ehrlich}, title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}}, date = {2022-03-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/}, language = {English}, urldate = {2022-03-17} } @online{ehrlich:20220901:pypi:6865bf4, author = {Amitai Ben Shushan Ehrlich}, title = {{PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks}}, date = {2022-09-01}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/pypi-phishing-campaign-juiceledger-threat-actor-pivots-from-fake-apps-to-supply-chain-attacks/}, language = {English}, urldate = {2022-09-06} } @online{ehrlich:202209:mystery:fc2eb1e, author = {Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski and Juan Andrés Guerrero-Saade}, title = {{The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities}}, date = {2022-09}, organization = {Sentinel LABS}, url = {https://assets.sentinelone.com/sentinellabs22/metador}, language = {English}, urldate = {2022-09-30} } @online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = {https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } @online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{eitani:20230201:headcrab:e174e29, author = {Asaf Eitani and Nitzan Yaakov}, title = {{HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign}}, date = {2023-02-01}, organization = {Aquasec}, url = {https://www.aquasec.com/blog/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware/}, language = {English}, urldate = {2024-09-13} } @online{eitani:20240129:headcrab:c919d72, author = {Asaf Eitani and Nitzan Yaakov}, title = {{HeadCrab 2.0: Evolving Threat in Redis Malware Landscape}}, date = {2024-01-29}, organization = {Aquasec}, url = {https://www.aquasec.com/blog/headcrab-2-0-evolving-threat-in-redis-malware-landscape/}, language = {English}, urldate = {2024-09-13} } @techreport{eker:20181112:national:b091aae, author = {Ensar Şeker and İhsan Burak Tolga}, title = {{National Cyber Security Organisation: TURKEY}}, date = {2018-11-12}, institution = {ccdcoe}, url = {https://ccdcoe.org/uploads/2018/10/CS_organisation_TUR_112018_FINAL.pdf}, language = {English}, urldate = {2022-02-02} } @online{elastic:20200630:detection:79c8fbe, author = {Elastic}, title = {{Detection Rules by Elastic}}, date = {2020-06-30}, organization = {Github (elastic)}, url = {https://github.com/elastic/detection-rules}, language = {English}, urldate = {2020-07-02} } @online{elastic:20240507:elastic:c4399d1, author = {Elastic}, title = {{Elastic Security - GhostEngine YARA Rule}}, date = {2024-05-07}, organization = {Elastic}, url = {https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_GhostEngine.yar}, language = {English}, urldate = {2024-06-04} } @online{elastic:20240508:elastic:db8f1d1, author = {Elastic}, title = {{Elastic Security - WarmCookie YARA Rule}}, date = {2024-05-08}, organization = {Elastic}, url = {https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_WarmCookie.yar}, language = {English}, urldate = {2024-05-24} } @online{elastio:201609:fs0ciety:6a40383, author = {elastio}, title = {{Fs0ciety Locker}}, date = {2016-09}, url = {https://elastio.com/detectable-ransomware/fs0ciety-locker/}, language = {English}, urldate = {2024-04-29} } @online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } @online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } @online{eldritch:20250411:interview:9a29eb5, author = {Mauro Eldritch}, title = {{Interview with the Chollima}}, date = {2025-04-11}, organization = {Bitso Quetzal Team}, url = {https://quetzal.bitso.com/p/interview-with-the-chollima}, language = {English}, urldate = {2025-04-28} } @online{electric:20220413:schneider:d9acfdc, author = {Schneider Electric}, title = {{Schneider Electric Security Bulletin SESB-2022-01: APT Cyber Tools Targeting ICS/SCADA Devices}}, date = {2022-04-13}, organization = {Schneider Electric}, url = {https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01}, language = {English}, urldate = {2022-04-15} } @online{electron:20230824:xworm:aaa5b9f, author = {Electron and kinoshi and glebyao}, title = {{XWorm: Technical Analysis of a New Malware Version}}, date = {2023-08-24}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/}, language = {English}, urldate = {2023-08-30} } @online{elevenpaths:20180511:new:8c874e9, author = {ElevenPaths}, title = {{New report: Malware attacks Chilean banks and bypasses SmartScreen, by exploiting DLL Hijacking within popular software}}, date = {2018-05-11}, organization = {Think Big}, url = {http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html}, language = {English}, urldate = {2020-01-08} } @online{elford:20230208:asyncrat:46601a3, author = {Michael Elford}, title = {{AsyncRAT: Analysing the Three Stages of Execution}}, date = {2023-02-08}, organization = {Huntress Labs}, url = {https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf}, language = {English}, urldate = {2023-02-09} } @online{elias:20220125:prime:20a5b0c, author = {Marc Elias and Christiaan Beek and Alexandre Mundo and Leandro Velasco and Max Kersten}, title = {{Prime Minister’s Office Compromised: Details of Recent Espionage Campaign}}, date = {2022-01-25}, organization = {Trellix}, url = {https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html}, language = {English}, urldate = {2022-01-25} } @online{elias:20220418:conti:b15356d, author = {Marc Elias and Jambul Tologonov and Alexandre Mundo}, title = {{Conti Group Targets ESXi Hypervisors With its Linux Variant}}, date = {2022-04-18}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html}, language = {English}, urldate = {2022-04-20} } @online{ellahi:20220407:bypass:97f186e, author = {Osama Ellahi}, title = {{Bypass Multi Factor Authentication (MFA) of OUTLOOK}}, date = {2022-04-07}, organization = {Medium osamaellahi}, url = {https://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f}, language = {English}, urldate = {2024-03-18} } @online{ellahi:20220702:spoofing:f113f02, author = {Osama Ellahi}, title = {{Spoofing Email, Message, IP and UserAgent}}, date = {2022-07-02}, organization = {Medium osamaellahi}, url = {https://osamaellahi.medium.com/the-art-of-defense-evasion-part-4-spoofing-3a3d6ece5ff}, language = {English}, urldate = {2024-03-18} } @online{ellahi:20231021:malware:202b8f4, author = {Osama Ellahi}, title = {{Malware analysis NJ RAT 0.7NC & 0.6.4}}, date = {2023-10-21}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/unfolding-nj-rat-07nc-and-064d14b875c7cd8-d14b875c7cd8}, language = {English}, urldate = {2024-03-18} } @online{ellahi:20231123:malware:a3f6fdf, author = {Osama Ellahi}, title = {{Malware analysis Remcos RAT- 4.9.2 Pro}}, date = {2023-11-23}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/unfolding-remcos-rat-4-9-2-pro-dfb3cb25bbd1}, language = {English}, urldate = {2024-03-18} } @online{ellahi:20240206:unfolding:3f7a2c7, author = {Osama Ellahi}, title = {{Unfolding Agent Tesla: The Art of Credentials Harvesting.}}, date = {2024-02-06}, organization = {Medium osamaellahi}, url = {https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137}, language = {English}, urldate = {2024-03-12} } @online{ellahi:20240805:how:d9eaee3, author = {Osama Ellahi}, title = {{How attacker achive Email Spoofing, Message Spoofing, IP and UserAgent Spoofing}}, date = {2024-08-05}, organization = {BreachNova}, url = {https://breachnova.com/blog.php?id=26}, language = {English}, urldate = {2024-08-15} } @online{ellahi:20240809:full:0206248, author = {Osama Ellahi}, title = {{Full analysis on NJRAT}}, date = {2024-08-09}, organization = {BreachNova}, url = {https://breachnova.com/blog.php?id=27}, language = {English}, urldate = {2024-08-15} } @online{elley:20180830:globeimposter:ccc8f6f, author = {Elley}, title = {{GlobeImposter which has more than 20 variants, is still wildly growing}}, date = {2018-08-30}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/}, language = {English}, urldate = {2022-02-14} } @online{elliptic:20210719:revil:12b16d1, author = {Elliptic}, title = {{REvil Revealed - Tracking a Ransomware Negotiation and Payment}}, date = {2021-07-19}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment}, language = {English}, urldate = {2021-07-20} } @online{elliptic:20220506:ofac:10381ac, author = {Elliptic}, title = {{OFAC Sanctions Virtual Asset Mixer For the First Time to Combat North Korea’s Lazarus Group}}, date = {2022-05-06}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/ofac-sanctions-virtual-asset-mixer-for-the-first-time-to-combat-north-koreas-lazarus-group}, language = {English}, urldate = {2022-05-24} } @online{ellis:20210223:surge:ceb4d8d, author = {Jessica Ellis}, title = {{Surge in ZLoader Attacks Observed}}, date = {2021-02-23}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed}, language = {English}, urldate = {2021-02-25} } @online{ellis:20210421:zloader:09056bd, author = {Jessica Ellis}, title = {{ZLoader Dominates Email Payloads in Q1}}, date = {2021-04-21}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1}, language = {English}, urldate = {2021-04-28} } @online{ellis:20210504:alien:3773dbb, author = {Jessica Ellis}, title = {{Alien Mobile Malware Evades Detection, Increases Targets}}, date = {2021-05-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets}, language = {English}, urldate = {2021-05-07} } @online{elnoty:20220206:deep:d85c241, author = {Abdallah Elnoty}, title = {{Deep Analysis of Vidar Information Stealer}}, date = {2022-02-06}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/vidar/}, language = {English}, urldate = {2022-02-17} } @online{elnoty:20220216:playing:e5e3895, author = {Abdallah Elnoty}, title = {{Playing with AsyncRAT}}, date = {2022-02-16}, url = {https://eln0ty.github.io/malware%20analysis/asyncRAT/}, language = {English}, urldate = {2022-02-17} } @online{elnoty:20220304:hermeticwiperfoxblade:55a9f09, author = {Abdallah Elnoty}, title = {{HermeticWiper/FoxBlade Analysis (in-depth)}}, date = {2022-03-04}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/HermeticWiper/}, language = {English}, urldate = {2022-03-04} } @online{elnoty:20220317:icedid:0b8ef27, author = {Abdallah Elnoty}, title = {{IcedID Analysis}}, date = {2022-03-17}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/IcedID/}, language = {English}, urldate = {2022-03-22} } @online{elrefaei:20240815:tusk:3a6f8bd, author = {Elsayed Elrefaei and AbdulRhman Alfaifi}, title = {{Tusk campaign uses infostealers and clippers for financial gain}}, date = {2024-08-15}, organization = {Kaspersky}, url = {https://securelist.com/tusk-infostealers-campaign/113367/}, language = {English}, urldate = {2024-09-02} } @online{elsad:20211117:astaroth:04788ff, author = {Amer Elsad}, title = {{Astaroth: Banking Trojan}}, date = {2021-11-17}, organization = {ARMOR}, url = {https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/}, language = {English}, urldate = {2021-12-01} } @online{elsad:20220609:lockbit:3cfa609, author = {Amer Elsad and JR Gumarin and Abigail Barr}, title = {{LockBit 2.0: How This RaaS Operates and How to Protect Against It}}, date = {2022-06-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/lockbit-2-ransomware/}, language = {English}, urldate = {2022-06-11} } @online{elsad:20220825:threat:b1026e7, author = {Amer Elsad}, title = {{Threat Assessment: Black Basta Ransomware}}, date = {2022-08-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware}, language = {English}, urldate = {2022-08-30} } @online{elsad:20220825:threat:b3514ed, author = {Amer Elsad}, title = {{Threat Assessment: Black Basta Ransomware}}, date = {2022-08-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/}, language = {English}, urldate = {2022-10-05} } @online{elsheimy:20240904:azorult:a0f02b6, author = {Mostafa ElSheimy and ANY.RUN}, title = {{AZORult Malware: Technical Analysis}}, date = {2024-09-04}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/azorult-malware-analysis/}, language = {English}, urldate = {2024-10-30} } @online{elsheimy:20241023:darkcomet:e40f811, author = {Mostafa ElSheimy and ANY.RUN}, title = {{DarkComet RAT: Technical Analysis of Attack Chain}}, date = {2024-10-23}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/}, language = {English}, urldate = {2024-10-30} } @online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } @online{elshinbary:20200621:deep:1a39a3f, author = {Abdallah Elshinbary}, title = {{Deep Analysis of SmokeLoader}}, date = {2020-06-21}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/}, language = {English}, urldate = {2020-06-22} } @online{elshinbary:20200704:deep:bdfbd8a, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Anubis Banking Malware}}, date = {2020-07-04}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/}, language = {English}, urldate = {2020-07-06} } @online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } @online{elshinbary:20220808:yara:f9ea382, author = {Abdallah Elshinbary}, title = {{YARA for config extraction}}, date = {2022-08-08}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/}, language = {English}, urldate = {2022-08-09} } @online{elshinbary:20230715:deep:ae926ed, author = {Abdallah Elshinbary}, title = {{Deep Analysis of GCleaner}}, date = {2023-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/}, language = {English}, urldate = {2023-07-19} } @online{elshinbary:20250604:bitter:534f4da, author = {Abdallah Elshinbary and Jonas Wagner and Konstantin Klinger and Nick Attfield}, title = {{The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two}}, date = {2025-06-04}, organization = {Threatray}, url = {https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two}, language = {English}, urldate = {2025-06-05} } @techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } @online{elzyat:20240326:comprehensive:6f73e8f, author = {Zyad Elzyat}, title = {{Comprehensive Analysis of EMOTET Malware: Part 1}}, date = {2024-03-26}, organization = {Medium zyadlzyatsoc}, url = {https://medium.com/@zyadlzyatsoc/comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0}, language = {English}, urldate = {2024-05-21} } @online{elzyat:20240613:inside:f418335, author = {Zyad Elzyat}, title = {{Inside LATRODECTUS: A Dive into Malware Tactics and Mitigation}}, date = {2024-06-13}, organization = {Medium (@zyadlzyatsoc)}, url = {https://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea}, language = {English}, urldate = {2024-06-28} } @online{embeeresearch:20221011:havoc:3bc6fb5, author = {Embee_research and Huntress Labs}, title = {{Tweet on Havoc C2 - Static Detection Via Ntdll API Hashes}}, date = {2022-10-11}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ}, language = {English}, urldate = {2022-11-21} } @online{embeeresearch:20221012:tweets:3284cd3, author = {Embee_research and Huntress Labs}, title = {{Tweets on detection of Brute Ratel via API Hashes}}, date = {2022-10-12}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA}, language = {English}, urldate = {2022-11-21} } @online{embeeresearch:20230109:malware:5e61384, author = {Embee_research}, title = {{Malware Analysis - VBS Decoding With Cyberchef (Nanocore Loader)}}, date = {2023-01-09}, organization = {YouTube (Embee Research)}, url = {https://youtu.be/NVnJImFm6P8}, language = {English}, urldate = {2024-01-10} } @online{embeeresearch:20230202:xworm:1ec6edf, author = {Embee_research}, title = {{Xworm Loader Analysis - Decoding Malware Scripts and Extracting C2's with DnSpy and CyberChef}}, date = {2023-02-02}, organization = {YouTube (Embee Research)}, url = {https://youtu.be/tenNFzM-MM0}, language = {English}, urldate = {2024-02-02} } @online{embeeresearch:20230408:dcrat:8151f7a, author = {Embee_research}, title = {{Dcrat - Manual De-obfuscation of .NET Malware}}, date = {2023-04-08}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/dcrat-manual-de-obfuscation/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20230515:quasar:6a364a0, author = {Embee_research}, title = {{Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys}}, date = {2023-05-15}, organization = {embeeresearch}, url = {https://embee-research.ghost.io/hunting-quasar-rat-shodan}, language = {English}, urldate = {2023-05-16} } @online{embeeresearch:20230518:identifying:a7f1165, author = {Embee_research}, title = {{Identifying Laplas Infrastructure Using Shodan and Censys}}, date = {2023-05-18}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/laplas-clipper-infrastructure/}, language = {English}, urldate = {2023-05-26} } @online{embeeresearch:20230519:analysis:92de1d2, author = {Embee_research}, title = {{Analysis of Amadey Bot Infrastructure Using Shodan}}, date = {2023-05-19}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/amadey-bot-infrastructure/}, language = {English}, urldate = {2023-05-21} } @online{embeeresearch:20230608:practical:61d0677, author = {Embee_research}, title = {{Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries}}, date = {2023-06-08}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/shodan-censys-queries/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20230624:smokeloader:9b36b55, author = {Embee_research}, title = {{SmokeLoader - Malware Analysis and Decoding With Procmon}}, date = {2023-06-24}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/smokeloader-analysis-with-procmon/}, language = {English}, urldate = {2023-06-24} } @online{embeeresearch:20230711:tweets:ab48f14, author = {Embee_research}, title = {{Tweets on Ransomware Infrastructure Analysis With Censys and GrabbrApp}}, date = {2023-07-11}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1678631524374020098?s=46}, language = {English}, urldate = {2023-07-16} } @online{embeeresearch:20230823:extracting:f1277f5, author = {Embee_research and Huntress Labs}, title = {{Extracting Xworm from Bloated Golang Executable}}, date = {2023-08-23}, organization = {Twitter (@embee_research)}, url = {https://x.com/embee_research/status/1694635899903152619}, language = {English}, urldate = {2023-08-25} } @online{embeeresearch:20231004:developing:c147c2f, author = {Embee_research}, title = {{Developing Yara Signatures for Malware - Practical Examples}}, date = {2023-10-04}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/}, language = {English}, urldate = {2023-10-05} } @online{embeeresearch:20231005:introduction:4edb3e1, author = {Embee_research}, title = {{Introduction to DotNet Configuration Extraction - RevengeRAT}}, date = {2023-10-05}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/introduction-to-dotnet-configuration-extraction-revengerat/}, language = {English}, urldate = {2023-10-05} } @online{embeeresearch:20231010:how:3f9d14e, author = {Embee_research}, title = {{How To Develop Yara Rules for .NET Malware Using IL ByteCodes}}, date = {2023-10-10}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/}, language = {English}, urldate = {2023-10-10} } @online{embeeresearch:20231016:decoding:f01af37, author = {Embee_research}, title = {{Decoding a Simple Visual Basic (.vbs) Script - DarkGate Loader}}, date = {2023-10-16}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231018:ghidra:1253f8d, author = {Embee_research}, title = {{Ghidra Tutorial - Using Entropy To Locate a Cobalt Strike Decryption Function}}, date = {2023-10-18}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/ghidra-entropy-analysis-locating-decryption-functions/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231020:decoding:85adeaa, author = {Embee_research}, title = {{Decoding a Cobalt Strike .hta Loader Using CyberChef and Emulation}}, date = {2023-10-20}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/}, language = {English}, urldate = {2023-10-20} } @online{embeeresearch:20231023:cobalt:0c88305, author = {Embee_research}, title = {{Cobalt Strike .VBS Loader - Decoding with Advanced CyberChef and Emulation}}, date = {2023-10-23}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/decoding-a-cobalt-strike-vba-loader-with-cyberchef/}, language = {English}, urldate = {2023-10-30} } @online{embeeresearch:20231027:remcos:af5fa30, author = {Embee_research}, title = {{Remcos Downloader Analysis - Manual Deobfuscation of Visual Basic and Powershell}}, date = {2023-10-27}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231030:unpacking:f1c6a1f, author = {Embee_research}, title = {{Unpacking .NET Malware With Process Hacker and Dnspy}}, date = {2023-10-30}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/unpacking-net-malware-with-process-hacker/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231101:malware:897262b, author = {Embee_research}, title = {{Malware Unpacking With Memory Dumps - Intermediate Methods (Pe-Sieve, Process Hacker, Hxd and Pe-bear)}}, date = {2023-11-01}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/unpacking-malware-using-process-hacker-and-memory-inspection/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231106:unpacking:a3f7c0b, author = {Embee_research}, title = {{Unpacking Malware With Hardware Breakpoints - Cobalt Strike}}, date = {2023-11-06}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231115:identifying:c375df2, author = {Embee_research}, title = {{Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer}}, date = {2023-11-15}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/identifying-risepro-panels-using-censys/}, language = {English}, urldate = {2023-11-17} } @online{embeeresearch:20231119:combining:fa48682, author = {Embee_research}, title = {{Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike}}, date = {2023-11-19}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/}, language = {English}, urldate = {2023-11-22} } @online{embeeresearch:20231122:practical:1847814, author = {Embee_research}, title = {{Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)}}, date = {2023-11-22}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231126:identifying:8b70097, author = {Embee_research}, title = {{Identifying Suspected PrivateLoader Servers with Censys}}, date = {2023-11-26}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/identifying-privateloader-servers-with-censys/}, language = {English}, urldate = {2023-11-27} } @online{embeeresearch:20231127:building:3dd782a, author = {Embee_research}, title = {{Building Threat Intel Queries Utilising Regex and TLS Certificates - (BianLian)}}, date = {2023-11-27}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/building-advanced-censys-queries-utilising-regex-bianlian/}, language = {English}, urldate = {2023-11-27} } @online{embeeresearch:20231130:advanced:4afa89a, author = {Embee_research}, title = {{Advanced Threat Intel Queries - Catching 83 Qakbot Servers with Regex, Censys and TLS Certificates}}, date = {2023-11-30}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates/}, language = {English}, urldate = {2023-11-30} } @online{embeeresearch:20231206:ghidra:23a001f, author = {Embee_research}, title = {{Ghidra Basics - Identifying, Decoding and Fixing Encrypted Strings}}, date = {2023-12-06}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/ghidra-basics-identifying-and-decoding-encrypted-strings/}, language = {English}, urldate = {2023-12-11} } @online{embeeresearch:20231208:ghidra:109804e, author = {Embee_research}, title = {{Ghidra Basics - Manual Shellcode Analysis and C2 Extraction}}, date = {2023-12-08}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/ghidra-basics-shellcode-analysis/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20231219:free:6d94afe, author = {Embee_research}, title = {{Free Ghidra Tutorials for Beginners}}, date = {2023-12-19}, organization = {Twitter (@embee_research)}, url = {https://x.com/embee_research/status/1736758775326146778}, language = {English}, urldate = {2023-12-19} } @online{embeeresearch:20231220:defeating:86e3ad0, author = {Embee_research}, title = {{Defeating Obfuscated Malware Scripts - Cobalt Strike}}, date = {2023-12-20}, organization = {Twitter (@embee_research)}, url = {https://x.com/embee_research/status/1737325167024738425?s=46}, language = {English}, urldate = {2023-12-27} } @online{embeeresearch:20240108:javascript:6454514, author = {Embee_research}, title = {{Javascript Malware Analysis - Decoding an AgentTesla Loader}}, date = {2024-01-08}, organization = {YouTube (Embee Research)}, url = {https://youtu.be/7AifHTCldZI}, language = {English}, urldate = {2024-01-09} } @online{embeeresearch:20240108:malware:940fbc7, author = {Embee_research}, title = {{Malware Analysis - Powershell decoding and .NET C2 Extraction (Quasar RAT)}}, date = {2024-01-08}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=yimh33nSOt8}, language = {English}, urldate = {2024-01-09} } @online{embeeresearch:20240108:malware:96359e1, author = {Embee_research}, title = {{Malware Analysis - Decoding Obfuscated Powershell and HTA Files (Lumma Stealer)}}, date = {2024-01-08}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=lmMA4WYJEOY}, language = {English}, urldate = {2024-01-09} } @online{embeeresearch:20240108:malware:d17ac11, author = {Embee_research}, title = {{Malware Analysis - Simple Javascript Decoding and C2 Extraction (Redline Stealer)}}, date = {2024-01-08}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=05-1Olqf6qw}, language = {English}, urldate = {2024-01-09} } @online{embeeresearch:20240113:cobalt:63b1702, author = {Embee_research}, title = {{Cobalt Strike Shellcode Analysis and C2 Extraction}}, date = {2024-01-13}, organization = {YouTube (Embee Research)}, url = {https://youtu.be/_VZCocEFHgk?feature=shared}, language = {English}, urldate = {2024-01-15} } @online{embeeresearch:20240121:manual:834d01b, author = {Embee_research}, title = {{Manual Malware Decoding With Procmon - Pikabot}}, date = {2024-01-21}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=lBuZ7cvl24Y}, language = {English}, urldate = {2024-02-22} } @online{embeeresearch:20240201:xworm:fc9c4d3, author = {Embee_research}, title = {{Xworm Malware Analysis - Unravelling Multi-stage Malware with CyberChef and DnSpy}}, date = {2024-02-01}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=tenNFzM-MM0}, language = {English}, urldate = {2024-02-06} } @online{embeeresearch:20240208:cobalt:74ebf72, author = {Embee_research}, title = {{Cobalt Strike Decoding and C2 Extraction - 3 Minute Malware Analysis Speedrun}}, date = {2024-02-08}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=YDtLmhw_nTo}, language = {English}, urldate = {2024-02-08} } @online{embeeresearch:20240209:beginners:1696144, author = {Embee_research and Censys}, title = {{A Beginners Guide to Tracking Malware Infrastructure}}, date = {2024-02-09}, organization = {Censys}, url = {https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/}, language = {English}, urldate = {2024-02-12} } @online{embeeresearch:20240209:guloader:ea6c995, author = {Embee_research}, title = {{Guloader Decoding With Cyberchef}}, date = {2024-02-09}, organization = {YouTube (Embee Research)}, url = {https://youtu.be/Lt07O3XSNJQ}, language = {English}, urldate = {2024-02-09} } @online{embeeresearch:20240220:stealc:0d9dc65, author = {Embee_research}, title = {{StealC Loader Analysis - Decoding Powershell Malware With CyberChef}}, date = {2024-02-20}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=-1nVs-O1ubw}, language = {English}, urldate = {2024-02-21} } @online{embeeresearch:20240225:my:81c13e2, author = {Embee_research}, title = {{My Longest CyberChef Recipe Ever - 22 Operation Configuration Extractor}}, date = {2024-02-25}, organization = {YouTube (Embee Research)}, url = {https://www.youtube.com/watch?v=CIg4TXFJRK0}, language = {English}, urldate = {2024-02-26} } @online{embeeresearch:20240226:advanced:805c193, author = {Embee_research}, title = {{Advanced CyberChef Techniques for Configuration Extraction - Detailed Walkthrough and Examples}}, date = {2024-02-26}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/advanced-cyberchef-operations-netsupport/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20240311:xworm:17201ac, author = {Embee_research}, title = {{Xworm Script Analysis and Deobfuscation}}, date = {2024-03-11}, organization = {YouTube (Embee Research)}, url = {https://youtu.be/ln23TT9PcmI}, language = {English}, urldate = {2024-03-12} } @online{embeeresearch:20240325:latrodectus:02cbe0b, author = {Embee_research}, title = {{Latrodectus Deobfuscation - Removal of Junk Comments and Self-Referencing Code}}, date = {2024-03-25}, organization = {embeeresearch}, url = {https://www.embeeresearch.io/latrodectus-script-deobfuscation/}, language = {English}, urldate = {2024-04-10} } @online{embeeresearch:20240327:uncovering:150c150, author = {Embee_research}, title = {{Uncovering Malicious Infrastructure with DNS Pivoting}}, date = {2024-03-27}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/}, language = {English}, urldate = {2024-03-28} } @online{embeeresearch:20240330:uncovering:361fd63, author = {Embee_research}, title = {{Uncovering APT Infrastructure with Passive DNS Pivoting}}, date = {2024-03-30}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/uncovering-apt-infrastructure-with-passive-dns-pivoting/}, language = {English}, urldate = {2024-04-02} } @online{embeeresearch:20240401:passive:6588a98, author = {Embee_research}, title = {{Passive DNS For Phishing Link Analysis - Identifying 36 Latrodectus Domains With Historical Records and 302 Redirects}}, date = {2024-04-01}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/phishing-domain-analysis-with-passive-dns-latrodectus/}, language = {English}, urldate = {2024-06-05} } @online{embeeresearch:20240404:tls:23760c9, author = {Embee_research}, title = {{TLS Certificate For Threat Intelligence - Identifying MatanBuchus Domains Through Hardcoded Certificate Values}}, date = {2024-04-04}, organization = {Twitter (@embee_research)}, url = {https://www.embeeresearch.io/tls-certificates-for-threat-intel-dns/}, language = {English}, urldate = {2024-04-08} } @online{embeeresearch:20240411:tracking:e1a1436, author = {Embee_research}, title = {{Tracking Malicious Infrastructure With DNS Records - Vultur Banking Trojan}}, date = {2024-04-11}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns/}, language = {English}, urldate = {2024-04-15} } @online{embeeresearch:20240515:revealing:efb56f1, author = {Embee_research}, title = {{Revealing Spammer Infrastructure With Passive DNS - 226 Toll-Themed Domains Targeting Australia}}, date = {2024-05-15}, organization = {Twitter (@embee_research)}, url = {https://www.validin.com/blog/revealing-spammer-infrastructure-with-passive-dns-au-toll-smishing/}, language = {English}, urldate = {2024-05-17} } @online{embeeresearch:20240521:tweets:5e6d56f, author = {Embee_research}, title = {{Tweets on decoding a Latrodectus loader}}, date = {2024-05-21}, organization = {Twitter (@embee_research)}, url = {https://x.com/embee_research/status/1792826263738208343}, language = {English}, urldate = {2024-05-21} } @online{embeeresearch:20240523:tracking:92bd00c, author = {Embee_research}, title = {{Tracking APT SideWinder With DNS Records}}, date = {2024-05-23}, organization = {Twitter (@embee_research)}, url = {https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/}, language = {English}, urldate = {2024-06-24} } @online{embeeresearch:20240722:beginners:ec16cf8, author = {Embee_research and Censys}, title = {{A Beginner’s Guide to Hunting Malicious Open Directories}}, date = {2024-07-22}, organization = {Censys}, url = {https://censys.com/a-beginners-guide-to-hunting-open-directories/}, language = {English}, urldate = {2024-07-24} } @online{embeeresearch:20240804:decoding:ec08f49, author = {Embee_research}, title = {{Decoding a Cobalt Strike Downloader Script With CyberChef}}, date = {2024-08-04}, organization = {Twitter (@embee_research)}, url = {https://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/}, language = {English}, urldate = {2024-08-15} } @online{embeeresearch:20240903:advanced:db5b845, author = {Embee_research}, title = {{Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control}}, date = {2024-09-03}, organization = {Twitter (@embee_research)}, url = {https://www.embeeresearch.io/advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control/}, language = {English}, urldate = {2024-09-04} } @techreport{emerson:20210804:kitten:7033b95, author = {Richard Emerson and Allison Wikoff}, title = {{The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker}}, date = {2021-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf}, language = {English}, urldate = {2021-08-23} } @online{emissaryspider:20230617:ransomwaredescendants:209b648, author = {EmissarySpider}, title = {{ransomware-descendants}}, date = {2023-06-17}, organization = {Github (EmissarySpider)}, url = {https://github.com/EmissarySpider/ransomware-descendants}, language = {English}, urldate = {2023-07-11} } @online{emm:20191204:review:2877298, author = {David Emm}, title = {{APT review: what the world’s threat actors got up to in 2019}}, date = {2019-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/ksb-2019-review-of-the-year/95394/}, language = {English}, urldate = {2024-02-08} } @online{emm:20200531:it:2ac44ec, author = {David Emm}, title = {{IT threat evolution Q1 2021}}, date = {2020-05-31}, organization = {Kaspersky}, url = {https://securelist.com/it-threat-evolution-q1-2021/102382/}, language = {English}, urldate = {2021-06-09} } @online{emm:20200903:it:99f6d5f, author = {David Emm}, title = {{IT threat evolution Q2 2020}}, date = {2020-09-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/it-threat-evolution-q2-2020/98230}, language = {English}, urldate = {2022-08-28} } @online{emm:20230830:it:50afaa5, author = {David Emm}, title = {{IT threat evolution in Q2 2023}}, date = {2023-08-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/it-threat-evolution-q2-2023/110355/}, language = {English}, urldate = {2023-12-04} } @online{emsisoft:20161223:emsisoft:0ffcdde, author = {Emsisoft}, title = {{Emsisoft Decryptor for GlobeImposter}}, date = {2016-12-23}, url = {https://www.emsisoft.com/ransomware-decryption-tools/globeimposter}, language = {English}, urldate = {2022-02-14} } @online{emsisoft:20220707:astralocker:4fc94a1, author = {Emsisoft}, title = {{AstraLocker decryptor}}, date = {2022-07-07}, organization = {Emsisoft}, url = {https://www.emsisoft.com/ransomware-decryption-tools/astralocker}, language = {English}, urldate = {2022-07-12} } @online{enconado:20220517:in:c234e4d, author = {Berman Enconado and Laurie Kirk}, title = {{In hot pursuit of ‘cryware’: Defending hot wallets from attacks}}, date = {2022-05-17}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/}, language = {English}, urldate = {2022-05-25} } @online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } @techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } @online{engineer:20230330:20230329:49be400, author = {CS ENGINEER}, title = {{2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers}}, date = {2023-03-30}, organization = {CrowdStrike}, url = {https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/}, language = {English}, urldate = {2023-04-02} } @online{engineering:20241120:threat:c70e6c3, author = {Spur Engineering}, title = {{The Threat of Residential Proxies to Sanctions Compliance}}, date = {2024-11-20}, organization = {SPUR}, url = {https://spur.us/the-threat-of-residential-proxies-to-sanctions-compliance/}, language = {English}, urldate = {2025-01-30} } @online{engineering:20241219:astrill:bcead7c, author = {Spur Engineering}, title = {{Astrill VPN and DPRK Remote Worker Fraud}}, date = {2024-12-19}, organization = {SPUR}, url = {https://spur.us/astrill-vpn-and-remote-worker-fraud/}, language = {English}, urldate = {2025-01-30} } @online{englert:20220225:reverse:fb0652a, author = {Thomas Englert}, title = {{Reverse Engineering | Hermetic Wiper}}, date = {2022-02-25}, organization = {EnglertOne}, url = {https://www.englert.one/hermetic-wiper-reverse-code-engineering}, language = {English}, urldate = {2022-03-01} } @online{enki:20210204:internet:cf43566, author = {ENKI}, title = {{Internet Explorer 0day 분석}}, date = {2021-02-04}, organization = {ENKI}, url = {https://enki.co.kr/blog/2021/02/04/ie_0day.html}, language = {Korean}, urldate = {2021-02-04} } @online{entdark:20170530:bankbot:4cb608c, author = {entdark}, title = {{Bankbot on Google Play}}, date = {2017-05-30}, organization = {Koodous}, url = {http://blog.koodous.com/2017/05/bankbot-on-google-play.html}, language = {English}, urldate = {2020-01-13} } @online{enum0x539:20220621:qvoidtokengrabber:ac4cdf7, author = {Enum0x539}, title = {{Qvoid-Token-Grabber}}, date = {2022-06-21}, url = {https://github.com/Enum0x539/Qvoid-Token-Grabber}, language = {English}, urldate = {2022-07-13} } @online{erdogan:20220512:network:3befbe5, author = {Onur Mustafa Erdogan and María José Erquiaga}, title = {{Network Footprints of Gamaredon Group}}, date = {2022-05-12}, organization = {Cisco}, url = {https://blogs.cisco.com/security/network-footprints-of-gamaredon-group}, language = {English}, urldate = {2022-05-17} } @online{erdogan:20220809:raspberry:3652ff7, author = {Onur Mustafa Erdogan}, title = {{Raspberry Robin: Highly Evasive Worm Spreads over External Disks}}, date = {2022-08-09}, organization = {Cisco}, url = {https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks}, language = {English}, urldate = {2022-08-22} } @online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } @online{eremin:20200324:people:752ed0f, author = {Alexander Eremin}, title = {{People infected with coronavirus are all around you, says Ginp Trojan}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/}, language = {English}, urldate = {2020-03-26} } @online{eremin:20200623:oh:4e55504, author = {Alexander Eremin}, title = {{Oh, what a boot-iful mornin’ Rovnix bootkit back in business}}, date = {2020-06-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/oh-what-a-boot-iful-mornin/97365}, language = {English}, urldate = {2020-06-23} } @online{ergene:20210302:hunting:a538456, author = {Mehmet Ergene}, title = {{Hunting for the Behavior: Scheduled Tasks}}, date = {2021-03-02}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/hunting-for-the-behavior-scheduled-tasks-9efe0b8ade40}, language = {English}, urldate = {2021-03-04} } @online{ergene:20210512:enterprise:09742df, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}}, date = {2021-05-12}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f}, language = {English}, urldate = {2021-05-26} } @online{ergene:20210519:enterprise:f7fb481, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}}, date = {2021-05-19}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e}, language = {English}, urldate = {2021-05-26} } @online{ergene:20210601:detecting:5c4b6ff, author = {Mehmet Ergene}, title = {{Detecting Initial Access: HTML Smuggling and ISO Images — Part 1}}, date = {2021-06-01}, organization = {Medium mergene}, url = {https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-1-c4f953edd13f}, language = {English}, urldate = {2021-06-09} } @online{ergene:20210601:detecting:d2d5dd8, author = {Mehmet Ergene}, title = {{Detecting Initial Access: HTML Smuggling and ISO Images — Part 2}}, date = {2021-06-01}, organization = {Medium mergene}, url = {https://mergene.medium.com/detecting-initial-access-html-smuggling-and-iso-images-part-2-f8dd600430e2}, language = {English}, urldate = {2021-06-09} } @online{eriksen:20250331:malware:19d995c, author = {Charlie Eriksen}, title = {{Malware hiding in plain sight: Spying on North Korean Hackers}}, date = {2025-03-31}, organization = {Aikido}, url = {https://www.aikido.dev/blog/malware-hiding-in-plain-sight-spying-on-north-korean-hackers}, language = {English}, urldate = {2025-05-19} } @online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } @online{erlich:20190716:avast:b3dec63, author = {Chen Erlich}, title = {{The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable}}, date = {2019-07-16}, organization = {enSilo}, url = {https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767}, language = {English}, urldate = {2020-04-13} } @online{erlich:20220504:operation:0d23595, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques}, language = {English}, urldate = {2022-05-09} } @online{erlich:20220504:operation:e40ec58, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive}, language = {English}, urldate = {2022-05-05} } @online{erquiaga:20190412:analysis:bb76a6f, author = {María José Erquiaga}, title = {{Analysis of an IRC based Botnet}}, date = {2019-04-12}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet}, language = {English}, urldate = {2020-01-10} } @online{erquiaga:20220328:emotet:d36774a, author = {María José Erquiaga and Onur Erdogan and Adela Jezkova}, title = {{Emotet is Back}}, date = {2022-03-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/emotet-is-back}, language = {English}, urldate = {2022-03-30} } @online{eschweiler:20181025:cutwail:494e458, author = {Sebastian Eschweiler and Brett Stone-Gross and Bex Hartley}, title = {{Cutwail Spam Campaign Uses Steganography to Distribute URLZone}}, date = {2018-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/}, language = {English}, urldate = {2019-12-20} } @online{escinsecurity:20180129:weekly:2cd5b6e, author = {EscInSecurity}, title = {{Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119}}, date = {2018-01-29}, organization = {EscInSecurity}, url = {https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html}, language = {English}, urldate = {2020-01-09} } @online{esentire:20210405:hackers:d45f86f, author = {eSentire}, title = {{Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire}}, date = {2021-04-05}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire}, language = {English}, urldate = {2023-01-25} } @online{esentire:20210413:hackers:bc5d7af, author = {eSentire}, title = {{Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire}}, date = {2021-04-13}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire}, language = {English}, urldate = {2021-04-16} } @online{esentire:20210721:notorious:9d3ca65, author = {eSentire}, title = {{Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.}}, date = {2021-07-21}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc}, language = {English}, urldate = {2021-07-26} } @online{esentire:20210921:ransomware:ef864ed, author = {eSentire}, title = {{Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups}}, date = {2021-09-21}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups}, language = {English}, urldate = {2023-12-28} } @online{esentire:20211118:emotet:ded09a3, author = {eSentire}, title = {{Emotet Activity Identified}}, date = {2021-11-18}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/emotet-activity-identified}, language = {English}, urldate = {2021-11-19} } @online{esentire:20220321:esentire:d07192a, author = {eSentire}, title = {{eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket}, language = {English}, urldate = {2022-03-25} } @online{esentire:20230112:gootloader:f7d653f, author = {eSentire}, title = {{Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard Activity}}, date = {2023-01-12}, organization = {eSentire}, url = {https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity}, language = {English}, urldate = {2023-01-16} } @online{esentire:20230907:case:fd86e6b, author = {eSentire}, title = {{The Case of LummaC2 v4.0}}, date = {2023-09-07}, organization = {eSentire}, url = {https://www.esentire.com/blog/the-case-of-lummac2-v4-0}, language = {English}, urldate = {2023-09-12} } @online{esentire:20231030:nitrogen:9862977, author = {eSentire}, title = {{Nitrogen Campaign 2.0: Reloads with Enhanced Capabilities Leading to ALPHV/BlackCat Ransomware}}, date = {2023-10-30}, organization = {eSentire}, url = {https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware}, language = {English}, urldate = {2024-10-09} } @online{esentire:20231207:danabots:ff51ddf, author = {eSentire}, title = {{DanaBot's Latest Move: Deploying Latrodectus}}, date = {2023-12-07}, organization = {eSentire}, url = {https://www.esentire.com/blog/danabots-latest-move-deploying-icedid}, language = {English}, urldate = {2024-01-05} } @online{esentire:20240409:unraveling:2bdf211, author = {eSentire}, title = {{Unraveling Not AZORult but Koi Loader: A Precursor to Koi Stealer}}, date = {2024-04-09}, organization = {eSentire}, url = {https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer}, language = {English}, urldate = {2024-07-10} } @online{esentire:20240529:fake:fb78f83, author = {eSentire}, title = {{Fake Browser Updates delivering BitRAT and Lumma Stealer}}, date = {2024-05-29}, organization = {eSentire}, url = {https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer}, language = {English}, urldate = {2024-06-04} } @online{esentire:20241114:bored:85deff9, author = {eSentire}, title = {{Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2}}, date = {2024-11-14}, organization = {eSentire}, url = {https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2}, language = {English}, urldate = {2024-11-29} } @online{esentire:20250130:ongoing:47ebbeb, author = {eSentire}, title = {{Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation}}, date = {2025-01-30}, organization = {eSentire}, url = {https://www.esentire.com/security-advisories/ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation}, language = {English}, urldate = {2025-03-25} } @online{eset:20090805:pc:16d1905, author = {Eset}, title = {{PC Users Threatened by Conficker Worm and new Internet-browser Modifier}}, date = {2009-08-05}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/}, language = {English}, urldate = {2020-03-19} } @online{eset:20170627:new:891fe4f, author = {Eset}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/}, language = {English}, urldate = {2020-01-08} } @techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } @online{eset:20200423:eset:ac2e55b, author = {Eset}, title = {{ESET researchers disrupt cryptomining botnet VictoryGate}}, date = {2020-04-23}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/}, language = {English}, urldate = {2022-02-19} } @online{esetresearch:20220504:twitter:48f1a89, author = {Twitter (@ESETresearch)}, title = {{Twitter thread on code similarity analysis, focussing on IsaacWiper and recent Cluster25 publication}}, date = {2022-05-04}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1521910890072842240}, language = {English}, urldate = {2022-05-05} } @online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } @online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } @online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } @online{esparza:20130901:yet:d6bf0b6, author = {Jose Miguel Esparza}, title = {{Yet another Andromeda / Gamarue analysis}}, date = {2013-09-01}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis}, language = {English}, urldate = {2020-01-10} } @online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} } @online{esparza:20150417:andromedagamarue:2330f4e, author = {Jose Miguel Esparza}, title = {{Andromeda/Gamarue bot loves JSON too (new versions details)}}, date = {2015-04-17}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/andromeda-gamarue-loves-json}, language = {English}, urldate = {2020-01-10} } @online{esparza:20191106:spanish:eaf5520, author = {Jose Miguel Esparza and Blueliv Team}, title = {{Spanish consultancy Everis suffers BitPaymer ransomware attack: a brief analysis}}, date = {2019-11-06}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/}, language = {English}, urldate = {2020-01-08} } @online{esparza:20220708:ransomware:990e207, author = {Jose Miguel Esparza}, title = {{Ransomware as a Service: Behind the Scenes}}, date = {2022-07-08}, organization = {Blueliv}, url = {https://outpost24.com/blog/Ransomware-as-a-service-behind-the-scenes}, language = {English}, urldate = {2022-07-20} } @online{estes:20230523:scratching:a781f78, author = {Ryan Estes}, title = {{Scratching the Surface of Rhysida Ransomware}}, date = {2023-05-23}, organization = {Secplicity}, url = {https://www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/}, language = {English}, urldate = {2023-06-19} } @online{ettlinger:20211109:invisible:7436e05, author = {Wolfgang Ettlinger}, title = {{The Invisible JavaScript Backdoor}}, date = {2021-11-09}, organization = {Certitude}, url = {https://certitude.consulting/blog/en/invisible-backdoor/}, language = {English}, urldate = {2021-12-06} } @online{eun:20230308:chm:cb594f7, author = {Ye Eun}, title = {{CHM malware (Kimsuky) disguised questionnaires related to North Korea}}, date = {2023-03-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/48960/}, language = {Korean}, urldate = {2023-03-20} } @online{eun:20230901:malicious:612f451, author = {Ye Eun}, title = {{Malicious LNK that distributes backdoors: RedEyes (ScarCruft)}}, date = {2023-09-01}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/56526/}, language = {Korean}, urldate = {2023-09-07} } @techreport{eurepoc:20230206:advanced:fd9937f, author = {EuRepoC}, title = {{Advanced Persistent Threat Profile: APT28 - Exploiting Democratic Vulnerabilities in Cyberspace}}, date = {2023-02-06}, institution = {EuRepoC}, url = {https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_APT_28_4856c0a0ac.pdf}, language = {English}, urldate = {2023-02-21} } @online{eurojust:20210127:worlds:d416adc, author = {Eurojust}, title = {{World’s most dangerous malware EMOTET disrupted through global action}}, date = {2021-01-27}, organization = {Eurojust}, url = {https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action}, language = {English}, urldate = {2021-01-27} } @online{europol:20140710:global:63da679, author = {Europol}, title = {{Global Action Targeting Shylock Malware}}, date = {2014-07-10}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware}, language = {English}, urldate = {2019-12-18} } @online{europol:20171204:andromeda:2024e4d, author = {Europol}, title = {{Andromeda botnet dismantled in international cyber operation}}, date = {2017-12-04}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation}, language = {English}, urldate = {2020-01-09} } @online{europol:20181025:pay:d82bbfc, author = {Europol}, title = {{Pay No More: universal GandCrab decryption tool released for free on No More Ransom}}, date = {2018-10-25}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom}, language = {English}, urldate = {2019-11-26} } @online{europol:20190516:goznym:37f6fa9, author = {Europol}, title = {{GOZNYM MALWARE: CYBERCRIMINAL NETWORK DISMANTLED IN INTERNATIONAL OPERATION}}, date = {2019-05-16}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation}, language = {English}, urldate = {2019-12-18} } @online{europol:20201217:spain:9b7a4ef, author = {Europol}, title = {{Spain dismantles top Russian-speaking organised crime network that had infiltrated public institutions}}, date = {2020-12-17}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/spain-dismantles-top-russian-speaking-organised-crime-network-had-infiltrated-public-institutions}, language = {English}, urldate = {2020-12-18} } @online{europol:20211029:12:5c0fd59, author = {Europol}, title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}}, date = {2021-10-29}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure}, language = {English}, urldate = {2021-11-02} } @online{europol:20211108:five:20be45a, author = {Europol}, title = {{Five Affiliates to Sodinokibi/REvil Unplugged}}, date = {2021-11-08}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged}, language = {English}, urldate = {2021-11-08} } @online{europol:20220601:takedown:237ca0d, author = {Europol}, title = {{Takedown of SMS-based FluBot spyware infecting Android phones}}, date = {2022-06-01}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones}, language = {English}, urldate = {2022-06-02} } @online{europol:20221215:global:89ae24e, author = {Europol}, title = {{Global crackdown against DDoS services shuts down most popular platforms}}, date = {2022-12-15}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/global-crackdown-against-ddos-services-shuts-down-most-popular-platforms}, language = {English}, urldate = {2023-06-19} } @online{europol:20240212:international:438a1a6, author = {Europol}, title = {{International cybercrime malware service targeting thousands of unsuspecting consumers dismantled}}, date = {2024-02-12}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/international-cybercrime-malware-service-targeting-thousands-of-unsuspecting-consumers-dismantled}, language = {English}, urldate = {2024-02-13} } @online{europol:20240220:law:ad22c16, author = {Europol}, title = {{Law enforcement disrupt world’s biggest ransomware operation}}, date = {2024-02-20}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation}, language = {English}, urldate = {2024-02-20} } @online{europol:20240530:largest:561606f, author = {Europol}, title = {{Largest ever operation against botnets hits dropper malware ecosystem}}, date = {2024-05-30}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem}, language = {English}, urldate = {2024-06-12} } @online{europol:20250409:operation:a1b62b2, author = {Europol}, title = {{Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns}}, date = {2025-04-09}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-follow-leads-to-five-detentions-and-interrogations-well-server-takedowns}, language = {English}, urldate = {2025-04-09} } @online{europol:20250507:ddosforhire:a8ac825, author = {Europol}, title = {{DDoS-for-hire empire brought down: Poland arrests 4 administrators, US seizes 9 domains}}, date = {2025-05-07}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/ddos-for-hire-empire-brought-down-poland-arrests-4-administrators-us-seizes-9-domains}, language = {English}, urldate = {2025-05-20} } @online{europol:20250520:europol:0f78162, author = {Europol}, title = {{Europol and Microsoft disrupt world’s largest infostealer Lumma}}, date = {2025-05-20}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/europol-and-microsoft-disrupt-world%E2%80%99s-largest-infostealer-lumma}, language = {English}, urldate = {2025-05-22} } @online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } @online{evans:20200711:injecting:3d78e32, author = {Peter Evans and Rodel Mendrez}, title = {{Injecting Magecart into Magento Global Config}}, date = {2020-07-11}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/}, language = {English}, urldate = {2020-07-15} } @online{evans:20210513:catching:eaa13e2, author = {Kieran Evans}, title = {{Catching the White Stork in Flight}}, date = {2021-05-13}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/}, language = {English}, urldate = {2021-09-19} } @techreport{evenden:20210804:whoops:38ad484, author = {David Evenden}, title = {{Whoops, I Accidentally Helped Start the Offensive Intel Branch of a Foreign Intel Service}}, date = {2021-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Whoops-I-Accidentally-Helped-Start-The-Offensive-Intel-Branch-Of-A-Foreign-Intel-Service.pdf}, language = {English}, urldate = {2021-09-22} } @online{everts:20220215:vulnerable:9c3b451, author = {Matthew Everts and Stephen McNally}, title = {{Vulnerable Exchange server hit by Squirrelwaffle and financial fraud}}, date = {2022-02-15}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/}, language = {English}, urldate = {2022-02-17} } @online{evild3ad:20110430:bkatrojaner:f7e6f23, author = {evild3ad}, title = {{BKA-Trojaner (Ransomware)}}, date = {2011-04-30}, organization = {evild3ad blog}, url = {https://www.evild3ad.com/405/bka-trojaner-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{ewane:20170609:macspy:608f090, author = {Peter Ewane}, title = {{MacSpy: OS X Mac RAT as a Service}}, date = {2017-06-09}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service}, language = {English}, urldate = {2019-12-04} } @techreport{ewhitehats:20180809:kovter:3181581, author = {eWhitehats}, title = {{Kovter Uncovered: Malware Teardown}}, date = {2018-08-09}, institution = {Github (ewhitehats)}, url = {https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf}, language = {English}, urldate = {2020-01-09} } @online{exatrack:20230328:mlofe:6ca8f29, author = {ExaTrack}, title = {{Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts}}, date = {2023-03-28}, organization = {ExaTrack}, url = {https://blog.exatrack.com/melofee/}, language = {English}, urldate = {2023-03-29} } @techreport{excellence:20210619:russias:27ef3e8, author = {NATO Strategic CommunicationsCentre of Excellence}, title = {{Russia's Strategy in Cyberspace}}, date = {2021-06-19}, institution = {NATO}, url = {https://stratcomcoe.org/cuploads/pfiles/Nato-Cyber-Report_15-06-2021.pdf}, language = {English}, urldate = {2021-06-24} } @online{exchange:20240105:tomb:6fa9c93, author = {IBM X-Force Exchange}, title = {{Tomb Crypter and ChrGetPdsi Stealer Analysis Report (INT00011701)}}, date = {2024-01-05}, organization = {IBM}, url = {https://exchange.xforce.ibmcloud.com/malware-analysis/guid:2f96dded08ec1c2dd039fca21378050c}, language = {English}, urldate = {2024-05-14} } @online{experts:20211202:structured:74127b2, author = {Microsoft Threat Experts}, title = {{Structured threat hunting: One way Microsoft Threat Experts prioritizes customer defense}}, date = {2021-12-02}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/02/structured-threat-hunting-one-way-microsoft-threat-experts-prioritizes-customer-defense/}, language = {English}, urldate = {2021-12-06} } @online{experts:20220824:looking:599689a, author = {Microsoft Security Experts}, title = {{Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks}}, date = {2022-08-24}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks}, language = {English}, urldate = {2022-08-30} } @online{experts:20220908:art:b42106d, author = {Microsoft Security Experts and Microsoft Detection and Response Team (DART)}, title = {{The art and science behind Microsoft threat hunting: Part 1}}, date = {2022-09-08}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/08/part-1-the-art-and-science-of-threat-hunting/}, language = {English}, urldate = {2022-09-13} } @online{experts:20220921:art:657254d, author = {Microsoft Security Experts and Microsoft Detection and Response Team (DART)}, title = {{The art and science behind Microsoft threat hunting: Part 2}}, date = {2022-09-21}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/21/the-art-and-science-behind-microsoft-threat-hunting-part-2/}, language = {English}, urldate = {2022-09-26} } @online{express:20230127:old:95851ce, author = {The Cyber Express}, title = {{Old Bot in New Bottle: Amadey Botnet Back in Action Via Phishing Sites}}, date = {2023-01-27}, organization = {cyble}, url = {https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/}, language = {English}, urldate = {2023-04-12} } @online{eybisi:20190407:mobile:c60bdb5, author = {Eybisi}, title = {{Mobile Malware Analysis : Tricks used in Anubis}}, date = {2019-04-07}, organization = {Eybisi}, url = {https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/}, language = {English}, urldate = {2020-01-08} } @online{ezat:20240526:qakbot:d014fca, author = {Mohamed Ezat}, title = {{QakBOT v5 Deep Malware Analysis}}, date = {2024-05-26}, organization = {ZW01f}, url = {https://zw01f.github.io/malware%20analysis/qakbot/}, language = {English}, urldate = {2024-06-05} } @online{ezat:20240630:deep:8eeaeb5, author = {Mohamed Ezat}, title = {{Deep Analysis of Snake (404 keylogger)}}, date = {2024-06-30}, organization = {ZW01f}, url = {https://zw01f.github.io/malware%20analysis/snake/}, language = {English}, urldate = {2024-07-03} } @online{ezat:20250301:indepth:3afd1f1, author = {Mohamed Ezat}, title = {{An in-depth analysis of APT37’s latest campaign}}, date = {2025-03-01}, organization = {ZW01f}, url = {https://zw01f.github.io/malware%20analysis/apt37/}, language = {English}, urldate = {2025-03-10} } @online{ezat:20250401:autocolor:eb90fbc, author = {Mohamed Ezat}, title = {{Auto-color - Linux backdoor}}, date = {2025-04-01}, organization = {ZW01f}, url = {https://zw01f.github.io/malware%20analysis/auto-color/}, language = {English}, urldate = {2025-04-01} } @online{f0rb1dd3n:20190304:reptile:cc8715f, author = {f0rb1dd3n}, title = {{Reptile}}, date = {2019-03-04}, organization = {Github (f0rb1dd3n)}, url = {https://github.com/f0rb1dd3n/Reptile}, language = {English}, urldate = {2020-01-10} } @online{f:20160512:hancitor:9c250c0, author = {Axel F and Matthew Mesa}, title = {{Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck}}, date = {2016-05-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear}, language = {English}, urldate = {2019-12-20} } @online{f:20160707:nettraveler:a613df3, author = {Axel F}, title = {{NetTraveler APT Targets Russian, European Interests}}, date = {2016-07-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests}, language = {English}, urldate = {2019-12-20} } @online{f:20170427:targets:b3540fd, author = {Axel F}, title = {{APT Targets Financial Analysts with CVE-2017-0199}}, date = {2017-04-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts}, language = {English}, urldate = {2019-12-20} } @online{f:20171016:leviathan:a898346, author = {Axel F and Pierre T}, title = {{Leviathan: Espionage actor spearphishes maritime and defense targets}}, date = {2017-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets}, language = {English}, urldate = {2019-12-20} } @online{f:20190515:threat:06b415a, author = {Axel F and Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA542, From Banker to Malware Distribution Service}}, date = {2019-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service}, language = {English}, urldate = {2019-12-20} } @online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } @online{f:20200828:comprehensive:df5ff9b, author = {Axel F and Proofpoint Threat Research Team}, title = {{A Comprehensive Look at Emotet’s Summer 2020 Return}}, date = {2020-08-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return}, language = {English}, urldate = {2020-08-30} } @online{f:20201001:emotet:59780d9, author = {Axel F and Proofpoint Threat Research Team}, title = {{Emotet Makes Timely Adoption of Political and Elections Lures}}, date = {2020-10-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures}, language = {English}, urldate = {2020-10-05} } @online{f:20210610:ransom:749613f, author = {Axel F}, title = {{Ransom DDoS Extortion Actor “Fancy Lazarus” Returns}}, date = {2021-06-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ransom-ddos-extortion-actor-fancy-lazarus-returns}, language = {English}, urldate = {2021-06-16} } @online{f:20211028:ta575:c1cfdd7, author = {Axel F and Selena Larson}, title = {{TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware}}, date = {2021-10-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware}, language = {English}, urldate = {2021-11-03} } @online{f:20220426:emotet:afb4f87, author = {Axel F}, title = {{Emotet Tests New Delivery Techniques}}, date = {2022-04-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques}, language = {English}, urldate = {2022-04-29} } @online{f:20220830:nanocore:86aa443, author = {John F}, title = {{NanoCore RAT Hunting Guide}}, date = {2022-08-30}, organization = {Medium the_abjuri5t}, url = {https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0}, language = {English}, urldate = {2022-08-30} } @online{f:20230208:screentime:6bc258a, author = {Axel F}, title = {{Screentime: Sometimes It Feels Like Somebody's Watching Me}}, date = {2023-02-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me}, language = {English}, urldate = {2023-02-13} } @online{f:20231030:security:b0c3022, author = {Axel F and Selena Larson}, title = {{Security Brief: TA571 Delivers IcedID Forked Loader}}, date = {2023-10-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader}, language = {English}, urldate = {2024-12-11} } @online{f:20231221:battleroyal:9e62e80, author = {Axel F and Dusty Miller and Tommy Madjar and Selena Larson}, title = {{BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates}}, date = {2023-12-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates}, language = {English}, urldate = {2024-01-03} } @online{f:20240213:bumblebee:fcffd51, author = {Axel F and Selena Larson}, title = {{Bumblebee Buzzes Back in Black}}, date = {2024-02-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black}, language = {English}, urldate = {2024-02-15} } @online{fabien:20250203:legionloader:f819854, author = {Lefebvre Fabien and Pezier Pierre-Henri}, title = {{LegionLoader exposed}}, date = {2025-02-03}, organization = {TEHTRIS}, url = {https://tehtris.com/en/blog/legionloader-exposed/}, language = {English}, urldate = {2025-02-04} } @online{fabien:20250627:rage:3dbc1c8, author = {Lefebvre Fabien}, title = {{Rage Against the Powershell - Qilin in the Name}}, date = {2025-06-27}, organization = {TEHTRIS}, url = {https://tehtris.com/en/blog/rage-against-the-powershell-qilin-in-the-name/}, language = {English}, urldate = {2025-06-30} } @online{facebook:20130215:protecting:491c151, author = {Facebook}, title = {{Protecting People On Facebook}}, date = {2013-02-15}, organization = {Facebook}, url = {https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766}, language = {English}, urldate = {2020-01-13} } @techreport{facebook:20200901:august:b00a9e2, author = {Facebook}, title = {{August 2020 Coordinated Inauthentic Behavior Report}}, date = {2020-09-01}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2020/09/August-2020-CIB-Report.pdf}, language = {English}, urldate = {2020-09-01} } @techreport{facebook:20210406:march:b34b593, author = {Facebook}, title = {{March 2021 Coordinated Inauthentic Behavior Report}}, date = {2021-04-06}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2021/04/March-2021-CIB-Report.pdf}, language = {English}, urldate = {2021-04-09} } @techreport{facebook:20210506:april:efdf147, author = {Facebook}, title = {{April 2021 Coordinated Inauthentic Behavior Report}}, date = {2021-05-06}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2021/05/April-2021-CIB-Report.pdf}, language = {English}, urldate = {2021-05-08} } @techreport{facebook:20210526:threat:4b3c264, author = {Facebook}, title = {{Threat Report: The State of Influence Operations 2017-2020}}, date = {2021-05-26}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2021/05/IO-Threat-Report-May-20-2021.pdf}, language = {English}, urldate = {2021-06-11} } @techreport{facebook:20210810:july:2907d50, author = {Facebook}, title = {{July 2021 Coordinated Inauthentic Behavior Report}}, date = {2021-08-10}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2021/08/July-2021-CIB-Report.pdf}, language = {English}, urldate = {2021-09-14} } @techreport{facebook:20211010:september:e6a16a6, author = {Facebook}, title = {{September 2021 Coordinated Inauthentic Behavior Report}}, date = {2021-10-10}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2021/10/Sept-2021-CIB-Report.pdf}, language = {English}, urldate = {2021-10-25} } @techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2023-04-08} } @techreport{fagerland:201305:operation:3bb0505, author = {Snorre Fagerland and Morten Kråkvik and Jonathan Camp and Ned Moran}, title = {{Operation Hangover}}, date = {2013-05}, institution = {Norman Shark}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2013/2013.05.20.Operation_Hangover/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf}, language = {English}, urldate = {2021-05-19} } @techreport{fagerland:20131105:operation:20a8699, author = {Snorre Fagerland}, title = {{Operation Hangover: Unveiling an Indian Cyberattack Infrastructure}}, date = {2013-11-05}, institution = {F-Secure}, url = {https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf}, language = {English}, urldate = {2023-10-05} } @techreport{fagerland:20131211:chinese:b7bb523, author = {Snorre Fagerland}, title = {{The Chinese Malware Complexes: The Maudi Surveillance Operation}}, date = {2013-12-11}, institution = {Norman Shark}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf}, language = {English}, urldate = {2020-01-27} } @online{fagerland:20141209:blue:0d254a1, author = {Snorre Fagerland and Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Business Execs}}, date = {2014-12-09}, organization = {Blue Coat}, url = {https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware}, language = {English}, urldate = {2020-04-21} } @techreport{fagerland:20141209:inception:1966734, author = {Snorre Fagerland and Waylon Grange}, title = {{The Inception Framework: Cloud-hosted APT}}, date = {2014-12-09}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf}, language = {English}, urldate = {2020-04-21} } @online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } @online{fahmy:20211117:analyzing:c6c52d1, author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque}, title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}}, date = {2021-11-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html}, language = {English}, urldate = {2021-11-18} } @online{fahmy:20211119:squirrelwaffle:1e8fa78, author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar}, title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}}, date = {2021-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html}, language = {English}, urldate = {2021-11-25} } @online{fahmy:20220825:new:62162e8, author = {Mohamed Fahmy and Nathaniel Gregory Ragasa and Earle Maui Earnshaw and Bahaa Yamany and Jeffrey Francis Bonaobra and Jay Yaneza}, title = {{New Golang Ransomware Agenda Customizes Attacks}}, date = {2022-08-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html}, language = {English}, urldate = {2022-08-30} } @online{fahmy:20220825:new:6f3ec79, author = {Mohamed Fahmy and Nathaniel Gregory Ragasa and Earle Maui Earnshaw and Bahaa Yamany and Jeffrey Francis Bonaobra and Jay Yaneza}, title = {{New Golang Ransomware Agenda Customizes Attacks (IoCs)}}, date = {2022-08-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt}, language = {English}, urldate = {2022-08-30} } @online{fahmy:20230202:new:7d997ea, author = {Mohamed Fahmy and Sherif Magdy and Mahmoud Zohdy}, title = {{New APT34 Malware Targets The Middle East}}, date = {2023-02-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html}, language = {English}, urldate = {2023-02-03} } @online{fahmy:20241011:earth:2b5e05e, author = {Mohamed Fahmy and Bahaa Yamany and Ahmed Kamal and Nick Dai}, title = {{Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East}}, date = {2024-10-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html}, language = {English}, urldate = {2024-11-04} } @online{fahmy:20241011:earth:e0ca078, author = {Mohamed Fahmy and Bahaa Yamany and Ahmed Kamal and Nick Dai}, title = {{Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions}}, date = {2024-10-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html}, language = {English}, urldate = {2024-10-17} } @online{faithfull:20241114:elephant:4c1fd0d, author = {Roman Faithfull}, title = {{An elephant in Kairos: data-leak site emerges for new extortion group}}, date = {2024-11-14}, organization = {cyjax}, url = {https://www.cyjax.com/resources/blog/an-elephant-in-kairos-data-leak-site-emerges-for-new-extortion-group/}, language = {English}, urldate = {2024-12-02} } @online{fakterman:20200903:no:7719da5, author = {Tom Fakterman}, title = {{No Rest for the Wicked: Evilnum Unleashes PyVil RAT}}, date = {2020-09-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat}, language = {English}, urldate = {2020-09-04} } @online{fakterman:20201119:cybereason:da3ab54, author = {Tom Fakterman and Assaf Dahan}, title = {{Cybereason vs. MedusaLocker Ransomware}}, date = {2020-11-19}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/medusalocker-ransomware}, language = {English}, urldate = {2020-11-23} } @online{fakterman:20210216:cybereason:bc5074c, author = {Tom Fakterman}, title = {{Cybereason vs. NetWalker Ransomware}}, date = {2021-02-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware}, language = {English}, urldate = {2021-02-20} } @online{fakterman:20210706:cybereason:1e0b80a, author = {Tom Fakterman}, title = {{Cybereason vs. REvil Ransomware: The Kaseya Chronicles}}, date = {2021-07-06}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles}, language = {English}, urldate = {2021-07-12} } @online{fakterman:20211006:operation:9a1ec21, author = {Tom Fakterman and Daniel Frank and Chen Erlich and Assaf Dahan}, title = {{Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms}}, date = {2021-10-06}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms}, language = {English}, urldate = {2021-10-24} } @online{fakterman:20220201:strifewater:a2694c3, author = {Tom Fakterman}, title = {{StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations}}, date = {2022-02-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations}, language = {English}, urldate = {2022-02-02} } @online{fakterman:20220301:cybereason:b40f6c6, author = {Tom Fakterman and Ohav Peri}, title = {{Cybereason vs. BlackCat Ransomware}}, date = {2022-03-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware}, language = {English}, urldate = {2022-03-07} } @online{fal:20241217:badbox:0551327, author = {Pedro Falé}, title = {{BADBOX Botnet Is Back}}, date = {2024-12-17}, organization = {BitSight}, url = {https://www.bitsight.com/blog/badbox-botnet-back}, language = {English}, urldate = {2024-12-20} } @online{falcone:20150518:cmstar:3d947f0, author = {Robert Falcone}, title = {{Cmstar Downloader: Lurid and Enfal’s New Cousin}}, date = {2015-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150727:ups:ae69e4c, author = {Robert Falcone and Richard Wartell}, title = {{UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload}}, date = {2015-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:4faf76a, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:7210cf9, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20151110:bookworm:41d48c9, author = {Robert Falcone and Mike Scott and Juan Cortes}, title = {{Bookworm Trojan: A Model of Modular Architecture}}, date = {2015-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/}, language = {English}, urldate = {2022-09-19} } @online{falcone:20151218:attack:e1f82ab, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack on French Diplomat Linked to Operation Lotus Blossom}}, date = {2015-12-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/}, language = {English}, urldate = {2020-01-06} } @online{falcone:20160124:scarlet:c5ef791, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists}}, date = {2016-01-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20160203:emissary:704f38b, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?}}, date = {2016-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/}, language = {English}, urldate = {2021-02-04} } @online{falcone:20160203:emissary:99f3e21, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?}}, date = {2016-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160325:projectm:afcff3a, author = {Robert Falcone and Simon Conant}, title = {{ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe}}, date = {2016-03-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe}, language = {English}, urldate = {2020-01-10} } @online{falcone:20160526:oilrig:89b6b4d, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160526:oilrig:99f488f, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2020-01-13} } @online{falcone:20160614:new:0c98099, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-10-29} } @online{falcone:20160614:new:1ba80fd, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160614:new:b51d1ab, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2020-09-15} } @online{falcone:20160726:attack:2df4ff7, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack Delivers ‘9002’ Trojan Through Google Drive}}, date = {2016-07-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161017:dealerschoice:14aaca9, author = {Robert Falcone and Bryan Lee}, title = {{‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform}}, date = {2016-10-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161215:let:d1d1011, author = {Robert Falcone and Bryan Lee}, title = {{Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue}}, date = {2016-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170214:xagentosx:33ef060, author = {Robert Falcone}, title = {{XAgentOSX: Sofacy’s XAgent macOS Tool}}, date = {2017-02-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20170427:oilrig:fd3e813, author = {Robert Falcone}, title = {{OilRig Actors Provide a Glimpse into Development and Testing Efforts}}, date = {2017-04-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170727:oilrig:36046ef, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group}}, date = {2017-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/}, language = {English}, urldate = {2019-11-16} } @online{falcone:20170731:twoface:8fe5f2d, author = {Robert Falcone and Bryan Lee}, title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}}, date = {2017-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170926:striking:45926d9, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20170926:striking:f9aa319, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171009:oilrig:71ea256, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan}}, date = {2017-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/}, language = {English}, urldate = {2019-10-14} } @online{falcone:20171108:oilrig:a8a3089, author = {Robert Falcone}, title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}}, date = {2017-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171211:oilrig:8d7f26f, author = {Robert Falcone}, title = {{OilRig Performs Tests on the TwoFace Webshell}}, date = {2017-12-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20180125:oilrig:80920f0, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20180125:oilrig:ac00139, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180727:new:90cdd2c, author = {Robert Falcone and Bryan Lee and Tom Lancaster}, title = {{New Threat Actor Group DarkHydrus Targets Middle East Government}}, date = {2018-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:8a338cc, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, url = {https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-11-29} } @online{falcone:20180807:darkhydrus:d449ea2, author = {Robert Falcone}, title = {{DarkHydrus Uses Phishery to Harvest Credentials in the Middle East}}, date = {2018-08-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181116:analyzing:037fccb, author = {Robert Falcone and Kyle Wilhoit}, title = {{Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery}}, date = {2018-11-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181120:sofacy:b1ef88a, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20181120:sofacy:bb4fd84, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20181218:sofacy:3573b82, author = {Robert Falcone}, title = {{Sofacy Creates New ‘Go’ Variant of Zebrocy Tool}}, date = {2018-12-18}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190108:darkhydrus:3996fa4, author = {Robert Falcone and Bryan Lee}, title = {{DarkHydrus delivers new Trojan that can use Google Drive for C2 communications}}, date = {2019-01-08}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190304:new:5bf1cea, author = {Robert Falcone and Brittany Ash}, title = {{New Python-Based Payload MechaFlounder Used by Chafer}}, date = {2019-03-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/}, language = {English}, urldate = {2019-12-24} } @online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } @online{falcone:20190417:aggah:f17c88f, author = {Robert Falcone and Brittany Ash}, title = {{Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign}}, date = {2019-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190528:emissary:dc0f942, author = {Robert Falcone and Tom Lancaster}, title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}}, date = {2019-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/}, language = {English}, urldate = {2021-04-16} } @online{falcone:20190923:xhunt:7d50e81, author = {Robert Falcone and Brittany Barbehenn}, title = {{xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations}}, date = {2019-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/}, language = {English}, urldate = {2020-11-09} } @online{falcone:20191010:xhunt:df8aa36, author = {Robert Falcone and Brittany Barbehenn}, title = {{xHunt Campaign: New PowerShell Backdoor Blocked Through DNS Tunnel Detection}}, date = {2019-10-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/}, language = {English}, urldate = {2020-11-11} } @online{falcone:20191204:xhunt:9f95e2e, author = {Robert Falcone}, title = {{xHunt Campaign: xHunt Actor’s Cheat Sheet}}, date = {2019-12-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-actors-cheat-sheet/}, language = {English}, urldate = {2020-11-09} } @online{falcone:20200127:xhunt:9d0527b, author = {Robert Falcone and Brittany Barbehenn}, title = {{xHunt Campaign: New Watering Hole Identified for Credential Harvesting}}, date = {2020-01-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/}, language = {English}, urldate = {2020-11-09} } @online{falcone:20200303:molerats:990b000, author = {Robert Falcone and Bryan Lee and Alex Hinchliffe}, title = {{Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations}}, date = {2020-03-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/}, language = {English}, urldate = {2020-03-03} } @online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } @online{falcone:20200904:thanos:b5eb551, author = {Robert Falcone}, title = {{Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa}}, date = {2020-09-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thanos-ransomware/}, language = {English}, urldate = {2020-09-06} } @online{falcone:20201109:xhunt:1d9f468, author = {Robert Falcone}, title = {{xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control}}, date = {2020-11-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/}, language = {English}, urldate = {2020-11-09} } @online{falcone:20210111:xhunt:20574a1, author = {Robert Falcone}, title = {{xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement}}, date = {2021-01-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/}, language = {English}, urldate = {2022-08-08} } @online{falcone:20210415:actor:8428e3f, author = {Robert Falcone}, title = {{Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials}}, date = {2021-04-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/}, language = {English}, urldate = {2021-04-19} } @online{falcone:20210429:new:df553b4, author = {Robert Falcone and Simon Conant}, title = {{New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl)}}, date = {2021-04-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/westeal/}, language = {English}, urldate = {2021-05-19} } @online{falcone:20210715:mespinoza:cabb0ab, author = {Robert Falcone and Alex Hinchliffe and Quinn Cooke}, title = {{Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools}}, date = {2021-07-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/}, language = {English}, urldate = {2021-07-20} } @online{falcone:20211107:targeted:121be00, author = {Robert Falcone and Jeff White and Peter Renals}, title = {{Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer}}, date = {2021-11-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/}, language = {English}, urldate = {2021-12-02} } @online{falcone:20211202:expands:dfaebce, author = {Robert Falcone and Peter Renals}, title = {{APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus}}, date = {2021-12-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/}, language = {English}, urldate = {2021-12-02} } @online{falcone:20220120:threat:4aad471, author = {Robert Falcone and Mike Harbison and Josh Grunzweig}, title = {{Threat Brief: Ongoing Russia and Ukraine Cyber Conflict}}, date = {2022-01-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/}, language = {English}, urldate = {2022-01-24} } @techreport{falliere:2009:zeus:73559c2, author = {Nicolas Falliere and Eric Chien}, title = {{Zeus: King of the Bots}}, date = {2009}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{falliere:201107:sality:85158ba, author = {Nicolas Falliere}, title = {{Sality: Story of a Peerto-Peer Viral Network}}, date = {2011-07}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{falliere:2012:w32qakbot:974b5b5, author = {Nicolas Falliere}, title = {{W32.Qakbot in Detail}}, date = {2012}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{fang:20220324:keeping:45451fa, author = {Cifer Fang and Vladimir Kropotov and Loseway Lu and Qi Sun and Fyodor Yarochkin}, title = {{Keeping Assets Safe From Cryptocurrency Scams and Schemes (Technical Brief)}}, date = {2022-03-24}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/an-investigation-of-cryptocurrency-scams-and-schemes/technical_brief_keeping_assets_safe_from_cryptocurrency_scams_and_schemes.pdf}, language = {English}, urldate = {2022-03-28} } @online{fang:20220516:fake:f395f7d, author = {Cifer Fang and Ford Qin and Zhengyu Dong}, title = {{Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys}}, date = {2022-05-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html}, language = {English}, urldate = {2022-05-17} } @techreport{faou:201702:read:03c3c9e, author = {Matthieu Faou and Jean-Ian Boutin}, title = {{Read The Manual: A Guide to the RTM Banking Trojan}}, date = {2017-02}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf}, language = {English}, urldate = {2019-11-25} } @online{faou:20180905:powerpool:5cde83e, author = {Matthieu Faou}, title = {{PowerPool malware exploits ALPC LPE zero‑day vulnerability}}, date = {2018-09-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190507:turla:0300283, author = {Matthieu Faou}, title = {{Turla LightNeuron: An email too far}}, date = {2019-05-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } @techreport{faou:201905:turla:5a8a05f, author = {Matthieu Faou}, title = {{TURLA LIGHTNEURON: One email away from remote code execution}}, date = {2019-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } @online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } @online{faou:20200526:from:804e2da, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey}}, date = {2020-05-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/}, language = {English}, urldate = {2020-05-27} } @techreport{faou:20200526:from:89e2854, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)}}, date = {2020-05-26}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf}, language = {English}, urldate = {2020-05-27} } @online{faou:20200902:kryptocibule:9fb272b, author = {Matthieu Faou and Alexandre Côté Cyr}, title = {{KryptoCibule: The multitasking multicurrency cryptostealer}}, date = {2020-09-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/}, language = {English}, urldate = {2020-09-03} } @techreport{faou:20200930:xdspy:3189c15, author = {Matthieu Faou and Francis Labelle}, title = {{XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011}}, date = {2020-09-30}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf}, language = {English}, urldate = {2020-10-08} } @online{faou:20201001:xdspy:33a6429, author = {Matthieu Faou}, title = {{XDSpy Indicators of Compromise}}, date = {2020-10-01}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/xdspy/}, language = {English}, urldate = {2020-10-08} } @online{faou:20201002:xdspy:c3724c7, author = {Matthieu Faou}, title = {{XDSpy: Stealing government secrets since 2011}}, date = {2020-10-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/}, language = {English}, urldate = {2020-10-05} } @online{faou:20201202:turla:7f8c935, author = {Matthieu Faou}, title = {{Turla Crutch: Keeping the “back door” open}}, date = {2020-12-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/}, language = {English}, urldate = {2020-12-08} } @online{faou:20211116:strategic:303fda6, author = {Matthieu Faou}, title = {{Strategic web compromises in the Middle East with a pinch of Candiru}}, date = {2021-11-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/}, language = {English}, urldate = {2021-11-17} } @online{faou:20220427:lookback:112a66b, author = {Matthieu Faou and Alexandre Côté Cyr}, title = {{A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity}}, date = {2022-04-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/}, language = {English}, urldate = {2022-04-29} } @techreport{faou:20230810:moustachedbouncer:0c86798, author = {Matthieu Faou}, title = {{MoustachedBouncer AitM-powered surveillance via Belarus ISPs}}, date = {2023-08-10}, institution = {ESET Research}, url = {https://i.blackhat.com/BH-US-23/Presentations/US-23-MatthieuFaou-MoustachedBouncer.pdf}, language = {English}, urldate = {2023-08-11} } @online{faou:20230810:moustachedbouncer:f85e2d8, author = {Matthieu Faou}, title = {{MoustachedBouncer: Espionage against foreign diplomats in Belarus}}, date = {2023-08-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/}, language = {English}, urldate = {2023-08-10} } @online{faou:20231025:winter:e46457b, author = {Matthieu Faou}, title = {{Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers}}, date = {2023-10-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/}, language = {English}, urldate = {2023-12-04} } @online{faou:20250320:operation:e83c45e, author = {Matthieu Faou}, title = {{Operation FishMedley}}, date = {2025-03-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/operation-fishmedley/}, language = {English}, urldate = {2025-03-21} } @online{faou:20250515:operation:b141a4e, author = {Matthieu Faou}, title = {{Operation RoundPress}}, date = {2025-05-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/operation-roundpress/}, language = {English}, urldate = {2025-05-20} } @online{faouzi:20150929:andromeda:06d70c0, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 1}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis/}, language = {English}, urldate = {2020-01-13} } @online{faouzi:20150929:andromeda:543098f, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 2}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/}, language = {English}, urldate = {2020-01-07} } @online{faouzi:20151009:beta:fffb6be, author = {Ayoub Faouzi}, title = {{Beta Bot Analysis: Part 1}}, date = {2015-10-09}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref}, language = {English}, urldate = {2020-01-07} } @online{faraz:20250417:breaking:7956674, author = {Hassan Faraz and Mohamed Talaat}, title = {{Breaking the B0 ransomware: Investigation & Decryption}}, date = {2025-04-17}, organization = {Porthas}, url = {https://www.porthas.com/blog/b0-ransomware-decryption/}, language = {English}, urldate = {2025-05-02} } @online{fareed:20210602:lemonduck:d9bb177, author = {Fareed}, title = {{Lemon-Duck Cryptominer Technical Analysis}}, date = {2021-06-02}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html}, language = {English}, urldate = {2022-02-14} } @online{fareed:20210919:discovering:19f2d6b, author = {Fareed}, title = {{Discovering Linux ELF Beacon of Cobalt Strike Tool}}, date = {2021-09-19}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html}, language = {English}, urldate = {2022-02-14} } @online{fareed:20220405:rtf:8e99ba1, author = {Fareed and Rosamira and Taqi}, title = {{RTF template injection sample targeting Malaysia}}, date = {2022-04-05}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2022/04/rtf-template-injection-sample-targeting-Malaysia.html}, language = {English}, urldate = {2023-03-13} } @online{fareed:20220519:scam:1d261f3, author = {Fareed}, title = {{Scam and Malicious APK targeting Malaysian: MyMaidKL Technical Analysis}}, date = {2022-05-19}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html}, language = {English}, urldate = {2022-10-30} } @online{fareed:20220603:cve202230190:229539f, author = {Fareed}, title = {{CVE-2022-30190 aka "Follina" MSDT: Advisory and Technical Analysis}}, date = {2022-06-03}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2022/06/cve-2022-30190-aka-follina-msdt.html}, language = {English}, urldate = {2022-10-30} } @online{fareed:20220905:scam:4f9ce37, author = {Fareed and Rosamira and Taqi}, title = {{Scam Android app steals Bank Credentials and SMS: MyPetronas APK}}, date = {2022-09-05}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2022/09/scam-android-app-steals-bank.html}, language = {English}, urldate = {2023-03-13} } @online{farghaly:20230724:deep:8d9f996, author = {Mostafa Farghaly}, title = {{Deep Analysis of Vidar Stealer}}, date = {2023-07-24}, organization = {M4lcode}, url = {https://m4lcode.github.io/malware%20analysis/vidar/}, language = {English}, urldate = {2024-01-30} } @online{farghly:20240301:taking:13e05ea, author = {Aziz Farghly}, title = {{Taking a deep dive into SmokeLoader}}, date = {2024-03-01}, organization = {farghlymal github.io}, url = {https://farghlymal.github.io/SmokeLoader-Analysis/}, language = {English}, urldate = {2024-03-04} } @online{faria:20200701:threat:54ff8db, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin}, language = {English}, urldate = {2020-07-02} } @online{faria:20200701:threat:b9163dc, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/}, language = {English}, urldate = {2020-07-02} } @online{faria:20231023:advice:d6f6b92, author = {John Faria}, title = {{Advice For Catching a RedLine Stealer}}, date = {2023-10-23}, organization = {SarlackLab}, url = {https://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193}, language = {English}, urldate = {2023-12-11} } @online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } @online{farina:20190207:ursnif:f25be00, author = {Antonio Farina and Davide Testa and Antonio Pirozzi}, title = {{Ursnif: Long Live the Steganography!}}, date = {2019-02-07}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ursnif-long-live-the-steganography/}, language = {English}, urldate = {2022-02-02} } @online{farina:20190702:loocipher:3ec598c, author = {Antonio Farina and Antonio Pirozzi and Luca Mella}, title = {{LooCipher: The New Infernal Ransomware}}, date = {2019-07-02}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/}, language = {English}, urldate = {2023-09-11} } @online{farina:20190924:or:901ce1d, author = {Antonio Farina and Luca Mella}, title = {{APT or not APT? What's Behind the Aggah Campaign}}, date = {2019-09-24}, organization = {Yoroi}, url = {https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/}, language = {English}, urldate = {2021-06-16} } @online{farina:20191220:unveiling:0abaa1d, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{Unveiling JsOutProx: A New Enterprise Grade Implant}}, date = {2019-12-20}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/}, language = {English}, urldate = {2021-06-16} } @techreport{farinholt:20200126:dark:9c2f434, author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko}, title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}}, date = {2020-01-26}, institution = {}, url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf}, language = {English}, urldate = {2020-03-07} } @online{fauzi:20210121:solarwinds:7388fbc, author = {Fareed Fauzi}, title = {{Solarwinds Attack: Sunburst's DLL Technical Analysis}}, date = {2021-01-21}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html}, language = {English}, urldate = {2022-02-14} } @online{fbi:20171011:wanted:4a62837, author = {FBI}, title = {{Wanted By The FBI: SamSam Subjects}}, date = {2017-10-11}, organization = {FBI}, url = {https://www.justice.gov/opa/press-release/file/1114746/download}, language = {English}, urldate = {2022-03-18} } @online{fbi:20181220:chinese:06e7a78, author = {FBI}, title = {{Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information}}, date = {2018-12-20}, organization = {FBI}, url = {https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018}, language = {English}, urldate = {2019-11-28} } @online{fbi:20200325:fbi:f2ba305, author = {FBI}, title = {{FBI Flash CP-000111-MW: Kwampirs Malware Indicators of Compromise Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries}}, date = {2020-03-25}, organization = {FBI}, url = {http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html}, language = {English}, urldate = {2020-04-07} } @techreport{fbi:20200527:alert:6d31e17, author = {FBI}, title = {{Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity}}, date = {2020-05-27}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210527.pdf}, language = {English}, urldate = {2021-06-04} } @online{fbi:20200710:wanted:737f2a9, author = {FBI}, title = {{Wanted poster: CHINA MSS GUANGDONG STATE SECURITY DEPARTMENT HACKERS}}, date = {2020-07-10}, organization = {FBI}, url = {https://www.justice.gov/opa/press-release/file/1295986/download}, language = {English}, urldate = {2022-07-25} } @techreport{fbi:20200728:indicators:7dada00, author = {FBI}, title = {{Indicators Associated with Netwalker Ransomware}}, date = {2020-07-28}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-2.pdf}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20200823:ac000129tt:39b2ab4, author = {FBI}, title = {{AC-000129-TT: Chinese Government-Mandated Tax Software Contains Malware, Enabling Backdoor Access}}, date = {2020-08-23}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200728.pdf}, language = {English}, urldate = {2020-08-27} } @techreport{fbi:20200824:ac000131mw:ad03507, author = {FBI}, title = {{AC-000131-MW: Tactics, Techniques, and Procedures Associated with Malware within Chinese Government-Mandated Tax Software}}, date = {2020-08-24}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201103-1.pdf}, language = {English}, urldate = {2020-11-09} } @techreport{fbi:20200910:fbi:596f87c, author = {FBI and National Cyber Investigative Joint Task Force (NCIJTF)}, title = {{FBI PIN NUMBER 20200910-001: Cyber Actors Conduct CredentialStuffing Attacks Against US Financial Sector}}, date = {2020-09-10}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-1.pdf}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20200916:fbi:76fd945, author = {FBI}, title = {{FBI Flash AC-000133-TT: Indictment of China-Based Cyber Actors Associated with APT 41for Intrusion Activities}}, date = {2020-09-16}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf}, language = {English}, urldate = {2020-09-18} } @techreport{fbi:20200917:fbi:144c69c, author = {FBI}, title = {{FBI FLASH ME-000134-MW: Indicators of Compromise Associated with Rana Intelligence Computing, also known as APT39, Chafer, Cadelspy, Remexi, and ITG07}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-2.pdf}, language = {English}, urldate = {2020-09-23} } @techreport{fbi:20200917:fbi:9893ba0, author = {FBI}, title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-1.pdf}, language = {English}, urldate = {2020-09-23} } @online{fbi:20200922:alert:61bd784, author = {FBI}, title = {{Alert Number I-092220-PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results}}, date = {2020-09-22}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200922.aspx}, language = {English}, urldate = {2020-09-25} } @online{fbi:20200924:alert:7ae81a3, author = {FBI}, title = {{Alert Number I-092420-PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting}}, date = {2020-09-24}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200924.aspx}, language = {English}, urldate = {2020-09-25} } @online{fbi:20200928:alert:62dc80c, author = {FBI}, title = {{Alert Number I-092820-PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections}}, date = {2020-09-28}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200928.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20200930:alert:cc6c032, author = {FBI}, title = {{Alert Number I-093020-PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting}}, date = {2020-09-30}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200930.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20201001:alert:f641a9f, author = {FBI}, title = {{Alert Number I-100120-PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections}}, date = {2020-10-01}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/201001.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20201002:alert:ad3b2e0, author = {FBI}, title = {{Alert Number I-100220-PSA: Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters}}, date = {2020-10-02}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/201002.aspx}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20201014:cp000135dm:13d0f65, author = {FBI}, title = {{CP-000135-DM: Unattributed Entities Register Domains Spoofing the US Census Bureau’s Websites, Likely for Malicious Use}}, date = {2020-10-14}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201106.pdf}, language = {English}, urldate = {2020-11-09} } @techreport{fbi:20201014:fbi:1a924aa, author = {FBI}, title = {{FBI FLASH MU-000136-MW: Cyber ActorsTarget Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses}}, date = {2020-10-14}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201103-3.pdf}, language = {English}, urldate = {2020-11-09} } @online{fbi:20201019:gru:8a34c71, author = {FBI}, title = {{GRU HACKERS' DESTRUCTIVE MALWARE AND INTERNATIONAL CYBER ATTACKS}}, date = {2020-10-19}, organization = {FBI}, url = {https://www.fbi.gov/wanted/cyber/gru-hackers-destructive-malware-and-international-cyber-attacks}, language = {English}, urldate = {2020-10-19} } @techreport{fbi:20201029:alert:6b115f0, author = {FBI}, title = {{Alert Number ME-000138-TT: Indicators of Compromise Pertaining to Iranian Interference in the 2020 US Presidential Election}}, date = {2020-10-29}, institution = {FBI}, url = {https://ic3.gov/Media/News/2020/201030.pdf}, language = {English}, urldate = {2020-11-02} } @techreport{fbi:20201119:mu000140mw:680c1f8, author = {FBI}, title = {{MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware}}, date = {2020-11-19}, institution = {FBI}, url = {https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf}, language = {English}, urldate = {2020-11-23} } @online{fbi:20201123:alert:b813e71, author = {FBI}, title = {{Alert Number I-112320-PSA: Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks}}, date = {2020-11-23}, organization = {FBI}, url = {https://www.ic3.gov/Media/Y2020/PSA201123}, language = {English}, urldate = {2020-11-25} } @techreport{fbi:20201210:pin:8657b3e, author = {FBI}, title = {{PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services}}, date = {2020-12-10}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201215-1.pdf}, language = {English}, urldate = {2020-12-19} } @online{fbi:20201222:pin:ea37578, author = {FBI}, title = {{PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities}}, date = {2020-12-22}, organization = {FBI}, url = {https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view}, language = {English}, urldate = {2020-12-26} } @online{fbi:20201223:iranian:e252f2e, author = {FBI}, title = {{Iranian Cyber Actors Responsible for Website Threatening U.S. Election Officials}}, date = {2020-12-23}, organization = {FBI}, url = {https://www.fbi.gov/news/pressrel/press-releases/iranian-cyber-actors-responsible-for-website-threatening-us-election-officials}, language = {English}, urldate = {2020-12-26} } @techreport{fbi:20210106:pin:66d55ca, author = {FBI}, title = {{PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data}}, date = {2021-01-06}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf}, language = {English}, urldate = {2021-01-11} } @techreport{fbi:20210114:pin:7f4c168, author = {FBI}, title = {{PIN Number 20210114-001: Cyber Criminals Exploit Network Access and Privilege Escalation}}, date = {2021-01-14}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/20458329/cyber-criminals-exploit-network-access-and-privilege-escalation-bleepingcomputer-210115.pdf}, language = {English}, urldate = {2021-01-21} } @techreport{fbi:20210211:alert:6f596af, author = {FBI and CISA}, title = {{Alert (AA21-042A): Compromise of U.S. Water Treatment Facility}}, date = {2021-02-11}, institution = {US-CERT}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA21-042A_Joint_Cybersecurity_Advisory_Compromise_of_U.S._Drinking_Treatment_Facility.pdf}, language = {English}, urldate = {2021-02-20} } @techreport{fbi:20210310:compromise:8ad3a9c, author = {FBI and CISA}, title = {{Compromise of Microsoft Exchange Server}}, date = {2021-03-10}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210310.pdf}, language = {English}, urldate = {2021-03-12} } @techreport{fbi:20210316:alert:69b1a21, author = {FBI}, title = {{Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions}}, date = {2021-03-16}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210316.pdf}, language = {English}, urldate = {2021-03-22} } @techreport{fbi:20210323:alert:e4d63f0, author = {FBI}, title = {{Alert Number CU-000143-MW: Mamba Ransomware Weaponizing DiskCryptor}}, date = {2021-03-23}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210323.pdf}, language = {English}, urldate = {2021-03-25} } @online{fbi:20210413:alert:c52e054, author = {FBI}, title = {{Alert Number I-041321-PSA: Rise In Use of Cryptocurrency In Business Email Compromise Schemes}}, date = {2021-04-13}, organization = {FBI}, url = {https://www.ic3.gov/Media/Y2021/PSA210413}, language = {English}, urldate = {2021-04-14} } @techreport{fbi:20210512:pin:65820ee, author = {FBI}, title = {{PIN Number 20210512-001: Spear-Phishing Attack Directing Recipients to Download a Fake Windows Application Impersonating a Financial Institution}}, date = {2021-05-12}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210513.pdf}, language = {English}, urldate = {2021-05-19} } @techreport{fbi:20210520:alert:65d3256, author = {FBI}, title = {{Alert Number CP-000147-MW: Conti Ransomware Attacks Impact Healthcare and First Responder Networks}}, date = {2021-05-20}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210521.pdf}, language = {English}, urldate = {2021-05-26} } @online{fbi:20210528:wanted:ac99de8, author = {FBI}, title = {{Wanted by the FBI: Zhu Yunmin, Wu Shurong, Ding Xiaoyang, Cheng Qingmin}}, date = {2021-05-28}, url = {https://www.justice.gov/opa/press-release/file/1412921/download}, language = {English}, urldate = {2021-07-26} } @techreport{fbi:20210719:pin:5feb5ed, author = {FBI}, title = {{PIN Number 20210719-001: Potential for Malicious Cyber Activities to Disrupt the 2020 Tokyo Summer Olympics}}, date = {2021-07-19}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210719.pdf}, language = {English}, urldate = {2021-07-26} } @techreport{fbi:20210823:indicators:3308f26, author = {FBI}, title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}}, date = {2021-08-23}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210823.pdf}, language = {English}, urldate = {2021-08-24} } @techreport{fbi:20210825:mc000150mw:39f2584, author = {FBI}, title = {{MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware}}, date = {2021-08-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210825.pdf}, language = {English}, urldate = {2021-08-30} } @techreport{fbi:20211025:cu000153mw:f4b0c29, author = {FBI}, title = {{CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware}}, date = {2021-10-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211026.pdf}, language = {English}, urldate = {2021-11-03} } @techreport{fbi:20211028:cu000154mw:086d032, author = {FBI}, title = {{CU-000154-MW: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware}}, date = {2021-10-28}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211029.pdf}, language = {English}, urldate = {2021-11-03} } @techreport{fbi:20211101:pin:a9b78d3, author = {FBI}, title = {{PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims}}, date = {2021-11-01}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211101.pdf}, language = {English}, urldate = {2021-11-03} } @online{fbi:20211108:wanted:f676a91, author = {FBI}, title = {{WANTED poster for Yevhgyeniy Polyanin (REvil affiliate)}}, date = {2021-11-08}, organization = {FBI}, url = {https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin}, language = {English}, urldate = {2021-11-09} } @techreport{fbi:20211116:ac000155mw:6acf3ec, author = {FBI}, title = {{AC-000155-MW: An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software}}, date = {2021-11-16}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211117-2.pdf}, language = {English}, urldate = {2021-11-18} } @techreport{fbi:20211117:alert:e4ba10a, author = {FBI and CISA and Australian Cyber Security Centre (ACSC) and NCSC UK}, title = {{Alert (AA21-321A): Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities}}, date = {2021-11-17}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA21-321A-Iranian%20Government-Sponsored%20APT%20Actors%20Exploiting%20Microsoft%20Exchange%20and%20Fortinet%20Vulnerabilities.pdf}, language = {English}, urldate = {2022-01-03} } @techreport{fbi:20211202:cu000156mw:b256f8b, author = {FBI}, title = {{CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware}}, date = {2021-12-02}, institution = {FBI}, url = {https://web.archive.org/web/20241115025929/https://www.ic3.gov/CSA/2021/211203-2.pdf}, language = {English}, urldate = {2025-03-05} } @techreport{fbi:20211217:ac000159mw:03082da, author = {FBI}, title = {{AC-000159-MW: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central (CVE-2021-44515)}}, date = {2021-12-17}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211220.pdf}, language = {English}, urldate = {2021-12-23} } @techreport{fbi:20220119:cu000161mw:19f7d2b, author = {FBI}, title = {{CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware}}, date = {2022-01-19}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220120.pdf}, language = {English}, urldate = {2022-01-24} } @techreport{fbi:20220126:pin20220126001:a725beb, author = {FBI}, title = {{PIN-20220126-001 Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad}}, date = {2022-01-26}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220126.pdf}, language = {English}, urldate = {2022-02-01} } @techreport{fbi:20220207:cu000162mw:4b54d23, author = {FBI}, title = {{CU-000162-MW: Indicators of Compromise Associated with LockBit 2.0 Ransomware}}, date = {2022-02-07}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220204.pdf}, language = {English}, urldate = {2022-02-09} } @techreport{fbi:20220208:statement:ad399bc, author = {FBI}, title = {{Statement of Facts Supporting the Provisional Arrest of Sebastien Vachon-Desiardins}}, date = {2022-02-08}, institution = {FBI}, url = {https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf}, language = {English}, urldate = {2022-02-09} } @techreport{fbi:20220209:2021:df515ea, author = {FBI and NSA and CISA and Australian Cyber Security Centre (ACSC) and United Kingdom’s National Cyber Security Centre (NCSC-UK)}, title = {{2021 Trends Show Increased Globalized Threat of Ransomware}}, date = {2022-02-09}, institution = {}, url = {https://www.ncsc.gov.uk/files/2021%20Trends%20show%20increased%20globalised%20threat%20of%20ransomware.pdf}, language = {English}, urldate = {2022-04-05} } @online{fbi:20220224:alert:f9ae76b, author = {FBI and CISA and CNMF and NCSC UK}, title = {{Alert (AA22-055A) Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-055a}, language = {English}, urldate = {2022-03-01} } @techreport{fbi:20220224:iranian:9117e42, author = {FBI and CISA and CNMF and NCSC UK and NSA}, title = {{Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks}}, date = {2022-02-24}, institution = {}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf}, language = {English}, urldate = {2022-03-01} } @techreport{fbi:20220307:fbi:c8c1b8f, author = {FBI}, title = {{FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise}}, date = {2022-03-07}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220307.pdf}, language = {English}, urldate = {2022-03-08} } @techreport{fbi:20220324:pin:d54bbb9, author = {FBI}, title = {{PIN Number 20220324-001 TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)}}, date = {2022-03-24}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220325.pdf}, language = {English}, urldate = {2022-03-25} } @techreport{fbi:20220419:fbi:05194a3, author = {FBI}, title = {{FBI Flash CU-000167-MW: BlackCat/ALPHV Ransomware Indicators of Compromise}}, date = {2022-04-19}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220420.pdf}, language = {English}, urldate = {2022-05-04} } @techreport{fbi:20220516:fbi:0ff55a3, author = {FBI}, title = {{FBI Flash MC-000170-MW: Cyber Actors Scrape Credit Card Data from US Business’ Online Checkout Page and Maintain Persistence by Injecting Malicious PHP Code}}, date = {2022-05-16}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220516.pdf}, language = {English}, urldate = {2022-05-25} } @techreport{fbi:20220601:joint:366b0d0, author = {FBI and CISA and Department of the Treasury (Treasury) and FINCEN}, title = {{Joint Cybersecurity Advisory (Product ID AA22-152A): Karakurt Data Extortion Group}}, date = {2022-06-01}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf}, language = {English}, urldate = {2022-06-02} } @online{fbi:20220706:alert:4231af8, author = {FBI and CISA and Department of the Treasury (Treasury)}, title = {{Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector}}, date = {2022-07-06}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-187a}, language = {English}, urldate = {2022-07-13} } @techreport{fbi:20220706:csa:fcffb49, author = {FBI and CISA and Department of the Treasury (Treasury)}, title = {{CSA AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (PDF)}}, date = {2022-07-06}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf}, language = {English}, urldate = {2022-07-13} } @techreport{fbi:20220811:stopransomware:d37ee96, author = {FBI and CISA}, title = {{#StopRansomware: Zeppelin Ransomware (PDF)}}, date = {2022-08-11}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-223A_Zeppelin_CSA.pdf}, language = {English}, urldate = {2022-08-15} } @online{fbi:20220914:alert:c9a3789, author = {FBI and US-CERT and NSA and U.S. Cyber Command and U.S. Department of the Treasury and Australian Cyber Security Centre (ACSC) and CSE Canada and NCSC UK}, title = {{Alert (AA22-257A): Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations}}, date = {2022-09-14}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-257a}, language = {English}, urldate = {2022-09-20} } @techreport{fbi:20220921:aa22264a:9ac5793, author = {FBI and CISA}, title = {{AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania (PDF)}}, date = {2022-09-21}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf}, language = {English}, urldate = {2022-09-26} } @online{fbi:20220921:alert:215e4f3, author = {FBI and CISA}, title = {{Alert (AA22-264A) Iranian State Actors Conduct Cyber Operations Against the Government of Albania}}, date = {2022-09-21}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-264a}, language = {English}, urldate = {2022-09-26} } @techreport{fbi:20230614:understanding:05abf47, author = {FBI and MS-ISAC and Australian Cyber Security Centre (ACSC) and Bundesamt für Sicherheit in der Informationstechnik (BSI) and NCSC UK and Canadian Centre for Cyber Security (CCCS) and ANSSI and CERT NZ and New Zealand National Cyber Security Centre (NZ NCSC)}, title = {{Understanding Ransomware Threat Actors: Lockbit}}, date = {2023-06-14}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf}, language = {English}, urldate = {2023-06-19} } @online{fbi:20230822:fbi:d2626af, author = {FBI}, title = {{FBI Identifies Cryptocurrency Funds Stolen by DPRK}}, date = {2023-08-22}, organization = {FBI}, url = {https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk}, language = {English}, urldate = {2023-08-25} } @online{fbi:20230829:fbi:808169e, author = {FBI}, title = {{FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown}}, date = {2023-08-29}, organization = {FBI}, url = {https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown}, language = {English}, urldate = {2023-08-30} } @techreport{fbi:20240918:peoples:ac8fe67, author = {FBI and CNMF and NSA and ASD and GCSB and NCSC UK and CSE Canada}, title = {{People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations}}, date = {2024-09-18}, institution = {}, url = {https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF}, language = {English}, urldate = {2024-09-23} } @online{fbi:20241223:fbi:2e268fb, author = {FBI and DC3 and NPA}, title = {{FBI, DC3, and NPA Identification of North Korean Cyber Actors, Tracked as TraderTraitor, Responsible for Theft of $308 Million USD from Bitcoin.DMM.com}}, date = {2024-12-23}, organization = {FBI}, url = {https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom}, language = {English}, urldate = {2025-01-09} } @online{fbi:20250312:medusa:29b065f, author = {FBI and CISA and MS-ISAC}, title = {{Medusa Ransomware}}, date = {2025-03-12}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a}, language = {English}, urldate = {2025-03-25} } @online{fbi:20250507:alert:98fd69f, author = {FBI}, title = {{Alert Number: I-050725-PSA Cyber Criminal Proxy Services Exploiting End of Life Routers}}, date = {2025-05-07}, organization = {FBI}, url = {https://www.ic3.gov/PSA/2025/PSA250507}, language = {English}, urldate = {2025-05-20} } @techreport{fbi:20250507:cyber:05ac455, author = {FBI}, title = {{Cyber Criminal Services Target End-of-Life Routers to Launch Attacks and Hide Their Activities}}, date = {2025-05-07}, institution = {FBI}, url = {https://www.ic3.gov/CSA/2025/250507.pdf}, language = {English}, urldate = {2025-05-20} } @online{fbi:20250605:alert:1781e89, author = {FBI}, title = {{Alert Number: I-060525-PSA - Home Internet Connected Devices Facilitate Criminal Activity}}, date = {2025-06-05}, organization = {FBI}, url = {https://www.ic3.gov/PSA/2025/PSA250605#fn2}, language = {English}, urldate = {2025-06-06} } @techreport{fedasiuk:202105:chinas:c014489, author = {Ryan Fedasiuk and Emily Weinstein and Anna Puglisi}, title = {{China’s Foreign Technology Wish List}}, date = {2021-05}, institution = {CSET}, url = {https://cset.georgetown.edu/wp-content/uploads/CSET-Chinas-Foreign-Technology-Wish-List.pdf}, language = {English}, urldate = {2021-06-11} } @online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190320:new:07bf05b, author = {Brendon Feeley and Brett Stone-Gross}, title = {{New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration}}, date = {2019-03-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/}, language = {English}, urldate = {2019-12-20} } @online{felix:20210415:dridexs:a39e123, author = {Felix}, title = {{Tweet on Dridex's evasion technique}}, date = {2021-04-15}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1382614469713530883?s=20}, language = {English}, urldate = {2021-05-25} } @online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } @online{fenstermacher:20230622:goot:936a660, author = {Caroline Fenstermacher}, title = {{Goot to Loot - How a Gootloader Infection Led to Credential Access}}, date = {2023-06-22}, organization = {Reliaquest}, url = {https://www.reliaquest.com/blog/gootloader-infection-credential-access/}, language = {English}, urldate = {2023-07-31} } @online{ferati:20230512:automating:ff9c21c, author = {Egxona Ferati and META}, title = {{Automating Threat Detection and Response at Scale - Egxona Ferati}}, date = {2023-05-12}, organization = {YouTube (BSides Prishtina)}, url = {https://www.youtube.com/watch?v=fO3-r6DQuu4}, language = {English}, urldate = {2024-04-02} } @online{fernandez:20190823:ransomware:dffa5db, author = {Manny Fernandez and David E. Sanger and Marina Trahan Martinez}, title = {{Ransomware Attacks Are Testing Resolve of Cities Across America}}, date = {2019-08-23}, organization = {The New York Times}, url = {https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html}, language = {English}, urldate = {2020-01-13} } @online{fernandez:20221003:bumblebee:25732bf, author = {Marc Salinas Fernandez}, title = {{Bumblebee: increasing its capacity and evolving its TTPs}}, date = {2022-10-03}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/}, language = {English}, urldate = {2022-10-07} } @online{fernandez:20230105:blindeagle:28f3d1c, author = {Marc Salinas Fernandez}, title = {{Blindeagle Targeting Ecuador with Sharpened Tools}}, date = {2023-01-05}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/}, language = {English}, urldate = {2023-12-04} } @online{fernandez:20230524:agrius:5c033e5, author = {Marc Salinas Fernandez and Jiri Vinopal}, title = {{Agrius Deploys MoneyBird in Targeted Attacks against Israeli Organizations}}, date = {2023-05-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/}, language = {English}, urldate = {2023-06-01} } @online{fernandez:20231121:platform:8f14760, author = {Marc Salinas Fernandez}, title = {{The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks}}, date = {2023-11-21}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/}, language = {English}, urldate = {2023-12-27} } @online{fernndez:20201013:tracing:14bb6fa, author = {Gerardo Fernández and Vicente Diaz}, title = {{Tracing fresh Ryuk campaigns itw}}, date = {2020-10-13}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html}, language = {English}, urldate = {2020-10-23} } @online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } @online{fernndez:20211119:la:2cbc6a0, author = {Germán Fernández}, title = {{La Botnet de EMOTET reinicia ataques en Chile y LATAM}}, date = {2021-11-19}, organization = {CRONUP}, url = {https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/}, language = {Spanish}, urldate = {2021-11-25} } @online{fernndez:20230418:crosslock:647cd34, author = {Germán Fernández}, title = {{Tweet on CrossLock}}, date = {2023-04-18}, organization = {Twitter (@1ZRR4H)}, url = {https://twitter.com/1ZRR4H/status/1648232869809078273}, language = {English}, urldate = {2023-04-25} } @online{ferrell:20200618:hiding:c2db03f, author = {John Ferrell}, title = {{Hiding In Plain Sight}}, date = {2020-06-18}, organization = {Medium Huntress Labs}, url = {https://blog.huntresslabs.com/hiding-in-plain-sight-556469e0a4e}, language = {English}, urldate = {2020-06-19} } @online{fielenbach:20250429:nitrogen:30cf6e2, author = {Maurice Fielenbach}, title = {{Nitrogen Dropping Cobalt Strike – A Combination of “Chemical Elements”}}, date = {2025-04-29}, organization = {Nextron Systems}, url = {https://www.nextron-systems.com/2025/04/29/nitrogen-dropping-cobalt-strike-a-combination-of-chemical-elements/}, language = {English}, urldate = {2025-05-12} } @online{fier:20211208:double:d7f9207, author = {Justin Fier}, title = {{The double extortion business: Conti Ransomware Gang finds new avenues of negotiation}}, date = {2021-12-08}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/}, language = {English}, urldate = {2021-12-09} } @online{fierro:20220315:caddywiper:6504bd2, author = {Christopher Del Fierro and John Dwyer}, title = {{CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations}}, date = {2022-03-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-03-16} } @online{figueroa:20201022:inside:228798e, author = {Marco Figueroa}, title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}}, date = {2020-10-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/}, language = {English}, urldate = {2020-10-26} } @online{figueroa:20201223:solarwinds:993b625, author = {Marco Figueroa and James Haughom and Jim Walter}, title = {{SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan}}, date = {2020-12-23}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan}, language = {English}, urldate = {2022-07-25} } @online{figueroa:20201223:solarwinds:ff463f0, author = {Marco Figueroa and James Haughom and Jim Walter}, title = {{SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan}}, date = {2020-12-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/}, language = {English}, urldate = {2020-12-26} } @online{figueroa:20210104:building:37407a6, author = {Marco Figueroa}, title = {{Building a Custom Malware Analysis Lab Environment}}, date = {2021-01-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/}, language = {English}, urldate = {2021-01-13} } @online{figueroa:20210419:deep:f5cf649, author = {Marco Figueroa}, title = {{A Deep Dive into Zebrocy’s Dropper Docs}}, date = {2021-04-19}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/}, language = {English}, urldate = {2021-04-20} } @online{figueroa:20210520:caught:04692f1, author = {Marco Figueroa}, title = {{Caught in the Cloud | How a Monero Cryptominer Exploits Docker Containers}}, date = {2021-05-20}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/caught-in-the-cloud-how-a-monero-cryptominer-exploits-docker-containers/}, language = {English}, urldate = {2021-05-26} } @online{figueroa:20210624:evasive:7f0d507, author = {Marco Figueroa}, title = {{Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros}}, date = {2021-06-24}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/}, language = {English}, urldate = {2021-06-29} } @online{figueroa:20220309:conti:d237b64, author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini}, title = {{The Conti Leaks | Insight into a Ransomware Unicorn}}, date = {2022-03-09}, organization = {BreachQuest}, url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/}, language = {English}, urldate = {2022-03-14} } @online{fikri:20210909:hancitor:ca9ad27, author = {Nidal Fikri}, title = {{Hancitor Loader | RE & Config Extraction}}, date = {2021-09-09}, organization = {Cyber-Anubis}, url = {https://cyber-anubis.github.io/malware%20analysis/hancitor/}, language = {English}, urldate = {2021-09-10} } @online{fikri:20210927:redline:37cd84a, author = {Nidal Fikri}, title = {{RedLine Infostealer | Detailed Reverse Engineering}}, date = {2021-09-27}, organization = {Cyber-Anubis}, url = {https://cyber-anubis.github.io/malware%20analysis/redline/}, language = {English}, urldate = {2021-10-05} } @online{fikri:20211121:dridex:b9218fa, author = {Nidal Fikri}, title = {{Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction}}, date = {2021-11-21}, organization = {Cyber-Anubis}, url = {https://cyber-anubis.github.io/malware%20analysis/dridex/}, language = {English}, urldate = {2021-12-01} } @techreport{filik:20210727:darkside:1a80ce5, author = {Halil Filik}, title = {{DarkSide Ransomware Technical Analysis Report}}, date = {2021-07-27}, institution = {ZAYOTEM}, url = {https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf}, language = {English}, urldate = {2021-08-18} } @online{filik:20211113:alien:55f533e, author = {Halil Filik and Mustafa Günel}, title = {{Alien Technical Analysis Report}}, date = {2021-11-13}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing}, language = {English}, urldate = {2022-01-05} } @online{financiero:20240309:new:b95583a, author = {CSIRT Financiero}, title = {{New Backdoor Activity Socks5Systemz}}, date = {2024-03-09}, organization = {Asobancaria}, url = {https://csirtasobancaria.com/nueva-actividad-del-backdoor-socks5systemz}, language = {English}, urldate = {2024-06-05} } @techreport{fincen:20220317:indicators:4c36c4d, author = {FINCEN and FBI and U.S. Department of the Treasury}, title = {{Indicators of Compromise Associated with AvosLocker Ransomware}}, date = {2022-03-17}, institution = {IC3}, url = {https://www.ic3.gov/Media/News/2022/220318.pdf}, language = {English}, urldate = {2022-03-22} } @online{finch:20210122:malware:dd89716, author = {Finch}, title = {{Malware Analysis Report No2}}, date = {2021-01-22}, organization = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md}, language = {English}, urldate = {2021-01-26} } @online{finch:20210518:analysis:434b2ec, author = {Finch}, title = {{Analysis of MountLocker}}, date = {2021-05-18}, organization = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker}, language = {English}, urldate = {2021-05-26} } @online{finch:20210628:delta:eeea60b, author = {Finch}, title = {{Delta Ransomware Analysis}}, date = {2021-06-28}, organization = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/tree/master/Delta%20Ransomware}, language = {English}, urldate = {2021-07-20} } @techreport{finch:20220214:snowflake:4d523eb, author = {Finch}, title = {{SnowFlake Stealer}}, date = {2022-02-14}, institution = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/blob/master/SnowFlake%20Stealer/SnowFlake%20Stealer%20Analysis.pdf}, language = {English}, urldate = {2023-08-07} } @techreport{finch:20220217:gosteal:87b2201, author = {Finch}, title = {{GoSteal Analysis}}, date = {2022-02-17}, institution = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/blob/master/GoSteal/GoSteal%20Analysis.pdf}, language = {English}, urldate = {2023-01-19} } @online{finkle:20130219:exclusive:fc04bd6, author = {Jim Finkle and Joseph Menn}, title = {{Exclusive: Apple, Macs hit by hackers who targeted Facebook}}, date = {2013-02-19}, organization = {Reuters}, url = {https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219}, language = {English}, urldate = {2020-01-09} } @online{finkle:20170105:taiwan:1c7585c, author = {Jim Finkle and J.R. Wu}, title = {{Taiwan ATM heist linked to European hacking spree: security firm}}, date = {2017-01-05}, organization = {Reuters}, url = {https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX}, language = {English}, urldate = {2020-01-07} } @online{finn:20250605:newly:64b7a01, author = {Jacob Finn and Dmytro Korzhevin and Asheer Malhotra}, title = {{Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine}}, date = {2025-06-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/pathwiper-targets-ukraine/}, language = {English}, urldate = {2025-06-05} } @techreport{fireeye:20130219:apt1:8d8a51a, author = {FireEye}, title = {{APT1: Exposing One of China’s Cyber Espionage Units}}, date = {2013-02-19}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:20140808:sidewinder:ddc16cd, author = {FireEye}, title = {{Sidewinder Targeted Attack Against Android in the Golden Age of AD Libraries}}, date = {2014-08-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf}, language = {English}, urldate = {2021-03-04} } @techreport{fireeye:20140813:operation:acd2e2d, author = {FireEye}, title = {{Operation Saffron Rose}}, date = {2014-08-13}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf}, language = {English}, urldate = {2023-02-17} } @techreport{fireeye:2014:apt28:27799d1, author = {FireEye}, title = {{APT28}}, date = {2014}, institution = {FireEye}, url = {http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2014:apt28:277f9ab, author = {FireEye}, title = {{APT28: A Windows into Russia's Cyber Espionage Operations?}}, date = {2014}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2019-12-04} } @techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2021-04-29} } @techreport{fireeye:20150415:apt30:d09a09c, author = {FireEye}, title = {{APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign}}, date = {2015-04-15}, institution = {FireEye}, url = {https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf}, language = {English}, urldate = {2022-08-25} } @techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:201505:hiding:8695fc2, author = {FireEye}, title = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}}, date = {2015-05}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf}, language = {English}, urldate = {2019-12-19} } @online{fireeye:20150729:hammertoss:96456d6, author = {FireEye}, title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}}, date = {2015-07-29}, organization = {Youtube (FireEye Inc.)}, url = {https://www.youtube.com/watch?v=UE9suwyuic8}, language = {English}, urldate = {2021-02-10} } @techreport{fireeye:20150908:two:c836c9a, author = {FireEye}, title = {{Two for One: Microsoft Office Encapsulated PostScriptand Windows Privilege Escalation Zero-Days}}, date = {2015-09-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf}, language = {English}, urldate = {2020-01-20} } @techreport{fireeye:201511:pinpointing:03765ec, author = {FireEye}, title = {{PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims}}, date = {2015-11}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:20160308:southeast:cc3c8de, author = {FireEye}, title = {{SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE}}, date = {2016-03-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:20160426:apt31:ecc41bd, author = {FireEye}, title = {{APT31 Threat Group Profile}}, date = {2016-04-26}, institution = {FireEye}, url = {https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf}, language = {English}, urldate = {2019-10-13} } @techreport{fireeye:201604:follow:5df2e81, author = {FireEye}, title = {{Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6}}, date = {2016-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf}, language = {English}, urldate = {2020-04-23} } @online{fireeye:20160608:spear:0d7a2c9, author = {FireEye}, title = {{Spear Phishing Attacks: Why They are Successful and How to Stop Them}}, date = {2016-06-08}, organization = {FireEye}, url = {https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html}, language = {English}, urldate = {2020-01-09} } @online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } @techreport{fireeye:20170420:mtrends:787631e, author = {FireEye}, title = {{M-Trends 2017}}, date = {2017-04-20}, institution = {Mandiant}, url = {https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf}, language = {English}, urldate = {2023-08-15} } @techreport{fireeye:20170616:fin10:aa62677, author = {FireEye}, title = {{FIN10: Anatomy of a Cyber Extortion Operation}}, date = {2017-06-16}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20171201:advanced:da42c60, author = {FireEye}, title = {{Advanced Persistent Threat Groups}}, date = {2017-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/current-threats/apt-groups.html}, language = {English}, urldate = {2020-01-07} } @online{fireeye:20180203:attacks:c65eb33, author = {FireEye}, title = {{Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations}}, date = {2018-02-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html}, language = {English}, urldate = {2020-04-06} } @online{fireeye:20180220:apt37:2ca8466, author = {FireEye}, title = {{APT37 (Reaper): The Overlooked North Korean Actor}}, date = {2018-02-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{fireeye:20180220:apt37:bc54ada, author = {FireEye}, title = {{APT37 (REAPER) The Overlooked North Korean Actor}}, date = {2018-02-20}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf}, language = {English}, urldate = {2021-11-03} } @online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } @online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } @techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:2018:forrester:ae307d3, author = {FireEye}, title = {{The Forrester New Wave™: External Threat Intelligence Services, Q3 2018.}}, date = {2018}, institution = {FireEye}, url = {http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2018:mtrends2018:f07ca60, author = {FireEye}, title = {{M-TRENDS2018}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20190411:mtrend:597b240, author = {FireEye}, title = {{M-Trend 2019}}, date = {2019-04-11}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019}, language = {English}, urldate = {2020-01-10} } @online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } @online{fireeye:20190904:apt41:43d6dab, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41}, language = {English}, urldate = {2020-01-13} } @online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } @techreport{fireeye:20190906:ransomware:fb16cd8, author = {FireEye and Mandiant}, title = {{Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening and Containment}}, date = {2019-09-06}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf}, language = {English}, urldate = {2020-11-02} } @online{fireeye:20200117:state:c000016, author = {FireEye}, title = {{State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY}}, date = {2020-01-17}, organization = {FireEye}, url = {https://youtu.be/pBDu8EGWRC4?t=2492}, language = {English}, urldate = {2020-09-18} } @online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } @online{fireeye:20201208:unauthorized:c480412, author = {FireEye}, title = {{Unauthorized Access of FireEye Red Team Tools}}, date = {2020-12-08}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html}, language = {English}, urldate = {2020-12-15} } @online{fireeye:20201209:fireeye:36cafd8, author = {FireEye}, title = {{Fireeye RED TEAM tool countermeasures}}, date = {2020-12-09}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/red_team_tool_countermeasures}, language = {English}, urldate = {2020-12-14} } @online{fireeye:20201213:sunburst:04e594f, author = {FireEye}, title = {{SUNBURST Countermeasures}}, date = {2020-12-13}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/sunburst_countermeasures}, language = {English}, urldate = {2020-12-19} } @online{fireeye:20201216:sunburst:310ef08, author = {FireEye}, title = {{Tweet on SUNBURST from FireEye detailing some additional information}}, date = {2020-12-16}, organization = {Twitter (@FireEye)}, url = {https://twitter.com/FireEye/status/1339295983583244302}, language = {English}, urldate = {2020-12-17} } @online{fireeye:202012:solarwinds:4ce144e, author = {FireEye}, title = {{Solarwinds Breach Resource Center}}, date = {2020-12}, organization = {FireEye}, url = {https://www.fireeye.com/current-threats/sunburst-malware.html}, language = {English}, urldate = {2021-03-02} } @online{fireeye:20210119:mandiant:26223c8, author = {FireEye}, title = {{Mandiant Azure AD Investigator: Focusing on UNC2452 TTPs}}, date = {2021-01-19}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/Mandiant-Azure-AD-Investigator}, language = {English}, urldate = {2021-01-21} } @techreport{fireeye:20210301:accellion:46e70cd, author = {FireEye and Mandiant}, title = {{ACCELLION, INC. File Transfer Appliance (FTA) Security Assessment}}, date = {2021-03-01}, institution = {FireEye}, url = {https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf}, language = {English}, urldate = {2021-03-11} } @online{fireeye:20210420:fireeye:287db5f, author = {FireEye and Mandiant}, title = {{FireEye Mandiant PulseSecure Exploitation Countermeasures}}, date = {2021-04-20}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/pulsesecure_exploitation_countermeasures/}, language = {English}, urldate = {2021-04-20} } @online{firsh:20180503:whos:19ffd6f, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394/}, language = {English}, urldate = {2020-05-18} } @online{firsh:20180503:whos:79a3074, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394}, language = {English}, urldate = {2019-12-20} } @techreport{firsh:20180503:whos:b1957dc, author = {Alexey Firsh}, title = {{WHO’S WHO IN THEZOO. CYBERESPIONAGE OPERATION TARGETS ANDROID USERS IN THE MIDDLE EAST.}}, date = {2018-05-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf}, language = {English}, urldate = {2020-01-09} } @online{firsh:20180829:busygasper:bf544dd, author = {Alexey Firsh}, title = {{BusyGasper – the unfriendly spy}}, date = {2018-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/busygasper-the-unfriendly-spy/87627/}, language = {English}, urldate = {2019-12-20} } @online{firsh:20200326:ios:9898c0f, author = {Alexey Firsh and Kurt Baumgartner and Brian Bartholomew}, title = {{iOS exploit chain deploys LightSpy feature-rich malware}}, date = {2020-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/}, language = {English}, urldate = {2020-03-27} } @online{firsh:20200428:hiding:97cbb7b, author = {Alexey Firsh and Lev Pikman}, title = {{Hiding in plain sight: PhantomLance walks into a market}}, date = {2020-04-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-phantomlance/96772/}, language = {English}, urldate = {2020-05-05} } @online{fischer:20171217:r77:84201c1, author = {Martin Fischer}, title = {{r77 Rootkit}}, date = {2017-12-17}, organization = {Github (bytecode77)}, url = {https://github.com/bytecode77/r77-rootkit}, language = {English}, urldate = {2023-04-28} } @online{fiser:20201218:teamtnt:3d5abe1, author = {David Fiser}, title = {{TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html}, language = {English}, urldate = {2020-12-23} } @online{fiser:20210422:torbased:375fc9a, author = {David Fiser and Alfredo Oliveira}, title = {{Tor-Based Botnet Malware Targets Linux Systems, Abuses Cloud Management Tools}}, date = {2021-04-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/tor-based-botnet-malware-targets-linux-systems-abuses-cloud-management-tools.html}, language = {English}, urldate = {2021-04-28} } @online{fiser:20210518:teamtnts:ecbffb9, author = {David Fiser and Alfredo Oliveira}, title = {{TeamTNT’s Extended Credential Harvester Targets Cloud Services, Other Software}}, date = {2021-05-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/teamtnt-extended-credential-harvester-targets-cloud-services-other-software.html}, language = {English}, urldate = {2021-05-19} } @techreport{fiser:20210720:tracking:9085bb7, author = {David Fiser and Alfredo Oliveira}, title = {{Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group}}, date = {2021-07-20}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf}, language = {English}, urldate = {2021-07-26} } @online{fiser:20211103:teamtnt:180af48, author = {David Fiser and Alfredo Oliveira}, title = {{TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments}}, date = {2021-11-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html}, language = {English}, urldate = {2021-11-08} } @online{fiser:20211111:teamtnt:fe67ef2, author = {David Fiser and Alfredo Oliveira}, title = {{TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments}}, date = {2021-11-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html}, language = {English}, urldate = {2021-11-12} } @online{fiser:20211115:groups:f889118, author = {David Fiser and Alfredo Oliveira}, title = {{Groups Target Alibaba ECS Instances for Cryptojacking}}, date = {2021-11-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/groups-target-alibaba-ecs-instances-for-cryptojacking.html}, language = {English}, urldate = {2021-11-19} } @online{fiser:20221212:linux:62f9491, author = {David Fiser and Alfredo Oliveira}, title = {{Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT}}, date = {2022-12-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html}, language = {English}, urldate = {2022-12-14} } @online{fishbein:20200728:watch:cf3e499, author = {Nicole Fishbein and Michael Kajiloti}, title = {{Watch Your Containers: Doki Infecting Docker Servers in the Cloud}}, date = {2020-07-28}, organization = {Intezer}, url = {https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/}, language = {English}, urldate = {2020-07-30} } @online{fishbein:20200908:attackers:46e4aab, author = {Nicole Fishbein}, title = {{Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks}}, date = {2020-09-08}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-workload-protection/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/}, language = {English}, urldate = {2020-09-15} } @online{fishbein:20201001:storm:5dbbfae, author = {Nicole Fishbein and Avigayil Mechtinger}, title = {{A Storm is Brewing: IPStorm Now Has Linux Malware}}, date = {2020-10-01}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/}, language = {English}, urldate = {2020-10-05} } @online{fishbein:20210113:rare:b2fe9e5, author = {Nicole Fishbein}, title = {{A Rare Look Inside a Cryptojacking Campaign and its Profit}}, date = {2021-01-13}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/a-rare-look-inside-a-cryptojacking-campaign-and-its-profit/}, language = {English}, urldate = {2021-01-18} } @online{fishbein:20210406:rocke:bf33dc9, author = {Nicole Fishbein}, title = {{Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys}}, date = {2021-04-06}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-security/rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys}, language = {English}, urldate = {2021-04-06} } @online{fishbein:20220706:orbit:eacf07e, author = {Nicole Fishbein}, title = {{OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow}}, date = {2022-07-06}, organization = {Intezer}, url = {https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/}, language = {English}, urldate = {2022-07-12} } @online{fishbein:20221110:how:6b334be, author = {Nicole Fishbein}, title = {{How LNK Files Are Abused by Threat Actors}}, date = {2022-11-10}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/}, language = {English}, urldate = {2022-11-11} } @online{fishbein:20230524:cryptoclippy:349975b, author = {Nicole Fishbein}, title = {{CryptoClippy is Evolving to Pilfer Even More Financial Data}}, date = {2023-05-24}, organization = {Intezer}, url = {https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/}, language = {English}, urldate = {2023-12-27} } @online{fishbein:20231220:operation:6448397, author = {Nicole Fishbein and Ryan Robinson}, title = {{Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk}}, date = {2023-12-20}, organization = {Intezer}, url = {https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/}, language = {English}, urldate = {2024-10-18} } @online{fishelov:20220414:industroyer2:31408b6, author = {Maayan Fishelov}, title = {{Industroyer2: ICS Networks need to heighten vigilance - SCADAfence}}, date = {2022-04-14}, organization = {SCADAfence}, url = {https://blog.scadafence.com/industroyer2-attack}, language = {English}, urldate = {2022-05-25} } @online{fisher:20130320:researchers:dcff6dc, author = {Dennis Fisher}, title = {{Researchers Uncover ‘TeamSpy’ Attack Campaign Against Government, Research Targets}}, date = {2013-03-20}, url = {https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/}, language = {English}, urldate = {2019-11-20} } @online{fisher:20190212:groups:6605dcc, author = {Dennis Fisher}, title = {{APT Groups Moving Down the Supply Chain}}, date = {2019-02-12}, organization = {Duo}, url = {https://duo.com/decipher/apt-groups-moving-down-the-supply-chain}, language = {English}, urldate = {2019-11-26} } @online{fisher:20201016:trickbot:be18c46, author = {Dennis Fisher}, title = {{Trickbot Up to Its Old Tricks}}, date = {2020-10-16}, organization = {Duo}, url = {https://duo.com/decipher/trickbot-up-to-its-old-tricks}, language = {English}, urldate = {2020-10-23} } @online{fisher:20230408:deriving:79162c2, author = {Scott Fisher}, title = {{Deriving Insight from Threat Actor Infrastructure}}, date = {2023-04-08}, organization = {Team Cymru}, url = {https://www.youtube.com/watch?v=kfl_2_NBVGc}, language = {English}, urldate = {2023-07-31} } @online{fitzgerald:20100422:qakbot:0c164f0, author = {Patrick Fitzgerald}, title = {{Qakbot Steals 2GB of Confidential Data per Week}}, date = {2010-04-22}, organization = {Symantec}, url = {https://web.archive.org/web/20130530033754/http://www.symantec.com/connect/blogs/qakbot-steals-2gb-confidential-data-week}, language = {English}, urldate = {2023-08-30} } @techreport{fitzgibbon:20090401:confickerc:bb043d2, author = {Niall Fitzgibbon and Mike Wood}, title = {{Conficker.C A Technical Analysis}}, date = {2009-04-01}, institution = {Sophos Labs}, url = {https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{fitzpatrick:20211012:continued:e1f2eb4, author = {Brett Fitzpatrick and Joey Fitzpatrick and Morgan Demboski and Peter Rydzynski and IronNet Threat Research}, title = {{Continued Exploitation of CVE-2021-26084}}, date = {2021-10-12}, organization = {IronNet}, url = {https://www.ironnet.com/blog/continued-exploitation-of-cve-2021-26084}, language = {English}, urldate = {2021-10-25} } @online{flade:20200505:brenjagd:96d209e, author = {Florian Flade and Georg Mascolo}, title = {{Bärenjagd}}, date = {2020-05-05}, url = {https://www.sueddeutsche.de/politik/hack-bundestag-angriff-russland-1.4891668}, language = {English}, urldate = {2020-05-05} } @online{flade:20210422:der:63f6e18, author = {Florian Flade and Hakan Tanriverdi}, title = {{Der Mann in Merkels Rechner - Jagd auf Putins Hacker}}, date = {2021-04-22}, organization = {BR.DE}, url = {https://www.br.de/mediathek/podcast/der-mann-in-merkels-rechner-jagd-auf-putins-hacker/853}, language = {German}, urldate = {2021-04-28} } @online{flade:20220217:elite:e26cfcd, author = {Florian Flade and Lea Frey and Hakan Tanriverdi}, title = {{The Elite Hackers of the FSB (Linking Turla to FSB)}}, date = {2022-02-17}, organization = {BR.DE}, url = {https://interaktiv.br.de/elite-hacker-fsb/en/index.html}, language = {English}, urldate = {2022-02-19} } @online{flashpoint:20151207:flashpoint:3f5aee6, author = {Flashpoint and Talos}, title = {{Flashpoint and Talos Analyze the Curious Case of the flokibot Connector}}, date = {2015-12-07}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/}, language = {English}, urldate = {2019-11-20} } @online{flashpoint:20161003:multipurpose:436518b, author = {Flashpoint}, title = {{Multi-Purpose “Floki Bot” Emerges as New Malware Kit}}, date = {2016-10-03}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/}, language = {English}, urldate = {2020-01-07} } @online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20170525:linguistic:70ffc44, author = {Flashpoint}, title = {{Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors}}, date = {2017-05-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/}, language = {English}, urldate = {2019-12-10} } @online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } @online{flashpoint:20170825:wirex:2f29c36, author = {Flashpoint}, title = {{The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack}}, date = {2017-08-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20180510:treasurehunter:d6e33c1, author = {Flashpoint}, title = {{TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked}}, date = {2018-05-10}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/}, language = {English}, urldate = {2020-01-08} } @techreport{flashpoint:202007:zeppelin:8c54ff6, author = {Flashpoint}, title = {{Zeppelin Ransomware Analysis}}, date = {2020-07}, institution = {Flashpoint}, url = {https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf}, language = {English}, urldate = {2020-08-14} } @online{flashpoint:20210223:new:4f8b993, author = {Flashpoint}, title = {{New Mysterious Operators Usurp Elite Russian Hacker Forum “Verified”}}, date = {2021-02-23}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-mysterious-operators-usurp-elite-russian-hacker-forum-verified/}, language = {English}, urldate = {2021-02-25} } @online{flashpoint:20210304:breaking:f6dfffc, author = {Flashpoint}, title = {{Breaking: Elite Cybercrime Forum “Maza” Breached by Unknown Attacker}}, date = {2021-03-04}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/breelite-cybercrime-forum-maza-breached-by-unknown-attacker/}, language = {English}, urldate = {2021-03-04} } @online{flashpoint:20210311:cl0p:666bd6f, author = {Flashpoint}, title = {{CL0P and REvil Escalate Their Ransomware Tactics}}, date = {2021-03-11}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/}, language = {English}, urldate = {2021-03-12} } @online{flashpoint:20210430:second:53c20b4, author = {Flashpoint}, title = {{A Second Iranian State-Sponsored Ransomware Operation “Project Signal” Emerges}}, date = {2021-04-30}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/second-iranian-ransomware-operation-project-signal-emerges/}, language = {English}, urldate = {2021-05-03} } @online{flashpoint:20210511:darkside:32c4e89, author = {Flashpoint}, title = {{DarkSide Ransomware Links to REvil Group Difficult to Dismiss}}, date = {2021-05-11}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/}, language = {English}, urldate = {2021-05-13} } @techreport{flashpoint:20210525:hydra:2088738, author = {Flashpoint and Chainalysis}, title = {{Hydra: Where The Crypto Money Laundering Trail Goes Dark}}, date = {2021-05-25}, institution = {}, url = {https://storage.pardot.com/272312/1621903351Nn9y2MzH/Flashpoint_Chainalysis_Hydra_Crypto_Cybercrime_Research.pdf}, language = {English}, urldate = {2021-05-26} } @online{flashpoint:20210727:chatter:08a4080, author = {Flashpoint}, title = {{Chatter Indicates BlackMatter as REvil Successor}}, date = {2021-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/}, language = {English}, urldate = {2021-08-02} } @online{flashpoint:20210810:revil:8be7760, author = {Flashpoint}, title = {{REvil Master Key for Kaseya Attack Posted to XSS}}, date = {2021-08-10}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/}, language = {English}, urldate = {2021-08-11} } @online{flashpoint:20210928:revils:ffcbfac, author = {Flashpoint}, title = {{REvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout}}, date = {2021-09-28}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/}, language = {English}, urldate = {2021-10-13} } @online{flashpoint:20210929:russian:565e147, author = {Flashpoint}, title = {{Russian hacker Q&A: An Interview With REvil-Affiliated Ransomware Contractor}}, date = {2021-09-29}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/}, language = {English}, urldate = {2021-10-26} } @online{flashpoint:20211018:revil:104ed52, author = {Flashpoint}, title = {{REvil Disappears Again: ‘Something Is Rotten in the State of Ransomware’}}, date = {2021-10-18}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/revil-disappears-again/}, language = {English}, urldate = {2021-10-24} } @online{flashpoint:20211116:ramp:c1804cf, author = {Flashpoint}, title = {{RAMP Ransomware’s Apparent Overture to Chinese Threat Actors}}, date = {2021-11-16}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/ramp-ransomware-chinese-threat-actors/}, language = {English}, urldate = {2021-11-18} } @online{flashpoint:20220209:russia:3367b7a, author = {Flashpoint}, title = {{Russia Seizes Ferum, Sky-Fraud, UAS, and Trump’s Dumps—and Signals More Takedowns to Come}}, date = {2022-02-09}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/press-post/russia-seizes-ferum-skyfraud-uas-trumpsdumps-carding-forums/}, language = {English}, urldate = {2022-02-14} } @online{flashpoint:20221007:analysis:0272a7a, author = {Flashpoint}, title = {{Analysis of CISA releases Advisory on Top CVEs Exploited Chinese State-Sponsored Groups}}, date = {2022-10-07}, organization = {Flashpoint}, url = {https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/}, language = {English}, urldate = {2024-02-08} } @online{flashpoint:20221026:prokremlin:a116dc1, author = {Flashpoint}, title = {{Pro-Kremlin Hacktivist Groups Seeking Impact By Courting Notoriety}}, date = {2022-10-26}, organization = {Flashpoint}, url = {https://flashpoint.io/blog/pro-kremlin-hacktivist-groups/}, language = {English}, urldate = {2024-09-27} } @online{flashpoint:20230306:private:ad3b11a, author = {Flashpoint}, title = {{Private Malware for Sale: A Closer Look at AresLoader}}, date = {2023-03-06}, organization = {Flashpoint}, url = {https://flashpoint.io/blog/private-malware-for-sale-aresloader/}, language = {English}, urldate = {2023-04-08} } @online{flashpoint:20230717:new:8917d13, author = {Flashpoint}, title = {{The New Release of Danabot Version 3: What You Need to Know}}, date = {2023-07-17}, organization = {Flashpoint}, url = {https://flashpoint.io/blog/danabot-version-3-what-you-need-to-know/}, language = {English}, urldate = {2023-07-25} } @online{flashpoint:20250522:operation:77606a0, author = {Flashpoint}, title = {{Operation Endgame: Global Law Enforcement Takes Down DanaBot Malware Scheme}}, date = {2025-05-22}, organization = {Flashpoint}, url = {https://flashpoint.io/blog/operation-endgame-danabot-malware/}, language = {English}, urldate = {2025-05-26} } @online{fleischer:20210420:zeroday:0641c6a, author = {Josh Fleischer and Chris DiGiamo and Alex Pennino}, title = {{Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise}}, date = {2021-04-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html}, language = {English}, urldate = {2021-04-28} } @techreport{flores:20120106:official:5984bcc, author = {Rick Flores}, title = {{Official Malware Report: Malware Reverse Engineering}}, date = {2012-01-06}, institution = {Exploit-DB}, url = {https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf}, language = {English}, urldate = {2020-01-09} } @online{flores:20201201:impact:415bf2e, author = {Ryan Flores}, title = {{The Impact of Modern Ransomware on Manufacturing Networks}}, date = {2020-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html}, language = {English}, urldate = {2020-12-08} } @online{flores:20220426:how:28d9476, author = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin}, title = {{How Cybercriminals Abuse Cloud Tunneling Services}}, date = {2022-04-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services}, language = {English}, urldate = {2022-05-03} } @techreport{florida:20250404:united:7fafec8, author = {US District Court Middle District of Florida}, title = {{United States of America v. Noah Michael Urban}}, date = {2025-04-04}, institution = {US District Court Middle District of Florida}, url = {https://storage.courtlistener.com/recap/gov.uscourts.flmd.422789/gov.uscourts.flmd.422789.66.0.pdf}, language = {English}, urldate = {2025-04-09} } @online{florio:20070717:trojangpcodere:f491e6b, author = {Elia Florio}, title = {{Trojan.Gpcoder.E}}, date = {2007-07-17}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2}, language = {English}, urldate = {2020-01-10} } @online{florio:20071101:exotic:8c0c4cd, author = {Elia Florio}, title = {{Exotic website}}, date = {2007-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel}, language = {English}, urldate = {2025-05-26} } @online{flossman:20170216:viperrat:85bc048, author = {Michael Flossman}, title = {{ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar}}, date = {2017-02-16}, organization = {Lookout}, url = {https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/}, language = {English}, urldate = {2020-01-13} } @online{flossman:20170831:lookout:4dc3061, author = {Michael Flossman}, title = {{Lookout discovers sophisticated xRAT malware tied to 2014 “Xsser / mRAT” surveillance campaign against Hong Kong protesters}}, date = {2017-08-31}, organization = {Lookout}, url = {https://blog.lookout.com/xrat-mobile-threat}, language = {English}, urldate = {2020-01-09} } @online{flossman:20171020:jaderat:946d7ac, author = {Michael Flossman}, title = {{JadeRAT mobile surveillanceware spikes in espionage activity}}, date = {2017-10-20}, organization = {Lookout}, url = {https://blog.lookout.com/mobile-threat-jaderat}, language = {English}, urldate = {2020-01-08} } @online{flossman:20171116:tropic:4cd1fde, author = {Michael Flossman}, title = {{Tropic Trooper goes mobile with Titan surveillanceware}}, date = {2017-11-16}, organization = {Lookout}, url = {https://blog.lookout.com/titan-mobile-threat}, language = {English}, urldate = {2020-01-06} } @techreport{flossman:20210421:technical:455f5b5, author = {Michael Flossman and Michael Scott}, title = {{Technical Paper // Taking Action Against Arid Viper}}, date = {2021-04-21}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf}, language = {English}, urldate = {2021-04-28} } @online{fofabot:20240202:practical:0b1d6b9, author = {Fofabot}, title = {{Practical FOFA Asset Expansion: APT-C-23 Android Malware}}, date = {2024-02-02}, organization = {Medium Fofabot}, url = {https://medium.com/@fofabot/practical-fofa-asset-expansion-apt-c-23-android-malware-7964b6625c6d}, language = {English}, urldate = {2024-02-05} } @online{fois:20190111:threat:5be977b, author = {Quentin Fois}, title = {{Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable}}, date = {2019-01-11}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/}, language = {English}, urldate = {2020-01-09} } @online{fois:20210708:icedid:47da76d, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{IcedID: Analysis and Detection}}, date = {2021-07-08}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html}, language = {English}, urldate = {2021-07-20} } @online{fois:20210723:yara:e9a8a22, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{YARA rules, IOCs and Scripts for extracting IcedID C2s}}, date = {2021-07-23}, organization = {Github (Lastline-Inc)}, url = {https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2}, language = {English}, urldate = {2021-07-27} } @online{fois:20210726:hunting:ff1181b, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{Hunting IcedID and unpacking automation with Qiling}}, date = {2021-07-26}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html}, language = {English}, urldate = {2021-07-27} } @online{fokker:20181030:fallout:fa86aca, author = {John Fokker and Marc Rivero López}, title = {{Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims}}, date = {2018-10-30}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/}, language = {English}, urldate = {2019-12-17} } @online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } @online{fokker:20211107:who:f8f6ef2, author = {John Fokker and Raj Samani}, title = {{Who Will Bend the Knee in RaaS Game of Thrones in 2022?}}, date = {2021-11-07}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/who-will-bend-the-knee-in-raas-game-of-thrones-in-2022/}, language = {English}, urldate = {2021-11-08} } @online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } @online{fokker:20250318:analysis:0f1934c, author = {John Fokker and Jambul Tologonov}, title = {{Analysis of Black Basta Ransomware Chat Leaks}}, date = {2025-03-18}, organization = {Trellix}, url = {https://www.trellix.com/blogs/research/analysis-of-black-basta-ransomware-chat-leaks/}, language = {English}, urldate = {2025-03-25} } @online{fold:20240327:analyzing:bb0276f, author = {Scottish Fold}, title = {{Analyzing the new Donex Ransomware}}, date = {2024-03-27}, organization = {dissect.ing}, url = {https://dissect.ing/posts/donex/}, language = {English}, urldate = {2024-04-29} } @online{fold:20240419:exploiting:d2b6498, author = {Scottish Fold}, title = {{Exploiting a cryptographic vulnerability inside the Donex Ransomware}}, date = {2024-04-19}, organization = {dissect.ing}, url = {https://dissect.ing/posts/donex-pt2/}, language = {English}, urldate = {2024-04-29} } @techreport{fontarensky:20140711:eye:2641a17, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, institution = {Airbus Defence & Space}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{fontarensky:2014:eye:a4c3c1b, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014}, institution = {Airbus Defence & Space}, url = {https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{forces:20210506:finnish:a534e3b, author = {The Finnish Defense Forces}, title = {{Finnish Military Intelligence Review 2021}}, date = {2021-05-06}, institution = {The Finnish Defense Forces}, url = {https://assets.documentcloud.org/documents/20699312/pv_sotilastiedustelu_raportti_www_eng.pdf}, language = {English}, urldate = {2021-05-08} } @techreport{ford:20220922:is:9ff086f, author = {Eric Ford and Ben Nichols}, title = {{Is Gootloader Working with a Foreign Intelligence Service?}}, date = {2022-09-22}, institution = {deepwatch}, url = {https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf}, language = {English}, urldate = {2022-09-30} } @online{formosa:20240326:darkside:27765e6, author = {Chris Formosa and Steve Rudd and Ryan English and Danny Adamitis}, title = {{The Darkside Of TheMoon}}, date = {2024-03-26}, organization = {Lumen}, url = {https://blog.lumen.com/the-darkside-of-themoon}, language = {English}, urldate = {2024-03-28} } @online{formosa:20250509:classic:9906da2, author = {Chris Formosa and Ryan English}, title = {{Classic Rock: Hunting a Botnet that preys on the Old}}, date = {2025-05-09}, organization = {Lumen}, url = {https://blog.lumen.com/black-lotus-labs-helps-demolish-major-criminal-proxy-network/}, language = {English}, urldate = {2025-05-21} } @online{fortgale:20231206:nebula:db8ef9b, author = {Fortgale}, title = {{Nebula Broker: offensive operations made in Italy}}, date = {2023-12-06}, organization = {Fortgale}, url = {https://fortgale.com/blog/featured/nebula-broker-offensive-operations-italy/}, language = {English}, urldate = {2024-01-31} } @online{fortiguard:20111017:w32yunsiptrpws:512809e, author = {FortiGuard}, title = {{W32/Yunsip!tr.pws}}, date = {2011-10-17}, organization = {FortiGuard Labs}, url = {https://www.fortiguard.com/encyclopedia/virus/3229143}, language = {English}, urldate = {2022-07-01} } @online{fortiguard:20141130:w32hiasmatr:55fad29, author = {FortiGuard}, title = {{W32/HiAsm.A!tr}}, date = {2014-11-30}, organization = {Fortinet}, url = {https://fortiguard.fortinet.com/encyclopedia/virus/6488677}, language = {English}, urldate = {2022-01-11} } @online{fortiguard:20190228:empiremonkey:9163175, author = {FortiGuard}, title = {{EmpireMonkey malware distribution}}, date = {2019-02-28}, organization = {Fortiguard}, url = {https://fortiguard.com/encyclopedia/botnet/7630456}, language = {English}, urldate = {2020-03-22} } @online{fortiguard:20190423:fakedefend:a5206fa, author = {FortiGuard}, title = {{FakeDefend}}, date = {2019-04-23}, organization = {Fortinet}, url = {https://www.fortiguard.com/encyclopedia/virus/5543975/android-fakedefend-c-tr}, language = {English}, urldate = {2024-04-29} } @online{fortiguard:20190510:activity:4b58c05, author = {FortiGuard}, title = {{Activity Summary - Week Ending May 10, 2019}}, date = {2019-05-10}, organization = {Fortiguard}, url = {https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019}, language = {English}, urldate = {2019-11-28} } @online{fortinet:20181113:enter:3638569, author = {Fortinet}, title = {{Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign}}, date = {2018-11-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign}, language = {English}, urldate = {2023-08-17} } @online{fortinet:20221115:billbug:9b45b3b, author = {Fortinet}, title = {{APT Billbug Victimized Asian Certification Authority and Government Agencies}}, date = {2022-11-15}, organization = {Fortinet}, url = {https://fortiguard.fortinet.com/threat-signal-report/4879}, language = {English}, urldate = {2025-05-20} } @online{fortinet:20240723:exploiting:ebdcd7c, author = {Fortinet}, title = {{Exploiting CVE-2024-21412: A Stealer Campaign Unleashed}}, date = {2024-07-23}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed}, language = {English}, urldate = {2024-08-29} } @online{fortuna:20230223:how:5b24b34, author = {Andrea Fortuna}, title = {{How to detect Brute Ratel activities}}, date = {2023-02-23}, organization = {Andrea Fortuna's Blog}, url = {https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities}, language = {English}, urldate = {2023-05-10} } @online{fossat:20250512:opensource:45efcab, author = {Maxence Fossat}, title = {{Open-source toolset of an Ivanti CSA attacker}}, date = {2025-05-12}, organization = {Synacktiv}, url = {https://www.synacktiv.com/en/publications/open-source-toolset-of-an-ivanti-csa-attacker}, language = {English}, urldate = {2025-07-08} } @online{foster:20200729:ghostwriter:0d042f4, author = {Lee Foster and Sam Riddell and David Mainor and Gabby Roncone}, title = {{'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests}}, date = {2020-07-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html}, language = {English}, urldate = {2021-04-06} } @online{foster:20210428:ghostwriter:3455770, author = {Lee Foster and David Mainor and Ben Read and Sam Riddell and Gabby Roncone and Lindsay Smith and Alden Wahlstrom}, title = {{Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity}}, date = {2021-04-28}, organization = {FireEye}, url = {https://content.fireeye.com/web-assets/rpt-unc1151-ghostwriter-update}, language = {English}, urldate = {2021-05-03} } @online{fouche:20230724:norway:276f6e4, author = {Gwladys Fouche and Louise Rasmussen and Terje Solsvik}, title = {{Norway government ministries hit by cyber attack}}, date = {2023-07-24}, organization = {Reuters}, url = {https://www.reuters.com/technology/norway-government-ministries-hit-by-cyber-attack-2023-07-24/}, language = {English}, urldate = {2023-07-24} } @online{foulger:20220825:detecting:95564b0, author = {Emma Foulger and Max Heinemeyer}, title = {{Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace}}, date = {2022-08-25}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace}, language = {English}, urldate = {2022-08-30} } @online{foundation:20190516:goznym:37cf686, author = {The Shadowserver Foundation}, title = {{Goznym Indictments – action following on from successful Avalanche Operations}}, date = {2019-05-16}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/}, language = {English}, urldate = {2020-01-10} } @online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } @online{foundation:20220223:shadowserver:39a0ab3, author = {Shadowserver Foundation}, title = {{Shadowserver Special Reports – Cyclops Blink}}, date = {2022-02-23}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/}, language = {English}, urldate = {2022-05-05} } @online{foundation:20230829:qakbot:dcbcf53, author = {Shadowserver Foundation}, title = {{Qakbot Botnet Disruption}}, date = {2023-08-29}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/qakbot-botnet-disruption/}, language = {English}, urldate = {2023-08-29} } @online{foxkera:20220506:github:8f0d95a, author = {foxkera}, title = {{Github Repository for Mineping}}, date = {2022-05-06}, organization = {Github (foxkera)}, url = {https://github.com/foxkera/mineping}, language = {English}, urldate = {2024-10-21} } @online{fr3dhk:20200610:masslogger:c1f2c2f, author = {FR3D.HK}, title = {{MassLogger - Frankenstein's Creation}}, date = {2020-06-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/masslogger-frankenstein-s-creation}, language = {English}, urldate = {2020-06-18} } @online{fr3dhk:20201006:ixware:9d39aa5, author = {FR3D.HK}, title = {{IXWare - Kids will be skids}}, date = {2020-10-06}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/ixware-kids-will-be-skids}, language = {English}, urldate = {2020-10-19} } @online{fr3dhk:20220213:colibri:c5fadd3, author = {FR3D.HK}, title = {{Colibri Loader - Back to basics}}, date = {2022-02-13}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/colibri-loader-back-to-basics}, language = {English}, urldate = {2022-03-02} } @online{fr4:20211116:about:7000822, author = {Fr4}, title = {{Tweet about Aberebot source code put up for sale by the developer}}, date = {2021-11-16}, organization = {Twitter (@_icebre4ker_)}, url = {https://twitter.com/_icebre4ker_/status/1460527428544176128}, language = {English}, urldate = {2021-11-19} } @online{fr4:20220628:revive:7582d22, author = {Fr4}, title = {{Revive and Coper are using similar phishing template and app}}, date = {2022-06-28}, organization = {Twitter (@_icebre4ker_)}, url = {https://twitter.com/_icebre4ker_/status/1541875982684094465}, language = {English}, urldate = {2022-06-29} } @online{france:20200122:wannamine:6e6ab42, author = {Sophos France}, title = {{WannaMine : Même les cybercriminels veulent avoir leur mot à dire sur le Brexit !}}, date = {2020-01-22}, organization = {Sophos}, url = {https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/}, language = {French}, urldate = {2020-11-25} } @online{franceschibicchierai:20150218:meet:2f64fcb, author = {Lorenzo Franceschi-Bicchierai}, title = {{Meet Babar, a New Malware Almost Certainly Created by France}}, date = {2015-02-18}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france}, language = {English}, urldate = {2020-01-10} } @online{franceschibicchierai:20150705:spy:30cea5b, author = {Lorenzo Franceschi-Bicchierai}, title = {{Spy Tech Company 'Hacking Team' Gets Hacked}}, date = {2015-07-05}, organization = {Vice}, url = {https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked}, language = {English}, urldate = {2019-10-14} } @online{franceschibicchierai:20170921:this:b59488a, author = {Lorenzo Franceschi-Bicchierai}, title = {{This Ransomware Demands Nudes Instead of Bitcoin}}, date = {2017-09-21}, organization = {Vice}, url = {https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin}, language = {English}, urldate = {2019-10-29} } @online{franceschibicchierai:20190329:researchers:5987d8a, author = {Lorenzo Franceschi-Bicchierai and Riccardo Coluccini}, title = {{Researchers Find Google Play Store Apps Were Actually Government Malware}}, date = {2019-03-29}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv}, language = {English}, urldate = {2020-01-06} } @online{franceschibicchierai:20190401:prosecutors:7880fc0, author = {Lorenzo Franceschi-Bicchierai}, title = {{Prosecutors Launch Investigation Into Company That Put Malware on Google Play Store}}, date = {2019-04-01}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store}, language = {English}, urldate = {2020-01-08} } @online{franceschibicchierai:20200721:worlds:666e813, author = {Lorenzo Franceschi-Bicchierai}, title = {{'World's Most Wanted Man' Involved in Bizarre Attempt to Buy Hacking Tools}}, date = {2020-07-21}, organization = {Vice}, url = {https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware}, language = {English}, urldate = {2020-07-30} } @online{franceschibicchierai:20210203:spyware:f8a3acb, author = {Lorenzo Franceschi-Bicchierai and Joseph Cox}, title = {{A Spyware Vendor Seemingly Made a Fake WhatsApp to Hack Targets}}, date = {2021-02-03}, organization = {Vice Motherboard}, url = {https://www.vice.com/en/article/akdqwa/a-spyware-vendor-seemingly-made-a-fake-whatsapp-to-hack-targets}, language = {English}, urldate = {2021-02-04} } @online{franceschibicchierai:20210414:meet:0a23d2a, author = {Lorenzo Franceschi-Bicchierai}, title = {{Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever}}, date = {2021-04-14}, organization = {Vice}, url = {https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever}, language = {English}, urldate = {2021-04-14} } @online{franceschibicchierai:20210628:hackers:fde0c9d, author = {Lorenzo Franceschi-Bicchierai}, title = {{Hackers Tricked Microsoft Into Certifying Malware That Could Spy on Users}}, date = {2021-06-28}, organization = {Vice Motherboard}, url = {https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users}, language = {English}, urldate = {2021-07-08} } @online{franceschibicchierai:20231003:fbi:d1417d6, author = {Lorenzo Franceschi-Bicchierai}, title = {{FBI most-wanted Russian hacker reveals why he burned his passport}}, date = {2023-10-03}, organization = {TechCrunch}, url = {https://techcrunch.com/2023/10/03/fbi-most-wanted-russian-hacker-reveals-why-he-burned-his-passport/?tpcc=tcplustwitter}, language = {English}, urldate = {2024-04-11} } @online{franceschibicchierai:20250523:mysterious:16641f2, author = {Lorenzo Franceschi-Bicchierai}, title = {{Mysterious hacking group Careto was run by the Spanish government, sources say}}, date = {2025-05-23}, organization = {TechCrunch}, url = {https://techcrunch.com/2025/05/23/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say/}, language = {English}, urldate = {2025-05-26} } @online{francisca:20210322:malspam:7d33257, author = {Mary Muthu Francisca}, title = {{MalSpam Campaigns Download njRAT from Paste Sites}}, date = {2021-03-22}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21904}, language = {English}, urldate = {2021-03-25} } @online{francisca:20210604:glupteba:f7ec1dc, author = {Mary Muthu Francisca}, title = {{Glupteba back on track spreading via EternalBlue exploits}}, date = {2021-06-04}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22319}, language = {English}, urldate = {2021-06-21} } @online{frank:20200430:eventbot:f5a167d, author = {Daniel Frank and Lior Rochberger and Yaron Rimmer and Assaf Dahan}, title = {{EVENTBOT: A NEW MOBILE BANKING TROJAN IS BORN}}, date = {2020-04-30}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born}, language = {English}, urldate = {2020-05-04} } @techreport{frank:20200716:bazar:1349d7d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)}}, date = {2020-07-16}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf}, language = {English}, urldate = {2021-05-08} } @online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } @online{frank:20210126:cybereason:8b4d681, author = {Daniel Frank}, title = {{Cybereason vs. RansomEXX Ransomware}}, date = {2021-01-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware}, language = {English}, urldate = {2021-01-27} } @online{frank:20210318:cybereason:22a301a, author = {Daniel Frank}, title = {{Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware}}, date = {2021-03-18}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers}, language = {English}, urldate = {2021-03-19} } @online{frank:20220201:powerless:2b9c48c, author = {Daniel Frank}, title = {{PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage}}, date = {2022-02-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage}, language = {English}, urldate = {2022-02-02} } @online{frank:20220430:portdoor:1dca82a, author = {Daniel Frank and Assaf Dahan}, title = {{PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector}}, date = {2022-04-30}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector}, language = {English}, urldate = {2022-08-09} } @online{frank:20231031:over:def0823, author = {Daniel Frank and Tom Fakterman}, title = {{Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)}}, date = {2023-10-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/}, language = {English}, urldate = {2023-11-14} } @online{frank:20240523:operation:472aed2, author = {Daniel Frank and Lior Rochberger}, title = {{Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia}}, date = {2024-05-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/operation-diplomatic-specter/}, language = {English}, urldate = {2024-06-05} } @online{frank:20240926:unraveling:a198843, author = {Daniel Frank and Lior Rochberger}, title = {{Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy}}, date = {2024-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/}, language = {English}, urldate = {2024-10-15} } @online{franklin:20160602:suckfly:0b3ee55, author = {Doug Franklin}, title = {{Suckfly APT}}, date = {2016-06-02}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab}, language = {English}, urldate = {2022-08-30} } @online{frankoff:20141204:inside:80c0fea, author = {Sergei Frankoff}, title = {{Inside The New Asprox/Kuluoz (October 2013 - January 2014)}}, date = {2014-12-04}, url = {http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20150520:bedep:30da731, author = {Sergei Frankoff}, title = {{Bedep Ad-Fraud Botnet Analysis – Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day}}, date = {2015-05-20}, organization = {Sentrant}, url = {https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html}, language = {English}, urldate = {2022-09-20} } @online{frankoff:20180111:unpacking:bd095df, author = {Sergei Frankoff}, title = {{Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1}}, date = {2018-01-11}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=HfSQlC76_s4}, language = {English}, urldate = {2019-11-29} } @online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20180312:python:eb6b9f5, author = {Sergei Frankoff}, title = {{Python decryptor for newer AdWind config file}}, date = {2018-03-12}, organization = {Github (herrcore)}, url = {https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885}, language = {English}, urldate = {2020-01-09} } @online{frankoff:20180520:unpacking:7db8c96, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg}}, date = {2018-05-20}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=QgUlPvEE4aw}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181114:big:723025d, author = {Sergei Frankoff and Bex Hartley}, title = {{Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware}}, date = {2018-11-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{frankoff:20190822:remcos:b86c5bd, author = {Sergei Frankoff}, title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}}, date = {2019-08-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=DIH4SvKuktM}, language = {English}, urldate = {2020-01-10} } @online{frankoff:20200126:ida:a8194b4, author = {Sergei Frankoff and Sean Wilson}, title = {{IDA Pro Automated String Decryption For REvil Ransomware}}, date = {2020-01-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=l2P5CMH9TE0}, language = {English}, urldate = {2020-01-27} } @online{frankoff:20200530:irc:a711f6e, author = {Sergei Frankoff}, title = {{IRC Botnet Reverse Engineering Part 1 - Preparing Binary for Analysis in IDA PRO}}, date = {2020-05-30}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=JPvcLLYR0tE}, language = {English}, urldate = {2020-06-05} } @online{frankoff:20200713:how:fd519be, author = {Sergei Frankoff and OALabs}, title = {{How To Sinkhole A Botnet}}, date = {2020-07-13}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=FAFuSO9oAl0}, language = {English}, urldate = {2020-07-16} } @online{frankoff:20201210:malware:0a70511, author = {Sergei Frankoff}, title = {{Malware Triage Analyzing PrnLoader Used To Drop Emotet}}, date = {2020-12-10}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=5_-oR_135ss}, language = {English}, urldate = {2020-12-18} } @online{frankoff:20210127:ida:15a720f, author = {Sergei Frankoff}, title = {{IDA Pro Decompiler Basics Microcode and x86 Calling Conventions}}, date = {2021-01-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=T0tdj1WDioM}, language = {English}, urldate = {2021-01-27} } @online{frankoff:20210519:reverse:f2f9d20, author = {Sergei Frankoff}, title = {{Reverse Engineering Warzone RAT - Part 1}}, date = {2021-05-19}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=81fdvmGmRvM}, language = {English}, urldate = {2021-05-26} } @online{frankoff:20210731:python3:e022fc4, author = {Sergei Frankoff}, title = {{Python3 Tips For Reverse Engineers}}, date = {2021-07-31}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=TrAwfQlfDd8}, language = {English}, urldate = {2021-08-02} } @online{frankoff:20210927:live:83ccb1f, author = {Sergei Frankoff}, title = {{Live Coding A Squirrelwaffle Malware Config Extractor}}, date = {2021-09-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=9X2P7aFKSw0}, language = {English}, urldate = {2021-10-05} } @online{frankoff:20220302:botleggers:1cb3ac9, author = {Sergei Frankoff and Sean Wilson}, title = {{Botleggers Exposed - Analysis of The Conti Leaks Malware}}, date = {2022-03-02}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=uORuVVQzZ0A}, language = {English}, urldate = {2022-03-07} } @online{frankoff:20220512:taking:8bf052d, author = {Sergei Frankoff}, title = {{Taking a look at Bumblebee loader}}, date = {2022-05-12}, organization = {OALabs}, url = {https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html}, language = {English}, urldate = {2022-05-17} } @online{frankoff:20220619:matanbuchus:0a0a9dc, author = {Sergei Frankoff}, title = {{Matanbuchus Triage Notes}}, date = {2022-06-19}, organization = {OALabs}, url = {https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html}, language = {English}, urldate = {2022-06-27} } @online{frankoff:20220825:smokeloader:d02283f, author = {Sergei Frankoff}, title = {{SmokeLoader Triage Taking a look how Smoke Loader works}}, date = {2022-08-25}, organization = {OALabs}, url = {https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html}, language = {English}, urldate = {2022-08-31} } @online{frankoff:20230212:esxiargs:442f901, author = {Sergei Frankoff and Fabian Wosar}, title = {{ESXiArgs Ransomware Analysis with @fwosar}}, date = {2023-02-12}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=bBcvqxPdjoI}, language = {English}, urldate = {2023-02-13} } @online{frankoff:20230226:pikabot:5e4a367, author = {Sergei Frankoff}, title = {{PikaBot Tiny loader that seems very familiar}}, date = {2023-02-26}, organization = {OALabs}, url = {https://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html}, language = {English}, urldate = {2023-11-13} } @online{frankoff:20230316:cryptbot:9cd940b, author = {Sergei Frankoff}, title = {{CryptBot}}, date = {2023-03-16}, organization = {OALabs}, url = {https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html}, language = {English}, urldate = {2023-05-02} } @online{frankoff:20230330:3cx:244fb6e, author = {Sergei Frankoff}, title = {{3CX Supply Chain Attack}}, date = {2023-03-30}, organization = {OALabs}, url = {https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality}, language = {English}, urldate = {2023-04-06} } @online{frankoff:20230402:aresloader:c216327, author = {Sergei Frankoff}, title = {{AresLoader Taking a closer look at this new loader}}, date = {2023-04-02}, organization = {OALabs}, url = {https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html}, language = {English}, urldate = {2023-04-22} } @online{frankoff:20230406:photoloader:76a4798, author = {Sergei Frankoff}, title = {{PhotoLoader ICEDID}}, date = {2023-04-06}, organization = {OALabs}, url = {https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html}, language = {English}, urldate = {2023-05-02} } @online{frankoff:20230413:quasar:3ad6058, author = {Sergei Frankoff}, title = {{Quasar Chaos: Open Source Ransomware Meets Open Source RAT}}, date = {2023-04-13}, organization = {OALabs}, url = {https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html}, language = {English}, urldate = {2023-05-02} } @online{frankoff:20230416:xorstringsnet:79d9991, author = {Sergei Frankoff}, title = {{XORStringsNet}}, date = {2023-04-16}, organization = {OALabs}, url = {https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html}, language = {English}, urldate = {2023-05-02} } @online{frankoff:20230420:cryptnet:17135c2, author = {Sergei Frankoff}, title = {{CryptNET Ransomware}}, date = {2023-04-20}, organization = {OALabs}, url = {https://research.openanalysis.net/dotnet/cryptnet/ransomware/2023/04/20/cryptnet.html}, language = {English}, urldate = {2023-05-02} } @online{frankoff:20230423:in2al5dp3in4er:7117c1b, author = {Sergei Frankoff}, title = {{in2al5dp3in4er Loader}}, date = {2023-04-23}, organization = {OALabs}, url = {https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html}, language = {English}, urldate = {2023-05-02} } @online{frankoff:20230507:strelastealer:664452e, author = {Sergei Frankoff}, title = {{StrelaStealer Under the radar email credential stealer in development}}, date = {2023-05-07}, organization = {OALabs}, url = {https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html}, language = {English}, urldate = {2023-06-26} } @online{frankoff:20230716:lobshot:fc9d3c4, author = {Sergei Frankoff}, title = {{Lobshot: Lobshot a basic hVNC bot}}, date = {2023-07-16}, organization = {OALabs}, url = {https://research.openanalysis.net/lobshot/bot/hvnc/triage/2023/07/16/lobshot.html}, language = {English}, urldate = {2023-07-21} } @online{frankoff:20230731:bandit:9ecabaf, author = {Sergei Frankoff}, title = {{Bandit Stealer Garbled}}, date = {2023-07-31}, organization = {OALabs}, url = {https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html}, language = {English}, urldate = {2023-07-31} } @online{frankoff:20230803:golang:daf6565, author = {Sergei Frankoff}, title = {{Golang Garble String Decryption}}, date = {2023-08-03}, organization = {OALabs}, url = {https://research.openanalysis.net/garble/go/obfuscation/strings/2023/08/03/garble.html}, language = {English}, urldate = {2023-08-07} } @online{frankoff:20231212:tips:c87d188, author = {Sergei Frankoff}, title = {{Tips For Analyzing Delphi Binaries in IDA (Danabot)}}, date = {2023-12-12}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=04RsqP_P9Ss}, language = {English}, urldate = {2023-12-14} } @online{frankoff:20240930:latrodectus:474db63, author = {Sergei Frankoff}, title = {{Latrodectus Extracting new AES encrypted strings from this RAT}}, date = {2024-09-30}, organization = {OALabs}, url = {https://research.openanalysis.net/latrodectus/config/emulation/2024/09/30/latrodectus.html}, language = {English}, urldate = {2024-10-24} } @online{frankoff:20241206:cryptbot:4b37758, author = {Sergei Frankoff}, title = {{CryptBot Evolution Tracking the many iterations of this stealer}}, date = {2024-12-06}, organization = {OALabs}, url = {https://research.openanalysis.net/cryptbot/botnet/yara/config/2024/12/06/cryptbot2.html#Version-3.2-(Timeline-unknown)}, language = {English}, urldate = {2024-12-13} } @online{frankoff:20241210:live:0cea8d3, author = {Sergei Frankoff}, title = {{Live Stream VOD: The Many Faces of CryptBot (Paywall)}}, date = {2024-12-10}, organization = {Patreon (OALABS)}, url = {https://www.patreon.com/posts/live-stream-vod-117643974}, language = {English}, urldate = {2024-12-13} } @online{frankowicz:20160512:latentbot:9506f35, author = {Kamil Frankowicz}, title = {{LatentBot – modularny i silnie zaciemniony bot}}, date = {2016-05-12}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/}, language = {Polish}, urldate = {2019-12-18} } @online{frankowicz:20160810:cryptxxx:1ee108b, author = {Kamil Frankowicz}, title = {{CryptXXX \ CrypMIC – intensywnie dystrybuowany ransomware w ramach exploit-kitów}}, date = {2016-08-10}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/}, language = {Polish}, urldate = {2019-10-14} } @online{franois:20220505:blister:9404a29, author = {Cyril François and Daniel Stepanic and Salim Bitam}, title = {{BLISTER Loader}}, date = {2022-05-05}, organization = {Elastic}, url = {https://elastic.github.io/security-research/malware/2022/05/02.blister/article/}, language = {English}, urldate = {2022-05-09} } @online{franois:20220727:exploring:67dc644, author = {Cyril François and Andrew Pease and Seth Goodwin}, title = {{Exploring the QBOT Attack Pattern}}, date = {2022-07-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern}, language = {English}, urldate = {2022-08-05} } @online{franois:20220727:qbot:82146d1, author = {Cyril François and Derek Ditch}, title = {{QBOT Configuration Extractor}}, date = {2022-07-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/qbot-configuration-extractor}, language = {English}, urldate = {2022-08-05} } @online{franois:20220824:qbot:152ef8d, author = {Cyril François}, title = {{QBOT Malware Analysis}}, date = {2022-08-24}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/qbot-malware-analysis}, language = {English}, urldate = {2022-08-30} } @online{franois:20230317:thawing:b8065d4, author = {Cyril François and Daniel Stepanic}, title = {{Thawing the permafrost of ICEDID Summary}}, date = {2023-03-17}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary}, language = {English}, urldate = {2023-03-20} } @online{franois:20230504:unpacking:7f892ff, author = {Cyril François}, title = {{Unpacking ICEDID}}, date = {2023-05-04}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/unpacking-icedid}, language = {English}, urldate = {2023-05-05} } @online{franois:20230609:elastic:42d37cb, author = {Cyril François and Daniel Stepanic and Seth Goodwin}, title = {{Elastic charms SPECTRALVIPER}}, date = {2023-06-09}, organization = {Elastic}, url = {https://www.elastic.co/fr/security-labs/elastic-charms-spectralviper}, language = {English}, urldate = {2023-07-26} } @online{franois:20230609:elastic:910c520, author = {Cyril François and Daniel Stepanic and Seth Goodwin}, title = {{Elastic charms SPECTRALVIPER}}, date = {2023-06-09}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/elastic-charms-spectralviper}, language = {English}, urldate = {2023-07-26} } @online{franois:20231013:disclosing:d78b876, author = {Cyril François}, title = {{Disclosing the BLOODALCHEMY backdoor}}, date = {2023-10-13}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor}, language = {English}, urldate = {2023-11-14} } @online{franois:20240424:dissecting:5d33bcd, author = {Cyril François and Samir Bousseaden}, title = {{Dissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part One}}, date = {2024-04-24}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one}, language = {English}, urldate = {2024-05-08} } @online{franois:20240430:dissecting:66a80d6, author = {Cyril François and Samir Bousseaden}, title = {{Dissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part Two}}, date = {2024-04-30}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two}, language = {English}, urldate = {2024-05-08} } @online{franois:20240503:dissecting:54a0b6e, author = {Cyril François and Samir Bousseaden}, title = {{Dissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part Three}}, date = {2024-05-03}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/dissecting-remcos-rat-part-three}, language = {English}, urldate = {2024-05-08} } @online{franois:20240510:dissecting:89f9d72, author = {Cyril François and Samir Bousseaden}, title = {{Dissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part Four}}, date = {2024-05-10}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four}, language = {English}, urldate = {2024-05-13} } @online{franois:20250213:youve:aa1fbfa, author = {Cyril François and Jia Yu Chan and Salim Bitam and Daniel Stepanic}, title = {{You've Got Malware: FINALDRAFT Hides in Your Drafts}}, date = {2025-02-13}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/finaldraft}, language = {English}, urldate = {2025-02-17} } @online{fraser:20190807:apt41:ce48314, author = {Nalani Fraser and Fred Plan and Jacqueline O’Leary and Vincent Cannon and Raymond Leong and Dan Perez and Chi-en Shen}, title = {{APT41: A Dual Espionage and Cyber Crime Operation}}, date = {2019-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html}, language = {English}, urldate = {2019-12-20} } @techreport{fraser:20191119:achievement:30aad54, author = {Nalani Fraser and Kelli Vanderlee}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2022-09-12} } @online{fraser:20210520:response:649c607, author = {joshua fraser}, title = {{Response When Minutes Matter: When Good Tools Are Used for (R)Evil}}, date = {2021-05-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } @online{fratantonio:20210514:slides:116b0b3, author = {Yanick Fratantonio}, title = {{Slides & Recordings for Mobile security trainings}}, date = {2021-05-14}, organization = {MOBISEC}, url = {https://mobisec.reyammer.io/slides}, language = {English}, urldate = {2021-05-25} } @online{freed:20200925:baltimore:296e7d1, author = {Benjamin Freed}, title = {{Baltimore ransomware attack was early attempt at data extortion, new report shows}}, date = {2020-09-25}, organization = {StateScoop}, url = {https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/}, language = {English}, urldate = {2021-05-28} } @online{freeman:20241216:iocontrol:1950a28, author = {Michael Freeman}, title = {{IOControl Malware: What’s New, What’s Not?}}, date = {2024-12-16}, organization = {Armis}, url = {https://www.armis.com/blog/iocontrol-malware-whats-new-whats-not/}, language = {English}, urldate = {2025-06-11} } @online{french:20191204:ransomware:92a6fae, author = {David French}, title = {{Ransomware, interrupted: Sodinokibi and the supply chain}}, date = {2019-12-04}, organization = {Elastic}, url = {https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain}, language = {English}, urldate = {2020-06-30} } @online{french:20231119:look:e1f25f7, author = {Ian French}, title = {{A Look at IPStorm - Cross-Platform Malware Written in Go}}, date = {2023-11-19}, organization = {MalDbg}, url = {https://maldbg.com/ipstorm-golang-malware-windows}, language = {English}, urldate = {2023-11-22} } @online{frenchcisco:20210406:github:33bf219, author = {FrenchCisco}, title = {{Github Repository: RATel}}, date = {2021-04-06}, organization = {Github (FrenchCisco)}, url = {https://github.com/FrenchCisco/RATel}, language = {English}, urldate = {2023-02-27} } @online{freund:20240329:initial:67ca2a2, author = {Andres Freund}, title = {{Initial email disclosing suspected backdoor in xz tarballs}}, date = {2024-03-29}, organization = {Openwall}, url = {https://www.openwall.com/lists/oss-security/2024/03/29/4}, language = {English}, urldate = {2024-04-02} } @online{freyit:20220124:new:b377b46, author = {freyit}, title = {{New TransparenTribe Operation: Targeting India with weaponized COVID-19 lure documents}}, date = {2022-01-24}, organization = {Lab52}, url = {https://lab52.io/blog/new-transparentribe-operation-targeting-india-with-weaponized-covid-19-lure-documents/}, language = {English}, urldate = {2022-01-28} } @online{freyit:20220324:another:4578bc2, author = {freyit}, title = {{Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks}}, date = {2022-03-24}, organization = {Lab52}, url = {https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/}, language = {English}, urldate = {2022-03-25} } @online{frielingsdorf:20240325:clipping:23a9ebf, author = {Matthias Frielingsdorf}, title = {{Clipping Wings: Our Analysis of a Pegasus Spyware Sample}}, date = {2024-03-25}, organization = {iVerify}, url = {https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample}, language = {English}, urldate = {2024-03-28} } @online{fritzbger:20210121:silencing:5e231f5, author = {Søren Fritzbøger}, title = {{Silencing Microsoft Defender for Endpoint using firewall rules}}, date = {2021-01-21}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18}, language = {English}, urldate = {2021-02-06} } @online{froes:20210106:expanding:c61590d, author = {Leandro Froes}, title = {{Expanding Range and Improving Speed: A RansomExx Approach}}, date = {2021-01-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html}, language = {English}, urldate = {2021-01-11} } @online{froes:20230417:indepth:2f1ae34, author = {Leandro Froes}, title = {{An in-depth look at the Golang Windows calls}}, date = {2023-04-17}, organization = {Leandro's blog}, url = {https://leandrofroes.github.io/posts/An-in-depth-look-at-Golang-Windows-calls/}, language = {English}, urldate = {2023-04-22} } @online{froes:20230704:reversing:95bf851, author = {Leandro Froes}, title = {{Reversing a recent IcedID Crypter}}, date = {2023-07-04}, url = {https://leandrofroes.github.io/posts/Reversing-a-recent-IcedID-Crypter/}, language = {English}, urldate = {2023-08-10} } @online{froes:20231101:new:145f312, author = {Leandro Froes}, title = {{New DarkGate Variant Uses a New Loading Approach}}, date = {2023-11-01}, organization = {Netskope}, url = {https://www.netskope.com/jp/blog/new-darkgate-variant-uses-a-new-loading-approach}, language = {English}, urldate = {2023-11-13} } @online{froes:20240826:static:6c407d5, author = {Leandro Froes}, title = {{Static Unpacker for Latrodectus}}, date = {2024-08-26}, organization = {Netskope}, url = {https://github.com/leandrofroes/malware-research/blob/main/Latrodectus/latrodectus_static_unpacker.py}, language = {English}, urldate = {2024-09-02} } @online{froes:20240829:latrodectus:3a35ab2, author = {Leandro Froes}, title = {{Latrodectus Rapid Evolution Continues With Latest New Payload Features}}, date = {2024-08-29}, organization = {Netskope}, url = {https://www.netskope.com/de/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features}, language = {English}, urldate = {2024-10-23} } @online{froes:20240829:latrodectus:edb988b, author = {Leandro Froes}, title = {{Latrodectus Rapid Evolution Continues With Latest New Payload Features}}, date = {2024-08-29}, organization = {Netskope}, url = {https://www.netskope.com/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features}, language = {English}, urldate = {2024-09-02} } @online{froes:20241018:new:907b24c, author = {Leandro Froes}, title = {{New Bumblebee Loader Infection Chain Signals Possible Resurgence}}, date = {2024-10-18}, organization = {Netskope}, url = {https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence}, language = {English}, urldate = {2024-10-23} } @online{froes:20250123:lumma:fa4230f, author = {Leandro Froes}, title = {{Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection}}, date = {2025-01-23}, organization = {Netskope}, url = {https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection}, language = {English}, urldate = {2025-01-31} } @online{frydrych:20200414:ta505:9b31f77, author = {Melissa Frydrych}, title = {{TA505 Continues to Infect Networks With SDBbot RAT}}, date = {2020-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/}, language = {English}, urldate = {2023-02-17} } @online{frydrych:20210414:update:1f0791f, author = {Melissa Frydrych and Claire Zaboeva}, title = {{An Update: The COVID-19 Vaccine’s Global Cold Chain Continues to Be a Target}}, date = {2021-04-14}, organization = {IBM}, url = {https://securityintelligence.com/posts/covid-19-vaccine-global-cold-chain-security/}, language = {English}, urldate = {2021-04-16} } @online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } @online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } @online{frydrych:20220426:hive0117:2ddea35, author = {Melissa Frydrych and Claire Zaboeva and David Bryant}, title = {{Hive0117 Continues Fileless Malware Delivery in Eastern Europe}}, date = {2022-04-26}, organization = {IBM}, url = {https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/}, language = {English}, urldate = {2022-05-04} } @online{fsb:20220114:unlawful:58f711c, author = {FSB}, title = {{Unlawful Activities of Members of an Organized Criminal Community were suppressed}}, date = {2022-01-14}, organization = {FSB}, url = {http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html}, language = {English}, urldate = {2022-01-25} } @techreport{fuentes:20210608:modern:a5dd52c, author = {Mayra Fuentes and Feike Hacquebord and Stephen Hilt and Ian Kenefick and Vladimir Kropotov and Robert McArdle and Fernando Mercês and David Sancho}, title = {{Modern Ransomware’s Double Extortion Tactics and How to Protect Enterprises Against Them}}, date = {2021-06-08}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf}, language = {English}, urldate = {2021-06-16} } @online{fumik0:20181015:predator:9c3fcd9, author = {fumik0}, title = {{Predator The Thief: In-depth analysis (v2.3.5)}}, date = {2018-10-15}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/}, language = {English}, urldate = {2020-01-10} } @online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2022-01-12} } @online{fumik0:2018:entry:62d5ae4, author = {fumik0}, title = {{Entry on Rarog}}, date = {2018}, organization = {fumik0 malware tracker}, url = {https://tracker.fumik0.com/malware/Rarog}, language = {English}, urldate = {2020-01-08} } @online{fumik0:20190503:lets:39770a3, author = {fumik0}, title = {{Let’s nuke Megumin Trojan}}, date = {2019-05-03}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/}, language = {English}, urldate = {2019-11-28} } @online{fumik0:20210504:rm3:41d6969, author = {fumik0 and the RIFT Team and Fox IT}, title = {{RM3 – Curiosities of the wildest banking malware}}, date = {2021-05-04}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/}, language = {English}, urldate = {2021-05-04} } @online{fumik0:20210504:rm3:cd994e6, author = {fumik0 and NCC RIFT}, title = {{RM3 – Curiosities of the wildest banking malware}}, date = {2021-05-04}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/}, language = {English}, urldate = {2021-05-19} } @online{fumik0:20210624:lu0bot:9b9e569, author = {fumik0}, title = {{Lu0bot – An unknown NodeJS malware using UDP}}, date = {2021-06-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/}, language = {English}, urldate = {2021-06-25} } @online{fumik0:20220816:lumma:76d543a, author = {fumik0}, title = {{Tweet on Lumma Stealer based on Mars Stealer}}, date = {2022-08-16}, organization = {Twitter (@fumik0_)}, url = {https://twitter.com/fumik0_/status/1559474920152875008}, language = {English}, urldate = {2022-08-28} } @online{fumko:20190325:lets:e773175, author = {fumko}, title = {{Let’s play with Qulab, an exotic malware developed in AutoIT}}, date = {2019-03-25}, url = {https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/}, language = {English}, urldate = {2020-01-05} } @online{fumko:20190524:overview:7963f07, author = {fumko}, title = {{Overview of Proton Bot, another loader in the wild!}}, date = {2019-05-24}, url = {https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/}, language = {English}, urldate = {2019-12-19} } @online{fumko:20210424:anatomy:b261ccd, author = {fumko}, title = {{Anatomy of a simple and popular packer}}, date = {2021-04-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2021/04/24/anatomy-of-a-simple-and-popular-packer/}, language = {English}, urldate = {2021-04-29} } @online{funko:20191225:lets:599836d, author = {funko}, title = {{Let’s play (again) with Predator the thief}}, date = {2019-12-25}, url = {https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/}, language = {English}, urldate = {2020-01-08} } @techreport{future:20221129:suspected:199acb1, author = {Recorded Future}, title = {{Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank}}, date = {2022-11-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-1129.pdf}, language = {English}, urldate = {2022-12-02} } @online{future:20221205:exposing:702c2a5, author = {Recorded Future}, title = {{Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations}}, date = {2022-12-05}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations}, language = {English}, urldate = {2022-12-06} } @online{future:20250213:inside:400675e, author = {Recorded Future}, title = {{Inside the Scam: North Korea’s IT Worker Threat}}, date = {2025-02-13}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat}, language = {English}, urldate = {2025-02-17} } @techreport{future:20250613:grayalpha:1e52e62, author = {Recorded Future}, title = {{GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT}}, date = {2025-06-13}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf}, language = {English}, urldate = {2025-07-07} } @online{g0njxa:20231116:approaching:82a667f, author = {g0njxa}, title = {{Approaching stealers devs : a brief interview with LummaC2}}, date = {2023-11-16}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11}, language = {English}, urldate = {2023-11-22} } @online{g0njxa:20231124:approaching:714240a, author = {g0njxa}, title = {{Approaching stealers devs : a brief interview with Recordbreaker}}, date = {2023-11-24}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-recordbreaker-f6400c11d58b}, language = {English}, urldate = {2023-12-15} } @online{g0njxa:20231128:approaching:ef17fe1, author = {g0njxa}, title = {{Approaching stealers devs : a brief interview with Meduza}}, date = {2023-11-28}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-meduza-f1bbd2efb84f}, language = {English}, urldate = {2023-12-15} } @online{g0njxa:20231130:approaching:956e09d, author = {g0njxa}, title = {{Approaching stealers devs : a brief interview with Vidar}}, date = {2023-11-30}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-vidar-2c0a62a73087}, language = {English}, urldate = {2023-12-15} } @online{g0njxa:20231205:approaching:a4125eb, author = {g0njxa}, title = {{Approaching stealers devs : a brief interview with StealC}}, date = {2023-12-05}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af}, language = {English}, urldate = {2023-12-15} } @online{g0njxa:20231208:approaching:0e3d9c5, author = {g0njxa}, title = {{Approaching stealers devs : a brief interview with Meta}}, date = {2023-12-08}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-meta-8ae628dfab8c}, language = {English}, urldate = {2023-12-15} } @online{g0njxa:20240201:installskey:c7ec1da, author = {g0njxa}, title = {{Installskey Rewind 2023}}, date = {2024-02-01}, organization = {Medium g0njxa}, url = {https://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65}, language = {English}, urldate = {2024-02-06} } @online{g0njxa:20240205:highlighting:4163baa, author = {@g0njxa}, title = {{Tweet Highlighting the Integration of GhostSocks Service into Lumma Stealer}}, date = {2024-02-05}, url = {https://twitter.com/g0njxa/status/1754630820650696875}, language = {English}, urldate = {2024-04-04} } @online{g:20211021:apache:1785882, author = {Nataraja G}, title = {{Apache HTTP Server CVE-2021-42013 and CVE-2021-41773 Exploited in the Wild}}, date = {2021-10-21}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/enterprise-cloud-and-transformation/apache-http-server-cve-2021-42013-and-cve-2021-41773-exploited}, language = {English}, urldate = {2021-11-02} } @online{g:20240314:unveiling:2e9c8ac, author = {Amaury G. and Livia Tibirna and Grégoire Clermont and Marine PICHON and Vincent HINDERER and Maël SARP and Ziad MASLAH}, title = {{Unveiling the depths of Residential Proxies providers}}, date = {2024-03-14}, organization = {Sekoia}, url = {https://blog.sekoia.io/unveiling-the-depths-of-residential-proxies-providers/}, language = {English}, urldate = {2024-03-18} } @online{g:20250113:doubletap:153d22f, author = {Amaury G. and Maxime A. and Erwan Chevalier and Félix Aime}, title = {{Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations}}, date = {2025-01-13}, organization = {Sekoia}, url = {https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/#h-iii-hatvibe-and-cherryspy-infection-chain}, language = {English}, urldate = {2025-01-17} } @online{g:20250113:doubletap:f5e12bd, author = {Amaury G. and Maxime A. and Erwan Chevalier and Félix Aime}, title = {{Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations}}, date = {2025-01-13}, organization = {Sekoia}, url = {https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/}, language = {English}, urldate = {2025-02-03} } @online{g:20250331:from:2dd54c5, author = {Amaury G. and Coline Chavane and Félix Aime and Sekoia TDR}, title = {{From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic}}, date = {2025-03-31}, organization = {Sekoia}, url = {https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/}, language = {English}, urldate = {2025-04-09} } @online{gadaix:20170512:commsec:d06b216, author = {Emmanuel Gadaix}, title = {{COMMSEC D2 - A Surprise Encounter With A Telco APT}}, date = {2017-05-12}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=xCU47bJoLho}, language = {English}, urldate = {2023-03-24} } @online{gadhave:20220508:ursnif:4e8605b, author = {Amit Gadhave}, title = {{Ursnif Malware Banks on News Events for Phishing Attacks}}, date = {2022-05-08}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks}, language = {English}, urldate = {2022-05-17} } @online{gaffie:20200819:respondermultirelay:191b62a, author = {Laurent Gaffie}, title = {{Responder/MultiRelay}}, date = {2020-08-19}, organization = {Github (lgandx)}, url = {https://github.com/lgandx/Responder}, language = {English}, urldate = {2020-08-24} } @online{gahlot:20201026:threat:7eeb763, author = {Ashish Gahlot}, title = {{Threat Hunting for Avaddon Ransomware}}, date = {2020-10-26}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{gahlot:20201110:threat:e9c7a9c, author = {Ashish Gahlot}, title = {{Threat Hunting for REvil Ransomware}}, date = {2020-11-10}, organization = {AP News}, url = {https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/}, language = {English}, urldate = {2020-11-12} } @online{gahr:201710:lokibot:45755da, author = {Wesley Gahr and Pham Duy Phuc and Niels Croese}, title = {{LokiBot - The first hybrid Android malware}}, date = {2017-10}, organization = {Threat Fabric}, url = {https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html}, language = {English}, urldate = {2019-12-19} } @techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } @online{gal:20220124:trickbot:8a030b3, author = {Michael Gal and Segev Fogel and Itzik Chimino and Limor Kessem and Charlotte Hammond}, title = {{TrickBot Bolsters Layered Defenses to Prevent Injection Research}}, date = {2022-01-24}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/}, language = {English}, urldate = {2022-01-25} } @online{gali:20230418:how:84d68aa, author = {Dianne Gali and Daniel Simpson and Stacyrch140}, title = {{How Microsoft names threat actors}}, date = {2023-04-18}, organization = {Microsoft}, url = {https://learn.microsoft.com/de-de/microsoft-365/security/intelligence/microsoft-threat-actor-naming}, language = {English}, urldate = {2023-04-18} } @online{galiette:20220810:novel:9849ff4, author = {Anthony Galiette and Daniel Bunce and Doel Santos and Shawn Westfall}, title = {{Novel News on Cuba Ransomware: Greetings From Tropical Scorpius}}, date = {2022-08-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/}, language = {English}, urldate = {2022-08-11} } @online{gall:20210601:critical:5609446, author = {Ram Gall}, title = {{Critical 0-day in Fancy Product Designer Under Active Attack}}, date = {2021-06-01}, organization = {wordfence}, url = {https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/}, language = {English}, urldate = {2021-06-09} } @online{gallagher:20150805:newly:dc763a1, author = {Sean Gallagher}, title = {{Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”}}, date = {2015-08-05}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/}, language = {English}, urldate = {2020-01-06} } @online{gallagher:20170421:researchers:f1ea70c, author = {Sean Gallagher}, title = {{Researchers claim China trying to hack South Korea missile defense efforts}}, date = {2017-04-21}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/}, language = {English}, urldate = {2020-01-08} } @online{gallagher:20190508:robbinhood:a7fdd3f, author = {Sean Gallagher}, title = {{“RobbinHood” ransomware takes down Baltimore City government networks}}, date = {2019-05-08}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{gallagher:20200202:agent:81dd245, author = {Sean Gallagher and Markel Picado}, title = {{Agent Tesla amps up information stealing attacks}}, date = {2020-02-02}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/}, language = {English}, urldate = {2021-02-04} } @online{gallagher:20200727:prolock:4992cfc, author = {Sean Gallagher}, title = {{ProLock ransomware gives you the first 8 kilobytes of decryption for free}}, date = {2020-07-27}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/}, language = {English}, urldate = {2020-07-30} } @online{gallagher:20200812:color:9deb334, author = {Sean Gallagher}, title = {{Color by numbers: inside a Dharma ransomware-as-a-service attack}}, date = {2020-08-12}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/}, language = {English}, urldate = {2022-03-18} } @online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } @online{gallagher:20201021:lockbit:13c4faa, author = {Sean Gallagher}, title = {{LockBit uses automated attack tools to identify tasty targets}}, date = {2020-10-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets}, language = {English}, urldate = {2020-10-23} } @online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } @online{gallagher:20201208:egregor:fe48cfd, author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic}, title = {{Egregor ransomware: Maze’s heir apparent}}, date = {2020-12-08}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/}, language = {English}, urldate = {2020-12-08} } @online{gallagher:20201216:ransomware:0b0fdf2, author = {Sean Gallagher and Sivagnanam Gn}, title = {{Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor}}, date = {2020-12-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/16/systembc/}, language = {English}, urldate = {2020-12-17} } @online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } @online{gallagher:20210511:defenders:a4c7f9c, author = {Sean Gallagher and Mark Loman and Peter Mackenzie and Yusuf Arslan Polat and Gabor Szappanos and Suriya Natarajan and Szabolcs Lévai and Ferenc László Nagy}, title = {{A defender’s view inside a DarkSide ransomware attack}}, date = {2021-05-11}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/}, language = {English}, urldate = {2021-05-13} } @online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } @online{gallagher:20210722:malware:ca3a4e3, author = {Sean Gallagher and Andrew Brandt}, title = {{Malware increasingly targets Discord for abuse}}, date = {2021-07-22}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse}, language = {English}, urldate = {2021-07-27} } @online{gallagher:20210901:fake:07752c0, author = {Sean Gallagher and Yusuf Polat and Anand Ajjan and Andrew Brandt}, title = {{Fake pirated software sites serve up malware droppers as a service}}, date = {2021-09-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/}, language = {English}, urldate = {2021-09-09} } @online{gallagher:20210903:conti:db20680, author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi}, title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}}, date = {2021-09-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/}, language = {English}, urldate = {2021-09-06} } @online{gallagher:20210923:phishing:0753a1d, author = {Sean Gallagher}, title = {{Phishing and malware actors abuse Google Forms for credentials, data exfiltration}}, date = {2021-09-23}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/23/phishing-and-malware-actors-abuse-google-forms-for-credentials-data-exfiltration/}, language = {English}, urldate = {2021-09-28} } @online{gallagher:20211004:atom:782b979, author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah}, title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}}, date = {2021-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/}, language = {English}, urldate = {2021-10-11} } @online{gallagher:20211024:node:3619389, author = {Sean Gallagher}, title = {{Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor}}, date = {2021-10-24}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor}, language = {English}, urldate = {2021-11-02} } @online{gallagher:20211118:new:31668c5, author = {Sean Gallagher and Vikas Singh and Robert Weiland and Elida Leite and Kyle Link and Ratul Ghosh and Harinder Bhathal and Sergio Bestuilic and Ferenc László Nagy and Rahul Dugar and Nirav Parekh and Gabor Szappanos}, title = {{New ransomware actor uses password-protected archives to bypass encryption protection}}, date = {2021-11-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/?cmp=30728}, language = {English}, urldate = {2021-11-19} } @online{gallagher:20211118:new:7fc4407, author = {Sean Gallagher}, title = {{New ransomware actor uses password protected archives to bypass encryption protection}}, date = {2021-11-18}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/}, language = {English}, urldate = {2022-03-22} } @online{gallagher:20211212:log4shell:0609a1c, author = {Sean Gallagher}, title = {{Log4Shell Hell: anatomy of an exploit outbreak}}, date = {2021-12-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/}, language = {English}, urldate = {2021-12-31} } @online{gallagher:20211217:inside:0da2770, author = {Sean Gallagher and Hardik Shah}, title = {{Inside the code: How the Log4Shell exploit works}}, date = {2021-12-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/17/inside-the-code-how-the-log4shell-exploit-works/}, language = {English}, urldate = {2021-12-31} } @online{gallagher:20211220:logjam:682b229, author = {Sean Gallagher}, title = {{Logjam: Log4j exploit attempts continue in globally distributed scans, attacks}}, date = {2021-12-20}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/20/logjam-log4j-exploit-attempts-continue-in-globally-distributed-scans-attacks/}, language = {English}, urldate = {2021-12-31} } @online{gallagher:20220228:conti:bcf09a0, author = {Sean Gallagher}, title = {{Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits}}, date = {2022-02-28}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728}, language = {English}, urldate = {2022-03-02} } @online{gallagher:20220818:cookie:74bd0f5, author = {Sean Gallagher}, title = {{Cookie stealing: the new perimeter bypass}}, date = {2022-08-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass}, language = {English}, urldate = {2022-08-22} } @online{galov:20201201:dox:85fa427, author = {Dmitry Galov and Vladislav Tushkanov and Leonid Bezvershenko}, title = {{Dox, steal, reveal. Where does your personal data end up?}}, date = {2020-12-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/dox-steal-reveal/99577/}, language = {English}, urldate = {2020-12-08} } @online{galov:20210512:ransomware:439cee0, author = {Dmitry Galov and Leonid Bezvershenko and Ivan Kwiatkowski}, title = {{Ransomware world in 2021: who, how and why}}, date = {2021-05-12}, organization = {Kaspersky}, url = {https://securelist.com/ransomware-world-in-2021/102169/}, language = {English}, urldate = {2021-05-13} } @online{galperin:20140119:vietnamese:6ff15b6, author = {Eva Galperin and Morgan Marquis-Boire}, title = {{Vietnamese Malware Gets Very Personal}}, date = {2014-01-19}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal}, language = {English}, urldate = {2020-01-13} } @techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} } @online{gamble:20201215:finding:50ef51c, author = {John Gamble}, title = {{Finding SUNBURST Backdoor with Zeek Logs & Corelight}}, date = {2020-12-15}, organization = {Corelight}, url = {https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/}, language = {English}, urldate = {2020-12-15} } @online{gamblin:20170715:mirai:72ffffb, author = {Jerry Gamblin}, title = {{Mirai BotNet Source Code}}, date = {2017-07-15}, organization = {Github (jgamblin)}, url = {https://github.com/jgamblin/Mirai-Source-Code}, language = {English}, urldate = {2019-12-17} } @online{gandhi:20160810:android:81912fe, author = {Viral Gandhi}, title = {{Android Marcher: Continuously Evolving Mobile Malware}}, date = {2016-08-10}, organization = {Zscaler}, url = {https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware}, language = {English}, urldate = {2020-01-10} } @online{gandler:20200330:zeus:bef1da7, author = {Amir Gandler and Limor Kessem}, title = {{Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy}}, date = {2020-03-30}, organization = {IBM}, url = {https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/}, language = {English}, urldate = {2020-04-01} } @online{gannon:20250310:trump:60703e5, author = {Max Gannon}, title = {{Trump Cryptocurrency Delivers ConnectWise RAT}}, date = {2025-03-10}, organization = {Cofense}, url = {https://cofense.com/blog/trump-cryptocurrency-delivers-connectwise-rat}, language = {English}, urldate = {2025-03-11} } @online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } @online{ganti:20211109:brief:07addb6, author = {Vivek Ganti and Omer Yoachimik}, title = {{A Brief History of the Meris Botnet}}, date = {2021-11-09}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/meris-botnet/}, language = {English}, urldate = {2021-11-17} } @online{garage4hackers:20140921:reversing:33b3a34, author = {garage4hackers}, title = {{Reversing Tinba: World's smallest trojan-banker DGA Code}}, date = {2014-09-21}, organization = {garage4hackers}, url = {http://garage4hackers.com/entry.php?b=3086}, language = {English}, urldate = {2019-07-11} } @online{garca:201910:geost:fb6829c, author = {Sebastian García and María José Erquiaga and Anna Shirokova}, title = {{Geost botnet. The story of the discovery of a new Android banking trojan from an OpSec error}}, date = {2019-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/}, language = {English}, urldate = {2020-12-08} } @online{garca:20210331:dissecting:dd2cdc3, author = {Sebastian García and Kamila Babayeva}, title = {{Dissecting a RAT. Analysis of the AndroRAT}}, date = {2021-03-31}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat}, language = {English}, urldate = {2021-03-31} } @online{garcia:20231201:new:618f9fb, author = {Chema Garcia}, title = {{New Tool Set Found Used Against Organizations in the Middle East, Africa and the US}}, date = {2023-12-01}, url = {https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/}, language = {English}, urldate = {2024-06-04} } @online{gardiner:20210106:how:b9e3a36, author = {Matthew Gardiner}, title = {{How to Slam a Door on the Cutwail Botnet: Enforce DMARC}}, date = {2021-01-06}, organization = {Mimecast}, url = {https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/}, language = {English}, urldate = {2021-01-27} } @online{gardner:20220505:sample:66178f9, author = {Christopher Gardner}, title = {{The Sample: Beating the Malware Piñata}}, date = {2022-05-05}, organization = {BrightTALK (Mandiant)}, url = {https://www.brighttalk.com/webcast/7451/538775}, language = {English}, urldate = {2022-06-09} } @online{gardner:20250213:multiple:954358d, author = {Charlie Gardner and Steven Adair and Tom Lancaster}, title = {{Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication}}, date = {2025-02-13}, organization = {Volexity}, url = {https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/}, language = {English}, urldate = {2025-02-17} } @online{gardner:20250422:phishing:f468c29, author = {Charlie Gardner and Josh Duke and Matthew Meltzer and Sean Koessel and Steven Adair and Tom Lancaster}, title = {{Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows}}, date = {2025-04-22}, organization = {Volexity}, url = {https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/}, language = {English}, urldate = {2025-04-28} } @online{gardo:20160323:new:c7c1042, author = {Tomáš Gardoň}, title = {{New self‑protecting USB trojan able to avoid detection}}, date = {2016-03-23}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/}, language = {English}, urldate = {2019-12-20} } @online{gardo:20170822:gamescom:764a8eb, author = {Tomáš Gardoň}, title = {{Gamescom 2017: It’s all fun and games until black hats step in}}, date = {2017-08-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/}, language = {English}, urldate = {2019-11-14} } @online{garkava:20221107:inside:43d468a, author = {Taisiia Garkava and Dillon Ashmore}, title = {{Inside the Yanluowang Leak: Organization, Members, and Tactics}}, date = {2022-11-07}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics}, language = {English}, urldate = {2022-11-07} } @online{garkava:20230623:observerstealer:5699a93, author = {Taisiia Garkava}, title = {{ObserverStealer: Unmasking the New Contender in Cyber Crime}}, date = {2023-06-23}, organization = {Medium}, url = {https://medium.com/@cyberhust1er/observerstealer-unmasking-the-new-contender-in-cyber-crime-6e54a40d801d}, language = {English}, urldate = {2023-06-27} } @online{garnett:20210517:case:a8ef9cf, author = {Brad Garnett}, title = {{Case Study: Incident Response is a relationship-driven business}}, date = {2021-05-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/05/ctir-case-study.html}, language = {English}, urldate = {2021-05-25} } @online{gastesi:20100907:zeus:330336f, author = {Mikel Gastesi}, title = {{ZeuS: The missing link}}, date = {2010-09-07}, organization = {S21sec}, url = {https://www.s21sec.com/en/zeus-the-missing-link/}, language = {English}, urldate = {2020-01-17} } @online{gat:20231213:teamcity:dd2af7b, author = {Amey Gat and Mark Robson and John Simmons and Ken Evans and Jared Betts and Angelo Cris Deveraturda and Hongkei Chan and Jayesh Zala}, title = {{TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793}}, date = {2023-12-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793}, language = {English}, urldate = {2023-12-14} } @online{gatewatcher:20230720:zipfilesmakeitbiggertoavoidedrdetection:48b15b6, author = {Gatewatcher}, title = {{zip-files-make-it-bigger-to-avoid-edr-detection}}, date = {2023-07-20}, organization = {Gatewatcher}, url = {https://www.gatewatcher.com/en/lab/zip-files-make-it-bigger-to-avoid-edr-detection/}, language = {English}, urldate = {2024-04-15} } @online{gatewatcher:20231215:utilisation:b5467f3, author = {Gatewatcher}, title = {{Utilisation de faux profils Steam : Vidar Stealer prend les commandes}}, date = {2023-12-15}, organization = {Gatewatcher}, url = {https://www.gatewatcher.com/lab/utilisation-de-faux-profils-steam-vidar-prend-les-commandes/}, language = {French}, urldate = {2024-04-15} } @online{gatewatcher:20240301:cyber:5caa4af, author = {Gatewatcher}, title = {{CYBER THREATS SEMESTER REPORT (July - December 2023) (paywall)}}, date = {2024-03-01}, organization = {Gatewatcher}, url = {https://info.gatewatcher.com/en/cyber-threats-semester-report-july-december-2023}, language = {English}, urldate = {2024-06-28} } @online{gatewatcher:20240507:cybercrimes:4025ea4, author = {Gatewatcher}, title = {{Cybercrime's Anatomy Threats to the Healthcare World}}, date = {2024-05-07}, organization = {Gatewatcher}, url = {https://www.gatewatcher.com/lab/cybercrimes-anatomy-les-menaces-sur-le-monde-de-la-sante/}, language = {French}, urldate = {2024-05-07} } @online{gatlan:20190517:teamviewer:563f298, author = {Sergiu Gatlan}, title = {{TeamViewer Confirms Undisclosed Breach From 2016}}, date = {2019-05-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/}, language = {English}, urldate = {2019-12-20} } @online{gatlan:20191018:maze:fb2c4b6, author = {Sergiu Gatlan}, title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}}, date = {2019-10-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/}, language = {English}, urldate = {2019-12-17} } @online{gatlan:20191118:linux:3b44951, author = {Sergiu Gatlan}, title = {{Linux, Windows Users Targeted With New ACBackdoor Malware}}, date = {2019-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/}, language = {English}, urldate = {2020-01-13} } @online{gatlan:20191209:snatch:04dbbf3, author = {Sergiu Gatlan}, title = {{Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools}}, date = {2019-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/}, language = {English}, urldate = {2020-01-07} } @online{gatlan:20200110:sodinokibi:73cbf66, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Hits New York Airport Systems}}, date = {2020-01-10}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/}, language = {English}, urldate = {2020-01-20} } @online{gatlan:20200123:sodinokibi:86b1d46, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Threatens to Publish Data of Automotive Group}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/}, language = {English}, urldate = {2020-01-23} } @online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } @online{gatlan:20200330:banking:9d302f2, author = {Sergiu Gatlan}, title = {{Banking Malware Spreading via COVID-19 Relief Payment Phishing}}, date = {2020-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/}, language = {English}, urldate = {2020-04-01} } @online{gatlan:20200403:microsoft:c12a844, author = {Sergiu Gatlan}, title = {{Microsoft: Emotet Took Down a Network by Overheating All Computers}}, date = {2020-04-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/}, language = {English}, urldate = {2020-04-08} } @online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } @online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } @online{gatlan:20200626:admin:044ef9a, author = {Sergiu Gatlan}, title = {{Admin of carding portal behind $568M in losses pleads guilty}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/admin-of-carding-portal-behind-568m-in-losses-pleads-guilty/}, language = {English}, urldate = {2020-06-29} } @online{gatlan:20200630:evilquest:b90c9ad, author = {Sergiu Gatlan}, title = {{EvilQuest wiper uses ransomware cover to steal files from Macs}}, date = {2020-06-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/}, language = {English}, urldate = {2020-07-01} } @online{gatlan:20200724:garmin:05d9247, author = {Sergiu Gatlan}, title = {{Garmin outage caused by confirmed WastedLocker ransomware attack}}, date = {2020-07-24}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/}, language = {English}, urldate = {2020-07-30} } @online{gatlan:20200728:emotet:37429c5, author = {Sergiu Gatlan}, title = {{Emotet malware now steals your email attachments to attack contacts}}, date = {2020-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/}, language = {English}, urldate = {2020-07-30} } @online{gatlan:20201105:brazils:f1f0810, author = {Sergiu Gatlan}, title = {{Brazil's court system under massive RansomExx ransomware attack}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/}, language = {English}, urldate = {2020-11-09} } @online{gatlan:20201113:biotech:cbe6093, author = {Sergiu Gatlan}, title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}}, date = {2020-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/}, language = {English}, urldate = {2020-11-19} } @online{gatlan:20201222:biden:e871104, author = {Sergiu Gatlan}, title = {{Biden blasts Trump administration over SolarWinds attack response}}, date = {2020-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/biden-blasts-trump-administration-over-solarwinds-attack-response/}, language = {English}, urldate = {2020-12-23} } @online{gatlan:20201230:emotet:1f2a80b, author = {Sergiu Gatlan}, title = {{Emotet malware hits Lithuania's National Public Health Center}}, date = {2020-12-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/}, language = {English}, urldate = {2021-01-05} } @online{gatlan:20210104:translink:628f0c4, author = {Sergiu Gatlan}, title = {{TransLink confirms ransomware data theft, still restoring systems}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/}, language = {English}, urldate = {2021-01-05} } @online{gatlan:20210126:mimecast:ef80465, author = {Sergiu Gatlan}, title = {{Mimecast links security breach to SolarWinds hackers}}, date = {2021-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/}, language = {English}, urldate = {2021-01-27} } @online{gatlan:20210205:microsoft:183d590, author = {Sergiu Gatlan}, title = {{Microsoft warns of increasing OAuth Office 365 phishing attacks}}, date = {2021-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-warns-of-increasing-oauth-office-365-phishing-attacks/}, language = {English}, urldate = {2021-02-06} } @online{gatlan:20210224:nasa:646b084, author = {Sergiu Gatlan}, title = {{NASA and the FAA were also breached by the SolarWinds hackers}}, date = {2021-02-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/}, language = {English}, urldate = {2021-02-25} } @online{gatlan:20210325:evil:5b966ff, author = {Sergiu Gatlan}, title = {{Evil Corp switches to Hades ransomware to evade sanctions}}, date = {2021-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/}, language = {English}, urldate = {2021-03-30} } @online{gatlan:20210420:revil:4193bfe, author = {Sergiu Gatlan}, title = {{REvil gang tries to extort Apple, threatens to sell stolen blueprints}}, date = {2021-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/}, language = {English}, urldate = {2021-04-28} } @online{gatlan:20210428:cyberspies:718be29, author = {Sergiu Gatlan}, title = {{Cyberspies target military organizations with new Nebulae backdoor}}, date = {2021-04-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/}, language = {English}, urldate = {2022-02-04} } @online{gatlan:20210514:qnap:9af65b9, author = {Sergiu Gatlan}, title = {{QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day}}, date = {2021-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/}, language = {English}, urldate = {2021-05-17} } @online{gatlan:20210519:may:58b7206, author = {Sergiu Gatlan}, title = {{May Android security updates patch 4 zero-days exploited in the wild}}, date = {2021-05-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/may-android-security-updates-patch-4-zero-days-exploited-in-the-wild/}, language = {English}, urldate = {2021-05-26} } @online{gatlan:20210601:critical:7d2b953, author = {Sergiu Gatlan}, title = {{Critical WordPress plugin zero-day under active exploitation}}, date = {2021-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-zero-day-under-active-exploitation/}, language = {English}, urldate = {2021-06-09} } @online{gatlan:20210603:chinese:016ede0, author = {Sergiu Gatlan}, title = {{Chinese threat actors hacked NYC MTA using Pulse Secure zero-day}}, date = {2021-06-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinese-threat-actors-hacked-nyc-mta-using-pulse-secure-zero-day/}, language = {English}, urldate = {2021-06-09} } @online{gatlan:20210604:freakout:0ccc055, author = {Sergiu Gatlan}, title = {{FreakOut malware worms its way into vulnerable VMware servers}}, date = {2021-06-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/}, language = {English}, urldate = {2021-06-16} } @online{gatlan:20210616:us:90c8776, author = {Sergiu Gatlan}, title = {{US convicts Russian national behind Kelihos botnet crypting service}}, date = {2021-06-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/}, language = {English}, urldate = {2021-07-02} } @online{gatlan:20210618:poland:624cade, author = {Sergiu Gatlan}, title = {{Poland blames Russia for breach, theft of Polish officials' emails}}, date = {2021-06-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/poland-blames-russia-for-breach-theft-of-polish-officials-emails/}, language = {English}, urldate = {2021-06-22} } @online{gatlan:20210703:us:6685629, author = {Sergiu Gatlan}, title = {{US chemical distributor shares info on DarkSide ransomware data theft}}, date = {2021-07-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/}, language = {English}, urldate = {2021-07-11} } @online{gatlan:20210708:morgan:4ea5e71, author = {Sergiu Gatlan}, title = {{Morgan Stanley reports data breach after vendor Accellion hack}}, date = {2021-07-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/morgan-stanley-reports-data-breach-after-vendor-accellion-hack/}, language = {English}, urldate = {2021-07-19} } @online{gatlan:20210712:solarwinds:5f00d9a, author = {Sergiu Gatlan}, title = {{SolarWinds patches critical Serv-U vulnerability (CVE-2021-35211) exploited in the wild}}, date = {2021-07-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/solarwinds-patches-critical-serv-u-vulnerability-exploited-in-the-wild/}, language = {English}, urldate = {2021-07-20} } @online{gatlan:20210717:hellokitty:96a6fe5, author = {Sergiu Gatlan}, title = {{HelloKitty ransomware is targeting vulnerable SonicWall devices}}, date = {2021-07-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/}, language = {English}, urldate = {2021-07-20} } @online{gatlan:20210719:iphones:43158e9, author = {Sergiu Gatlan}, title = {{iPhones running latest iOS hacked to deploy NSO Group spyware}}, date = {2021-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/}, language = {English}, urldate = {2021-07-26} } @online{gatlan:20210722:ransomware:7dfb7af, author = {Sergiu Gatlan}, title = {{Ransomware gang breached CNA’s network via fake browser update}}, date = {2021-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-breached-cna-s-network-via-fake-browser-update/}, language = {English}, urldate = {2021-07-26} } @online{gatlan:20210727:uc:4b59fb1, author = {Sergiu Gatlan}, title = {{UC San Diego Health discloses data breach after phishing attack}}, date = {2021-07-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/uc-san-diego-health-discloses-data-breach-after-phishing-attack/}, language = {English}, urldate = {2021-07-29} } @online{gatlan:20210730:doj:27f36c0, author = {Sergiu Gatlan}, title = {{DOJ: SolarWinds hackers breached emails from 27 US Attorneys’ offices}}, date = {2021-07-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doj-solarwinds-hackers-breached-emails-from-27-us-attorneys-offices/}, language = {English}, urldate = {2021-08-02} } @online{gatlan:20210804:energy:687b773, author = {Sergiu Gatlan}, title = {{Energy group ERG reports minor disruptions after ransomware attack}}, date = {2021-08-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/}, language = {English}, urldate = {2021-08-06} } @online{gatlan:20210809:synology:4cf97c4, author = {Sergiu Gatlan}, title = {{Synology warns of malware infecting NAS devices with ransomware}}, date = {2021-08-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/}, language = {English}, urldate = {2021-08-09} } @online{gatlan:20210810:crytek:59f98bc, author = {Sergiu Gatlan}, title = {{Crytek confirms Egregor ransomware attack, customer data theft}}, date = {2021-08-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/}, language = {English}, urldate = {2021-08-11} } @online{gatlan:20210902:autodesk:a947f3f, author = {Sergiu Gatlan}, title = {{Autodesk reveals it was targeted by Russian SolarWinds hackers}}, date = {2021-09-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/}, language = {English}, urldate = {2021-09-06} } @online{gatlan:20220126:german:06fb2dc, author = {Sergiu Gatlan}, title = {{German govt warns of APT27 hackers backdooring business networks}}, date = {2022-01-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/}, language = {English}, urldate = {2022-01-31} } @online{gatlan:20220127:taiwanese:287d9cf, author = {Sergiu Gatlan}, title = {{Taiwanese Apple and Tesla contractor hit by Conti ransomware}}, date = {2022-01-27}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/}, language = {English}, urldate = {2022-02-01} } @online{gatlan:20220201:cyberspies:ea8a796, author = {Sergiu Gatlan}, title = {{Cyberspies linked to Memento ransomware use new PowerShell malware}}, date = {2022-02-01}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/cyberspies-linked-to-memento-ransomware-use-new-powershell-malware/}, language = {English}, urldate = {2022-02-04} } @online{gatlan:20220204:hhs:2f39dbe, author = {Sergiu Gatlan}, title = {{HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems}}, date = {2022-02-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/}, language = {English}, urldate = {2022-02-17} } @online{gatlan:20220207:free:98f37bd, author = {Sergiu Gatlan}, title = {{Free decryptor released for TargetCompany ransomware victims}}, date = {2022-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/}, language = {English}, urldate = {2022-02-19} } @online{gatlan:20220208:netwalker:716341a, author = {Sergiu Gatlan}, title = {{NetWalker ransomware affiliate sentenced to 80 months in prison}}, date = {2022-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/}, language = {English}, urldate = {2022-02-09} } @online{gatlan:20220209:meta:e9ad250, author = {Sergiu Gatlan}, title = {{Meta and Chime sue Nigerians behind Facebook, Instagram phishing}}, date = {2022-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/meta-and-chime-sue-nigerians-behind-facebook-instagram-phishing/}, language = {English}, urldate = {2022-02-10} } @online{gatlan:20220214:fbi:faaad75, author = {Sergiu Gatlan}, title = {{FBI: BlackByte ransomware breached US critical infrastructure}}, date = {2022-02-14}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/}, language = {English}, urldate = {2022-02-16} } @online{gatlan:20220218:new:6472349, author = {Sergiu Gatlan}, title = {{New Golang botnet empties Windows users’ cryptocurrency wallets}}, date = {2022-02-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/}, language = {English}, urldate = {2022-03-02} } @online{gatlan:20220224:defense:c29562d, author = {Sergiu Gatlan}, title = {{Defense contractors hit by stealthy SockDetour Windows backdoor}}, date = {2022-02-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/defense-contractors-hit-by-stealthy-sockdetour-windows-backdoor/}, language = {English}, urldate = {2022-03-10} } @online{gatlan:20220228:meta:70850f0, author = {Sergiu Gatlan}, title = {{Meta: Ukrainian officials, military targeted by Ghostwriter hackers}}, date = {2022-02-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers}, language = {English}, urldate = {2022-07-25} } @online{gatlan:20220228:meta:7d5b51a, author = {Sergiu Gatlan}, title = {{Meta: Ukrainian officials, military targeted by Ghostwriter hackers}}, date = {2022-02-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers/}, language = {English}, urldate = {2022-03-07} } @online{gatlan:20220307:fbi:37b1274, author = {Sergiu Gatlan}, title = {{FBI: Ransomware gang breached 52 US critical infrastructure orgs}}, date = {2022-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/}, language = {English}, urldate = {2022-03-08} } @online{gatlan:20220314:new:b53c7a5, author = {Sergiu Gatlan}, title = {{New CaddyWiper data wiping malware hits Ukrainian networks}}, date = {2022-03-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/}, language = {English}, urldate = {2022-03-17} } @online{gatlan:20220331:viasat:bdb9f30, author = {Sergiu Gatlan}, title = {{Viasat confirms satellite modems were wiped with AcidRain malware}}, date = {2022-03-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/}, language = {English}, urldate = {2022-04-04} } @online{gatlan:20220406:us:25e5e8b, author = {Sergiu Gatlan}, title = {{US disrupts Russian Cyclops Blink botnet before being used in attacks}}, date = {2022-04-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/}, language = {English}, urldate = {2022-04-07} } @online{gatlan:20220411:cisa:3a96fe3, author = {Sergiu Gatlan}, title = {{CISA warns orgs of WatchGuard bug exploited by Russian state hackers}}, date = {2022-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/}, language = {English}, urldate = {2022-05-04} } @online{gatlan:20220411:qbot:7f1ddc7, author = {Sergiu Gatlan}, title = {{Qbot malware switches to new Windows Installer infection vector}}, date = {2022-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/}, language = {English}, urldate = {2022-05-04} } @online{gatlan:20220418:free:d6f6e7a, author = {Sergiu Gatlan}, title = {{Free decryptor released for Yanluowang ransomware victims}}, date = {2022-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/}, language = {English}, urldate = {2022-04-20} } @online{gatlan:20220522:google:d2a26d5, author = {Sergiu Gatlan}, title = {{Google: Predator spyware infected Android devices using zero-days}}, date = {2022-05-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/}, language = {English}, urldate = {2022-05-24} } @online{gatlan:20220528:clop:bb8abda, author = {Sergiu Gatlan}, title = {{Clop ransomware gang is back, hits 21 victims in a single month}}, date = {2022-05-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/}, language = {English}, urldate = {2022-07-13} } @online{gatlan:20220621:microsoft:dc02b91, author = {Sergiu Gatlan}, title = {{Microsoft Exchange servers hacked by new ToddyCat APT gang}}, date = {2022-06-21}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/}, language = {English}, urldate = {2022-06-27} } @online{gatlan:20220704:astralocker:02fcfe5, author = {Sergiu Gatlan}, title = {{AstraLocker ransomware shuts down and releases decryptors}}, date = {2022-07-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/}, language = {English}, urldate = {2022-08-05} } @online{gatlan:20221013:trend:dddaad7, author = {Sergiu Gatlan}, title = {{Trend Micro warns of actively exploited Apex One RCE vulnerability (CVE-2022-40139)}}, date = {2022-10-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-actively-exploited-apex-one-rce-vulnerability/}, language = {English}, urldate = {2023-08-01} } @online{gatlan:20221027:microsoft:e274158, author = {Sergiu Gatlan}, title = {{Microsoft links Raspberry Robin worm to Clop ransomware attacks}}, date = {2022-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/}, language = {English}, urldate = {2022-11-11} } @online{gatlan:20230104:rackspace:217fd72, author = {Sergiu Gatlan}, title = {{Rackspace confirms Play ransomware was behind recent cyberattack}}, date = {2023-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/}, language = {English}, urldate = {2023-01-05} } @online{gatlan:20230203:massive:23e9bbc, author = {Sergiu Gatlan}, title = {{Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide}}, date = {2023-02-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/}, language = {English}, urldate = {2023-02-09} } @online{gatlan:20240215:zeus:a2ee668, author = {Sergiu Gatlan}, title = {{Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison}}, date = {2024-02-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/}, language = {English}, urldate = {2024-02-16} } @online{gatlan:20240606:new:54c2938, author = {Sergiu Gatlan}, title = {{New Gitloker attacks wipe GitHub repos in extortion scheme}}, date = {2024-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/}, language = {English}, urldate = {2024-12-11} } @online{gatlan:20241218:raccoon:a20134c, author = {Sergiu Gatlan}, title = {{Raccoon Stealer malware operator gets 5 years in prison after guilty plea}}, date = {2024-12-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-operator-gets-5-years-in-prison-after-guilty-plea/amp/}, language = {English}, urldate = {2024-12-20} } @online{gaucheler:20210715:visual:79b00a1, author = {Mathieu Gaucheler and Ariel Jungheit and Kaspersky and Vicente Diaz}, title = {{Visual investigations - Speed up your IR, Forensic Analysis and Hunting}}, date = {2021-07-15}, organization = {BrightTALK}, url = {https://www.brighttalk.com/webcast/18282/493986}, language = {English}, urldate = {2021-11-03} } @online{gavriel:20180103:new:34da39b, author = {Hod Gavriel}, title = {{New LockPoS Malware Injection Technique}}, date = {2018-01-03}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-lockpos-malware-injection-technique/}, language = {English}, urldate = {2019-11-28} } @online{gavriel:20180411:new:9ed9a94, author = {Hod Gavriel and Boris Erbesfeld}, title = {{New ‘Early Bird’ Code Injection Technique Discovered}}, date = {2018-04-11}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20180806:backswap:f13384a, author = {Hod Gavriel and Boris Erbesfeld}, title = {{BackSwap Banker Malware Hides Inside Replicas of Legitimate Programs}}, date = {2018-08-06}, organization = {Cyberbit}, url = {https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190130:new:6e4ec87, author = {Hod Gavriel}, title = {{New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)}}, date = {2019-01-30}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-ursnif-malware-variant/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190813:hawkeye:379a3e4, author = {Hod Gavriel}, title = {{HawkEye Malware Changes Keylogging Technique}}, date = {2019-08-13}, organization = {Cyberbit}, url = {https://www.cyberbit.com/hawkeye-malware-keylogging-technique/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = {English}, urldate = {2024-03-25} } @techreport{gazer:201708:gazing:b454362, author = {Gazing at Gazer and Turla’s new second stage backdoor}, title = {{Gazing at Gazer Turla’s new second stage backdoor}}, date = {2017-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf}, language = {English}, urldate = {2020-01-08} } @online{gbrindisi:20160323:gozi:aa28233, author = {gbrindisi}, title = {{Gozi ISFB Sourceccode}}, date = {2016-03-23}, organization = {Github (gbrindisi)}, url = {https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb}, language = {English}, urldate = {2020-01-13} } @online{gdanski:20211101:from:dc06d28, author = {Aaron Gdanski and Limor Kessem}, title = {{From Thanos to Prometheus: When Ransomware Encryption Goes Wrong}}, date = {2021-11-01}, organization = {IBM}, url = {https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/}, language = {English}, urldate = {2021-11-08} } @online{gdata:20180629:where:6b57825, author = {G-Data}, title = {{Where we go, we don't need files: Analysis of fileless malware "Rozena"}}, date = {2018-06-29}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena}, language = {English}, urldate = {2020-01-13} } @online{gdata:20190509:strange:2e58aae, author = {G-Data}, title = {{Strange Bits: HTML Smuggling and GitHub Hosted Malware}}, date = {2019-05-09}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github}, language = {English}, urldate = {2019-12-10} } @online{gdata:20201118:business:f4eda3a, author = {G-Data}, title = {{Business as usual: Criminal Activities in Times of a Global Pandemic}}, date = {2020-11-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire}, language = {English}, urldate = {2020-11-23} } @online{ge:20110909:bios:c162598, author = {Livian Ge}, title = {{BIOS Threat is Showing up Again!}}, date = {2011-09-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/bios-threat-showing-again}, language = {English}, urldate = {2019-12-10} } @online{gebbett:20210817:resurgent:177637f, author = {Sean Gebbett}, title = {{Resurgent FluBot malware targets German and Polish banks}}, date = {2021-08-17}, organization = {Netcraft}, url = {https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html}, language = {English}, urldate = {2021-08-20} } @online{geekypanda:20230219:infostealer:6b8487a, author = {GeekyPanda}, title = {{The Infostealer Pie: Python Malware Analysis}}, date = {2023-02-19}, organization = {Geeky Panda Tales}, url = {https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/}, language = {English}, urldate = {2023-02-21} } @online{geenens:20180201:jenx:8b824f5, author = {Pascal Geenens}, title = {{JenX – Los Calvos de San Calvicie}}, date = {2018-02-01}, organization = {Radware Blog}, url = {https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/}, language = {English}, urldate = {2019-07-10} } @online{geenens:20240819:megamedusa:8226c0e, author = {Pascal Geenens}, title = {{MegaMedusa, RipperSec’s Public Web DDoS Attack Tool}}, date = {2024-08-19}, organization = {Radware}, url = {https://www.radware.com/blog/security/2024/08/megamedusa-rippersec-public-web-ddos-attack-tool/}, language = {English}, urldate = {2024-11-04} } @techreport{geffner:20130719:endtoend:0b46196, author = {Jason Geffner}, title = {{End-to-End Analysis of a Domain Generating Algorithm Malware Family}}, date = {2013-07-19}, institution = {BlackHat}, url = {https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf}, language = {English}, urldate = {2022-04-25} } @online{gelb:20230802:lazarus:e85d0ab, author = {Yehuda Gelb}, title = {{Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector}}, date = {2023-08-02}, organization = {Checkmarx}, url = {https://medium.com/checkmarx-security/lazarus-group-launches-first-open-source-supply-chain-attacks-targeting-crypto-sector-cabc626e404e}, language = {English}, urldate = {2023-09-04} } @online{gelera:20210223:analysis:a4c0c51, author = {Byron Gelera and Janus Agcaoili}, title = {{An Analysis of the Nefilim Ransomware}}, date = {2021-02-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html}, language = {English}, urldate = {2021-02-25} } @techreport{gemini:20200707:full:283dfdd, author = {GEMINI}, title = {{Full list of all the 570+ sites that the Keeper gang hacked since April 2017}}, date = {2020-07-07}, institution = {}, url = {https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf}, language = {English}, urldate = {2020-07-08} } @online{gemini:20200707:keeper:b2f882b, author = {GEMINI}, title = {{"Keeper" Magecart Group Infects 570 Sites}}, date = {2020-07-07}, url = {https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/}, language = {English}, urldate = {2020-07-08} } @online{gemini:20201119:chinese:ffd0136, author = {GEMINI}, title = {{Chinese Scam Shops Lure Black Friday Shoppers}}, date = {2020-11-19}, organization = {GEMINI}, url = {https://geminiadvisory.io/chinese-scam-shops/}, language = {English}, urldate = {2020-11-23} } @online{gemini:20210115:jokers:10dc84b, author = {GEMINI}, title = {{Joker’s Stash, the Largest Carding Marketplace, Shuts Down}}, date = {2021-01-15}, organization = {GEMINI}, url = {https://geminiadvisory.io/jokers-stash-shuts-down/}, language = {English}, urldate = {2021-01-21} } @online{gemini:20210219:alleged:55485b4, author = {GEMINI}, title = {{Alleged Hydra Market Operators Identified}}, date = {2021-02-19}, organization = {GEMINI}, url = {https://geminiadvisory.io/alleged-hydra-market-operators-identified/}, language = {English}, urldate = {2021-02-20} } @online{gemini:20211021:fin7:88af67e, author = {GEMINI}, title = {{FIN7 Recruits Talent For Push Into Ransomware}}, date = {2021-10-21}, organization = {GEMINI}, url = {https://geminiadvisory.io/fin7-ransomware-bastion-secure}, language = {English}, urldate = {2021-10-26} } @online{gemini:20211206:magecart:b89c803, author = {GEMINI}, title = {{Magecart Groups Abuse Google Tag Manager}}, date = {2021-12-06}, organization = {GEMINI}, url = {https://geminiadvisory.io/magecart-google-tag-manager/}, language = {English}, urldate = {2021-12-07} } @online{gemini:20220113:fin7:1e3784d, author = {GEMINI}, title = {{FIN7 Uses Flash Drives to Spread Remote Access Trojan}}, date = {2022-01-13}, organization = {Recorded Future}, url = {https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/}, language = {English}, urldate = {2022-01-24} } @online{gencay:202306:blackcat:092ab10, author = {Kerime Gencay}, title = {{BlackCat Ransomware Analysis Report (Paywall)}}, date = {2023-06}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/en/black-cat-alphv-ransomware-group/}, language = {English}, urldate = {2024-03-25} } @online{gencay:202307:big:6c66341, author = {Kerime Gencay}, title = {{Big Head Ransomware Report (Paywall)}}, date = {2023-07}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/en/big-head-ransomware-report/}, language = {English}, urldate = {2024-03-25} } @online{gencay:202308:white:4605f0d, author = {Kerime Gencay}, title = {{White Snake Stealer Analysis Report (Paywall)}}, date = {2023-08}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/en/white-snake-stealer-report/}, language = {English}, urldate = {2024-03-25} } @online{gencay:202310:agent:c1ab766, author = {Kerime Gencay}, title = {{Agent Tesla Technical Analysis Report (Paywall)}}, date = {2023-10}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/agent-tesla-malware-raporu/}, language = {English}, urldate = {2024-03-25} } @online{gencay:20231220:ghostlocker:8fd9a85, author = {Kerime Gencay}, title = {{GhostLocker Ransomware Analysis Report (Paywall)}}, date = {2023-12-20}, organization = {ThreatMon}, url = {https://threatmon.io/ghostlocker-ransomware-analysis/}, language = {English}, urldate = {2024-03-25} } @online{gencay:202402:dcrat:1a97659, author = {Kerime Gencay}, title = {{DcRat Technical Analysis Report (Paywall)}}, date = {2024-02}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/dcrat-malware-analiz-raporu/}, language = {Turkish}, urldate = {2024-03-25} } @online{gencay:20240318:planet:ac0b6a5, author = {Kerime Gencay}, title = {{Planet Stealer Malware Analysis Report (Paywall)}}, date = {2024-03-18}, organization = {ThreatMon}, url = {https://threatmon.io/planet-stealer-malware-analysis-report/}, language = {English}, urldate = {2024-03-25} } @online{gencay:20240401:risepro:3fd6e29, author = {Kerime Gencay}, title = {{RisePro Stealer Malware Analysis Report}}, date = {2024-04-01}, organization = {ThreatMon}, url = {https://www.linkedin.com/posts/threatmon_risepro-stealer-malware-analysis-report-ugcPost-7180497665137221633-aUGL?utm_source=share&utm_medium=member_desktop}, language = {English}, urldate = {2024-04-02} } @online{gencay:20240403:xz:4b6b579, author = {Kerime Gencay}, title = {{XZ Utils Backdoor Research Report CVE-2024-3094}}, date = {2024-04-03}, organization = {ThreatMon}, url = {https://www.linkedin.com/posts/threatmon_xz-utils-backdoor-cve-2024-3094-activity-7181228442791641088-rw2a?utm_source=share&utm_medium=member_desktop}, language = {English}, urldate = {2024-04-04} } @techreport{gencay:20240429:understanding:7852bf1, author = {Kerime Gencay and MalwareR&DTeam}, title = {{Understanding the 'Kapeka' Backdoor: Detailed Analysis by APT44}}, date = {2024-04-29}, institution = {ThreatMon}, url = {https://threatmon.io/storage/understanding-the-kapeka-backdoor-detailed-analysis-by-apt44.pdf}, language = {English}, urldate = {2024-05-15} } @online{generale:20150413:analyzing:2a4956d, author = {CERT Societe Generale}, title = {{Analyzing Gootkit's persistence mechanism (new ASEP inside!)}}, date = {2015-04-13}, organization = {CERT Societe Generale}, url = {http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html}, language = {English}, urldate = {2020-01-13} } @online{genheimer:20190728:third:ede6ba2, author = {Marius Genheimer}, title = {{Third time's the charm? Analysing WannaCry samples}}, date = {2019-07-28}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190730:picking:cea78ea, author = {Marius Genheimer}, title = {{Picking Locky}}, date = {2019-07-30}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/picking-locky.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190731:tfw:3fa5aba, author = {Marius Genheimer}, title = {{TFW Ransomware is only your side hustle...}}, date = {2019-07-31}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html}, language = {English}, urldate = {2020-01-10} } @online{genheimer:20190810:germanwipers:96d9745, author = {Marius Genheimer}, title = {{GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!}}, date = {2019-08-10}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190907:malicious:37195ec, author = {Marius Genheimer}, title = {{Malicious RATatouille}}, date = {2019-09-07}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/malicious-ratatouille.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190924:return:f85ef19, author = {Marius Genheimer}, title = {{Return of the Mummy - Welcome back, Emotet}}, date = {2019-09-24}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191002:nicht:20adbf8, author = {Marius Genheimer}, title = {{Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)}}, date = {2019-10-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191026:earnquickbtcwithhiddentearmp4:b77f350, author = {Marius Genheimer}, title = {{Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware}}, date = {2019-10-26}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191029:osiris:55e249f, author = {Marius Genheimer}, title = {{Osiris, the god of afterlife...and banking malware?!}}, date = {2019-10-29}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191105:try:3aafee6, author = {Marius Genheimer}, title = {{Try not to stare - MedusaLocker at a glance}}, date = {2019-11-05}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191119:quick:b7c4538, author = {Marius Genheimer}, title = {{Quick and painless - Reversing DeathRansom / "Wacatac"}}, date = {2019-11-19}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191202:god:79aa57d, author = {Marius Genheimer}, title = {{God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor}}, date = {2019-12-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191211:projectexe:72f2c37, author = {Marius Genheimer}, title = {{A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376}}, date = {2019-12-11}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191214:another:7c9c60a, author = {Marius Genheimer}, title = {{Another one for the collection - Mespinoza (Pysa) Ransomware}}, date = {2019-12-14}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html}, language = {English}, urldate = {2020-01-26} } @online{genheimer:20191223:i:516e8d0, author = {Marius Genheimer}, title = {{I literally can't think of a fitting pun - MrDec Ransomware}}, date = {2019-12-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200102:nice:266b137, author = {Marius Genheimer}, title = {{"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware}}, date = {2020-01-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200109:not:187b390, author = {Marius Genheimer}, title = {{Not so nice after all - Afrodita Ransomware}}, date = {2020-01-09}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200123:opposite:b471c6b, author = {Marius Genheimer}, title = {{The Opposite of Fileless Malware - NodeJS Ransomware}}, date = {2020-01-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200318:why:545326b, author = {Marius Genheimer}, title = {{Why would you even bother?! - JavaLocker}}, date = {2020-03-18}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200320:jamba:9d5bb76, author = {Marius Genheimer}, title = {{Jamba Superdeal: Helo Sir, you want to buy mask? - Corona Safety Mask SMS Scam}}, date = {2020-03-20}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200413:blame:b258b2b, author = {Marius Genheimer}, title = {{The Blame Game - About False Flags and overwritten MBRs}}, date = {2020-04-13}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html}, language = {English}, urldate = {2020-04-15} } @online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} } @online{genheimer:20201223:between:e482082, author = {Marius Genheimer}, title = {{Between a rock and a hard place - Exploring Mount Locker Ransomware}}, date = {2020-12-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html}, language = {English}, urldate = {2021-01-21} } @online{genheimer:20210109:ezuriunpack:59f3343, author = {Marius Genheimer}, title = {{ezuri_unpack}}, date = {2021-01-09}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/ezuri_unpack}, language = {English}, urldate = {2021-01-11} } @online{genheimer:20210705:revil:7f67df1, author = {Marius Genheimer}, title = {{REvil Linux Configuration Extractor}}, date = {2021-07-05}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/REconfig-linux}, language = {English}, urldate = {2021-07-05} } @online{genheimer:20211114:static:944e6c7, author = {Marius Genheimer}, title = {{A static config extractor for the main component of DanaBot}}, date = {2021-11-14}, organization = {Twitter (@f0wlsec)}, url = {https://twitter.com/f0wlsec/status/1459892481760411649}, language = {English}, urldate = {2021-11-19} } @online{genheimer:20211210:blackcatconf:1720a59, author = {Marius Genheimer}, title = {{BlackCatConf - Static Configuration Extractor for BlackCat Ransomware}}, date = {2021-12-10}, organization = {Dissecting Malware}, url = {https://github.com/f0wl/blackCatConf}, language = {English}, urldate = {2022-01-10} } @online{genheimer:20220316:quick:f97769c, author = {Marius Genheimer}, title = {{Quick revs: Pandora Ransomware - The Box has been open for a while...}}, date = {2022-03-16}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/blog/pandora/}, language = {English}, urldate = {2022-03-17} } @online{genians:20250304:analysis:3fce082, author = {Genians}, title = {{Analysis of Kimsuky Group association with emergency martial arts-themed APT attack}}, date = {2025-03-04}, organization = {Genians}, url = {https://www.genians.co.kr/blog/threat_intelligence/apt-attacks-martial-law}, language = {Korean}, urldate = {2025-03-07} } @online{genians:20250512:analysis:39f0a62, author = {Genians}, title = {{Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)}}, date = {2025-05-12}, organization = {Genians}, url = {https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story}, language = {English}, urldate = {2025-05-20} } @online{genians:20250609:analysis:2bad527, author = {Genians}, title = {{Analysis of the Triple Combo Threat of the Kimsuky Group}}, date = {2025-06-09}, organization = {Genians}, url = {https://www.genians.co.kr/en/blog/threat_intelligence/triple-combo}, language = {English}, urldate = {2025-06-11} } @online{gennari:20211101:two:a38e7a4, author = {Jeffrey Gennari}, title = {{Two Tools for Malware Analysis and Reverse Engineering in Ghidra}}, date = {2021-11-01}, organization = {Software Engineering Institute}, url = {https://insights.sei.cmu.edu/blog/two-tools-for-malware-analysis-and-reverse-engineering-in-ghidra/}, language = {English}, urldate = {2021-11-08} } @online{george:20210617:analysis:6e4b8ac, author = {Brandon George}, title = {{Analysis of Hancitor – When Boring Begets Beacon}}, date = {2021-06-17}, organization = {Binary Defense}, url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon}, language = {English}, urldate = {2021-06-22} } @online{georgia:20200901:us:69ac101, author = {U.S. Embassy in Georgia}, title = {{U.S. Embassy statement on September 1, 2020 cyberattack against Georgian Ministry of Health}}, date = {2020-09-01}, organization = {U.S. Embassy in Georgia}, url = {https://ge.usembassy.gov/u-s-embassy-statement-on-september-1-2020-cyberattack-against-georgian-ministry-of-health/}, language = {English}, urldate = {2020-09-06} } @online{georgia:20220413:court:368da90, author = {UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA}, title = {{Court order for taking down Zloader Infrastructure}}, date = {2022-04-13}, organization = {UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA}, url = {https://noticeofpleadings.com/zloader/}, language = {English}, urldate = {2022-04-20} } @online{georgiev:20191011:7:a4962f1, author = {Roman Georgiev}, title = {{За российскими дипломатами 7 лет следят с помощью шпионского ПО}}, date = {2019-10-11}, organization = {c news}, url = {https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami}, language = {Russian}, urldate = {2019-11-29} } @online{gheorghe:20160705:new:8f65d0c, author = {Alexandra Gheorghe}, title = {{New Backdoor Allows Full Access to Mac Systems, Bitdefender Warns}}, date = {2016-07-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/}, language = {English}, urldate = {2020-01-08} } @online{ghita:20210628:new:85c558c, author = {Alexandru Ghita}, title = {{New Ransomware Variant Uses Golang Packer}}, date = {2021-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/}, language = {English}, urldate = {2021-06-29} } @online{ghost:20211029:pink:1464c64, author = {Ghost}, title = {{Pink, a botnet that competed with the vendor to control the massive infected devices}}, date = {2021-10-29}, organization = {360 netlab}, url = {https://blog.netlab.360.com/pink-en/}, language = {English}, urldate = {2021-11-03} } @online{ghost:20220225:details:66e35e3, author = {Ghost}, title = {{Details of the DDoS attacks we have seen recently against Ukraine and Russia}}, date = {2022-02-25}, organization = {360 netlab}, url = {https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/}, language = {Chinese}, urldate = {2022-03-01} } @online{ghost:20220225:some:268b2df, author = {Ghost}, title = {{Some details of the DDoS attacks targeting Ukraine and Russia in recent days}}, date = {2022-02-25}, organization = {360 netlab}, url = {https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/}, language = {English}, urldate = {2022-03-02} } @online{ghoulsec:20201203:mal:8f39c1a, author = {GhouLSec}, title = {{[Mal Series #13] Darkside Ransom}}, date = {2020-12-03}, organization = {Medium GhouLSec}, url = {https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6}, language = {English}, urldate = {2021-01-26} } @online{gi7w0rm:20220217:tweets:a96e458, author = {Gi7w0rm}, title = {{Tweets on win.prometei caught via Cowrie}}, date = {2022-02-17}, organization = {Twitter (@Honeymoon_IoC)}, url = {https://twitter.com/honeymoon_ioc/status/1494311182550904840}, language = {English}, urldate = {2022-02-17} } @online{gi7w0rm:20221220:twitter:82cd3da, author = {Gi7w0rm}, title = {{Twitter posts discussing recent sighting of Laplas}}, date = {2022-12-20}, organization = {Twitter (@Gi7w0rm)}, url = {https://twitter.com/Gi7w0rm/status/1604999633792647169}, language = {English}, urldate = {2022-12-20} } @online{gi7w0rm:20230118:long:7a6333e, author = {Gi7w0rm}, title = {{A long way to SectopRat}}, date = {2023-01-18}, organization = {Twitter (@Gi7w0rm)}, url = {https://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8}, language = {English}, urldate = {2023-01-18} } @online{gi7w0rm:20230608:dynamicrat:232d63a, author = {Gi7w0rm}, title = {{DynamicRAT — A full-fledged Java Rat}}, date = {2023-06-08}, url = {https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694}, language = {English}, urldate = {2023-06-09} } @online{gi7w0rm:20230708:cloudeye:1fba0b1, author = {Gi7w0rm}, title = {{CloudEyE — From .lnk to Shellcode}}, date = {2023-07-08}, url = {https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877}, language = {English}, urldate = {2023-07-10} } @online{gi7w0rm:20230908:uncovering:e0089d9, author = {Gi7w0rm}, title = {{Uncovering DDGroup — A long-time threat actor}}, date = {2023-09-08}, url = {https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4}, language = {English}, urldate = {2023-09-08} } @online{gi7w0rm:20240613:operation:e61c394, author = {Gi7w0rm and Asheer Malhotra and Vitor Ventura}, title = {{Operation Celestial Force employs mobile and desktop malware to target Indian entities}}, date = {2024-06-13}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/cosmic-leopard/}, language = {English}, urldate = {2024-10-18} } @online{giacobozzi:20241109:bluehat:2618c54, author = {Rachel Giacobozzi}, title = {{BlueHat 2024: S17: MSTIC - A Threat Intelligence Year in Review}}, date = {2024-11-09}, organization = {Youtube (Microsoft Security Response Center (MSRC))}, url = {https://youtu.be/U7p0J8aMZhM?t=193}, language = {English}, urldate = {2025-03-05} } @online{giacobozzi:20241109:bluehat:abf7f14, author = {Rachel Giacobozzi}, title = {{BlueHat 2024: S17: MSTIC - A Threat Intelligence Year in Review}}, date = {2024-11-09}, organization = {Microsoft}, url = {https://www.youtube.com/watch?v=U7p0J8aMZhM&t=193s}, language = {English}, urldate = {2025-03-05} } @online{giagone:20171120:cobalt:fb5c2ed, author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin}, title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}}, date = {2017-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/}, language = {English}, urldate = {2019-10-29} } @online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } @online{giang:20200330:emotet:6034d14, author = {Nguyen Hoang Giang and Mingwei Zhang}, title = {{Emotet: Dangerous Malware Keeps on Evolving}}, date = {2020-03-30}, organization = {Symantec}, url = {https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de}, language = {English}, urldate = {2020-04-01} } @online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } @online{gibson:20220126:log4u:3f2992b, author = {Ryan Gibson and Codi Starks and Will Ikard}, title = {{Log4U, Shell4Me}}, date = {2022-01-26}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/log4u-shell4me}, language = {English}, urldate = {2022-01-31} } @online{giczewski:20201117:trickbot:1bbf92a, author = {Robert Giczewski}, title = {{Trickbot tricks again}}, date = {2020-11-17}, organization = {malware.love}, url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html}, language = {English}, urldate = {2020-11-19} } @online{giczewski:20201122:trickbot:06baa84, author = {Robert Giczewski}, title = {{Trickbot tricks again [UPDATE]}}, date = {2020-11-22}, organization = {malware.love}, url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html}, language = {English}, urldate = {2020-11-23} } @online{giczewski:20201127:having:7cd6ae8, author = {Robert Giczewski}, title = {{Having fun with a Ursnif VBS dropper}}, date = {2020-11-27}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html}, language = {English}, urldate = {2020-12-01} } @online{giczewski:20210519:python:68d9fc6, author = {Robert Giczewski}, title = {{Python stealer distribution via excel maldoc}}, date = {2021-05-19}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/2021/05/19/unknown-python-stealer.html}, language = {English}, urldate = {2021-05-25} } @online{giczewski:20230212:truebot:80ae897, author = {Robert Giczewski}, title = {{TrueBot Analysis Part I - A short glimpse into packed TrueBot samples}}, date = {2023-02-12}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html}, language = {English}, urldate = {2023-02-21} } @online{giczewski:20230218:truebot:f49edbb, author = {Robert Giczewski}, title = {{TrueBot Analysis Part II - Static unpacker}}, date = {2023-02-18}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html}, language = {English}, urldate = {2023-02-21} } @online{giczewski:20230331:truebot:ec9e860, author = {Robert Giczewski}, title = {{TrueBot Analysis Part III - Capabilities}}, date = {2023-03-31}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html}, language = {English}, urldate = {2023-04-03} } @online{giczewski:20230713:truebot:784a076, author = {Robert Giczewski}, title = {{TrueBot Analysis Part IV - Config Extraction}}, date = {2023-07-13}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html}, language = {English}, urldate = {2023-10-09} } @online{gielewska:20210813:ghostwriter:d39a4a6, author = {Anna Gielewska and Julia Dauksza}, title = {{The Ghostwriter Scenario (UNC1151)}}, date = {2021-08-13}, organization = {vsquare}, url = {https://vsquare.org/the-ghostwriter-scenario/}, language = {English}, urldate = {2021-08-25} } @online{gielewska:20220319:behind:67036b9, author = {Anna Gielewska and Julia Dauksza and Konrad Szczygieł}, title = {{Behind the hack-and-leak scandal in Poland (UNC1151)}}, date = {2022-03-19}, organization = {vsquare}, url = {https://vsquare.org/behind-the-hack-and-leak-scandal-in-poland/}, language = {English}, urldate = {2022-03-28} } @online{giering:20210427:flubot:3b61899, author = {Crista Giering and fnaves and Andrew Conway and Adam McNeil}, title = {{FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon}}, date = {2021-04-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon}, language = {English}, urldate = {2021-05-04} } @online{giering:20220714:above:06891ca, author = {Crista Giering and Joshua Miller and Michael Raggi and Proofpoint Threat Research Team}, title = {{Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media}}, date = {2022-07-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists}, language = {English}, urldate = {2022-07-15} } @online{giffen:20211021:initial:fb65ad9, author = {Trevor Giffen}, title = {{Initial Access Broker Landscape}}, date = {2021-10-21}, organization = {curatedintel}, url = {https://www.curatedintel.org/2021/10/initial-access-broker-landscape.html?spref=tw}, language = {English}, urldate = {2021-11-02} } @online{gihon:20220222:like:5154c54, author = {Shmuel Gihon}, title = {{Like Father Like Son? New Mars Stealer}}, date = {2022-02-22}, organization = {CyberInt}, url = {https://cyberint.com/blog/research/mars-stealer/}, language = {English}, urldate = {2022-03-23} } @online{gihon:20220619:blackguard:43ebdca, author = {Shmuel Gihon}, title = {{BlackGuard Stealer Targets the Gaming Community}}, date = {2022-06-19}, organization = {CyberInt}, url = {https://cyberint.com/blog/research/blackguard-stealer/}, language = {English}, urldate = {2022-06-22} } @online{gilberti:20201214:solarwinds:394f5d5, author = {Nick Gilberti and Tyler Hudak}, title = {{SolarWinds Orion and UNC2452 – Summary and Recommendations}}, date = {2020-12-14}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/}, language = {English}, urldate = {2020-12-16} } @online{gilboa:20211027:evading:4950377, author = {Asaf Gilboa}, title = {{Evading EDR Detection with Reentrancy Abuse}}, date = {2021-10-27}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/evading-antivirus-detection-with-inline-hooks}, language = {English}, urldate = {2021-11-19} } @online{giles:20220714:rapid:f667bce, author = {Alexander Giles}, title = {{Rapid Response: The Ngrok Incident Guide}}, date = {2022-07-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/07/14/rapid-response-the-ngrok-incident-guide/}, language = {English}, urldate = {2022-07-25} } @online{gill:20220421:understanding:65e50fe, author = {Andy Gill}, title = {{Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6}}, date = {2022-04-21}, organization = {ZeroSec}, url = {https://blog.zsec.uk/cobalt-strike-profiles/}, language = {English}, urldate = {2022-04-24} } @online{gillespie:20160811:smrss32:0f85a72, author = {Michael Gillespie}, title = {{Smrss32 (.encrypted) Ransomware Help & Support - _HOW_TO_Decrypt.bmp}}, date = {2016-08-11}, organization = {BleepingComputer Forums}, url = {https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/}, language = {English}, urldate = {2019-07-09} } @online{gillespie:20180306:cryakl:4a313ab, author = {Michael Gillespie}, title = {{Tweet on Cryakl}}, date = {2018-03-06}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/971164798376468481}, language = {English}, urldate = {2020-01-07} } @online{gillespie:20181117:analyzing:7ff3264, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Reversing Basic .NET Ransomware}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=7gCU31ScJgk}, language = {English}, urldate = {2020-01-08} } @online{gillespie:20181117:analyzing:ecd5641, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Beginner Static Analysis}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=9nuo-AGg4p4}, language = {English}, urldate = {2021-12-13} } @online{gillespie:20200923:ironcat:12f0892, author = {Michael Gillespie}, title = {{Tweet on Ironcat (Sodinokibi imposter)}}, date = {2020-09-23}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/1308827693312548864}, language = {English}, urldate = {2020-09-24} } @online{ginty:20200821:pinchy:24fe21a, author = {Steve Ginty}, title = {{Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace}}, date = {2020-08-21}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/3315064b}, language = {English}, urldate = {2020-09-01} } @online{ginty:20201014:wellmarked:9176303, author = {Steve Ginty and Jon Gross}, title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}}, date = {2020-10-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f0320980}, language = {English}, urldate = {2020-10-23} } @online{ginty:20201028:domain:a285cb1, author = {Steve Ginty}, title = {{Domain Impersonation Targets Saudi Arabian Government Ministries}}, date = {2020-10-28}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/4fff4b0f}, language = {English}, urldate = {2020-11-02} } @online{girnus:20230117:earth:f1cba60, author = {Peter Girnus and Aliakbar Zahravi}, title = {{Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures}}, date = {2023-01-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html}, language = {English}, urldate = {2023-01-19} } @online{girnus:20231120:cve202346604:a07428f, author = {Peter Girnus}, title = {{CVE-2023-46604 (Apache ActiveMQ) Exploited to Infect Systems With Cryptominers and Rootkits}}, date = {2023-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html}, language = {English}, urldate = {2023-11-23} } @online{girnus:20240112:cve202336025:c7ccbab, author = {Peter Girnus and Aliakbar Zahravi and Simon Zuckerbraun}, title = {{CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign}}, date = {2024-01-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html}, language = {English}, urldate = {2024-01-26} } @online{girnus:20240213:water:be3f22e, author = {Peter Girnus and Aliakbar Zahravi and Simon Zuckerbraun}, title = {{Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day}}, date = {2024-02-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html}, language = {English}, urldate = {2024-02-14} } @online{girnus:20240313:cve202421412:6a1f397, author = {Peter Girnus and Aliakbar Zahravi and Simon Zuckerbraun}, title = {{CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign}}, date = {2024-03-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html}, language = {English}, urldate = {2024-03-18} } @online{girnus:20240715:cve202438112:055fadc, author = {Peter Girnus and Aliakbar Zahravi}, title = {{CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks}}, date = {2024-07-15}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html}, language = {English}, urldate = {2024-07-22} } @online{girnus:20240715:cve202438112:f8b93f1, author = {Peter Girnus and Aliakbar Zahravi}, title = {{CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks}}, date = {2024-07-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html?}, language = {English}, urldate = {2024-07-22} } @online{girnus:20250204:cve20250411:ce9b083, author = {Peter Girnus}, title = {{CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks}}, date = {2025-02-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html}, language = {English}, urldate = {2025-02-06} } @online{giuliani:20110709:zeroaccess:1827c67, author = {Marco Giuliani}, title = {{ZeroAccess – an advanced kernel mode rootkit}}, date = {2011-07-09}, organization = {Prevx}, url = {https://malwaretips.com/attachments/zeroaccess_analysis-pdf.606/}, language = {English}, urldate = {2025-06-20} } @online{giuliani:20110913:mebromi:2d33f8d, author = {Marco Giuliani}, title = {{Mebromi: the first BIOS rootkit in the wild}}, date = {2011-09-13}, organization = {Webroot}, url = {https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{giuseppe:20220105:sidecopy:546a0eb, author = {Claudio Di Giuseppe}, title = {{SIDECOPY APT: From Windows to *nix}}, date = {2022-01-05}, organization = {Telsy}, url = {https://www.telsy.com/sidecopy-apt-from-windows-to-nix/}, language = {English}, urldate = {2022-01-10} } @techreport{giusto:20210517:sex:a7a21b4, author = {Denise Giusto and Cecilia Pastorino}, title = {{Sex in the Digital Era: How Secure are Smart Sex Toys?}}, date = {2021-05-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_android_stalkerware_vulnerabilities.pdf}, language = {English}, urldate = {2021-05-19} } @online{glass:20240611:play:1f57a36, author = {George Glass and Laurie Iacono and Keith Wojcieszek}, title = {{PLAY Ransomware Group Gains Access via Citrix Bleed Vulnerability}}, date = {2024-06-11}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/play-ransomware-gains-access-citrix-bleed-vulnerability}, language = {English}, urldate = {2025-01-20} } @online{glass:20240814:redlinestealer:2c44b25, author = {George Glass and Laurie Iacono and Keith Wojcieszek}, title = {{REDLINESTEALER Malware Driving the Initial Access Broker Market}}, date = {2024-08-14}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/redlinestealer-malware}, language = {English}, urldate = {2025-01-20} } @online{glass:20241112:lummastealer:519626e, author = {George Glass and Ryan Hicks}, title = {{LUMMASTEALER Delivered Via PowerShell Social Engineering}}, date = {2024-11-12}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/lummastealer-delivered-via-powershell-social-engineering}, language = {English}, urldate = {2025-01-20} } @online{glass:20241118:carbanak:a41472b, author = {George Glass and Dave Truman}, title = {{CARBANAK (aka ANUNAK) Distributed via IDATLOADER (aka HIJACKLOADER)}}, date = {2024-11-18}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/carbanak-anunak-distributed-via-idatloader-hijackloader}, language = {English}, urldate = {2025-01-20} } @online{glass:20250502:prelude:911699f, author = {George Glass and Dave Truman and Marc Messer}, title = {{Prelude: Crypto Heist Causes HAVOC}}, date = {2025-05-02}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/prelude-crypto-heist-causes-havoc}, language = {English}, urldate = {2025-05-20} } @online{gleicher:20200922:removing:8fe26cd, author = {Nathaniel Gleicher}, title = {{Removing Coordinated Inauthentic Behavior}}, date = {2020-09-22}, organization = {Facebook}, url = {https://about.fb.com/news/2020/09/removing-coordinated-inauthentic-behavior-china-philippines/}, language = {English}, urldate = {2020-09-24} } @online{gleicher:20200924:removing:595f9bf, author = {Nathaniel Gleicher}, title = {{Removing Coordinated Inauthentic Behavior}}, date = {2020-09-24}, organization = {Facebook}, url = {https://about.fb.com/news/2020/09/removing-coordinated-inauthentic-behavior-russia/}, language = {English}, urldate = {2020-09-25} } @online{gleicher:20201210:taking:8581c10, author = {Nathaniel Gleicher and Mike Dvilyanski}, title = {{Taking Action Against Hackers in Bangladesh and Vietnam}}, date = {2020-12-10}, organization = {Facebook}, url = {https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam}, language = {English}, urldate = {2020-12-15} } @online{gleicher:20201210:taking:fd014bd, author = {Nathaniel Gleicher and Mike Dvilyanski}, title = {{Taking Action Against Hackers in Bangladesh and Vietnam}}, date = {2020-12-10}, organization = {Facebook}, url = {https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/}, language = {English}, urldate = {2020-12-11} } @online{gleicher:20201215:removing:6d0ca62, author = {Nathaniel Gleicher and David Agranovich}, title = {{Removing Coordinated Inauthentic Behavior from France and Russia}}, date = {2020-12-15}, organization = {Facebook}, url = {https://about.fb.com/news/2020/12/removing-coordinated-inauthentic-behavior-france-russia/}, language = {English}, urldate = {2020-12-18} } @online{gleicher:20210616:removing:f504d5d, author = {Nathaniel Gleicher}, title = {{Removing Coordinated Inauthentic Behavior From Ethiopia}}, date = {2021-06-16}, organization = {Facebook}, url = {https://about.fb.com/news/2021/06/removing-coordinated-inauthentic-behavior-from-ethiopia/}, language = {English}, urldate = {2021-06-21} } @online{gler:20230809:understanding:3bdab25, author = {Emre Güler}, title = {{Understanding BumbleBee: The delivery of Bumblee}}, date = {2023-08-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/understanding-bumblebee-loader-the-delivery/}, language = {English}, urldate = {2024-01-15} } @online{gler:20230818:understanding:588ce3c, author = {Emre Güler}, title = {{Understanding BumbleBee: The malicious behavior of BumbleBee}}, date = {2023-08-18}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/understanding-bumblebee-the-malicious-behavior/}, language = {English}, urldate = {2024-01-15} } @online{gler:20230901:understanding:31a1541, author = {Emre Güler}, title = {{Understanding BumbleBee: BumbleBee’s malware configuration and clusters}}, date = {2023-09-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/understanding-bumblebee-the-malware-configuration-and-clusters/}, language = {English}, urldate = {2024-01-15} } @online{glimps:20220713:lockbit:c4e0803, author = {GLIMPS}, title = {{Lockbit 3.0}}, date = {2022-07-13}, organization = {GLIMPS}, url = {https://www.glimps.fr/lockbit3-0/}, language = {French}, urldate = {2022-07-18} } @online{glimps:20230414:lockbit:093a8a2, author = {GLIMPS}, title = {{Lockbit changes color}}, date = {2023-04-14}, organization = {GLIMPS}, url = {https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/}, language = {French}, urldate = {2023-04-22} } @online{global:20171027:big:916374a, author = {F-Secure Global}, title = {{The big difference with Bad Rabbit}}, date = {2017-10-27}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/}, language = {English}, urldate = {2020-01-07} } @online{global:20190328:analysis:8b788ab, author = {F-Secure Global}, title = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}}, date = {2019-03-28}, organization = {F-Secure}, url = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/}, language = {English}, urldate = {2020-01-08} } @online{global:20190417:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2019-04-17}, organization = {Malware Reversing Blog}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2024-10-14} } @online{glover:20220714:expert:ebfc173, author = {Claudia Glover}, title = {{Expert doubts Altahrea Team’s claims about Israel power plant fire}}, date = {2022-07-14}, organization = {TechMonitor}, url = {https://techmonitor.ai/technology/cybersecurity/alahrea-team-power-plant-fire-israel}, language = {English}, urldate = {2023-11-27} } @online{glozshtein:20210308:investigating:7454f88, author = {Yonit Glozshtein}, title = {{Investigating the Print Spooler EoP exploitation}}, date = {2021-03-08}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/investigating-the-print-spooler-eop-exploitation/ba-p/2166463}, language = {English}, urldate = {2021-03-11} } @online{glushko:20240531:proven:5a26173, author = {Bogdan Glushko}, title = {{Proven Data Restores PowerHost’s VMware Backups After SEXi Ransomware Attack}}, date = {2024-05-31}, organization = {Cybersecurity Insiders}, url = {https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/}, language = {English}, urldate = {2024-12-11} } @online{glyc3rius:20231003:stealc:9085f93, author = {Glyc3rius}, title = {{Stealc Malware Analysis}}, date = {2023-10-03}, url = {https://glyc3rius.github.io/2023/10/stealc/}, language = {English}, urldate = {2023-10-09} } @online{glyc3rius:20240211:analysing:810de11, author = {Glyc3rius}, title = {{Analysing STOP Ransomware}}, date = {2024-02-11}, organization = {glyc3rius.github.io}, url = {https://glyc3rius.github.io/2024/02/stop/}, language = {English}, urldate = {2024-02-13} } @online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } @online{glyer:20220111:cn:250fa8a, author = {Christopher Glyer}, title = {{Tweet on CN based ransomware operator using log4shell to deploy NightSky}}, date = {2022-01-11}, organization = {Twitter (@cglyer)}, url = {https://twitter.com/cglyer/status/1480734487000453121}, language = {English}, urldate = {2022-07-25} } @online{glyer:20220111:thread:ae5ec3d, author = {Christopher Glyer}, title = {{Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware}}, date = {2022-01-11}, organization = {Twitter (@cglyer)}, url = {https://twitter.com/cglyer/status/1480742363991580674}, language = {English}, urldate = {2022-01-25} } @online{glyer:20220711:lapsusdev0537:2f66745, author = {Christopher Glyer}, title = {{Tweet on LAPSUS$/DEV-0537}}, date = {2022-07-11}, organization = {Twitter (@cglyer)}, url = {https://twitter.com/cglyer/status/1546297609215696897}, language = {English}, urldate = {2024-02-08} } @online{glyer:20230202:lions:b21e15a, author = {Christopher Glyer and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Lions, Tigers, and Infostealers - Oh my!}}, date = {2023-02-02}, organization = {YouTube (SLEUTHCON)}, url = {https://www.youtube.com/watch?v=NI_Yw2t9zoo}, language = {English}, urldate = {2023-04-25} } @online{gmbh:20210517:icedidanalysis:e985983, author = {Deutsche Telekom Security GmbH}, title = {{icedid_analysis}}, date = {2021-05-17}, organization = {Github (telekom-security)}, url = {https://github.com/telekom-security/icedid_analysis}, language = {English}, urldate = {2021-05-17} } @online{goddard:20211117:proxynoshell:c2b592e, author = {Joshua Goddard}, title = {{ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities}}, date = {2021-11-17}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities}, language = {English}, urldate = {2021-11-19} } @online{goet:20200110:hitchhikers:03fefe9, author = {Maarten Goet}, title = {{A hitchhikers guide to the cybersecurity galaxy}}, date = {2020-01-10}, organization = {Youtube (Azure Thursday)}, url = {https://www.youtube.com/watch?v=fBFm2fiEPTg}, language = {English}, urldate = {2020-06-16} } @online{gol:20231026:threat:21d8507, author = {parth gol}, title = {{Threat Hunting: Detecting Browser Credential Stealing [T1555.003]}}, date = {2023-10-26}, organization = {Fourcore}, url = {https://fourcore.io/blogs/threat-hunting-browser-credential-stealing}, language = {English}, urldate = {2024-04-15} } @online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } @online{gold:20140122:iran:17a7c15, author = {Steve Gold}, title = {{Iran and Russia blamed for state-sponsored espionage}}, date = {2014-01-22}, organization = {SC Magazine}, url = {https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/}, language = {English}, urldate = {2023-10-05} } @online{gold:20140122:iran:b9a3b8e, author = {Steve Gold}, title = {{Iran and Russia blamed for state-sponsored espionage}}, date = {2014-01-22}, organization = {SC Magazine}, url = {https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/}, language = {English}, urldate = {2020-06-08} } @online{gold:20220324:microsoft:1a7616f, author = {Jon Gold}, title = {{Microsoft help files repurposed to contain Vidar malware in new campaign}}, date = {2022-03-24}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html}, language = {English}, urldate = {2022-03-25} } @techreport{goldberg:201509:variant:0121be8, author = {Yakov Goldberg and Maayan Fishelov}, title = {{A Variant of the Network Worm Win32 Allaple has been Spotted in the Wild}}, date = {2015-09}, institution = {Trapx Security}, url = {https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf}, language = {English}, urldate = {2019-11-16} } @online{goldberg:20180606:operation:64e4fac, author = {Daniel Goldberg and Ofri Ziv and Mor Matal}, title = {{Operation Prowli: Monetizing 40,000 Victim Machines}}, date = {2018-06-06}, organization = {Guardicore}, url = {https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/}, language = {English}, urldate = {2019-10-14} } @online{goldberg:20200608:bondnet:b877e9a, author = {Daniel Goldberg}, title = {{The Bondnet Army}}, date = {2020-06-08}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/the-bondnet-army}, language = {English}, urldate = {2024-12-11} } @online{goldberg:20250509:lumma:4769f88, author = {Ben Goldberg and Haigh Minassian and Imane Ismail and Sushmita Shetty and Andrew Petrus}, title = {{Lumma Stealer, coming and going}}, date = {2025-05-09}, organization = {Sophos X-Ops}, url = {https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/}, language = {English}, urldate = {2025-05-20} } @online{golden:20210524:colonial:5724053, author = {Daniel Golden and Renee Dudley}, title = {{The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms}}, date = {2021-05-24}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/}, language = {English}, urldate = {2021-06-16} } @online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } @online{golderman:20210615:insights:d3fc7b6, author = {Shai Golderman}, title = {{Insights Into an Excel 4.0 Macro Attack using Qakbot Malware}}, date = {2021-06-15}, organization = {Perception Point}, url = {https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware}, language = {English}, urldate = {2021-06-21} } @online{goldsmith:20201218:selfdelusion:be7b367, author = {Jack Goldsmith}, title = {{Self-Delusion on the Russia Hack}}, date = {2020-12-18}, organization = {THE DISPATCH}, url = {https://thedispatch.com/p/self-delusion-on-the-russia-hack}, language = {English}, urldate = {2020-12-19} } @online{goliate:20150818:ransomware:be29cd4, author = {goliate}, title = {{ransomware open-sources}}, date = {2015-08-18}, organization = {Github (goliate)}, url = {https://github.com/goliate/hidden-tear}, language = {English}, urldate = {2020-01-13} } @online{golovanov:20170404:atmitch:1ed35bc, author = {Sergey Golovanov}, title = {{ATMitch: remote administration of ATMs}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/}, language = {English}, urldate = {2019-12-20} } @online{golovanov:20210303:new:a0a7492, author = {Sergey Golovanov}, title = {{New targeted RTM attacks}}, date = {2021-03-03}, organization = {Kaspersky Labs}, url = {https://securelist.ru/new-targeted-attacks-rtm/100720/}, language = {Russian}, urldate = {2021-03-04} } @online{golovin:20200109:smartphone:b68309e, author = {Igor Golovin}, title = {{Smartphone shopaholic}}, date = {2020-01-09}, organization = {Kaspersky}, url = {https://securelist.com/smartphone-shopaholic/95544/}, language = {English}, urldate = {2025-05-09} } @online{golovin:20200407:unkillable:1478367, author = {Igor Golovin}, title = {{Unkillable xHelper and a Trojan matryoshka}}, date = {2020-04-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/}, language = {English}, urldate = {2022-08-28} } @online{golovin:20200706:pig:c3a73df, author = {Igor Golovin and Anton Kivva}, title = {{Pig in a poke: smartphone adware}}, date = {2020-07-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/pig-in-a-poke-smartphone-adware/97607/}, language = {English}, urldate = {2020-07-08} } @online{golovin:20210409:malicious:dba01da, author = {Igor Golovin and Anton Kivva}, title = {{Malicious code in APKPure app}}, date = {2021-04-09}, organization = {Kaspersky}, url = {https://securelist.com/apkpure-android-app-store-infected/101845/}, language = {English}, urldate = {2021-04-12} } @online{golovin:20210824:triada:9c97294, author = {Igor Golovin}, title = {{Triada Trojan in WhatsApp MOD}}, date = {2021-08-24}, organization = {Kaspersky}, url = {https://securelist.com/triada-trojan-in-whatsapp-mod/103679/}, language = {English}, urldate = {2021-08-25} } @online{golovin:20220411:fakecalls:f777aa6, author = {Igor Golovin}, title = {{Fakecalls: a talking Trojan}}, date = {2022-04-11}, organization = {Kaspersky}, url = {https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/}, language = {English}, urldate = {2022-05-04} } @online{golovin:20220506:mobile:a4d0859, author = {Igor Golovin}, title = {{Mobile subscription Trojans and their little tricks}}, date = {2022-05-06}, organization = {Kaspersky}, url = {https://securelist.com/mobile-subscription-trojans-and-their-tricks/106412/}, language = {English}, urldate = {2022-05-08} } @online{golubin:20250623:threat:479ffa7, author = {Artem Golubin}, title = {{Threat Hunting Introduction: Cobalt Strike}}, date = {2025-06-23}, organization = {Rushter}, url = {https://rushter.com/blog/threat-hunting-cobalt-strike/}, language = {English}, urldate = {2025-06-24} } @online{gomez:20130207:ladyboyle:5927b00, author = {J. Gomez and Thoufique Haq}, title = {{LadyBoyle Comes to Town with a New Exploit}}, date = {2013-02-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html}, language = {English}, urldate = {2019-12-20} } @online{gomez:20210311:detection:e16ec1f, author = {Fran Gomez}, title = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}}, date = {2021-03-11}, organization = {DEVO}, url = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/}, language = {English}, urldate = {2021-03-12} } @online{gomez:20210513:dont:4c0730c, author = {Justin Gomez}, title = {{'Don't panic,' Biden tells Americans facing gasoline shortages from pipeline attack}}, date = {2021-05-13}, organization = {ABC News}, url = {https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212}, language = {English}, urldate = {2021-05-17} } @online{gomez:20211110:stories:4ce1168, author = {Josh Gomez}, title = {{Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!}}, date = {2021-11-10}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my}, language = {English}, urldate = {2021-11-17} } @online{gonzalez:20210806:inside:073bbcb, author = {Miguel Gonzalez and Jesus Dominguez}, title = {{Inside DarkSide, the ransomware that attacked Colonial Pipeline}}, date = {2021-08-06}, organization = {metabaseq}, url = {https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#}, language = {Spanish}, urldate = {2022-04-05} } @online{gonzalez:20220509:examining:c372e74, author = {Ieriz Nicolle Gonzalez and Ivan Nicole Chavez and Katherine Casona and Nathaniel Morales}, title = {{Examining the Black Basta Ransomware’s Infection Routine}}, date = {2022-05-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html}, language = {English}, urldate = {2022-05-17} } @online{gonzalez:20220602:yourcyanide:0e8d1cb, author = {Ieriz Nicolle Gonzalez and Nathaniel Morales and Monte de Jesus}, title = {{YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation}}, date = {2022-06-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html}, language = {English}, urldate = {2022-06-07} } @online{gonzalez:20220804:formbook:f3addb8, author = {Stu Gonzalez}, title = {{Formbook and Remcos Backdoor RAT by ConnectWise CRU}}, date = {2022-08-04}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/formbook-remcos-rat}, language = {English}, urldate = {2022-08-08} } @online{goodin:20110914:malware:c1e8db0, author = {Dan Goodin}, title = {{Malware burrows deep into computer BIOS to escape AV}}, date = {2011-09-14}, organization = {The Register}, url = {http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/}, language = {English}, urldate = {2020-01-06} } @online{goodin:20150216:how:4e36cde, author = {Dan Goodin}, title = {{How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last}}, date = {2015-02-16}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/}, language = {English}, urldate = {2019-12-06} } @online{goodin:20150415:elite:eaaea2d, author = {Dan Goodin}, title = {{Elite cyber crime group strikes back after attack by rival APT gang}}, date = {2015-04-15}, organization = {Ars Technica}, url = {http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/}, language = {English}, urldate = {2019-11-29} } @online{goodin:20170118:newly:2b58256, author = {Dan Goodin}, title = {{Newly discovered Mac malware found in the wild also works well on Linux}}, date = {2017-01-18}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20170725:perverse:998aed8, author = {Dan Goodin}, title = {{“Perverse” malware infecting hundreds of Macs remained undetected for years}}, date = {2017-07-25}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20180418:tens:ad8fd3a, author = {Dan Goodin}, title = {{Tens of thousands of Facebook accounts compromised in days by malware}}, date = {2018-04-18}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/}, language = {English}, urldate = {2019-11-23} } @online{goodin:20190606:google:f1f32d4, author = {Dan Goodin}, title = {{Google confirms that advanced backdoor came preinstalled on Android devices}}, date = {2019-06-06}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20240126:life:81e9ee4, author = {Dan Goodin}, title = {{The life and times of Cozy Bear, the Russian hackers who just hit Microsoft and HPE}}, date = {2024-01-26}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2024/01/the-life-and-times-of-cozy-bear-the-russian-hackers-who-just-hit-microsoft-and-hpe/}, language = {English}, urldate = {2024-02-09} } @online{goodwin:20210715:fighting:7732e75, author = {Cristin Goodwin}, title = {{Fighting cyberweapons built by private businesses}}, date = {2021-07-15}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/}, language = {English}, urldate = {2021-07-20} } @online{goodwin:20211103:understanding:01669de, author = {Cristin Goodwin}, title = {{Understanding Nation State Threats}}, date = {2021-11-03}, organization = {Microsoft}, url = {https://myignite.microsoft.com/sessions/bab2fd78-cb64-4630-910d-559eb3c9fd5f?source=sessions}, language = {English}, urldate = {2021-11-08} } @online{goodwin:20220222:crowdstrike:0518322, author = {Joseph Goodwin and Aspen Lindblom}, title = {{CrowdStrike Research Investigates Exploit Behavior to Strengthen Customer Protection}}, date = {2022-02-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/exploit-research-strengthens-customer-protection/}, language = {English}, urldate = {2022-03-02} } @online{goodwin:20221031:icedids:df089be, author = {Seth Goodwin and Derek Ditch and Daniel Stepanic and Andrew Pease}, title = {{ICEDIDs network infrastructure is alive and well}}, date = {2022-10-31}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well}, language = {English}, urldate = {2022-11-02} } @online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } @online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } @online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } @online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } @online{goody:20230203:float:5150a2b, author = {Kimberly Goody and Genevieve Stark}, title = {{Float Like a Butterfly Sting Like a Bee}}, date = {2023-02-03}, organization = {Mandiant}, url = {https://www.youtube.com/watch?v=pIXl79IPkLI}, language = {English}, urldate = {2023-02-21} } @techreport{google:20211207:complaint:f4ad8d1, author = {Google}, title = {{Complaint for Damages and Injunctive Relief against DMITRY STAROVIKOV and ALEXANDER FILIPPOV}}, date = {2021-12-07}, institution = {Google}, url = {https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf}, language = {English}, urldate = {2021-12-08} } @techreport{google:20230426:cryptbot:ea44d7c, author = {Google}, title = {{CryptBot complaint against Zubair Saeed, Raheel Arshad and Mohammad Rasheed Siddiqui}}, date = {2023-04-26}, institution = {United States District Court (Southern District of New York)}, url = {https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf}, language = {English}, urldate = {2023-05-02} } @online{google:20240813:finding:6fba44f, author = {Google}, title = {{Finding Malware: Unveiling NUMOZYLOD with Google Security Operations}}, date = {2024-08-13}, organization = {Google}, url = {https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551}, language = {English}, urldate = {2024-08-19} } @online{gootloadersites:20230105:gootloader:7f1b176, author = {gootloadersites}, title = {{Gootloader Command & Control}}, date = {2023-01-05}, url = {https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/}, language = {English}, urldate = {2023-07-28} } @online{gootloadersites:20230105:what:96f644b, author = {gootloadersites}, title = {{What is Gootloader?}}, date = {2023-01-05}, url = {https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/}, language = {English}, urldate = {2023-07-28} } @online{gootloadersites:20240214:mygame:6115568, author = {gootloadersites}, title = {{My-Game Retired? Latest Changes to Gootloader}}, date = {2024-02-14}, organization = {GootLoader Wordpress}, url = {https://gootloader.wordpress.com/2024/02/14/my-game-retired-latest-changes-to-gootloader/}, language = {English}, urldate = {2024-02-16} } @online{gootloadersites:20240624:gootloaders:dd3a6a6, author = {gootloadersites}, title = {{Gootloader’s New Hideout Revealed: The Malware Hunt in WordPress’ Shadows}}, date = {2024-06-24}, organization = {GootLoader Wordpress}, url = {https://gootloader.wordpress.com/2024/06/24/gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows/}, language = {English}, urldate = {2024-06-24} } @online{gootloadersites:20250331:gootloader:0f2ef07, author = {gootloadersites}, title = {{Gootloader Returns: Malware Hidden in Google Ads for Legal Documents}}, date = {2025-03-31}, organization = {GootLoader Wordpress}, url = {https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/}, language = {English}, urldate = {2025-04-01} } @online{gordon:20200510:intro:f42bbd3, author = {Daniel Gordon}, title = {{Intro Sec Con 2020: Daniel Gordon - Threat Intelligence 101}}, date = {2020-05-10}, organization = {YouTube ( IntroSecCon Videos)}, url = {https://www.youtube.com/watch?v=CdpRTWYN-ro}, language = {English}, urldate = {2021-02-24} } @online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } @online{gordon:20201028:many:6ac3611, author = {Daniel Gordon and Brett Winterford}, title = {{The many personalities of Lazarus}}, date = {2020-10-28}, organization = {Risky.biz}, url = {https://risky.biz/laz/}, language = {English}, urldate = {2020-11-02} } @online{gordon:20210119:oh:9ab2636, author = {Daniel Gordon}, title = {{Oh, So You Got IOCs? Being a Good CTI Consumer}}, date = {2021-01-19}, organization = {Medium validhorizon}, url = {https://validhorizon.medium.com/oh-so-you-got-iocs-being-a-good-cti-consumer-ef7e104dbbd6}, language = {English}, urldate = {2021-02-06} } @online{gordon:20210307:russian:92027af, author = {Michael R. Gordon and Dustin Volz}, title = {{Russian Disinformation Campaign Aims to Undermine Confidence in Pfizer, Other Covid-19 Vaccines, U.S. Officials Say}}, date = {2021-03-07}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/russian-disinformation-campaign-aims-to-undermine-confidence-in-pfizer-other-covid-19-vaccines-u-s-officials-say-11615129200}, language = {English}, urldate = {2021-03-10} } @online{gordon:20210415:us:9e1a6eb, author = {Michael R. Gordon and Vivian Salama and Anna Hirtenstein}, title = {{U.S. Puts Fresh Sanctions on Russia Over Hacking, Election Interference}}, date = {2021-04-15}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/biden-signs-executive-order-targeting-harmful-foreign-activities-by-russian-government-11618490399}, language = {English}, urldate = {2021-04-16} } @online{gorelik:20170416:morphisec:e6a75af, author = {Michael Gorelik}, title = {{Morphisec Discovers New Fileless Attack Framework}}, date = {2017-04-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/fileless-attack-framework-discovery}, language = {English}, urldate = {2023-06-19} } @online{gorelik:20170427:iranian:4ab7f08, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2020-07-30} } @online{gorelik:20170427:iranian:827f6f3, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170609:fin7:3b251c4, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20170918:morphisec:501cc93, author = {Michael Gorelik}, title = {{Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users}}, date = {2017-09-18}, organization = {Morphisec}, url = {http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20171013:fin7:36ef13a, author = {Michael Gorelik}, title = {{FIN7 Dissected: Hackers Accelerate Pace of Innovation}}, date = {2017-10-13}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attack-modifications-revealed}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20171013:fin7:d52a75d, author = {Michael Gorelik}, title = {{FIN7 Dissected: Hackers Accelerate Pace of Innovation}}, date = {2017-10-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attack-modifications-revealed}, language = {English}, urldate = {2019-11-29} } @online{gorelik:20181008:cobalt:dece0e0, author = {Michael Gorelik}, title = {{Cobalt Group 2.0}}, date = {2018-10-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/cobalt-gang-2.0}, language = {English}, urldate = {2020-01-05} } @online{gorelik:20181121:fin7:02ad475, author = {Michael Gorelik}, title = {{FIN7 Not Finished – Morphisec Spots New Campaign}}, date = {2018-11-21}, organization = {mor}, url = {http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20181221:fin7:d71e1b0, author = {Michael Gorelik}, title = {{FIN7 Not Finished - Morphisec Spots New Campaign}}, date = {2018-12-21}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } @online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } @online{gorelik:20200616:crystalbit:1906ecc, author = {Michael Gorelik}, title = {{CrystalBit / Apple Double DLL Hijack -- From fraudulent software bundle downloads to an evasive miner raging campaign}}, date = {2020-06-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/crystalbit-apple-double-dll-hijack}, language = {English}, urldate = {2020-06-16} } @online{gorelik:20201105:agent:1cefe08, author = {Michael Gorelik}, title = {{Agent Tesla: A Day in a Life of IR}}, date = {2020-11-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir}, language = {English}, urldate = {2020-11-09} } @online{gorelik:20210402:fair:6f62577, author = {Michael Gorelik}, title = {{The “Fair” Upgrade Variant of Phobos Ransomware}}, date = {2021-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware}, language = {English}, urldate = {2023-08-14} } @online{gorelik:20210602:google:eb1bf13, author = {Michael Gorelik}, title = {{Google PPC Ads Deliver Redline, Taurus, and mini-Redline Infostealers}}, date = {2021-06-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers}, language = {English}, urldate = {2021-06-16} } @online{gorelik:20220120:log4j:99fd2e0, author = {Michael Gorelik}, title = {{Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk}}, date = {2022-01-20}, organization = {Morphisec}, url = {https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk}, language = {English}, urldate = {2022-01-25} } @online{gosecure:20210913:bluestealer:62a42aa, author = {GoSecure}, title = {{Tweet on BlueStealer}}, date = {2021-09-13}, organization = {Twitter (@GoSecure_Inc)}, url = {https://twitter.com/GoSecure_Inc/status/1437435265350397957}, language = {English}, urldate = {2021-09-22} } @online{gosecure:20210922:gosecure:c1946aa, author = {GoSecure}, title = {{GoSecure Titan Labs Technical Report: BluStealer Malware Threat}}, date = {2021-09-22}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/}, language = {English}, urldate = {2021-09-23} } @online{gostev:20120528:flame:4aa29b8, author = {Alexander Gostev}, title = {{The Flame: Questions and Answers}}, date = {2012-05-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-flame-questions-and-answers-51/34344/}, language = {English}, urldate = {2020-01-06} } @online{gostev:20140312:agentbtz:8f1988f, author = {Alexander Gostev}, title = {{Agent.btz: a Source of Inspiration?}}, date = {2014-03-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/}, language = {English}, urldate = {2019-12-20} } @online{gottesman:20151006:moker:1b8240a, author = {Yotam Gottesman}, title = {{MOKER, PART 1: DISSECTING A NEW APT UNDER THE MICROSCOPE}}, date = {2015-10-06}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/}, language = {English}, urldate = {2020-01-07} } @online{gottesman:20151006:moker:ed878d9, author = {Yotam Gottesman}, title = {{MOKER: A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK}}, date = {2015-10-06}, organization = {enSilo}, url = {http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network}, language = {English}, urldate = {2019-07-09} } @online{gottesman:20151008:moker:4a42451, author = {Yotam Gottesman}, title = {{MOKER, PART 2: CAPABILITIES}}, date = {2015-10-08}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-2-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{gough:20210923:detecting:b1e724e, author = {Michael Gough}, title = {{Detecting and Hunting for the PetitPotam NTLM Relay Attack}}, date = {2021-09-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/09/23/detecting-and-hunting-for-the-petitpotam-ntlm-relay-attack/}, language = {English}, urldate = {2021-09-29} } @online{gould:20210513:threat:6115cfb, author = {Tara Gould and Gage Mele}, title = {{Threat Actors Use MSBuild to Deliver RATs Filelessly}}, date = {2021-05-13}, organization = {Anomali}, url = {https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly}, language = {English}, urldate = {2021-05-17} } @online{gould:20211006:inside:9391014, author = {Tara Gould}, title = {{Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server}}, date = {2021-10-06}, organization = {Anomali}, url = {https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server}, language = {English}, urldate = {2021-10-11} } @online{gould:20240201:from:70e0e76, author = {Tara Gould}, title = {{From the Depths: Analyzing the Cthulhu Stealer Malware for macOS}}, date = {2024-02-01}, organization = {Cado Security}, url = {https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos}, language = {English}, urldate = {2024-10-15} } @online{gould:20240912:from:b7984d3, author = {Tara Gould and Nate Bill}, title = {{From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking}}, date = {2024-09-12}, organization = {Cado Security}, url = {https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking}, language = {English}, urldate = {2024-10-29} } @online{gould:20250528:pumabot:2a70ddb, author = {Tara Gould}, title = {{PumaBot: Novel Botnet Targeting IoT Surveillance Devices}}, date = {2025-05-28}, organization = {Darktrace}, url = {https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices}, language = {English}, urldate = {2025-06-02} } @online{goutin:20220524:malware:e85b49b, author = {Florian Goutin}, title = {{Malware Analysis: Trickbot}}, date = {2022-05-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html}, language = {English}, urldate = {2022-05-29} } @online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = {{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } @techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2022-08-05} } @online{govcertch:20161222:tofsee:8a6f36b, author = {GovCERT.ch}, title = {{Tofsee Spambot features .ch DGA - Reversal and Countermesaures}}, date = {2016-12-22}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/}, language = {English}, urldate = {2023-02-27} } @online{govcertch:20170130:sage:022d593, author = {GovCERT.ch}, title = {{Sage 2.0 comes with IP Generation Algorithm (IPGA)}}, date = {2017-01-30}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga}, language = {English}, urldate = {2019-11-29} } @online{govcertch:20170803:retefe:07f6df3, author = {GovCERT.ch}, title = {{The Retefe Saga}}, date = {2017-08-03}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/33/the-retefe-saga}, language = {English}, urldate = {2020-01-13} } @online{govcertch:20181108:reversing:87c494c, author = {GovCERT.ch}, title = {{Reversing Retefe}}, date = {2018-11-08}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/35/reversing-retefe}, language = {English}, urldate = {2019-11-21} } @online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } @online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2019-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09} } @online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } @online{govcertch:20200220:analysis:18301ef, author = {GovCERT.ch}, title = {{Analysis of an Unusual HawkEye Sample}}, date = {2020-02-20}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/}, language = {English}, urldate = {2020-02-20} } @techreport{govcertch:20220916:unflattening:ac739a3, author = {GovCERT.ch}, title = {{Unflattening ConfuserEx .NET Code in IDA}}, date = {2022-09-16}, institution = {GovCERT.ch}, url = {https://www.govcert.ch/downloads/whitepapers/Unflattening-ConfuserEx-Code-in-IDA.pdf}, language = {English}, urldate = {2022-09-19} } @online{govcertch:20240627:poseidon:71ffc53, author = {GovCERT.ch}, title = {{Poseidon Stealer malspam campaign targeting Swiss macOS users}}, date = {2024-06-27}, organization = {GovCERT.ch}, url = {https://github.com/govcert-ch/CTI/tree/main/20240627_macOS_PoseidonStealer}, language = {English}, urldate = {2024-07-03} } @online{government:202102:cybersecurity:14a7dfd, author = {Massachusetts Government}, title = {{Cybersecurity Advisory for Public Water Suppliers}}, date = {2021-02}, organization = {Massachusetts Government}, url = {https://www.mass.gov/service-details/cybersecurity-advisory-for-public-water-suppliers}, language = {English}, urldate = {2021-02-20} } @online{govpl:20230413:espionage:089263f, author = {gov.pl}, title = {{Espionage campaign linked to Russian intelligence services}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services}, language = {English}, urldate = {2023-04-18} } @online{govuk:20231207:uk:f9d2572, author = {Gov.UK}, title = {{UK exposes attempted Russian cyber interference in politics and democratic processes}}, date = {2023-12-07}, organization = {GOV.UK}, url = {https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes}, language = {English}, urldate = {2024-11-25} } @online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } @online{graeber:20201208:why:31709f3, author = {Matt Graeber}, title = {{The why, what, and how of threat research}}, date = {2020-12-08}, organization = {Red Canary}, url = {https://redcanary.com/blog/threat-research-questions}, language = {English}, urldate = {2020-12-10} } @online{graff:20170321:inside:3dc9a2d, author = {Garrett M. Graff and Chad Hagen}, title = {{Inside the Hunt for Russia’s Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/2017/03/russian-hacker-spy-botnet/}, language = {English}, urldate = {2021-07-20} } @online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } @online{graff:20171104:how:7a25415, author = {Garrett M. Graff}, title = {{How the FBI Took Down Russia's Spam King—And His Massive Botnet}}, date = {2017-11-04}, organization = {Wired}, url = {https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/}, language = {English}, urldate = {2019-12-03} } @online{graham:20161229:some:111da12, author = {Robert Graham}, title = {{Some notes on IoCs}}, date = {2016-12-29}, organization = {Errata Security}, url = {https://blog.erratasec.com/2016/12/some-notes-on-iocs.html}, language = {English}, urldate = {2020-01-06} } @online{graham:20170629:nonpetya:c470dd8, author = {Robert Graham}, title = {{NonPetya: no evidence it was a "smokescreen"}}, date = {2017-06-29}, url = {http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html}, language = {English}, urldate = {2020-01-07} } @online{graham:20231205:emulating:4ebce86, author = {Austin Graham}, title = {{Emulating Qakbot with Austin Graham}}, date = {2023-12-05}, organization = {YouTube (SecureWorks)}, url = {https://www.youtube.com/watch?v=WcFfgEZwEgM}, language = {English}, urldate = {2024-01-30} } @techreport{grandy:20200924:offensive:8c9687e, author = {Matt Grandy and Joe Leon}, title = {{Offensive Maldocs in 2020}}, date = {2020-09-24}, institution = {Github (FortyNorthSecurity)}, url = {https://github.com/FortyNorthSecurity/Presentations/blob/master/Offensive%20Maldocs%20in%202020.pdf}, language = {English}, urldate = {2020-09-25} } @online{grange:20141209:blue:63864e2, author = {Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Bus}}, date = {2014-12-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit}, language = {English}, urldate = {2019-12-20} } @online{grange:20170418:hajime:b2ed231, author = {Waylon Grange}, title = {{Hajime worm battles Mirai for control of the Internet of Things}}, date = {2017-04-18}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things}, language = {English}, urldate = {2019-12-06} } @online{grange:20200713:anchordns:d83e6f5, author = {Waylon Grange}, title = {{Anchor_dns malware goes cross platform}}, date = {2020-07-13}, organization = {Stage 2 Security}, url = {https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30}, language = {English}, urldate = {2020-07-16} } @techreport{gray:20210118:identifying:88395ca, author = {Jason Gray and Daniele Sgandurra and Lorenzo Cavallaro}, title = {{Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets}}, date = {2021-01-18}, institution = {Arxiv}, url = {https://arxiv.org/pdf/2101.06124.pdf}, language = {English}, urldate = {2021-01-21} } @techreport{gray:2022:money:7cffc36, author = {Ian W. Gray and Jack Cable and Benjamin Brown and Vlad Cuiujuclu and Damon McCoy}, title = {{Money Over Morals: A Business Analysis of Conti Ransomware}}, date = {2022}, institution = {Symposium on Electronic Crime Research}, url = {https://damonmccoy.com/papers/Ransomware_eCrime22.pdf}, language = {English}, urldate = {2023-04-22} } @online{graziano:20170130:eyepyramid:a15d7c0, author = {Mariano Graziano and Paul Rascagnères}, title = {{EyePyramid: An Archaeological Journey}}, date = {2017-01-30}, organization = {Cisco}, url = {http://blog.talosintel.com/2017/01/Eye-Pyramid.html}, language = {English}, urldate = {2019-11-22} } @online{great:20120717:madi:ddf85da, author = {GReAT}, title = {{The Madi Campaign – Part I}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-i-5/33693/}, language = {English}, urldate = {2019-12-20} } @online{great:20120726:madi:d4f911e, author = {GReAT}, title = {{The Madi Campaign – Part II}}, date = {2012-07-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-ii-53/33701/}, language = {English}, urldate = {2019-12-20} } @online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } @online{great:20130114:red:0e66739, author = {GReAT}, title = {{The “Red October” Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies}}, date = {2013-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-red-october-campaign/57647}, language = {English}, urldate = {2022-08-25} } @online{great:20130114:red:a347681, author = {GReAT}, title = {{“Red October” Diplomatic Cyber Attacks Investigation}}, date = {2013-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740}, language = {English}, urldate = {2022-08-25} } @online{great:20130114:red:ac55753, author = {GReAT}, title = {{"Red October" Diplomatic Cyber Attacks Investigation}}, date = {2013-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/}, language = {English}, urldate = {2020-04-06} } @online{great:20130117:red:77d6972, author = {GReAT}, title = {{“Red October” – Part Two, the Modules}}, date = {2013-01-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/red-october-part-two-the-modules/57645}, language = {English}, urldate = {2022-08-25} } @techreport{great:20130320:teamspy:10e8000, author = {GReAT}, title = {{The ‘TeamSpy’ Story -Abusing TeamViewer in Cyberespionage Campaigns}}, date = {2013-03-20}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf}, language = {English}, urldate = {2020-01-08} } @online{great:20130320:teamspy:2e6f353, author = {GReAT}, title = {{The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage}}, date = {2013-03-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:b1c0d83, author = {GReAT}, title = {{Winnti. More than just a game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-more-than-just-a-game/37029/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:f53a759, author = {GReAT}, title = {{Winnti FAQ. More Than Just a Game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-faq-more-than-just-a-game/57585/}, language = {English}, urldate = {2019-12-20} } @techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } @online{great:20130604:kaspersky:070481d, author = {GReAT}, title = {{Kaspersky Lab Uncovers ‘Operation NetTraveler,’ a Global Cyberespionage Campaign Targeting Government-Affiliated Organizations and Research Institutes}}, date = {2013-06-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes}, language = {English}, urldate = {2020-01-13} } @online{great:20130604:nettraveler:a9ac0f1, author = {GReAT}, title = {{“NetTraveler is Running!” – Red Star APT Attacks Compromise High-Profile Victims}}, date = {2013-06-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/}, language = {English}, urldate = {2019-12-20} } @online{great:20130925:icefog:7f2dd2b, author = {GReAT}, title = {{The Icefog APT: A Tale of Cloak and Three Daggers}}, date = {2013-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/}, language = {English}, urldate = {2019-12-20} } @online{great:20140210:caretomask:1aa235f, author = {GReAT}, title = {{The Careto/Mask APT: Frequently Asked Questions}}, date = {2014-02-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:ba080b6, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-epic-turla-operation/65545/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2021-07-02} } @online{great:20140820:el:c4534ec, author = {GReAT}, title = {{“El Machete”}}, date = {2014-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/el-machete/66108/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:19e4934, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-darkhotel-apt/66779/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:b1f9560, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/66779/the-darkhotel-apt/}, language = {English}, urldate = {2019-12-20} } @online{great:20141124:regin:281a556, author = {GReAT}, title = {{Regin: nation-state ownage of GSM networks}}, date = {2014-11-24}, organization = {Kaspersky}, url = {https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/}, language = {English}, urldate = {2022-03-22} } @online{great:20141210:cloud:493b7e0, author = {GReAT}, title = {{Cloud Atlas: RedOctober APT is back in style}}, date = {2014-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083}, language = {English}, urldate = {2022-08-25} } @online{great:20141210:cloud:ccb4794, author = {GReAT}, title = {{Cloud Atlas: RedOctober APT is back in style}}, date = {2014-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:7b95c72, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:ad81ead, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/}, language = {English}, urldate = {2022-05-23} } @online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } @techreport{great:201502:carbanak:22f5e49, author = {GReAT}, title = {{CARBANAK APTTHE GREAT BANK ROBBERY}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{great:201502:desert:0826d08, author = {GReAT}, title = {{The Desert Falcons Targeted Attacks}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf}, language = {English}, urldate = {2020-04-06} } @online{great:20150306:animals:f15e26a, author = {GReAT}, title = {{Animals in the APT Farm}}, date = {2015-03-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/69114/animals-in-the-apt-farm/}, language = {English}, urldate = {2019-12-20} } @online{great:20150311:inside:28cec3e, author = {GReAT}, title = {{Inside the EquationDrug Espionage Platform}}, date = {2015-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/inside-the-equationdrug-espionage-platform/69203/}, language = {English}, urldate = {2019-12-20} } @online{great:20150610:mystery:c1ef5c2, author = {GReAT}, title = {{The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns}}, date = {2015-06-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/}, language = {English}, urldate = {2020-03-09} } @online{great:20150708:wild:4e853a7, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/}, language = {English}, urldate = {2019-12-20} } @online{great:20150708:wild:ee7c858, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/}, language = {English}, urldate = {2019-12-20} } @online{great:20150810:darkhotels:3c831d5, author = {GReAT}, title = {{Darkhotel’s attacks in 2015}}, date = {2015-08-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:664b5a8, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:b437b35, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2020-08-30} } @online{great:20160128:blackenergy:3c2a914, author = {GReAT}, title = {{BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents}}, date = {2016-01-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/}, language = {English}, urldate = {2019-12-20} } @online{great:20160208:aptstyle:5b3a24e, author = {GReAT and Computer Incidents Investigation Department}, title = {{APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks}}, date = {2016-02-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/}, language = {English}, urldate = {2019-12-20} } @online{great:20160209:poseidon:61725f7, author = {GReAT}, title = {{Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage}}, date = {2016-02-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/}, language = {English}, urldate = {2019-12-20} } @online{great:20160427:freezer:13a8a66, author = {GReAT}, title = {{Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More)}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/}, language = {English}, urldate = {2019-10-18} } @online{great:20160427:freezer:bec7033, author = {GReAT}, title = {{Freezer Paper around Free Meat}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/freezer-paper-around-free-meat/74503/}, language = {English}, urldate = {2019-12-20} } @online{great:20160517:atm:f05ffb9, author = {GReAT and Olga Kochetova and Alexey Osipov}, title = {{ATM infector}}, date = {2016-05-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-infector/74772/}, language = {English}, urldate = {2019-12-20} } @online{great:20160525:cve20152545:7006bff, author = {GReAT}, title = {{CVE-2015-2545: overview of current threats}}, date = {2016-05-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/}, language = {English}, urldate = {2019-12-20} } @online{great:20160708:dropping:273c1df, author = {GReAT}, title = {{The Dropping Elephant – aggressive cyber-espionage in the Asian region}}, date = {2016-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-dropping-elephant-actor/75328/}, language = {English}, urldate = {2019-12-20} } @online{great:20160808:projectsauron:503a441, author = {GReAT}, title = {{ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms}}, date = {2016-08-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20160909:projectsauron:9114f84, author = {GReAT}, title = {{THE PROJECTSAURON APT}}, date = {2016-09-09}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf}, language = {English}, urldate = {2019-11-02} } @online{great:20160929:teamxrat:880e95a, author = {GReAT and Anton Ivanov and Fedor Sinitsyn}, title = {{TeamXRat: Brazilian cybercrime meets ransomware}}, date = {2016-09-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{great:20170112:eyepyramid:18aa9df, author = {GReAT}, title = {{The “EyePyramid” attacks}}, date = {2017-01-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/}, language = {English}, urldate = {2019-12-20} } @online{great:20170221:newish:1c13271, author = {GReAT}, title = {{New(ish) Mirai Spreader Poses New Risks}}, date = {2017-02-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20170307:from:3af6ed0, author = {GReAT}, title = {{FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-15} } @online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2023-08-14} } @online{great:20170403:lazarus:689432c, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77908/lazarus-under-the-hood/}, language = {English}, urldate = {2019-12-20} } @online{great:20170411:unraveling:8be3efd, author = {GReAT}, title = {{Unraveling the Lamberts Toolkit}}, date = {2017-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/}, language = {English}, urldate = {2019-12-20} } @online{great:20170512:wannacry:b24b188, author = {GReAT}, title = {{WannaCry ransomware used in widespread attacks all over the world}}, date = {2017-05-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/}, language = {English}, urldate = {2019-12-20} } @online{great:20170627:schroedingers:43c7e28, author = {GReAT}, title = {{Schroedinger’s Pet(ya)}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/schroedingers-petya/78870/}, language = {English}, urldate = {2019-12-20} } @online{great:20170630:from:d91b457, author = {GReAT}, title = {{From BlackEnergy to ExPetr}}, date = {2017-06-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-blackenergy-to-expetr/78937/}, language = {English}, urldate = {2019-12-20} } @online{great:20170808:trends:97fe26d, author = {GReAT}, title = {{APT Trends report Q2 2017}}, date = {2017-08-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2017/79332/}, language = {English}, urldate = {2023-12-04} } @online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } @online{great:20170830:introducing:80a9653, author = {GReAT}, title = {{Introducing WhiteBear}}, date = {2017-08-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/introducing-whitebear/81638/}, language = {English}, urldate = {2019-12-20} } @online{great:20171016:blackoasis:b447418, author = {GReAT}, title = {{BlackOasis APT and new targeted attacks leveraging zero-day exploit}}, date = {2017-10-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/}, language = {English}, urldate = {2019-12-20} } @online{great:20171101:silence:b22eae0, author = {GReAT}, title = {{Silence – a new Trojan attacking financial organizations}}, date = {2017-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-silence/83009/}, language = {English}, urldate = {2019-12-20} } @online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2024-07-10} } @online{great:20180308:devils:3373375, author = {GReAT}, title = {{The devil’s in the Rich header}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-devils-in-the-rich-header/84348/}, language = {English}, urldate = {2019-12-20} } @online{great:20180308:olympicdestroyer:79780c9, author = {GReAT}, title = {{OlympicDestroyer is here to trick the industry}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/}, language = {English}, urldate = {2019-12-20} } @online{great:20180309:masha:636eab4, author = {GReAT}, title = {{Masha and these Bears - 2018 Sofacy Activity}}, date = {2018-03-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/masha-and-these-bears/84311/}, language = {English}, urldate = {2020-08-28} } @techreport{great:201803:icefog:2e293e6, author = {GReAT}, title = {{The 'Icefog' APT: A Tale of Cloak and Three Daggers}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf}, language = {English}, urldate = {2020-01-13} } @online{great:20180412:operation:fdc83bc, author = {GReAT}, title = {{Operation Parliament, who is doing what?}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-parliament-who-is-doing-what/85237/}, language = {English}, urldate = {2019-12-20} } @online{great:20180412:trends:babf7f6, author = {GReAT}, title = {{APT Trends report Q1 2018}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q1-2018/85280/}, language = {English}, urldate = {2020-01-08} } @online{great:20180524:vpnfilter:cb1c89f, author = {GReAT}, title = {{VPNFilter EXIF to C2 mechanism analysed}}, date = {2018-05-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/}, language = {English}, urldate = {2019-12-20} } @online{great:20180619:hades:99ff28a, author = {GReAT}, title = {{Hades, the actor behind Olympic Destroyer is still alive}}, date = {2018-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympic-destroyer-is-still-alive/86169/}, language = {English}, urldate = {2019-12-20} } @online{great:20180710:trends:4651c7b, author = {GReAT}, title = {{APT Trends Report Q2 2018}}, date = {2018-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2018/86487/}, language = {English}, urldate = {2019-12-20} } @online{great:20180821:dark:430988e, author = {GReAT}, title = {{Dark Tequila Añejo}}, date = {2018-08-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/dark-tequila-anejo/87528/}, language = {English}, urldate = {2019-12-20} } @online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } @online{great:20180910:luckymouse:e309805, author = {GReAT}, title = {{LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company}}, date = {2018-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-ndisproxy-driver/87914/}, language = {English}, urldate = {2019-12-20} } @online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2023-01-10} } @online{great:20181010:muddywater:12992b3, author = {GReAT}, title = {{MuddyWater expands operations}}, date = {2018-10-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/muddywater/88059/}, language = {English}, urldate = {2019-12-20} } @online{great:20181015:octopusinfested:1f464bf, author = {GReAT}, title = {{Octopus-infested seas of Central Asia}}, date = {2018-10-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/octopus-infested-seas-of-central-asia/88200/}, language = {English}, urldate = {2019-12-20} } @online{great:20190111:zebrocy:671fed1, author = {GReAT}, title = {{A Zebrocy Go Downloader}}, date = {2019-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-zebrocy-go-downloader/89419/}, language = {English}, urldate = {2019-12-20} } @online{great:20190311:predatory:63ab818, author = {GReAT}, title = {{A predatory tale: Who’s afraid of the thief?}}, date = {2019-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-predatory-tale/89779}, language = {English}, urldate = {2019-12-20} } @online{great:20190325:operation:c4bf341, author = {GReAT and AMR}, title = {{Operation ShadowHammer}}, date = {2019-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer/89992/}, language = {English}, urldate = {2019-12-20} } @online{great:20190326:cryptocurrency:c95b701, author = {GReAT}, title = {{Cryptocurrency businesses still being targeted by Lazarus}}, date = {2019-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/}, language = {English}, urldate = {2019-12-20} } @online{great:20190328:return:be8d0b5, author = {GReAT}, title = {{The return of the BOM}}, date = {2019-03-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-the-bom/90065/}, language = {English}, urldate = {2019-12-20} } @online{great:20190404:basbanke:d59ada6, author = {GReAT}, title = {{BasBanke: Trend-setting Brazilian banking Trojan}}, date = {2019-04-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/}, language = {English}, urldate = {2021-04-14} } @online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } @online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } @online{great:20190603:zebrocys:25be7a9, author = {GReAT}, title = {{Zebrocy’s Multilanguage Malware Salad}}, date = {2019-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/}, language = {English}, urldate = {2019-12-20} } @online{great:20190626:viceleaker:7145f5f, author = {GReAT}, title = {{ViceLeaker Operation: mobile espionage targeting Middle East}}, date = {2019-06-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/fanning-the-flames-viceleaker-operation/90877/}, language = {English}, urldate = {2019-12-20} } @online{great:20190710:new:f1277c3, author = {GReAT and AMR}, title = {{New FinSpy iOS and Android implants revealed ITW}}, date = {2019-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/}, language = {English}, urldate = {2019-12-20} } @online{great:20190801:trends:2aa8746, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897}, language = {English}, urldate = {2022-08-26} } @online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } @online{great:20190812:recent:2328908, author = {GReAT}, title = {{Recent Cloud Atlas activity}}, date = {2019-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/recent-cloud-atlas-activity/92016}, language = {English}, urldate = {2022-08-26} } @online{great:20190812:recent:3a35688, author = {GReAT}, title = {{Recent Cloud Atlas activity}}, date = {2019-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/recent-cloud-atlas-activity/92016/}, language = {English}, urldate = {2019-12-20} } @online{great:20190829:fully:a86ed11, author = {GReAT}, title = {{Fully equipped Spying Android RAT from Brazil: BRATA}}, date = {2019-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/spying-android-rat-from-brazil-brata/92775/}, language = {English}, urldate = {2019-12-20} } @online{great:20191003:compfun:fd13b9e, author = {GReAT}, title = {{COMpfun successor Reductor infects files on the fly to compromise TLS traffic}}, date = {2019-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-successor-reductor/93633/}, language = {English}, urldate = {2020-01-08} } @online{great:20191016:trends:4ba1e88, author = {GReAT}, title = {{APT trends report Q3 2019}}, date = {2019-10-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2019/94530/}, language = {English}, urldate = {2024-02-08} } @online{great:20191128:revengehotels:4fd8ea9, author = {GReAT}, title = {{RevengeHotels: cybercrime targeting hotel front desks worldwide}}, date = {2019-11-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/revengehotels/95229/}, language = {English}, urldate = {2020-01-09} } @online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} } @online{great:20200430:trends:a55ece4, author = {GReAT}, title = {{APT trends report Q1 2020}}, date = {2020-04-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q1-2020/96826/}, language = {English}, urldate = {2024-02-08} } @online{great:20200508:naikons:f1646a6, author = {GReAT}, title = {{Naikon’s Aria}}, date = {2020-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/naikons-aria/96899/}, language = {English}, urldate = {2020-07-06} } @online{great:20200514:compfun:eda09d1, author = {GReAT}, title = {{COMpfun authors spoof visa application with HTTP status-based Trojan}}, date = {2020-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-http-status-based-trojan/96874/}, language = {English}, urldate = {2020-05-14} } @online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } @online{great:20200714:tetrade:c97f76a, author = {GReAT}, title = {{The Tetrade: Brazilian banking malware goes global}}, date = {2020-07-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-tetrade-brazilian-banking-malware/97779/}, language = {English}, urldate = {2020-07-15} } @online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } @online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } @online{great:20200729:trends:aa08607, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937}, language = {English}, urldate = {2022-09-06} } @online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } @online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } @online{great:20201109:ghimob:d93dd04, author = {GReAT}, title = {{Ghimob: a Tétrade threat actor moves to infect mobile devices}}, date = {2020-11-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/}, language = {English}, urldate = {2020-11-11} } @online{great:20201203:annual:f4d9cc1, author = {GReAT}, title = {{APT annual review: What the world’s threat actors got up to in 2020}}, date = {2020-12-03}, organization = {Kaspersky}, url = {https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/}, language = {English}, urldate = {2023-11-17} } @online{great:20210427:trends:e1c92a3, author = {GReAT}, title = {{APT trends report Q1 2021}}, date = {2021-04-27}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q1-2021/101967/}, language = {English}, urldate = {2021-04-29} } @online{great:20210517:bizarro:78b09ca, author = {GReAT}, title = {{Bizarro banking Trojan expands its attacks to Europe}}, date = {2021-05-17}, organization = {Kaspersky}, url = {https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/}, language = {English}, urldate = {2021-05-17} } @online{great:20210616:ferocious:02ea7b8, author = {GReAT}, title = {{Ferocious Kitten: 6 years of covert surveillance in Iran}}, date = {2021-06-16}, organization = {Kaspersky}, url = {https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/}, language = {English}, urldate = {2021-06-21} } @online{great:20210928:finspy:52097c8, author = {GReAT}, title = {{FinSpy: unseen findings}}, date = {2021-09-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/finspy-unseen-findings/104322/}, language = {English}, urldate = {2021-10-08} } @online{great:20211026:trends:99fd183, author = {GReAT}, title = {{APT trends report Q3 2021}}, date = {2021-10-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2021/104708}, language = {English}, urldate = {2022-08-26} } @online{great:20211026:trends:d8feedd, author = {GReAT}, title = {{APT trends report Q3 2021}}, date = {2021-10-26}, organization = {Kaspersky}, url = {https://securelist.com/apt-trends-report-q3-2021/104708/}, language = {English}, urldate = {2021-11-03} } @online{great:20211129:scarcruft:986e7f4, author = {GReAT}, title = {{ScarCruft surveilling North Korean defectors and human rights activists}}, date = {2021-11-29}, organization = {Kaspersky}, url = {https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/}, language = {English}, urldate = {2021-12-07} } @online{great:20220301:elections:1f89f9b, author = {GReAT}, title = {{Elections GoRansom – a smoke screen for the HermeticWiper attack}}, date = {2022-03-01}, organization = {Kaspersky}, url = {https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/}, language = {English}, urldate = {2022-03-02} } @online{great:20220314:webinar:f6bfb3c, author = {GReAT}, title = {{Webinar on cyberattacks in Ukraine – summary and Q&A}}, date = {2022-03-14}, organization = {Kaspersky}, url = {https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/}, language = {English}, urldate = {2022-04-05} } @online{great:20220331:lazarus:540b96e, author = {GReAT}, title = {{Lazarus Trojanized DeFi app for delivering malware}}, date = {2022-03-31}, organization = {Kaspersky}, url = {https://securelist.com/lazarus-trojanized-defi-app/106195/}, language = {English}, urldate = {2023-07-28} } @online{great:20220407:bad:162aae7, author = {GReAT}, title = {{A Bad Luck BlackCat}}, date = {2022-04-07}, organization = {Kaspersky}, url = {https://securelist.com/a-bad-luck-blackcat/106254/}, language = {English}, urldate = {2022-04-12} } @techreport{great:20220407:bad:ebb997d, author = {GReAT}, title = {{A Bad Luck BlackCat}}, date = {2022-04-07}, institution = {Kaspersky}, url = {https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf}, language = {English}, urldate = {2022-04-25} } @online{great:20220427:trends:171ea53, author = {GReAT}, title = {{APT trends report Q1 2022}}, date = {2022-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q1-2022/106351/}, language = {English}, urldate = {2024-02-08} } @online{great:20220511:new:a56bc90, author = {GReAT}, title = {{New ransomware trends in 2022}}, date = {2022-05-11}, organization = {Kaspersky}, url = {https://securelist.com/new-ransomware-trends-in-2022/106457/}, language = {English}, urldate = {2022-05-17} } @online{great:20220602:windealer:04ad2d0, author = {GReAT}, title = {{WinDealer dealing on the side}}, date = {2022-06-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/windealer-dealing-on-the-side/105946/}, language = {English}, urldate = {2022-06-04} } @online{great:20220602:windealer:a54c8c9, author = {GReAT}, title = {{WinDealer dealing on the side}}, date = {2022-06-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/windealer-dealing-on-the-side/105946}, language = {English}, urldate = {2022-07-25} } @online{great:20220725:cosmicstrand:c1e791b, author = {GReAT}, title = {{CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit}}, date = {2022-07-25}, organization = {Kaspersky}, url = {https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/}, language = {English}, urldate = {2022-07-25} } @online{great:20220728:trends:6c4bd3e, author = {GReAT}, title = {{APT trends report Q2 2022}}, date = {2022-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2022/106995/}, language = {English}, urldate = {2024-02-08} } @online{great:20220928:prilex:63ddfb7, author = {GReAT}, title = {{Prilex: the pricey prickle credit card complex}}, date = {2022-09-28}, organization = {Kaspersky}, url = {https://securelist.com/prilex-atm-pos-malware-evolution/107551/}, language = {English}, urldate = {2022-09-30} } @online{great:20221003:defttorero:da8a03c, author = {GReAT}, title = {{DeftTorero: tactics, techniques and procedures of intrusions revealed}}, date = {2022-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/}, language = {English}, urldate = {2022-10-07} } @online{great:20221208:deathstalker:a171c50, author = {GReAT}, title = {{DeathStalker targets legal entities with new Janicab variant}}, date = {2022-12-08}, organization = {Kaspersky}, url = {https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/}, language = {English}, urldate = {2022-12-14} } @online{great:20221214:reassessing:94f663f, author = {GReAT and Kaspersky Lab ICS CERT}, title = {{Reassessing cyberwarfare. Lessons learned in 2022}}, date = {2022-12-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/}, language = {English}, urldate = {2022-12-14} } @online{great:20230119:roaming:46b7adb, author = {GReAT}, title = {{Roaming Mantis implements new DNS changer in its malicious mobile app in 2022}}, date = {2023-01-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/}, language = {English}, urldate = {2023-01-19} } @online{great:20230622:lockbit:a9c1d00, author = {GReAT}, title = {{LockBit Green and phishing that targets organizations}}, date = {2023-06-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/crimeware-report-lockbit-switchsymb/110068/}, language = {English}, urldate = {2023-07-11} } @online{great:20230628:andariels:21f9242, author = {GReAT}, title = {{Andariel’s silly mistakes and a new malware family}}, date = {2023-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/}, language = {English}, urldate = {2023-07-11} } @online{great:20231016:hack:8cfe2d2, author = {GReAT}, title = {{A hack in hand is worth two in the bush}}, date = {2023-10-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/}, language = {English}, urldate = {2023-12-04} } @online{great:20231017:trends:d53ea17, author = {GReAT}, title = {{APT trends report Q3 2023}}, date = {2023-10-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2023/110752/}, language = {English}, urldate = {2023-12-04} } @techreport{great:20231018:updated:4d78dec, author = {GReAT and Kaspersky Lab ICS CERT}, title = {{Updated MATA attacks industrial companies in Eastern Europe}}, date = {2023-10-18}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf}, language = {English}, urldate = {2023-10-18} } @online{great:20231213:fakesg:df2d4da, author = {GReAT}, title = {{FakeSG campaign, Akira ransomware and AMOS macOS stealer}}, date = {2023-12-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/crimeware-report-fakesg-akira-amos/111483/}, language = {English}, urldate = {2024-02-08} } @online{great:20240522:stealers:defb26e, author = {GReAT}, title = {{Stealers, stealers and more stealers}}, date = {2024-05-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/crimeware-report-stealers/112633/}, language = {English}, urldate = {2024-09-13} } @online{great:20240708:cloudsorcerer:e245c90, author = {GReAT}, title = {{CloudSorcerer – A new APT targeting Russian government entities}}, date = {2024-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/}, language = {English}, urldate = {2024-10-21} } @online{great:20241022:grandoreiro:0393180, author = {GReAT}, title = {{Grandoreiro, the global trojan with grandiose ambitions}}, date = {2024-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/grandoreiro-banking-trojan/114257/}, language = {English}, urldate = {2024-10-23} } @online{great:20250417:ironhusky:6b51197, author = {GReAT}, title = {{IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia}}, date = {2025-04-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/mysterysnail-new-version/116226/}, language = {English}, urldate = {2025-04-27} } @online{greco:20210428:un:2464b6b, author = {Andrea Greco}, title = {{Un sospetto attacco telematico blocca le filiali della Bcc di Roma}}, date = {2021-04-28}, organization = {La Repubblica}, url = {https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/}, language = {Italian}, urldate = {2021-05-03} } @online{green:20210722:behavorial:a35860b, author = {Travis Green}, title = {{Behavorial xbits with Suricata}}, date = {2021-07-22}, organization = {travisgreen blog}, url = {https://travisgreen.net/2021/07/22/behavioral-xbits.html}, language = {English}, urldate = {2021-07-26} } @online{green:20221028:windowscarvingsystembc:536f406, author = {Matt Green}, title = {{Windows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor}}, date = {2022-10-28}, organization = {velociraptor}, url = {https://docs.velociraptor.app/exchange/artifacts/pages/systembc/}, language = {English}, urldate = {2023-07-31} } @online{green:20230123:black:dd89d21, author = {Stephen Green and Elio Biasiotto}, title = {{Black Basta – Technical Analysis}}, date = {2023-01-23}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis}, language = {English}, urldate = {2023-04-22} } @online{green:20230202:hive:4624808, author = {Stephen Green and Elio Biasiotto}, title = {{Hive Ransomware Technical Analysis and Initial Access Discovery}}, date = {2023-02-02}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery}, language = {English}, urldate = {2023-04-22} } @online{green:20230405:automating:ef8b30e, author = {Matt Green}, title = {{Automating Qakbot Decode At Scale}}, date = {2023-04-05}, organization = {velociraptor}, url = {https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/}, language = {English}, urldate = {2023-04-18} } @online{green:20230418:automating:5252cc0, author = {Matt Green}, title = {{Automating Qakbot Detection at Scale With Velociraptor}}, date = {2023-04-18}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/}, language = {English}, urldate = {2023-04-25} } @online{greenberg:20170920:ccleaner:3590e9c, author = {Andy Greenberg}, title = {{The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms}}, date = {2017-09-20}, organization = {Wired}, url = {https://www.wired.com/story/ccleaner-malware-targeted-tech-firms}, language = {English}, urldate = {2019-12-16} } @online{greenberg:20171024:new:5359735, author = {Andy Greenberg}, title = {{New Ransomware Linked to NotPetya Sweeps Russia and Ukraine}}, date = {2017-10-24}, organization = {Wired}, url = {https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/}, language = {English}, urldate = {2020-01-06} } @online{greenberg:20171109:he:5442358, author = {Andy Greenberg}, title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}}, date = {2017-11-09}, organization = {Wired}, url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/}, language = {English}, urldate = {2020-01-08} } @online{greenberg:20180822:untold:9dcac56, author = {Andy Greenberg}, title = {{The Untold Story of NotPetya, the Most Devastating Cyberattack in History}}, date = {2018-08-22}, organization = {Wired}, url = {https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/}, language = {English}, urldate = {2022-07-29} } @online{greenberg:20191017:untold:c257d22, author = {Andy Greenberg}, title = {{The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History}}, date = {2019-10-17}, organization = {Wired}, url = {https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{greenberg:20200528:nsa:c35f45e, author = {Andy Greenberg}, title = {{NSA: Russia's Sandworm Hackers Have Hijacked Mail Servers}}, date = {2020-05-28}, organization = {Wired}, url = {https://www.wired.com/story/nsa-sandworm-exim-mail-server-warning/}, language = {English}, urldate = {2020-05-29} } @online{greenberg:20200716:iranian:4cc83df, author = {Andy Greenberg}, title = {{Iranian Spies Accidentally Leaked Videos of Themselves Hacking}}, date = {2020-07-16}, organization = {Wired}, url = {https://www.wired.com/story/iran-apt35-hacking-video/}, language = {English}, urldate = {2020-07-16} } @online{greenberg:20200724:russias:689bbb1, author = {Andy Greenberg}, title = {{Russia's GRU Hackers Hit US Government and Energy Targets}}, date = {2020-07-24}, organization = {Wired}, url = {https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/}, language = {English}, urldate = {2020-07-30} } @online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } @online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } @online{greenberg:20201019:us:89aec2c, author = {Andy Greenberg}, title = {{US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit}}, date = {2020-10-19}, organization = {Wired}, url = {https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/}, language = {English}, urldate = {2020-10-19} } @online{greenberg:20201026:russian:22b05dd, author = {Andy Greenberg}, title = {{The Russian Hackers (BERSERK BEAR) Playing 'Chekhov's Gun' With US Infrastructure}}, date = {2020-10-26}, organization = {Wired}, url = {https://www.wired.com/story/berserk-bear-russia-infrastructure-hacking/}, language = {English}, urldate = {2020-10-29} } @online{greenberg:20210118:trumps:0b59228, author = {Andy Greenberg}, title = {{Trump’s Worst, Most Bizarre Statements About ‘the Cyber’}}, date = {2021-01-18}, organization = {Wired}, url = {https://www.wired.com/story/trump-cyber-worst-quotes-statements-hackers-ukraine-russia/}, language = {English}, urldate = {2021-01-21} } @online{greenberg:20210208:hacker:89a1efa, author = {Andy Greenberg}, title = {{A Hacker Tried to Poison a Florida City's Water Supply, Officials Say}}, date = {2021-02-08}, organization = {Wired}, url = {https://www.wired.com/story/oldsmar-florida-water-utility-hack/}, language = {English}, urldate = {2021-02-09} } @online{greenberg:20210215:france:b543876, author = {Andy Greenberg}, title = {{France Ties Russia's Sandworm to a Multiyear Hacking Spree}}, date = {2021-02-15}, organization = {Wired}, url = {https://www.wired.com/story/sandworm-centreon-russia-hack/}, language = {English}, urldate = {2021-02-20} } @online{greenberg:20210305:chinese:119ea98, author = {Andy Greenberg}, title = {{Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims}}, date = {2021-03-05}, organization = {Wired}, url = {https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/}, language = {English}, urldate = {2021-03-06} } @online{greenberg:20210520:full:8e8ec72, author = {Andy Greenberg}, title = {{The Full Story of the Stunning RSA Hack Can Finally Be Told}}, date = {2021-05-20}, organization = {Wired}, url = {https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/}, language = {English}, urldate = {2021-05-26} } @online{greenberg:20210531:hacker:8874190, author = {Andy Greenberg}, title = {{Hacker Lexicon: What Is a Supply Chain Attack?}}, date = {2021-05-31}, organization = {Wired}, url = {https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/}, language = {English}, urldate = {2022-10-17} } @online{greenberg:20210607:ransomware:73f5da4, author = {Andy Greenberg}, title = {{Ransomware Struck Another Pipeline Firm—and 70GB of Data Leaked}}, date = {2021-06-07}, organization = {Wired}, url = {https://www.wired.com/story/linestar-pipeline-ransomware-leak}, language = {English}, urldate = {2021-06-16} } @online{greenberg:20240403:mystery:e9a6b98, author = {Andy Greenberg and Matt Burgess}, title = {{The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind}}, date = {2024-04-03}, organization = {Wired}, url = {https://www.wired.com/story/jia-tan-xz-backdoor/}, language = {English}, urldate = {2024-04-04} } @online{greenberg:20240908:strange:0068d8b, author = {Andy Greenberg}, title = {{A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities}}, date = {2024-09-08}, organization = {Wired}, url = {https://www.wired.com/story/cyber-army-of-russia-interview/}, language = {English}, urldate = {2024-09-13} } @online{greenberg:20241122:russian:324cd1e, author = {Andy Greenberg}, title = {{Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack}}, date = {2024-11-22}, organization = {Wired}, url = {https://www.wired.com/story/russia-gru-apt28-wifi-daisy-chain-breach/}, language = {English}, urldate = {2025-02-03} } @online{greenplan:20220807:config:db5873e, author = {greenplan}, title = {{Config Extractor per DanaBot (PARTE 1)}}, date = {2022-08-07}, organization = {Malverse}, url = {https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1}, language = {English}, urldate = {2022-08-31} } @online{greenplan:20220910:realizziamo:2eaa6a4, author = {greenplan}, title = {{Realizziamo un C&C Server in Python (Bankshot)}}, date = {2022-09-10}, organization = {Malverse}, url = {https://malverse.it/analisi-bankshot-copperhedge}, language = {Italian}, urldate = {2022-09-26} } @online{greenplan:20221017:stack:5c74181, author = {greenplan}, title = {{Stack String Decryption with Ghidra Emulator (Orchard)}}, date = {2022-10-17}, organization = {Malverse}, url = {https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard}, language = {Italian}, urldate = {2022-10-18} } @online{greenplan:20250126:binary:628ec85, author = {greenplan}, title = {{[BINARY REFINERY] (Emmenhtal) - Deobfuscation stage JavaScript and PowerShell}}, date = {2025-01-26}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=8AjP39OXs2c}, language = {Italian}, urldate = {2025-03-25} } @online{greenplan:20250201:binary:72507bd, author = {greenplan}, title = {{[BINARY REFINERY] (Emmenhtal) - Deobfuscation of AES encryption and writing of a Unit (PART 2)}}, date = {2025-02-01}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=NP9M-QhbzTQ}, language = {Italian}, urldate = {2025-03-25} } @online{greenplan:20250215:binary:78749f8, author = {greenplan}, title = {{[BINARY REFINERY] (Emmenhtal) - Deobfuscation of a custom obfuscation algorithm}}, date = {2025-02-15}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=FJht41Jht5Y}, language = {Italian}, urldate = {2025-03-25} } @online{greenplan:20250222:binary:b4bc6e0, author = {greenplan}, title = {{[BINARY REFINERY] (MintsLoader) - Deobfuscation of a simple XOR to get the URL}}, date = {2025-02-22}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=Ep8STRLKS6I}, language = {Italian}, urldate = {2025-03-25} } @online{greenplan:20250307:binary:8644bd0, author = {greenplan}, title = {{[BINARY REFINERY] (MintsLoader) - Writing a Unit to deobfuscated JavaScript payload}}, date = {2025-03-07}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=yqM9ekIRlMA}, language = {Italian}, urldate = {2025-03-25} } @online{greenplan:20250325:binary:b3a155b, author = {greenplan}, title = {{[BINARY REFINERY] (StegoCampaign) - Scrittura di una Unit per ottenere il C2}}, date = {2025-03-25}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=Y81z1CF8z2U}, language = {Italian}, urldate = {2025-04-10} } @online{greenplan:20250326:binary:1f16669, author = {greenplan}, title = {{[BINARY REFINERY] (StegoCampaign) - Deobfuscation of a VBScript stage (PART 1)}}, date = {2025-03-26}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=Rpm7AHMG8Hg}, language = {Italian}, urldate = {2025-04-10} } @online{greenplan:20250404:binary:911deac, author = {greenplan}, title = {{[BINARY REFINERY] (StegoCampaign) - Deobfuscation of a VBScript stage (PART 2)}}, date = {2025-04-04}, organization = {Youtube (greenplan)}, url = {https://www.youtube.com/watch?v=qGN5CPGEjIw}, language = {Italian}, urldate = {2025-04-10} } @online{greenwood:20220104:purple:98da376, author = {John Greenwood}, title = {{Purple Fox malware is actively distributed via Telegram Installers}}, date = {2022-01-04}, organization = {The Cyber Security Times}, url = {https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/}, language = {English}, urldate = {2022-01-06} } @online{greer:20220505:malware:d2996ea, author = {Chris Greer}, title = {{MALWARE Analysis with Wireshark // TRICKBOT Infection}}, date = {2022-05-05}, organization = {YouTube (Chris Greer)}, url = {https://www.youtube.com/watch?v=Brx4cygfmg8}, language = {English}, urldate = {2022-05-05} } @online{greetham:20200527:detecting:ec59314, author = {Aaron Greetham}, title = {{Detecting Rclone – An Effective Tool for Exfiltration}}, date = {2020-05-27}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/}, language = {English}, urldate = {2021-06-11} } @online{greig:20220202:blackcat:dba8722, author = {Jonathan Greig}, title = {{BlackCat ransomware implicated in attack on German oil companies}}, date = {2022-02-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/}, language = {English}, urldate = {2022-02-07} } @online{greig:20220228:microsoft:0e59d45, author = {Jonathan Greig}, title = {{Microsoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store}}, date = {2022-02-28}, organization = {ZDNet}, url = {https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/}, language = {English}, urldate = {2022-03-07} } @online{greig:20220330:hive:b23a103, author = {Jonathan Greig}, title = {{Hive ransomware shuts down California health care organization}}, date = {2022-03-30}, organization = {The Record}, url = {https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/}, language = {English}, urldate = {2022-03-31} } @online{greig:20220429:german:d7fd313, author = {Jonathan Greig}, title = {{German wind farm operator confirms cybersecurity incident}}, date = {2022-04-29}, organization = {The Record}, url = {https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/}, language = {English}, urldate = {2022-05-03} } @online{greig:20230120:samsung:e23b450, author = {Jonathan Greig}, title = {{Samsung investigating claims of hack on South Korea systems, internal employee platform}}, date = {2023-01-20}, organization = {The Record}, url = {https://therecord.media/samsung-investigating-claims-of-hack-on-south-korea-systems-internal-employee-platform/}, language = {English}, urldate = {2023-12-04} } @online{greig:20230704:fort:2dec664, author = {Jonathan Greig}, title = {{Fort Worth officials say leaked data came from Public Information Act request}}, date = {2023-07-04}, organization = {The Record}, url = {https://therecord.media/fort-worth-officials-say-leaked-data-was-public}, language = {English}, urldate = {2023-12-04} } @online{greig:20230918:scattered:9d42750, author = {Jonathan Greig}, title = {{"Scattered Spider" group launches ransomware attacks while expanding targets in hospitality, retail}}, date = {2023-09-18}, organization = {The Record}, url = {https://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail}, language = {English}, urldate = {2023-11-17} } @online{greig:20231003:nato:f72b8d9, author = {Jonathan Greig}, title = {{NATO 'actively addressing' alleged cyberattack affecting some websites}}, date = {2023-10-03}, organization = {The Record}, url = {https://therecord.media/nato-siegedsec-unclassified-websites-alleged-cyberattack}, language = {English}, urldate = {2023-12-04} } @online{greig:20231015:colonial:c3336af, author = {Jonathan Greig}, title = {{Colonial Pipeline attributes ransomware claims to ‘unrelated’ third-party data breach}}, date = {2023-10-15}, organization = {The Record}, url = {https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach}, language = {English}, urldate = {2023-12-04} } @online{greig:20231204:florida:d5fca3c, author = {Jonathan Greig}, title = {{Florida water agency latest to confirm cyber incident as feds warn of nation-state attacks}}, date = {2023-12-04}, organization = {The Record}, url = {https://therecord.media/florida-water-agency-ransomware-cisa-warning-utilities}, language = {English}, urldate = {2023-12-05} } @online{greksza:20250226:inside:299cfb6, author = {Balazs Greksza and Domenico de Vitto and Rhys Downing and Manupriya Sharma}, title = {{Inside BlackBasta: What Leaked Conversations Reveal About Their Ransomware Operations}}, date = {2025-02-26}, organization = {Ontinue}, url = {https://www.ontinue.com/resource/inside-black-basta-leaked-coversations/}, language = {English}, urldate = {2025-03-26} } @online{greminger:20150618:so:28825c8, author = {Slavo Greminger}, title = {{So Long, and Thanks for All the Domains}}, date = {2015-06-18}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/}, language = {English}, urldate = {2019-07-11} } @online{gretzky:20180710:evilginx:420c3c0, author = {Kuba Gretzky}, title = {{Evilginx}}, date = {2018-07-10}, organization = {Github (kgretzky)}, url = {https://github.com/kgretzky/evilginx2}, language = {English}, urldate = {2024-03-18} } @online{griffin:20160808:monsoon:ac7eb5b, author = {Nicholas Griffin}, title = {{MONSOON - Analysis Of An APT Campaign}}, date = {2016-08-08}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign}, language = {English}, urldate = {2020-04-06} } @online{griffin:20160922:zeus:94d0df7, author = {Nicholas Griffin}, title = {{Zeus Delivered by DELoader to Defraud Customers of Canadian Banks}}, date = {2016-09-22}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks}, language = {English}, urldate = {2020-01-13} } @online{griffin:20160928:highly:c9c3359, author = {Nicholas Griffin}, title = {{Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware}}, date = {2016-09-28}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware}, language = {English}, urldate = {2020-01-09} } @online{griffin:20170117:carbanak:68e7e00, author = {Nicholas Griffin}, title = {{Carbanak Group uses Google for malware command-and-control}}, date = {2017-01-17}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control}, language = {English}, urldate = {2020-05-27} } @online{grill:20170313:detecting:b90625c, author = {Bernhard Grill and Megan Ruthven and Xin Zhao}, title = {{Detecting and eliminating Chamois, a fraud botnet on Android}}, date = {2017-03-13}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html}, language = {English}, urldate = {2020-01-06} } @online{grimminck:20201226:spoofing:a0a5622, author = {Stefan Grimminck}, title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}}, date = {2020-12-26}, organization = {Medium grimminck}, url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b}, language = {English}, urldate = {2021-01-01} } @online{grischenko:20221221:godfather:fbc2595, author = {Artem Grischenko}, title = {{Godfather: A banking Trojan that is impossible to refuse}}, date = {2022-12-21}, organization = {Group-IB}, url = {https://blog.group-ib.com/godfather-trojan}, language = {English}, urldate = {2022-12-24} } @online{grll:20201218:nordkorea:510c3c7, author = {Philipp Grüll and Hakan Tanriverdi}, title = {{Nordkorea in Verdacht: Cyberspionage gegen deutsche Rüstungskonzerne}}, date = {2020-12-18}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/br-recherche/cyberspionage-ruestung-nordkorea-105.html}, language = {German}, urldate = {2021-01-11} } @online{grnlund:20210307:tracking:2d920fd, author = {Rasmus Grönlund}, title = {{Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM}}, date = {2021-03-07}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/}, language = {English}, urldate = {2021-03-12} } @online{gro:20210128:look:3255e9f, author = {Samuel Groß}, title = {{A Look at iMessage in iOS 14}}, date = {2021-01-28}, organization = {Google Project Zero}, url = {https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html}, language = {English}, urldate = {2021-01-29} } @online{gro:20220331:forcedentry:31ef814, author = {Samuel Groß and Ian Beer and Google Project Zero}, title = {{FORCEDENTRY: Sandbox Escape}}, date = {2022-03-31}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html}, language = {English}, urldate = {2022-03-31} } @online{grob:20210520:analysis:1b7ae0b, author = {Jennifer Grob}, title = {{Analysis of Infrastructure used by DarkSide Affiliates}}, date = {2021-05-20}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/fdf74f23}, language = {English}, urldate = {2021-05-26} } @online{grob:20210602:review:df29e01, author = {Jennifer Grob}, title = {{Review of Sysrv-hello Cryptjacking Botnet}}, date = {2021-06-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/98f391f9}, language = {English}, urldate = {2021-06-16} } @online{grob:20210630:bulletproof:5d71486, author = {Jennifer Grob and Jordan Herman}, title = {{Bulletproof Hosting Services: Investigating Media Land LLC}}, date = {2021-06-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/49db7be3}, language = {English}, urldate = {2021-07-02} } @online{grob:20210728:use:8287989, author = {Jennifer Grob and Jordan Herman}, title = {{Use of XAMPP Web Component to Identify Agent Tesla Infrastructure}}, date = {2021-07-28}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/40000d46}, language = {English}, urldate = {2021-07-29} } @online{grob:20210908:bulletproof:902e9f2, author = {Jennifer Grob}, title = {{Bulletproof Hosting Services: Investigating Flowspec}}, date = {2021-09-08}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2a36a7d2/description}, language = {English}, urldate = {2021-09-10} } @online{grob:20211020:overview:f51c170, author = {Jennifer Grob}, title = {{Overview of Malware Hosted on Discord's Content Delivery Network}}, date = {2021-10-20}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/fe25847f}, language = {English}, urldate = {2021-10-26} } @online{grob:20211117:aggah:67f2411, author = {Jennifer Grob}, title = {{Aggah Campaign Replaces Crypto Currency Addresses with Their Own}}, date = {2021-11-17}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/09514842}, language = {English}, urldate = {2021-11-18} } @online{grob:20220301:riskiq:660957b, author = {Jennifer Grob}, title = {{RiskIQ: Fraudulent Website Spoofing UNHCR for Ukrainian Refugees Seeks Bitcoin Donations}}, date = {2022-03-01}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/1531a4e2}, language = {English}, urldate = {2022-03-07} } @online{grob:20220302:riskiq:38b8181, author = {Jennifer Grob}, title = {{RiskIQ: Malware Linked to Upwork Post Seeking Content Writer for a "Newly Developed Application" Deploys DCRat}}, date = {2022-03-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/50c77491}, language = {English}, urldate = {2022-03-07} } @online{grob:20220316:riskiq:6615264, author = {Jennifer Grob and RiskIQ}, title = {{RiskIQ: Website Spoofed Ukrainian "Official site of the PrivatBank Charitable Foundation" to Skim Credit Card Data}}, date = {2022-03-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/57a3509b}, language = {English}, urldate = {2022-03-22} } @online{grob:20220316:riskiq:be037c6, author = {Jennifer Grob and RiskIQ}, title = {{RiskIQ: Suspicious Domain Claiming Support for Ukraine Associated with Malware File}}, date = {2022-03-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/8f476ce5/indicators}, language = {English}, urldate = {2022-03-22} } @online{grob:20220318:riskiq:3c630e5, author = {Jennifer Grob and RiskIQ}, title = {{RiskIQ: Fraudulent Website Attempts to Collect Donations in Support of Ukraine Humanitarian Fund (UHF)}}, date = {2022-03-18}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/c9a9e8a6}, language = {English}, urldate = {2022-03-22} } @online{grob:20220418:riskiq:d5109f2, author = {Jennifer Grob}, title = {{RiskIQ: Trickbot Rickroll}}, date = {2022-04-18}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/04ec92f4}, language = {English}, urldate = {2022-04-20} } @online{grob:20220419:riskiq:7156e3c, author = {Jennifer Grob}, title = {{RiskIQ: Legitimate WordPress Site Hosts Malicious Content}}, date = {2022-04-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/3929ede0/description}, language = {English}, urldate = {2022-04-25} } @online{grob:20220510:riskiq:e6dc6a0, author = {Jennifer Grob}, title = {{RiskIQ: VBScript Hosted on BlogSpot URL Deploys Malware Associated with NyanCat}}, date = {2022-05-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0a8a0248}, language = {English}, urldate = {2022-05-17} } @online{grob:20220616:riskiq:319bce7, author = {Jennifer Grob}, title = {{RiskIQ: New ManaTools Panel Identified}}, date = {2022-06-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/69dfdba2}, language = {English}, urldate = {2022-07-01} } @online{groenewoud:20240519:panix:edfae9f, author = {Ruben Groenewoud}, title = {{PANIX - Persistence Against *NIX}}, date = {2024-05-19}, organization = {Github (Aegrah)}, url = {https://github.com/Aegrah/PANIX}, language = {English}, urldate = {2025-02-28} } @online{groenewoud:20250227:linux:02b185d, author = {Ruben Groenewoud}, title = {{Linux Detection Engineering - The Grand Finale on Linux Persistence}}, date = {2025-02-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence}, language = {English}, urldate = {2025-02-28} } @online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } @online{groisman:20210309:minebridge:bd80b6a, author = {Alon Groisman}, title = {{MineBridge Is on the Rise, With a Sophisticated Delivery Mechanism}}, date = {2021-03-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism}, language = {English}, urldate = {2021-03-11} } @online{grooten:20180427:gravityrat:40749fa, author = {Martijn Grooten}, title = {{GravityRAT malware takes your system's temperature}}, date = {2018-04-27}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/}, language = {English}, urldate = {2020-01-13} } @online{grooten:20210201:pivoting:71e78c9, author = {Martijn Grooten}, title = {{Pivoting: finding malware domains without seeing malicious activity}}, date = {2021-02-01}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity}, language = {English}, urldate = {2022-05-05} } @online{grooten:20210215:more:d06b030, author = {Martijn Grooten}, title = {{More LodaRAT infrastructure targeting Bangladesh uncovered}}, date = {2021-02-15}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered}, language = {English}, urldate = {2022-06-09} } @online{grooten:20210331:icedid:42c6051, author = {Martijn Grooten}, title = {{IcedID Command and Control Infrastructure}}, date = {2021-03-31}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure}, language = {English}, urldate = {2022-06-09} } @online{grooten:20210413:malicious:094869a, author = {Martijn Grooten}, title = {{Malicious infrastructure as a service}}, date = {2021-04-13}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service}, language = {English}, urldate = {2022-06-09} } @online{gross:20150513:cylance:57a5597, author = {Jon Gross}, title = {{Cylance SPEAR Team: A Threat Actor Resurfaces}}, date = {2015-05-13}, organization = {Cylance}, url = {https://blog.cylance.com/spear-a-threat-actor-resurfaces}, language = {English}, urldate = {2019-10-15} } @techreport{gross:20160223:operation:424641b, author = {Jon Gross and Cylance SPEAR Team}, title = {{Operation Dust Storm}}, date = {2016-02-23}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:3690880, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:c424a01, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Threat Vector}, url = {https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-05} } @online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } @online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } @online{gross:20200930:diving:8e26441, author = {Jon Gross}, title = {{Diving Into DONOT's Mobile Rabbit Hole}}, date = {2020-09-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/6f60db72}, language = {English}, urldate = {2023-07-24} } @online{gross:20210318:cobalt:5392fb0, author = {Ben Gross}, title = {{Cobalt Strike – Post-Exploitation Attackers Toolkit}}, date = {2021-03-18}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/}, language = {English}, urldate = {2021-06-22} } @online{group:20161009:siteintel:906676a, author = {SITE Intelligence Group}, title = {{SiteIntel: Cyber Caliphate Army}}, date = {2016-10-09}, url = {https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697}, language = {English}, urldate = {2020-05-27} } @online{group:20180816:chinese:cd91b33, author = {Insikt Group and Sanil Chohan and Winnona Desombre and Justin Grosfelt}, title = {{Chinese Cyberespionage Originating From Tsinghua University Infrastructure}}, date = {2018-08-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-cyberespionage-operations}, language = {English}, urldate = {2023-05-15} } @online{group:20181113:chinese:6141b55, author = {Insikt Group}, title = {{Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques}}, date = {2018-11-13}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/}, language = {English}, urldate = {2020-01-13} } @techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{group:20190206:apt10:9c61d0b, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{group:20191211:operation:beb8ce0, author = {Insikt Group®}, title = {{Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs}}, date = {2019-12-11}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf}, language = {English}, urldate = {2022-08-25} } @techreport{group:20200123:european:c3ca9e3, author = {Insikt Group}, title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}}, date = {2020-01-23}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf}, language = {English}, urldate = {2020-01-27} } @techreport{group:20200312:swallowing:2ec2856, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf}, language = {English}, urldate = {2023-01-19} } @online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } @online{group:20200531:dtrack:d91f05d, author = {Shadow Chaser Group}, title = {{Tweet on DTRACK malware}}, date = {2020-05-31}, organization = {Twitter (ShadowChasing1)}, url = {https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20}, language = {English}, urldate = {2021-06-09} } @techreport{group:20200610:new:fbd9342, author = {Insikt Group®}, title = {{New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit}}, date = {2020-06-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf}, language = {English}, urldate = {2020-06-11} } @online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } @techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } @techreport{group:20200903:russianrelated:448f739, author = {Insikt Group®}, title = {{Russian-related Threats to the 2020 U.S. Presidential Election}}, date = {2020-09-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0903.pdf}, language = {English}, urldate = {2020-09-06} } @techreport{group:20200915:back:2c78a6f, author = {Insikt Group®}, title = {{Back Despite Disruption: RedDelta Resumes Operations}}, date = {2020-09-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf}, language = {English}, urldate = {2020-09-16} } @techreport{group:20201016:banking:bcbd283, author = {Insikt Group®}, title = {{Banking Web Injects Are Top Cyber Threat For Financial Sector}}, date = {2020-10-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf}, language = {English}, urldate = {2020-10-23} } @techreport{group:20201027:pulse:9a5781b, author = {Insikt Group®}, title = {{Pulse Report:Insikt Group Discovers Global Credential Harvesting Campaign Using FiercePhish Open Source Framework}}, date = {2020-10-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1027.pdf}, language = {English}, urldate = {2020-11-02} } @online{group:20201103:infyaptfoudre:e546c27, author = {Shadow Chaser Group}, title = {{美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析}}, date = {2020-11-03}, organization = {Gcow-Sec}, url = {https://cloud.tencent.com/developer/article/1738806}, language = {Chinese}, urldate = {2020-11-04} } @techreport{group:20201104:ransomwareasaservice:5ccfc55, author = {Insikt Group®}, title = {{Ransomware-as-a-Service Becomes Increasingly Accessible via Social Media and Open Sources}}, date = {2020-11-04}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1104.pdf}, language = {English}, urldate = {2020-11-06} } @techreport{group:20201110:new:97e5657, author = {Insikt Group®}, title = {{New APT32 Malware Campaign Targets Cambodian Government}}, date = {2020-11-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf}, language = {English}, urldate = {2020-11-11} } @techreport{group:20201203:egregor:a56f637, author = {Insikt Group®}, title = {{Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot}}, date = {2020-12-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf}, language = {English}, urldate = {2020-12-08} } @online{group:20201204:tibet:42fc885, author = {Insikt Group®}, title = {{Tibet and Taiwan Targeted in Spearphishing Campaigns Using MESSAGEMANIFOLD Malware}}, date = {2020-12-04}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/messagemanifold-malware-spearphishing-campaigns/}, language = {English}, urldate = {2020-12-08} } @techreport{group:20201210:exploit:9c6663c, author = {Insikt Group®}, title = {{Exploit Kits though in Decline, Remain Powerful Tool for Delivering Malware}}, date = {2020-12-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1210.pdf}, language = {English}, urldate = {2020-12-14} } @techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } @online{group:20210217:dont:807d211, author = {Strategic Threat Advisory Group and Falcon OverWatch Team}, title = {{Don’t Get Schooled: Understanding the Threats to the Academic Industry}}, date = {2021-02-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/academia-threat-landscape-2020-analysis/}, language = {English}, urldate = {2021-02-20} } @techreport{group:20210225:business:9e4763a, author = {Insikt Group®}, title = {{The Business of Fraud: An Overview of How Cybercrime Gets Monetized}}, date = {2021-02-25}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0224.pdf}, language = {English}, urldate = {2021-02-26} } @techreport{group:20210228:chinalinked:2fb1230, author = {Insikt Group®}, title = {{China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf}, language = {English}, urldate = {2021-03-04} } @online{group:20210228:chinalinked:ce3b62d, author = {Insikt Group®}, title = {{China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions}}, date = {2021-02-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redecho-targeting-indian-power-sector/}, language = {English}, urldate = {2021-03-31} } @techreport{group:20210312:dewmode:c28007f, author = {Insikt Group®}, title = {{DEWMODE Web Shell Used on Accellion FTA Appliances}}, date = {2021-03-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf}, language = {English}, urldate = {2021-03-16} } @online{group:20210317:chinalinked:65b251b, author = {Insikt Group®}, title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}}, date = {2021-03-17}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/china-linked-ta428-threat-group}, language = {English}, urldate = {2021-03-19} } @techreport{group:20210324:myanmar:f99a20a, author = {Insikt Group®}, title = {{Myanmar Coup and Internet Censorship Pushes Civilians to Underground Forums, Dark Web}}, date = {2021-03-24}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0324.pdf}, language = {English}, urldate = {2021-03-25} } @online{group:20210325:suspected:5b0078f, author = {Insikt Group®}, title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}}, date = {2021-03-25}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/}, language = {English}, urldate = {2021-03-30} } @techreport{group:20210421:iranlinked:3eb0720, author = {Insikt Group®}, title = {{Iran-Linked Threat Actor The MABNA Institute’s Operations in 2020}}, date = {2021-04-21}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0421.pdf}, language = {English}, urldate = {2021-05-04} } @online{group:20210505:chinas:0d77f3f, author = {Insikt Group®}, title = {{China’s PLA Unit 61419 Purchasing Foreign Antivirus Products, Likely for Exploitation}}, date = {2021-05-05}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/china-pla-unit-purchasing-antivirus-exploitation/}, language = {English}, urldate = {2021-05-08} } @techreport{group:20210511:business:36b4351, author = {Insikt Group®}, title = {{The Business of Fraud: Drops and Mules}}, date = {2021-05-11}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0511.pdf}, language = {English}, urldate = {2021-05-21} } @techreport{group:20210602:threats:d878fa3, author = {Insikt Group®}, title = {{Threats to Asian Communities in North America, Europe, and Oceania}}, date = {2021-06-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0602.pdf}, language = {English}, urldate = {2021-06-16} } @online{group:20210603:oauths:50516b7, author = {Secureworks Adversary Group and Counter Threat Unit ResearchTeam}, title = {{OAuth’s Device Code Flow Abused in Phishing Attacks}}, date = {2021-06-03}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks}, language = {English}, urldate = {2021-06-22} } @techreport{group:20210616:threat:d585785, author = {Insikt Group®}, title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}}, date = {2021-06-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf}, language = {English}, urldate = {2022-07-29} } @online{group:20210708:chinese:4a012a2, author = {Insikt Group}, title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}}, date = {2021-07-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan}, language = {English}, urldate = {2022-07-25} } @online{group:20210708:chinese:98d34d3, author = {Insikt Group®}, title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}}, date = {2021-07-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/}, language = {English}, urldate = {2021-07-12} } @techreport{group:20210715:threats:c0bb112, author = {Insikt Group®}, title = {{Threats to the 2020 Tokyo Olympic Games}}, date = {2021-07-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0715.pdf}, language = {English}, urldate = {2021-07-20} } @online{group:20210727:blackmatter:db85bfb, author = {Insikt Group®}, title = {{BlackMatter Ransomware Emerges As Successor to DarkSide, REvil}}, date = {2021-07-27}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/}, language = {English}, urldate = {2021-07-29} } @techreport{group:20210727:chinas:6cab907, author = {Insikt Group®}, title = {{China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road}}, date = {2021-07-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0727.pdf}, language = {English}, urldate = {2021-07-29} } @techreport{group:20210729:beijing:553baa8, author = {Insikt Group®}, title = {{“Beijing One Pass” Employee Benefits Software Exhibits Spyware Characteristics}}, date = {2021-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf}, language = {English}, urldate = {2021-08-02} } @techreport{group:20210804:protect:283486d, author = {Insikt Group®}, title = {{Protect Against BlackMatter Ransomware Before It’s Offered}}, date = {2021-08-04}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf}, language = {English}, urldate = {2021-08-06} } @online{group:20210811:amid:63ffd85, author = {Insikt Group®}, title = {{Amid Boom in Phishing, Fraudsters Target Customers of Small and Mid-sized Banks}}, date = {2021-08-11}, organization = {GEMINI}, url = {https://geminiadvisory.io/amid-phishing-boom-fraudsters-target-small-and-mid-sized-banks/}, language = {English}, urldate = {2021-09-10} } @techreport{group:20210817:operation:65bec11, author = {Insikt Group®}, title = {{Operation Secondary Infektion Continues Targeting Democratic Institutions and Regional Geopolitics}}, date = {2021-08-17}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0817.pdf}, language = {English}, urldate = {2021-09-10} } @online{group:20210818:china:f0a7872, author = {Insikt Group®}, title = {{China Propaganda Network Targets BBC Media, UK in Large-Scale Influence Campaign}}, date = {2021-08-18}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/china-propaganda-targets-bbc-uk/}, language = {English}, urldate = {2021-09-10} } @techreport{group:20210825:business:3b66301, author = {Insikt Group®}, title = {{The Business of Fraud SIM Swapping}}, date = {2021-08-25}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0825.pdf}, language = {English}, urldate = {2021-09-10} } @techreport{group:20210909:dark:cd6bb6a, author = {Insikt Group}, title = {{Dark Covenant: Connections Between the Russian State and Criminal Actors}}, date = {2021-09-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf}, language = {English}, urldate = {2021-09-10} } @techreport{group:20210914:fullspectrum:fdc7b06, author = {Insikt Group®}, title = {{Full-Spectrum Cobalt Strike Detection}}, date = {2021-09-14}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf}, language = {English}, urldate = {2021-09-19} } @techreport{group:20210921:chinalinked:8959683, author = {Insikt Group®}, title = {{China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware}}, date = {2021-09-21}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf}, language = {English}, urldate = {2021-10-11} } @online{group:20210928:4:069b441, author = {Insikt Group®}, title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}}, date = {2021-09-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/}, language = {English}, urldate = {2021-10-11} } @techreport{group:20210928:business:ea7e9d5, author = {Insikt Group®}, title = {{The Business of Fraud: Laundering Funds in the Criminal Underground}}, date = {2021-09-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0928.pdf}, language = {English}, urldate = {2021-10-11} } @techreport{group:20211005:illegal:e392c73, author = {Insikt Group®}, title = {{Illegal Activities Endure on China's Dark Web Despite Strict Internet Control}}, date = {2021-10-05}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1005.pdf}, language = {English}, urldate = {2021-10-11} } @techreport{group:20211014:redline:66899ec, author = {Insikt Group®}, title = {{RedLine Stealer Is Key Source of Identity Data for Criminal Shops}}, date = {2021-10-14}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf}, language = {English}, urldate = {2021-10-24} } @online{group:20211019:wethenorth:25e1d7a, author = {Insikt Group®}, title = {{WeTheNorth: A New Canadian Dark Web Marketplace}}, date = {2021-10-19}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/wethenorth-canadian-dark-web/}, language = {English}, urldate = {2021-10-26} } @techreport{group:20211020:operation:4aa3fa8, author = {Insikt Group®}, title = {{Operation Secondary Infektion Targets Pfizer Vaccine}}, date = {2021-10-20}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1020.pdf}, language = {English}, urldate = {2021-10-26} } @techreport{group:20211026:operation:d62f1dd, author = {Insikt Group®}, title = {{Operation Secondary Infektion Impersonates Swedish Riksdag, Targets European Audiences}}, date = {2021-10-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1026.pdf}, language = {English}, urldate = {2021-11-03} } @online{group:20211028:termination:4175963, author = {Insikt Group®}, title = {{Termination of Federal Unemployment Programs Represents Turning Point for Fraudsters}}, date = {2021-10-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/termination-federal-unemployment-programs-turning-point-fraudsters/}, language = {English}, urldate = {2021-11-03} } @techreport{group:20211112:business:6d6cffa, author = {Insikt Group®}, title = {{The Business of Fraud: Botnet Malware Dissemination}}, date = {2021-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf}, language = {English}, urldate = {2021-11-17} } @techreport{group:20211116:cyber:0ae037b, author = {Insikt Group®}, title = {{Cyber Threats to Veterans in 2021: Spam and Scams Exploit Support for Veterans}}, date = {2021-11-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1116.pdf}, language = {English}, urldate = {2021-11-19} } @techreport{group:20211208:chinese:98ded4d, author = {Insikt Group®}, title = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}}, date = {2021-12-08}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf}, language = {English}, urldate = {2021-12-23} } @online{group:20211214:full:565c012, author = {Insikt Group}, title = {{Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE}}, date = {2021-12-14}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells}, language = {English}, urldate = {2022-07-05} } @online{group:20211214:full:5bf0cac, author = {Insikt Group®}, title = {{Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE}}, date = {2021-12-14}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/}, language = {English}, urldate = {2022-01-24} } @online{group:20211221:chinas:f8995bd, author = {Insikt Group® and Charity Wright}, title = {{China’s Narrative War on Democracy}}, date = {2021-12-21}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinas-narrative-war-democracy/}, language = {English}, urldate = {2022-01-24} } @techreport{group:20220111:combating:fff1c8d, author = {Insikt Group®}, title = {{Combating Human Trafficking With Threat Intelligence}}, date = {2022-01-11}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0111.pdf}, language = {English}, urldate = {2022-01-24} } @techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } @techreport{group:20220126:threats:43033da, author = {Insikt Group®}, title = {{Threats to the 2022 Winter Olympics}}, date = {2022-01-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0126.pdf}, language = {English}, urldate = {2022-01-31} } @online{group:20220128:whispergate:304e5df, author = {Insikt Group®}, title = {{WhisperGate Malware Corrupts Computers in Ukraine}}, date = {2022-01-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/}, language = {English}, urldate = {2022-02-04} } @techreport{group:20220203:elephants:d06354f, author = {Insikt Group®}, title = {{Elephants Must Learn to Street Dance: The Chinese Communist Party’s Appeal to Youth in Overseas Propaganda}}, date = {2022-02-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0203.pdf}, language = {English}, urldate = {2022-02-10} } @online{group:20220218:executive:4b26e68, author = {Insikt Group®}, title = {{Executive Overview of Russian Aggression Against Ukraine}}, date = {2022-02-18}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/executive-overview-of-russian-aggression-against-ukraine/}, language = {English}, urldate = {2022-02-26} } @techreport{group:20220302:hermeticwiper:66c202b, author = {Insikt Group}, title = {{HermeticWiper and PartyTicket Targeting Computers in Ukraine}}, date = {2022-03-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf}, language = {English}, urldate = {2022-03-04} } @techreport{group:20220307:2021:758281e, author = {Insikt Group®}, title = {{2021 Brand Intelligence Trends}}, date = {2022-03-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0307.pdf}, language = {English}, urldate = {2022-03-22} } @online{group:20220308:media:066824f, author = {Insikt Group®}, title = {{The Media Environment and Domestic Public Opinion in China Toward Russia’s War On Ukraine}}, date = {2022-03-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/media-environment-domestic-public-opinion-china-russias-war-ukraine/}, language = {English}, urldate = {2022-03-22} } @techreport{group:20220310:inside:cd11c0a, author = {Insikt Group®}, title = {{Inside China’s National Defense Mobilization Reform: Capacity Surveys, Mobilization Resources, and “New-Type” Militias}}, date = {2022-03-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0310.pdf}, language = {English}, urldate = {2022-03-22} } @techreport{group:20220315:2021:a379e48, author = {Insikt Group®}, title = {{2021 Malware and TTP Threat Landscape}}, date = {2022-03-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0315.pdf}, language = {English}, urldate = {2022-03-22} } @techreport{group:20220318:ghostwriter:907199b, author = {Insikt Group®}, title = {{Ghostwriter in the Shell: Expanding on Mandiant’s Attribution of UNC1151 to Belarus}}, date = {2022-03-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0318.pdf}, language = {English}, urldate = {2022-03-22} } @techreport{group:20220324:isaacwiper:82f3d6d, author = {Insikt Group}, title = {{IsaacWiper Continues Trend of Wiper Attacks Against Ukraine}}, date = {2022-03-24}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf}, language = {English}, urldate = {2022-03-25} } @online{group:20220324:isaacwiper:ee6aace, author = {Insikt Group®}, title = {{IsaacWiper Continues Trend of Wiper Attacks Against Ukraine}}, date = {2022-03-24}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/}, language = {English}, urldate = {2022-03-25} } @techreport{group:20220324:russian:b033b71, author = {Insikt Group®}, title = {{Russian State-Sponsored Amplification of Bio Lab Disinformation Amid War in Ukraine}}, date = {2022-03-24}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0324.pdf}, language = {English}, urldate = {2022-05-05} } @online{group:20220330:social:cd7cb6f, author = {Insikt Group}, title = {{Social Engineering Remains Key Tradecraft for Iranian APTs}}, date = {2022-03-30}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/social-engineering-remains-key-tradecraft-for-iranian-apts/}, language = {English}, urldate = {2022-04-05} } @techreport{group:20220330:social:e36c4e5, author = {Insikt Group}, title = {{Social Engineering Remains Key Tradecraft for Iranian APTs}}, date = {2022-03-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf}, language = {English}, urldate = {2022-04-05} } @online{group:20220331:chinalinked:505848d, author = {Insikt Group}, title = {{China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware}}, date = {2022-03-31}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group}, language = {English}, urldate = {2024-02-08} } @online{group:20220406:continued:cdf57e5, author = {Insikt Group}, title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group}}, date = {2022-04-06}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/}, language = {English}, urldate = {2022-04-12} } @techreport{group:20220406:continued:dcee8d2, author = {Insikt Group®}, title = {{Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (TAG-38)}}, date = {2022-04-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf}, language = {English}, urldate = {2022-08-05} } @techreport{group:20220503:solardeflection:1470221, author = {Insikt Group®}, title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}}, date = {2022-05-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf}, language = {English}, urldate = {2022-05-04} } @online{group:20220503:solardeflection:5419c1a, author = {Insikt Group}, title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}}, date = {2022-05-03}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/}, language = {English}, urldate = {2022-05-06} } @techreport{group:20220719:amid:e54f780, author = {Insikt Group®}, title = {{Amid Rising Magecart Attacks on Online Ordering Platforms, Recent Campaigns Infect 311 Restaurants}}, date = {2022-07-19}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf}, language = {English}, urldate = {2022-07-25} } @techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } @techreport{group:20220816:redalpha:5bfb9a3, author = {Insikt Group®}, title = {{RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations}}, date = {2022-08-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf}, language = {English}, urldate = {2022-08-30} } @techreport{group:20220919:russianexus:e07ed8e, author = {Insikt Group®}, title = {{Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine}}, date = {2022-09-19}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf}, language = {English}, urldate = {2022-09-26} } @techreport{group:20220920:threat:b6666bd, author = {Insikt Group®}, title = {{Threat Actors Continue to Abuse Google Tag Manager for Payment Card e-Skimming}}, date = {2022-09-20}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0920.pdf}, language = {English}, urldate = {2022-09-26} } @techreport{group:20220922:chinese:9349a24, author = {Insikt Group®}, title = {{Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets}}, date = {2022-09-22}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf}, language = {English}, urldate = {2022-09-26} } @techreport{group:20220928:1:eb11b21, author = {Insikt Group®}, title = {{1 KEY FOR 1 LOCK: The Chinese Communist Party’s Strategy for Targeted Propaganda}}, date = {2022-09-28}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-2022-0928.pdf}, language = {English}, urldate = {2022-09-30} } @online{group:20221129:suspected:117e3c8, author = {Insikt Group}, title = {{Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank}}, date = {2022-11-29}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank}, language = {English}, urldate = {2023-11-17} } @online{group:20221205:exposing:4181968, author = {Insikt Group}, title = {{Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations}}, date = {2022-12-05}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations}, language = {English}, urldate = {2023-01-03} } @techreport{group:20221205:exposing:b80717f, author = {Insikt Group}, title = {{Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations}}, date = {2022-12-05}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf}, language = {English}, urldate = {2023-01-03} } @techreport{group:20221222:reddelta:7469cca, author = {Insikt Group}, title = {{RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant}}, date = {2022-12-22}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf}, language = {English}, urldate = {2024-07-17} } @techreport{group:20230126:bluebravo:9d6aa62, author = {Insikt Group}, title = {{BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware}}, date = {2023-01-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf}, language = {English}, urldate = {2023-02-02} } @techreport{group:20230215:fog:0d99aaa, author = {Google Threat Analysis Group and Mandiant}, title = {{Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape}}, date = {2023-02-15}, institution = {Google}, url = {https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf}, language = {English}, urldate = {2023-03-13} } @techreport{group:20230330:with:95ccd1c, author = {Insikt Group}, title = {{With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets}}, date = {2023-03-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf}, language = {English}, urldate = {2023-07-27} } @online{group:20230419:ukraine:a273927, author = {Google Threat Analysis Group}, title = {{Ukraine remains Russia’s biggest cyber focus in 2023}}, date = {2023-04-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/}, language = {English}, urldate = {2023-07-12} } @online{group:20230420:xiaoqiyinggenesis:4bc08b2, author = {Insikt Group}, title = {{Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan}}, date = {2023-04-20}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan}, language = {English}, urldate = {2023-12-04} } @online{group:20230516:oilalpha:bed1acd, author = {Insikt Group}, title = {{OilAlpha: A Likely Pro-Houthi Group Targeting Entities Across the Arabian Peninsula}}, date = {2023-05-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/oilalpha-likely-pro-houthi-group-targeting-arabian-peninsula}, language = {English}, urldate = {2023-12-04} } @techreport{group:20230620:bluedelta:3a84c78, author = {Insikt Group}, title = {{BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities}}, date = {2023-06-20}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0620.pdf}, language = {English}, urldate = {2023-07-11} } @online{group:20230620:bluedelta:a2c6423, author = {Insikt Group}, title = {{BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities}}, date = {2023-06-20}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers}, language = {English}, urldate = {2023-07-11} } @techreport{group:20230727:bluebravo:b456f7d, author = {Insikt Group}, title = {{BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware}}, date = {2023-07-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf}, language = {English}, urldate = {2023-07-28} } @techreport{group:20230802:bluecharlie:04c90f9, author = {Insikt Group}, title = {{BlueCharlie, Previously Tracked as TAG 53, Continues to Deploy New Infrastructure in 2023}}, date = {2023-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0802.pdf}, language = {English}, urldate = {2023-08-03} } @online{group:20230802:bluecharlie:9374ec9, author = {Insikt Group}, title = {{BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023}}, date = {2023-08-02}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023}, language = {English}, urldate = {2024-11-25} } @online{group:20230802:bluecharlie:a86e294, author = {Insikt Group}, title = {{BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023}}, date = {2023-08-02}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023}, language = {English}, urldate = {2023-08-03} } @techreport{group:20230807:redhotel:ee4dd20, author = {Insikt Group}, title = {{RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale}}, date = {2023-08-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf}, language = {English}, urldate = {2023-08-09} } @techreport{group:20230919:multiyear:84b50f8, author = {Insikt Group}, title = {{Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities}}, date = {2023-09-19}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf}, language = {English}, urldate = {2023-09-20} } @online{group:20231031:prolific:e4f06e8, author = {Infoblox Threat Intelligence Group}, title = {{Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime}}, date = {2023-10-31}, organization = {Infoblox}, url = {https://blogs.infoblox.com/cyber-threat-intelligence/prolific-puma-shadowy-link-shortening-service-enables-cybercrime/}, language = {English}, urldate = {2023-11-13} } @techreport{group:20240109:2023:2f0c4c3, author = {Insikt Group}, title = {{2023 Adversary Infrastructure Report}}, date = {2024-01-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf}, language = {English}, urldate = {2024-01-10} } @techreport{group:20240217:russiaaligned:77aebac, author = {Insikt Group}, title = {{Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign}}, date = {2024-02-17}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf}, language = {English}, urldate = {2024-02-20} } @online{group:20240513:exploring:b009010, author = {Insikt Group}, title = {{Exploring the Depths of SolarMarker's Multi-tiered Infrastructure}}, date = {2024-05-13}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/exploring-the-depths-of-solarmarkers-multi-tiered-infrastructure}, language = {English}, urldate = {2024-05-15} } @online{group:20240530:grus:103ceb8, author = {Insikt Group}, title = {{GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns}}, date = {2024-05-30}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp}, language = {English}, urldate = {2024-12-16} } @techreport{group:20240530:grus:a238aff, author = {Insikt Group}, title = {{GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns}}, date = {2024-05-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf}, language = {English}, urldate = {2024-12-16} } @online{group:20240612:insights:b9e390b, author = {Google Threat Analysis Group and Mandiant}, title = {{Insights on Cyber Threats Targeting Users and Enterprises in Brazil}}, date = {2024-06-12}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil}, language = {English}, urldate = {2024-12-11} } @online{group:20240617:travels:2958a03, author = {Insikt Group}, title = {{The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications}}, date = {2024-06-17}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers}, language = {English}, urldate = {2024-12-09} } @online{group:20240624:chinese:f515aee, author = {Insikt Group}, title = {{Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation}}, date = {2024-06-24}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter}, language = {English}, urldate = {2024-12-09} } @techreport{group:20240716:tag100:17773bf, author = {Insikt Group}, title = {{TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies}}, date = {2024-07-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf}, language = {English}, urldate = {2024-07-22} } @online{group:20240716:tag100:c7d86b7, author = {Insikt Group}, title = {{TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies}}, date = {2024-07-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign}, language = {English}, urldate = {2025-02-19} } @techreport{group:20240926:rhadamanthys:caf357d, author = {Insikt Group}, title = {{Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0}}, date = {2024-09-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2024-0926.pdf}, language = {English}, urldate = {2024-09-27} } @techreport{group:20241009:outmaneuvering:79a2a27, author = {Insikt Group}, title = {{Outmaneuvering Rhysida: How Advanced Threat Intelligence Shields Critical Infrastructure from Ransomware}}, date = {2024-10-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf}, language = {English}, urldate = {2024-11-14} } @techreport{group:20241024:russian:66d9023, author = {Insikt Group}, title = {{Russian Strategic Information Attack for Catastrophic Effect}}, date = {2024-10-24}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/ta-ru-2024-1024.pdf}, language = {English}, urldate = {2025-02-03} } @online{group:20241028:hybrid:3210e9d, author = {Google Threat Analysis Group}, title = {{Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives}}, date = {2024-10-28}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en}, language = {English}, urldate = {2024-10-29} } @online{group:20241028:hybrid:bf511ac, author = {Google Threat Analysis Group}, title = {{Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives | Google Cloud Blog}}, date = {2024-10-28}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives}, language = {English}, urldate = {2025-02-03} } @online{group:20241112:chinanexus:25f27f5, author = {Insikt Group}, title = {{China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike}}, date = {2024-11-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites}, language = {English}, urldate = {2024-12-06} } @techreport{group:20241112:chinanexus:b904cb9, author = {Insikt Group}, title = {{China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike}}, date = {2024-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf}, language = {English}, urldate = {2024-11-17} } @techreport{group:20241121:russiaaligned:6f1eeb2, author = {Insikt Group}, title = {{Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY}}, date = {2024-11-21}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-1121.pdf}, language = {English}, urldate = {2025-02-01} } @techreport{group:20241205:bluealpha:fcd45e1, author = {Insikt Group}, title = {{BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure}}, date = {2024-12-05}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf}, language = {English}, urldate = {2025-02-03} } @online{group:20250107:unveiling:a1c2ccc, author = {Insikt Group}, title = {{Unveiling Russian Surveillance Tech Expansion in Central Asia and Latin America}}, date = {2025-01-07}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/tracking-deployment-russian-surveillance-technologies-central-asia-latin-america}, language = {English}, urldate = {2025-02-03} } @techreport{group:20250109:chinese:3971888, author = {Insikt Group}, title = {{Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain}}, date = {2025-01-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0109.pdf}, language = {English}, urldate = {2025-01-15} } @online{group:20250130:tag124s:0ae2622, author = {Insikt Group}, title = {{TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base}}, date = {2025-01-30}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base}, language = {English}, urldate = {2025-05-20} } @techreport{group:20250130:tag124s:5bf75fd, author = {Insikt Group}, title = {{TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base}}, date = {2025-01-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2025-0130.pdf}, language = {English}, urldate = {2025-05-20} } @online{group:20250213:redmike:1e11cf2, author = {Insikt Group}, title = {{RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers}}, date = {2025-02-13}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices}, language = {English}, urldate = {2025-02-13} } @online{group:20250327:phishing:d050046, author = {Infoblox Threat Intelligence Group}, title = {{A Phishing Tale of DoH and DNS MX Abuse}}, date = {2025-03-27}, organization = {Infoblox}, url = {https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/}, language = {English}, urldate = {2025-04-09} } @online{group:20250429:uncovering:b651687, author = {Insikt Group}, title = {{Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting}}, date = {2025-04-29}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting}, language = {English}, urldate = {2025-05-01} } @techreport{group:20250501:terrastealerv2:5840361, author = {Insikt Group}, title = {{TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered}}, date = {2025-05-01}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2025-0501.pdf}, language = {English}, urldate = {2025-05-12} } @online{group:20250501:terrastealerv2:da9f5d6, author = {Insikt Group® and Insikt Group}, title = {{TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered}}, date = {2025-05-01}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/terrastealerv2-and-terralogger}, language = {English}, urldate = {2025-05-19} } @online{group:20250506:telegram:0939c46, author = {Infoblox Threat Intelligence Group}, title = {{Telegram Tango: Dancing with a Scammer}}, date = {2025-05-06}, organization = {Infoblox}, url = {https://blogs.infoblox.com/threat-intelligence/telegram-tango-dancing-with-a-scammer/}, language = {English}, urldate = {2025-05-20} } @techreport{group:20250522:russiaaligned:2969601, author = {Insikt Group}, title = {{Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Templates}}, date = {2025-05-22}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf}, language = {English}, urldate = {2025-05-26} } @online{group:20250522:russiaaligned:b68b14a, author = {Insikt Group}, title = {{Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents}}, date = {2025-05-22}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled}, language = {English}, urldate = {2025-05-26} } @online{group:20250612:vexing:0f1f219, author = {Infoblox Threat Intelligence Group}, title = {{Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal}}, date = {2025-06-12}, organization = {Infoblox}, url = {https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/}, language = {English}, urldate = {2025-06-20} } @online{group:20250613:grayalpha:b338a6f, author = {Insikt Group}, title = {{GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT}}, date = {2025-06-13}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat}, language = {English}, urldate = {2025-06-17} } @techreport{groupib:201603:buhtrap:65fd758, author = {Group-IB}, title = {{BUHTRAP: The Evolution of Targetted Attacks Against Financial Instituitions}}, date = {2016-03}, institution = {Group-IB}, url = {https://www.group-ib.com/brochures/gib-buhtrap-report.pdf}, language = {English}, urldate = {2020-01-12} } @techreport{groupib:2016:analysis:1fb7334, author = {Group-IB}, title = {{Analysis of Attacks against Trading and Bank Card Systems}}, date = {2016}, institution = {Group-IB}, url = {https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf}, language = {English}, urldate = {2021-02-09} } @online{groupib:2016:cron:ef29ee9, author = {Group-IB}, title = {{Cron has fallen}}, date = {2016}, organization = {Group-IB}, url = {http://blog.group-ib.com/cron}, language = {English}, urldate = {2020-01-13} } @online{groupib:20170330:hitech:c13f74b, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2016}}, date = {2017-03-30}, organization = {Group-IB}, url = {https://www.slideshare.net/Group-IB/hitech-crime-trends-2016-73985957}, language = {English}, urldate = {2021-02-09} } @techreport{groupib:20170530:lazarus:642e890, author = {Group-IB}, title = {{Lazarus Arisen: Architecture, Techniques and Attribution}}, date = {2017-05-30}, institution = {Group-IB}, url = {https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf}, language = {English}, urldate = {2023-08-10} } @techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} } @techreport{groupib:2017:hitech:c572a55, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2017}}, date = {2017}, institution = {Group-IB}, url = {http://www.jard.me/source/brochure/10_1508253838.pdf}, language = {English}, urldate = {2021-02-09} } @techreport{groupib:20180522:anunak:97d0646, author = {Group-IB and Fox-IT}, title = {{Anunak: APT against financial institutions}}, date = {2018-05-22}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf}, language = {English}, urldate = {2020-01-06} } @online{groupib:20180905:silence:6886d17, author = {Group-IB}, title = {{Silence: Moving into the Darkside}}, date = {2018-09-05}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/silence}, language = {English}, urldate = {2019-12-18} } @online{groupib:201810:hitech:420711f, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2018}}, date = {2018-10}, organization = {Group-IB}, url = {https://explore.group-ib.com/htct/hi-tech_crime_2018}, language = {English}, urldate = {2022-04-25} } @techreport{groupib:2018:evolution:888e07c, author = {Group-IB}, title = {{The evolution of ransomware and its distribution methods}}, date = {2018}, institution = {Group-IB}, url = {https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf}, language = {English}, urldate = {2021-02-09} } @online{groupib:20190328:groupib:e9956d2, author = {Group-IB and Pavel Krylov and Rustam Mirkasymov}, title = {{Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications}}, date = {2019-03-28}, organization = {Group-IB}, url = {https://www.group-ib.com/media/gustuff/}, language = {English}, urldate = {2019-07-09} } @online{groupib:20190529:catching:7efa4c2, author = {Group-IB}, title = {{Catching fish in muddy waters}}, date = {2019-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/muddywater/}, language = {English}, urldate = {2023-06-19} } @online{groupib:201908:attacks:9da5611, author = {Group-IB}, title = {{Attacks by Silence}}, date = {2019-08}, organization = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence.html}, language = {English}, urldate = {2020-01-07} } @techreport{groupib:201908:silence:1845381, author = {Group-IB}, title = {{Silence 2.0 - Going Global}}, date = {2019-08}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf}, language = {English}, urldate = {2019-12-17} } @online{groupib:202008:redcurl:90777d5, author = {Group-IB}, title = {{RedCurl: The Pentest You Didn’t Know About}}, date = {2020-08}, organization = {Group-IB}, url = {https://go.group-ib.com/report-redcurl-en?_gl=1*t8hou9*_ga*MTY4NTg1NzA4Ny4xNzA4MDk1MjMx*_ga_QMES53K3Y2*MTcwODA5NTIzMC4xLjEuMTcwODA5NjAyNy45LjAuMA..}, language = {English}, urldate = {2024-02-16} } @techreport{groupib:202008:redcurl:f95e316, author = {Group-IB}, title = {{RedCurl: The pentest you didn’t know about}}, date = {2020-08}, institution = {Group-IB}, url = {https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf}, language = {English}, urldate = {2021-03-02} } @techreport{groupib:20201201:egregor:37e5698, author = {Group-IB and Oleg Skulkin and Semyon Rogachev and Roman Rezvukhin}, title = {{Egregor ransomware: The legacy of Maze lives on}}, date = {2020-12-01}, institution = {Group-IB}, url = {https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf}, language = {English}, urldate = {2021-01-21} } @online{groupib:20210405:kremlin:8dce4d6, author = {Group-IB}, title = {{Kremlin RATs from Nigeria}}, date = {2021-04-05}, organization = {Group-IB}, url = {https://blog.group-ib.com/rats_nigeria}, language = {English}, urldate = {2021-06-16} } @online{groupib:20210702:brothers:0b68ead, author = {Group-IB}, title = {{The Brothers Grim - The reversing tale of GrimAgent malware used by Ryuk}}, date = {2021-07-02}, organization = {Group-IB}, url = {https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer}, language = {English}, urldate = {2021-07-06} } @online{groupib:20211110:redcurl:696c9a3, author = {Group-IB}, title = {{REDCURL: The awakening}}, date = {2021-11-10}, organization = {Group-IB}, url = {https://go.group-ib.com/report-redcurl-awakening-en}, language = {English}, urldate = {2023-07-27} } @online{groupib:20211117:redcurl:eee79f0, author = {Group-IB}, title = {{RedCurl: The awakening}}, date = {2021-11-17}, organization = {Group-IB}, url = {https://explore.group-ib.com/redcurl-english-reports/report-redcurl2-eng}, language = {English}, urldate = {2021-11-19} } @online{groupib:20220811:challenge:114c383, author = {Group-IB}, title = {{Challenge accepted Detecting MaliBot, a fresh Android banking trojan, with a Fraud Protection solution}}, date = {2022-08-11}, organization = {Group-IB}, url = {https://blog.group-ib.com/malibot}, language = {English}, urldate = {2022-08-17} } @online{groupib:20221103:opera1er:19d5499, author = {Group-IB}, title = {{OPERA1ER: Playing god without permission}}, date = {2022-11-03}, organization = {Group-IB}, url = {https://explore.group-ib.com/opera1er-eng/report-opera1er-eng}, language = {English}, urldate = {2022-11-06} } @online{groupib:20230111:dark:70a89b8, author = {Group-IB}, title = {{Dark Pink: New APT group targets governmental, military organizations in APAC, Europe}}, date = {2023-01-11}, organization = {Group-IB}, url = {https://www.group-ib.com/media-center/press-releases/dark-pink-apt/}, language = {English}, urldate = {2023-03-24} } @online{groupib:20230331:36gate:9107003, author = {Group-IB}, title = {{36gate: supply chain attack}}, date = {2023-03-31}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social}, language = {English}, urldate = {2023-04-02} } @online{groupib:20231005:lets:08bd64c, author = {Group-IB}, title = {{Let's dig deeper: dissecting the new Android Trojan GoldDigger with Group-IB Fraud Matrix}}, date = {2023-10-05}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/golddigger-fraud-matrix/}, language = {English}, urldate = {2023-10-09} } @online{groupib:20240621:boolka:1e8cba4, author = {Group-IB}, title = {{Boolka Unveiled: From web attacks to modular malware}}, date = {2024-06-21}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/boolka/}, language = {English}, urldate = {2024-10-21} } @online{groupib:20240626:craxs:6a998e2, author = {Group-IB}, title = {{Craxs Rat, the master tool behind fake app scams and banking fraud}}, date = {2024-06-26}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/craxs-rat-malware/}, language = {English}, urldate = {2025-01-07} } @online{groupib:20250313:clickfix:0acf5b0, author = {Group-IB}, title = {{ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims}}, date = {2025-03-13}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/}, language = {English}, urldate = {2025-03-14} } @online{groupibgib:20220916:uber:255f13d, author = {Twitter (@GroupIB_GIB)}, title = {{Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer}}, date = {2022-09-16}, organization = {Group-IB}, url = {https://twitter.com/GroupIB_GIB/status/1570821174736850945}, language = {English}, urldate = {2022-09-19} } @online{grozev:20200505:who:bd9d865, author = {Christo Grozev}, title = {{Who Is Dmitry Badin, The GRU Hacker Indicted By Germany Over The Bundestag Hacks?}}, date = {2020-05-05}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/2020/05/05/who-is-dmitry-badin-the-gru-hacker-indicted-by-germany-over-the-bundestag-hacks/}, language = {English}, urldate = {2020-05-05} } @online{grozev:20250531:hidden:c6dfffa, author = {Christo Grozev and Roman Dobrokhotov and Michael Weiss}, title = {{Hidden Bear: The GRU hackers of Russia’s most notorious kill squad}}, date = {2025-05-31}, organization = {The Insider}, url = {https://theins.press/en/inv/281731}, language = {English}, urldate = {2025-06-02} } @online{gruber:20210804:understanding:ad8ac48, author = {Jan Gruber}, title = {{Understanding BlackMatter's API Hashing}}, date = {2021-08-04}, url = {https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html}, language = {English}, urldate = {2021-08-09} } @online{grujars:20191213:squad:437183d, author = {GrujaRS}, title = {{Tweet on Squad Ransomware}}, date = {2019-12-13}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1205566219971125249}, language = {English}, urldate = {2020-01-08} } @online{grujars:20191227:yarraq:bdde865, author = {GrujaRS}, title = {{Tweet on Yarraq Ransomware}}, date = {2019-12-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1210541690349662209}, language = {English}, urldate = {2020-01-13} } @online{grujars:20200322:new:d94c371, author = {GrujaRS}, title = {{New #VHD (virtual hard disk)#Ransomware extension .vhd!}}, date = {2020-03-22}, url = {https://twitter.com/GrujaRS/status/1241657443282825217}, language = {English}, urldate = {2020-03-27} } @online{grujars:20200427:about:54c4b58, author = {GrujaRS}, title = {{Tweet about spotting goCryptoLocker in the wild}}, date = {2020-04-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1254657823478353920}, language = {English}, urldate = {2020-04-28} } @online{grujars:20200821:new:2433327, author = {GrujaRS}, title = {{New #Morseop #Ransomware}}, date = {2020-08-21}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1296856836944076802?s=20}, language = {English}, urldate = {2021-12-17} } @online{grunzweig:20121213:dexter:339a8fd, author = {Josh Grunzweig}, title = {{The Dexter Malware: Getting Your Hands Dirty}}, date = {2012-12-13}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/}, language = {English}, urldate = {2020-01-06} } @online{grunzweig:20130508:alina:4b70c89, author = {Josh Grunzweig}, title = {{Alina: Casting a Shadow on POS}}, date = {2013-05-08}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/}, language = {English}, urldate = {2020-01-09} } @online{grunzweig:20130517:alina:f668aaf, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 1}}, date = {2013-05-17}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20130603:alina:2c8f3e9, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 2}}, date = {2013-06-03}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20131209:curious:8c64525, author = {Josh Grunzweig}, title = {{The Curious Case of the Malicious IIS Module}}, date = {2013-12-09}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/}, language = {English}, urldate = {2019-12-04} } @online{grunzweig:20140715:unit:0cf98cb, author = {Josh Grunzweig}, title = {{Unit 42 Technical Analysis: Seaduke}}, date = {2014-07-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/}, language = {English}, urldate = {2020-08-19} } @online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20151009:latest:c328965, author = {Josh Grunzweig}, title = {{Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan}}, date = {2015-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160122:new:f7cb504, author = {Josh Grunzweig and Bryan Lee}, title = {{New Attacks Linked to C0d0so0 Group}}, date = {2016-01-22}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160311:powersniff:ca6c14f, author = {Josh Grunzweig and Brandon Levene}, title = {{PowerSniff Malware Used in Macro-based Attacks}}, date = {2016-03-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160314:digital:b6ddc60, author = {Josh Grunzweig and Robert Falcone and Bryan Lee}, title = {{Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government}}, date = {2016-03-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160502:prince:bd368e1, author = {Josh Grunzweig}, title = {{Prince of Persia Hashes}}, date = {2016-05-02}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160524:new:d1cd669, author = {Josh Grunzweig and Mike Scott and Bryan Lee}, title = {{New Wekby Attacks Use DNS Requests As Command and Control Mechanism}}, date = {2016-05-24}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160708:investigating:576bb94, author = {Josh Grunzweig}, title = {{Investigating the LuminosityLink Remote Access Trojan Configuration}}, date = {2016-07-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160816:aveo:6f3cf5c, author = {Josh Grunzweig and Robert Falcone}, title = {{Aveo Malware Family Targets Japanese Speaking Users}}, date = {2016-08-16}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20161004:oilrig:2e3b9e0, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-10-22} } @online{grunzweig:20161004:oilrig:72c4b0e, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170105:dragonok:2b228f2, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20170105:dragonok:f5f73f6, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170315:nexuslogger:5530c6b, author = {Josh Grunzweig}, title = {{NexusLogger: A New Cloud-based Keylogger Enters the Market}}, date = {2017-03-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170420:cardinal:dbe903e, author = {Josh Grunzweig}, title = {{Cardinal RAT Active for Over Two Years}}, date = {2017-04-20}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170928:threat:835bf8e, author = {Josh Grunzweig and Robert Falcone}, title = {{Threat Actors Target Government of Belarus Using CMSTAR Trojan}}, date = {2017-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170928:threat:8a5db81, author = {Josh Grunzweig and Robert Falcone}, title = {{Threat Actors Target Government of Belarus Using CMSTAR Trojan}}, date = {2017-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan}, language = {English}, urldate = {2022-07-25} } @online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180126:tophat:42d9f5d, author = {Josh Grunzweig}, title = {{The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services}}, date = {2018-01-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180417:squirtdanger:86b0da6, author = {Josh Grunzweig and Brandon Levene and Kyle Wilhoit and Pat Litke}, title = {{SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle}}, date = {2018-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20190225:multiple:5d7b857, author = {Josh Grunzweig and Brittany Ash}, title = {{Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan}}, date = {2019-02-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/}, language = {English}, urldate = {2019-12-10} } @online{grunzweig:20191129:fractured:65257b7, author = {Josh Grunzweig and Kyle Wilhoit}, title = {{The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia}}, date = {2019-11-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/}, language = {English}, urldate = {2020-01-12} } @online{grunzweig:20210302:operation:44c264f, author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}}, date = {2021-03-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/}, language = {English}, urldate = {2021-03-07} } @online{grzegorzewski:20210315:incorporating:af7087a, author = {Mark Grzegorzewski and Christopher Marsh}, title = {{Incorporating the Cyberspace Domain: How Russia and China Exploit Asymmetric Advantages in Great Power Competition}}, date = {2021-03-15}, organization = {Modern War Institute}, url = {https://mwi.usma.edu/incorporating-the-cyberspace-domain-how-russia-and-china-exploit-asymmetric-advantages-in-great-power-competition/}, language = {English}, urldate = {2021-03-22} } @online{gtsc:20210303:mild:5077cff, author = {GTSC}, title = {{'Mild' update on Microsoft Exchange 0day security vulnerability being used to attack organizations in Vietnam}}, date = {2021-03-03}, organization = {GTSC}, url = {https://gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html}, language = {Vietnamese}, urldate = {2022-09-08} } @online{gu:20171030:coin:5a1f004, author = {Jason Gu and Veo Zhang and Seven Shen}, title = {{Coin Miner Mobile Malware Returns, Hits Google Play}}, date = {2017-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/}, language = {English}, urldate = {2019-12-24} } @online{gu:20191106:vine:c52aca2, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: a long‑term attack against China}}, date = {2019-11-06}, organization = {VirusBulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/}, language = {English}, urldate = {2025-05-21} } @techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } @online{guan:20211014:attackers:ff202a1, author = {Yue Guan and Jin Chen and Leo Olson and Wayne Xin and Daiping Liu}, title = {{Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes}}, date = {2021-10-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/exploits-interactsh/}, language = {English}, urldate = {2021-10-25} } @online{guardian:20210718:guardians:7ba7cb7, author = {The Guardian}, title = {{The Guardian's covereage on Pegasus Project}}, date = {2021-07-18}, organization = {The Guardian}, url = {https://www.theguardian.com/news/series/pegasus-project}, language = {English}, urldate = {2021-07-24} } @online{guardicore:20200630:botnet:9a0cb16, author = {Guardicore}, title = {{Botnet Encyclopedia}}, date = {2020-06-30}, organization = {Guardicore}, url = {https://www.guardicore.com/botnet-encyclopedia/}, language = {English}, urldate = {2020-07-02} } @online{guarino:20190614:houdini:d6c63fa, author = {Nick Guarino and Aaron Riley}, title = {{Houdini Worm Transformed in New Phishing Attack}}, date = {2019-06-14}, organization = {Cofense}, url = {https://cofense.com/houdini-worm-transformed-new-phishing-attack/}, language = {English}, urldate = {2020-01-08} } @online{guarnieri:20130607:keyboy:58ebd77, author = {Claudio Guarnieri and Mark Schloesser}, title = {{KeyBoy, Targeted Attacks against Vietnam and India}}, date = {2013-06-07}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/}, language = {English}, urldate = {2019-12-20} } @online{guarnieri:20150619:digital:6c1a11b, author = {Claudio Guarnieri}, title = {{Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag}}, date = {2015-06-19}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/}, language = {English}, urldate = {2020-01-10} } @techreport{guarnieri:201608:iran:d15568e, author = {Claudio Guarnieri and Collin Anderson}, title = {{Iran and the Soft Warfor Internet Dominance}}, date = {2016-08}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf}, language = {English}, urldate = {2019-11-26} } @online{guarnieri:20170206:ikittens:b5486bb, author = {Claudio Guarnieri and Collin Anderson}, title = {{iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)}}, date = {2017-02-06}, organization = {Iran Threats}, url = {https://iranthreats.github.io/resources/macdownloader-macos-malware/}, language = {English}, urldate = {2020-01-09} } @online{guarnieri:20210803:pegasus:56d3815, author = {Claudio Guarnieri}, title = {{The Pegasus Project}}, date = {2021-08-03}, organization = {nex.sx}, url = {https://nex.sx/blog/2021/08/03/the-pegasus-project.html}, language = {English}, urldate = {2021-08-06} } @online{gubi:20181017:emergence:670b6fd, author = {Israel Gubi}, title = {{The Emergence of the New Azorult 3.3}}, date = {2018-10-17}, organization = {Check Point}, url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/}, language = {English}, urldate = {2020-01-07} } @online{gubi:20190709:2019:38d9134, author = {Israel Gubi}, title = {{The 2019 Resurgence of Smokeloader}}, date = {2019-07-09}, organization = {Check Point}, url = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/}, language = {English}, urldate = {2020-01-10} } @techreport{guerrerosaade:20170403:penquins:ab46ff3, author = {Juan Andrés Guerrero-Saade and Costin Raiu and Daniel Moore and Thomas Rid}, title = {{Penquin’s Moonlit Maze}}, date = {2017-04-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf}, language = {English}, urldate = {2023-09-25} } @techreport{guerrerosaade:20170825:walking:040671b, author = {Juan Andrés Guerrero-Saade and Costin Raiu}, title = {{Walking in your Enemy's Shadow: When Fourth-Party Collection becomes Attribution Hell}}, date = {2017-08-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf}, language = {English}, urldate = {2022-10-06} } @online{guerrerosaade:20171224:turla:dd95598, author = {Juan Andrés Guerrero-Saade}, title = {{Tweet on Turla Penquin}}, date = {2017-12-24}, organization = {Twitter (@juanandres_gs)}, url = {https://twitter.com/juanandres_gs/status/944741575837528064}, language = {English}, urldate = {2020-01-06} } @techreport{guerrerosaade:201803:penquins:1c6305e, author = {Juan Andrés Guerrero-Saade and Costin Raiu and Daniel Moore and Thomas Rid}, title = {{Penquin's Moonlit Maze}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf}, language = {English}, urldate = {2019-11-25} } @online{guerrerosaade:20180626:redalpha:58724c7, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting the Tibetan Community}}, date = {2018-06-26}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redalpha-cyber-campaigns/}, language = {English}, urldate = {2020-01-07} } @techreport{guerrerosaade:20180626:redalpha:c7f1df0, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting theTibetan Community}}, date = {2018-06-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{guerrerosaade:20190409:flame:4ce4c10, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{Flame 2.0: Risen from the Ashes}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://github.com/juanandresgs/papers/raw/master/Flame%202.0%20Risen%20from%20the%20Ashes.pdf}, language = {English}, urldate = {2022-11-18} } @techreport{guerrerosaade:20190409:oldest:062ea25, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{The Oldest Stuxnet Component Dials Up}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf}, language = {English}, urldate = {2019-12-04} } @online{guerrerosaade:20200422:nazar:0c5eef8, author = {Juan Andrés Guerrero-Saade}, title = {{Nazar: A Lost Amulet}}, date = {2020-04-22}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/the-lost-nazar}, language = {English}, urldate = {2020-05-05} } @online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } @online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } @online{guerrerosaade:20201213:work:734dea4, author = {Juan Andrés Guerrero-Saade}, title = {{The Work of Cyber in the Age of Mechanical Reproduction}}, date = {2020-12-13}, organization = {HITBSecConf}, url = {https://www.youtube.com/watch?v=VnzP00DZlx4}, language = {English}, urldate = {2021-02-06} } @online{guerrerosaade:20210205:voltron:953cec2, author = {Juan Andrés Guerrero-Saade}, title = {{Voltron STA The curious case of 0xFancyFilter}}, date = {2021-02-05}, organization = {EpicTurla}, url = {https://www.epicturla.com/previous-works/hitb2020-voltron-sta}, language = {English}, urldate = {2021-02-06} } @online{guerrerosaade:20210601:noblebaron:20dd227, author = {Juan Andrés Guerrero-Saade}, title = {{NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks}}, date = {2021-06-01}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/}, language = {English}, urldate = {2021-06-09} } @online{guerrerosaade:20210608:thundercats:86527af, author = {Juan Andrés Guerrero-Saade}, title = {{ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op}}, date = {2021-06-08}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op}, language = {English}, urldate = {2022-07-29} } @online{guerrerosaade:20210608:thundercats:8eac3cd, author = {Juan Andrés Guerrero-Saade}, title = {{ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op}}, date = {2021-06-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/}, language = {English}, urldate = {2021-06-09} } @online{guerrerosaade:20210729:meteorexpress:0e9bb5a, author = {Juan Andrés Guerrero-Saade}, title = {{MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with Epic Troll}}, date = {2021-07-29}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/}, language = {English}, urldate = {2021-07-29} } @techreport{guerrerosaade:20210908:egomaniac:9397249, author = {Juan Andrés Guerrero-Saade and Igor Tsemakhovich}, title = {{Egomaniac: An Unscrupulous Turkish-Nexus Threat Actor}}, date = {2021-09-08}, institution = {SentinelOne}, url = {https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf}, language = {English}, urldate = {2021-10-24} } @online{guerrerosaade:20220223:hermeticwiper:b218dda, author = {Juan Andrés Guerrero-Saade}, title = {{HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine}}, date = {2022-02-23}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/}, language = {English}, urldate = {2022-03-01} } @online{guerrerosaade:20220331:acidrain:723eb80, author = {Juan Andrés Guerrero-Saade}, title = {{AcidRain | A Modem Wiper Rains Down on Europe}}, date = {2022-03-31}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/}, language = {English}, urldate = {2022-03-31} } @online{guerrerosaade:20220519:cratedepression:7453bfd, author = {Juan Andrés Guerrero-Saade}, title = {{CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware}}, date = {2022-05-19}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/}, language = {English}, urldate = {2022-05-24} } @online{guerrerosaade:20220922:mystery:225b76e, author = {Juan Andrés Guerrero-Saade and Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski}, title = {{The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities}}, date = {2022-09-22}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/}, language = {English}, urldate = {2023-12-04} } @online{guerrerosaade:20230329:smoothoperator:42df1eb, author = {Juan Andrés Guerrero-Saade}, title = {{SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack}}, date = {2023-03-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/}, language = {English}, urldate = {2023-03-30} } @online{guerrerosaade:20240318:twitter:644ee6e, author = {Juan Andrés Guerrero-Saade}, title = {{Twitter thread on the sample identified}}, date = {2024-03-18}, organization = {Twitter (@juanandres_gs)}, url = {https://twitter.com/juanandres_gs/status/1769726024600768959}, language = {English}, urldate = {2024-03-19} } @online{guertin:20200109:pha:deb82eb, author = {Alec Guertin and Vadim Kotov}, title = {{PHA Family Highlights: Bread (and Friends)}}, date = {2020-01-09}, organization = {Google}, url = {https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html}, language = {English}, urldate = {2020-01-20} } @online{guibernau:20220429:attack:52c55b9, author = {Francis Guibernau and Jackson Wells}, title = {{Attack Graph Response to UNC1151 Continued Targeting of Ukraine}}, date = {2022-04-29}, organization = {AttackIQ}, url = {https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/}, language = {English}, urldate = {2022-05-04} } @online{guibernau:20230105:emulating:04eb5ed, author = {Francis Guibernau and Ken Towne}, title = {{Emulating the Highly Sophisticated North Korean Adversary Lazarus Group}}, date = {2023-01-05}, organization = {AttackIQ}, url = {https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/}, language = {English}, urldate = {2023-01-10} } @online{guillois:20200729:sodinokibi:6d76347, author = {Nicolas Guillois}, title = {{Sodinokibi / REvil Malware Analysis}}, date = {2020-07-29}, organization = {AmosSys}, url = {https://blog.amossys.fr/sodinokibi-malware-analysis.html}, language = {English}, urldate = {2020-08-31} } @online{guinet:20200829:emulating:45c0c16, author = {Adrien Guinet}, title = {{Emulating NotPetya bootloader with Miasm}}, date = {2020-08-29}, organization = {Aguinet}, url = {https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html}, language = {English}, urldate = {2020-09-04} } @online{guirakhoo:20200312:how:cf2276f, author = {Alex Guirakhoo}, title = {{How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation}}, date = {2020-03-12}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/}, language = {English}, urldate = {2020-03-19} } @online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } @online{gupta:20220707:abcsoup:3a37549, author = {Nipun Gupta}, title = {{ABCsoup: The Malicious Adware Extension with 350 Variants}}, date = {2022-07-07}, organization = {zimperium}, url = {https://blog.zimperium.com/abc-soup-the-malicious-adware-extension-with-350-variants/}, language = {English}, urldate = {2022-07-12} } @online{gurney:20220520:metastealer:d3c2f0e, author = {Peter Gurney}, title = {{Metastealer – filling the Racoon void}}, date = {2022-05-20}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/}, language = {English}, urldate = {2023-01-31} } @online{guru:20240613:guest:4643c3f, author = {Guru}, title = {{Guest Blog: Ox Security on learning from the Recent GitHub Extortion Campaigns}}, date = {2024-06-13}, organization = {IT Security Guru}, url = {https://www.itsecurityguru.org/2024/06/13/guest-blog-proactive-application-security-learning-from-the-recent-github-extortion-campaigns/}, language = {English}, urldate = {2024-12-11} } @online{gurubaran:20220316:destructive:f915ddf, author = {Gurubaran}, title = {{Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations}}, date = {2022-03-16}, organization = {Cyber Security News}, url = {https://cybersecuritynews.com/destructive-data-wiper-malware/}, language = {English}, urldate = {2022-03-17} } @online{gurubaran:20220324:gimmick:c00d183, author = {Gurubaran}, title = {{GIMMICK Malware Attacks macOS to Attack Organizations Across Asia}}, date = {2022-03-24}, organization = {Cyber Security News}, url = {https://cybersecuritynews.com/gimmick-malware-attacks/}, language = {English}, urldate = {2022-03-25} } @online{gurubaran:20220404:acidrain:e53d7e4, author = {Gurubaran}, title = {{AcidRain Wiper Malware hit Routers and Modems, Haults Communication}}, date = {2022-04-04}, organization = {Cyber Security News}, url = {https://cybersecuritynews.com/acidrain-wiper-malware/}, language = {English}, urldate = {2022-04-07} } @online{gutierrez:20121220:trojanstabuniq:3e7b380, author = {Fred Gutierrez}, title = {{Trojan.Stabuniq Found on Financial Institution Servers}}, date = {2012-12-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers}, language = {English}, urldate = {2020-01-10} } @online{gutierrez:20201216:adversary:3b3781a, author = {Fred Gutierrez and Val Saengphaibul}, title = {{Adversary Playbook: JavaScript RAT Looking for that Government Cheese}}, date = {2020-12-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese}, language = {English}, urldate = {2021-01-18} } @online{gutierrez:20210503:spearphishing:4dced65, author = {Fred Gutierrez and Val Saengphaibul}, title = {{Spearphishing Attack Uses COVID-21 Lure to Target Ukrainian Government}}, date = {2021-05-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spearphishing-attack-uses-covid-21-lure-to-target-ukrainian-government}, language = {English}, urldate = {2021-05-04} } @online{gutierrez:20210517:newly:65d872f, author = {Fred Gutierrez and Gayathri Thirugnanasambandam and Val Saengphaibul}, title = {{Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions}}, date = {2021-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions}, language = {English}, urldate = {2021-05-19} } @online{gutierrez:20220224:nobelium:46d943e, author = {Fred Gutierrez}, title = {{Nobelium Returns to the Political World Stage}}, date = {2022-02-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage}, language = {English}, urldate = {2022-03-02} } @online{gutierrez:20220511:please:f67f45c, author = {Fred Gutierrez}, title = {{Please Confirm You Received Our APT}}, date = {2022-05-11}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt}, language = {English}, urldate = {2022-05-17} } @online{gutierrez:20220602:threat:6713237, author = {Fred Gutierrez and Shunichi Imano and James Slaughter and Gergely Revay}, title = {{Threat Actors Prey on Eager Travelers}}, date = {2022-06-02}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers}, language = {English}, urldate = {2022-06-15} } @online{gutirrez:20200929:cerberus:91f4508, author = {Norman Gutiérrez}, title = {{Cerberus and Alien: the malware that has put Android in a tight spot}}, date = {2020-09-29}, organization = {The Missing Report}, url = {https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/}, language = {English}, urldate = {2021-07-20} } @online{gutnikov:20220803:ddos:d7e5854, author = {Alexander Gutnikov and Oleg Kupreev and Yaroslav Shmelev}, title = {{DDoS attacks in Q2 2022}}, date = {2022-08-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/ddos-attacks-in-q2-2022/107025/}, language = {English}, urldate = {2023-12-04} } @online{guttman:20180620:meet:6ecec40, author = {Dalya Guttman}, title = {{Meet MyloBot – A New Highly Sophisticated Never-Seen-Before Botnet That’s Out In The Wild}}, date = {2018-06-20}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/}, language = {English}, urldate = {2021-11-19} } @online{guy:20220130:how:27007ac, author = {The Devops Guy}, title = {{How I reversed a NodeJS malware and found the author}}, date = {2022-01-30}, organization = {Itnext}, url = {https://itnext.io/how-i-reversed-a-nodejs-malware-and-found-the-author-7dd9531b389f}, language = {English}, urldate = {2022-02-04} } @online{gyujin:20250212:suspected:169d81b, author = {Shin Gyu-jin}, title = {{Suspected North Korean hacker hacks a large number of data from a government document system developer}}, date = {2025-02-12}, organization = {Donga}, url = {https://www.donga.com/news/Society/article/all/20250212/131012660/2}, language = {Korean}, urldate = {2025-02-18} } @online{gzkk:20210610:netwire:e6fa34d, author = {Fatma Nur Gözüküçük and Fatma Helin Çakmak and Hakan Soysal and Halil Filik and Yasin Mersin}, title = {{NetWire Technical Analysis Report}}, date = {2021-06-10}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view}, language = {English}, urldate = {2021-06-16} } @online{h4ck:20141108:review:85ad7e4, author = {H4ck}, title = {{Review of jSpy a RAT from jSpy.net}}, date = {2014-11-08}, organization = {How-To-Hack.net}, url = {https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/}, language = {English}, urldate = {2019-07-31} } @online{h:20200316:new:60f8c3d, author = {Jeremy H and Axel F and Proofpoint Threat Insight Team}, title = {{New RedLine Stealer Distributed Using Coronavirus-themed Email Campaign}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign}, language = {English}, urldate = {2020-03-17} } @online{haag:20210104:malleable:ab64356, author = {Michael Haag}, title = {{Malleable C2 Profiles and You}}, date = {2021-01-04}, organization = {Medium haggis-m}, url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929}, language = {English}, urldate = {2021-01-05} } @online{haag:20220228:parsing:7eb8f68, author = {The Haag}, title = {{Tweet on parsing Daxin driver metadata using powershell}}, date = {2022-02-28}, organization = {Twitter (@M_haggis)}, url = {https://twitter.com/M_haggis/status/1498399791276912640}, language = {English}, urldate = {2022-03-07} } @online{hackdig:20160217:russian:41104f7, author = {HackDig}, title = {{Russian Police Prevented Massive Banking Sector Cyber Attack}}, date = {2016-02-17}, url = {http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm}, language = {English}, urldate = {2020-06-03} } @online{hackdig:20200812:antiys:0d7e73e, author = {HackDig}, title = {{Antiy's analysis report on the recent APT attacks against the Green Spot organization}}, date = {2020-08-12}, url = {http://www.hackdig.com/08/hack-107672.htm}, language = {Chinese}, urldate = {2020-08-14} } @online{hacker:20171011:more:9040492, author = {Wraith Hacker}, title = {{More info on 'Evolved DNSMessenger'}}, date = {2017-10-11}, organization = {Wraith Hacker Blog}, url = {http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/}, language = {English}, urldate = {2019-10-12} } @online{hacker:20210409:investigating:2b6f30a, author = {Emily Hacker and Justin Carroll and Microsoft 365 Defender Threat Intelligence Team}, title = {{Investigating a unique “form” of email delivery for IcedID malware}}, date = {2021-04-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/}, language = {English}, urldate = {2021-04-12} } @online{hacking:20201229:how:401dbfb, author = {Guided Hacking}, title = {{How to Unpack Ramnit Dropper - Malware Unpacking Tutorial 2}}, date = {2020-12-29}, organization = {Youtube (Guided Hacking)}, url = {https://www.youtube.com/watch?v=l6ZunH6YG0A}, language = {English}, urldate = {2021-01-11} } @online{hacking:20220311:malware:5ba0aa9, author = {Black Hat Ethical Hacking}, title = {{Malware Posing as Russia DDoS Tool Bites Ukraine Hackers}}, date = {2022-03-11}, url = {https://www.blackhatethicalhacking.com/news/malware-posing-as-russia-ddos-tool-bites-ukraine-hackers/}, language = {English}, urldate = {2022-03-14} } @online{hacking:20230503:polyglot:dade492, author = {Guided Hacking}, title = {{PolyGlot Malware Analysis​ - IcedID Stager}}, date = {2023-05-03}, organization = {Youtube (Guided Hacking)}, url = {https://www.youtube.com/watch?v=4j8t9kFLFIY}, language = {English}, urldate = {2023-05-05} } @online{hackirby:20231025:skuld:72f2c7f, author = {hackirby}, title = {{Skuld Stealer}}, date = {2023-10-25}, organization = {Github (hackirby)}, url = {https://github.com/hackirby/skuld}, language = {English}, urldate = {2025-06-25} } @online{hackmanac:20240307:duvel:0b767c1, author = {HackManac}, title = {{Duvel reportedly compromised by Stormous ransomware group}}, date = {2024-03-07}, organization = {Twitter (@H4ckManac)}, url = {https://twitter.com/H4ckManac/status/1765707886246723617}, language = {English}, urldate = {2024-05-14} } @online{hackmanac:20240709:data:2783017, author = {HackManac}, title = {{Tweet on data breaches caused by 888 group}}, date = {2024-07-09}, organization = {Twitter (@H4ckManac)}, url = {https://twitter.com/H4ckManac/status/1810569160180515171}, language = {English}, urldate = {2024-08-29} } @online{hacknpatch:20220315:exploring:5399622, author = {HackNPatch}, title = {{Tweet on Exploring CaddyWiper API resolution}}, date = {2022-03-15}, organization = {Twitter (@HackNPatch)}, url = {https://twitter.com/HackPatch/status/1503538555611607042}, language = {English}, urldate = {2022-03-28} } @online{hacks4pancakes:20170628:why:8053178, author = {hacks4pancakes}, title = {{Why NotPetya Kept Me Awake (& You Should Worry Too)}}, date = {2017-06-28}, url = {https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/}, language = {English}, urldate = {2020-01-09} } @online{hacktivities:20220130:rig:bcf7a45, author = {Medium (Hacktivities)}, title = {{Rig Exploitation Kit Infection — Malware Traffic Analysis}}, date = {2022-01-30}, organization = {Medium System Weakness}, url = {https://systemweakness.com/rig-exploitation-kit-infection-malware-traffic-analysis-70fd1b430fdc}, language = {English}, urldate = {2022-02-02} } @online{hacquebord:20151022:pawn:8231722, author = {Feike Hacquebord}, title = {{Pawn Storm Targets MH17 Investigation Team}}, date = {2015-10-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/}, language = {English}, urldate = {2020-01-10} } @online{hacquebord:20191212:more:a1e84b7, author = {Feike Hacquebord and Cedric Pernet and Kenney Lu}, title = {{More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting}}, date = {2019-12-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/}, language = {English}, urldate = {2020-01-13} } @techreport{hacquebord:20200311:pawn:d7ef8ae, author = {Feike Hacquebord}, title = {{Pawn Storm in 2019: A Year of Scanning and Credential Phishing on High-Profile Targets}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf}, language = {English}, urldate = {2020-03-19} } @online{hacquebord:20201217:pawn:0e42861, author = {Feike Hacquebord and Lord Alfred Remorin}, title = {{Pawn Storm’s Lack of Sophistication as a Strategy}}, date = {2020-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html}, language = {English}, urldate = {2020-12-19} } @online{hacquebord:20220317:cyclops:14c374f, author = {Feike Hacquebord and Stephen Hilt and Fernando Mercês}, title = {{Cyclops Blink Sets Sights on Asus Routers}}, date = {2022-03-17}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html}, language = {English}, urldate = {2022-03-17} } @techreport{hacquebord:20220317:cyclops:dea832b, author = {Feike Hacquebord and Stephen Hilt and Fernando Mercês}, title = {{Cyclops Blink Sets Sights on Asus Routers (Appendix)}}, date = {2022-03-17}, institution = {Trendmicro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf}, language = {English}, urldate = {2022-03-17} } @online{hacquebord:20221108:deimosc2:961543e, author = {Feike Hacquebord and Stephen Hilt and Fernando Mercês}, title = {{DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework}}, date = {2022-11-08}, url = {https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html}, language = {English}, urldate = {2023-02-21} } @online{hacquebord:20230530:void:83fcde4, author = {Feike Hacquebord and Stephen Hilt and Fernando Mercês and Lord Alfred Remorin}, title = {{Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals}}, date = {2023-05-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html}, language = {English}, urldate = {2023-05-30} } @online{hacquebord:20240131:pawn:876f2e6, author = {Feike Hacquebord and Fernando Mercês}, title = {{Pawn Storm Uses Brute Force and Stealth Against High-Value Targets}}, date = {2024-01-31}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html}, language = {English}, urldate = {2024-02-02} } @online{hacquebord:20240501:router:ffa44c4, author = {Feike Hacquebord and Fernando Mercês}, title = {{Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks}}, date = {2024-05-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/24/e/router-roulette.html}, language = {English}, urldate = {2024-12-20} } @online{hacquebord:20241118:inside:5e55f74, author = {Feike Hacquebord and Fernando Mercês}, title = {{Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices}}, date = {2024-11-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/k/water-barghest.html}, language = {English}, urldate = {2024-11-25} } @online{hacquebord:20241118:inside:aba5987, author = {Feike Hacquebord and Fernando Mercês}, title = {{Inside Water Barghests Rapid Exploit-to-Market Strategy for IoT Devices}}, date = {2024-11-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/de_de/research/24/k/water-barghest.html}, language = {English}, urldate = {2024-11-25} } @online{hacquebord:20241217:earth:0fd223d, author = {Feike Hacquebord and Stephen Hilt}, title = {{Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks}}, date = {2024-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html}, language = {English}, urldate = {2025-02-03} } @online{hacquebord:20250423:russian:20f3c10, author = {Feike Hacquebord and Stephen Hilt}, title = {{Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations}}, date = {2025-04-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html}, language = {English}, urldate = {2025-04-27} } @online{hada:20201015:pandas:962b364, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 1 Tmanger}}, date = {2020-10-15}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger}, language = {Japanese}, urldate = {2020-10-19} } @online{hada:20201118:pandas:f87f080, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 2 Albaniiutas}}, date = {2020-11-18}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas}, language = {Japanese}, urldate = {2020-11-25} } @online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } @online{hada:20210218:ncctrojan:04c46fc, author = {Hiroki Hada}, title = {{nccTrojan used in targeted attack by TA428 group against defense and aviation organizations}}, date = {2021-02-18}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan}, language = {Japanese}, urldate = {2021-02-18} } @online{hada:20210310:pseudogatespelevo:79a6fdf, author = {Hiroki Hada}, title = {{日本を標的としたPseudoGateキャンペーンによるSpelevo Exploit Kitを用いた攻撃について}}, date = {2021-03-10}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit}, language = {Japanese}, urldate = {2021-03-11} } @online{hada:20211008:malware:bfcbd46, author = {Hiroki Hada and Rintaro Koike and Fumio Ozawa}, title = {{Malware Flagpro used by targeted attack group BlackTech}}, date = {2021-10-08}, organization = {NTT}, url = {https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro}, language = {Japanese}, urldate = {2021-10-24} } @online{hada:20211228:flagpro:1263fb7, author = {Hiroki Hada}, title = {{Flagpro: The new malware used by BlackTech}}, date = {2021-12-28}, organization = {NTT}, url = {https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech}, language = {English}, urldate = {2021-12-31} } @online{hadar:20180116:globeimposter:6a2afda, author = {Alon Hadar}, title = {{GlobeImposter Ransomware}}, date = {2018-01-16}, organization = {enSilo}, url = {https://blog.ensilo.com/globeimposter-ransomware-technical}, language = {English}, urldate = {2019-07-09} } @online{hadi:20201214:learning:f4175a9, author = {Ali Hadi}, title = {{Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor}}, date = {2020-12-14}, organization = {Youtube (Ali Hadi)}, url = {https://www.youtube.com/watch?v=cMauHTV-lJg}, language = {English}, urldate = {2020-12-18} } @online{hage:20240419:vwkonzern:d1f96ac, author = {Simon Hage and Christoph Giesen and Hakan Tanriverdi}, title = {{VW-Konzern wurde jahrelang ausspioniert – von China?}}, date = {2024-04-19}, organization = {Spiegel Online}, url = {https://archive.is/LJFEF}, language = {German}, urldate = {2024-04-19} } @online{hahn:20161027:procleanerexe:bde4a80, author = {Karsten Hahn}, title = {{Tweet on procleaner.exe}}, date = {2016-10-27}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/791535679905927168}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161218:unlock92:31d2259, author = {Karsten Hahn}, title = {{Tweet on Unlock92 Ransomware}}, date = {2016-12-18}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810753660737073153}, language = {English}, urldate = {2020-01-07} } @online{hahn:20161219:cryptoblock:cd82b17, author = {Karsten Hahn}, title = {{Tweet on CryptoBlock}}, date = {2016-12-19}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810770490491043840}, language = {English}, urldate = {2020-01-06} } @online{hahn:20161221:manifestus:d86e48c, author = {Karsten Hahn}, title = {{Tweet on Manifestus Ransomware}}, date = {2016-12-21}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/811587154983981056}, language = {English}, urldate = {2020-01-13} } @online{hahn:20161224:derialock:4ab9ba7, author = {Karsten Hahn}, title = {{Tweet on DeriaLock}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812601286088597505}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161224:kokokrypt:fb647ed, author = {Karsten Hahn}, title = {{Tweet on KoKoKrypt}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812726545173401600}, language = {English}, urldate = {2020-01-08} } @online{hahn:20170105:comradecircle:246172d, author = {Karsten Hahn}, title = {{Tweet on ComradeCircle Ransomware}}, date = {2017-01-05}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/816926371867926528}, language = {English}, urldate = {2020-01-13} } @online{hahn:20170118:spora:43d64d0, author = {Karsten Hahn}, title = {{Spora - the Shortcut Worm that is also a Ransomware}}, date = {2017-01-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware}, language = {English}, urldate = {2019-10-15} } @online{hahn:20171203:malware:b8a77b5, author = {Karsten Hahn}, title = {{Malware Analysis - ROKRAT Unpacking from Injected Shellcode}}, date = {2017-12-03}, url = {https://www.youtube.com/watch?v=uoBQE5s2ba4}, language = {English}, urldate = {2020-01-12} } @online{hahn:20180109:hiddentear:372b79c, author = {Karsten Hahn}, title = {{Tweet on HiddenTear Sample}}, date = {2018-01-09}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/950787783353884672}, language = {English}, urldate = {2019-12-04} } @online{hahn:20190520:yggdrasil:5a23fde, author = {Karsten Hahn}, title = {{Tweet on Yggdrasil / CinaRAT}}, date = {2019-05-20}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1130455143504318466}, language = {English}, urldate = {2020-01-13} } @online{hahn:20190612:ransomware:9bc503f, author = {Karsten Hahn}, title = {{Ransomware identification for the judicious analyst}}, date = {2019-06-12}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2019/06/31666-ransomware-identification-for-the-judicious-analyst}, language = {English}, urldate = {2024-11-25} } @online{hahn:20190812:malware:99a7057, author = {Karsten Hahn}, title = {{Malware Naming Hell Part 1: Taming the mess of AV detection names}}, date = {2019-08-12}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2019/08/35146-taming-the-mess-of-av-detection-names}, language = {English}, urldate = {2024-11-25} } @online{hahn:20191121:stop:a5c8118, author = {Karsten Hahn and Stefan Karpenstein}, title = {{STOP Ransomware: Finger weg von illegalen Software-Downloads}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads}, language = {English}, urldate = {2020-01-10} } @online{hahn:20200206:40000:3a0d792, author = {Karsten Hahn}, title = {{40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger}}, date = {2020-02-06}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger}, language = {English}, urldate = {2020-04-02} } @online{hahn:20200402:pekraut:479527e, author = {Karsten Hahn}, title = {{Pekraut - German RAT starts gnawing}}, date = {2020-04-02}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing}, language = {English}, urldate = {2020-04-06} } @online{hahn:20200412:kokokrypt:570299f, author = {Karsten Hahn}, title = {{Tweet on KokoKrypt decryption}}, date = {2020-04-12}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1249386991197847558}, language = {English}, urldate = {2024-05-15} } @online{hahn:20200616:new:124c3d1, author = {Karsten Hahn}, title = {{New Java STRRAT ships with .crimson ransomware module}}, date = {2020-06-16}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/strrat-crimson}, language = {English}, urldate = {2020-06-16} } @online{hahn:20200624:discordtokenstealer:2b4cc58, author = {Karsten Hahn}, title = {{Tweet on DiscordTokenStealer}}, date = {2020-06-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1275731035184156675}, language = {English}, urldate = {2020-06-24} } @online{hahn:20200901:dll:2af82dc, author = {Karsten Hahn}, title = {{DLL Fixer leads to Cyrat Ransomware}}, date = {2020-09-01}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/cyrat-ransomware}, language = {English}, urldate = {2020-09-01} } @online{hahn:20201021:trat:389d7f3, author = {Karsten Hahn}, title = {{T-RAT 2.0: Malware control via smartphone}}, date = {2020-10-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/trat-control-via-smartphone}, language = {English}, urldate = {2024-05-14} } @online{hahn:20201105:babax:3e78762, author = {Karsten Hahn}, title = {{Babax stealer rebrands to Osno, installs rootkit}}, date = {2020-11-05}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit}, language = {English}, urldate = {2020-11-06} } @online{hahn:20201201:icerat:bc43ba0, author = {Karsten Hahn}, title = {{IceRat evades antivirus by running PHP on Java VM}}, date = {2020-12-01}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp}, language = {English}, urldate = {2020-12-03} } @online{hahn:20210123:malware:36b6878, author = {Karsten Hahn}, title = {{Malware Analysis - Fileless GooLoad static analysis and unpacking}}, date = {2021-01-23}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=BcFbkjUVc7o}, language = {English}, urldate = {2021-04-14} } @online{hahn:20210128:sn0wslogger:962b2fd, author = {Karsten Hahn}, title = {{Tweet on Sn0wsLogger malware}}, date = {2021-01-28}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1354806038805897216}, language = {English}, urldate = {2021-01-29} } @online{hahn:20210217:sectoprat:f578681, author = {Karsten Hahn}, title = {{SectopRAT: New version adds encrypted communication}}, date = {2021-02-17}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication}, language = {English}, urldate = {2023-02-06} } @online{hahn:20210607:malware:12e4c70, author = {Karsten Hahn}, title = {{Malware family naming hell is our own fault}}, date = {2021-06-07}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/malware-family-naming-hell}, language = {English}, urldate = {2021-06-09} } @online{hahn:20210608:picture:5667a54, author = {Karsten Hahn}, title = {{Picture this: Malware Hides in Steam Profile Images}}, date = {2021-06-08}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2021/06/36861-malware-hides-in-steam-profile-images}, language = {English}, urldate = {2023-09-04} } @online{hahn:20210617:network:63e106b, author = {Karsten Hahn}, title = {{Tweet on Network filter rootkit driver signed by Microsoft}}, date = {2021-06-17}, organization = {struppigel}, url = {https://twitter.com/struppigel/status/1405483373280235520}, language = {English}, urldate = {2021-06-22} } @online{hahn:20210625:microsoft:7ba11af, author = {Karsten Hahn and Takahiro Haruyama and Johann Aydinbas and Florian Roth}, title = {{Microsoft signed a malicious Netfilter rootkit}}, date = {2021-06-25}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit}, language = {English}, urldate = {2021-06-29} } @online{hahn:20210930:all:8e82a0c, author = {Karsten Hahn}, title = {{All your hashes are belong to us: An overview of malware hashing algorithms}}, date = {2021-09-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2021/09/an-overview-of-malware-hashing-algorithms}, language = {English}, urldate = {2021-10-20} } @online{hahn:20220119:malware:293c00c, author = {Karsten Hahn}, title = {{Malware vaccines can prevent pandemics, yet are rarely used}}, date = {2022-01-19}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/01/malware-vaccines}, language = {English}, urldate = {2023-03-24} } @online{hahn:20220203:qr:16d5c91, author = {Karsten Hahn}, title = {{QR codes on Twitter deliver malicious Chrome extension}}, date = {2022-02-03}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension}, language = {English}, urldate = {2023-11-23} } @online{hahn:20220214:allcome:4f9515e, author = {Karsten Hahn}, title = {{Allcome clipbanker is a newcomer in underground forums}}, date = {2022-02-14}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums}, language = {English}, urldate = {2022-09-28} } @online{hahn:20220228:gofing:a128982, author = {Karsten Hahn}, title = {{Tweet on Gofing discovery}}, date = {2022-02-28}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1498229809675214849}, language = {English}, urldate = {2022-03-18} } @online{hahn:20220308:kazyloader:9ce00d5, author = {Karsten Hahn}, title = {{Tweet on KazyLoader}}, date = {2022-03-08}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1501105224819392516}, language = {English}, urldate = {2022-03-08} } @online{hahn:20220309:tweets:85df9d1, author = {Karsten Hahn}, title = {{Tweets detailing NominatusToxicBattery}}, date = {2022-03-09}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1501473254787198977}, language = {English}, urldate = {2022-11-21} } @online{hahn:20220324:ginzo:3ae1c21, author = {Karsten Hahn}, title = {{Tweet on Ginzo Stealer}}, date = {2022-03-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1506933328599044100}, language = {English}, urldate = {2022-03-28} } @online{hahn:20220421:criminals:fe00666, author = {Karsten Hahn}, title = {{Criminals provide Ginzo stealer for free, now it is gaining traction}}, date = {2022-04-21}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware}, language = {English}, urldate = {2024-05-06} } @online{hahn:20220715:real:c056bce, author = {Karsten Hahn}, title = {{The real reason why malware detection is hard—and underestimated}}, date = {2022-07-15}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard}, language = {English}, urldate = {2024-11-25} } @online{hahn:20220905:icarus:ed666f8, author = {Karsten Hahn}, title = {{Icarus Stealer}}, date = {2022-09-05}, url = {https://twitter.com/struppigel/status/1566685309093511170}, language = {English}, urldate = {2022-10-14} } @online{hahn:20220921:identifying:6c43476, author = {Karsten Hahn}, title = {{Identifying file manipulation in system files}}, date = {2022-09-21}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2022/09/37511-detecting-file-manipulation-in-system-files}, language = {English}, urldate = {2024-11-25} } @online{hahn:20221125:python:ec3b5d3, author = {Karsten Hahn}, title = {{Python script to decode NightHawk strings}}, date = {2022-11-25}, organization = {Github (struppigel)}, url = {https://github.com/struppigel/hedgehog-tools/blob/main/nighthawk_str_decoder.py}, language = {English}, urldate = {2022-11-28} } @online{hahn:20230403:malware:892e68e, author = {Karsten Hahn}, title = {{Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja}}, date = {2023-04-03}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=fTX-vgSEfjk}, language = {English}, urldate = {2023-04-06} } @online{hahn:20230426:malware:f3053c4, author = {Karsten Hahn}, title = {{Malware Theory - Packer identifiers don"t tell you if a file is packed}}, date = {2023-04-26}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=ozyBOXpKm1I}, language = {English}, urldate = {2023-04-27} } @online{hahn:20230819:malware:71324c3, author = {Karsten Hahn}, title = {{Malware Analysis - Agniane Stealer, Native Stub to .NET Unpacking}}, date = {2023-08-19}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=-KJ0HIvmVl0}, language = {English}, urldate = {2023-08-31} } @online{hahn:20231209:ast:11514a4, author = {Karsten Hahn}, title = {{AST based GootLoader unpacker, C2 extractor and deobfuscator}}, date = {2023-12-09}, organization = {Github (struppigel)}, url = {https://github.com/struppigel/hedgehog-tools/tree/main/gootloader}, language = {English}, urldate = {2023-12-14} } @online{hahn:20240612:new:611e6ea, author = {Karsten Hahn and Anna Lvova}, title = {{New backdoor BadSpace delivered by high-ranking infected websites}}, date = {2024-06-12}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor}, language = {English}, urldate = {2024-06-12} } @online{hahn:20240926:bbtok:b55a40a, author = {Karsten Hahn and Marius Benthin}, title = {{BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell}}, date = {2024-09-26}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader}, language = {English}, urldate = {2024-09-27} } @online{hahn:20250127:malware:7826fbf, author = {Karsten Hahn}, title = {{Malware Analysis - Binary Refinery URL extraction of Multi-Layered PoshLoader for LummaStealer}}, date = {2025-01-27}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=kHU_sPtubCk}, language = {English}, urldate = {2025-01-31} } @online{hahn:20250516:printer:000bcba, author = {Karsten Hahn}, title = {{Printer company provided infected software downloads for half a year}}, date = {2025-05-16}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads}, language = {English}, urldate = {2025-05-19} } @online{hahn:20250623:connectunwise:e82a2c2, author = {Karsten Hahn and Lance Go}, title = {{ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware}}, date = {2025-06-23}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware}, language = {English}, urldate = {2025-06-30} } @online{haigh:20200707:configuring:a0cb3d9, author = {Matthew Haigh and Trevor Haskell}, title = {{Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool}}, date = {2020-07-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/configuring-windows-domain-dynamically-analyze-obfuscated-lateral-movement-tool.html}, language = {English}, urldate = {2020-08-18} } @online{hajime:20180328:quick:2874046, author = {Hajime}, title = {{Quick summary about the Port 8291 scan}}, date = {2018-03-28}, organization = {Netlab}, url = {https://blog.netlab.360.com/quick-summary-port-8291-scan-en/}, language = {English}, urldate = {2020-01-07} } @techreport{hajime:20200117:operation:ef488fd, author = {Takai Hajime}, title = {{Operation Bitter Biscuit}}, date = {2020-01-17}, institution = {NTT Security}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf}, language = {Japanese}, urldate = {2020-07-20} } @online{hajime:20201003:unveiling:826bb2b, author = {Takai Hajime and Shogo Hayashi and Rintaro Koike}, title = {{Unveiling the CryptoMimic}}, date = {2020-10-03}, organization = {VB Localhost}, url = {https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/}, language = {English}, urldate = {2023-05-24} } @online{hakobyan:20231011:hacker:100866d, author = {Narek Hakobyan}, title = {{Hacker Group “Caracal Kitten” Targets KDP Activists With Malware}}, date = {2023-10-11}, organization = {Deform}, url = {https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/}, language = {English}, urldate = {2023-10-12} } @online{haley:20210601:contrarian:6aff18c, author = {Kevin Haley and Jake Williams}, title = {{A Contrarian View on SolarWinds}}, date = {2021-06-01}, organization = {SANS}, url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515}, language = {English}, urldate = {2021-06-21} } @online{halfpop:20220512:harmful:163b756, author = {Tyler Halfpop}, title = {{Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla}}, date = {2022-05-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/}, language = {English}, urldate = {2022-05-17} } @techreport{hall:202001:mandiant:25e38ef, author = {Tom Hall and Mitchell Clarke and Mandiant}, title = {{Mandiant IR Grab Bag of Attacker Activity}}, date = {2020-01}, institution = {FireEye}, url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf}, language = {English}, urldate = {2021-04-16} } @online{hall:20201015:moobots:2aaf302, author = {Chris Hall}, title = {{Moobot's Cloud Migration}}, date = {2020-10-15}, organization = {lacework}, url = {https://www.lacework.com/moobots-cloud-migration/}, language = {English}, urldate = {2020-10-23} } @online{hall:20201110:meet:a741348, author = {Chris Hall}, title = {{Meet Muhstik – IoT Botnet Infecting Cloud Servers}}, date = {2020-11-10}, organization = {lacework}, url = {https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/}, language = {English}, urldate = {2020-11-12} } @online{hall:20210127:groundhog:ba8acfe, author = {Chris Hall}, title = {{Groundhog Botnet Rapidly Infecting Cloud}}, date = {2021-01-27}, organization = {lacework}, url = {https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/}, language = {English}, urldate = {2021-01-29} } @online{hall:20210318:kek:94c6e57, author = {Chris Hall}, title = {{The “Kek Security” Network}}, date = {2021-03-18}, organization = {lacework}, url = {https://www.lacework.com/blog/the-kek-security-network/}, language = {English}, urldate = {2023-03-17} } @online{hall:20210422:sysrvhello:2c8a477, author = {Chris Hall and Jared Stroud}, title = {{Sysrv-Hello Expands Infrastructure}}, date = {2021-04-22}, organization = {lacework}, url = {https://www.lacework.com/sysrv-hello-expands-infrastructure/}, language = {English}, urldate = {2022-05-25} } @online{hall:20210504:cpuminer:db7b10e, author = {Chris Hall}, title = {{Cpuminer & Friends}}, date = {2021-05-04}, organization = {Lacework Labs}, url = {https://www.lacework.com/cpuminer-friends/}, language = {English}, urldate = {2021-05-08} } @online{hall:20210610:keksec:53918f5, author = {Chris Hall}, title = {{Keksec & Tsunami-Ryuk}}, date = {2021-06-10}, organization = {lacework}, url = {https://www.lacework.com/keksec-tsunami-ryuk/}, language = {English}, urldate = {2021-06-16} } @online{hall:20220512:malware:ff2f6a5, author = {Chris Hall and Jared Stroud}, title = {{Malware targeting latest F5 vulnerability}}, date = {2022-05-12}, organization = {Lacework Labs}, url = {https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/}, language = {English}, urldate = {2022-05-17} } @online{hall:20220607:kinsing:8e96c1f, author = {Chris Hall}, title = {{Kinsing & Dark.IoT botnet among threats targeting CVE-2022-26134}}, date = {2022-06-07}, organization = {Lacework Labs}, url = {https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/}, language = {English}, urldate = {2022-06-15} } @online{hall:20241230:catching:ff257bf, author = {Chris Hall}, title = {{Catching "EC2 Grouper"- no indicators required!}}, date = {2024-12-30}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/catching-ec2-grouper-no-indicators-required}, language = {English}, urldate = {2025-01-14} } @online{hallbeck:20220505:contileaks:bf91010, author = {Ryan Hallbeck}, title = {{Contileaks: Identifying, Extracting, & Modeling Bitcoin Addresses}}, date = {2022-05-05}, organization = {YouTube (The Vertex Project)}, url = {https://www.youtube.com/watch?v=cYx7sQRbjGA}, language = {English}, urldate = {2022-05-18} } @online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } @online{hamada:20160725:patchwork:77fa6bb, author = {Joji Hamada}, title = {{Patchwork cyberespionage group expands targets from governments to wide range of industries}}, date = {2016-07-25}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries}, language = {English}, urldate = {2020-01-13} } @online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } @online{hamdan:20230206:malware:9082500, author = {Motasem Hamdan}, title = {{Malware Analysis Basics: Dissecting PE (Portable Executable) Headers | TryHackMe}}, date = {2023-02-06}, organization = {Youtube (Motasem Hamdan)}, url = {https://www.youtube.com/watch?v=f0SZb5vyOHc}, language = {English}, urldate = {2023-02-13} } @online{hamdouni:20250521:obfuscation:5c7b05e, author = {Tesnim Hamdouni and Ian Kretz and Andy Giron and Eslam Salem}, title = {{The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions}}, date = {2025-05-21}, organization = {Datadog}, url = {https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#infection-chains-and-intermediate-payloads}, language = {English}, urldate = {2025-05-22} } @techreport{hamilton:20221013:same:8e18bf4, author = {Booz Allen Hamilton}, title = {{Same Cloak, More Dagger: Decoding how the People's Republic of China uses Cyberattacks}}, date = {2022-10-13}, institution = {Booz Allen Hamilton}, url = {https://www.boozallen.com/content/dam/home/pdf/natsec/china-cyber-report.pdf}, language = {English}, urldate = {2022-10-24} } @techreport{hammond:20210128:analyzing:2f8dae2, author = {John Hammond}, title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}}, date = {2021-01-28}, institution = {Huntress Labs}, url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf}, language = {English}, urldate = {2021-01-29} } @online{hammond:20210301:mozi:5b3568d, author = {John Hammond}, title = {{Mozi Malware - Finding Breadcrumbs...}}, date = {2021-03-01}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=cDFO_MRlg3M}, language = {English}, urldate = {2022-02-19} } @online{hammond:20210303:rapid:7c97ee5, author = {John Hammond}, title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}}, date = {2021-03-03}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers}, language = {English}, urldate = {2021-03-10} } @online{hammond:20210309:hafnium:dc2de8d, author = {John Hammond}, title = {{HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange}}, date = {2021-03-09}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=rn-6t7OygGk}, language = {English}, urldate = {2021-03-12} } @online{hammond:20210405:from:6062bef, author = {John Hammond}, title = {{From PowerShell to Payload: An Analysis of Weaponized Malware}}, date = {2021-04-05}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/from-powershell-to-payload-an-analysis-of-weaponized-malware}, language = {English}, urldate = {2021-05-26} } @online{hammond:20210713:jscript:ba194e0, author = {John Hammond}, title = {{JScript Deobfuscation - More WSHRAT (Malware Analysis)}}, date = {2021-07-13}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=XDAiS6KBDOs}, language = {English}, urldate = {2021-07-26} } @online{hammond:20210720:security:50ec27a, author = {John Hammond}, title = {{Security Researchers’ Hunt to Discover Origins of the Kaseya VSA Mass Ransomware Incident}}, date = {2021-07-20}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident}, language = {English}, urldate = {2021-07-26} } @online{hammond:20210817:analysis:03981d3, author = {Charlotte Hammond and Chris Caridi}, title = {{Analysis of Diavol Ransomware Reveals Possible Link to TrickBot Gang}}, date = {2021-08-17}, organization = {IBM X-Force Exchange}, url = {https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/}, language = {English}, urldate = {2021-08-18} } @online{hammond:20210819:microsoft:a25f571, author = {John Hammond}, title = {{Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit}}, date = {2021-08-19}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit}, language = {English}, urldate = {2021-08-25} } @online{hammond:20210922:snip3:319b687, author = {John Hammond}, title = {{Snip3 Crypter/RAT Loader - DcRat MALWARE ANALYSIS}}, date = {2021-09-22}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=ElqmQDySy48}, language = {English}, urldate = {2021-09-23} } @online{hammond:20220218:uncovering:1c5162c, author = {John Hammond}, title = {{Uncovering NETWIRE Malware - Discovery & Deobfuscation}}, date = {2022-02-18}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=TeQdZxP0RYY}, language = {English}, urldate = {2022-02-19} } @online{hammond:20220225:trickbot:fdf2254, author = {Charlotte Hammond and Ole Villadsen}, title = {{Trickbot Group’s AnchorDNS Backdoor Upgrades to AnchorMail}}, date = {2022-02-25}, organization = {IBM}, url = {https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/}, language = {English}, urldate = {2022-03-02} } @online{hammond:20220301:targeted:c462269, author = {John Hammond}, title = {{Targeted APT Activity: BABYSHARK Is Out for Blood}}, date = {2022-03-01}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood}, language = {English}, urldate = {2022-03-07} } @online{hammond:20220519:itg23:eab10e2, author = {Charlotte Hammond and Ole Villadsen and Golo Mühr}, title = {{ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups}}, date = {2022-05-19}, organization = {IBM}, url = {https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/}, language = {English}, urldate = {2022-05-25} } @online{hammond:20220818:from:501e8ac, author = {Charlotte Hammond and Ole Villadsen}, title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}}, date = {2022-08-18}, organization = {IBM}, url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest}, language = {English}, urldate = {2022-08-28} } @online{hammond:20221004:havoc:ba93acc, author = {John Hammond}, title = {{HAVOC C2 - Demon Bypasses Windows 11 Defender}}, date = {2022-10-04}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=ErPKP4Ms28s}, language = {English}, urldate = {2022-10-12} } @online{hammond:20221122:ransomexx:e8b9e72, author = {Charlotte Hammond}, title = {{RansomExx upgrades to rust}}, date = {2022-11-22}, organization = {IBM Security}, url = {https://securityintelligence.com/x-force/ransomexx-upgrades-rust/}, language = {English}, urldate = {2024-01-08} } @online{hammond:20230330:3cx:bba6690, author = {John Hammond}, title = {{3CX VoIP Software Compromise & Supply Chain Threats}}, date = {2023-03-30}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats}, language = {English}, urldate = {2023-04-02} } @online{hammond:20230414:exconti:67eb7a8, author = {Charlotte Hammond and Ole Villadsen}, title = {{Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor}}, date = {2023-04-14}, organization = {IBM}, url = {https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor}, language = {English}, urldate = {2023-04-18} } @online{hammond:20230414:exconti:6b1a7b5, author = {Charlotte Hammond and Ole Villadsen}, title = {{Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor}}, date = {2023-04-14}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/}, language = {English}, urldate = {2023-04-17} } @online{hammond:20230627:trickbotconti:5e1f20d, author = {Charlotte Hammond and Ole Villadsen}, title = {{The Trickbot/Conti Crypters: Where Are They Now?}}, date = {2023-06-27}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/}, language = {English}, urldate = {2023-07-31} } @online{hammond:20231121:stealthy:057553f, author = {Charlotte Hammond and Ole Villadsen and Kat Metrick}, title = {{Stealthy WailingCrab Malware misuses MQTT Messaging Protocol}}, date = {2023-11-21}, organization = {IBM}, url = {https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/}, language = {English}, urldate = {2023-11-27} } @online{hammond:20240205:pikabot:b0bf95b, author = {John Hammond and Ryan Chapman}, title = {{PikaBot Malware Analysis: Debugging in Visual Studio}}, date = {2024-02-05}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=k2rH0ISuMwE}, language = {English}, urldate = {2024-02-22} } @online{hammond:20250312:leaked:af548f6, author = {John Hammond}, title = {{LEAKED Russian Hackers Internal Chats}}, date = {2025-03-12}, organization = {YouTube (John Hammond)}, url = {https://www.youtube.com/watch?v=cH7BYWbtsfI}, language = {English}, urldate = {2025-03-25} } @online{hammou:20220429:privateloader:1378b6b, author = {Souhail Hammou}, title = {{Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service}}, date = {2022-04-29}, organization = {Intel 471}, url = {https://www.youtube.com/watch?v=Ldp7eESQotM}, language = {English}, urldate = {2022-05-09} } @online{hammou:20230413:from:ec710d3, author = {Souhail Hammou and Jorge Rodriguez}, title = {{From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT}}, date = {2023-04-13}, organization = {Intel 471}, url = {https://www.youtube.com/watch?v=uakw2HMGZ-I}, language = {English}, urldate = {2023-06-23} } @online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } @online{han:20171120:android:c3f825c, author = {Inhee Han}, title = {{Android Malware Appears Linked to Lazarus Cybercrime Group}}, date = {2017-11-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990}, language = {English}, urldate = {2019-12-17} } @online{handler:20230322:5x5conflict:51d39a5, author = {Simon Handler}, title = {{The 5x5—Conflict in Ukraine’s information environment}}, date = {2023-03-22}, organization = {Atlantic Council}, url = {https://www.atlanticcouncil.org/content-series/the-5x5/the-5x5-conflict-in-ukraines-information-environment/}, language = {English}, urldate = {2023-04-25} } @online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hanel:20210831:sidoh:8a5c018, author = {Alexander Hanel}, title = {{Sidoh: WIZARD SPIDER’s Mysterious Exfiltration Tool}}, date = {2021-08-31}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/}, language = {English}, urldate = {2021-09-02} } @online{hankins:20201202:automated:7a91425, author = {Jamie Hankins}, title = {{Automated string de-gobfuscation}}, date = {2020-12-02}, organization = {Kryptos Logic}, url = {https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/}, language = {English}, urldate = {2020-12-08} } @online{hanrahan:20220316:suspected:325fc01, author = {Josh Hanrahan}, title = {{Suspected Conti Ransomware Activity in the Auto Manufacturing Sector}}, date = {2022-03-16}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/}, language = {English}, urldate = {2022-03-17} } @online{hanrahan:20240222:voltzite:935c067, author = {Josh Hanrahan}, title = {{VOLTZITE Espionage Operations Targeting U.S. Critical Systems}}, date = {2024-02-22}, organization = {Dragos}, url = {https://hub.dragos.com/hubfs/116-Datasheets/Dragos_SB_IntelVOLTZITE_Feb24_FINAL_r4.pdf?hsLang=en}, language = {English}, urldate = {2025-01-07} } @online{hansen:20211207:new:d707355, author = {Royal Hansen and Halimah DeLaine Prado}, title = {{New action to combat cyber crime}}, date = {2021-12-07}, organization = {Google}, url = {https://blog.google/technology/safety-security/new-action-combat-cyber-crime/}, language = {English}, urldate = {2021-12-08} } @online{hanson:20220714:trojan:831b636, author = {Sam Hanson}, title = {{The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators}}, date = {2022-07-14}, organization = {Dragos}, url = {https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/}, language = {English}, urldate = {2022-07-18} } @online{hanson:20230505:deep:40a46bc, author = {Sam Hanson}, title = {{Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE}}, date = {2023-05-05}, organization = {Dragos}, url = {https://www.dragos.com/blog/pipedream-mousehole-opcua-module/}, language = {English}, urldate = {2023-05-08} } @online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } @online{haoming:20181129:analysis:6192262, author = {haoming}, title = {{Analysis Report of the Xorddos Malware Family}}, date = {2018-11-29}, organization = {NSFOCUS}, url = {https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/}, language = {English}, urldate = {2020-01-06} } @online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } @online{haq:20121002:blackhole:23fe078, author = {Thoufique Haq}, title = {{Blackhole Exploit Kit – Rise and Evolution}}, date = {2012-10-02}, organization = {SonicWall}, url = {https://blog.sonicwall.com/en-us/2012/10/research-paper-blackhole-exploit-kit-rise-and-evolution-sep-17-2012/}, language = {English}, urldate = {2024-08-01} } @online{haq:20130924:now:3cc13be, author = {Thoufique Haq and Ned Moran}, title = {{Now You See Me - H-worm by Houdini}}, date = {2013-09-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html}, language = {English}, urldate = {2019-12-20} } @online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{haq:20140930:operation:ce4e85c, author = {Thoufique Haq and Ned Moran and Sai Vashisht and Mike Scott}, title = {{OPERATION QUANTUM ENTANGLEMENT}}, date = {2014-09-30}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf}, language = {English}, urldate = {2020-01-08} } @online{haq:20150915:in:3e2de15, author = {Thoufique Haq and Aleksey F}, title = {{In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia}}, date = {2015-09-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia}, language = {English}, urldate = {2024-08-01} } @online{haq:20150924:meet:af24228, author = {Thoufique Haq}, title = {{Meet GreenDispenser: A New Breed of ATM Malware}}, date = {2015-09-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser}, language = {English}, urldate = {2024-08-01} } @online{harakhavik:20190620:danabot:238fce9, author = {Yaroslav Harakhavik and Aliaksandr Chailytko}, title = {{DanaBot Demands a Ransom Payment}}, date = {2019-06-20}, organization = {Check Point}, url = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/}, language = {English}, urldate = {2020-01-07} } @online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } @online{harang:20201214:sophosreversinglabs:20ea30b, author = {Richard Harang}, title = {{Sophos-ReversingLabs (SOREL) 20 Million sample malware dataset}}, date = {2020-12-14}, organization = {Sophos}, url = {https://ai.sophos.com/2020/12/14/sophos-reversinglabs-sorel-20-million-sample-malware-dataset/}, language = {English}, urldate = {2020-12-15} } @online{harbison:20180413:say:920b109, author = {Mike Harbison and Simon Conant}, title = {{Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)}}, date = {2018-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/}, language = {English}, urldate = {2019-12-20} } @online{harbison:20180713:upatre:8d5e804, author = {Mike Harbison and Brittany Ash}, title = {{Upatre Continued to Evolve with new Anti-Analysis Techniques}}, date = {2018-07-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/}, language = {English}, urldate = {2019-12-20} } @online{harbison:20190326:born:4d914c3, author = {Mike Harbison}, title = {{Born This Way? Origins of LockerGoga}}, date = {2019-03-26}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/}, language = {English}, urldate = {2024-03-13} } @online{harbison:20210727:thor:5d6d793, author = {Mike Harbison and Alex Hinchliffe}, title = {{THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group}}, date = {2021-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thor-plugx-variant/}, language = {English}, urldate = {2021-07-29} } @online{harbison:20220705:when:277492d, author = {Mike Harbison and Peter Renals}, title = {{When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors}}, date = {2022-07-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/brute-ratel-c4-tool}, language = {English}, urldate = {2022-07-12} } @online{harbison:20220705:when:7a1f44b, author = {Mike Harbison}, title = {{When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors}}, date = {2022-07-05}, url = {https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/}, language = {English}, urldate = {2022-07-13} } @online{harbison:20220719:russian:acbf388, author = {Mike Harbison and Peter Renals}, title = {{Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive}}, date = {2022-07-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/}, language = {English}, urldate = {2022-07-19} } @online{harbison:20230126:chinese:a83622f, author = {Mike Harbison and Jen Miller-Osborn}, title = {{Chinese PlugX Malware Hidden in Your USB Devices?}}, date = {2023-01-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/}, language = {English}, urldate = {2023-01-27} } @online{hardcastle:20220309:ragnar:0c09884, author = {Jessica Lyons Hardcastle}, title = {{Ragnar ransomware gang hit 52 critical US orgs, says FBI}}, date = {2022-03-09}, organization = {The Register}, url = {https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/}, language = {English}, urldate = {2022-03-10} } @online{hardcastle:20220318:cyclops:5a6072d, author = {Jessica Lyons Hardcastle}, title = {{Cyclops Blink malware sets up shop in ASUS routers}}, date = {2022-03-18}, organization = {The Register}, url = {https://www.theregister.com/2022/03/18/cyclops_asus_routers/}, language = {English}, urldate = {2022-03-22} } @online{hardcastle:20230310:fbi:f026768, author = {Jessica Lyons Hardcastle}, title = {{FBI and international cops catch a NetWire RAT}}, date = {2023-03-10}, organization = {The Register}, url = {https://www.theregister.com/2023/03/10/fbi_netwire_seizure/}, language = {English}, urldate = {2023-03-13} } @online{hardin:20221114:batloader:879d974, author = {Bethany Hardin and Lavine Oluoch and Tatiana Vollbrecht and Deborah Snyder and Nikki Benoit}, title = {{BATLOADER: The Evasive Downloader Malware}}, date = {2022-11-14}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html}, language = {English}, urldate = {2022-11-28} } @online{hardy:20170427:advanced:d1d61c4, author = {Colin Hardy}, title = {{Advanced Banload Analysis}}, date = {2017-04-27}, organization = {ColinGuru}, url = {https://colin.guru/index.php?title=Advanced_Banload_Analysis}, language = {English}, urldate = {2019-12-10} } @online{hardy:20201215:cyberchef:9f25c79, author = {Colin Hardy}, title = {{Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.}}, date = {2020-12-15}, organization = {Twitter @cybercdh)}, url = {https://twitter.com/cybercdh/status/1338885244246765569}, language = {English}, urldate = {2020-12-17} } @online{hardy:20201215:some:5b19d5f, author = {Colin Hardy}, title = {{Tweet on some more capabilties of SUNBURST backdoor}}, date = {2020-12-15}, organization = {Twitter @cybercdh)}, url = {https://twitter.com/cybercdh/status/1338975171093336067}, language = {English}, urldate = {2020-12-18} } @online{hardy:20201216:3:c3e0e68, author = {Colin Hardy}, title = {{Tweet on 3 key actions SUNBURST performs as soon as it's invoked}}, date = {2020-12-16}, organization = {Twitter @cybercdh)}, url = {https://twitter.com/cybercdh/status/1339241246024404994}, language = {English}, urldate = {2020-12-18} } @online{hardy:20201217:sunburst:059bdbe, author = {Colin Hardy}, title = {{SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering}}, date = {2020-12-17}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=JoMwrkijTZ8}, language = {English}, urldate = {2020-12-18} } @online{hardy:20201222:sunburst:78b5056, author = {Colin Hardy}, title = {{SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims}}, date = {2020-12-22}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=mbGN1xqy1jY}, language = {English}, urldate = {2020-12-23} } @online{hardy:20201231:supernova:f852a43, author = {Colin Hardy}, title = {{SUPERNOVA - Everything you need to know to Reverse Engineer an APT WebShell}}, date = {2020-12-31}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=7WX5fCEzTlA}, language = {English}, urldate = {2021-01-04} } @online{haritash:20210322:new:91a4776, author = {Chaitanya Haritash and Shayak Tarafdar}, title = {{New Spear Phishing Campaign using Army Welfare Education Society’s Scholarship form}}, date = {2021-03-22}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/new-spear-phishing-campaign-using-army-welfare-education-societys-scholarship-form/}, language = {English}, urldate = {2021-03-25} } @techreport{haritash:20210709:seqrite:8d36786, author = {Chaitanya Haritash and Nihar Deshpande and Shayak Tarafdar}, title = {{Seqrite uncovers second wave of Operation SideCopy targeting Indian critical infrastructure PSUs}}, date = {2021-07-09}, institution = {Seqrite}, url = {https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf}, language = {English}, urldate = {2021-07-20} } @online{harley:20110302:tdl4:9071c3f, author = {David Harley}, title = {{TDL4 and Glupteba: Piggyback PiggyBugs}}, date = {2011-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/}, language = {English}, urldate = {2019-11-14} } @online{harley:20110714:cycbot:9e18833, author = {David Harley}, title = {{Cycbot: Ready to Ride}}, date = {2011-07-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/}, language = {English}, urldate = {2019-11-14} } @online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } @online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } @online{harpaz:20200401:vollgar:b10972a, author = {Ophir Harpaz}, title = {{THE VOLLGAR CAMPAIGN: MS-SQL SERVERS UNDER ATTACK}}, date = {2020-04-01}, organization = {Guardicore}, url = {https://www.guardicore.com/2020/04/vollgar-ms-sql-servers-under-attack/}, language = {English}, urldate = {2020-04-07} } @online{harpaz:20200819:fritzfrog:c2548e5, author = {Ophir Harpaz}, title = {{FritzFrog: A New Generation Of Peer-To-Peer Botnets}}, date = {2020-08-19}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/fritzfrog-a-new-generation-of-peer-to-peer-botnets}, language = {English}, urldate = {2024-03-25} } @online{harpaz:20201210:pleasereadme:cd5b2b6, author = {Ophir Harpaz and Omri Marom}, title = {{PLEASE_READ_ME: The Opportunistic Ransomware Devastating MySQL Servers}}, date = {2020-12-10}, organization = {Guardicore}, url = {https://www.guardicore.com/labs/please-read-me-opportunistic-ransomware-devastating-mysql-servers/}, language = {English}, urldate = {2020-12-14} } @online{harris:20211019:lightbasin:a69fe0b, author = {Jamie Harris and Dan Meyer}, title = {{LightBasin: A Roaming Threat to Telecommunications Companies}}, date = {2021-10-19}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/}, language = {English}, urldate = {2021-10-24} } @online{harris:20220525:hunting:48d53ea, author = {Jamie Harris}, title = {{Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun}}, date = {2022-05-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/}, language = {English}, urldate = {2022-05-29} } @online{hart:20210126:ransomware:00b2e07, author = {Jamie Hart}, title = {{Ransomware: Analyzing the data from 2020}}, date = {2021-01-26}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/ransomware-analyzing-the-data-from-2020/}, language = {English}, urldate = {2021-02-06} } @online{hartong:20201214:fireeye:d7c17f5, author = {Olaf Hartong}, title = {{FireEye Sunburst KQL Detections}}, date = {2020-12-14}, url = {https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f}, language = {English}, urldate = {2020-12-15} } @online{hartrell:20220408:get:ca47429, author = {Greg Hartrell}, title = {{Get a handle on cd00r: The invisible backdoor}}, date = {2022-04-08}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631}, language = {English}, urldate = {2025-01-24} } @online{hartzell:20220127:programs:788148e, author = {Matthew Hartzell}, title = {{Programs Hacking Programs: How to Extract Memory Information to Spot Linux Malware}}, date = {2022-01-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-extract-memory-information-to-spot-linux-malware/}, language = {English}, urldate = {2022-02-01} } @online{harush:20221007:lofygang:eb11d25, author = {Jossef Harush and Tal Folkman and Aviad Gershon and Raphael Silva and Roman Chikunov and Dor Tumarkin and Yehuda Gelb}, title = {{LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year}}, date = {2022-10-07}, organization = {Checkmarx}, url = {https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/}, language = {English}, urldate = {2023-12-04} } @online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {CarbonBlack}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} } @techreport{haruyama:20191024:defeating:4016e1f, author = {Takahiro Haruyama}, title = {{Defeating APT10 Compiler-level Obfuscations}}, date = {2019-10-24}, institution = {Carbon Black}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf}, language = {English}, urldate = {2020-03-03} } @online{haruyama:20191120:active:a64fb9a, author = {Takahiro Haruyama}, title = {{Active C2 Discovery Using Protocol Emulation Part1 (HYDSEVEN NetWire)}}, date = {2019-11-20}, organization = {vmware}, url = {https://blogs.vmware.com/security/2019/11/active-c2-discovery-using-protocol-emulation-part1-hydseven-netwire.html}, language = {English}, urldate = {2024-11-25} } @online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } @online{haruyama:20200922:detecting:9952ada, author = {Takahiro Haruyama and Omar Elgebaly}, title = {{Detecting Threats in Real-time With Active C2 Information}}, date = {2020-09-22}, organization = {vmware}, url = {https://blogs.vmware.com/security/2020/09/detecting-threats-in-real-time-with-active-c2-information.html}, language = {English}, urldate = {2024-11-25} } @techreport{haruyama:20210224:knock:f4903a2, author = {Takahiro Haruyama}, title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}}, date = {2021-02-24}, institution = {VMWare Carbon Black}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf}, language = {Japanese}, urldate = {2021-02-26} } @online{haruyama:20210615:detecting:63536a8, author = {Takahiro Haruyama}, title = {{Detecting UEFI Bootkits in the Wild (Part 1)}}, date = {2021-06-15}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html}, language = {English}, urldate = {2024-11-25} } @online{haruyama:20211116:monitoring:e4ca54e, author = {Takahiro Haruyama}, title = {{Monitoring Winnti 4.0 C2 Servers for Two Years}}, date = {2021-11-16}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html}, language = {English}, urldate = {2021-11-17} } @techreport{haruyama:20220919:tracking:bffa146, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}}, date = {2022-09-19}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf}, language = {English}, urldate = {2022-11-01} } @online{haruyama:20220926:tracking:c09a48a, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg long term APT malware C2 protocol emulation and scanning}}, date = {2022-09-26}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=qk9XLDBLPXg}, language = {English}, urldate = {2024-04-11} } @techreport{haruyama:20221025:tracking:1f60260, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}}, date = {2022-10-25}, institution = {VMware Threat Analysis Unit}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf}, language = {English}, urldate = {2022-11-01} } @online{haruyama:20221027:threat:2ca123d, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad)}}, date = {2022-10-27}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html}, language = {English}, urldate = {2024-11-25} } @online{haruyama:20221121:threat:7972abc, author = {Takahiro Haruyama and Threat Analysis Unit}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)}}, date = {2022-11-21}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html}, language = {English}, urldate = {2024-11-25} } @online{haruyama:20230114:cb22tracking:b935eca, author = {Takahiro Haruyama}, title = {{[CB22]Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulation and Scanning}}, date = {2023-01-14}, organization = {YouTube (CODE BLUE)}, url = {https://www.youtube.com/watch?v=JF86NQG7M6U}, language = {English}, urldate = {2024-11-25} } @techreport{haruyama:20240701:art:cd7ab24, author = {Takahiro Haruyama}, title = {{The Art of Malware C2 Scanning - How to Reverse and Emulate Protocol Obfuscated by Compiler}}, date = {2024-07-01}, institution = {Speakerdeck (takahiro_haruyama)}, url = {https://files.speakerdeck.com/presentations/6d01e26c85a444d0a3f888e45629635f/hodur_recon2024.pdf}, language = {English}, urldate = {2024-07-10} } @online{harwell:20210718:nso:d4edcd7, author = {Drew Harwell and Craig Timberg}, title = {{NSO Group vows to investigate potential spyware abuse following Pegasus Project investigation}}, date = {2021-07-18}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/}, language = {English}, urldate = {2021-07-21} } @online{hasbini:20150928:gaza:0c6e96e, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza cybergang, where’s your IR team?}}, date = {2015-09-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20160817:operation:9bfa7d2, author = {Mohamad Amin Hasbini}, title = {{Operation Ghoul: targeted attacks on industrial and engineering organizations}}, date = {2016-08-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20160817:operation:db73206, author = {Mohamad Amin Hasbini}, title = {{Operation Ghoul: targeted attacks on industrial and engineering organizations}}, date = {2016-08-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/}, language = {English}, urldate = {2024-02-08} } @online{hasbini:20171030:gaza:7c531cc, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza Cybergang – updated activity in 2017:}}, date = {2017-10-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-updated-2017-activity/82765/}, language = {English}, urldate = {2019-12-20} } @online{haschek:20200608:a1:b166c86, author = {Christian Haschek}, title = {{The A1 Telekom Austria Hack}}, date = {2020-06-08}, organization = {Christian Haschek's Blog}, url = {https://blog.haschek.at/2020/the-a1-telekom-hack.html}, language = {English}, urldate = {2020-06-11} } @online{hasegawa:20181106:threat:ad2bfae, author = {Tatsuya Hasegawa}, title = {{Threat Spotlight: Inside VSSDestroy Ransomware (variant of Matrix Ransom)}}, date = {2018-11-06}, organization = {Cylance}, url = {https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware}, language = {English}, urldate = {2021-02-06} } @online{hasegawa:20190313:blackberry:328f6a5, author = {Tatsuya Hasegawa}, title = {{BlackBerry Cylance vs. Tinba Banking Trojan}}, date = {2019-03-13}, organization = {Cylance}, url = {https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan}, language = {English}, urldate = {2021-02-06} } @online{hasegawa:20191029:threat:180cf21, author = {Tatsuya Hasegawa}, title = {{Threat Spotlight: Neshta File Infector Endures}}, date = {2019-10-29}, organization = {Blackberry}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html}, language = {English}, urldate = {2021-02-06} } @online{hasegawa:20200413:threat:57b739e, author = {Tatsuya Hasegawa and Masaki Kasuya}, title = {{Threat Spotlight: Gootkit Banking Trojan}}, date = {2020-04-13}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan}, language = {English}, urldate = {2020-11-23} } @online{hasherezade:20150713:revisiting:391fe73, author = {hasherezade}, title = {{Revisiting The Bunitu Trojan}}, date = {2015-07-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20150819:inside:1828f15, author = {hasherezade}, title = {{Inside Neutrino botnet builder}}, date = {2015-08-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20151104:technical:abd2b27, author = {hasherezade}, title = {{A Technical Look At Dyreza}}, date = {2015-11-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20151209:inside:746ef5f, author = {hasherezade and Malwarebytes Labs}, title = {{Inside Chimera Ransomware - the first 'doxingware' in wild}}, date = {2015-12-09}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild}, language = {English}, urldate = {2023-06-12} } @online{hasherezade:20160202:dma:5d599e2, author = {hasherezade}, title = {{DMA Locker: New Ransomware, But No Reason To Panic}}, date = {2016-02-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160209:dma:1fe0c43, author = {hasherezade}, title = {{DMA Locker Strikes Back}}, date = {2016-02-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160301:look:fe35696, author = {hasherezade}, title = {{Look Into Locky Ransomware}}, date = {2016-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160311:cerber:f1fb954, author = {hasherezade}, title = {{Cerber ransomware: new, but mature}}, date = {2016-03-11}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160324:maktub:fbe0f56, author = {hasherezade}, title = {{Maktub Locker – Beautiful And Dangerous}}, date = {2016-03-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160506:7ev3n:6b6cfb1, author = {hasherezade}, title = {{7ev3n ransomware turning ‘HONE$T’}}, date = {2016-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160519:petya:25c555f, author = {hasherezade}, title = {{Petya and Mischa – Ransomware Duet (Part 1)}}, date = {2016-05-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160523:dma:352692f, author = {hasherezade}, title = {{DMA Locker 4.0: Known ransomware preparing for a massive distribution}}, date = {2016-05-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160610:petya:a9a7d37, author = {hasherezade}, title = {{Petya and Mischa: ransomware duet (part 2)}}, date = {2016-06-10}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2016/06/petya-and-mischa-ransomware-duet-p2}, language = {English}, urldate = {2023-10-09} } @online{hasherezade:20160625:rokku:be9fc6d, author = {hasherezade}, title = {{Rokku Ransomware shows possible link with Chimera}}, date = {2016-06-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/}, language = {English}, urldate = {2020-12-20} } @online{hasherezade:20161117:princess:378c704, author = {hasherezade}, title = {{Princess Locker decryptor}}, date = {2016-11-17}, organization = {hasherezade's 1001 nights}, url = {https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/}, language = {English}, urldate = {2020-01-10} } @online{hasherezade:20170614:unpacking:a820fac, author = {hasherezade}, title = {{Unpacking YoungLotus malware}}, date = {2017-06-14}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=AUGxYhE_CUY}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:20171215:unpacking:8c8d58c, author = {hasherezade}, title = {{Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')}}, date = {2017-12-15}, url = {https://www.youtube.com/watch?v=lqWJaaofNf4}, language = {English}, urldate = {2019-10-23} } @online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:20180117:coin:6f17887, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/}, language = {English}, urldate = {2022-01-24} } @online{hasherezade:201801:coin:7ef1583, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/}, language = {English}, urldate = {2019-12-04} } @online{hasherezade:20180223:avzhan:299cc86, author = {hasherezade}, title = {{Avzhan DDoS bot dropped by Chinese drive-by attack}}, date = {2018-02-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180301:blast:6bec8e3, author = {hasherezade}, title = {{Blast from the past: stowaway Virut delivered with Chinese DDoS bot}}, date = {2018-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180314:hermes:45a9a60, author = {hasherezade and Jérôme Segura and Vasilios Hioureas}, title = {{Hermes ransomware distributed to South Koreans via recent Flash zero-day}}, date = {2018-03-14}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day}, language = {English}, urldate = {2023-06-01} } @online{hasherezade:20180319:unpacking:150cdac, author = {hasherezade}, title = {{Unpacking Ursnif}}, date = {2018-03-19}, url = {https://www.youtube.com/watch?v=jlc7Ahp8Iqg}, language = {English}, urldate = {2019-12-24} } @online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20180716:magniber:60ffbb3, author = {hasherezade and Jérôme Segura}, title = {{Magniber ransomware improves, expands within Asia}}, date = {2018-07-16}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia}, language = {English}, urldate = {2023-09-12} } @online{hasherezade:20180726:hidden:76d28ed, author = {hasherezade and Jérôme Segura}, title = {{‘Hidden Bee’ miner delivered via improved drive-by download toolkit}}, date = {2018-07-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/}, language = {English}, urldate = {2019-10-21} } @online{hasherezade:20180830:reversing:21b283b, author = {hasherezade}, title = {{Reversing malware in a custom format: Hidden Bee elements}}, date = {2018-08-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/}, language = {English}, urldate = {2022-02-01} } @online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190321:unpacking:8c38703, author = {hasherezade}, title = {{Unpacking Baldr stealer}}, date = {2019-03-21}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=E2V4kB_gtcQ}, language = {English}, urldate = {2019-07-11} } @online{hasherezade:20190406:unpacking:dc6a1be, author = {hasherezade}, title = {{Unpacking ISFB (including the custom 'PX' format)}}, date = {2019-04-06}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KvOpNznu_3w}, language = {English}, urldate = {2019-11-29} } @online{hasherezade:20190531:hidden:14f8a1c, author = {hasherezade}, title = {{Hidden Bee: Let’s go down the rabbit hole}}, date = {2019-05-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20190815:hidden:d93c104, author = {hasherezade}, title = {{The Hidden Bee infection chain, part 1: the stegano pack}}, date = {2019-08-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/}, language = {English}, urldate = {2019-12-20} } @techreport{hasherezade:20200521:silent:95b5ce7, author = {hasherezade and prsecurity}, title = {{The “Silent Night” Zloader/Zbot}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf}, language = {English}, urldate = {2020-05-23} } @online{hasherezade:20200531:revisiting:cb8df95, author = {hasherezade}, title = {{Revisiting the NSIS-based crypter}}, date = {2020-05-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/}, language = {English}, urldate = {2021-06-09} } @online{hasherezade:20201130:german:72b40c6, author = {hasherezade and Jérôme Segura}, title = {{German users targeted with Gootkit banker or REvil ransomware}}, date = {2020-11-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/}, language = {English}, urldate = {2020-12-03} } @online{hasherezade:20210723:avoslocker:54f3a60, author = {hasherezade}, title = {{AvosLocker enters the ransomware scene, asks for partners}}, date = {2021-07-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/}, language = {English}, urldate = {2021-07-26} } @online{hasherezade:20230330:magniber:1005a71, author = {hasherezade}, title = {{Magniber ransomware analysis: Tiny Tracer in action}}, date = {2023-03-30}, organization = {hasherezade's 1001 nights}, url = {https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/}, language = {English}, urldate = {2023-04-28} } @online{hasherezade:20230831:from:dbe4160, author = {hasherezade}, title = {{From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats}}, date = {2023-08-31}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/}, language = {English}, urldate = {2023-09-01} } @online{hasherezade:20231214:rhadamanthys:d38e409, author = {hasherezade}, title = {{Rhadamanthys v0.5.0 – A Deep Dive into the Stealer’s Components}}, date = {2023-12-14}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/}, language = {English}, urldate = {2023-12-19} } @online{hashmi:20201109:exploitation:6556ad5, author = {Ahmed Al Hashmi and Joseph Francis and Mylene Villacorte}, title = {{The Exploitation of CVE-2020-0688 in the UAE}}, date = {2020-11-09}, organization = {Digital14}, url = {https://www.digital14.com/Microsoft-exchange-vulnerability.html}, language = {English}, urldate = {2021-02-02} } @online{hassold:20180326:silent:9ce69cd, author = {Crane Hassold}, title = {{Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment}}, date = {2018-03-26}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment}, language = {English}, urldate = {2020-01-07} } @online{hassold:20180405:silent:288fac9, author = {Crane Hassold}, title = {{Silent Librarian University Attacks Continue Unabated in Days Following Indictment}}, date = {2018-04-05}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment}, language = {English}, urldate = {2019-10-23} } @online{hassold:20210211:cosmic:593cd81, author = {Crane Hassold}, title = {{Cosmic Lynx Returns in 2021 with Updated Tricks}}, date = {2021-02-11}, organization = {AGARI}, url = {https://www.agari.com/email-security-blog/cosmic-lynx-returns-2021/}, language = {English}, urldate = {2021-02-20} } @online{hassold:20220913:back:1ceafb3, author = {Crane Hassold}, title = {{Back to School: BEC Group Targets Teachers with Payroll Diversion Attacks}}, date = {2022-09-13}, organization = {Abnormal}, url = {https://intelligence.abnormalsecurity.com/blog/bec-group-targets-teachers-payroll-diversion-attacks}, language = {English}, urldate = {2022-09-19} } @online{haughom:20180806:reversing:8b4d9cf, author = {James Haughom}, title = {{Reversing Cerber - RaaS}}, date = {2018-08-06}, organization = {rinse and REpeat analysis}, url = {https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html}, language = {English}, urldate = {2020-01-08} } @online{haughom:20200310:iqy:1844f48, author = {James Haughom}, title = {{IQY files and Paradise Ransomware}}, date = {2020-03-10}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/}, language = {English}, urldate = {2020-06-17} } @online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } @online{haughom:20201218:solarwinds:8e1f0c5, author = {James Haughom}, title = {{SolarWinds SUNBURST Backdoor: Inside the APT Campaign}}, date = {2020-12-18}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/}, language = {English}, urldate = {2020-12-19} } @online{haughom:20220329:from:5e4b8cc, author = {James Haughom and Antonis Terefos and Jim Walter and Jeff Cavanaugh and Nick Fox and Shai Tilias}, title = {{From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection}}, date = {2022-03-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/}, language = {English}, urldate = {2022-03-31} } @online{haughom:20220418:from:b73f12b, author = {James Haughom}, title = {{From the Front Lines | Peering into A PYSA Ransomware Attack}}, date = {2022-04-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/}, language = {English}, urldate = {2022-04-20} } @online{haughom:20220427:lockbit:da3d5d1, author = {James Haughom and Júlio Dantas and Jim Walter}, title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}}, date = {2022-04-27}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/}, language = {English}, urldate = {2022-04-29} } @online{haughom:20220427:lockbit:f0328ef, author = {James Haughom and Júlio Dantas and Jim Walter}, title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}}, date = {2022-04-27}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility}, language = {English}, urldate = {2022-07-25} } @online{hauri:20230310:press:2f66b1e, author = {HAURI}, title = {{[Press Release] Beware of malicious code infection impersonating a national advisory organization}}, date = {2023-03-10}, organization = {HAURI}, url = {https://www.hauri.co.kr/security/notice_view.html?intSeq=533}, language = {Korean}, urldate = {2023-03-20} } @online{hauri:20231110:detailed:2940d5f, author = {HAURI}, title = {{Detailed analysis report: Malware disguised as Putty (Lazarus APT)}}, date = {2023-11-10}, organization = {HAURI}, url = {https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=55}, language = {Korean}, urldate = {2023-11-17} } @online{hausding:20170707:94:4d1e639, author = {Michael Hausding}, title = {{94 .ch & .li domain names hijacked and used for drive-by}}, date = {2017-07-07}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/}, language = {English}, urldate = {2020-01-07} } @online{hausknecht:20200722:github:82e2b88, author = {Ryan Hausknecht}, title = {{Github Repository for PowerZure}}, date = {2020-07-22}, organization = {Github (hausec)}, url = {https://github.com/hausec/PowerZure}, language = {English}, urldate = {2020-08-18} } @techreport{haver:20220119:peoples:58d824b, author = {Zachary Haver and Roderick Lee and Morgan Clemens and Kenneth Allen and Insikt Group®}, title = {{The People's Liberation Army in the South China Sea: An Organizational Guide}}, date = {2022-01-19}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0119.pdf}, language = {English}, urldate = {2022-01-24} } @online{haver:20220316:chinas:194572d, author = {Zoe Haver and Insikt Group®}, title = {{China’s Government Is Learning From Russia’s Cyberattacks Against Ukraine}}, date = {2022-03-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinas-government-is-learning-from-russias-cyberattacks-against-ukraine/}, language = {English}, urldate = {2022-03-22} } @online{hawley:20190129:apt39:926a2a1, author = {Sarah Hawley and Ben Read and Cristiana Brafman-Kittner and Nalani Fraser and Andrew Thompson and Yuri Rozhansky and Sanaz Yashar}, title = {{APT39: An Iranian Cyber Espionage Group Focused on Personal Information}}, date = {2019-01-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html}, language = {English}, urldate = {2019-12-20} } @online{hawley:20230105:turla:f1d8f9b, author = {Sarah Hawley and Gabby Roncone and Tyler McLellan and Eduardo Mattos and John Wolfram}, title = {{Turla: A Galaxy of Opportunity}}, date = {2023-01-05}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/turla-galaxy-opportunity}, language = {English}, urldate = {2023-01-05} } @online{haxrob:20240227:gtpdoor:c989768, author = {haxrob}, title = {{GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange}}, date = {2024-02-27}, organization = {Doubleagent.net}, url = {https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR}, language = {English}, urldate = {2024-03-04} } @online{haxrob:20240228:series:0ca6461, author = {haxrob}, title = {{Tweet series regarding GTPDOOR}}, date = {2024-02-28}, organization = {Twitter (@haxrob)}, url = {https://nitter.poast.org/haxrob/status/1762821513680732222}, language = {English}, urldate = {2024-03-04} } @online{haxrob:20241013:fastcash:78a6f65, author = {haxrob}, title = {{FASTCash for Linux}}, date = {2024-10-13}, organization = {Doubleagent.net}, url = {https://doubleagent.net/fastcash-for-linux/}, language = {English}, urldate = {2024-12-09} } @online{haxrob:20250602:bpfdoor:430c3b7, author = {haxrob}, title = {{BPFDoor Part 2 - The Present}}, date = {2025-06-02}, organization = {haxrob.net}, url = {https://haxrob.net/bpfdoor-past-and-present-part-2/}, language = {English}, urldate = {2025-06-05} } @online{haxrob:20250602:bpfdoor:581fba6, author = {haxrob}, title = {{BPFDoor - Part 1 - The past}}, date = {2025-06-02}, organization = {haxrob.net}, url = {https://haxrob.net/bpfdoor-past-and-present-part-1/}, language = {English}, urldate = {2025-06-05} } @online{hay:20190405:spammed:82cb5e3, author = {Phil Hay and Rodel Mendrez}, title = {{Spammed PNG file hides LokiBot}}, date = {2019-04-05}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/}, language = {English}, urldate = {2022-08-15} } @online{hayashi:20130430:linuxcdorked:5456e0a, author = {Kaoru Hayashi and Joseph Bingham and Takayoshi Nakayama}, title = {{Linux.Cdorked}}, date = {2013-04-30}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2013-050214-5501-99}, language = {English}, urldate = {2019-12-06} } @online{hayashi:20160509:krbanker:c59923f, author = {Kaoru Hayashi and Vicky Ray}, title = {{KRBanker Targets South Korea Through Adware and Exploit Kits}}, date = {2016-05-09}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20160623:tracking:5dbdac5, author = {Kaoru Hayashi}, title = {{Tracking Elirks Variants in Japan: Similarities to Previous Attacks}}, date = {2016-06-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/}, language = {English}, urldate = {2023-08-29} } @online{hayashi:20160915:mile:302680e, author = {Kaoru Hayashi}, title = {{MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies}}, date = {2016-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } @online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:2ca3a6b, author = {Kaoru Hayashi and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:8ca9ce6, author = {Kaoru Hayashi and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2020-07-20} } @online{hayashi:20181219:analysis:41c2b03, author = {Kaoru Hayashi}, title = {{Analysis of Smoke Loader in New Tsunami Campaign}}, date = {2018-12-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/}, language = {English}, urldate = {2023-05-23} } @online{haynes:20210727:irans:b102e93, author = {Deborah Haynes}, title = {{Iran's Secret Cyber Files}}, date = {2021-07-27}, organization = {Skynews}, url = {https://news.sky.com/story/irans-secret-cyber-files-on-how-cargo-ships-and-petrol-stations-could-be-attacked-12364871}, language = {English}, urldate = {2021-07-27} } @online{hazmalware:20161227:analysis:4038ecb, author = {Hazmalware}, title = {{ANALYSIS OF AUGUST STEALER MALWARE}}, date = {2016-12-27}, url = {https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html}, language = {English}, urldate = {2019-11-22} } @online{hazum:20200709:new:5e06825, author = {Aviran Hazum and Bogdan Melnykov and Israel Wernik}, title = {{New Joker variant hits Google Play with an old trick}}, date = {2020-07-09}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/}, language = {English}, urldate = {2020-07-11} } @online{hazum:20201203:vulnerability:6459e24, author = {Aviran Hazum and Jonathan Shimonovich}, title = {{Vulnerability in Google Play Core Library Remains Unpatched in Google Play Applications}}, date = {2020-12-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/vulnerability-in-google-play-core-library-remains-unpatched-in-google-play-applications/}, language = {English}, urldate = {2020-12-08} } @online{hazum:20210112:going:c4c115d, author = {Aviran Hazum and Alex Shamshur and Raman Ladutska and Ohad Mana and Israel Wernik}, title = {{Going Rogue- a Mastermind behind Android Malware Returns with a New RAT}}, date = {2021-01-12}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/}, language = {English}, urldate = {2021-01-21} } @online{hazum:20210309:clast82:8a3878c, author = {Aviran Hazum and Bohdan Melnykov and Israel Wernik}, title = {{Clast82 – A new Dropper on Google Play Dropping the AlienBot Banker and MRAT}}, date = {2021-03-09}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/}, language = {English}, urldate = {2021-03-11} } @online{hazum:20210407:new:791d14e, author = {Aviran Hazum and Bodgan Melnykov and Israel Wenik}, title = {{New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp}}, date = {2021-04-07}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/}, language = {English}, urldate = {2021-04-09} } @techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } @techreport{hc3:20210902:demystifying:afc61dc, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Demystifying BlackMatter}}, date = {2021-09-02}, institution = {US Department of Health and Human Services}, url = {https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf}, language = {English}, urldate = {2021-11-02} } @techreport{hc3:20220106:mespinozagoldburlapcyborg:b783bdb, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Mespinoza/GoldBurlap/CYBORG SPIDER}}, date = {2022-01-06}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf}, language = {English}, urldate = {2022-05-13} } @online{he:20240119:parrot:974f584, author = {Zhanglin He and Ben Zhang and Billy Melicher and Qi Deng and Bo Qu and Brad Duncan}, title = {{Parrot TDS: A Persistent and Evolving Malware Campaign}}, date = {2024-01-19}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/}, language = {English}, urldate = {2024-01-31} } @techreport{heal:2018:complete:96388ed, author = {Quick Heal}, title = {{The Complete story of EMOTET Most prominent Malware of 2018}}, date = {2018}, institution = {Quick Heal}, url = {https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{heal:20220401:multistaged:ca03aba, author = {Quick Heal}, title = {{Multi-Staged JSOutProx RAT Target Indian Co-Operative Banks and Finance Companies}}, date = {2022-04-01}, institution = {Quick Heal}, url = {https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf}, language = {English}, urldate = {2022-04-05} } @online{healey:2011:spectrum:d61794d, author = {Jason Healey}, title = {{The Spectrum of National Responsibility for Cyberattacks}}, date = {2011}, organization = {The Brown Journal of World Affairs}, url = {https://www.jstor.org/stable/24590776?seq=1}, language = {English}, urldate = {2021-05-13} } @online{heapoverflow:20250104:solara:89fd6d0, author = {heapoverflow}, title = {{"Solara" Roblox Executor Malware}}, date = {2025-01-04}, organization = {revdiaries.com}, url = {https://revdiaries.com/post/solara-malware-analysis}, language = {English}, urldate = {2025-02-18} } @online{heasley:20240112:slipping:dd94712, author = {Cian Heasley}, title = {{Slipping The Net: Qakbot, Emotet And Defense Evasion}}, date = {2024-01-12}, organization = {YouTube (BSides Cambridge UK)}, url = {https://www.youtube.com/watch?v=cmJpRncrAp0}, language = {English}, urldate = {2024-01-30} } @online{hechler:20210208:what:f742cf1, author = {David Hechler}, title = {{What Is the Point of These Nation-State Indictments?}}, date = {2021-02-08}, organization = {Lawfare Blog}, url = {https://www.lawfareblog.com/what-point-these-nation-state-indictments}, language = {English}, urldate = {2021-02-18} } @online{hedges:20250616:amatera:aba53cd, author = {Jeremy Hedges and Tommy Madjar and Proofpoint Threat Research Team}, title = {{Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication}}, date = {2025-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication}, language = {English}, urldate = {2025-06-26} } @online{hegde:20201117:nibiru:7a0faf4, author = {Nikhil Hegde}, title = {{Nibiru ransomware variant decryptor}}, date = {2020-11-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html}, language = {English}, urldate = {2020-11-19} } @online{hegde:20220605:loading:917dd2b, author = {Niranjan Hegde}, title = {{Loading GootLoader}}, date = {2022-06-05}, organization = {Dino Hacks}, url = {https://dinohacks.blogspot.com/2022/06/loading-gootloader.html}, language = {English}, urldate = {2022-06-09} } @online{hegde:20221203:nighthawk:df5c791, author = {Nikhil Hegde}, title = {{Nighthawk DLL Payload Configuration Parser}}, date = {2022-12-03}, organization = {Github (kevoreilly)}, url = {https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/CAPE/Nighthawk.py}, language = {English}, urldate = {2022-12-12} } @online{hegde:20230113:getting:4fc0a8e, author = {Nikhil Hegde}, title = {{Getting Rusty and Stringy with Luna Ransomware}}, date = {2023-01-13}, organization = {nikhilh-20}, url = {https://nikhilh-20.github.io/blog/luna_ransomware/}, language = {English}, urldate = {2023-01-13} } @online{hegde:20230331:3cx:7fb285c, author = {Rohit Hegde and Niraj Shivtarkar and Meghraj Nandanwar}, title = {{3CX Supply Chain Attack Campaign Campaign Analysis}}, date = {2023-03-31}, organization = {Zscaler}, url = {https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023}, language = {English}, urldate = {2023-04-02} } @online{hegde:20230518:looking:24677ca, author = {Nikhil Hegde}, title = {{Looking Closer at BPF Bytecode in BPFDoor}}, date = {2023-05-18}, url = {https://nikhilh-20.github.io/blog/cbpf_bpfdoor/}, language = {English}, urldate = {2023-05-21} } @online{hegde:20240107:inc:80e0f3e, author = {Nikhil Hegde}, title = {{INC Linux Ransomware - Sandboxing with ELFEN and Analysis}}, date = {2024-01-07}, organization = {nikhilh-20}, url = {https://nikhilh-20.github.io/blog/inc_ransomware/}, language = {English}, urldate = {2024-01-08} } @online{hegde:20240115:noabot:0f0fab8, author = {Nikhil Hegde}, title = {{NoaBot Botnet - Sandboxing with ELFEN and Analysis}}, date = {2024-01-15}, organization = {nikhilh-20}, url = {https://nikhilh-20.github.io/blog/noabot_botnet/}, language = {English}, urldate = {2024-01-19} } @online{hegde:20240929:process:fb9098a, author = {Nikhil Hegde}, title = {{Process Injection in BugSleep Loader}}, date = {2024-09-29}, organization = {nikhilh-20}, url = {https://nikhilh-20.github.io/blog/inject_bugsleep/}, language = {English}, urldate = {2024-10-01} } @online{hegde:20241004:emansrepo:fada91a, author = {Nikhil Hegde}, title = {{Emansrepo Infostealer - PyInstaller, Deobfuscation and LLM}}, date = {2024-10-04}, organization = {nikhilh-20}, url = {https://nikhilh-20.github.io/blog/emansrepo_deobfuscation/}, language = {English}, urldate = {2024-11-04} } @online{hegde:20241031:deobfuscating:0040d2b, author = {Nikhil Hegde}, title = {{Deobfuscating JavaScript Malware Using Abstract Syntax Trees}}, date = {2024-10-31}, organization = {nikhilh-20}, url = {https://nikhilh-20.github.io/blog/deob_js_ast/}, language = {English}, urldate = {2024-11-04} } @online{hegel:20170711:winnti:e03c673, author = {Tom Hegel and Nate Marx}, title = {{Winnti (LEAD/APT17) Evolution - Going Open Source}}, date = {2017-07-11}, organization = {401 TRG}, url = {https://401trg.pw/winnti-evolution-going-open-source/}, language = {English}, urldate = {2019-12-18} } @online{hegel:20171016:update:9033e56, author = {Tom Hegel}, title = {{An Update on Winnti (LEAD/APT17)}}, date = {2017-10-16}, organization = {401TRG}, url = {https://401trg.pw/an-update-on-winnti/}, language = {English}, urldate = {2019-08-05} } @online{hegel:20180503:burning:2837854, author = {Tom Hegel}, title = {{Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers}}, date = {2018-05-03}, organization = {ProtectWise}, url = {https://401trg.com/burning-umbrella/}, language = {English}, urldate = {2019-10-15} } @techreport{hegel:20210113:global:72b7b9d, author = {Tom Hegel}, title = {{A Global Perspective of the SideWinder APT}}, date = {2021-01-13}, institution = {AlienVault}, url = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf}, language = {English}, urldate = {2021-01-18} } @online{hegel:20210413:carbine:c4dd5ef, author = {Tom Hegel}, title = {{Carbine Loader Cryptojacking Campaign}}, date = {2021-04-13}, organization = {lacework}, url = {https://www.lacework.com/carbine-loader-cryptojacking-campaign/}, language = {English}, urldate = {2021-04-20} } @online{hegel:20210621:threat:105ce11, author = {Tom Hegel}, title = {{Threat Hunting SSH Keys – Bash Script Feature Pivoting}}, date = {2021-06-21}, organization = {lacework}, url = {https://www.lacework.com/blog/threat-hunting-ssh-keys-bash-script-feature-pivoting/}, language = {English}, urldate = {2021-06-24} } @techreport{hegel:20220209:modified:3c039c6, author = {Tom Hegel and Juan Andrés Guerrero-Saade}, title = {{Modified Elephant APT and a Decade of Fabricating Evidence}}, date = {2022-02-09}, institution = {SentinelOne}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf}, language = {English}, urldate = {2022-02-14} } @online{hegel:20220209:modifiedelephant:b004138, author = {Tom Hegel}, title = {{ModifiedElephant APT and a Decade of Fabricating Evidence}}, date = {2022-02-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/}, language = {English}, urldate = {2022-02-14} } @online{hegel:20220324:chinese:39b373a, author = {Tom Hegel}, title = {{Chinese Threat Actor Scarab Targeting Ukraine}}, date = {2022-03-24}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine}, language = {English}, urldate = {2022-03-29} } @online{hegel:20220324:chinese:d541fb8, author = {Tom Hegel}, title = {{Chinese Threat Actor Scarab Targeting Ukraine}}, date = {2022-03-24}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/}, language = {English}, urldate = {2022-03-25} } @online{hegel:20220707:targets:174ab91, author = {Tom Hegel}, title = {{Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs}}, date = {2022-07-07}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/}, language = {English}, urldate = {2022-07-12} } @online{hegel:20220718:from:21160ee, author = {Tom Hegel}, title = {{From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts}}, date = {2022-07-18}, organization = {Fortinet}, url = {https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts}, language = {English}, urldate = {2022-07-25} } @online{hegel:20220718:from:c06bc4b, author = {Tom Hegel}, title = {{From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts}}, date = {2022-07-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/}, language = {English}, urldate = {2024-07-10} } @online{hegel:20220922:void:edb8cef, author = {Tom Hegel}, title = {{Void Balaur | The Sprawling Infrastructure of a Careless Mercenary}}, date = {2022-09-22}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/}, language = {English}, urldate = {2022-09-27} } @online{hegel:20230112:noname05716:b3cb836, author = {Tom Hegel and Aleksandar Milenkoski}, title = {{NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO}}, date = {2023-01-12}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/}, language = {English}, urldate = {2023-02-17} } @online{hegel:20230316:winter:5e43881, author = {Tom Hegel}, title = {{Winter Vivern | Uncovering a Wave of Global Espionage}}, date = {2023-03-16}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/}, language = {English}, urldate = {2023-03-20} } @online{hegel:20230504:kimsuky:6f04a16, author = {Tom Hegel}, title = {{Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign}}, date = {2023-05-04}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/}, language = {English}, urldate = {2023-05-05} } @online{hegel:20230720:jumpcloud:691c0c8, author = {Tom Hegel}, title = {{JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity}}, date = {2023-07-20}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/}, language = {English}, urldate = {2023-07-24} } @online{hegel:20230801:illicit:d18e46c, author = {Tom Hegel}, title = {{Illicit Brand Impersonation | A Threat Hunting Approach}}, date = {2023-08-01}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/}, language = {English}, urldate = {2023-08-03} } @online{hegel:20230807:comrades:d449b68, author = {Tom Hegel and Aleksandar Milenkoski}, title = {{Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company}}, date = {2023-08-07}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/}, language = {English}, urldate = {2023-08-07} } @online{hegel:20230921:cyber:9a6bb38, author = {Tom Hegel}, title = {{Cyber Soft Power | China’s Continental Takeover}}, date = {2023-09-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/}, language = {English}, urldate = {2023-09-22} } @online{hegel:20231024:israelhamas:313d369, author = {Tom Hegel and Aleksandar Milenkoski}, title = {{The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest}}, date = {2023-10-24}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/}, language = {English}, urldate = {2023-11-27} } @online{hegel:20250225:ghostwriter:a0e7925, author = {Tom Hegel}, title = {{Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition}}, date = {2025-02-25}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/}, language = {English}, urldate = {2025-02-28} } @online{hegel:20250428:top:d52820d, author = {Tom Hegel and Aleksandar Milenkoski and Jim Walter}, title = {{Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today’s Adversaries}}, date = {2025-04-28}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/}, language = {English}, urldate = {2025-05-21} } @online{hegel:20250609:follow:caac7df, author = {Tom Hegel and Aleksandar Milenkoski}, title = {{Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets}}, date = {2025-06-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/}, language = {English}, urldate = {2025-06-13} } @online{hein:20211119:im:ebe4c69, author = {Jan-Philipp Hein}, title = {{Im Rätsel um gruselige Spionage-Software führt die Spur über Wirecard in den Kreml}}, date = {2021-11-19}, organization = {FOCUS}, url = {https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html}, language = {German}, urldate = {2022-08-01} } @online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } @online{heinemeyer:20200723:resurgence:75f36ef, author = {Max Heinemeyer}, title = {{The resurgence of the Ursnif banking trojan}}, date = {2020-07-23}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/}, language = {English}, urldate = {2021-06-29} } @online{heinemeyer:20210423:apt35:24eeaad, author = {Max Heinemeyer}, title = {{APT35 ‘Charming Kitten' discovered in a pre-infected environment}}, date = {2021-04-23}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment/}, language = {English}, urldate = {2021-04-29} } @online{heinemeyer:20210720:data:ae1a230, author = {Max Heinemeyer}, title = {{Data exfiltration in Latin America}}, date = {2021-07-20}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/data-exfiltration-in-latin-america/}, language = {English}, urldate = {2021-07-26} } @online{helen:20210315:conficker:5ecef70, author = {Helen}, title = {{Conficker - One of the Most Prevalent & Complex Windows Worms}}, date = {2021-03-15}, organization = {MiniTool}, url = {https://www.minitool.com/backup-tips/conficker-worm.html}, language = {English}, urldate = {2021-04-06} } @online{helixo32:20230706:nimblackout:8095842, author = {Helixo32}, title = {{NimBlackout}}, date = {2023-07-06}, organization = {Github (Helixo32)}, url = {https://github.com/Helixo32/NimBlackout}, language = {English}, urldate = {2023-07-10} } @online{hellen:20220323:tracking:7c5d017, author = {Ian Hellen}, title = {{Tracking cyber intruders with Jupyter and Python}}, date = {2022-03-23}, organization = {PythonBytes}, url = {https://pythonbytes.fm/episodes/show/276/tracking-cyber-intruders-with-jupyter-and-python}, language = {English}, urldate = {2022-03-28} } @online{heller:20210126:nefilim:6b20ee0, author = {Michael Heller and David Anderson and Peter Mackenzie and Sergio Bestulic and Bill Kearney}, title = {{Nefilim Ransomware Attack Uses “Ghost” Credentials}}, date = {2021-01-26}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/}, language = {English}, urldate = {2021-02-18} } @online{heller:20210216:conti:9090709, author = {Michael Heller}, title = {{A Conti ransomware attack day-by-day}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/}, language = {English}, urldate = {2021-02-20} } @online{heller:20210331:sophos:43ef878, author = {Michael Heller}, title = {{Sophos MTR in Real Time: What is Astro Locker Team?}}, date = {2021-03-31}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/}, language = {English}, urldate = {2021-04-06} } @online{helling:20200516:high:cf7dadf, author = {Robert Helling}, title = {{High Performance Hackers}}, date = {2020-05-16}, organization = {atdotde}, url = {https://atdotde.blogspot.com/2020/05/high-performance-hackers.html}, language = {English}, urldate = {2020-05-18} } @online{hellscream:20220314:reversing:43075bc, author = {Ferib Hellscream}, title = {{Reversing Common Obfuscation Techniques}}, date = {2022-03-14}, organization = {ferib.dev Blog}, url = {https://ferib.dev/blog.php?l=post/Reversing_Common_Obfuscation_Techniques&t=t}, language = {English}, urldate = {2022-03-28} } @online{helme:20210614:introducing:67342bd, author = {Scott Helme}, title = {{Introducing Script Watch: Detect Magecart style attacks, fast!}}, date = {2021-06-14}, organization = {scotthelme.co.uk}, url = {https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter}, language = {English}, urldate = {2021-06-21} } @online{helming:20210513:domain:792cc58, author = {Tim Helming and John “Turbo” Conwell}, title = {{Domain Blooms: Identifying Domain Name Themes Targeted By Threat Actors}}, date = {2021-05-13}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/domain-blooms-identifying-domain-name-themes-targeted-by-threat-actors}, language = {English}, urldate = {2021-05-17} } @online{helming:20210525:indicators:bbe2bdb, author = {Tim Helming}, title = {{Indicators Over Cocktails: Exporting Indicators from Iris (UNC1151)}}, date = {2021-05-25}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/indicators-over-cocktails-exporting-indicators-from-iris}, language = {English}, urldate = {2021-06-16} } @techreport{hemenway:20200630:playing:8a25265, author = {Chad Hemenway and Josh Burgess and Chris Cwalina and Scot Lippenholz}, title = {{Playing Chess Against Nation-State and Ransomware Threat Actors}}, date = {2020-06-30}, institution = {CrowdStrike}, url = {https://f.hubspotusercontent20.net/hubfs/2558521/Final.CrowdStrike.6.30.pdf}, language = {English}, urldate = {2021-01-29} } @online{hencinski:20211126:twitter:ca58fb5, author = {Jon Hencinski}, title = {{Twitter Thread on weelky MDR recap from expel.io}}, date = {2021-11-26}, organization = {Twitter (@jhencinski)}, url = {https://twitter.com/jhencinski/status/1464268732096815105}, language = {English}, urldate = {2021-11-29} } @online{henderson:20180711:chinese:f0f3cbc, author = {Scott Henderson and Steve Miller and Dan Perez and Marcin Siedlarz and Ben Wilson and Ben Read}, title = {{Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally}}, date = {2018-07-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html}, language = {English}, urldate = {2019-12-20} } @online{henderson:20200422:vietnamese:d9dc0db, author = {Scott Henderson and Gabby Roncone and Sarah Jones and John Hultquist and Ben Read}, title = {{Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage}}, date = {2020-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html}, language = {English}, urldate = {2020-04-26} } @online{henderson:20230119:suspected:39b0731, author = {Scott Henderson and Cristiana Kittner and Sarah Hawley and Mark Lechtik}, title = {{Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)}}, date = {2023-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw}, language = {English}, urldate = {2023-01-20} } @online{henderson:20241220:jingle:d4a31fa, author = {Lewis Henderson}, title = {{Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy}}, date = {2024-12-20}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/how-virtual-offices-enable-a-facade-of-legitimacy}, language = {English}, urldate = {2025-01-02} } @online{hendi:20210610:crowdstrike:ed1b61b, author = {Farid Hendi and Liviu Arsene}, title = {{CrowdStrike Falcon Protects Customers from Recent COZY BEAR Sophisticated Phishing Campaign}}, date = {2021-06-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-recent-cozy-bear-phishing-campaign/}, language = {English}, urldate = {2021-06-24} } @online{henkel:20200818:decrypt:e395f6d, author = {Mario Henkel}, title = {{Decrypt MassLogger 2.4.0.0 configuration}}, date = {2020-08-18}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7}, language = {English}, urldate = {2020-08-18} } @online{henkel:20200903:decrypting:16cd7a9, author = {Mario Henkel}, title = {{Decrypting AgentTesla strings and config}}, date = {2020-09-03}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4}, language = {English}, urldate = {2020-09-03} } @online{henkel:20200910:decrypting:2bcb10d, author = {Mario Henkel}, title = {{Decrypting NanoCore config and dump all plugins}}, date = {2020-09-10}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52}, language = {English}, urldate = {2020-09-10} } @online{henkel:20210206:decrypting:1013bd8, author = {Mario Henkel}, title = {{Decrypting AzoRult traffic for fun and profit}}, date = {2021-02-06}, organization = {Medium mariohenkel}, url = {https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05}, language = {English}, urldate = {2021-02-06} } @online{henriksen:20210228:finding:bef72b0, author = {Michael Henriksen}, title = {{Finding Evil Go Packages}}, date = {2021-02-28}, organization = {michenriksen blog}, url = {https://michenriksen.com/blog/finding-evil-go-packages/}, language = {English}, urldate = {2021-03-18} } @online{henry:20220412:qbot:9dd8d54, author = {Joseph Henry}, title = {{Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers}}, date = {2022-04-12}, organization = {Tech Times}, url = {https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm}, language = {English}, urldate = {2022-05-04} } @online{henson:20220202:trickbot:fd4964d, author = {Kevin Henson}, title = {{TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware}}, date = {2022-02-02}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/}, language = {English}, urldate = {2022-02-04} } @online{henson:20220526:black:f789f1b, author = {Kevin Henson and Dave McMillen}, title = {{Black Basta Besting Your Network?}}, date = {2022-05-26}, organization = {IBM}, url = {https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/}, language = {English}, urldate = {2022-06-09} } @online{henson:20220901:raspberry:b5b5946, author = {Kevin Henson and Emmy Ebanks}, title = {{Raspberry Robin and Dridex: Two Birds of a Feather}}, date = {2022-09-01}, organization = {IBM}, url = {https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/}, language = {English}, urldate = {2022-09-06} } @online{hepfer:20220223:recap:48c7c69, author = {Manuel Hepfer}, title = {{Re-cap: The Untold Story of NotPetya, The Most Devastating Cyberattack in History}}, date = {2022-02-23}, organization = {ISTARI}, url = {https://istari-global.com/spotlight/the-untold-story-of-notpetya/}, language = {English}, urldate = {2022-03-01} } @online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } @online{herman:20200207:magecart:185b67b, author = {Jordan Herman}, title = {{Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign}}, date = {2020-02-07}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-group-12-olympics/}, language = {English}, urldate = {2020-02-09} } @online{herman:20200609:misconfigured:75c6908, author = {Jordan Herman}, title = {{Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code}}, date = {2020-06-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/}, language = {English}, urldate = {2020-06-10} } @online{herman:20200902:inter:93b8c50, author = {Jordan Herman}, title = {{The Inter Skimmer Kit}}, date = {2020-09-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/30f22a00}, language = {English}, urldate = {2020-09-04} } @online{herman:20201111:magecart:8137a1f, author = {Jordan Herman}, title = {{Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches}}, date = {2020-11-11}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/fda1f967}, language = {English}, urldate = {2020-11-18} } @online{herman:20201118:grelos:7b6e4d2, author = {Jordan Herman}, title = {{The Grelos Skimmer: A New Variant}}, date = {2020-11-18}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/8c4b4a7a}, language = {English}, urldate = {2020-11-23} } @online{herman:20210114:medialand:3f603bd, author = {Jordan Herman}, title = {{MediaLand: Magecart and Bulletproof Hosting}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5bea32aa}, language = {English}, urldate = {2021-01-21} } @online{herman:20210224:turkey:2d3f340, author = {Jordan Herman}, title = {{Turkey Dog: Cerberus and Anubis Banking Trojans Target Turkish Speakers}}, date = {2021-02-24}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/85b3db8c}, language = {English}, urldate = {2021-02-25} } @online{herman:20210526:mobileinter:bfb90e8, author = {Jordan Herman}, title = {{The MobileInter Skimmer: Hosted by Google, Hiding in Images}}, date = {2021-05-26}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/8109e7ab}, language = {English}, urldate = {2021-06-09} } @online{herman:20210616:bit2check:760db1e, author = {Jordan Herman}, title = {{Bit2Check: Investigating Actors in the Carding Space}}, date = {2021-06-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f1e8399e}, language = {English}, urldate = {2021-06-21} } @online{herman:20210714:bulletproof:6b4372f, author = {Jordan Herman}, title = {{Bulletproof Hosting Services: Investigating Media Land LLC, Part 2}}, date = {2021-07-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/7b83636f}, language = {English}, urldate = {2021-07-20} } @online{herman:20210825:eitest:e4c2c31, author = {Jordan Herman}, title = {{EITest: Linkages to the Ongoing Malware Delivery Campaign Referred to as "Gootloader"}}, date = {2021-08-25}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f5d5ed38}, language = {English}, urldate = {2021-08-30} } @online{herman:20211006:malware:7f7f055, author = {Jordan Herman}, title = {{Malware Distribution with Mana Tools}}, date = {2021-10-06}, organization = {zimperium}, url = {https://community.riskiq.com/article/56e28880}, language = {English}, urldate = {2021-10-11} } @online{herman:20211201:bulletproof:1ada142, author = {Jordan Herman}, title = {{Bulletproof Hosting Services: Investigating Shinjiru Technology Sdn Bhd}}, date = {2021-12-01}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/cb658730}, language = {English}, urldate = {2021-12-23} } @online{herman:20211213:riskiq:82a7631, author = {Jordan Herman}, title = {{RiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure}}, date = {2021-12-13}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/24759ad2}, language = {English}, urldate = {2022-01-18} } @online{herman:20220114:riskiq:f4f5b68, author = {Jordan Herman}, title = {{RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers}}, date = {2022-01-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2cd1c003}, language = {English}, urldate = {2022-01-18} } @online{herman:20220614:riskiq:2007c54, author = {Jordan Herman}, title = {{RiskIQ: Identifying BumbleBee Command and Control Servers}}, date = {2022-06-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0b211905/description}, language = {English}, urldate = {2023-04-06} } @online{herman:20220729:falling:12d2d82, author = {Jordan Herman}, title = {{Falling Into a Nest of Vipers or: "Why'd it have to be snakes?" (Microsoft Threat Intelligence Brief)}}, date = {2022-07-29}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f3179571}, language = {English}, urldate = {2022-09-19} } @online{hern:20170703:notpetya:ba6bc6c, author = {Alex Hern}, title = {{'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher}}, date = {2017-07-03}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik}, language = {English}, urldate = {2019-07-11} } @online{hernandez:20170622:new:a5cf2c6, author = {Erye Hernandez and Danny Tsechansky}, title = {{The New and Improved macOS Backdoor from OceanLotus}}, date = {2017-06-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/}, language = {English}, urldate = {2019-12-20} } @online{hernandez:20200529:phishers:2759c33, author = {Elmer Hernandez}, title = {{Phishers Cast a Wider Net in the African Banking Sector}}, date = {2020-05-29}, organization = {Cofense}, url = {https://cofense.com/phishers-cast-wider-net-african-banking-sector/}, language = {English}, urldate = {2020-06-02} } @online{hernandez:20210311:autohotkey:27bb61f, author = {Elmer Hernandez}, title = {{AutoHotKey Leveraged by Metamorfo/Mekotio Banking Trojan}}, date = {2021-03-11}, organization = {Cofense}, url = {https://cofense.com/blog/autohotkey-banking-trojan/}, language = {English}, urldate = {2021-03-12} } @online{hernandez:20210903:pst:a8de902, author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta}, title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}}, date = {2021-09-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html}, language = {English}, urldate = {2021-09-06} } @online{hernandez:20211111:analyzing:8107f2e, author = {Erye Hernandez and Google Threat Analysis Group}, title = {{Analyzing a watering hole campaign using macOS exploits}}, date = {2021-11-11}, organization = {Google}, url = {https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/}, language = {English}, urldate = {2021-11-17} } @online{hernandez:20220119:one:b4b3bf7, author = {Adrian Sanchez Hernandez and Paul Tarter and Ervin James Ocampo}, title = {{One Source to Rule Them All: Chasing AVADDON Ransomware}}, date = {2022-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/chasing-avaddon-ransomware}, language = {English}, urldate = {2022-01-24} } @online{hernndez:20240711:crystalray:fabcf72, author = {Miguel Hernández}, title = {{CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools}}, date = {2024-07-11}, organization = {sysdig}, url = {https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/}, language = {English}, urldate = {2024-07-22} } @techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } @online{herrald:20210421:monitoring:088de4c, author = {Dave Herrald and Mick Baccio and James Brodsky and Tamara Chacon and Shannon Davis and Kelly Huang and Ryan Kovar and Marcus LaFerrerra and Michael Natkin and John Stoner and Bill Wright}, title = {{Monitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03)}}, date = {2021-04-21}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/monitoring-pulse-connect-secure-with-splunk-cisa-emergency-directive-21-03.html}, language = {English}, urldate = {2021-04-28} } @online{herrcore:20240303:github:86e6882, author = {herrcore}, title = {{GitHub Bug Used to Infect Game Hackers With Lua Malware}}, date = {2024-03-03}, organization = {OALabs}, url = {https://research.openanalysis.net/github/lua/2024/03/03/lua-malware.html}, language = {Lua}, urldate = {2024-04-23} } @online{herwig:20190224:measurement:01d44af, author = {Stephen Herwig and Katura Harvey and George Hughey and Richard Roberts and Dave Levin}, title = {{Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet}}, date = {2019-02-24}, organization = {NDSS}, url = {https://par.nsf.gov/servlets/purl/10096257}, language = {English}, urldate = {2020-10-12} } @online{herzog:20181014:godzilla:0f2194a, author = {Ben Herzog}, title = {{Godzilla Loader and the Long Tail of Malware}}, date = {2018-10-14}, organization = {Check Point}, url = {https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/}, language = {English}, urldate = {2020-01-09} } @online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } @online{heumann:20220502:detecting:6a1c708, author = {Maurice Heumann}, title = {{Detecting Hypervisor-assisted Hooking}}, date = {2022-05-02}, organization = {Maurice's Blog}, url = {https://momo5502.com/blog/?p=255}, language = {English}, urldate = {2022-05-09} } @online{hfiref0x:20150328:uacme:f1b9f62, author = {hfiref0x}, title = {{UACME}}, date = {2015-03-28}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/UACME}, language = {English}, urldate = {2020-01-06} } @online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } @online{hfiref0x:20200120:dustman:70f16bf, author = {hfiref0x}, title = {{Dustman APT: Art of Copy-Paste}}, date = {2020-01-20}, organization = {The Vault Blog}, url = {https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html}, language = {English}, urldate = {2020-01-22} } @techreport{hhs:20220120:log4j:fb35fe9, author = {HHS}, title = {{Log4J Vulnerabilities and the Health Sector}}, date = {2022-01-20}, institution = {US Department of Health and Human Services}, url = {https://www.hhs.gov/sites/default/files/log4j-vulnerabilities-health-sector.pdf}, language = {English}, urldate = {2022-01-24} } @online{hickey:20220301:how:5c93535, author = {Wade Hickey}, title = {{How I Cracked CONTI Ransomware Group’s Leaked Source Code ZIP File}}, date = {2022-03-01}, organization = {Medium whickey000}, url = {https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8}, language = {English}, urldate = {2022-03-02} } @online{hickman:20210618:conti:9b8903f, author = {Richard Hickman}, title = {{Conti Ransomware Gang: An Overview}}, date = {2021-06-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/conti-ransomware-gang/}, language = {English}, urldate = {2021-07-02} } @online{hicks:20240705:clearfake:cec1c97, author = {Ryan Hicks}, title = {{CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code}}, date = {2024-07-05}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code}, language = {English}, urldate = {2024-08-15} } @online{hicret:20210610:lokibot:f9a874a, author = {Taha HİCRET and Sinan BAYKAN and Harun YAKUT and Bilal BAKARTEPE}, title = {{LokiBot Technical Analysis Report}}, date = {2021-06-10}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view}, language = {English}, urldate = {2021-06-16} } @online{higgins:20151013:prolific:0b6089c, author = {Kelly Jackson Higgins}, title = {{Prolific Cybercrime Gang Favors Legit Login Credentials}}, date = {2015-10-13}, organization = {DARKReading}, url = {https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?}, language = {English}, urldate = {2020-01-10} } @online{higgins:20160209:chinese:1d80f84, author = {Kelly Jackson Higgins}, title = {{Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact}}, date = {2016-02-09}, organization = {DARKReading}, url = {http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242}, language = {English}, urldate = {2020-01-09} } @online{higgins:20190924:iranian:4966d90, author = {Kelly Jackson Higgins}, title = {{Iranian Government Hackers Target US Veterans}}, date = {2019-09-24}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897}, language = {English}, urldate = {2020-03-22} } @online{hild:20210702:ransomware:5ab9422, author = {Niels den Hild}, title = {{Ransomware attack}}, date = {2021-07-02}, organization = {Velzart}, url = {https://velzart.nl/blog/ransomeware/}, language = {Dutch}, urldate = {2021-07-26} } @online{hildaboo:20230414:shatteredglass:7c208e1, author = {Hildaboo}, title = {{SHATTEREDGLASS Server Emulator}}, date = {2023-04-14}, organization = {Github (Hildaboo)}, url = {https://github.com/Hildaboo/Unidentified081Server}, language = {English}, urldate = {2024-08-01} } @online{hildebrandt:20220413:incontroller:0f05d07, author = {Corey Hildebrandt and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Muhammad Umair and Nathan Brubaker and Rob Caldwell}, title = {{INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems}}, date = {2022-04-13}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool}, language = {English}, urldate = {2025-04-10} } @online{hill:20211019:good:77ceb68, author = {Jason Hill}, title = {{Good for Evil: DeepBlueMagic Ransomware Group Abuses Legit Encryption Tools}}, date = {2021-10-19}, organization = {Varonis}, url = {https://www.varonis.com/blog/deepbluemagic-ransomware}, language = {English}, urldate = {2022-07-05} } @online{hill:20220126:alphv:dd754b8, author = {Jason Hill}, title = {{ALPHV (BlackCat) Ransomware}}, date = {2022-01-26}, organization = {Varonis}, url = {https://www.varonis.com/blog/alphv-blackcat-ransomware}, language = {English}, urldate = {2022-01-31} } @online{hill:20250313:work:75703d2, author = {Jason Hill}, title = {{Work Hard, Pay Harder!}}, date = {2025-03-13}, organization = {Infoblox}, url = {https://blogs.infoblox.com/threat-intelligence/work-hard-pay-harder/}, language = {English}, urldate = {2025-03-14} } @online{hilt:20160914:bksod:f75ef88, author = {Stephen Hilt and William Gamazo Sanchez}, title = {{BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs}}, date = {2016-09-14}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/}, language = {English}, urldate = {2020-01-09} } @online{hilt:20170824:malicious:7a258f4, author = {Stephen Hilt and Lord Alfred Remorin}, title = {{Malicious Chrome Extensions Stealing Roblox In-Game Currency, Sending Cookies via Discord}}, date = {2017-08-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/}, language = {English}, urldate = {2019-12-16} } @online{hilt:20210119:vpnfilter:7d2a08a, author = {Stephen Hilt and Fernando Mercês}, title = {{VPNFilter Two Years Later: Routers Still Compromised}}, date = {2021-01-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html}, language = {English}, urldate = {2021-01-21} } @techreport{hilt:20220120:backing:9498542, author = {Stephen Hilt and Fernando Mercês}, title = {{Backing Your Backup Defending NAS Devices Against Evolving Threats}}, date = {2022-01-20}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf}, language = {English}, urldate = {2022-01-24} } @online{hinchliffe:20170831:updated:fd02a16, author = {Alex Hinchliffe and Jen Miller-Osborn}, title = {{Updated KHRAT Malware Used in Cambodia Attacks}}, date = {2017-08-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hinchliffe:20180313:henbox:4d61efe, author = {Alex Hinchliffe and Mike Harbison and Jen Miller-Osborn and Tom Lancaster}, title = {{HenBox: The Chickens Come Home to Roost}}, date = {2018-03-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/}, language = {English}, urldate = {2020-01-09} } @online{hinchliffe:20190226:farseer:62554e3, author = {Alex Hinchliffe and Mike Harbison}, title = {{Farseer: Previously Unknown Malware Family bolsters the Chinese armoury}}, date = {2019-02-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/}, language = {English}, urldate = {2020-01-08} } @online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } @online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } @online{hinchliffe:20200511:updated:02c3515, author = {Alex Hinchliffe and Robert Falcone}, title = {{Updated BackConfig Malware Targeting Government and Military Organizations in South Asia}}, date = {2020-05-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/}, language = {English}, urldate = {2022-03-16} } @online{hinchliffe:20200730:threat:e1b5ad9, author = {Alex Hinchliffe and Doel Santos and Adrian McCabe and Robert Falcone}, title = {{Threat Assessment: WastedLocker Ransomware}}, date = {2020-07-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wastedlocker/}, language = {English}, urldate = {2021-06-09} } @techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } @online{hirani:20190109:global:a8835bb, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-09}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale}, language = {English}, urldate = {2023-08-11} } @online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} } @online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } @online{hiroaki:20210824:earth:709abd7, author = {Hara Hiroaki and Ted Lee}, title = {{Earth Baku Returns}}, date = {2021-08-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns}, language = {English}, urldate = {2024-09-02} } @techreport{hiroaki:20210825:earth:776384f, author = {Hara Hiroaki and Ted Lee}, title = {{Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}}, date = {2021-08-25}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf}, language = {English}, urldate = {2024-09-02} } @techreport{hiroaki:20220125:ambiguously:a846748, author = {Hara Hiroaki}, title = {{Ambiguously Black: The Current State of Earth Hundun's Arsenal}}, date = {2022-01-25}, institution = {Trend Micro}, url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf}, language = {English}, urldate = {2022-04-04} } @online{hiroaki:20221109:hack:131479e, author = {Hara Hiroaki and Ted Lee}, title = {{Hack the Real Box: APT41’s New Subgroup Earth Longzhi}}, date = {2022-11-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html}, language = {English}, urldate = {2023-12-04} } @online{hiroaki:20230216:invitation:19ecea0, author = {Hara Hiroaki and Yuka Higashi and Masaoki Shoji}, title = {{Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns}}, date = {2023-02-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html}, language = {English}, urldate = {2023-02-17} } @techreport{hiroaki:20240126:spot:f9d8998, author = {Hara Hiroaki and Masaoki Shoji and Yuka Higashi and Vickie Su and Nick Dai}, title = {{Spot the Difference: An Analysis of the New LODEINFO Campaign by Earth Kasha}}, date = {2024-01-26}, institution = {Trendmicro}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf}, language = {English}, urldate = {2024-07-24} } @online{hiroaki:20241126:guess:ad31561, author = {Hara Hiroaki}, title = {{Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024}}, date = {2024-11-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html}, language = {English}, urldate = {2025-02-19} } @online{hivemind:20230908:carderbee:f42e2a4, author = {The Hivemind}, title = {{Carderbee Targets Hong Kong in Supply Chain Attack}}, date = {2023-09-08}, organization = {PolySwarm Tech Team}, url = {https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack}, language = {English}, urldate = {2023-12-04} } @online{hivemind:20250623:famous:50a220d, author = {The Hivemind}, title = {{Famous Chollima’s PylangGhost}}, date = {2025-06-23}, organization = {PolySwarm Tech Team}, url = {https://blog.polyswarm.io/famous-chollimas-pylangghost}, language = {English}, urldate = {2025-06-25} } @online{hiyoshi:20220511:operation:b5a845d, author = {Ryu Hiyoshi}, title = {{Operation RestyLink: Targeted attack campaign targeting Japanese companies}}, date = {2022-05-11}, organization = {NTT}, url = {https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink}, language = {Japanese}, urldate = {2022-05-11} } @online{hiyoshi:20230208:steelclover:0f3b85a, author = {Ryu Hiyoshi}, title = {{SteelClover Attacks Distributing Malware Via Google Ads Increased}}, date = {2023-02-08}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle}, language = {English}, urldate = {2023-02-13} } @online{hjelmvik:20141027:full:83d84ee, author = {Erik Hjelmvik}, title = {{Full Disclosure of Havex Trojans}}, date = {2014-10-27}, organization = {Netresec}, url = {http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans}, language = {English}, urldate = {2019-11-29} } @online{hjelmvik:20201217:reassembling:2a2f222, author = {Erik Hjelmvik}, title = {{Reassembling Victim Domain Fragments from SUNBURST DNS}}, date = {2020-12-17}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS}, language = {English}, urldate = {2020-12-18} } @online{hjelmvik:20201229:extracting:1640842, author = {Erik Hjelmvik}, title = {{Extracting Security Products from SUNBURST DNS Beacons}}, date = {2020-12-29}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons}, language = {English}, urldate = {2021-01-04} } @online{hjelmvik:20210104:finding:d869bd9, author = {Erik Hjelmvik}, title = {{Finding Targeted SUNBURST Victims with pDNS}}, date = {2021-01-04}, organization = {Netresec}, url = {https://netresec.com/?b=2113a6a}, language = {English}, urldate = {2021-01-05} } @online{hjelmvik:20210111:robust:5683220, author = {Erik Hjelmvik}, title = {{Robust Indicators of Compromise for SUNBURST}}, date = {2021-01-11}, organization = {Netresec}, url = {https://netresec.com/?b=211f30f}, language = {English}, urldate = {2021-01-21} } @online{hjelmvik:20210125:twentythree:d3fad49, author = {Erik Hjelmvik}, title = {{Twenty-three SUNBURST Targets Identified}}, date = {2021-01-25}, organization = {Netresec}, url = {https://netresec.com/?b=211cd21}, language = {English}, urldate = {2021-01-25} } @online{hjelmvik:20210217:targeting:6deceed, author = {Erik Hjelmvik}, title = {{Targeting Process for the SolarWinds Backdoor}}, date = {2021-02-17}, organization = {Netresec}, url = {https://netresec.com/?b=212a6ad}, language = {English}, urldate = {2021-02-18} } @online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } @online{hjelmvik:20220425:industroyer2:ed9e211, author = {Erik Hjelmvik}, title = {{Industroyer2 IEC-104 Analysis}}, date = {2022-04-25}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis}, language = {English}, urldate = {2022-04-29} } @online{hjelmvik:20220509:emotet:ce90938, author = {Erik Hjelmvik}, title = {{Emotet C2 and Spam Traffic Video}}, date = {2022-05-09}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video}, language = {English}, urldate = {2022-05-09} } @online{hjelmvik:20221012:icedid:ac8a79c, author = {Erik Hjelmvik}, title = {{IcedID BackConnect Protocol}}, date = {2022-10-12}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol}, language = {English}, urldate = {2023-02-16} } @online{hjelmvik:20230215:how:db64f7c, author = {Erik Hjelmvik}, title = {{How to Identify IcedID Network Traffic}}, date = {2023-02-15}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic}, language = {English}, urldate = {2023-02-16} } @online{hjelmvik:20230302:qakbot:978553c, author = {Erik Hjelmvik}, title = {{QakBot C2 Traffic}}, date = {2023-03-02}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic}, language = {English}, urldate = {2023-03-04} } @online{hjelmvik:20230426:evilextractor:d01c18d, author = {Erik Hjelmvik}, title = {{EvilExtractor Network Forensics}}, date = {2023-04-26}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2023-04&post=EvilExtractor-Network-Forensics}, language = {English}, urldate = {2023-04-26} } @online{hjelmvik:20231012:forensic:ea2e803, author = {Erik Hjelmvik}, title = {{Forensic Timeline of an IcedID Infection}}, date = {2023-10-12}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection}, language = {English}, urldate = {2023-10-13} } @online{hjelmvik:20240104:hunting:35d001f, author = {Erik Hjelmvik}, title = {{Hunting for Cobalt Strike in PCAP}}, date = {2024-01-04}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2024-01&post=Hunting-for-Cobalt-Strike-in-PCAP}, language = {English}, urldate = {2024-01-04} } @online{hjelmvik:20250428:decoding:c88cd60, author = {Erik Hjelmvik}, title = {{Decoding njRAT traffic with NetworkMiner}}, date = {2025-04-28}, organization = {Netresec}, url = {https://netresec.com/?b=2541a39}, language = {English}, urldate = {2025-04-28} } @online{hjelmvik:20250609:detecting:a80766d, author = {Erik Hjelmvik}, title = {{Detecting PureLogs traffic with CapLoader}}, date = {2025-06-09}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2025-06&post=Detecting-PureLogs-traffic-with-CapLoader}, language = {English}, urldate = {2025-06-11} } @online{hjelmvik:20250702:purelogs:4d1b604, author = {Erik Hjelmvik}, title = {{PureLogs Forensics}}, date = {2025-07-02}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2025-07&post=PureLogs-Forensics}, language = {English}, urldate = {2025-07-07} } @online{hk:20191223:darkrat:953f204, author = {Fred HK}, title = {{DarkRat - Hacking a malware control panel}}, date = {2019-12-23}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/darkrat-hacking-a-malware-control-panel}, language = {English}, urldate = {2022-04-15} } @online{hk:20200222:nexus:9be70b1, author = {Fred HK}, title = {{Nexus - Just another stealer}}, date = {2020-02-22}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/nexus-just-another-stealer}, language = {English}, urldate = {2022-04-15} } @online{hk:20200429:gazorp:3aef446, author = {Fred HK}, title = {{Gazorp - Thieving from thieves}}, date = {2020-04-29}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/gazorp-thieving-from-thieves}, language = {English}, urldate = {2020-05-06} } @online{hk:20200810:diamondfox:d2a194b, author = {Fred HK}, title = {{DiamondFox - Bank Robbers will be replaced}}, date = {2020-08-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced}, language = {English}, urldate = {2020-08-12} } @online{hk:20210330:campo:bf657d8, author = {Fred HK}, title = {{Campo Loader - Simple but effective}}, date = {2021-03-30}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/campo-loader-simple-but-effective}, language = {English}, urldate = {2021-04-09} } @online{hk:20220316:cryptbot:9903e3f, author = {Fred HK}, title = {{CryptBot - Too good to be true}}, date = {2022-03-16}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/cryptbot-too-good-to-be-true}, language = {English}, urldate = {2022-04-15} } @online{hk:20220802:paradies:732370a, author = {Fred HK and Guided Hacking}, title = {{Paradies Clipper - Crypto Jacker Malware Analysis}}, date = {2022-08-02}, organization = {Youtube (Guided Hacking)}, url = {https://www.youtube.com/watch?v=wjoH9jW2EPQ}, language = {English}, urldate = {2022-08-15} } @online{hladik:20200730:obscured:41a50f3, author = {Joseph Hladik and Josh Fleischer}, title = {{Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates}}, date = {2020-07-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-365-attacks-and-how-managed-defense-investigates.html}, language = {English}, urldate = {2020-08-05} } @online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } @online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = {2021-01-01} } @online{hmkang92:20200409:malware:ba76407, author = {hmkang92}, title = {{Malware analysis (Emergency inquiry for Coronavirus response in Jeollanam-do.hwp)}}, date = {2020-04-09}, organization = {suspected.tistory.com}, url = {https://suspected.tistory.com/269}, language = {Korean}, urldate = {2021-04-06} } @online{ho:20210222:masslogger:632f622, author = {Anh ho}, title = {{MassLogger v3: a .NET stealer with serious obfuscation}}, date = {2021-02-22}, organization = {Avast Decoded}, url = {https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/}, language = {English}, urldate = {2021-02-25} } @online{ho:20210920:blustealer:9beaf4b, author = {Anh ho}, title = {{BluStealer: from SpyEx to ThunderFox}}, date = {2021-09-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/anhho/blustealer/}, language = {English}, urldate = {2021-09-22} } @online{ho:20220125:chasing:f22d873, author = {Anh ho and Igor Morgenstern}, title = {{Chasing Chaes Kill Chain}}, date = {2022-01-25}, organization = {Avast}, url = {https://decoded.avast.io/anhho/chasing-chaes-kill-chain/}, language = {English}, urldate = {2022-01-28} } @online{ho:20240307:evasive:0c5058d, author = {Anh ho and Facundo Muñoz}, title = {{Evasive Panda leverages Monlam Festival to target Tibetans}}, date = {2024-03-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/}, language = {English}, urldate = {2024-10-01} } @online{ho:20241028:cloudscout:66abb03, author = {Anh ho}, title = {{CloudScout: Evasive Panda scouting cloud services}}, date = {2024-10-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/}, language = {English}, urldate = {2024-10-29} } @online{hoangnch:20220409:method:a04f679, author = {HoangNCH}, title = {{Method of analyzing and unpacking compressed PE (Portable Executable) files}}, date = {2022-04-09}, organization = {HackMD.io (@antoinenguyen09)}, url = {https://hackmd.io/@antoinenguyen09/Hy0a2mb0t}, language = {Vietnamese}, urldate = {2022-04-29} } @online{hobbs:20210216:hacker:a06d324, author = {Tawnell D. Hobbs and Sara Randazzo}, title = {{Hacker Claims to Have Stolen Files Belonging to Prominent Law Firm Jones Day}}, date = {2021-02-16}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532}, language = {English}, urldate = {2021-02-20} } @online{hoej:20130619:your:e6cab54, author = {Jaromír Hořejší}, title = {{Your Facebook connection is now secured! Thank you for your support!}}, date = {2013-06-19}, organization = {Avast}, url = {https://blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured/}, language = {English}, urldate = {2023-05-17} } @online{hoej:20161226:alphabet:3e422a6, author = {Jaromír Hořejší}, title = {{Tweet on Alphabet Ransomware}}, date = {2016-12-26}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813714602466877440}, language = {English}, urldate = {2019-10-15} } @online{hoej:20161227:adamlocker:9266526, author = {Jaromír Hořejší}, title = {{Tweet on AdamLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813712587997249536}, language = {English}, urldate = {2020-01-10} } @online{hoej:20161227:shelllocker:e32df2e, author = {Jaromír Hořejší}, title = {{Tweet on ShellLocker}}, date = {2016-12-27}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813726714228604928}, language = {English}, urldate = {2019-12-10} } @online{hoej:20161227:venuslocker:0a9196a, author = {Jaromír Hořejší}, title = {{Tweet on VenusLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813690129088937984}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170102:new:adaeda4, author = {Jaromír Hořejší}, title = {{Tweet on new ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815949909648150528}, language = {English}, urldate = {2019-12-04} } @online{hoej:20170102:ransomware:d94c3dd, author = {Jaromír Hořejší}, title = {{Tweet on Ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815861135882780673}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170103:red:ed15894, author = {Jaromír Hořejší}, title = {{Tweet on Red Alert}}, date = {2017-01-03}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/816237293073797121}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170106:cockblocker:90b91b4, author = {Jaromír Hořejší}, title = {{Tweet on Cockblocker Ransomware}}, date = {2017-01-06}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/817311664391524352}, language = {English}, urldate = {2020-01-08} } @online{hoej:20170109:virustotal:0db44ac, author = {Jaromír Hořejší}, title = {{Tweet on Virustotal Sample}}, date = {2017-01-09}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/818369717371027456}, language = {English}, urldate = {2020-01-05} } @online{hoej:20170413:deeper:8749414, author = {Jaromír Hořejší}, title = {{A deeper look into malware abusing TeamViewer}}, date = {2017-04-13}, organization = {Avast}, url = {https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer}, language = {English}, urldate = {2021-03-16} } @online{hoej:20170622:filecoder:ac5445f, author = {Jaromír Hořejší}, title = {{Tweet on Filecoder}}, date = {2017-06-22}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/877811773826641920}, language = {English}, urldate = {2020-01-13} } @online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } @online{hoej:20180312:campaign:00eb661, author = {Jaromír Hořejší}, title = {{Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia}}, date = {2018-03-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180314:tropic:352cf22, author = {Jaromír Hořejší and Joey Chen and Joseph C. Chen}, title = {{Tropic Trooper’s New Strategy}}, date = {2018-03-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/}, language = {English}, urldate = {2020-01-09} } @online{hoej:20180404:new:16fe860, author = {Jaromír Hořejší}, title = {{New MacOS Backdoor Linked to OceanLotus Found}}, date = {2018-04-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180821:operation:0383469, author = {Jaromír Hořejší and Joseph C Chen and Kawabata Kohei and Kenney Lu}, title = {{Operation Red Signature Targets South Korean Companies}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html}, language = {English}, urldate = {2024-02-08} } @online{hoej:20180821:supply:d426e6b, author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu}, title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/}, language = {English}, urldate = {2020-01-06} } @online{hoej:20190904:glupteba:230e916, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions}}, date = {2019-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/}, language = {English}, urldate = {2020-01-10} } @techreport{hoej:20191001:new:4a49a90, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf}, language = {English}, urldate = {2019-12-18} } @online{hoej:20191001:new:feb95a9, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/}, language = {English}, urldate = {2019-10-15} } @techreport{hoej:20200311:operation:782b803, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf}, language = {English}, urldate = {2020-03-11} } @online{hoej:20200311:operation:f03d64e, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan}}, date = {2020-03-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/}, language = {English}, urldate = {2020-03-11} } @techreport{hoej:20201003:earth:688aaf8, author = {Jaromír Hořejší and Daniel Lunghi and Cedric Pernet and Kazuki Fujisawa}, title = {{Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure}}, date = {2020-10-03}, institution = {Trend Micro}, url = {https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf}, language = {English}, urldate = {2020-10-06} } @online{hoej:20201124:analysis:9e93ede, author = {Jaromír Hořejší and David Fiser}, title = {{Analysis of Kinsing Malware's Use of Rootkit}}, date = {2020-11-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html}, language = {English}, urldate = {2020-11-25} } @techreport{hoej:20210428:water:479b0ec, author = {Jaromír Hořejší and Joseph C Chen}, title = {{Water Pamola Attacked Online Shops Via Malicious Orders (APPENDIX)}}, date = {2021-04-28}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf}, language = {English}, urldate = {2021-05-08} } @online{hoej:20210428:water:f769ce2, author = {Jaromír Hořejší and Joseph C Chen}, title = {{Water Pamola Attacked Online Shops Via Malicious Orders}}, date = {2021-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html}, language = {English}, urldate = {2021-05-04} } @online{hoej:20210809:cinobi:8d229dc, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising}}, date = {2021-08-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html}, language = {English}, urldate = {2021-08-09} } @online{hoej:20210913:aptc36:6493c40, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2023-12-04} } @online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } @online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } @online{hoej:20211129:campaign:6e23cf5, author = {Jaromír Hořejší}, title = {{Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites}}, date = {2021-11-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html}, language = {English}, urldate = {2021-12-07} } @online{hoej:20220308:new:7d4d70f, author = {Jaromír Hořejší and Cedric Pernet}, title = {{New RURansom Wiper Targets Russia}}, date = {2022-03-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html}, language = {English}, urldate = {2022-03-10} } @online{hoej:20220811:copperstealer:9382550, author = {Jaromír Hořejší and Joseph C Chen}, title = {{CopperStealer Distributes Malicious Chromium-based Browser Extension to Steal Cryptocurrencies}}, date = {2022-08-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html}, language = {English}, urldate = {2022-08-15} } @online{hoej:20230329:new:705592f, author = {Jaromír Hořejší and Joseph C Chen}, title = {{New OpcJacker Malware Distributed via Fake VPN Malvertising}}, date = {2023-03-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html}, language = {English}, urldate = {2023-04-25} } @online{hoej:20230515:water:b49c18f, author = {Jaromír Hořejší and Joseph C Chen}, title = {{Water Orthrus's New Campaigns Deliver Rootkit and Phishing Modules}}, date = {2023-05-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html}, language = {English}, urldate = {2024-12-11} } @online{hoej:20241016:fake:c127b55, author = {Jaromír Hořejší and Nitesh Surana}, title = {{Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data}}, date = {2024-10-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html}, language = {English}, urldate = {2024-10-18} } @online{hoej:20250618:fake:45eabeb, author = {Jaromír Hořejší and Antonis Terefos}, title = {{Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data}}, date = {2025-06-18}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2025/minecraft-mod-malware-stargazers/}, language = {English}, urldate = {2025-06-20} } @online{hoffman:20141125:curious:57f7b6a, author = {Nick Hoffman}, title = {{Curious Korlia}}, date = {2014-11-25}, organization = {Adventures in Security}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20141126:getmypass:5028f5e, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware}}, date = {2014-11-26}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-26-getmypass-point-of-sale-malware.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20141201:lusypos:3df4156, author = {Nick Hoffman}, title = {{LusyPOS and Tor}}, date = {2014-12-01}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html}, language = {English}, urldate = {2019-08-07} } @online{hoffman:20150108:getmypass:1fa4beb, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware Update}}, date = {2015-01-08}, organization = {SecurityKitten Blog}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20150111:mozart:025c466, author = {Nick Hoffman}, title = {{The Mozart RAM Scraper}}, date = {2015-01-11}, organization = {Security Kitten Blog}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-11-the-mozart-ram-scraper.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20150714:bernhardpos:c1e10e7, author = {Nick Hoffman}, title = {{BernhardPOS}}, date = {2015-07-14}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-07-14-bernhardpos.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20151116:introducing:eed78d1, author = {Nick Hoffman}, title = {{Introducing LogPOS}}, date = {2015-11-16}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20161115:scanpos:4f3423a, author = {Nick Hoffman}, title = {{ScanPOS, new POS malware being distributed by Kronos}}, date = {2016-11-15}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20161128:klrd:dc173ab, author = {Nick Hoffman}, title = {{The KLRD Keylogger}}, date = {2016-11-28}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20161214:mikey:300fbdb, author = {Nick Hoffman}, title = {{MiKey - A Linux keylogger}}, date = {2016-12-14}, organization = {Adventures in Security}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md}, language = {English}, urldate = {2022-09-19} } @techreport{hoffman:20170215:deep:37a8ef5, author = {Nick Hoffman and Jeremy Humble}, title = {{Deep Dive on the DragonOK Rambo Backdoor}}, date = {2017-02-15}, institution = {Morphick}, url = {https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf}, language = {English}, urldate = {2020-04-08} } @online{hoffman:20170215:rambo:fef31fe, author = {Nick Hoffman}, title = {{The Rambo Backdoor}}, date = {2017-02-15}, organization = {Adventures in Security}, url = {https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md}, language = {English}, urldate = {2022-09-19} } @online{hoffman:20210511:recommendations:d69cee0, author = {Mike Hoffman and Tom Winston}, title = {{Recommendations Following the Colonial Pipeline Cyber Attack}}, date = {2021-05-11}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/}, language = {English}, urldate = {2021-05-13} } @online{hoffman:20230726:incident:4731c33, author = {Nicole Hoffman}, title = {{Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical}}, date = {2023-07-26}, organization = {Talos}, url = {https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/}, language = {English}, urldate = {2023-08-03} } @online{hofman:20210422:turning:5a7be75, author = {Omer Hofman}, title = {{Turning Telegram toxic: ‘ToxicEye’ RAT is the latest to use Telegram for command & control}}, date = {2021-04-22}, organization = {Check Point}, url = {https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/}, language = {English}, urldate = {2021-04-28} } @online{hogan:20220212:how:6c29dca, author = {James Hogan}, title = {{How RAT Malware Is Using Telegram to Evade Detection}}, date = {2022-02-12}, organization = {Bollyinside}, url = {https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/}, language = {English}, urldate = {2022-02-14} } @online{hoganburney:20210719:fighting:ab1687b, author = {Amy Hogan-Burney and Microsoft Digital Crimes Unit}, title = {{Fighting an emerging cybercrime trend}}, date = {2021-07-19}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2021/07/19/cybercrime-homoglyphs-dcu-court-order/}, language = {English}, urldate = {2021-07-26} } @online{hoganburney:20220413:notorious:30afb78, author = {Amy Hogan-Burney}, title = {{Notorious cybercrime gang’s botnet disrupted}}, date = {2022-04-13}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/}, language = {English}, urldate = {2022-04-15} } @online{hoganburney:20231213:disrupting:5483d0a, author = {Amy Hogan-Burney}, title = {{Disrupting the gateway services to cybercrime}}, date = {2023-12-13}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/}, language = {English}, urldate = {2024-02-08} } @techreport{holban:201805:mtrends:b30aba2, author = {Anca Holban}, title = {{M-Trends May 2018: From the field}}, date = {2018-05}, institution = {FireEye}, url = {https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf}, language = {English}, urldate = {2020-01-06} } @online{holdings:20220511:analysis:646c94e, author = {NTT Security Holdings}, title = {{Analysis of an Iranian APTs “E400” PowGoop Variant Reveals Dozens of Control Servers Dating Back to 2020}}, date = {2022-05-11}, organization = {NTT Security Holdings}, url = {https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant}, language = {English}, urldate = {2022-05-25} } @online{holdings:20241224:contagious:f66cdda, author = {NTT Security Holdings}, title = {{Contagious Interview Uses New Malware Otter Cookie}}, date = {2024-12-24}, organization = {NTT Security Holdings}, url = {https://jp.security.ntt/tech_blog/contagious-interview-ottercookie}, language = {Japanese}, urldate = {2025-01-02} } @online{holland:20190719:analysis:06a9a1c, author = {Alex Holland}, title = {{An Analysis of L0rdix RAT, Panel and Builder}}, date = {2019-07-19}, organization = {HP}, url = {https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190801:decrypting:3885751, author = {Alex Holland}, title = {{Decrypting L0rdix RAT’s C2}}, date = {2019-08-01}, organization = {Bromium}, url = {https://www.bromium.com/decrypting-l0rdix-rats-c2/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190903:deobfuscating:22e33f3, author = {Alex Holland}, title = {{Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader}}, date = {2019-09-03}, organization = {Bromium}, url = {https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/}, language = {English}, urldate = {2020-01-06} } @online{holland:20190905:l0rdix:2472b65, author = {Alex Holland}, title = {{l0rdix C2 traffic decryptor}}, date = {2019-09-05}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py}, language = {English}, urldate = {2020-01-13} } @online{holland:20190912:ostap:9374bd2, author = {Alex Holland}, title = {{Ostap Deobfuscation script}}, date = {2019-09-12}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py}, language = {English}, urldate = {2020-01-06} } @online{holland:20200621:investigating:1dc98a0, author = {Alex Holland}, title = {{Investigating Threats in HP Sure Controller 4.2: TVRAT}}, date = {2020-06-21}, organization = {Bromium}, url = {https://threatresearch.ext.hp.com/investigating-threats-in-hp-sure-controller-4-2/}, language = {English}, urldate = {2020-07-11} } @online{holland:20201008:droppers:b8a580e, author = {Alex Holland}, title = {{Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks}}, date = {2020-10-08}, organization = {Bromium}, url = {https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/}, language = {English}, urldate = {2020-10-29} } @online{holland:20201127:aggah:7dd38ba, author = {Alex Holland}, title = {{Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer}}, date = {2020-11-27}, organization = {HP}, url = {https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/}, language = {English}, urldate = {2020-11-27} } @online{holland:20231121:tracking:02f967b, author = {Aidan Holland}, title = {{Tracking Vidar Infrastructure with Censys}}, date = {2023-11-21}, organization = {Censys}, url = {https://censys.com/tracking-vidar-infrastructure/}, language = {English}, urldate = {2023-12-04} } @online{holland:20250204:unpacking:fef3e57, author = {Aidan Holland}, title = {{Unpacking the BADBOX Botnet with Censys}}, date = {2025-02-04}, organization = {Censys}, url = {https://censys.com/unpacking-the-badbox-botnet/}, language = {English}, urldate = {2025-02-10} } @online{holt:20220321:sandworm:0e54095, author = {Rene Holt}, title = {{Sandworm: A tale of disruption told anew}}, date = {2022-03-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/}, language = {English}, urldate = {2022-03-25} } @online{holt:20220616:how:d3225fc, author = {Rene Holt}, title = {{How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security}}, date = {2022-06-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/}, language = {English}, urldate = {2022-06-17} } @online{holub:20211019:strrat:4522f11, author = {Artsiom Holub}, title = {{STRRAT, ZLoader, and HoneyGain}}, date = {2021-10-19}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain}, language = {English}, urldate = {2021-10-26} } @online{holzner:20250415:cybersoc:7a79ee7, author = {Friedl Holzner and André Henschel}, title = {{CyberSOC Insights: Analysis of a Black Basta Attack Campaign}}, date = {2025-04-15}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/de/blog/threat/cybersoc-insights-analyse-einer-black-basta-angriffskampagne}, language = {German}, urldate = {2025-04-25} } @techreport{honeywell:202006:usb:0b58405, author = {Honeywell}, title = {{USB Security-Myths vs. Reality}}, date = {2020-06}, institution = {}, url = {http://honeywellprocess.blob.core.windows.net/public/Marketing/White-Paper-USB-Security-Myths-vs-Reality.pdf}, language = {English}, urldate = {2020-07-15} } @online{hopfengetraenk:20190525:fasdisassembler:aed58f5, author = {Hopfengetraenk}, title = {{Fas-Disassembler for Visuallisp 0.8}}, date = {2019-05-25}, organization = {Github (Hopfengetraenk)}, url = {https://github.com/Hopfengetraenk/Fas-Disasm}, language = {English}, urldate = {2020-01-13} } @online{hopkins:20210126:ghostdnsbusters:d295f93, author = {Josh Hopkins and Manabu Niseki and CERT-BR}, title = {{GhostDNSbusters (Part 3) Illuminating GhostDNS Infrastructure}}, date = {2021-01-26}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/01/26/illuminating-ghostdns-infrastructure-part-3/}, language = {English}, urldate = {2021-01-29} } @online{hopkins:20210315:fin8:838cdc2, author = {Josh Hopkins}, title = {{FIN8: BADHATCH Threat Indicator Enrichmen}}, date = {2021-03-15}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/}, language = {English}, urldate = {2021-03-18} } @online{hopkins:20210519:tracking:45749be, author = {Josh Hopkins and Andy Kraus and Nick Byers}, title = {{Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network}}, date = {2021-05-19}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/}, language = {English}, urldate = {2021-05-26} } @online{hopkins:20210811:moqhao:91b7e4c, author = {Josh Hopkins}, title = {{MoqHao Part 1.5: High-Level Trends of Recent Campaigns Targeting Japan}}, date = {2021-08-11}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/}, language = {English}, urldate = {2022-03-28} } @online{hopkins:20220126:analysis:4513e29, author = {Josh Hopkins}, title = {{Analysis of a Management IP Address linked to Molerats APT}}, date = {2022-01-26}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/01/26/analysis-of-a-management-ip-address-linked-to-molerats-apt/}, language = {English}, urldate = {2022-02-02} } @online{hopkins:20220323:raccoon:8af8713, author = {Josh Hopkins and Brian Eckman and Andy Kraus and Paul Welte}, title = {{Raccoon Stealer – An Insight into Victim “Gates”}}, date = {2022-03-23}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/}, language = {English}, urldate = {2022-03-25} } @online{hopkins:20220407:moqhao:459286e, author = {Josh Hopkins}, title = {{MoqHao Part 2: Continued European Expansion}}, date = {2022-04-07}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/}, language = {English}, urldate = {2022-04-12} } @techreport{hork:20191206:demystifying:1285ddd, author = {Juraj Horňák and Jakub Souček}, title = {{Demystifying banking trojans from Latin America}}, date = {2019-12-06}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf}, language = {English}, urldate = {2020-05-05} } @online{horowitz:20211104:dods:dbfa6a1, author = {Michael C. Horowitz and Lauren A. Kahn}, title = {{DoD's 2021 China Military Power Report: How Advances in AI and Emerging Technologies Will Shape China’s Military}}, date = {2021-11-04}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/blog/dods-2021-china-military-power-report-how-advances-ai-and-emerging-technologies-will-shape}, language = {English}, urldate = {2021-11-08} } @online{hosseini:20170718:ten:600fd92, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } @online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } @online{hosseini:20170718:ten:fa1e393, author = {Ashkan Hosseini}, title = {{Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques}}, date = {2017-07-18}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-01-09} } @online{hostetler:20240104:followon:7c99700, author = {Stefan Hostetler and Steven Campbell}, title = {{Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware}}, date = {2024-01-04}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/}, language = {English}, urldate = {2024-01-05} } @online{hotsauce:20230320:detailed:d141765, author = {HOTSAUCE and S2W TALON}, title = {{Detailed Analysis of Cryptocurrency Phishing Through Famous YouTube Channel Hacking}}, date = {2023-03-20}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/detailed-analysis-of-cryptocurrency-phishing-through-famous-youtube-channel-hacking-cd40de8dce6f}, language = {Korean}, urldate = {2023-03-21} } @online{hotsauce:20240105:story:bb20949, author = {HOTSAUCE and S2W TALON}, title = {{Story of H2 2023: A Deep Dive into Data Leakage and Commerce in Chinese Telegram}}, date = {2024-01-05}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/story-of-h2-2023-a-deep-dive-into-data-leakage-and-commerce-in-chinese-telegram-9903c3e70538}, language = {Korean}, urldate = {2024-01-12} } @online{hough:20231017:prospernot:0726780, author = {Oliver Hough}, title = {{PROSPERNOT (PROSPERO-AS) The Little AS That Could. Part 1}}, date = {2023-10-17}, url = {https://oliverhough.io/prospernot-prospero-as-the-little-as-that-could-part-1/}, language = {English}, urldate = {2023-10-17} } @online{houliuyang:20220401:what:f58905c, author = {houliuyang and 黄安欣}, title = {{What Our Honeypot Sees Just One Day After The Spring4Shell Advisory}}, date = {2022-04-01}, organization = {360 netlab}, url = {https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/}, language = {English}, urldate = {2022-04-13} } @online{house:20210719:united:31243f3, author = {THE WHITE HOUSE}, title = {{The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China}}, date = {2021-07-19}, organization = {THE WHITE HOUSE}, url = {https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/}, language = {English}, urldate = {2021-07-24} } @online{houspanossian:20240617:info:5464bca, author = {Alejandro Houspanossian}, title = {{Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion}}, date = {2024-06-17}, organization = {Trellix}, url = {https://www.trellix.com/blogs/research/how-attackers-repackaged-a-threat-into-something-that-looked-benign/}, language = {English}, urldate = {2024-08-01} } @online{houtekamer:20210402:cesspool:7540607, author = {Carola Houtekamer and Rik Wassens}, title = {{The cesspool of the internet is to be found in a village in North Holland}}, date = {2021-04-02}, organization = {NRC Handelsblad}, url = {https://www.nrc.nl/nieuws/2021/04/02/the-cesspool-of-the-internet-is-to-be-found-in-a-village-in-north-holland-a4038369}, language = {English}, urldate = {2024-03-12} } @online{hovious:20211004:how:03b7d93, author = {James Hovious}, title = {{How to Write a Hancitor Extractor in Go}}, date = {2021-10-04}, organization = {pid4.io}, url = {https://pid4.io/posts/how_to_write_a_hancitor_extractor/}, language = {English}, urldate = {2021-10-11} } @online{hpp:20200507:ruhruniversitt:7991318, author = {hpp}, title = {{Ruhr-Universität Bochum meldet Computerangriff}}, date = {2020-05-07}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/ruhr-uni-bochum-offenbar-opfer-von-computerangriff-a-c42754cc-72dc-4d34-8b58-bb0008619c05?utm_source=dlvr.it&utm_medium=twitter#ref=rss}, language = {English}, urldate = {2020-07-06} } @online{hrka:20191126:stantinko:0fbdd59, author = {Vladislav Hrčka}, title = {{Stantinko botnet adds cryptomining to its pool of criminal activities}}, date = {2019-11-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/}, language = {English}, urldate = {2020-01-12} } @online{hrka:20200319:stantinkos:b6a60f8, author = {Vladislav Hrčka}, title = {{Stantinko’s new cryptominer features unique obfuscation techniques}}, date = {2020-03-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/}, language = {English}, urldate = {2020-03-26} } @online{hrka:20200807:stadeo:9fc4787, author = {Vladislav Hrčka}, title = {{Stadeo: Deobfuscating Stantinko and more}}, date = {2020-08-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/}, language = {English}, urldate = {2020-08-14} } @online{hrka:20211007:fontonlake:03cadd5, author = {Vladislav Hrčka}, title = {{FontOnLake: Previously unknown malware family targeting Linux}}, date = {2021-10-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/}, language = {English}, urldate = {2021-10-11} } @online{hrka:20211027:wslink:39610dc, author = {Vladislav Hrčka}, title = {{Wslink: Unique and undocumented malicious loader that runs as a server}}, date = {2021-10-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/}, language = {English}, urldate = {2021-12-06} } @techreport{hrka:202203:under:04f52d9, author = {Vladislav Hrčka}, title = {{Under the hood of Wslink’s multilayered virtual machine}}, date = {2022-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf}, language = {English}, urldate = {2022-03-30} } @online{hrka:20220914:you:3850b85, author = {Vladislav Hrčka and Mathieu Tartare and Thibaut Passilly}, title = {{You never walk alone: The SideWalk backdoor gets a Linux variant}}, date = {2022-09-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/}, language = {English}, urldate = {2022-09-19} } @online{hrka:20230223:winordll64:73e8cbf, author = {Vladislav Hrčka}, title = {{WinorDLL64: A backdoor from the vast Lazarus arsenal?}}, date = {2023-02-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/}, language = {English}, urldate = {2023-02-27} } @online{hromcov:20180607:invisimole:5c5f0ed, author = {Zuzana Hromcová}, title = {{InvisiMole: Surprisingly equipped spyware, undercover since 2013}}, date = {2018-06-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190708:malicious:f712ebc, author = {Zuzana Hromcová}, title = {{Malicious campaign targets South Korean users with backdoor‑laced torrents}}, date = {2019-07-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190718:okrum:3841a95, author = {Zuzana Hromcová}, title = {{Okrum: Ke3chang group targets diplomatic missions}}, date = {2019-07-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190814:in:4da809c, author = {Zuzana Hromcová}, title = {{In the Balkans, businesses are under fire from a double‑barreled weapon}}, date = {2019-08-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20191010:eset:70f9671, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform}, language = {English}, urldate = {2020-04-06} } @online{hromcov:20191010:eset:d4155ed, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/}, language = {English}, urldate = {2020-02-13} } @techreport{hromcov:201910:at:3b4754e, author = {Zuzana Hromcová}, title = {{AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM}}, date = {2019-10}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{hromcov:20200608:invisimole:70a4dc1, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations}}, date = {2020-06-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf}, language = {English}, urldate = {2020-06-29} } @online{hromcov:20200618:digging:285d02f, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Digging up InvisiMole’s hidden arsenal}}, date = {2020-06-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/}, language = {English}, urldate = {2020-06-29} } @online{hromcov:20200618:digging:35a04cc, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Digging up InvisiMole’s hidden arsenal}}, date = {2020-06-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal}, language = {English}, urldate = {2022-08-25} } @techreport{hromcov:20210804:anatomy:2bcd04b, author = {Zuzana Hromcová}, title = {{Anatomy of Native IIS Malware (slides)}}, date = {2021-08-04}, institution = {ESET Research}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf}, language = {English}, urldate = {2021-08-06} } @techreport{hromcov:20210804:anatomy:e1c9d94, author = {Zuzana Hromcová}, title = {{Anatomy of Native IIS Malware (white papaer)}}, date = {2021-08-04}, institution = {ESET Research}, url = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf}, language = {English}, urldate = {2021-08-06} } @online{hromcov:20210806:anatomy:27b293f, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Anatomy of native IIS malware}}, date = {2021-08-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/}, language = {English}, urldate = {2021-08-09} } @online{hromcov:20210806:iistealer:d9957ab, author = {Zuzana Hromcová}, title = {{IIStealer: A server‑side threat to e‑commerce transactions}}, date = {2021-08-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/06/iistealer-server-side-threat-ecommerce-transactions/}, language = {English}, urldate = {2021-08-09} } @online{hromcov:20210809:iispy:c0b6ad3, author = {Zuzana Hromcová}, title = {{IISpy: A complex server‑side backdoor with anti‑forensic features}}, date = {2021-08-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/}, language = {English}, urldate = {2021-09-19} } @online{hromcov:20210811:iiserpent:7f68773, author = {Zuzana Hromcová}, title = {{IISerpent: Malware‑driven SEO fraud as a service}}, date = {2021-08-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/11/iiserpent-malware-driven-seo-fraud-service/}, language = {English}, urldate = {2021-08-16} } @online{hromcov:20230921:oilrigs:f3caa7e, author = {Zuzana Hromcová}, title = {{OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes}}, date = {2023-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/}, language = {English}, urldate = {2023-10-06} } @online{hron:20200925:fresh:41ed4d0, author = {Martin Hron}, title = {{The Fresh Smell of ransomed coffee}}, date = {2020-09-25}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/}, language = {English}, urldate = {2020-09-25} } @online{hron:20220318:mris:47b15bc, author = {Martin Hron}, title = {{Mēris and TrickBot standing on the shoulders of giants}}, date = {2022-03-18}, organization = {Avast}, url = {https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/}, language = {English}, urldate = {2022-03-23} } @techreport{hse:20211203:conti:eae1edb, author = {HSE}, title = {{Conti cyber attack on the HSE}}, date = {2021-12-03}, institution = {HSE}, url = {https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf}, language = {English}, urldate = {2022-02-07} } @online{hsieh:20210819:shadowpad:04bbb1e, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-19}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/}, language = {English}, urldate = {2021-08-23} } @techreport{hsieh:20210823:shadowpad:58780f1, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-23}, institution = {SentinelOne}, url = {https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf}, language = {English}, urldate = {2022-07-18} } @online{hsieh:20210901:shadowpad:f9ae111, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{SHADOWPAD: Chinese Espionage Malware-as-a-Service}}, date = {2021-09-01}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=IRh6R8o1Q7U}, language = {English}, urldate = {2022-08-08} } @online{hsieh:20211104:shadowpad:8dbd5c7, author = {Yi-Jhen Hsieh and Joey Chen}, title = {{ShadowPad: the masterpiece of privately sold malware in Chinese espionage}}, date = {2021-11-04}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=r1zAVX_HnJg}, language = {English}, urldate = {2022-08-08} } @online{hsu:20200319:new:f5530d2, author = {Ken Hsu and Zhibin Zhang and Ruchna Nigam}, title = {{New Mirai Variant Targets Zyxel Network-Attached Storage Devices}}, date = {2020-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/}, language = {English}, urldate = {2023-08-28} } @online{hsu:20200403:grandstream:9d7d8a0, author = {Ken Hsu and Haozhe Zhang and Zhibin Zhang and Ruchna Nigam}, title = {{Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/}, language = {English}, urldate = {2023-08-28} } @online{hsu:20200624:lucifer:5fc044c, author = {Ken Hsu and Durgesh Sangvikar and Zhibin Zhang and Chris Navarrete}, title = {{Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices}}, date = {2020-06-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/}, language = {English}, urldate = {2020-06-24} } @online{hsu:20201014:two:aa1efb9, author = {Ken Hsu and Yue Guan and Vaibhav Singhal and Qi Deng}, title = {{Two New IoT Vulnerabilities Identified with Mirai Payloads}}, date = {2020-10-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/}, language = {English}, urldate = {2020-10-23} } @online{hsu:20210408:attackers:c68051d, author = {Ken Hsu and Vaibhav Singhal and Ashutosh Chitwadgi}, title = {{Attackers Conducting Cryptojacking Operation Against U.S. Education Organizations}}, date = {2021-04-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attackers-conducting-cryptojacking-u-s-education-organizations/}, language = {English}, urldate = {2021-04-12} } @online{hsu:20211113:threat:597b1a0, author = {Still Hsu}, title = {{Threat Spotlight - Domain Fronting}}, date = {2021-11-13}, organization = {Just Still}, url = {https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/}, language = {English}, urldate = {2021-11-18} } @techreport{hsu:20230126:brief:5a0716d, author = {Still Hsu}, title = {{Brief History of MustangPanda and its PlugX Evolution}}, date = {2023-01-26}, institution = {TEAMT5}, url = {https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf}, language = {English}, urldate = {2023-02-09} } @techreport{hsu:20230818:unmasking:61bd6b5, author = {Still Hsu and Zih-Cing Liao}, title = {{Unmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia}}, date = {2023-08-18}, institution = {TEAMT5}, url = {https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf}, language = {English}, urldate = {2024-02-28} } @techreport{hsu:20240823:sailing:1d3d2cb, author = {Still Hsu}, title = {{Sailing the Seven SEAs: Deep Dive into Polaris' Arsenal and Intelligence Insights}}, date = {2024-08-23}, institution = {TEAMT5}, url = {https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf}, language = {English}, urldate = {2024-10-09} } @online{httenhain:20211003:using:5663851, author = {Jesko Hüttenhain}, title = {{Using Windows Sandbox for Malware Analysis}}, date = {2021-10-03}, organization = {blag.nullteilerfrei.de}, url = {https://blag.nullteilerfrei.de/2021/10/03/using-windows-sandbox-for-malware-analysis/}, language = {English}, urldate = {2021-11-29} } @online{httenhain:20221202:refinery:ee32690, author = {Jesko Hüttenhain}, title = {{The Refinery Files 0x06: Qakbot Decoder}}, date = {2022-12-02}, organization = {Github (binref)}, url = {https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb}, language = {English}, urldate = {2022-12-02} } @online{hu:20210324:fake:c715b76, author = {Lucas Hu}, title = {{Fake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and BioNTech}}, date = {2021-03-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/covid-19-themed-phishing-attacks/}, language = {English}, urldate = {2021-03-25} } @online{hu:20210910:phishingjs:289c504, author = {Lucas Hu}, title = {{PhishingJS: A Deep Learning Model for JavaScript-Based Phishing Detection}}, date = {2021-09-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/javascript-based-phishing/}, language = {English}, urldate = {2021-09-14} } @online{hu:20220325:mining:287a2e7, author = {Yun Zheng Hu}, title = {{Mining data from Cobalt Strike beacons}}, date = {2022-03-25}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/}, language = {English}, urldate = {2022-03-28} } @online{hu:20220823:legitimate:5496feb, author = {Lucas Hu}, title = {{Legitimate SaaS Platforms Being Used to Host Phishing Attacks}}, date = {2022-08-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/platform-abuse-phishing/}, language = {English}, urldate = {2022-09-20} } @online{huang:20150212:mobile:057aef0, author = {Simon Huang}, title = {{Mobile Malware Gang Steals Millions from South Korean Users}}, date = {2015-02-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-gang-steals-millions-from-south-korean-users/}, language = {English}, urldate = {2021-04-19} } @online{huang:20160301:shrouded:2a15cdd, author = {Razor Huang}, title = {{Shrouded Crossbow Creators Behind BIFROSE for UNIX}}, date = {2016-03-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html}, language = {English}, urldate = {2021-04-06} } @online{huang:20170705:security:8819459, author = {Kevin Y. Huang}, title = {{Security 101: The Impact of Cryptocurrency-Mining Malware}}, date = {2017-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware}, language = {English}, urldate = {2020-01-07} } @techreport{huang:20180726:tracking:b51d0ee, author = {Danny Yuxing Huang and Maxwell Matthaios Aliapoulios and Vector Guo Li and Luca Invernizzi and Kylie McRoberts and Elie Bursztein and Jonathan Levin and Kirill Levchenko and Alex C. Snoeren and Damon McCoy}, title = {{Tracking Ransomware End-to-end}}, date = {2018-07-26}, institution = {IEEE Symposium on Security and Privacy (SP)}, url = {https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf}, language = {English}, urldate = {2021-04-16} } @online{huang:20201123:zoom:b9540f5, author = {Kaizhe Huang}, title = {{Zoom into Kinsing}}, date = {2020-11-23}, organization = {sysdig}, url = {https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/}, language = {English}, urldate = {2022-07-25} } @online{hubbl3:20210714:xls:2c44e9c, author = {Hubbl3}, title = {{XLS Entanglement}}, date = {2021-07-14}, organization = {BC SECURITY}, url = {https://www.bc-security.org/post/xls-entanglement/}, language = {English}, urldate = {2021-07-20} } @online{huberman:20190521:atlas:ec3e24b, author = {David Huberman}, title = {{ATLAS III Webinar 5: Cybersecurity Basics}}, date = {2019-05-21}, organization = {ICANN}, url = {https://icann.zoom.us/recording/play/AhQB4AQyjCuEJGz2wQQans0Xqkz3su8swGLQoORJhdECw9ttz0TbuyzBlue85gIY}, language = {English}, urldate = {2023-08-11} } @techreport{huberman:20190521:cybersecurity:17d57c8, author = {David Huberman}, title = {{Cybersecurity & the ICANN Ecosystem}}, date = {2019-05-21}, institution = {ICANN}, url = {https://community.icann.org/download/attachments/109483867/Cybersecurity%20and%20the%20ICANN%20Ecosystem.pdf}, language = {English}, urldate = {2023-08-11} } @online{hudson:20210719:us:37c4208, author = {John Hudson and Ellen Nakashima}, title = {{U.S., allies accuse China of hacking Microsoft and condoning other cyberattacks (APT40)}}, date = {2021-07-19}, organization = {Washington Post}, url = {https://www.washingtonpost.com/national-security/microsoft-hack-china-biden-nato/2021/07/19/a90ac7b4-e827-11eb-84a2-d93bc0b50294_story.html}, language = {English}, urldate = {2021-07-24} } @online{hudson:20220505:studying:da3c36c, author = {Austin Hudson}, title = {{Studying “Next Generation Malware” - NightHawk’s Attempt At Obfuscate and Sleep}}, date = {2022-05-05}, organization = {Suspicious Actor}, url = {https://web.archive.org/web/20220505170100/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html}, language = {English}, urldate = {2022-12-02} } @online{hudson:20230203:ave:688ad0d, author = {Chad Hudson}, title = {{Ave Maria and the Chambers of Warzone RAT}}, date = {2023-02-03}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat}, language = {English}, urldate = {2023-02-03} } @online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2022-02-16} } @online{huey:20210902:translated:dfdc05f, author = {Caitlin Huey and David Liebenberg and Azim Khodjibaev and Dmytro Korzhevin}, title = {{Translated: Talos' insights from the recently leaked Conti ransomware playbook}}, date = {2021-09-02}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html}, language = {English}, urldate = {2021-09-06} } @online{huiseong:20220922:quick:9184019, author = {Yang HuiSeong and Jeong Hyunsik}, title = {{Quick Overview of Leaked LockBit 3.0 (Black) builder program}}, date = {2022-09-22}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085}, language = {English}, urldate = {2022-10-24} } @online{hulcoop:20161117:its:b644801, author = {Adam Hulcoop and Matt Brooks and Etienne Maynier and John Scott-Railton and Masashi Crete-Nishihata}, title = {{It’s Parliamentary - KeyBoy and the targeting of the Tibetan Community}}, date = {2016-11-17}, organization = {CitizenLab}, url = {https://citizenlab.ca/2016/11/parliament-keyboy/}, language = {English}, urldate = {2019-07-11} } @online{hultquist:20190416:spear:a0125cb, author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen}, title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}}, date = {2019-04-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html}, language = {English}, urldate = {2019-12-20} } @online{hultquist:20220120:anticipating:8005282, author = {John Hultquist}, title = {{Anticipating Cyber Threats as the Ukraine Crisis Escalates}}, date = {2022-01-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/ukraine-crisis-cyber-threats}, language = {English}, urldate = {2022-01-24} } @online{hultquist:20220120:anticipating:b2d356a, author = {John Hultquist and Matthew McWhirt}, title = {{Anticipating and Preparing for Russian Cyber Activity}}, date = {2022-01-20}, organization = {BrightTALK (Mandiant)}, url = {https://www.brighttalk.com/webcast/7451/527124}, language = {English}, urldate = {2022-02-14} } @techreport{hummert:20220308:mobile:753e936, author = {Christian Hummert and Dirk Pawlaszczyk}, title = {{Mobile Forensics – The File Format Handbook}}, date = {2022-03-08}, institution = {Springer}, url = {https://link.springer.com/content/pdf/10.1007%2F978-3-030-98467-0.pdf}, language = {English}, urldate = {2022-05-09} } @online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } @online{humphrey:20181122:turla:de7f30a, author = {Ben Humphrey}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/}, language = {English}, urldate = {2023-06-19} } @online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } @online{hunter:20181120:l0rdix:bf0024c, author = {Ben Hunter}, title = {{L0RDIX: MULTIPURPOSE ATTACK TOOL}}, date = {2018-11-20}, organization = {enSilo}, url = {https://blog.ensilo.com/l0rdix-attack-tool}, language = {English}, urldate = {2019-12-17} } @online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-}, language = {English}, urldate = {2020-11-04} } @online{hunter:20200701:ekans:46605bc, author = {Ben Hunter and Fred Gutierrez}, title = {{EKANS Ransomware Targeting OT ICS Systems}}, date = {2020-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems}, language = {English}, urldate = {2020-07-06} } @online{huntio:20240201:accidental:2e2e025, author = {Hunt.io}, title = {{The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)}}, date = {2024-02-01}, organization = {Hunt.io}, url = {https://hunt.io/blog/hunting-and-collecting-malware-via-open-directories-part-1}, language = {English}, urldate = {2024-09-26} } @online{huntio:20240409:blueshell:fb479cc, author = {Hunt.io}, title = {{BlueShell: Four Years On, Still A Formidable Threat}}, date = {2024-04-09}, organization = {Hunt.io}, url = {https://hunt.io/blog/blueshell-four-years-on-still-a-formidable-threat}, language = {English}, urldate = {2024-06-28} } @online{huntio:20240530:solarmarker:2b2b86d, author = {Hunt.io}, title = {{SolarMarker: Hunt Insights and Findings}}, date = {2024-05-30}, organization = {Hunt.io}, url = {https://hunt.io/blog/solarmarker-hunt-insight-and-findings}, language = {English}, urldate = {2024-08-29} } @online{huntio:20240606:tracking:b939354, author = {Hunt.io}, title = {{Tracking LightSpy: Certificates as Windows into Adversary Behavior}}, date = {2024-06-06}, organization = {Hunt.io}, url = {https://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior}, language = {English}, urldate = {2024-09-13} } @online{huntio:20240625:good:f2ecaac, author = {Hunt.io}, title = {{Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub}}, date = {2024-06-25}, organization = {Hunt.io}, url = {https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github}, language = {English}, urldate = {2024-09-04} } @online{huntio:20240723:simple:9fec1f2, author = {Hunt.io}, title = {{A Simple Approach to Discovering Oyster Backdoor Infrastructure}}, date = {2024-07-23}, organization = {Hunt.io}, url = {https://hunt.io/blog/a-simple-approach-to-discovering-oyster-backdoor-infrastructure}, language = {English}, urldate = {2024-07-25} } @online{huntio:20240829:latrodectus:9f4c776, author = {Hunt.io}, title = {{Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims}}, date = {2024-08-29}, organization = {Hunt.io}, url = {https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims}, language = {English}, urldate = {2024-09-02} } @online{huntio:20240903:toneshell:c3bf32e, author = {Hunt.io}, title = {{ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit}}, date = {2024-09-03}, organization = {Hunt.io}, url = {https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit}, language = {English}, urldate = {2024-09-11} } @online{huntio:202409:echoes:89cdb44, author = {Hunt.io}, title = {{Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory}}, date = {2024-09}, organization = {Hunt.io}, url = {https://hunt.io/blog/echoes-of-stargazer-goblin-analyzing-shared-ttps-from-an-open-directory}, language = {English}, urldate = {2024-10-01} } @online{huntio:20241008:inside:80560a5, author = {Hunt.io}, title = {{Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages}}, date = {2024-10-08}, organization = {Hunt.io}, url = {https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages}, language = {English}, urldate = {2024-10-09} } @online{huntio:20241010:unmasking:a088931, author = {Hunt.io}, title = {{Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity}}, date = {2024-10-10}, organization = {Hunt.io}, url = {https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity}, language = {English}, urldate = {2025-03-21} } @online{huntio:20241017:from:4350f51, author = {Hunt.io}, title = {{From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure}}, date = {2024-10-17}, organization = {Hunt.io}, url = {https://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure}, language = {English}, urldate = {2024-10-18} } @online{huntio:20241024:rekoobe:9b3d7e1, author = {Hunt.io}, title = {{Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users}}, date = {2024-10-24}, organization = {Hunt.io}, url = {https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users}, language = {English}, urldate = {2024-10-25} } @online{huntio:20241031:tricks:e5d9eef, author = {Hunt.io}, title = {{Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight}}, date = {2024-10-31}, organization = {Hunt.io}, url = {https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight}, language = {English}, urldate = {2024-11-05} } @online{huntio:20241105:runningrats:068502c, author = {Hunt.io}, title = {{RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit}}, date = {2024-11-05}, organization = {Hunt.io}, url = {https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining}, language = {English}, urldate = {2024-11-15} } @online{huntio:20241112:targeting:708cf6d, author = {Hunt.io}, title = {{Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator}}, date = {2024-11-12}, organization = {Hunt.io}, url = {https://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc}, language = {English}, urldate = {2024-11-15} } @online{huntio:20241119:xenorat:36522d5, author = {Hunt.io}, title = {{XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method}}, date = {2024-11-19}, organization = {Hunt.io}, url = {https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method}, language = {English}, urldate = {2024-11-25} } @online{huntio:20241121:darkpeonys:0bbcde0, author = {Hunt.io}, title = {{DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure}}, date = {2024-11-21}, organization = {Hunt.io}, url = {https://hunt.io/blog/darkpeony-certificate-patterns}, language = {English}, urldate = {2025-03-21} } @online{huntio:20241128:uncovering:62d5e5b, author = {Hunt.io}, title = {{Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies}}, date = {2024-11-28}, organization = {Hunt.io}, url = {https://hunt.io/blog/uncovering-threat-actor-tactics-xworm-delivery-strategies}, language = {English}, urldate = {2024-12-11} } @online{huntio:20241203:rare:408f2c2, author = {Hunt.io}, title = {{Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity}}, date = {2024-12-03}, organization = {Hunt.io}, url = {https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity}, language = {English}, urldate = {2024-12-11} } @online{huntio:20241210:million:236e638, author = {Hunt.io}, title = {{“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure}}, date = {2024-12-10}, organization = {Hunt.io}, url = {https://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking}, language = {English}, urldate = {2024-12-11} } @online{huntio:20241212:oysters:8e5fa5d, author = {Hunt.io}, title = {{Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors}}, date = {2024-12-12}, organization = {Hunt.io}, url = {https://hunt.io/blog/oysters-trail-resurgence-infrastructure-ransomware-cybercrime}, language = {English}, urldate = {2025-01-07} } @online{huntio:20250107:golang:9eedde0, author = {Hunt.io}, title = {{Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure}}, date = {2025-01-07}, organization = {Hunt.io}, url = {https://hunt.io/blog/golang-beacons-vs-code-tunnels-tracking-cobalt-strike}, language = {English}, urldate = {2025-01-29} } @online{huntio:20250123:mapping:cb6b83a, author = {Hunt.io}, title = {{Mapping Suspected KEYPLUG Infrastructure: TLS Certificates, GhostWolf, and RedGolf/APT41 Activity}}, date = {2025-01-23}, organization = {Hunt.io}, url = {https://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity}, language = {English}, urldate = {2025-01-29} } @online{huntio:20250128:sparkrat:24e63f4, author = {Hunt.io}, title = {{SparkRAT: Server Detection, macOS Activity, and Malicious Connections}}, date = {2025-01-28}, organization = {Hunt.io}, url = {https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections}, language = {English}, urldate = {2025-01-29} } @online{huntio:20250204:greenspot:da72f9d, author = {Hunt.io}, title = {{GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains}}, date = {2025-02-04}, organization = {Hunt.io}, url = {https://hunt.io/blog/greenspot-apt-targets-163com-fake-downloads-spoofing}, language = {English}, urldate = {2025-03-07} } @online{huntio:20250206:smokeloader:50e99cd, author = {Hunt.io}, title = {{SmokeLoader Malware Found in Open Directories Targeting Ukraine’s Auto & Banking Industries}}, date = {2025-02-06}, organization = {Hunt.io}, url = {https://hunt.io/blog/smokeloader-malware-found-in-open-directories-targeting-ukraine-s-auto-banking-industries}, language = {English}, urldate = {2025-03-07} } @online{huntio:20250212:tracking:08a4155, author = {Hunt.io}, title = {{Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt}}, date = {2025-02-12}, organization = {Hunt.io}, url = {https://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers}, language = {English}, urldate = {2025-03-07} } @online{huntio:20250220:lightspy:58bb267, author = {Hunt.io}, title = {{LightSpy Expands Command List to Include Social Media Platforms}}, date = {2025-02-20}, organization = {Hunt.io}, url = {https://hunt.io/blog/lightspy-malware-targets-facebook-instagram}, language = {English}, urldate = {2025-03-07} } @online{huntio:20250227:uncovering:bdf996c, author = {Hunt.io}, title = {{Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure}}, date = {2025-02-27}, organization = {Hunt.io}, url = {https://hunt.io/blog/uncovering-joker-c2-network}, language = {English}, urldate = {2025-03-07} } @online{huntio:20250304:exposing:ba4bf57, author = {Hunt.io}, title = {{Exposing Russian EFF Impersonators: The Inside Story on Stealc & Pyramid C2}}, date = {2025-03-04}, organization = {Hunt.io}, url = {https://hunt.io/blog/russian-speaking-actors-impersonate-etf-distribute-stealc-pyramid-c2}, language = {English}, urldate = {2025-03-07} } @online{huntio:20250311:jspspy:e2feb92, author = {Hunt.io}, title = {{JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure}}, date = {2025-03-11}, organization = {Hunt.io}, url = {https://hunt.io/blog/jspspy-filebroser-custom-webshell-management}, language = {English}, urldate = {2025-03-14} } @online{huntio:20250401:same:f8fda2d, author = {Hunt.io}, title = {{Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs}}, date = {2025-04-01}, organization = {Hunt.io}, url = {https://hunt.io/blog/russian-actor-cloudflare-phishing-telegram-c2}, language = {English}, urldate = {2025-04-28} } @online{huntio:20250408:statesponsored:c1dc656, author = {Hunt.io}, title = {{State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure}}, date = {2025-04-08}, organization = {Hunt.io}, url = {https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad}, language = {English}, urldate = {2025-04-09} } @online{huntio:20250505:apt36style:c11c9b5, author = {Hunt.io}, title = {{APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux}}, date = {2025-05-05}, organization = {Hunt.io}, url = {https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence}, language = {English}, urldate = {2025-05-20} } @online{huntio:20250605:abusing:e6702c1, author = {Hunt.io}, title = {{Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure}}, date = {2025-06-05}, organization = {Hunt.io}, url = {https://hunt.io/blog/pasteee-xworm-asyncrat-infrastructure}, language = {English}, urldate = {2025-06-11} } @online{huntio:20250619:cobalt:8023619, author = {Hunt.io}, title = {{Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure}}, date = {2025-06-19}, organization = {Hunt.io}, url = {https://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure}, language = {English}, urldate = {2025-06-24} } @online{huntley:20201016:how:baafd73, author = {Shane Huntley and Google Threat Analysis Group}, title = {{How we're tackling evolving online threats}}, date = {2020-10-16}, organization = {Google}, url = {https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats}, language = {English}, urldate = {2020-10-23} } @online{huntley:20201117:tag:74d7811, author = {Shane Huntley and Google Threat Analysis Group}, title = {{TAG Bulletin: Q4 2020}}, date = {2020-11-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q4-2020/}, language = {English}, urldate = {2020-11-19} } @online{huntley:20210216:tag:5cfe8eb, author = {Shane Huntley and Google Threat Analysis Group}, title = {{TAG Bulletin: Q1 2021}}, date = {2021-02-16}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q1-2021/}, language = {English}, urldate = {2021-02-18} } @online{huntley:20211029:tag:49e2993, author = {Shane Huntley and Google Threat Analysis Group}, title = {{TAG Bulletin: Q3 2021}}, date = {2021-10-29}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q3-2021/}, language = {English}, urldate = {2021-11-17} } @online{huntley:20211202:tag:0e0e268, author = {Shane Huntley and Google Threat Analysis Group}, title = {{TAG Bulletin: Q4 2021}}, date = {2021-12-02}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q4-2021/}, language = {English}, urldate = {2021-12-08} } @online{huntley:20211207:disrupting:9fd4ab7, author = {Shane Huntley and Luca Nagy and Google Threat Analysis Group}, title = {{Disrupting the Glupteba operation}}, date = {2021-12-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/disrupting-glupteba-operation/}, language = {English}, urldate = {2021-12-08} } @online{huntley:20220301:tag:7979933, author = {Shane Huntley and Google Threat Analysis Group}, title = {{TAG Bulletin: Q1 2022}}, date = {2022-03-01}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q1-2022/}, language = {English}, urldate = {2022-03-02} } @online{huntley:20220307:update:0381e70, author = {Shane Huntley and Google Threat Analysis Group}, title = {{An update on the threat landscape (APT28, UNC1151, MUSTANG PANDA)}}, date = {2022-03-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/}, language = {English}, urldate = {2022-03-08} } @online{huntley:20220308:apt31:9193a1d, author = {Shane Huntley and Google Threat Analysis Group}, title = {{Tweet on APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government in February}}, date = {2022-03-08}, organization = {Twitter (@ShaneHuntley)}, url = {https://twitter.com/ShaneHuntley/status/1501224764530069504}, language = {English}, urldate = {2022-03-10} } @online{huntley:20220630:countering:ce81f7e, author = {Shane Huntley and Google Threat Analysis Group}, title = {{Countering hack-for-hire groups}}, date = {2022-06-30}, organization = {Google}, url = {https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/}, language = {English}, urldate = {2022-07-15} } @online{huntley:20220712:tag:75b230d, author = {Shane Huntley and Google Threat Analysis Group}, title = {{TAG Bulletin: Q2 2022}}, date = {2022-07-12}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q2-2022/}, language = {English}, urldate = {2022-07-15} } @online{huntley:20230216:fog:de676ba, author = {Shane Huntley}, title = {{Fog of war: how the Ukraine conflict transformed the cyber threat landscape}}, date = {2023-02-16}, organization = {Google}, url = {https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/}, language = {English}, urldate = {2023-02-16} } @online{huntley:20230330:tag:d29d831, author = {Shane Huntley and Google Threat Analysis Group}, title = {{TAG Bulletin: Q1 2023}}, date = {2023-03-30}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q1-2023/}, language = {English}, urldate = {2023-04-22} } @online{huntress:20220115:threat:cb103f0, author = {Team Huntress}, title = {{Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)}}, date = {2022-01-15}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike}, language = {English}, urldate = {2022-03-07} } @online{huntress:20241114:its:b8e1039, author = {Team Huntress}, title = {{It’s Not Safe to Pay SafePay}}, date = {2024-11-14}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/its-not-safe-to-pay-safepay}, language = {English}, urldate = {2025-05-28} } @techreport{huq:201409:pos:e79a593, author = {Numaan Huq}, title = {{PoS RAM Scraper Malware}}, date = {2014-09}, institution = {Wired}, url = {https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf}, language = {English}, urldate = {2020-01-07} } @online{huq:20160919:untangling:daa62bd, author = {Numaan Huq}, title = {{Untangling the Ripper ATM Malware}}, date = {2016-09-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/}, language = {English}, urldate = {2019-11-26} } @online{hurk:20191010:nemty:3be8553, author = {Frank van den Hurk}, title = {{Nemty update: decryptors for Nemty 1.5 and 1.6}}, date = {2019-10-10}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/}, language = {English}, urldate = {2021-12-01} } @online{hurley:20170703:notpetya:1453645, author = {Shaun Hurley and Karan Sood}, title = {{NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery}}, date = {2017-07-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://web.archive.org/web/20200522065530/https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2025-05-28} } @online{hurley:20211207:critical:959de2e, author = {Shaun Hurley}, title = {{Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes}}, date = {2021-12-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/}, language = {English}, urldate = {2021-12-08} } @online{huskyhacks:20220117:whispergate:8223b85, author = {Matt | HuskyHacks}, title = {{WhisperGate Wiper Malware Analysis Live Thread}}, date = {2022-01-17}, organization = {Twitter (@HuskyHacksMK)}, url = {https://twitter.com/HuskyHacksMK/status/1482876242047258628}, language = {English}, urldate = {2022-01-25} } @online{huss:20151111:abaddonpos:ca72c4c, author = {Darien Huss}, title = {{AbaddonPOS: A new point of sale threat linked to Vawtrak}}, date = {2015-11-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak}, language = {English}, urldate = {2019-12-20} } @online{huss:20160128:exploring:7f85d44, author = {Darien Huss}, title = {{Exploring Bergard: Old Malware with New Tricks}}, date = {2016-01-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20160301:operation:65330f0, author = {Darien Huss}, title = {{Operation Transparent Tribe}}, date = {2016-03-01}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf}, language = {English}, urldate = {2019-12-02} } @online{huss:20170202:oops:ea454d5, author = {Darien Huss and Pierre T and Axel F and Proofpoint Staff}, title = {{Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX}}, date = {2017-02-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx}, language = {English}, urldate = {2019-12-20} } @online{huss:20170817:turla:b519667, author = {Darien Huss}, title = {{Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack}}, date = {2017-08-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack}, language = {English}, urldate = {2019-12-20} } @online{huss:20170825:operation:87e2e2b, author = {Darien Huss and Matthew Mesa}, title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}}, date = {2017-08-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } @online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20180129:north:438b45d, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2018-01-29}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf}, language = {English}, urldate = {2020-01-05} } @online{huss:20211027:finickyfrogfishwslink:ad743d9, author = {Darien Huss}, title = {{Tweet on FinickyFrogfish/Wslink malware used by TA444}}, date = {2021-10-27}, organization = {Twitter (@darienhuss)}, url = {https://twitter.com/darienhuss/status/1453342652682981378}, language = {English}, urldate = {2021-12-06} } @online{huss:20211118:triple:62c1c14, author = {Darien Huss and Selena Larson}, title = {{Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals}}, date = {2021-11-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals}, language = {English}, urldate = {2021-12-15} } @techreport{huss:20211118:triple:dd07fa8, author = {Darien Huss and Selena Larson}, title = {{Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies}}, date = {2021-11-18}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf}, language = {English}, urldate = {2021-12-15} } @online{hussey:20200625:golden:51322e2, author = {Brian Hussey}, title = {{The Golden Tax Department and the Emergence of GoldenSpy Malware}}, date = {2020-06-25}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/}, language = {English}, urldate = {2020-06-26} } @online{hussey:20200630:goldenspy:1ecdff8, author = {Brian Hussey}, title = {{GoldenSpy: Chapter Two - The Uninstaller}}, date = {2020-06-30}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/}, language = {English}, urldate = {2020-07-02} } @online{hussey:20200702:goldenspy:31c222a, author = {Brian Hussey}, title = {{GoldenSpy Chapter 3: New and Improved Uninstaller}}, date = {2020-07-02}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/}, language = {English}, urldate = {2020-07-15} } @online{hussey:20200714:goldenspy:a870540, author = {Brian Hussey}, title = {{GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software}}, date = {2020-07-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/}, language = {English}, urldate = {2020-07-15} } @online{hutchins:20211117:indepth:8fa7808, author = {Marcus Hutchins}, title = {{An in-depth look at hacking back, active defense, and cyber letters of marque}}, date = {2021-11-17}, organization = {MalwareTech}, url = {https://www.malwaretech.com/2021/11/an-in-depth-look-at-hacking-back-active-defense-and-cyber-letters-of-marque.html}, language = {English}, urldate = {2021-11-19} } @online{hutchinson:20250305:initial:28847ff, author = {Spence Hutchinson}, title = {{Initial Takeaways from the Black Basta Chat Leaks}}, date = {2025-03-05}, organization = {eSentire}, url = {https://www.esentire.com/blog/initial-takeaways-from-the-black-basta-chat-leaks}, language = {English}, urldate = {2025-03-25} } @online{huynh:20200806:bypassing:83c2a87, author = {Nhan Huynh}, title = {{Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach}}, date = {2020-08-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html}, language = {English}, urldate = {2020-08-12} } @online{huynh:20240502:dissecting:8e1859a, author = {Nhan Huynh and Hoang Nguyen and Thai Duong}, title = {{Dissecting LOCKBIT v3 ransomware}}, date = {2024-05-02}, organization = {calif.io}, url = {https://blog.calif.io/p/dissecting-lockbit-v3-ransomware}, language = {English}, urldate = {2024-05-13} } @online{hvistendahl:20201217:russian:af455a9, author = {Mara Hvistendahl and Micah Lee and Jordan Smith}, title = {{Russian Hackers Have Been Inside Austin City Network for Months}}, date = {2020-12-17}, organization = {The Intercept}, url = {https://theintercept.com/2020/12/17/russia-hack-austin-texas/}, language = {English}, urldate = {2020-12-23} } @online{hyabcd:20210707:purplefox:af42cde, author = {hyabcd}, title = {{Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign}}, date = {2021-07-07}, organization = {Twitter (@C0rk1_H)}, url = {https://twitter.com/C0rk1_H/status/1412801973628272641?s=20}, language = {English}, urldate = {2021-07-19} } @online{hybridanalysis:20150413:sqlconnt1exe:86539cc, author = {Hybrid-Analysis}, title = {{sqlconnt1.exe}}, date = {2015-04-13}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2}, language = {English}, urldate = {2020-01-13} } @online{hybridanalysis:20180208:analysis:70d43bc, author = {Hybrid-Analysis}, title = {{Analysis Run}}, date = {2018-02-08}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100}, language = {English}, urldate = {2020-01-08} } @online{hydro:20190416:cyber:ada48a4, author = {Norsk Hydro}, title = {{The cyber attack rescue operation in Hydro Toulouse}}, date = {2019-04-16}, organization = {Youtube (Norsk Hydro)}, url = {https://www.youtube.com/watch?v=o6eEN0mUakM}, language = {English}, urldate = {2020-01-13} } @online{hypen:20210715:vidar:a1d1821, author = {Hypen}, title = {{Vidar Stealer C&C Server List}}, date = {2021-07-15}, organization = {Twitter (@hypen1117)}, url = {https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk}, language = {English}, urldate = {2021-07-20} } @online{hyppnen:20110828:windows:e9fb853, author = {Mikko Hyppönen}, title = {{Windows Remote Desktop Worm "Morto" Spreading}}, date = {2011-08-28}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002227.html}, language = {English}, urldate = {2019-07-11} } @techreport{hyvrinen:20150817:dukes:4a0e858, author = {Noora Hyvärinen and F-Secure Threat Intelligence Team}, title = {{THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE}}, date = {2015-08-17}, institution = {F-Secure Labs}, url = {https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf}, language = {English}, urldate = {2022-11-15} } @online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } @online{iacob:20220824:anatomy:64f6451, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 2: Third-Party Drivers}}, date = {2022-08-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-2}, language = {English}, urldate = {2022-08-31} } @online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } @online{iacono:20230213:royal:c789fcc, author = {Laurie Iacono and Stephen Green}, title = {{Royal Ransomware Deep Dive}}, date = {2023-02-13}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive}, language = {English}, urldate = {2023-04-22} } @online{iasiello:20240102:critical:a57f237, author = {Emilio Iasiello}, title = {{Critical Infrastructure Remains the Brass Ring for Cyber Attackers in 2024}}, date = {2024-01-02}, organization = {OODA Loop}, url = {https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/}, language = {English}, urldate = {2024-02-08} } @online{ibm:20231223:icenova:4d4a506, author = {IBM}, title = {{IceNova Malware Profile}}, date = {2023-12-23}, organization = {IBM}, url = {https://exchange.xforce.ibmcloud.com/malware-analysis/guid:dab8a02f9161933bc2eff5ba4a5f8412}, language = {English}, urldate = {2024-03-12} } @online{ibm:20240125:broomstick:5fcf2d4, author = {IBM}, title = {{Broomstick Analysis Report (IRIS-17079)}}, date = {2024-01-25}, organization = {IBM}, url = {https://exchange.xforce.ibmcloud.com/malware-analysis/guid:df2b52d89c5c0edfdf7bdaa6f67dd714}, language = {English}, urldate = {2024-02-28} } @online{ibrahim:20240619:behind:39d8ec0, author = {Ahmed Mohamed Ibrahim and Aliakbar Zahravi and Peter Girnus}, title = {{Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework}}, date = {2024-06-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html}, language = {English}, urldate = {2024-12-09} } @online{ibrahim:20240628:examining:925463b, author = {Ahmed Mohamed Ibrahim and Shubham Singh and Sunil Bharti}, title = {{Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer}}, date = {2024-06-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html}, language = {English}, urldate = {2024-09-04} } @online{ibrahim:20250328:deep:7c420d8, author = {Ahmed Mohamed Ibrahim and Aliakbar Zahravi}, title = {{A Deep Dive into Water Gamayun’s Arsenal and Infrastructure}}, date = {2025-03-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html}, language = {English}, urldate = {2025-04-11} } @online{ic3:20250226:alert:00da0cf, author = {IC3}, title = {{Alert Number: I-022625-PSA - North Korea Responsible for $1.5 Billion Bybit Hack}}, date = {2025-02-26}, organization = {FBI}, url = {https://www.ic3.gov/PSA/2025/PSA250226}, language = {English}, urldate = {2025-02-28} } @online{icc:20250630:icc:98548f8, author = {ICC}, title = {{ICC detects and contains new sophisticated cyber security incident}}, date = {2025-06-30}, organization = {ICC}, url = {https://www.icc-cpi.int/news/icc-detects-and-contains-new-sophisticated-cyber-security-incident}, language = {English}, urldate = {2025-07-01} } @online{icebre4ker:20210717:new:0dbc455, author = {_icebre4ker_}, title = {{Tweet: new version of Teabot targeting also Portugal banks}}, date = {2021-07-17}, organization = {Twitter (@_icebre4ker_)}, url = {https://twitter.com/_icebre4ker_/status/1416409813467156482}, language = {English}, urldate = {2021-07-20} } @online{icebre4ker:20220124:vultur:3eda891, author = {_icebre4ker_}, title = {{Vultur Dropper on Google Play Store}}, date = {2022-01-24}, organization = {Twitter (@_icebre4ker_)}, url = {https://twitter.com/_icebre4ker_/status/1485651238175846400}, language = {English}, urldate = {2022-02-02} } @online{ickert:20250417:threat:0f1b7ca, author = {Max Ickert}, title = {{Threat Actor Profile: SheByte Phishing-as-a-Service}}, date = {2025-04-17}, organization = {FORTRA}, url = {https://www.fortra.com/blog/threat-actor-profile-shebyte-phishing-service}, language = {English}, urldate = {2025-04-25} } @online{icrc:20210615:avoiding:f035402, author = {ICRC}, title = {{Avoiding Civilian Harm from Military Cyber Operations during Armed Conflicts}}, date = {2021-06-15}, organization = {ICRC}, url = {https://shop.icrc.org/download/ebook?sku=4539/002-ebook}, language = {English}, urldate = {2021-06-21} } @online{iddon:20200922:mtr:77e8701, author = {Greg Iddon}, title = {{MTR Casebook: Blocking a $15 million Maze ransomware attack}}, date = {2020-09-22}, organization = {Sophos SecOps}, url = {https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/}, language = {English}, urldate = {2022-03-18} } @online{iddon:20201027:mtr:3b62ca9, author = {Greg Iddon}, title = {{MTR Casebook: An active adversary caught in the act}}, date = {2020-10-27}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/}, language = {English}, urldate = {2020-11-02} } @online{iddon:20210203:mtr:8eb9950, author = {Greg Iddon}, title = {{MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server}}, date = {2021-02-03}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/}, language = {English}, urldate = {2021-02-04} } @online{iddon:20210823:proxyshell:5568890, author = {Greg Iddon}, title = {{ProxyShell vulnerabilities in Microsoft Exchange: What to do}}, date = {2021-08-23}, organization = {Sophos SecOps}, url = {https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/}, language = {English}, urldate = {2022-03-18} } @online{idf:20170205:hamas:b96235f, author = {IDF}, title = {{Hamas Uses Fake Facebook Profiles to Target Israeli Soldiers}}, date = {2017-02-05}, organization = {IDF}, url = {https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/}, language = {English}, urldate = {2019-12-31} } @online{idrizovic:20221227:navigating:4cd52c5, author = {Esmid Idrizovic and Bob Jung and Daniel Raygoza and Sean Hughes}, title = {{Navigating the Vast Ocean of Sandbox Evasions}}, date = {2022-12-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/}, language = {English}, urldate = {2022-12-29} } @online{ihm:20201216:skimming:608e648, author = {Mia Ihm and Cory Kennedy and Jordan Herman}, title = {{Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists}}, date = {2020-12-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/14924d61}, language = {English}, urldate = {2020-12-17} } @online{ii:20181220:with:8e827ba, author = {Augusto Remillano II and Mark Vicente}, title = {{With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit}}, date = {2018-12-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/}, language = {English}, urldate = {2019-11-29} } @online{ii:20190507:cve20193396:42de798, author = {Augusto Remillano II and Robert Malagad}, title = {{CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{ii:20200622:xorddos:d41d1a7, author = {Augusto Remillano II}, title = {{XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers}}, date = {2020-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/}, language = {English}, urldate = {2020-06-24} } @online{ii:20200908:exposed:baa98d4, author = {Augusto Remillano II}, title = {{Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot}}, date = {2020-09-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html}, language = {English}, urldate = {2020-09-23} } @online{iiamaleks:20211101:from:2348d47, author = {@iiamaleks and @samaritan_o}, title = {{From Zero to Domain Admin}}, date = {2021-11-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/}, language = {English}, urldate = {2021-11-03} } @online{iinas:20230830:trickbot:31efb65, author = {Vincas Čižiūnas}, title = {{Trickbot in Light of Trickleaks Data}}, date = {2023-08-30}, organization = {Nisos}, url = {https://www.nisos.com/research/trickbot-trickleaks-data-analysis/}, language = {English}, urldate = {2023-09-01} } @online{ikan:20210311:exploits:2bf3a8a, author = {Adi Ikan and Lotem Finkelsteen and Yaniv Balmas and Sagi Tzadik}, title = {{Exploits on Organizations Worldwide Tripled after Microsoft’s Revelation of Four Zero-days}}, date = {2021-03-11}, organization = {Check Point}, url = {https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/}, language = {English}, urldate = {2021-03-16} } @online{ilascu:20180822:turla:b3753aa, author = {Ionut Ilascu}, title = {{Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence}}, date = {2018-08-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180830:cobalt:a5490e1, author = {Ionut Ilascu}, title = {{Cobalt Hacking Group Tests Banks In Russia and Romania}}, date = {2018-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180905:windows:8d74121, author = {Ionut Ilascu}, title = {{Windows Task Scheduler Zero Day Exploited by Malware}}, date = {2018-09-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180907:domestic:18a5d5c, author = {Ionut Ilascu}, title = {{Domestic Kitten APT Operates in Silence Since 2016}}, date = {2018-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/}, language = {English}, urldate = {2021-02-09} } @online{ilascu:20180911:british:392218c, author = {Ionut Ilascu}, title = {{British Airways Fell Victim To Card Scraping Attack}}, date = {2018-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180927:apt28:12917be, author = {Ionut Ilascu}, title = {{APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild}}, date = {2018-09-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181001:report:67e6316, author = {Ionut Ilascu}, title = {{Report Ties North Korean Attacks to New Malware, Linked by Word Macros}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181009:magecart:fc6ccf4, author = {Ionut Ilascu}, title = {{Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake}}, date = {2018-10-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181121:magecart:e366b8b, author = {Ionut Ilascu}, title = {{MageCart Group Sabotages Rival to Ruin Data and Reputation}}, date = {2018-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181207:netbooks:a99cef1, author = {Ionut Ilascu}, title = {{Netbooks, RPis, & Bash Bunny Gear - Attacking Banks from the Inside}}, date = {2018-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190110:ta505:12f4881, author = {Ionut Ilascu}, title = {{TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT}}, date = {2019-01-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190123:new:113a751, author = {Ionut Ilascu}, title = {{New Anatova Ransomware Supports Modules for Extra Functionality}}, date = {2019-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190130:new:5c2d8da, author = {Ionut Ilascu}, title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}}, date = {2019-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190222:cr1ptt0r:990b8aa, author = {Ionut Ilascu}, title = {{Cr1ptT0r Ransomware Infects D-Link NAS Devices, Targets Embedded Systems}}, date = {2019-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190303:op:89fdbdd, author = {Ionut Ilascu}, title = {{Op 'Sharpshooter' Connected to North Korea's Lazarus Group}}, date = {2019-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190626:new:3ea2210, author = {Ionut Ilascu}, title = {{New Silex Malware Trashes IoT Devices Using Default Passwords}}, date = {2019-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190806:new:a045b9f, author = {Ionut Ilascu}, title = {{New Echobot Botnet Variant Uses Over 50 Exploits to Propagate}}, date = {2019-08-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190826:new:20f0561, author = {Ionut Ilascu}, title = {{New Nemty Ransomware May Spread via Compromised RDP Connections}}, date = {2019-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/}, language = {English}, urldate = {2020-01-07} } @online{ilascu:20190830:look:9a976c7, author = {Ionut Ilascu}, title = {{A Look Inside the Highly Profitable Sodinokibi Ransomware Business}}, date = {2019-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190903:nemty:459166a, author = {Ionut Ilascu}, title = {{Nemty Ransomware Gets Distribution from RIG Exploit Kit}}, date = {2019-09-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190908:fake:3f0addd, author = {Ionut Ilascu}, title = {{Fake PayPal Site Spreads Nemty Ransomware}}, date = {2019-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{ilascu:20191115:new:533f0a6, author = {Ionut Ilascu}, title = {{New NextCry Ransomware Encrypts Data on NextCloud Linux Servers}}, date = {2019-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/}, language = {English}, urldate = {2020-01-06} } @online{ilascu:20200106:sodinokibi:1feb8a3, author = {Ionut Ilascu}, title = {{Sodinokibi Ransomware Hits Travelex, Demands $3 Million}}, date = {2020-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/}, language = {English}, urldate = {2020-01-13} } @online{ilascu:20200526:new:5905063, author = {Ionut Ilascu}, title = {{New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map}}, date = {2020-05-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/}, language = {English}, urldate = {2020-06-08} } @online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } @online{ilascu:20200608:honda:59ddaf6, author = {Ionut Ilascu}, title = {{Honda investigates possible ransomware attack, networks impacted}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/}, language = {English}, urldate = {2020-06-10} } @online{ilascu:20200613:black:f18a453, author = {Ionut Ilascu}, title = {{Black Kingdom ransomware hacks networks with Pulse VPN flaws}}, date = {2020-06-13}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/black-kingdom-ransomware-hacks-networks-with-pulse-vpn-flaws/}, language = {English}, urldate = {2020-06-16} } @online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } @online{ilascu:20200731:gandcrab:f2cd6ef, author = {Ionut Ilascu}, title = {{GandCrab ransomware operator arrested in Belarus}}, date = {2020-07-31}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/}, language = {English}, urldate = {2020-08-05} } @online{ilascu:20201027:enel:cd901d2, author = {Ionut Ilascu}, title = {{Enel Group hit by ransomware again, Netwalker demands $14 million}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/}, language = {English}, urldate = {2020-10-29} } @online{ilascu:20201029:revil:e6b68d1, author = {Ionut Ilascu}, title = {{REvil ransomware gang claims over $100 million profit in a year}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/}, language = {English}, urldate = {2020-11-02} } @online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } @online{ilascu:20210104:chinas:9677dc6, author = {Ionut Ilascu}, title = {{China's APT hackers move to ransomware attacks}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/}, language = {English}, urldate = {2021-01-11} } @online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } @online{ilascu:20210521:darkside:13af9fa, author = {Ionut Ilascu}, title = {{DarkSide affiliates claim gang's bitcoins in deposit on hacker forum}}, date = {2021-05-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/}, language = {English}, urldate = {2021-05-26} } @online{ilascu:20210701:babuk:81a1235, author = {Ionut Ilascu}, title = {{Babuk ransomware is back, uses new version on corporate networks}}, date = {2021-07-01}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/}, language = {English}, urldate = {2021-07-02} } @online{ilascu:20210714:bazarbackdoor:b63046e, author = {Ionut Ilascu}, title = {{BazarBackdoor sneaks in through nested RAR and ZIP archives}}, date = {2021-07-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/}, language = {English}, urldate = {2021-07-26} } @online{ilascu:20210818:diavol:a12e37f, author = {Ionut Ilascu}, title = {{Diavol ransomware sample shows stronger connection to TrickBot gang}}, date = {2021-08-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/}, language = {English}, urldate = {2021-08-18} } @online{ilascu:20210826:ragnarok:71e3d60, author = {Ionut Ilascu}, title = {{Ragnarok ransomware releases master decryptor after shutdown}}, date = {2021-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/}, language = {English}, urldate = {2021-08-31} } @online{ilascu:20210907:microsoft:3cfe82b, author = {Ionut Ilascu}, title = {{Microsoft shares temp fix for ongoing Office 365 zero-day attacks ( CVE-2021-40444)}}, date = {2021-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/}, language = {English}, urldate = {2021-09-10} } @online{ilascu:20210908:zoho:c667e60, author = {Ionut Ilascu}, title = {{Zoho patches actively exploited critical ADSelfService Plus bug (CVE-2021-40539)}}, date = {2021-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/zoho-patches-actively-exploited-critical-adselfservice-plus-bug/}, language = {English}, urldate = {2021-09-10} } @online{ilascu:20210923:revil:a4c0eea, author = {Ionut Ilascu}, title = {{REVil ransomware devs added a backdoor to cheat affiliates}}, date = {2021-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/}, language = {English}, urldate = {2021-09-23} } @online{ilascu:20211022:darkside:89e4ee2, author = {Ionut Ilascu}, title = {{DarkSide ransomware rushes to cash out $7 million in Bitcoin}}, date = {2021-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/}, language = {English}, urldate = {2021-11-02} } @online{ilascu:20211130:yanluowang:9cc8a2f, author = {Ionut Ilascu}, title = {{Yanluowang ransomware operation matures with experienced affiliates}}, date = {2021-11-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/}, language = {English}, urldate = {2021-11-30} } @online{ilascu:20220112:hackers:e8e7709, author = {Ionut Ilascu}, title = {{Hackers take over diplomat's email, target Russian deputy minister}}, date = {2022-01-12}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/}, language = {English}, urldate = {2022-07-25} } @online{ilascu:20220215:unskilled:1bf1eb3, author = {Ionut Ilascu}, title = {{Unskilled hacker linked to years of attacks on aviation, transport sectors}}, date = {2022-02-15}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/}, language = {English}, urldate = {2022-02-17} } @online{ilascu:20220218:conti:9a7f82b, author = {Ionut Ilascu}, title = {{Conti ransomware gang takes over TrickBot malware operation}}, date = {2022-02-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/}, language = {English}, urldate = {2022-02-19} } @online{ilascu:20220223:nsalinked:556c453, author = {Ionut Ilascu}, title = {{NSA-linked Bvp47 Linux backdoor widely undetected for 10 years}}, date = {2022-02-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/}, language = {English}, urldate = {2022-03-01} } @online{ilascu:20220309:cisa:63f18cd, author = {Ionut Ilascu}, title = {{CISA updates Conti ransomware alert with nearly 100 domain names}}, date = {2022-03-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/}, language = {English}, urldate = {2022-03-10} } @online{ilascu:20220311:lockbit:07a9679, author = {Ionut Ilascu}, title = {{LockBit ransomware gang claims attack on Bridgestone Americas}}, date = {2022-03-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/}, language = {English}, urldate = {2022-03-14} } @online{ilascu:20220405:chinese:1774637, author = {Ionut Ilascu}, title = {{Chinese hackers abuse VLC Media Player to launch malware loader}}, date = {2022-04-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/}, language = {English}, urldate = {2022-04-07} } @online{ilascu:20220415:karakurt:6fc6399, author = {Ionut Ilascu}, title = {{Karakurt revealed as data extortion arm of Conti cybercrime syndicate}}, date = {2022-04-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/}, language = {English}, urldate = {2022-05-04} } @online{ilascu:20220420:revils:fcf6ae6, author = {Ionut Ilascu}, title = {{REvil's TOR sites come alive to redirect to new ransomware operation}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/}, language = {English}, urldate = {2022-04-24} } @online{ilascu:20220426:emotet:d0b6f50, author = {Ionut Ilascu}, title = {{Emotet malware now installs via PowerShell in Windows shortcut files}}, date = {2022-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/}, language = {English}, urldate = {2022-04-29} } @online{ilascu:20220428:new:b351960, author = {Ionut Ilascu}, title = {{New Bumblebee malware replaces Conti's BazarLoader in cyberattacks}}, date = {2022-04-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/}, language = {English}, urldate = {2022-07-01} } @online{ilascu:20220828:lockbit:cf396a1, author = {Ionut Ilascu}, title = {{LockBit ransomware gang gets aggressive with triple-extortion tactic}}, date = {2022-08-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/}, language = {English}, urldate = {2022-08-30} } @online{ilascu:20240403:microsoft:4fc5148, author = {Ionut Ilascu}, title = {{Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack}}, date = {2024-04-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-still-unsure-how-hackers-stole-msa-key-in-2023-exchange-attack/}, language = {English}, urldate = {2024-04-04} } @online{ilbaroni:20210412:unpacking:1dffd16, author = {ilbaroni}, title = {{Unpacking RAGNARLOCKER via emulation}}, date = {2021-04-12}, url = {http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html}, language = {English}, urldate = {2022-01-05} } @online{ilbaroni:20210608:lokibot:26e4005, author = {ilbaroni}, title = {{LOKIBOT - A commodity malware}}, date = {2021-06-08}, url = {http://reversing.fun/posts/2021/06/08/lokibot.html}, language = {English}, urldate = {2022-01-05} } @online{ilbaroni:20220102:mmon:51d45d7, author = {ilbaroni}, title = {{MMON (aka KAPTOXA)}}, date = {2022-01-02}, organization = {ReversingFun}, url = {http://reversing.fun/posts/2022/01/02/mmon.html}, language = {English}, urldate = {2022-01-05} } @online{ilbaroni:20220130:pointofsale:a931ea0, author = {ilbaroni}, title = {{Point-of-Sale malware - RTPOS}}, date = {2022-01-30}, url = {http://reversing.fun/posts/2022/01/30/rtpos.html}, language = {English}, urldate = {2022-02-01} } @online{ilgayev:20200827:old:8859e51, author = {Alex Ilgayev}, title = {{An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods}}, date = {2020-08-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/}, language = {English}, urldate = {2020-08-31} } @online{ilgayev:20210311:playing:02bde36, author = {Alex Ilgayev}, title = {{Playing in the (Windows) Sandbox}}, date = {2021-03-11}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/playing-in-the-windows-sandbox/}, language = {English}, urldate = {2021-03-16} } @online{ilgayev:20210419:qakbots:b3b929c, author = {Alex Ilgayev}, title = {{Tweet on QakBot's additional decryption mechanism}}, date = {2021-04-19}, organization = {Twitter (@_alex_il_)}, url = {https://twitter.com/_alex_il_/status/1384094623270727685}, language = {English}, urldate = {2021-04-20} } @online{ilgayev:20210526:melting:40f5caf, author = {Alex Ilgayev}, title = {{Melting Ice – Tracking IcedID Servers with a few simple steps}}, date = {2021-05-26}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/}, language = {English}, urldate = {2021-06-09} } @online{ilgayev:20210706:revil:500a59e, author = {Alex Ilgayev}, title = {{Tweet on REvil ransomware actor using vulnerable defender executable in its infection flow in early may before Kaseya attack}}, date = {2021-07-06}, organization = {Twitter (@_alex_il_)}, url = {https://twitter.com/_alex_il_/status/1412403420217159694}, language = {English}, urldate = {2021-07-26} } @online{im4wasp:20230731:github:f84a4f7, author = {Im4wasp}, title = {{Github Repo for W4SP-Stealer-V2}}, date = {2023-07-31}, organization = {Github (Im4wasp)}, url = {https://github.com/Im4wasp/W4SP-Stealer-V2/tree/main}, language = {English}, urldate = {2024-09-27} } @online{imano:20100511:qakbot:00f96fd, author = {Shunichi Imano}, title = {{Qakbot, Data Thief Unmasked: Part I}}, date = {2010-05-11}, organization = {Symantec}, url = {https://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i}, language = {English}, urldate = {2023-08-30} } @online{imano:20110311:trojankoredos:414e359, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-04-21} } @online{imano:20110311:trojankoredos:c3aa3c6, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-01-10} } @online{imano:20210726:wiper:cc926ab, author = {Shunichi Imano and Fred Gutierrez}, title = {{Wiper Malware Riding the 2021 Tokyo Olympic Games}}, date = {2021-07-26}, organization = {Fortninet}, url = {https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games}, language = {English}, urldate = {2021-08-20} } @online{imano:20210930:ranion:f6137ac, author = {Shunichi Imano and Fred Gutierrez}, title = {{Ranion Ransomware - Quiet and Persistent RaaS}}, date = {2021-09-30}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas}, language = {English}, urldate = {2021-10-24} } @online{imano:20211028:chaos:7725fa9, author = {Shunichi Imano and Fred Gutierrez}, title = {{Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers}}, date = {2021-10-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction}, language = {English}, urldate = {2021-11-03} } @online{imano:20211111:to:52e0c90, author = {Shunichi Imano and Fred Gutierrez}, title = {{To Joke or Not to Joke: COVID-22 Brings Disaster to MBR}}, date = {2021-11-11}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr}, language = {English}, urldate = {2021-11-17} } @online{imano:20220110:covid:c51ead7, author = {Shunichi Imano and Fred Gutierrez}, title = {{COVID Omicron Variant Lure Used to Distribute RedLine Stealer}}, date = {2022-01-10}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer}, language = {English}, urldate = {2022-01-18} } @online{imano:20220214:nft:eedc95b, author = {Shunichi Imano and James Slaughter and Fred Gutierrez}, title = {{NFT Lure Used to Distribute BitRAT}}, date = {2022-02-14}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat}, language = {English}, urldate = {2022-11-21} } @online{imano:20220323:bad:06c3501, author = {Shunichi Imano and Val Saengphaibul}, title = {{Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams}}, date = {2022-03-23}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams}, language = {English}, urldate = {2022-03-25} } @online{imano:20220601:cve202230190:e43f2d3, author = {Shunichi Imano and James Slaughter and Fred Gutierrez}, title = {{CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina”}}, date = {2022-06-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day}, language = {English}, urldate = {2022-06-07} } @online{imano:20220804:ransomware:64610c9, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: Redeemer, Beamed, and More}}, date = {2022-08-04}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-redeemer-beamed-and-more}, language = {English}, urldate = {2022-08-11} } @online{imano:20220818:ransomware:a073b3f, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: Gwisin, Kriptor, Cuba, and More}}, date = {2022-08-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more}, language = {English}, urldate = {2022-08-28} } @online{imano:20220822:tale:9a74924, author = {Shunichi Imano and Fred Gutierrez}, title = {{A Tale of PivNoxy and Chinoxy Puppeteer}}, date = {2022-08-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis}, language = {English}, urldate = {2022-08-28} } @online{imano:20221013:ransomware:d68098e, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: Royal Ransomware}}, date = {2022-10-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware}, language = {English}, urldate = {2022-10-25} } @online{imano:20221110:ransomware:f3245bf, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: New Inlock and Xorist Variants}}, date = {2022-11-10}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants}, language = {English}, urldate = {2022-11-21} } @online{imano:20221208:ransomware:b3584f6, author = {Shunichi Imano and Fred Gutierrez}, title = {{Ransomware Roundup – New Vohuk, ScareCrow, and AERST Variants}}, date = {2022-12-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants}, language = {English}, urldate = {2022-12-19} } @online{imano:20221222:ransomware:87594cb, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup – Play Ransomware}}, date = {2022-12-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware}, language = {English}, urldate = {2022-12-24} } @online{imano:20230202:ransomware:f06b57a, author = {Shunichi Imano}, title = {{Ransomware Roundup – Trigona Ransomware}}, date = {2023-02-02}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware}, language = {English}, urldate = {2023-02-06} } @online{imano:20241129:ransomware:536995f, author = {Shunichi Imano and Fred Gutierrez}, title = {{Ransomware Roundup - Interlock}}, date = {2024-11-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock}, language = {English}, urldate = {2025-04-17} } @online{imano:20250516:ransomware:2e351e9, author = {Shunichi Imano and Fred Gutierrez}, title = {{Ransomware Roundup – VanHelsing}}, date = {2025-05-16}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing}, language = {English}, urldate = {2025-05-20} } @online{imp0rtp3:20210812:uncovering:3fa6059, author = {imp0rtp3}, title = {{Uncovering Tetris – a Full Surveillance Kit Running in your Browser}}, date = {2021-08-12}, organization = {imp0rtp3 blog}, url = {https://imp0rtp3.wordpress.com/2021/08/12/tetris/}, language = {English}, urldate = {2021-08-24} } @online{imp0rtp3:20211125:deep:c984127, author = {imp0rtp3}, title = {{A Deep Dive Into SoWaT: APT31’s Multifunctional Router Implant}}, date = {2021-11-25}, organization = {imp0rtp3 blog}, url = {https://imp0rtp3.wordpress.com/2021/11/25/sowat/}, language = {English}, urldate = {2021-12-17} } @online{impe:20210416:combating:a198b55, author = {Koen Van Impe}, title = {{Combating Sleeper Threats With MTTD}}, date = {2021-04-16}, organization = {IBM}, url = {https://securityintelligence.com/articles/sleeper-threats-mean-time-to-detect/}, language = {English}, urldate = {2021-04-20} } @online{impe:20210808:legal:13e77d6, author = {Koen Van Impe}, title = {{Legal and cooperation frameworks between CSIRTs and law enforcement agencies}}, date = {2021-08-08}, organization = {vanimpe}, url = {https://www.vanimpe.eu/2021/08/08/legal-and-cooperation-frameworks-between-csirts-and-law-enforcement-agencies/}, language = {English}, urldate = {2021-08-16} } @online{ims0rry:20171230:analysis:f221c40, author = {ims0rry}, title = {{Analysis DarkSky Botnet}}, date = {2017-12-30}, organization = {Telegra.ph blog}, url = {http://telegra.ph/Analiz-botneta-DarkSky-12-30}, language = {English}, urldate = {2020-01-08} } @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } @online{inc:20240124:endless:f749a16, author = {ITOCHU Cyber & Intelligence Inc.}, title = {{The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis}}, date = {2024-01-24}, organization = {ITOCHU}, url = {https://blog-en.itochuci.co.jp/entry/2024/01/24/134100}, language = {English}, urldate = {2024-07-24} } @online{inc:20240523:malware:8e2e481, author = {ITOCHU Cyber & Intelligence Inc.}, title = {{Malware Transmutation! - Unveiling the Hidden Traces of BloodAlchemy}}, date = {2024-05-23}, organization = {ITOCHU}, url = {https://blog-en.itochuci.co.jp/entry/2024/05/23/090000}, language = {English}, urldate = {2024-12-09} } @techreport{incd:20241104:deep:1d22e61, author = {Israel National Cyber Directorate (INCD)}, title = {{Deep Drive Analysis of the BeaverTail Infostealer}}, date = {2024-11-04}, institution = {Israel National Cyber Directorate (INCD)}, url = {https://www.gov.il/BlobFolder/reports/beavertail/he/Analyzing%20the%20BeaverTail%20Infostealer.pdf}, language = {English}, urldate = {2024-12-16} } @online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } @techreport{incibe:20211216:hive:22d0add, author = {INCIBE}, title = {{Hive Analysis Study}}, date = {2021-12-16}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf}, language = {Spanish}, urldate = {2022-01-25} } @techreport{incibe:20220602:grandoreiro:0371f2a, author = {INCIBE}, title = {{Grandoreiro analysis study}}, date = {2022-06-02}, institution = {INCIBE-CERT}, url = {https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_study_grandoreiro_analysis_2022_v1.pdf}, language = {English}, urldate = {2023-08-30} } @techreport{incibe:20220906:estudio:20f14b0, author = {INCIBE}, title = {{Estudio del análisis de Nobelium}}, date = {2022-09-06}, institution = {INCIBE-CERT}, url = {https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf}, language = {Spanish}, urldate = {2024-02-02} } @online{indonesia:20220127:malware:8bcfff1, author = {Threat Lab Indonesia}, title = {{Malware Analysis Emotet Infection}}, date = {2022-01-27}, organization = {Threat Lab Indonesia}, url = {https://blog.threatlab.info/malware-analysis-emotet-infection/}, language = {Indonesian}, urldate = {2022-02-02} } @online{informaii:20210722:cyber:03cb12f, author = {Serviciul Român de Informații}, title = {{Cyber ​​attack with PHOBOS ransomware application}}, date = {2021-07-22}, organization = {Serviciul Român de Informații}, url = {https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos}, language = {Romanian}, urldate = {2021-07-26} } @online{infoskirmish:20171126:source:5c10b38, author = {infoskirmish}, title = {{Source Code of HIVE}}, date = {2017-11-26}, organization = {Github (infoskirmish)}, url = {https://github.com/infoskirmish/hive}, language = {English}, urldate = {2023-02-01} } @online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } @online{inman:20220606:shining:4e6cd58, author = {Ross Inman and Peter Gurney}, title = {{Shining the Light on Black Basta}}, date = {2022-06-06}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/}, language = {English}, urldate = {2022-06-07} } @online{inman:20220819:back:11abc41, author = {Ross Inman}, title = {{Back in Black: Unlocking a LockBit 3.0 Ransomware Attack}}, date = {2022-08-19}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack}, language = {English}, urldate = {2022-08-22} } @online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } @online{inocencio:20141113:bashlite:647137b, author = {Rhena Inocencio}, title = {{BASHLITE Affects Devices Running on BusyBox}}, date = {2014-11-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/}, language = {English}, urldate = {2019-07-10} } @online{inotgreen:20240208:xiebroc2:92a4f49, author = {INotGreen}, title = {{XiebroC2}}, date = {2024-02-08}, url = {https://github.com/INotGreen/XiebroC2}, language = {Chinese}, urldate = {2025-04-25} } @online{inquest:20200720:tweets:8920a27, author = {InQuest}, title = {{Tweets on PowerPepper decryption}}, date = {2020-07-20}, organization = {Twitter (@InQuest)}, url = {https://twitter.com/InQuest/status/1285295975347650562}, language = {English}, urldate = {2020-12-08} } @online{insaneforensics:20200823:dispatches:0a019d4, author = {Insane-Forensics}, title = {{Dispatches from Drovorub: Network Threat Hunting for Russia GRU GTsSS' Malware at Scale}}, date = {2020-08-23}, organization = {Github (Insane-Forensics)}, url = {https://github.com/Insane-Forensics/drovorub-hunt}, language = {English}, urldate = {2020-08-25} } @online{insight:20230418:ta581:745cfb5, author = {Threat Insight}, title = {{Tweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware}}, date = {2023-04-18}, organization = {Twitter (@threatinsight)}, url = {https://twitter.com/threatinsight/status/1648330456364883968}, language = {English}, urldate = {2023-04-22} } @online{insight:20230714:tweets:e33d6c6, author = {Threat Insight}, title = {{Tweets on Discovery of WikiLoader}}, date = {2023-07-14}, organization = {Proofpoint}, url = {https://twitter.com/threatinsight/status/1679864625544978432}, language = {English}, urldate = {2023-07-16} } @online{insight:20241022:twitter:1354adf, author = {Threat Insight}, title = {{Twitter Thread attributing Voldemort to TA415 (APT41, BrassTyphoon)}}, date = {2024-10-22}, organization = {Twitter (@threatinsight)}, url = {https://x.com/threatinsight/status/1848745326884360548}, language = {English}, urldate = {2024-10-23} } @online{insights:20200406:mcafee:7fdc3d4, author = {McAfee Insights}, title = {{McAfee Insights: Vicious Panda: The COVID Campaign}}, date = {2020-04-06}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB92636&locale=en_US}, language = {English}, urldate = {2020-05-14} } @online{insights:20250221:trm:26ad07a, author = {TRM Insights}, title = {{TRM Links North Korea to Record $1.5 Billion Record Hack}}, date = {2025-02-21}, organization = {TRM Labs}, url = {https://www.trmlabs.com/post/trm-links-north-korea-to-record-1-5-billion-record-hack}, language = {English}, urldate = {2025-02-25} } @online{institute:20110419:tdss:9ffae6b, author = {Infosec Institute}, title = {{TDSS part 1: The x64 Dollar Question}}, date = {2011-04-19}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/tdss4-part-1/}, language = {English}, urldate = {2020-01-06} } @online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } @online{institute:20201215:operation:899bf4d, author = {Advanced Threat Institute}, title = {{Operation Falling Eagle-the secret of the most influential supply chain attack in history}}, date = {2020-12-15}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q}, language = {Chinese}, urldate = {2020-12-18} } @online{institute:20201216:aptc47clickonce:8643850, author = {Advanced Threat Institute}, title = {{旺刺组织(APT-C-47)使用ClickOnce技术的攻击活动披露}}, date = {2020-12-16}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/h_MUJfa3QGM9SqT_kzcdHQ}, language = {Chinese}, urldate = {2021-01-01} } @online{institute:20210121:disclosure:7709c9e, author = {Advanced Threat Institute}, title = {{Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack}}, date = {2021-01-21}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw}, language = {Chinese}, urldate = {2021-01-26} } @online{institute:20210126:shell:b75c032, author = {Advanced Threat Institute}, title = {{Shell Break-Lazarus (APT-C-26) organized targeted attacks against security researchers to reveal the secret}}, date = {2021-01-26}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/W-C_tKVnXco8C3ctgAjoNQ}, language = {Chinese}, urldate = {2021-01-27} } @online{institute:20210420:transparent:1033b04, author = {Advanced Threat Institute}, title = {{Transparent Tribe uses the new crown vaccine hotspot to analyze the targeted attacks on the Indian medical industry}}, date = {2021-04-20}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ}, language = {Chinese}, urldate = {2021-04-28} } @online{institute:20210716:aptc61:4736008, author = {Advanced Threat Institute}, title = {{APT-C-61 attacks against South Asia}}, date = {2021-07-16}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/Jpw7TqyPzOy57RAZDQdlWA}, language = {Chinese}, urldate = {2021-07-20} } @online{institute:20210727:summary:219ae9b, author = {Advanced Threat Institute}, title = {{Summary of Kimsuky's secret stealing activities in the first half of 2021}}, date = {2021-07-27}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ}, language = {Chinese}, urldate = {2021-07-27} } @online{institute:20210802:operation:af54e15, author = {Advanced Threat Institute}, title = {{Operation Hunting - The latest attack by the CNC (APT-C-48) has been revealed}}, date = {2021-08-02}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ}, language = {Chinese}, urldate = {2021-08-02} } @online{institute:20210901:aptc56:0f08cce, author = {Advanced Threat Institute}, title = {{APT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack Analysis Alert}}, date = {2021-09-01}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg}, language = {Chinese}, urldate = {2021-09-09} } @online{institute:20211119:it:0807b7c, author = {advanced threat research institute}, title = {{It is suspected that the APT-C-55 organization used the commercial software Web Browser Password Viewer to carry out the attack}}, date = {2021-11-19}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/QDI912ogVKyyKFYdKvBGdQ}, language = {Chinese}, urldate = {2021-12-07} } @online{institute:20220225:ukraine:eb66e34, author = {CyberPeace Institute}, title = {{UKRAINE: Timeline of Cyberattacks}}, date = {2022-02-25}, url = {https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks}, language = {English}, urldate = {2022-03-01} } @online{intel:20211022:darkside:8c61341, author = {Elliptic Intel}, title = {{DarkSide bitcoins on the move following government cyberattack against REvil ransomware group}}, date = {2021-10-22}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group}, language = {English}, urldate = {2021-11-02} } @online{intel:20211118:conti:4806ab9, author = {Elliptic Intel}, title = {{Conti Ransomware Nets at Least $25.5 Million in Four Months}}, date = {2021-11-18}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months}, language = {English}, urldate = {2021-11-19} } @online{intel:20230329:crowdstrike:cafb1f8, author = {Research & Threat Intel}, title = {{CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers}}, date = {2023-03-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/}, language = {English}, urldate = {2023-03-30} } @online{intelhoney:20201121:reversing:e62deae, author = {Twitter (@intel_honey)}, title = {{Reversing Anubis Malware}}, date = {2020-11-21}, organization = {Medium Intel-Honey}, url = {https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb}, language = {English}, urldate = {2020-11-23} } @online{intelligence:20110519:win32expiro:e6195d7, author = {Microsoft Security Intelligence}, title = {{Win32/Expiro}}, date = {2011-05-19}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro}, language = {English}, urldate = {2022-02-16} } @techreport{intelligence:20140317:snake:6d2f730, author = {BAE Systems Applied Intelligence}, title = {{Snake Campaign & Espionage Toolkit}}, date = {2014-03-17}, institution = {BAE Systems}, url = {https://artemonsecurity.com/snake_whitepaper.pdf}, language = {English}, urldate = {2022-10-20} } @techreport{intelligence:201405:into:e8ffc24, author = {ASERT Threat Intelligence}, title = {{Into the Light of Day:Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns}}, date = {2014-05}, institution = {Arbor Networks}, url = {http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{intelligence:201507:hammertoss:9275999, author = {FireEye Threat Intelligence}, title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}}, date = {2015-07}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20151201:chinabased:8836a81, author = {FireEye Threat Intelligence}, title = {{China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets}}, date = {2015-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20160128:centerpos:551f13b, author = {FireEye Threat Intelligence}, title = {{CenterPOS: An Evolving POS Threat}}, date = {2016-01-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html}, language = {English}, urldate = {2019-12-20} } @techreport{intelligence:20170110:apt28:2f371ee, author = {FireEye iSIGHT Intelligence}, title = {{APT28: At The Center Of The Storm}}, date = {2017-01-10}, institution = {FireEye}, url = {https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf}, language = {English}, urldate = {2022-05-04} } @online{intelligence:20170212:lazarus:dd99beb, author = {BAE Systems Applied Intelligence}, title = {{Lazarus & Watering-hole attacks}}, date = {2017-02-12}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html}, language = {English}, urldate = {2023-08-13} } @online{intelligence:20170406:apt10:08847cf, author = {FireEye iSIGHT Intelligence}, title = {{APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat}}, date = {2017-04-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20170815:trojanwin32neconyda:76ad1da, author = {Microsoft Security Intelligence}, title = {{Trojan:Win32/Neconyd.A}}, date = {2017-08-15}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Neconyd.A}, language = {English}, urldate = {2024-05-21} } @online{intelligence:20181023:triton:95a881f, author = {FireEye Intelligence}, title = {{TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers}}, date = {2018-10-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20190313:tefosteal:24e56c1, author = {Microsoft Security Intelligence}, title = {{Tweet on Tefosteal}}, date = {2019-03-13}, organization = {Twitter (@WDSecurity)}, url = {https://twitter.com/WDSecurity/status/1105990738993504256}, language = {English}, urldate = {2020-01-05} } @online{intelligence:20190315:flash:c7544fd, author = {Threat Intelligence}, title = {{Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication}}, date = {2019-03-15}, organization = {Cofense}, url = {https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20190328:cryptomix:622c0b3, author = {CB TAU Threat Intelligence}, title = {{CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies}}, date = {2019-03-28}, organization = {Carbon Black}, url = {https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/}, language = {English}, urldate = {2021-07-02} } @online{intelligence:20190509:toptier:004045c, author = {Advanced Intelligence}, title = {{Top-Tier Russian Hacking Collective Claims Breaches of Three Major Anti-Virus Companies}}, date = {2019-05-09}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies}, language = {English}, urldate = {2020-01-09} } @online{intelligence:20191111:operation:3bc93dc, author = {PT ESC Threat Intelligence}, title = {{Operation TA505, part four. Twins}}, date = {2019-11-11}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part4/}, language = {Russian}, urldate = {2020-11-23} } @online{intelligence:20200414:lazarus:e451b26, author = {Qi'anxin Threat Intelligence}, title = {{The Lazarus APT organization uses the new crown epidemic bait to target a targeted attack analysis of a country}}, date = {2020-04-14}, organization = {Qianxin}, url = {https://www.secrss.com/articles/18635}, language = {Chinese}, urldate = {2021-04-06} } @online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } @online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200522:operation:6e4f978, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.}}, date = {2020-05-22}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/}, language = {English}, urldate = {2020-11-23} } @online{intelligence:20200524:operation:2ce432b, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: network infrastructure. Part 3.}}, date = {2020-05-24}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/}, language = {English}, urldate = {2020-11-23} } @online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} } @online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} } @online{intelligence:20200710:dark:a29ccb4, author = {Advanced Intelligence}, title = {{The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel}}, date = {2020-07-10}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel}, language = {English}, urldate = {2020-07-13} } @online{intelligence:20200825:apt:0ad132f, author = {Qi'anxin Threat Intelligence}, title = {{南亚APT组织“透明部落”在移动端上与对手的较量}}, date = {2020-08-25}, organization = {Qianxin}, url = {https://www.secrss.com/articles/24995}, language = {Chinese}, urldate = {2020-08-25} } @online{intelligence:20200827:anubis:e53422c, author = {Microsoft Security Intelligence}, title = {{Tweet on Anubis Stealer}}, date = {2020-08-27}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1298752223321546754}, language = {English}, urldate = {2020-09-01} } @techreport{intelligence:20200930:china:9e6570a, author = {House Permanent Select Committee on Intelligence}, title = {{The China Deep Dive: A Report on the Intelligence Community’s Capabilities and Competencies with Respect to the People’s Republic of China}}, date = {2020-09-30}, institution = {House Permanent Select Committee on Intelligence}, url = {https://intelligence.house.gov/uploadedfiles/hpsci_china_deep_dive_redacted_summary_9.29.20.pdf}, language = {English}, urldate = {2020-10-04} } @online{intelligence:20201006:ta505:a34d957, author = {Microsoft Security Intelligence}, title = {{Tweet on TA505 threat actor exploiting Zerologon (CVE-2020-1472) Vulnerability}}, date = {2020-10-06}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1313598440719355904}, language = {English}, urldate = {2020-10-08} } @online{intelligence:20201213:trojanmsilsolorigatebdha:f470d89, author = {Microsoft Security Intelligence}, title = {{Trojan:MSIL/Solorigate.B!dha}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha}, language = {English}, urldate = {2020-12-14} } @online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } @online{intelligence:20210125:ryuk:25a96a7, author = {Advanced Intelligence}, title = {{Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool}}, date = {2021-01-25}, organization = {Twitter (@IntelAdvanced)}, url = {https://twitter.com/IntelAdvanced/status/1353546534676258816}, language = {English}, urldate = {2021-01-25} } @online{intelligence:20210201:active:0a4f59f, author = {Advanced Intelligence}, title = {{Tweet on Active Directory Exploitation by RYUK "one" group}}, date = {2021-02-01}, organization = {Twitter (@IntelAdvanced)}, url = {https://twitter.com/IntelAdvanced/status/1356114606780002308}, language = {English}, urldate = {2021-02-04} } @online{intelligence:20210302:gootkit:30182a1, author = {Microsoft Security Intelligence}, title = {{Tweet on Gootkit malware campaign}}, date = {2021-03-02}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1366542130731094021}, language = {English}, urldate = {2021-03-04} } @online{intelligence:20210427:lazarus:64179a4, author = {PT ESC Threat Intelligence}, title = {{Lazarus Group Recruitment: Threat Hunters vs Head Hunters}}, date = {2021-04-27}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/}, language = {English}, urldate = {2021-04-29} } @online{intelligence:20210511:analysis:dd512ff, author = {Qi'anxin Threat Intelligence}, title = {{Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait}}, date = {2021-05-11}, organization = {Qianxin}, url = {https://www.freebuf.com/articles/paper/272517.html}, language = {English}, urldate = {2021-05-13} } @online{intelligence:20210511:snip3:69a4650, author = {Microsoft Security Intelligence}, title = {{Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla}}, date = {2021-05-11}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1392219299696152578}, language = {English}, urldate = {2021-05-13} } @online{intelligence:20210520:javabased:ce966f5, author = {Microsoft Security Intelligence}, title = {{Tweet on Java-based STRRAT malware campaign distributed via email}}, date = {2021-05-20}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1395138347601854465}, language = {English}, urldate = {2021-05-25} } @online{intelligence:20210528:web:bb73260, author = {Malwarebytes Threat Intelligence}, title = {{Tweet on web skimmer hiding JavaScript inside images for exfiltration}}, date = {2021-05-28}, organization = {Twitter (@MBThreatIntel)}, url = {https://twitter.com/MBThreatIntel/status/1398037002923110400?s=20}, language = {English}, urldate = {2021-06-09} } @online{intelligence:20210611:solarmarkerjupyter:86c4f14, author = {Microsoft Security Intelligence}, title = {{Tweet on solarmarker/Jupyter malware}}, date = {2021-06-11}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1403461397283950597}, language = {English}, urldate = {2021-06-21} } @online{intelligence:20210706:malspam:083ba5a, author = {Malwarebytes Threat Intelligence}, title = {{Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike}}, date = {2021-07-06}, organization = {Twitter (@MBThreatIntel)}, url = {https://twitter.com/MBThreatIntel/status/1412518446013812737}, language = {English}, urldate = {2021-07-09} } @online{intelligence:20210715:protecting:5d3ad79, author = {Microsoft Threat Intelligence}, title = {{Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware}}, date = {2021-07-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20210716:magecart:3ba6f5b, author = {Malwarebytes Threat Intelligence}, title = {{Tweet on Magecart skimmer using steganography}}, date = {2021-07-16}, organization = {Twitter (@MBThreatIntel)}, url = {https://twitter.com/MBThreatIntel/status/1416101496022724609}, language = {English}, urldate = {2021-07-20} } @online{intelligence:20210724:attackers:4a3d443, author = {Microsoft Security Intelligence}, title = {{Tweet on attackers increasingly using HTML smuggling in phishing and other email campaigns to deliver Casbaneiro}}, date = {2021-07-24}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1418706916922986504}, language = {English}, urldate = {2021-08-02} } @online{intelligence:20210729:bazacall:a24d9e6, author = {Microsoft Defender Threat Intelligence}, title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/}, language = {English}, urldate = {2023-01-03} } @online{intelligence:20210925:thread:afea874, author = {Microsoft Security Intelligence}, title = {{Thread on Malicious Android apps posing as bank loan services are being widely distributed to targets in Asia}}, date = {2021-09-25}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20}, language = {English}, urldate = {2021-09-28} } @online{intelligence:20210930:masters:4394504, author = {PT ESC Threat Intelligence}, title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}}, date = {2021-09-30}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3}, language = {English}, urldate = {2021-11-29} } @online{intelligence:20211011:moving:3b0eaec, author = {Accenture Cyber Threat Intelligence}, title = {{Moving Left of the Ransomware Boom}}, date = {2021-10-11}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom}, language = {English}, urldate = {2021-11-03} } @online{intelligence:20211019:adwaremacosadloada:3119765, author = {Microsoft Security Intelligence}, title = {{Adware:MacOS/Adload.A}}, date = {2021-10-19}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Adware:MacOS/Adload.A&threatId=312991}, language = {English}, urldate = {2023-09-07} } @online{intelligence:20211021:new:11cf9aa, author = {Microsoft Security Intelligence}, title = {{Tweet on new variant of mac malware UpdateAgent/WizardUpdate}}, date = {2021-10-21}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1451279679059488773}, language = {English}, urldate = {2021-10-26} } @online{intelligence:20211116:evolving:b7be384, author = {Microsoft Threat Intelligence}, title = {{Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021}}, date = {2021-11-16}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/}, language = {English}, urldate = {2023-12-04} } @online{intelligence:20220125:hacktivist:70c301f, author = {Curated Intelligence}, title = {{Hacktivist group shares details related to Belarusian Railways hack}}, date = {2022-01-25}, organization = {Curated Intelligence}, url = {https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html}, language = {English}, urldate = {2022-01-28} } @online{intelligence:20220223:new:7beccbc, author = {Symantec Threat Intelligence}, title = {{Tweet on new wiper malware being used in attacks on Ukraine}}, date = {2022-02-23}, organization = {Twitter (@threatintel)}, url = {https://twitter.com/threatintel/status/1496578746014437376}, language = {English}, urldate = {2022-03-01} } @online{intelligence:20220304:hermeticwiper:ba69b2a, author = {Malwarebytes Threat Intelligence}, title = {{HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine}}, date = {2022-03-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/}, language = {English}, urldate = {2022-03-04} } @online{intelligence:20220411:dprknexus:48d0d85, author = {APT + Intelligence}, title = {{DPRK-Nexus Adversary Targets South-Korean Individuals In A New Chapter of Kitty Phishing Operation}}, date = {2022-04-11}, organization = {Cluster25}, url = {https://cluster25.io/2022/04/11/dprk-nexus-adversary-new-kitty-phishing/}, language = {English}, urldate = {2022-05-04} } @online{intelligence:20220506:twitter:7a00df8, author = {Microsoft Security Intelligence}, title = {{Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity}}, date = {2022-05-06}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1522690116979855360}, language = {English}, urldate = {2022-05-09} } @online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } @online{intelligence:20220611:dev0401:bcc7b7a, author = {Microsoft Threat Intelligence}, title = {{Tweet on DEV-0401, DEV-0234 exploiting Confluence RCE CVE-2022-26134}}, date = {2022-06-11}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1535417776290111489}, language = {English}, urldate = {2024-02-09} } @online{intelligence:20220613:many:67e9284, author = {Microsoft Threat Intelligence}, title = {{The many lives of BlackCat ransomware}}, date = {2022-06-13}, organization = {Microsoft}, url = {http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20220628:proprc:a0e2412, author = {Mandiant Threat Intelligence}, title = {{Pro-PRC DRAGONBRIDGE Influence Campaign Targets Rare Earths Mining Companies in Attempt to Thwart Rivalry to PRC Market Dominance}}, date = {2022-06-28}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/dragonbridge-targets-rare-earths-mining-companies}, language = {English}, urldate = {2022-07-05} } @online{intelligence:20220720:evacuation:edd478e, author = {Mandiant Threat Intelligence}, title = {{Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities}}, date = {2022-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/spear-phish-ukrainian-entities}, language = {English}, urldate = {2022-07-25} } @online{intelligence:20220804:flying:99dfe7f, author = {PT ESC Threat Intelligence}, title = {{Flying in the clouds: APT31 renews its attacks on Russian companies through cloud storage}}, date = {2022-08-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks}, language = {English}, urldate = {2022-08-09} } @online{intelligence:20220907:apt42:51f534e, author = {Mandiant Intelligence}, title = {{APT42: Crooked Charms, Cons, and Compromises}}, date = {2022-09-07}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises}, language = {English}, urldate = {2022-09-08} } @online{intelligence:20220907:apt42:6fe2ee4, author = {Mandiant Intelligence}, title = {{APT42: Crooked Charms, Cons and Compromises}}, date = {2022-09-07}, organization = {Mandiant}, url = {https://www.mandiant.com/media/17826}, language = {English}, urldate = {2022-09-08} } @online{intelligence:20220907:profiling:26b424d, author = {Microsoft Security Threat Intelligence}, title = {{Profiling DEV-0270: PHOSPHORUS’ ransomware operations}}, date = {2022-09-07}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/}, language = {English}, urldate = {2022-09-13} } @online{intelligence:20220908:microsoft:66fa6e4, author = {Microsoft Security Threat Intelligence}, title = {{Microsoft investigates Iranian attacks against the Albanian government}}, date = {2022-09-08}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government}, language = {English}, urldate = {2022-09-13} } @online{intelligence:20220913:advintels:ea02331, author = {Advanced Intelligence}, title = {{AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022}}, date = {2022-09-13}, organization = {AdvIntel}, url = {https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022}, language = {English}, urldate = {2022-09-19} } @online{intelligence:20220917:click:75b12e0, author = {Microsoft Threat Intelligence}, title = {{Tweet on click fraud activity DEV-0796}}, date = {2022-09-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1570911625841983489}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20220923:gru:511ea47, author = {Mandiant Intelligence}, title = {{GRU: Rise of the (Telegram) MinIOns}}, date = {2022-09-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/gru-rise-telegram-minions}, language = {English}, urldate = {2022-09-26} } @online{intelligence:20220929:zinc:4b8e6c0, author = {Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense}, title = {{ZINC weaponizing open-source software}}, date = {2022-09-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/}, language = {English}, urldate = {2023-11-14} } @online{intelligence:20220930:analyzing:115d508, author = {Microsoft Security Threat Intelligence}, title = {{Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082}}, date = {2022-09-30}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082}, language = {English}, urldate = {2022-10-17} } @online{intelligence:20221005:detecting:76c0e4f, author = {Microsoft Security Threat Intelligence}, title = {{Detecting and preventing LSASS credential dumping attacks}}, date = {2022-10-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/}, language = {English}, urldate = {2022-10-17} } @online{intelligence:20221014:new:96a6fbd, author = {Microsoft Security Threat Intelligence}, title = {{New “Prestige” ransomware impacts organizations in Ukraine and Poland}}, date = {2022-10-14}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/}, language = {English}, urldate = {2022-10-14} } @online{intelligence:20221022:dev0952:21116ee, author = {Microsoft Security Threat Intelligence}, title = {{DEV-0952 deploys Daixin ransomware at hospitals}}, date = {2022-10-22}, organization = {Microsoft}, url = {https://community.riskiq.com/article/2f515d18}, language = {English}, urldate = {2022-10-24} } @online{intelligence:20221025:dev0832:5d16a04, author = {Microsoft Security Threat Intelligence}, title = {{DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector}}, date = {2022-10-25}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/}, language = {English}, urldate = {2023-02-03} } @online{intelligence:20221026:proprc:b90d48e, author = {Mandiant Intelligence}, title = {{Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections}}, date = {2022-10-26}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/prc-dragonbridge-influence-elections/}, language = {English}, urldate = {2024-07-03} } @online{intelligence:20221027:raspberry:44ac615, author = {Microsoft Threat Intelligence}, title = {{Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity}}, date = {2022-10-27}, organization = {Microsoft}, url = {http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/}, language = {English}, urldate = {2023-11-17} } @online{intelligence:20221027:raspberry:b6d1ce4, author = {Microsoft Security Threat Intelligence}, title = {{Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity}}, date = {2022-10-27}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/}, language = {English}, urldate = {2023-03-13} } @online{intelligence:20221117:dev0569:86675d7, author = {Microsoft Security Threat Intelligence}, title = {{DEV-0569 finds new ways to deliver Royal ransomware, various payloads}}, date = {2022-11-17}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/}, language = {English}, urldate = {2023-01-05} } @online{intelligence:20221213:i:70ab22a, author = {Mandiant Intelligence}, title = {{I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware}}, date = {2022-12-13}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware}, language = {English}, urldate = {2022-12-24} } @online{intelligence:20221215:mccrash:5a0c3a2, author = {Microsoft Threat Intelligence}, title = {{MCCrash: Cross-platform DDoS botnet targets private Minecraft servers}}, date = {2022-12-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/}, language = {English}, urldate = {2023-11-17} } @online{intelligence:20221221:microsoft:3e9b011, author = {Microsoft Security Threat Intelligence}, title = {{Microsoft research uncovers new Zerobot capabilities}}, date = {2022-12-21}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/}, language = {English}, urldate = {2022-12-29} } @online{intelligence:20230309:stealing:3112fc7, author = {Mandiant Intelligence}, title = {{Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970}}, date = {2023-03-09}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970}, language = {English}, urldate = {2023-03-13} } @online{intelligence:20230309:stealing:649068b, author = {Mandiant Intelligence}, title = {{Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW}}, date = {2023-03-09}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/lightshift-and-lightshow}, language = {English}, urldate = {2023-07-05} } @techreport{intelligence:20230315:year:01e29b1, author = {Microsoft Threat Intelligence}, title = {{A year of Russian hybrid warfare in Ukraine}}, date = {2023-03-15}, institution = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf}, language = {English}, urldate = {2023-04-25} } @online{intelligence:20230407:mercury:7727e83, author = {Microsoft Threat Intelligence}, title = {{MERCURY and DEV-1084: Destructive attack on hybrid environment}}, date = {2023-04-07}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/}, language = {English}, urldate = {2023-04-18} } @online{intelligence:20230411:dev0196:1589080, author = {Microsoft Threat Intelligence}, title = {{DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia}}, date = {2023-04-11}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/}, language = {English}, urldate = {2023-04-18} } @online{intelligence:20230413:threat:a445e97, author = {Microsoft Threat Intelligence}, title = {{Threat actors strive to cause Tax Day headaches}}, date = {2023-04-13}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/}, language = {English}, urldate = {2023-04-18} } @online{intelligence:20230418:nationstate:11efa4c, author = {Microsoft Threat Intelligence}, title = {{Nation-state threat actor PHOSPHORUS refines tradecraft to attack high-value targets}}, date = {2023-04-18}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/}, language = {English}, urldate = {2023-04-22} } @online{intelligence:20230524:volt:e7b8951, author = {Microsoft Threat Intelligence}, title = {{Volt Typhoon targets US critical infrastructure with living-off-the-land techniques}}, date = {2023-05-24}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/}, language = {English}, urldate = {2023-05-26} } @online{intelligence:20230608:detecting:d2163a2, author = {Microsoft Threat Intelligence}, title = {{Detecting and mitigating a multi-stage AiTM phishing and BEC campaign}}, date = {2023-06-08}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20230614:cadet:c02303d, author = {Microsoft Threat Intelligence}, title = {{Cadet Blizzard emerges as a novel and distinct Russian threat actor}}, date = {2023-06-14}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/}, language = {English}, urldate = {2023-07-11} } @online{intelligence:20230714:analysis:78678b4, author = {Microsoft Threat Intelligence}, title = {{Analysis of Storm-0558 techniques for unauthorized email access}}, date = {2023-07-14}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/}, language = {English}, urldate = {2023-07-31} } @online{intelligence:20230718:stealth:789e8b1, author = {Mandiant Intelligence}, title = {{Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection}}, date = {2023-07-18}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/chinese-espionage-tactics}, language = {English}, urldate = {2023-07-19} } @online{intelligence:20230719:targeted:a0e926e, author = {Microsoft Threat Intelligence}, title = {{Tweet on targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard}}, date = {2023-07-19}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/msftsecintel/status/1681695399084539908}, language = {English}, urldate = {2023-07-20} } @online{intelligence:20230720:killnet:d435c7f, author = {Mandiant Intelligence}, title = {{KillNet Showcases New Capabilities While Repeating Older Tactics}}, date = {2023-07-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics}, language = {English}, urldate = {2023-07-31} } @online{intelligence:20230802:midnight:5a9de36, author = {Microsoft Threat Intelligence}, title = {{Midnight Blizzard conducts targeted social engineering over Microsoft Teams}}, date = {2023-08-02}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/}, language = {English}, urldate = {2023-08-03} } @online{intelligence:20230824:flax:7a9270d, author = {Microsoft Threat Intelligence}, title = {{Flax Typhoon using legitimate software to quietly access Taiwanese organizations}}, date = {2023-08-24}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/}, language = {English}, urldate = {2023-08-25} } @online{intelligence:20230828:aitm:80a8090, author = {Microsoft Threat Intelligence}, title = {{Tweet on AiTM phishing trends}}, date = {2023-08-28}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1696273952870367320}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20230911:about:e53f947, author = {Symantec Threat Intelligence}, title = {{Tweet about Symantec discovering a new variant of SiestaGraph}}, date = {2023-09-11}, organization = {Symantec}, url = {https://x.com/threatintel/status/1701259256199090217}, language = {English}, urldate = {2023-09-18} } @online{intelligence:20230912:malware:3a31afc, author = {Microsoft Threat Intelligence}, title = {{Malware distributor Storm-0324 facilitates ransomware access}}, date = {2023-09-12}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/}, language = {English}, urldate = {2023-09-13} } @online{intelligence:20230914:peach:c76361c, author = {Microsoft Threat Intelligence}, title = {{Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets}}, date = {2023-09-14}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/}, language = {English}, urldate = {2024-07-25} } @online{intelligence:20231011:storm0062:280ecc3, author = {Microsoft Threat Intelligence}, title = {{Tweet on Storm-0062 exploiting CVE-2023-22515}}, date = {2023-10-11}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1711871732644970856}, language = {English}, urldate = {2023-12-04} } @online{intelligence:20231013:storm1575:302717e, author = {Microsoft Threat Intelligence}, title = {{Tweet on Storm-1575 and Dadsec phishing platform}}, date = {2023-10-13}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1712936244987019704?lang=en}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20231018:multiple:1533f8e, author = {Microsoft Threat Intelligence}, title = {{Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability}}, date = {2023-10-18}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/}, language = {English}, urldate = {2023-10-20} } @online{intelligence:20231109:microsoft:c78177f, author = {Microsoft Threat Intelligence}, title = {{Microsoft shares threat intelligence at CYBERWARCON 2023}}, date = {2023-11-09}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20231122:diamond:59a70c1, author = {Microsoft Threat Intelligence}, title = {{Diamond Sleet supply chain compromise distributes a modified CyberLink installer}}, date = {2023-11-22}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/}, language = {English}, urldate = {2023-11-23} } @online{intelligence:20231201:about:c7bd0da, author = {Microsoft Threat Intelligence}, title = {{Tweet about Storm-1044 and Storm-0216, Danabot leading to Cactus ransomware}}, date = {2023-12-01}, organization = {Twitter (@MsftSecIntel)}, url = {https://x.com/MsftSecIntel/status/1730383711437283757}, language = {English}, urldate = {2025-03-05} } @online{intelligence:20231201:danabot:42f696b, author = {Microsoft Threat Intelligence}, title = {{Tweet on Danabot leading to cactus ransomware}}, date = {2023-12-01}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1730383711437283757}, language = {English}, urldate = {2024-02-08} } @online{intelligence:20231205:tortoise:3c03917, author = {PwC Threat Intelligence}, title = {{The Tortoise and The Malwahare}}, date = {2023-12-05}, organization = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html}, language = {English}, urldate = {2024-01-03} } @online{intelligence:20231207:star:9d81eea, author = {Microsoft Threat Intelligence}, title = {{Star Blizzard increases sophistication and evasion in ongoing attacks}}, date = {2023-12-07}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/}, language = {English}, urldate = {2023-12-27} } @online{intelligence:20231212:threat:c9464fb, author = {Microsoft Threat Intelligence}, title = {{Threat actors misuse OAuth applications to automate financially driven attacks}}, date = {2023-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/}, language = {English}, urldate = {2023-12-13} } @online{intelligence:20240117:new:64ebbe9, author = {Microsoft Threat Intelligence}, title = {{New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs}}, date = {2024-01-17}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/}, language = {English}, urldate = {2024-03-28} } @online{intelligence:20240125:midnight:50a69fb, author = {Microsoft Threat Intelligence}, title = {{Midnight Blizzard: Guidance for responders on nation-state attack}}, date = {2024-01-25}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/}, language = {English}, urldate = {2024-01-26} } @online{intelligence:20240206:deadend:54cc0f9, author = {Threat Intelligence}, title = {{Dead-end job: ResumeLooters gang infects websites with XSS scripts and SQL injections to vacuum up job seekers' personal data and CVs}}, date = {2024-02-06}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/resumelooters/}, language = {English}, urldate = {2024-02-09} } @online{intelligence:20240207:iran:1b0fd46, author = {Microsoft Threat Intelligence}, title = {{Iran surges cyber-enabled influence operations in support of Hamas}}, date = {2024-02-07}, organization = {Microsoft}, url = {https://go.microsoft.com/fwlink/?linkid=2263321&clcid=0x409&culture=en-us&country=us}, language = {English}, urldate = {2024-04-29} } @online{intelligence:20240211:scano:2a8bf71, author = {Microsoft Security Intelligence}, title = {{Scano}}, date = {2024-02-11}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Scano&threatId=-2147382494}, language = {English}, urldate = {2024-04-29} } @online{intelligence:20240422:analyzing:5cb3448, author = {Microsoft Threat Intelligence}, title = {{Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials}}, date = {2024-04-22}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/}, language = {English}, urldate = {2024-05-21} } @online{intelligence:20240515:threat:6b74109, author = {Microsoft Threat Intelligence}, title = {{Threat actors misusing Quick Assist in social engineering attacks leading to ransomware}}, date = {2024-05-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/}, language = {English}, urldate = {2024-05-17} } @online{intelligence:20240515:threat:f3992ab, author = {Microsoft Threat Intelligence}, title = {{Threat actors misusing Quick Assist in social engineering attacks leading to ransomware}}, date = {2024-05-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware}, language = {English}, urldate = {2024-11-25} } @online{intelligence:20240528:moonstone:6e771a3, author = {Microsoft Threat Intelligence}, title = {{Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks}}, date = {2024-05-28}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/}, language = {English}, urldate = {2024-09-13} } @online{intelligence:20240605:ransomhub:d2f3a6f, author = {Symantec Threat Intelligence}, title = {{RansomHub: New Ransomware has Origins in Older Knight}}, date = {2024-06-05}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware}, language = {English}, urldate = {2024-09-06} } @online{intelligence:20240701:anonymous:4bf8bc2, author = {Dark Web Intelligence}, title = {{Tweet on Anonymous KSA}}, date = {2024-07-01}, organization = {Twitter (@DailyDarkWeb)}, url = {https://x.com/DailyDarkWeb/status/1807783849608286296}, language = {English}, urldate = {2025-02-19} } @online{intelligence:20240830:north:3ffaf60, author = {Microsoft Threat Intelligence}, title = {{North Korean threat actor Citrine Sleet exploiting Chromium zero-day}}, date = {2024-08-30}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/}, language = {English}, urldate = {2024-09-13} } @online{intelligence:20240926:storm0501:1bcfb37, author = {Microsoft Threat Intelligence}, title = {{Storm-0501: Ransomware attacks expanding to hybrid cloud environments}}, date = {2024-09-26}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/}, language = {English}, urldate = {2024-10-01} } @online{intelligence:20241017:new:50712d2, author = {Microsoft Threat Intelligence}, title = {{New macOS vulnerability, “HM Surf”, could lead to unauthorized data access}}, date = {2024-10-17}, organization = {Microsoft Security}, url = {https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/}, language = {English}, urldate = {2024-10-18} } @online{intelligence:20241029:midnight:c86b64d, author = {Microsoft Threat Intelligence}, title = {{Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files}}, date = {2024-10-29}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/}, language = {English}, urldate = {2024-10-30} } @online{intelligence:20241031:chinese:18591e6, author = {Microsoft Threat Intelligence}, title = {{Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network}}, date = {2024-10-31}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/}, language = {English}, urldate = {2024-11-04} } @online{intelligence:20241122:microsoft:6528fe2, author = {Microsoft Threat Intelligence}, title = {{Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON}}, date = {2024-11-22}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/}, language = {English}, urldate = {2025-02-19} } @online{intelligence:20241202:storm1811:48d0655, author = {Red Canary Intelligence}, title = {{Storm-1811 exploits RMM tools to drop Black Basta ransomware}}, date = {2024-12-02}, organization = {Red Canary}, url = {https://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/}, language = {English}, urldate = {2025-03-05} } @online{intelligence:20241204:frequent:606bf59, author = {Microsoft Threat Intelligence}, title = {{Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage}}, date = {2024-12-04}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/}, language = {English}, urldate = {2024-12-09} } @online{intelligence:20241211:frequent:5477371, author = {Microsoft Threat Intelligence}, title = {{Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine}}, date = {2024-12-11}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/}, language = {English}, urldate = {2024-12-11} } @online{intelligence:20250116:new:365c8ea, author = {Microsoft Threat Intelligence}, title = {{New Star Blizzard spear-phishing campaign targets WhatsApp accounts}}, date = {2025-01-16}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/}, language = {English}, urldate = {2025-02-03} } @online{intelligence:20250121:twitter:5afc20d, author = {Microsoft Threat Intelligence}, title = {{Twitter Thread describing spotting of ReedBed in a Storm-1811 campaign}}, date = {2025-01-21}, organization = {Twitter (@MsftSecIntel)}, url = {https://x.com/MsftSecIntel/status/1881751635598139714}, language = {English}, urldate = {2025-02-18} } @online{intelligence:20250206:code:b437f48, author = {Microsoft Threat Intelligence}, title = {{Code injection attacks using publicly disclosed ASP.NET machine keys}}, date = {2025-02-06}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/}, language = {English}, urldate = {2025-02-17} } @online{intelligence:20250211:twitter:dfb0cb1, author = {Microsoft Threat Intelligence}, title = {{Twitter Thread on a new Kimsuky tactic inciting admins to paste powershell}}, date = {2025-02-11}, organization = {Twitter (@MsftSecIntel)}, url = {https://x.com/MsftSecIntel/status/1889407814604296490}, language = {English}, urldate = {2025-02-13} } @online{intelligence:20250212:badpilot:bf2e2f7, author = {Microsoft Threat Intelligence}, title = {{The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation}}, date = {2025-02-12}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/}, language = {English}, urldate = {2025-02-13} } @online{intelligence:20250213:storm2372:d8db45b, author = {Microsoft Threat Intelligence}, title = {{Storm-2372 conducts device code phishing campaign}}, date = {2025-02-13}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/}, language = {English}, urldate = {2025-02-17} } @online{intelligence:20250305:silk:1a3a855, author = {Microsoft Threat Intelligence}, title = {{Silk Typhoon targeting IT supply chain}}, date = {2025-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/}, language = {English}, urldate = {2025-03-07} } @online{intelligence:20250306:about:ac08da3, author = {Microsoft Threat Intelligence}, title = {{Tweet about Moonstone Sleet dropping Qilin ransomware}}, date = {2025-03-06}, organization = {Twitter (@MsftSecIntel)}, url = {https://x.com/MsftSecIntel/status/1897738961348374621}, language = {English}, urldate = {2025-03-07} } @online{intelligence:20250403:threat:6ed68e3, author = {Microsoft Threat Intelligence}, title = {{Threat actors leverage tax season to deploy tax-themed phishing campaigns}}, date = {2025-04-03}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/}, language = {English}, urldate = {2025-04-25} } @online{intelligence:20250408:exploitation:04866bf, author = {Microsoft Threat Intelligence}, title = {{Exploitation of CLFS zero-day leads to ransomware activity}}, date = {2025-04-08}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/}, language = {English}, urldate = {2025-04-25} } @online{intelligence:20250423:understanding:fb9d12e, author = {Microsoft Threat Intelligence}, title = {{Understanding the threat landscape for Kubernetes and containerized assets}}, date = {2025-04-23}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/04/23/understanding-the-threat-landscape-for-kubernetes-and-containerized-assets/}, language = {English}, urldate = {2025-04-28} } @online{intelligence:20250527:new:45f66ea, author = {Microsoft Threat Intelligence}, title = {{New Russia-affiliated actor Void Blizzard targets critical sectors for espionage}}, date = {2025-05-27}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/}, language = {English}, urldate = {2025-05-28} } @online{intelligence:20250620:about:c01e1d4, author = {Threat Intelligence}, title = {{Tweet about wiper deployed against Albania by Druidfly}}, date = {2025-06-20}, organization = {Twitter (@threatintel)}, url = {https://x.com/threatintel/status/1936049254432231444}, language = {English}, urldate = {2025-06-23} } @online{intelligence:20250630:jasper:cd65614, author = {Microsoft Threat Intelligence}, title = {{Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations}}, date = {2025-06-30}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/}, language = {English}, urldate = {2025-07-07} } @online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } @online{international:20180515:pakistan:c41a7ec, author = {Amnesty International}, title = {{PAKISTAN: HUMAN RIGHTS UNDER SURVEILLANCE}}, date = {2018-05-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/documents/asa33/8366/2018/en/}, language = {English}, urldate = {2019-11-28} } @online{international:20200312:targeted:927393f, author = {Amnesty International}, title = {{Targeted Surveillance Attacks in Uzbekistan: An Old Threat with New Techniques}}, date = {2020-03-12}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/}, language = {English}, urldate = {2022-10-06} } @online{international:20200615:india:2e4e60b, author = {Amnesty International}, title = {{India: Human Rights Defenders Targeted by a Coordinated Spyware Operation}}, date = {2020-06-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/}, language = {English}, urldate = {2020-06-16} } @online{international:20200925:germanmade:49d85d3, author = {Amnesty International}, title = {{German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed}}, date = {2020-09-25}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/}, language = {English}, urldate = {2020-09-25} } @techreport{international:20210224:click:aec5095, author = {Amnesty International}, title = {{Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks}}, date = {2021-02-24}, institution = {Amnesty International}, url = {https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf}, language = {English}, urldate = {2021-02-25} } @online{international:20210224:overview:95b80e0, author = {Amnesty International}, title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}}, date = {2021-02-24}, organization = {Github (AmnestyTech)}, url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam}, language = {English}, urldate = {2021-02-25} } @online{international:20210718:forensic:bd37b30, author = {Amnesty International}, title = {{Forensic Methodology Report: How to catch NSO Group’s Pegasus}}, date = {2021-07-18}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/}, language = {English}, urldate = {2021-07-21} } @online{international:20210718:forensic:eea0359, author = {Amnesty International}, title = {{Forensic Methodology Report: Pegasus Forensic Traces per Target}}, date = {2021-07-18}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/}, language = {English}, urldate = {2021-07-21} } @online{international:20210718:massive:77579f1, author = {Amnesty International}, title = {{Massive data leak reveals Israeli NSO Group's spyware used to target activists, journalists, and political leaders globally}}, date = {2021-07-18}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/}, language = {English}, urldate = {2021-07-26} } @online{international:20210718:nso:e92b282, author = {Amnesty International}, title = {{NSO Group Pegasus Indicator of Compromise}}, date = {2021-07-18}, organization = {Github (AmnestyTech)}, url = {https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso}, language = {English}, urldate = {2021-07-24} } @techreport{international:20211007:hackersforhire:4147fd6, author = {Amnesty International}, title = {{Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware}}, date = {2021-10-07}, institution = {Amnesty International}, url = {https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf}, language = {English}, urldate = {2021-11-02} } @online{interpol:20250611:20000:fe29d19, author = {Interpol}, title = {{20,000 malicious IPs and domains taken down in INTERPOL infostealer crackdown}}, date = {2025-06-11}, organization = {Interpol}, url = {https://www.interpol.int/News-and-Events/News/2025/20-000-malicious-IPs-and-domains-taken-down-in-INTERPOL-infostealer-crackdown}, language = {English}, urldate = {2025-06-20} } @online{intezer:20190920:russian:27d9f67, author = {Intezer}, title = {{Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns}}, date = {2019-09-20}, organization = {Intezer}, url = {https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/}, language = {English}, urldate = {2020-01-08} } @online{intezer:20200806:gosh:f982c3c, author = {Intezer}, title = {{Tweet on GOSH}}, date = {2020-08-06}, organization = {Twitter (@IntezerLabs)}, url = {https://twitter.com/IntezerLabs/status/1291355808811409408}, language = {English}, urldate = {2020-08-18} } @online{intezer:20200923:about:ad24ad8, author = {Intezer}, title = {{Tweet about PWNLNX}}, date = {2020-09-23}, organization = {Twitter (@IntezerLabs)}, url = {https://x.com/IntezerLabs/status/1308740144120213506?ref=blog.xlab.qianxin.com}, language = {English}, urldate = {2024-12-20} } @online{intezer:20201112:agelocker:d63b5bc, author = {Intezer}, title = {{Tweet on Agelocker}}, date = {2020-11-12}, organization = {Twitter (@IntezerLabs)}, url = {https://twitter.com/IntezerLabs/status/1326880812344676352}, language = {English}, urldate = {2020-11-18} } @online{intezer:20201221:top:9529707, author = {Intezer}, title = {{Top Linux Cloud Threats of 2020}}, date = {2020-12-21}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/}, language = {English}, urldate = {2020-12-26} } @techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } @online{intezer:20210623:linux:310f62b, author = {Intezer}, title = {{Tweet on linux version of Derusbi}}, date = {2021-06-23}, organization = {Twitter (@IntezerLabs)}, url = {https://twitter.com/IntezerLabs/status/1407676522534735873?s=20}, language = {English}, urldate = {2021-07-26} } @online{intezer:20210629:unknown:1f1f2d3, author = {Intezer}, title = {{Tweet on unknown elf backdoor based on an open source remote shell named "amcsh"}}, date = {2021-06-29}, organization = {Twitter (@IntezerLabs)}, url = {https://twitter.com/IntezerLabs/status/1409844721992749059}, language = {English}, urldate = {2021-08-11} } @techreport{intezer:202109:teamtnt:425ab21, author = {Intezer}, title = {{TeamTNT: Cryptomining Explosion}}, date = {2021-09}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf}, language = {English}, urldate = {2021-09-19} } @online{intezer:20220218:teamtnt:354772f, author = {Intezer}, title = {{TeamTNT Cryptomining Explosion}}, date = {2022-02-18}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/}, language = {English}, urldate = {2022-02-26} } @online{intezerlabs:20200511:ldpreload:b3e622b, author = {Twitter (IntezerLabs)}, title = {{Tweet on LD-PRELOAD userland rootkit}}, date = {2020-05-11}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1259818964848386048}, language = {English}, urldate = {2020-05-18} } @online{intezerlabs:20201105:ngioweb:e145908, author = {Twitter (IntezerLabs)}, title = {{Tweet on Ngioweb botnet}}, date = {2020-11-05}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1324346324683206657}, language = {English}, urldate = {2020-11-06} } @online{intezerlabs:20201214:linux:85c179b, author = {Twitter (IntezerLabs)}, title = {{Tweet on linux variant of Prometei botnet}}, date = {2020-12-14}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1338480158249013250}, language = {English}, urldate = {2020-12-15} } @online{intezerlabs:20211026:linux:53febe2, author = {Twitter (IntezerLabs)}, title = {{Tweet on Linux version of REvil ransomware}}, date = {2021-10-26}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1452980772953071619}, language = {English}, urldate = {2021-11-03} } @online{intrinsec:20220126:alphv:5f751bd, author = {Intrinsec}, title = {{ALPHV ransomware gang analysis}}, date = {2022-01-26}, organization = {Intrinsec}, url = {https://www.intrinsec.com/alphv-ransomware-gang-analysis/}, language = {English}, urldate = {2022-11-07} } @online{intrinsec:20220126:alphv:9f00db5, author = {Intrinsec}, title = {{ALPHV ransomware gang analysis}}, date = {2022-01-26}, organization = {Intrinsec}, url = {https://www.intrinsec.com/alphv-ransomware-gang-analysis}, language = {English}, urldate = {2022-02-01} } @techreport{intrinsec:20220331:highprofile:e629533, author = {Intrinsec}, title = {{High-Profile Data Theft Intrusion Set LAPSUS}}, date = {2022-03-31}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2022/03/INTRINSEC-LAPSUS-Intrusion-Set-20220324.pdf}, language = {English}, urldate = {2022-11-07} } @online{intrinsec:20221018:apt27:1977039, author = {Intrinsec and CERT Intrinsec}, title = {{APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis}}, date = {2022-10-18}, organization = {Intrinsec}, url = {https://www.intrinsec.com/apt27-analysis/}, language = {English}, urldate = {2022-11-07} } @online{intrinsec:20230109:emotet:202716f, author = {Intrinsec and CTI Intrinsec}, title = {{Emotet returns and deploys loaders}}, date = {2023-01-09}, organization = {Intrinsec}, url = {https://www.intrinsec.com/emotet-returns-and-deploys-loaders/}, language = {English}, urldate = {2023-08-14} } @online{intrinsec:20230116:proxynotshell:b9b864c, author = {Intrinsec}, title = {{ProxyNotShell – OWASSRF – Merry Xchange}}, date = {2023-01-16}, organization = {Intrinsec}, url = {https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/}, language = {English}, urldate = {2023-03-13} } @online{intrinsec:20230214:vicesociety:2dffe2e, author = {Intrinsec and CTI Intrinsec}, title = {{Vice-Society spreads its own ransomware}}, date = {2023-02-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/}, language = {English}, urldate = {2023-02-15} } @online{intrinsec:20230907:tweets:c954acb, author = {CTI Intrinsec}, title = {{Tweets on Bumblebee campaign spreading via Html smuggling downloading RAR archive with European Central Bank PDF lure and folder containing Bumblebee EXE payload.}}, date = {2023-09-07}, organization = {Twitter (@Intrisec)}, url = {https://twitter.com/Intrinsec/status/1699779830294970856}, language = {English}, urldate = {2023-09-12} } @techreport{intrinsec:20230929:ongoing:4c83347, author = {CTI Intrinsec and Intrinsec}, title = {{Ongoing threats targeting the energy industry}}, date = {2023-09-29}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf}, language = {English}, urldate = {2023-10-02} } @online{intrinsec:20231004:about:f58a039, author = {CTI Intrinsec}, title = {{Tweet about new Bumblebee campaign leveraging CVE-2023-38831}}, date = {2023-10-04}, organization = {Twitter (@Intrisec)}, url = {https://twitter.com/Intrinsec/status/1709609529070010447}, language = {English}, urldate = {2023-10-05} } @online{intrinsec:20231017:lumma:ad1631a, author = {CTI Intrinsec}, title = {{Lumma Stealer actively deployed in multiple campaigns}}, date = {2023-10-17}, organization = {Intrinsec}, url = {https://www.intrinsec.com/lumma_stealer_actively_deployed_in_multiple_campaigns/}, language = {English}, urldate = {2023-10-18} } @online{intrinsec:20231128:akirats:d49a021, author = {Intrinsec and CERT Intrinsec}, title = {{Aki-RATs – Command and Control Party}}, date = {2023-11-28}, organization = {Intrinsec}, url = {https://www.intrinsec.com/akira_ransomware/}, language = {English}, urldate = {2023-12-14} } @techreport{intrinsec:20240430:matanbuchus:2a972ae, author = {Intrinsec}, title = {{Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery}}, date = {2024-04-30}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf}, language = {English}, urldate = {2024-06-05} } @techreport{intrinsec:20241121:prospero:e7dfbb7, author = {CTI Intrinsec and Intrinsec}, title = {{PROSPERO & Proton66: Uncovering the links between bulletproof networks}}, date = {2024-11-21}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2024/11/TLP-CLEAR-PROSPERO-Proton66-Uncovering-the-links-between-bulletproof-networks.pdf}, language = {English}, urldate = {2024-11-25} } @techreport{intrinsec:20241230:cryptbot:1c5b9c6, author = {CTI Intrinsec}, title = {{CryptBot: Hunting for initial access vectors}}, date = {2024-12-30}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2024/12/TLP-CLEAR-CryptBot-Hunting-for-intial-access-vectors.pdf}, language = {English}, urldate = {2025-01-07} } @techreport{intrinsec:20250124:premium:6bd02eb, author = {CTI Intrinsec}, title = {{"Premium panel": phishing tool used in longstanding campaigns worldwide}}, date = {2025-01-24}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2025/01/TLP-CLEAR-Live-Control-Panel-Premium-EN.pdf}, language = {English}, urldate = {2025-01-31} } @techreport{intrinsec:20250130:telegram:92d05f1, author = {CTI Intrinsec}, title = {{Telegram Stories: voice spoofers, tools and operating modes}}, date = {2025-01-30}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2025/01/spoofers-vocaux-outils-et-modes-operatoires-3.pdf}, language = {French}, urldate = {2025-01-31} } @online{intrusiontruth:20170418:coming:77c59b3, author = {Intrusiontruth}, title = {{Coming Soon…}}, date = {2017-04-18}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/04/18/coming-soon/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20170426:who:549d14b, author = {Intrusiontruth}, title = {{Who is behind this Chinese espionage group stealing our intellectual property?}}, date = {2017-04-26}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/04/26/who-is-behind-this-chinese-espionage-group-stealing-our-intellectual-property/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20170502:who:494f100, author = {Intrusiontruth}, title = {{Who is Mr Wu?}}, date = {2017-05-02}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/05/02/who-is-mr-wu/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20170505:who:0c710c8, author = {Intrusiontruth}, title = {{Who is Mr Dong?}}, date = {2017-05-05}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/05/05/who-is-mr-dong/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20170509:apt3:4014a9f, author = {Intrusiontruth}, title = {{APT3 is Boyusec, a Chinese Intelligence Contractor}}, date = {2017-05-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/}, language = {English}, urldate = {2020-01-07} } @online{intrusiontruth:20180522:destruction:0e412da, author = {Intrusiontruth}, title = {{The destruction of APT3}}, date = {2018-05-22}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20180717:who:de9d84f, author = {Intrusiontruth}, title = {{Who was behind this unprecedented Cyber attack on Western infrastructure?}}, date = {2018-07-17}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/07/17/who-was-behind-this-unprecedented-cyber-attack-on-western-infrastructure/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20180730:who:d5c76e4, author = {Intrusiontruth}, title = {{Who is Mr Zheng?}}, date = {2018-07-30}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/07/30/who-is-mr-zheng/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20180802:who:f2cb650, author = {Intrusiontruth}, title = {{Who is Mr Gao?}}, date = {2018-08-02}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/08/02/who-is-mr-gao/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20180806:who:d068d97, author = {Intrusiontruth}, title = {{Who is Mr Zhang?}}, date = {2018-08-06}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/08/06/who-is-mr-zhang/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20180809:more:7304bdd, author = {Intrusiontruth}, title = {{More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. Is there a state connection?}}, date = {2018-08-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/08/09/was-apt10-the-work-of-individuals-a-company-or-the-state/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20180815:apt10:dd24d0a, author = {Intrusiontruth}, title = {{APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security}}, date = {2018-08-15}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/08/15/apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20180831:who:1a3669a, author = {Intrusiontruth}, title = {{Who is Mr An, and was he working for APT10?}}, date = {2018-08-31}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2018/08/31/who-is-mr-an-and-was-he-working-for-apt10/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20190715:is:bf6852d, author = {Intrusiontruth}, title = {{Is there a pattern?}}, date = {2019-07-15}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/15/is-there-a-pattern/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20190717:who:401c78d, author = {Intrusiontruth}, title = {{Who is Mr Guo?}}, date = {2019-07-17}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/17/who-is-mr-guo/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20190719:who:fe17eab, author = {Intrusiontruth}, title = {{Who is Mr Wang?}}, date = {2019-07-19}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/19/who-is-mr-wang/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20190722:who:2f85a8a, author = {Intrusiontruth}, title = {{Who is Mr Zeng?}}, date = {2019-07-22}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/22/who-is-mr-zeng/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20190724:apt17:6b9a666, author = {Intrusiontruth}, title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}}, date = {2019-07-24}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/}, language = {English}, urldate = {2020-04-21} } @online{intrusiontruth:20190725:encore:3f99d34, author = {Intrusiontruth}, title = {{Encore! APT17 hacked Chinese targets and offered the data for sale}}, date = {2019-07-25}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/25/encore-apt17-hacked-chinese-targets-and-offered-the-data-for-sale/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20200109:what:bc9bc31, author = {Intrusiontruth}, title = {{What is the Hainan Xiandun Technology Development Company?}}, date = {2020-01-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200110:who:32afb65, author = {Intrusiontruth}, title = {{Who is Mr Gu?}}, date = {2020-01-10}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200113:who:e54190c, author = {Intrusiontruth}, title = {{Who else works for this cover company network?}}, date = {2020-01-13}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200114:who:a06a6c3, author = {Intrusiontruth}, title = {{Who is Mr Ding?}}, date = {2020-01-14}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200115:hainan:093f6f2, author = {Intrusiontruth}, title = {{Hainan Xiandun Technology Company is APT40}}, date = {2020-01-15}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200116:apt40:187edc3, author = {Intrusiontruth}, title = {{APT40 is run by the Hainan department of the Chinese Ministry of State Security}}, date = {2020-01-16}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/}, language = {English}, urldate = {2021-05-17} } @online{intrusiontruth:20210506:with:a398f7e, author = {Intrusiontruth}, title = {{An APT with no name}}, date = {2021-05-06}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name/}, language = {English}, urldate = {2021-05-08} } @online{intrusiontruth:20210506:with:b154214, author = {Intrusiontruth}, title = {{An APT with no name}}, date = {2021-05-06}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name}, language = {English}, urldate = {2022-07-25} } @online{intrusiontruth:20210513:who:02a2b55, author = {Intrusiontruth}, title = {{Who is Mr. Zhao?}}, date = {2021-05-13}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2021/05/13/who-is-mr-zhao/}, language = {English}, urldate = {2021-05-13} } @online{intrusiontruth:20210729:incompetent:925d0eb, author = {Intrusiontruth}, title = {{An (in)Competent Cyber Program – A brief cyber history of the 'CCP'}}, date = {2021-07-29}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2021/07/29/an-incompetent-cyber-program-a-brief-cyber-history-of-the-ccp/}, language = {English}, urldate = {2021-08-02} } @online{intrusiontruth:20210920:hello:f0e7d87, author = {Intrusiontruth}, title = {{Hello Lionel Richie}}, date = {2021-09-20}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2021/09/20/hello-lionel-richie/}, language = {English}, urldate = {2021-09-20} } @online{intrusiontruth:20220720:apt41:245a512, author = {Intrusiontruth}, title = {{APT41: A Case Sudy}}, date = {2022-07-20}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2022/07/20/apt41/}, language = {English}, urldate = {2022-07-25} } @online{inversecos:20210412:ttps:c13745e, author = {inversecos}, title = {{Tweet on TTPs associated with Hades Ransomware}}, date = {2021-04-12}, organization = {Twitter (@inversecos)}, url = {https://twitter.com/inversecos/status/1381477874046169089?s=20}, language = {English}, urldate = {2021-04-14} } @online{inversecos:20210924:thread:01232d1, author = {inversecos}, title = {{A thread on TTPs of Prometheus Ransomware attacks}}, date = {2021-09-24}, organization = {Twitter (@inversecos)}, url = {https://twitter.com/inversecos/status/1441252744258461699?s=20}, language = {English}, urldate = {2021-09-29} } @online{inversecos:20211105:ttps:2b9481e, author = {inversecos}, title = {{TTPs used by Pysa Ransonmware group}}, date = {2021-11-05}, organization = {Twitter (@inversecos)}, url = {https://twitter.com/inversecos/status/1456486725664993287}, language = {English}, urldate = {2021-11-08} } @techreport{investigation:20220211:joint:3c91f4c, author = {Federal Bureau of Investigation and U.S. Secret Service (USSS)}, title = {{JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware}}, date = {2022-02-11}, institution = {}, url = {https://www.ic3.gov/Media/News/2022/220211.pdf}, language = {English}, urldate = {2022-02-14} } @online{ion:20240130:evolution:6cfac61, author = {Diana Ion and Jae Young Kim and Muhammad Umair and Panagiotis Antoniou and Yash Gupta}, title = {{Evolution of UNC4990: Uncovering USB Malware's Hidden Depths}}, date = {2024-01-30}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware}, language = {English}, urldate = {2024-01-31} } @online{ip:20231203:skidsec:56eca96, author = {Criminal IP}, title = {{SkidSec Hacker Group Announces Plans to Spread North Korean Propaganda Through Hacked Printers in South Korea}}, date = {2023-12-03}, organization = {Medium OSINT Team}, url = {https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4}, language = {English}, urldate = {2024-10-18} } @online{ipj:20160920:hackers:fae1710, author = {ipj and kl}, title = {{Hackers lurking, parliamentarians told}}, date = {2016-09-20}, organization = {Deutsche Welle}, url = {https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630}, language = {English}, urldate = {2020-09-15} } @online{ippsec:20220706:reversing:542aecd, author = {IppSec}, title = {{Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?}}, date = {2022-07-06}, organization = {YouTube (IppSec)}, url = {https://www.youtube.com/watch?v=a7W6rhkpVSM}, language = {English}, urldate = {2023-03-24} } @techreport{ireland:20210516:ransomware:b091d9b, author = {NCSC Ireland}, title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}}, date = {2021-05-16}, institution = {NCSC Ireland}, url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf}, language = {English}, urldate = {2021-05-17} } @online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} } @online{irinco:20121016:dorkbot:68250e7, author = {Bernadette Irinco}, title = {{The DORKBOT Rises}}, date = {2012-10-16}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/}, language = {English}, urldate = {2021-02-09} } @online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } @online{iris:20200616:cloud:e15a0d5, author = {IBM Security X-Force® Incident Responseand Intelligence Services (IRIS)}, title = {{Cloud ThreatLandscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } @online{iris:20221129:cargobay:9f0719a, author = {IBM IRIS}, title = {{CargoBay BlackHat Backdoor Analysis Report (IRIS-14738)}}, date = {2022-11-29}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/malware-analysis/guid:87abff769352d8208e403331c86eb95f}, language = {English}, urldate = {2023-02-17} } @online{irmer:20150217:angry:d09af85, author = {Jan Širmer}, title = {{Angry Android hacker hides Xbot malware in popular application icons}}, date = {2015-02-17}, organization = {Avast}, url = {https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/}, language = {English}, urldate = {2019-12-24} } @online{irmer:20191023:spoofing:369e661, author = {Jan Širmer and Luigino Camastra and Adolf Středa}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-10-23}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/}, language = {English}, urldate = {2020-01-27} } @online{irokova:20241121:bag:e7c3ec6, author = {Anna Širokova}, title = {{A Bag of RATs: VenomRAT vs. AsyncRAT}}, date = {2024-11-21}, organization = {Rapid7}, url = {https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/}, language = {English}, urldate = {2025-04-28} } @online{irokova:20250528:nsis:5766864, author = {Anna Širokova and Ivan Feigl}, title = {{NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign}}, date = {2025-05-28}, organization = {Rapid7}, url = {https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign/}, language = {English}, urldate = {2025-06-02} } @online{ironnet:20201231:solarwindssunburst:1422ef4, author = {IronNet}, title = {{SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action}}, date = {2020-12-31}, organization = {IronNet}, url = {https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action}, language = {English}, urldate = {2021-01-05} } @techreport{isac:20190603:15:e048911, author = {WATER ISAC}, title = {{15 Cybersecurity Fundamentals for Water and Wastewater Utilities}}, date = {2019-06-03}, institution = {WATER ISAC}, url = {https://www.waterisac.org/system/files/articles/15%20Cybersecurity%20Fundamentals%20%28WaterISAC%29.pdf}, language = {English}, urldate = {2021-02-20} } @online{isac:20220902:bianlian:9b32eb7, author = {Retail & Hospitality ISAC}, title = {{BianLian Ransomware Expanding C2 Infrastructure and Operational Tempo}}, date = {2022-09-02}, url = {https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/}, language = {English}, urldate = {2022-09-30} } @online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } @online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } @techreport{ishikawa:20181201:lets:73b0c60, author = {Yoshihiro Ishikawa and Shinichi Nagano}, title = {{Let's go with a Go RAT!}}, date = {2018-12-01}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf}, language = {English}, urldate = {2020-04-28} } @online{ishikawa:20201201:urgent:a936143, author = {Yoshihiro Ishikawa}, title = {{[Urgent Report] Targeted attack by "SigLoader" that exploits Microsoft's digital signature file confirmed}}, date = {2020-12-01}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/report/20201201_002363.html}, language = {Japanese}, urldate = {2022-12-20} } @online{ishikawa:20210521:targeted:2ab5e2c, author = {Yoshihiro Ishikawa}, title = {{Targeted attack by 'Cobalt Strike loader' that exploits Microsoft's digital signature-Attacker group APT41}}, date = {2021-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/report/20210521_002618.html}, language = {Japanese}, urldate = {2024-09-02} } @online{ishikawa:20221117:chinabased:2fb560f, author = {Yoshihiro Ishikawa}, title = {{China-based Mustang Panda is a targeted attack with malware "Claimloader", may affect Japan}}, date = {2022-11-17}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20221117_003189.html}, language = {English}, urldate = {2023-08-03} } @techreport{ishikawa:20230924:lets:474b0c0, author = {Yoshihiro Ishikawa and Takuma Matsumoto}, title = {{Let's GO Door with KCP}}, date = {2023-09-24}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lets-go-door-with-KCP.pdf}, language = {English}, urldate = {2024-12-13} } @online{ishikawa:20240605:thumtais:7db12fb, author = {Yoshihiro Ishikawa}, title = {{Thumtais, a malware targeting Japanese organizations}}, date = {2024-06-05}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/report/20240605_004019.html}, language = {Japanese}, urldate = {2025-06-16} } @online{ishikawa:20250514:continued:e6fce99, author = {Yoshihiro Ishikawa}, title = {{Continued EAGERBEE (Thumtais) malware activity}}, date = {2025-05-14}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/report/20250514_004379.html}, language = {Japanese}, urldate = {2025-06-03} } @online{ishimaru:20150820:new:0b39f40, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20150820:new:d553aa4, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-activity-of-the-blue-termite-apt/71876/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180416:roaming:42ebd00, author = {Suguru Ishimaru}, title = {{Roaming Mantis uses DNS hijacking to infect Android smartphones}}, date = {2018-04-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180518:roaming:3e5185f, author = {Suguru Ishimaru}, title = {{Roaming Mantis dabbles in mining and phishing multilingually}}, date = {2018-05-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/}, language = {English}, urldate = {2019-12-20} } @techreport{ishimaru:2019:roaming:23097da, author = {Suguru Ishimaru and Manabu Niseki and Hiroaki Ogawa}, title = {{Roaming Mantis: an Anatomy of a DNS Hijacking Campaign}}, date = {2019}, institution = {Kaspersky Labs}, url = {https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf}, language = {English}, urldate = {2022-07-13} } @online{ishimaru:20200227:roaming:3e14d12, author = {Suguru Ishimaru}, title = {{Roaming Mantis, part V: Distributed in 2019 using SMiShing and enhanced anti-researcher techniques}}, date = {2020-02-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-part-v/96250/}, language = {English}, urldate = {2022-07-13} } @online{ishimaru:20220207:roaming:ad64d8c, author = {Suguru Ishimaru}, title = {{Roaming Mantis reaches Europe}}, date = {2022-02-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-reaches-europe/105596/}, language = {English}, urldate = {2022-07-13} } @online{ishimaru:20221031:apt10:c9040fd, author = {Suguru Ishimaru}, title = {{APT10: Tracking down LODEINFO 2022, part II}}, date = {2022-10-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/}, language = {English}, urldate = {2022-12-29} } @online{ishimaru:20221031:apt10:d6c1888, author = {Suguru Ishimaru}, title = {{APT10: Tracking down LODEINFO 2022, part I}}, date = {2022-10-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/}, language = {English}, urldate = {2022-12-29} } @online{ishimaru:20240229:unleashing:7b3befb, author = {Suguru Ishimaru}, title = {{Unleashing the Secrets:A Full Analysis for the Complex LODEINFO v0.7.1}}, date = {2024-02-29}, organization = {YouTube (Kaspersky Tech)}, url = {https://www.youtube.com/watch?v=zSEySLeWrMQ}, language = {English}, urldate = {2024-07-24} } @online{ishu:20230113:tweets:31114ef, author = {Ishu}, title = {{Tweets on updates regarding Lumma Stealer}}, date = {2023-01-13}, organization = {Twitter (@Ishusoka)}, url = {https://twitter.com/Ishusoka/status/1614028229307928582}, language = {English}, urldate = {2023-01-18} } @online{issuemakerslab:201705:operation:6dc3206, author = {IssueMakersLab}, title = {{Operation GoldenAxe}}, date = {2017-05}, organization = {IssueMakersLab}, url = {http://www.issuemakerslab.com/research3/}, language = {English}, urldate = {2023-08-28} } @techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2023-02-13} } @online{it:20130905:large:48926bb, author = {Fox IT}, title = {{Large botnet cause of recent Tor network overload}}, date = {2013-09-05}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/}, language = {English}, urldate = {2021-09-19} } @online{it:20160615:mofang:59e7ad3, author = {Fox IT}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-06-15}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/}, language = {English}, urldate = {2019-11-27} } @online{it:20190226:identifying:689104d, author = {Fox IT}, title = {{Identifying Cobalt Strike team servers in the wild}}, date = {2019-02-26}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/}, language = {English}, urldate = {2020-10-25} } @online{it:20190226:supreme:d4cad36, author = {dfir it!}, title = {{The Supreme Backdoor Factory}}, date = {2019-02-26}, organization = {dfir it!}, url = {https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/}, language = {English}, urldate = {2020-01-06} } @online{it:20191219:operation:64c0cd9, author = {Fox IT}, title = {{Operation Wocao : Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, organization = {Fox-IT}, url = {https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/}, language = {English}, urldate = {2020-01-07} } @online{it:20211108:ta505:6ac8d13, author = {Fox IT}, title = {{TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access}}, date = {2021-11-08}, organization = {nccgroup}, url = {https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/}, language = {English}, urldate = {2021-11-09} } @online{it:20220620:charming:b356ff2, author = {infinitum IT}, title = {{Charming Kitten (APT35)}}, date = {2022-06-20}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/apt-35/}, language = {Turkish}, urldate = {2022-06-22} } @online{it:20220816:flubot:b7f7d24, author = {infinitum IT}, title = {{FluBot Android Malware Analysis}}, date = {2022-08-16}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/flubot-zararlisi/}, language = {Turkish}, urldate = {2022-08-17} } @techreport{it:20220822:targeting:7076d75, author = {infinitum IT}, title = {{APT Group Targeting Government Institutions in Turkey}}, date = {2022-08-22}, institution = {Github (infinitumlabs)}, url = {https://raw.githubusercontent.com/infinitumitlabs/Threat-Spotlight-Archives/main/Threat%20Spotlight%20T%C3%BCrkiye'deki%20Devlet%20Kurumlar%C4%B1n%C4%B1%20Hedef%20Alan%20APT%20Grubu.pdf}, language = {Turkish}, urldate = {2022-08-28} } @online{ita:20200807:new:c2e5979, author = {CSIRT ITA}, title = {{New Phishing-As-A-Service framework}}, date = {2020-08-07}, organization = {CSIRT Italia}, url = {https://csirt.gov.it/contenuti/phishing-as-a-service-framework}, language = {Italian}, urldate = {2020-08-10} } @techreport{italia:20210421:windigo:213e6a9, author = {CSIRT Italia}, title = {{Windigo footprints: an Ebury variant}}, date = {2021-04-21}, institution = {CSIRT Italia}, url = {https://www.acn.gov.it/portale/documents/20119/586040/CSIRT_Italiano_Windigo_Ebury_Variant.pdf}, language = {English}, urldate = {2025-01-23} } @online{itkin:20210222:story:6f59f06, author = {Eyal Itkin and Itay Cohen}, title = {{The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day}}, date = {2021-02-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/the-story-of-jian/}, language = {English}, urldate = {2021-02-25} } @online{itkin:20210222:story:a3a3da9, author = {Eyal Itkin and Itay Cohen}, title = {{The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day}}, date = {2021-02-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/the-story-of-jian}, language = {English}, urldate = {2021-07-22} } @online{iubatti:20220617:brata:5b4cc52, author = {Francesco Iubatti and Alessandro Strino}, title = {{BRATA is evolving into an Advanced Persistent Threat}}, date = {2022-06-17}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat}, language = {English}, urldate = {2022-06-22} } @online{iubatti:20220811:sova:e3cc78b, author = {Francesco Iubatti and Federico Valentini}, title = {{SOVA malware is back and is evolving rapidly}}, date = {2022-08-11}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly}, language = {English}, urldate = {2022-08-15} } @online{iubatti:20230321:nexus:e4a7788, author = {Francesco Iubatti and Alessandro Strino and Federico Valentini}, title = {{Nexus: a new Android botnet?}}, date = {2023-03-21}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet}, language = {English}, urldate = {2023-03-21} } @online{iubatti:20230731:spynote:6507c5a, author = {Francesco Iubatti}, title = {{SpyNote continues to attack financial institutions}}, date = {2023-07-31}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions}, language = {English}, urldate = {2023-07-31} } @online{iubatti:20240110:analysis:4f5a78e, author = {Francesco Iubatti}, title = {{Analysis of an Info Stealer — Chapter 2: The iOS App}}, date = {2024-01-10}, organization = {Medium icebre4ker}, url = {https://medium.com/@icebre4ker/analysis-of-an-info-stealer-chapter-2-the-ios-app-0529e7b45405}, language = {English}, urldate = {2024-01-11} } @online{iubatti:20240221:stealthy:7d4fd9f, author = {Francesco Iubatti}, title = {{A stealthy threat uncovered: TeaBot on Google Play Store}}, date = {2024-02-21}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store}, language = {English}, urldate = {2024-02-22} } @online{iuzvyk:20230925:securonix:af6d775, author = {D. Iuzvyk and Tim Peck and Oleg Kolesnikov}, title = {{Securonix Threat Labs Security Advisory: New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads}}, date = {2023-09-25}, organization = {Securonix}, url = {https://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/}, language = {English}, urldate = {2023-10-09} } @online{ivan:20230925:ransomware:61b5db0, author = {Tom Ivan}, title = {{A ransomware group claims to have breached ‘all Sony systems’}}, date = {2023-09-25}, organization = {Video Games Chronicle}, url = {https://www.videogameschronicle.com/news/a-ransomware-group-claims-to-have-beached-all-sony-systems/}, language = {English}, urldate = {2023-12-04} } @online{ivanov:20140301:chewbacca:5c7ac17, author = {Ivo Ivanov}, title = {{ChewBacca – A TOR Based POS Malware}}, date = {2014-03-01}, organization = {Vinsula}, url = {http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/}, language = {English}, urldate = {2019-11-26} } @online{ivanov:20161003:polyglot:6fe8657, author = {Anton Ivanov and Orkhan Mamedov and Fedor Sinitsyn}, title = {{Polyglot – the fake CTB-locker}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20161020:rotorcrypt:2bfa6f3, author = {Andrew Ivanov}, title = {{RotorCrypt (RotoCrypt) Ransomware Tar Ransomware}}, date = {2016-10-20}, url = {https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html}, language = {Russian}, urldate = {2019-11-23} } @online{ivanov:20170314:petrwrap:646653c, author = {Anton Ivanov and Fedor Sinitsyn}, title = {{PetrWrap: the new Petya-based ransomware used in targeted attacks}}, date = {2017-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170424:xpan:018ead2, author = {Anton Ivanov and Fabio Assolini and Fedor Sinitsyn and Santiago Pontiroli}, title = {{XPan, I am your father}}, date = {2017-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/78110/xpan-i-am-your-father/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170628:expetrpetyanotpetya:903b1fc, author = {Anton Ivanov and Orkhan Mamedov}, title = {{ExPetr/Petya/NotPetya is a Wiper, Not Ransomware}}, date = {2017-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170704:in:06c2d59, author = {Anton Ivanov and Orkhan Mamedov}, title = {{In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine}}, date = {2017-07-04}, organization = {Kaspersky}, url = {https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/}, language = {English}, urldate = {2023-07-24} } @online{ivanov:20170809:return:124e8c1, author = {Anton Ivanov and Orkhan Mamedov}, title = {{The return of Mamba ransomware}}, date = {2017-08-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-mamba-ransomware/79403/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20171027:xiaoba:16e3621, author = {Andrew Ivanov}, title = {{XiaoBa Ransomware}}, date = {2017-10-27}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html}, language = {Russian}, urldate = {2020-03-19} } @online{ivanov:20171202:scarabey:802d653, author = {Andrew Ivanov}, title = {{Scarabey Ransomware}}, date = {2017-12-02}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180208:mbrlock:2c9f6d5, author = {Andrew Ivanov}, title = {{MBRlock Ransomware}}, date = {2018-02-08}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180507:synack:2a41ea0, author = {Anton Ivanov and Fedor Sinitsyn and Orkhan Mamedov}, title = {{SynAck targeted ransomware uses the Doppelgänging technique}}, date = {2018-05-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20180914:rektware:836d8ac, author = {Andrew Ivanov}, title = {{Rektware Ransomware}}, date = {2018-09-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20190203:maoloa:52e7c7f, author = {Andrew Ivanov}, title = {{Maoloa Ransomware}}, date = {2019-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html}, language = {English}, urldate = {2019-11-28} } @online{ivanov:20190703:lilocked:0eb5e17, author = {Andrew Ivanov}, title = {{Lilocked Ransomware}}, date = {2019-07-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20191004:scarecrow:0d5bfe4, author = {Andrew Ivanov}, title = {{ScareCrow Ransomware}}, date = {2019-10-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/scarecrow-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20191011:mespinoza:e9cd17e, author = {Andrew Ivanov}, title = {{Mespinoza Ransomware}}, date = {2019-10-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html}, language = {English}, urldate = {2020-03-26} } @online{ivanov:20191015:medusalocker:132bb68, author = {Andrew Ivanov}, title = {{MedusaLocker Ransomware}}, date = {2019-10-15}, url = {http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html}, language = {English}, urldate = {2020-01-07} } @online{ivanov:20191019:abcd:06360d3, author = {Andrew Ivanov}, title = {{ABCD Ransomware LockBit Ransomware}}, date = {2019-10-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/search?q=lockbit}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20191020:infodot:47e0fd2, author = {Andrew Ivanov}, title = {{InfoDot Ransomware}}, date = {2019-10-20}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html}, language = {Russian}, urldate = {2020-04-01} } @online{ivanov:20191023:pwndlocker:d776ac5, author = {Andrew Ivanov}, title = {{PwndLocker Ransomware}}, date = {2019-10-23}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html}, language = {Russian}, urldate = {2020-03-03} } @online{ivanov:20191025:hdmr:de88a6d, author = {Andrew Ivanov}, title = {{HDMR, GO-SPORT}}, date = {2019-10-25}, url = {http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191104:hakbit:473fb88, author = {Andrew Ivanov}, title = {{Hakbit Ransomware}}, date = {2019-11-04}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html}, language = {Russian}, urldate = {2020-01-10} } @online{ivanov:20191113:antefrigus:ad4c113, author = {Andrew Ivanov}, title = {{AnteFrigus Ransomware}}, date = {2019-11-13}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:c1815bb, author = {Andrew Ivanov}, title = {{Tweet on Wacatac Ransomware}}, date = {2019-11-19}, organization = {Twitter (@Amigo_A_)}, url = {https://twitter.com/Amigo_A_/status/1196898012645220354}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:e257783, author = {Andrew Ivanov}, title = {{Wacatac Ransomware}}, date = {2019-11-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191122:turkstatik:ada70a9, author = {Andrew Ivanov}, title = {{TurkStatik Ransomware}}, date = {2019-11-22}, url = {http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html}, language = {English}, urldate = {2019-11-28} } @online{ivanov:20191205:redrum:bc66b75, author = {Andrew Ivanov}, title = {{RedRum Ransomware}}, date = {2019-12-05}, url = {https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html}, language = {Russian}, urldate = {2020-12-23} } @online{ivanov:20191219:chernolocker:1d71ebd, author = {Andrew Ivanov}, title = {{ChernoLocker Ransomware}}, date = {2019-12-19}, url = {https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html}, language = {Russian}, urldate = {2020-01-26} } @online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } @online{ivanov:20200109:ako:79016d7, author = {Andrew Ivanov}, title = {{Ako, MedusaReborn}}, date = {2020-01-09}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html}, language = {English}, urldate = {2020-05-18} } @online{ivanov:20200125:cryptopatronum:4adacea, author = {Andrew Ivanov}, title = {{cryptopatronum ransomware}}, date = {2020-01-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html}, language = {Russian}, urldate = {2020-02-03} } @online{ivanov:20200130:thecursedmurderer:a2a7e72, author = {Andrew Ivanov}, title = {{TheCursedMurderer Ransomware}}, date = {2020-01-30}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200201:fct:ba54e92, author = {Andrew Ivanov}, title = {{FCT Ransomware}}, date = {2020-02-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200203:passlock:a72c982, author = {Andrew Ivanov}, title = {{PassLock Ransomware}}, date = {2020-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } @online{ivanov:20200206:sfile:d731e7d, author = {Andrew Ivanov}, title = {{Sfile Ransomware}}, date = {2020-02-06}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/sfile2-ransomware.html}, language = {Russian}, urldate = {2021-12-17} } @online{ivanov:20200217:gibberish:b003dbc, author = {Andrew Ivanov}, title = {{Gibberish Ransomware}}, date = {2020-02-17}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200225:blackkingdom:5c73f86, author = {Andrew Ivanov}, title = {{BlackKingdom Ransomware}}, date = {2020-02-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html}, language = {Russian}, urldate = {2020-06-16} } @online{ivanov:20200301:cryptodarkrubix:6720abd, author = {Andrew Ivanov}, title = {{CryptoDarkRubix Ransomware}}, date = {2020-03-01}, url = {https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html}, language = {Russian}, urldate = {2020-07-30} } @online{ivanov:20200307:javalocker:4b44b72, author = {Andrew Ivanov}, title = {{JavaLocker Ransomware}}, date = {2020-03-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200311:coronavirus:1b3c4d6, author = {Andrew Ivanov}, title = {{CoronaVirus Ransomware}}, date = {2020-03-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200312:teslarvng:0ab7628, author = {Andrew Ivanov}, title = {{Teslarvng Ransomware Yakuza Ransomware}}, date = {2020-03-12}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html}, language = {Russian}, urldate = {2020-03-27} } @online{ivanov:20200314:nefilim:329ccf1, author = {Andrew Ivanov}, title = {{Nefilim Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html}, language = {English}, urldate = {2020-03-22} } @online{ivanov:20200314:rekensom:1e0a54a, author = {Andrew Ivanov}, title = {{RekenSom Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200317:prolock:3aa858f, author = {Andrew Ivanov}, title = {{ProLock Ransomware}}, date = {2020-03-17}, url = {https://id-ransomware.blogspot.com/2020/03/prolock-ransomware.html}, language = {Russian}, urldate = {2020-04-06} } @online{ivanov:20200318:sekhmet:0463cdb, author = {Andrew Ivanov}, title = {{Sekhmet Ransomware}}, date = {2020-03-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200324:kekw:ef9d6a6, author = {Andrew Ivanov}, title = {{KEKW Ransomware KEKW-Locker Ransomware}}, date = {2020-03-24}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200331:wannaren:0ab1946, author = {Andrew Ivanov}, title = {{WannaRen Ransomware}}, date = {2020-03-31}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200401:jeno:379b0a1, author = {Andrew Ivanov}, title = {{Jeno Ransomware}}, date = {2020-04-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200410:void:3b7f0d1, author = {Andrew Ivanov}, title = {{Void Ransomware}}, date = {2020-04-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html}, language = {Russian}, urldate = {2020-04-13} } @online{ivanov:20200419:sadogo:0a661a2, author = {Andrew Ivanov}, title = {{Sadogo Ransomware}}, date = {2020-04-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200426:gocryptolocker:116e256, author = {Andrew Ivanov}, title = {{goCryptoLocker}}, date = {2020-04-26}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html}, language = {Russian}, urldate = {2020-05-02} } @online{ivanov:20200505:kupidon:2ed3a22, author = {Andrew Ivanov}, title = {{Kupidon Ransomware}}, date = {2020-05-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/05/kupidon-ransomware.html}, language = {English}, urldate = {2022-09-08} } @online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } @online{ivanov:20200707:silentdeath:fed1f53, author = {Andrew Ivanov}, title = {{SilentDeath Ransomware}}, date = {2020-07-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/07/silentdeath-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20200716:fastwind:5e4367c, author = {Andrew Ivanov}, title = {{FastWind Ransomware}}, date = {2020-07-16}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/07/fastwind-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20200810:darkside:2c93936, author = {Andrew Ivanov}, title = {{DarkSide Ransomware}}, date = {2020-08-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html}, language = {English}, urldate = {2020-11-17} } @online{ivanov:20200818:thunderx:0d8f847, author = {Andrew Ivanov}, title = {{ThunderX Ransomware}}, date = {2020-08-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html}, language = {English}, urldate = {2020-09-15} } @online{ivanov:20200825:cyrat:62cd54c, author = {Andrew Ivanov}, title = {{Cyrat Ransomware}}, date = {2020-08-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html}, language = {English}, urldate = {2020-09-01} } @online{ivanov:20200830:z3:21024c4, author = {Andrew Ivanov}, title = {{Z3 Ransomware}}, date = {2020-08-30}, url = {https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html}, language = {Russian}, urldate = {2020-09-15} } @online{ivanov:20200831:xp10:f6f0110, author = {Andrew Ivanov}, title = {{XP10 Ransomware}}, date = {2020-08-31}, url = {https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html}, language = {Russian}, urldate = {2020-09-15} } @online{ivanov:20200918:egregor:c790f36, author = {Andrew Ivanov}, title = {{Egregor Ransomware}}, date = {2020-09-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html}, language = {Russian}, urldate = {2020-11-04} } @online{ivanov:20201014:lv:249dc00, author = {Andrew Ivanov}, title = {{LV Ransomware}}, date = {2020-10-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/10/lv-ransomware.html}, language = {English}, urldate = {2021-05-13} } @online{ivanov:20201025:metadatabin:54442a7, author = {Andrew Ivanov}, title = {{MetadataBin Ransomware}}, date = {2020-10-25}, url = {https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html}, language = {Russian}, urldate = {2020-10-29} } @online{ivanov:20201027:mars:a275f99, author = {Andrew Ivanov}, title = {{Mars Ransomware}}, date = {2020-10-27}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/10/mars-ransomware.html}, language = {Russian}, urldate = {2022-09-07} } @online{ivanov:20201113:hellokitty:d65136d, author = {Andrew Ivanov}, title = {{HelloKitty Ransomware}}, date = {2020-11-13}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html}, language = {English}, urldate = {2021-02-10} } @online{ivanov:20210510:prometheus:ca33dd5, author = {Andrew Ivanov}, title = {{Prometheus Ransomware Haron Ransomware}}, date = {2021-05-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html}, language = {English}, urldate = {2021-08-02} } @online{ivanov:20210615:targetcompany:3c62eb6, author = {Andrew Ivanov}, title = {{TargetCompany Ransomware}}, date = {2021-06-15}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html}, language = {Russian}, urldate = {2022-02-10} } @online{ivanov:20210618:0xxx:e0e788e, author = {Andrew Ivanov}, title = {{0xxx Ransomware}}, date = {2021-06-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/06/0xxx-ransomware.html}, language = {Russian}, urldate = {2022-09-07} } @online{ivanov:20210706:avoslocker:67cfc5a, author = {Andrew Ivanov}, title = {{AvosLocker Ransomware}}, date = {2021-07-06}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/07/avoslocker-ransomware.html}, language = {Russian}, urldate = {2021-07-20} } @online{ivanov:20210801:blackmatter:a344018, author = {Andrew Ivanov}, title = {{BlackMatter Ransomware}}, date = {2021-08-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html}, language = {Russian}, urldate = {2021-08-02} } @online{ivanov:20211201:blackcat:e87a771, author = {Andrew Ivanov}, title = {{BlackCat Ransomware}}, date = {2021-12-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html}, language = {Russian}, urldate = {2022-01-03} } @online{ivanov:20220822:meow:f74830b, author = {Andrew Ivanov}, title = {{Meow Ransomware}}, date = {2022-08-22}, url = {https://id-ransomware.blogspot.com/2022/09/meow-ransomware.html}, language = {Russian}, urldate = {2022-09-19} } @online{ivanyuk:20191024:popular:e70c137, author = {Alexander Ivanyuk}, title = {{Popular Backup Solutions Easily Disabled by Recent HILDACRYPT Ransomware}}, date = {2019-10-24}, organization = {Acronis}, url = {https://www.acronis.com/en-eu/blog/posts/popular-backup-solutions-easily-disabled-recent-hildacrypt-ransomware/}, language = {English}, urldate = {2023-10-10} } @techreport{iverify:20250409:abusing:9b6bbd9, author = {iVerify}, title = {{Abusing Data in the Middle}}, date = {2025-04-09}, institution = {iVerify}, url = {https://40052983.fs1.hubspotusercontent-na1.net/hubfs/40052983/iVerify-Abusing-Data-in-the-Middle.pdf}, language = {English}, urldate = {2025-04-28} } @online{iwcommunityfr:20240410:leak:610ad0a, author = {IWcommunityFR}, title = {{Leak of Epsilon Stealer's source code}}, date = {2024-04-10}, organization = {Github (KekraLoader)}, url = {https://web.archive.org/20240626101253/https://github.com/KekraLoader/Epsilon-Stealer/tree/b258f04b9caf1f00527a7190c7ed00ad17ce96b1}, language = {English}, urldate = {2024-12-09} } @online{iyzvyk:20220315:detecting:b507962, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{Detecting EnemyBot – Securonix Initial Coverage Advisory}}, date = {2022-03-15}, organization = {Securonix}, url = {https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20220330:new:1908f30, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents}}, date = {2022-03-30}, organization = {Securonix}, url = {https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20220720:stiffbizon:ae896da, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix}}, date = {2022-07-20}, organization = {Securonix Threat Labs}, url = {https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20220829:securonix:a15320a, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{Securonix Threat Labs Security Advisory: New Golang Attack Campaign GO#WEBBFUSCATOR Leverages Office Macros and James Webb Images to Infect Systems}}, date = {2022-08-29}, organization = {Securonix}, url = {https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20220928:securonix:7e14e6e, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors}}, date = {2022-09-28}, organization = {Securonix}, url = {https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20230125:securonix:866c376, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection}}, date = {2023-01-25}, organization = {Securonix}, url = {https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20230420:new:a864a61, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{New OCX#HARVESTER Attack Campaign Leverages a Modernized More_eggs Suite to Target Victims}}, date = {2023-04-20}, organization = {Securonix}, url = {https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/}, language = {English}, urldate = {2023-04-25} } @online{iyzvyk:20230512:ongoing:2bad7b3, author = {Den Iyzvyk and Tim Peck and Oleg Kolesnikov}, title = {{Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads}}, date = {2023-05-12}, organization = {Securonix}, url = {https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/}, language = {English}, urldate = {2023-05-16} } @online{iyzvyk:20230623:detecting:bdc70ce, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{Detecting New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities to Drop Multiple RAT Payloads With Security Analytics}}, date = {2023-06-23}, organization = {Securonix}, url = {https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20240201:analysis:a2333db, author = {Den Iyzvyk and Tim Peck and Oleg Kolesnikov}, title = {{Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor}}, date = {2024-02-01}, organization = {Securonix}, url = {https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/}, language = {English}, urldate = {2024-02-05} } @online{iyzvyk:20240318:analysis:c1d7a97, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware}}, date = {2024-03-18}, organization = {Securonix}, url = {https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/}, language = {English}, urldate = {2024-11-06} } @online{iyzvyk:20240424:analysis:ea97284, author = {Den Iyzvyk and Oleg Kolesnikov and Tim Peck}, title = {{Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover}}, date = {2024-04-24}, organization = {Securonix}, url = {https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/}, language = {English}, urldate = {2024-06-28} } @online{iyzvyk:20240829:from:4644ec1, author = {Den Iyzvyk and Tim Peck}, title = {{From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users}}, date = {2024-08-29}, organization = {Securonix}, url = {https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/}, language = {English}, urldate = {2024-09-02} } @online{iyzvyk:20241003:shroudedsleep:6a6a793, author = {Den Iyzvyk and Tim Peck}, title = {{SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia}}, date = {2024-10-03}, organization = {Securonix}, url = {https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/}, language = {English}, urldate = {2024-10-18} } @online{iyzvyk:20241104:crontrap:c620122, author = {Den Iyzvyk and Tim Peck}, title = {{CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging}}, date = {2024-11-04}, organization = {Securonix}, url = {https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/}, language = {English}, urldate = {2024-11-05} } @online{j:20181218:scumbag:720cb3c, author = {Lokesh J}, title = {{Scumbag Combo: Agent Tesla and XpertRAT}}, date = {2018-12-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=15672}, language = {English}, urldate = {2020-01-06} } @online{j:20200413:guloader:a8374ed, author = {Lokesh J}, title = {{GuLoader delivers RATs and Spies in Disguise}}, date = {2020-04-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=20156}, language = {English}, urldate = {2021-01-10} } @online{j:20210217:guloader:c652eb6, author = {Lokesh J}, title = {{GuLoader Snowballs via MalSpam Campaigns}}, date = {2021-02-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21725Lokesh}, language = {English}, urldate = {2021-03-31} } @online{j:20210219:github:4fa7b0e, author = {Partheeban J}, title = {{GitHub – Home to AsyncRAT Backdoor}}, date = {2021-02-19}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21759}, language = {English}, urldate = {2021-03-31} } @online{j:20210623:java:d992617, author = {Lokesh J}, title = {{Java Plug-Ins Delivering Zloader}}, date = {2021-06-23}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22458}, language = {English}, urldate = {2021-06-24} } @online{jaalma:20221231:analyzing:f57c355, author = {Jaalma}, title = {{Analyzing a VIDAR Infostealer Sample}}, date = {2022-12-31}, organization = {Jaalma's Blog}, url = {https://blog.jaalma.io/vidar-infostealer-analysis/}, language = {English}, urldate = {2023-04-25} } @online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } @online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } @online{jackson:20200505:tinker:34ae7ae, author = {Ben Jackson and Will Bonner}, title = {{Tinker Telco Soldier Spy}}, date = {2020-05-05}, organization = {Troopers Conference}, url = {https://troopers.de/troopers22/talks/7cv8pz}, language = {English}, urldate = {2022-05-08} } @online{jackson:20200714:python:6b03611, author = {Austin Jackson}, title = {{PYTHON MALWARE ON THE RISE}}, date = {2020-07-14}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/}, language = {English}, urldate = {2020-12-23} } @online{jackson:20201215:threat:00bfb46, author = {Austin Jackson}, title = {{Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)}}, date = {2020-12-15}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/}, language = {English}, urldate = {2020-12-23} } @online{jackson:20220505:tinker:2cde4e9, author = {Ben Jackson and Will Bonner}, title = {{Tinker Telco Soldier Spy (to be given 2022-06-27)}}, date = {2022-05-05}, organization = {Troopers Conference}, url = {https://troopers.de/troopers22/talks/7cv8pz/}, language = {English}, urldate = {2022-05-06} } @online{jacquais:20180109:bestkorea:94b6c7a, author = {Jacquais}, title = {{BestKorea}}, date = {2018-01-09}, url = {https://github.com/Jacquais/BestKorea}, language = {English}, urldate = {2020-03-13} } @online{jaeger:20210720:timesketch:f09cd55, author = {alexander jaeger}, title = {{Tweet on timesketch timeline for Pegasus related activities}}, date = {2021-07-20}, organization = {Twitter (@alexanderjaeger)}, url = {https://twitter.com/alexanderjaeger/status/1417447732030189569}, language = {English}, urldate = {2021-08-02} } @online{jaekwang:20230214:ttps:9a2bc51, author = {Lee Jae-kwang and Park Yong-gyu and Choi Kwang-Hee}, title = {{TTPs $ ScarCruft Tracking Note}}, date = {2023-02-14}, organization = {ThorCERT}, url = {https://thorcert.notion.site/TTPs-ScarCruft-Tracking-Note-67acee42e4ba47398183db9fc7792aff}, language = {Korean}, urldate = {2023-02-14} } @online{jain:20221005:analysis:6dd7539, author = {Shatak Jain and Aditya Sharma}, title = {{Analysis of LilithBot Malware and Eternity Threat Group}}, date = {2022-10-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group}, language = {English}, urldate = {2023-03-23} } @online{jain:20230214:havoc:cce9217, author = {Shatak Jain and Niraj Shivtarkar}, title = {{Havoc Across the Cyberspace}}, date = {2023-02-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace}, language = {English}, urldate = {2023-02-16} } @online{jain:20230418:introducing:4367edf, author = {Shatak Jain and Meghraj Nandanwar}, title = {{Introducing DevOpt: A Multifunctional Backdoor Arsenal}}, date = {2023-04-18}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal}, language = {English}, urldate = {2023-04-22} } @online{jain:20230621:ransomware:be11024, author = {Shatak Jain and Gurkirat Singh}, title = {{Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware attacks}}, date = {2023-06-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ransomware-redefined-redenergy-stealer-ransomware-attacks}, language = {English}, urldate = {2023-07-11} } @online{jallepalli:20190326:winrar:dff4878, author = {Dileep Kumar Jallepalli}, title = {{WinRAR Zero-day Abused in Multiple Campaigns}}, date = {2019-03-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html}, language = {English}, urldate = {2019-12-20} } @online{james:20111026:tsunami:7815511, author = {Peter James}, title = {{Tsunami Backdoor Can Be Used for Denial of Service Attacks}}, date = {2011-10-26}, organization = {Intego}, url = {https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks}, language = {English}, urldate = {2019-10-25} } @online{james:20240329:gist:0b40b85, author = {Sam James}, title = {{Gist with XZ Backdoor analysis}}, date = {2024-03-29}, organization = {Github (thesamsam)}, url = {https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27}, language = {English}, urldate = {2024-04-02} } @online{james:20240603:reversing:50c2cf0, author = {James}, title = {{Reversing Atomic macOS Stealer: Binaries, Backdoors & Browser Theft}}, date = {2024-06-03}, organization = {SpyCloud}, url = {https://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/}, language = {English}, urldate = {2024-09-13} } @online{james:20240906:curious:b86cfa2, author = {James}, title = {{The Curious Case of an Open Source Stealer: Phemedrone}}, date = {2024-09-06}, organization = {SpyCloud}, url = {https://spycloud.com/blog/phemedrone-stealer/}, language = {English}, urldate = {2024-09-13} } @online{james:20241219:lummac2:439a076, author = {James}, title = {{LummaC2 Revisited: What’s Making this Stealer Stealthier and More Lethal}}, date = {2024-12-19}, organization = {SpyCloud}, url = {https://spycloud.com/blog/lummac2-malware-stealthier-capabilities/}, language = {English}, urldate = {2025-02-21} } @online{james:20250325:hunt:9c525a4, author = {James}, title = {{On the Hunt for Ghost(Socks)}}, date = {2025-03-25}, organization = {SpyCloud}, url = {https://spycloud.com/blog/on-the-hunt-for-ghostsocks/}, language = {English}, urldate = {2025-03-26} } @online{jamesinthebox:20181001:dga:c78b3d8, author = {James_inthe_box}, title = {{Tweet on DGA using TLD xyz}}, date = {2018-10-01}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1046844087469391872}, language = {English}, urldate = {2020-01-08} } @online{jamesinthebox:20200512:himera:39130f2, author = {James_inthe_box}, title = {{Tweet on Himera Loader}}, date = {2020-05-12}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1260191589789392898}, language = {English}, urldate = {2020-05-18} } @online{jamesinthebox:20200814:echelon:699dd29, author = {James_inthe_box}, title = {{Tweet on Echelon Stealer}}, date = {2020-08-14}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1294088216807534593}, language = {English}, urldate = {2020-08-14} } @online{jamesinthebox:20210203:tiwtter:34b6440, author = {James_inthe_box}, title = {{Tiwtter thread on Nim rewrite of Bazarloader}}, date = {2021-02-03}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1357009652857196546}, language = {English}, urldate = {2021-02-17} } @online{jamesinthebox:20210603:askarloader:582c855, author = {James_inthe_box}, title = {{Tweet on AskarLoader malware}}, date = {2021-06-03}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1400175671792472068}, language = {English}, urldate = {2021-06-21} } @online{jamesinthebox:20210607:characteristic:1e8d734, author = {James_inthe_box}, title = {{Tweet on characteristic strings in snake keylogger}}, date = {2021-06-07}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1401921257109561353}, language = {English}, urldate = {2021-06-08} } @online{jameswt:20200525:fuckunicorn:8136f92, author = {JamesWT}, title = {{Tweet on FuckUnicorn instance of HiddenTear}}, date = {2020-05-25}, organization = {Twitter (@JAMESWT_MHT)}, url = {https://twitter.com/JAMESWT_MHT/status/1264828072001495041}, language = {English}, urldate = {2020-06-08} } @online{jameswt:20210501:linux:150fb0f, author = {JamesWT}, title = {{Tweet on linux version of DarkSide ransomware}}, date = {2021-05-01}, organization = {Twitter (@JAMESWT_MHT)}, url = {https://twitter.com/JAMESWT_MHT/status/1388301138437578757}, language = {English}, urldate = {2021-05-13} } @online{jameswt:20231013:tweets:b2a26b5, author = {JamesWT}, title = {{Tweets on Wikiloader delivering ISFB}}, date = {2023-10-13}, organization = {Twitter (@JAMESWT_MHT)}, url = {https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19}, language = {English}, urldate = {2023-10-16} } @online{jamie:20200331:lokibot:f927742, author = {Jamie}, title = {{LokiBot: Getting Equation Editor Shellcode}}, date = {2020-03-31}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/}, language = {English}, urldate = {2020-04-07} } @online{jamie:20200619:zloader:dd6729d, author = {Jamie}, title = {{zloader: VBA, R1C1 References, and Other Tomfoolery}}, date = {2020-06-19}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/}, language = {English}, urldate = {2020-06-21} } @online{jamie:20201216:snake404:7b8d820, author = {Jamie}, title = {{Snake/404 Keylogger, BIFF, and Covering Tracks?: An unusual maldoc}}, date = {2020-12-16}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/12/16/snake-404-keylogger-biff-and-covering-tracks-an-unusual-maldoc/}, language = {English}, urldate = {2020-12-18} } @online{jamie:20210202:xlsb:d82b047, author = {Jamie}, title = {{XLSB: Analyzing a Microsoft Excel Binary Spreadsheet}}, date = {2021-02-02}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2021/02/02/xlsb-analyzing-a-microsoft-excel-binary-spreadsheet/}, language = {English}, urldate = {2021-02-04} } @online{jang:20210426:microsoft:9ccf07e, author = {Min-Chang Jang}, title = {{Microsoft Exchange From Deserialization to Post-Auth RCE (CVE-2021–28482)}}, date = {2021-04-26}, organization = {Medium testbnull}, url = {https://testbnull.medium.com/microsoft-exchange-from-deserialization-to-post-auth-rce-cve-2021-28482-e713001d915f}, language = {Vietnamese}, urldate = {2021-06-07} } @online{jang:20211022:50:28a6ec4, author = {Jang}, title = {{50 Shades of SolarWinds Orion Deserialization (Part 1: CVE-2021–35215)}}, date = {2021-10-22}, organization = {Medium Jang}, url = {https://testbnull.medium.com/50-shades-of-solarwinds-orion-deserialization-part-1-cve-2021-35215-2e5764e0e4f2}, language = {English}, urldate = {2021-10-26} } @online{janofsky:20200528:selfdescribed:f1ba0f2, author = {Adam Janofsky}, title = {{Self-described “king of fraud” is convicted for role in Methbot scam}}, date = {2020-05-28}, organization = {The Record}, url = {https://therecord.media/self-described-king-of-fraud-is-convicted-for-role-in-methbot-scam/}, language = {English}, urldate = {2021-06-09} } @online{janofsky:20210219:cyber:e883fe3, author = {Adam Janofsky and Timo Steffens}, title = {{Cyber Attribution Is More Art Than Science. This Researcher Has a Plan to Change That}}, date = {2021-02-19}, organization = {The Record}, url = {https://therecord.media/cyber-attribution-is-more-art-than-science-this-researcher-has-a-plan-to-change-that/}, language = {English}, urldate = {2021-02-20} } @online{janofsky:20210519:qlocker:96d964a, author = {Adam Janofsky}, title = {{Qlocker ransomware shuts down after extorting hundreds of QNAP users}}, date = {2021-05-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-down-after-extorting-hundreds-of-qnap-users/}, language = {English}, urldate = {2021-05-26} } @online{janofsky:20210519:solarwinds:5c31adf, author = {Adam Janofsky}, title = {{SolarWinds CEO apologizes for blaming an intern, says attack may have started in January 2019}}, date = {2021-05-19}, organization = {The Record}, url = {https://therecord.media/solarwinds-ceo-apologizes-for-blaming-an-intern-says-attack-may-have-started-in-january-2019/}, language = {English}, urldate = {2021-05-26} } @online{jansen:20200902:machine:2a2ed0a, author = {Joost Jansen}, title = {{Machine learning from idea to reality: a PowerShell case study}}, date = {2020-09-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/09/02/machine-learning-from-idea-to-reality-a-powershell-case-study/}, language = {English}, urldate = {2020-09-03} } @online{jansen:20210112:abusing:c38eeb6, author = {Wouter Jansen}, title = {{Abusing cloud services to fly under the radar}}, date = {2021-01-12}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/}, language = {English}, urldate = {2021-01-18} } @online{japan:20210719:cases:7aac86a, author = {Ministry of Foreign Affairs of Japan}, title = {{Cases of cyberattacks including those by a group known as APT40 which the Chinese government is behind (Statement by Press Secretary YOSHIDA Tomoyuki)}}, date = {2021-07-19}, organization = {Ministry of Foreign Affairs of Japan}, url = {https://www.mofa.go.jp/press/danwa/press6e_000312.html}, language = {English}, urldate = {2021-07-22} } @online{jaramillo:20230509:akira:55a936a, author = {Paul Jaramillo}, title = {{Akira Ransomware is “bringin’ 1988 back”}}, date = {2023-05-09}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/}, language = {English}, urldate = {2023-05-11} } @online{jarosz:20230823:malwareasaservice:020b650, author = {Aleksander W. Jarosz}, title = {{Malware-as-a-Service: Redline Stealer Variants Demonstrate a Low-Barrier-to-Entry Threat}}, date = {2023-08-23}, organization = {EclecticIQ}, url = {https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat}, language = {English}, urldate = {2023-08-25} } @online{jarvis:20131218:cryptolocker:a15fe52, author = {Keith Jarvis}, title = {{CryptoLocker Ransomware}}, date = {2013-12-18}, organization = {Secureworks}, url = {https://www.secureworks.com/research/cryptolocker-ransomware}, language = {English}, urldate = {2019-11-27} } @online{javers:20210423:axis:c729317, author = {Eamon Javers}, title = {{Axis of REvil: What we know about the hacker collective taunting Apple}}, date = {2021-04-23}, organization = {CNBC}, url = {https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html}, language = {English}, urldate = {2021-04-29} } @online{jayanand:20211111:is:b8f1a8b, author = {Niranjan Jayanand}, title = {{Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader}}, date = {2021-11-11}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/}, language = {English}, urldate = {2021-11-12} } @online{jayanand:20220606:from:0fa017a, author = {Niranjan Jayanand}, title = {{From the Front Lines | Another Rebrand? Mindware and SFile Ransomware Technical Breakdown}}, date = {2022-06-06}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/}, language = {English}, urldate = {2022-06-09} } @online{jazi:20200416:new:6b7cb7a, author = {Hossein Jazi}, title = {{New AgentTesla variant steals WiFi credentials}}, date = {2020-04-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/}, language = {English}, urldate = {2020-04-16} } @online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } @online{jazi:20200603:new:96bf302, author = {Hossein Jazi and Jérôme Segura}, title = {{New LNK attack tied to Higaisa APT discovered}}, date = {2020-06-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/}, language = {English}, urldate = {2020-06-05} } @online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } @online{jazi:20200721:chinese:1cac516, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware}, language = {English}, urldate = {2022-07-25} } @online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } @online{jazi:20200930:evasive:0a411f9, author = {Hossein Jazi and Jérôme Segura}, title = {{Evasive Panda}}, date = {2020-09-30}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s}, language = {English}, urldate = {2022-07-25} } @techreport{jazi:20200930:evasive:7d02ab3, author = {Hossein Jazi and Jérôme Segura}, title = {{Evasive Panda}}, date = {2020-09-30}, institution = {Malwarebytes}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf}, language = {English}, urldate = {2022-07-25} } @online{jazi:20201006:release:11f16dc, author = {Hossein Jazi and Jérôme Segura}, title = {{Release the Kraken: Fileless APT attack abuses Windows Error Reporting service}}, date = {2020-10-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service}, language = {English}, urldate = {2020-10-08} } @online{jazi:20210106:retrohunting:65f1492, author = {Hossein Jazi}, title = {{Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat}}, date = {2021-01-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/}, language = {English}, urldate = {2021-01-11} } @techreport{jazi:20210224:lazyscripter:433f4bc, author = {Hossein Jazi}, title = {{LazyScripter: From Empire to double RAT}}, date = {2021-02-24}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf}, language = {English}, urldate = {2021-02-25} } @online{jazi:20210305:new:eb1e365, author = {Hossein Jazi}, title = {{New steganography attack targets Azerbaijan}}, date = {2021-03-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/03/new-steganography-attack-targets-azerbaijan/}, language = {English}, urldate = {2021-03-22} } @online{jazi:20210406:aurora:af2fbd7, author = {Hossein Jazi}, title = {{Aurora campaign: Attacking Azerbaijan using multiple RATs}}, date = {2021-04-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attacking-azerbaijan-using-multiple-rats/}, language = {English}, urldate = {2021-04-09} } @online{jazi:20210419:lazarus:1790273, author = {Hossein Jazi}, title = {{Lazarus APT conceals malicious code within BMP image to drop its RAT}}, date = {2021-04-19}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat}, language = {English}, urldate = {2023-09-22} } @online{jazi:20210419:lazarus:dd2c372, author = {Hossein Jazi}, title = {{Lazarus APT conceals malicious code within BMP image to drop its RAT}}, date = {2021-04-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/}, language = {English}, urldate = {2021-06-25} } @online{jazi:20210601:kimsuky:922141b, author = {Hossein Jazi}, title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}}, date = {2021-06-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/}, language = {English}, urldate = {2021-06-09} } @online{jazi:20210728:crimea:02098e0, author = {Hossein Jazi}, title = {{Crimea “manifesto” deploys VBA Rat using double attack vectors}}, date = {2021-07-28}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/}, language = {English}, urldate = {2021-08-02} } @online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } @online{jazi:20211112:multistage:e70f6d0, author = {Hossein Jazi}, title = {{A multi-stage PowerShell based attack targets Kazakhstan}}, date = {2021-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/}, language = {English}, urldate = {2021-11-17} } @online{jazi:20211202:sidecopy:9e7363c, author = {Hossein Jazi and Threat Intelligence Team}, title = {{SideCopy APT: Connecting lures to victims, payloads to infrastructure}}, date = {2021-12-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/}, language = {English}, urldate = {2021-12-06} } @online{jazi:20220329:new:21f3605, author = {Hossein Jazi}, title = {{New spear phishing campaign targets Russian dissidents}}, date = {2022-03-29}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/}, language = {English}, urldate = {2022-03-31} } @online{jazi:20230719:observation:b97d029, author = {Hossein Jazi}, title = {{Tweet on observation with Korean targeting, suspecting Lazarus}}, date = {2023-07-19}, organization = {Twitter (@h2jazi)}, url = {https://twitter.com/h2jazi/status/1681426768597778440}, language = {English}, urldate = {2023-07-24} } @online{jedynak:20170104:technical:9cf0ab7, author = {Jarosław Jedynak}, title = {{Technical analysis of CryptoMix/CryptFile2 ransomware}}, date = {2017-01-04}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170130:nymaim:d5553e6, author = {Jarosław Jedynak}, title = {{Nymaim revisited}}, date = {2017-01-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/nymaim-revisited/}, language = {English}, urldate = {2020-01-09} } @online{jedynak:20170214:sage:c9187b1, author = {Jarosław Jedynak}, title = {{Sage 2.0 analysis}}, date = {2017-02-14}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/sage-2-0-analysis/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170530:mole:868f8ea, author = {Jarosław Jedynak}, title = {{Mole ransomware: analysis and decryptor}}, date = {2017-05-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/}, language = {English}, urldate = {2019-12-17} } @online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } @online{jedynak:20230223:tale:4a0d4cd, author = {Jarosław Jedynak and Michał Praszmo}, title = {{A tale of Phobos - how we almost cracked a ransomware using CUDA}}, date = {2023-02-23}, organization = {CERT.PL}, url = {https://cert.pl/en/posts/2023/02/breaking-phobos/}, language = {English}, urldate = {2023-02-27} } @online{jedynak:20231024:malware:8c5cd79, author = {Jarosław Jedynak}, title = {{Malware stories: Deworming the XWorm}}, date = {2023-10-24}, organization = {CERT.PL}, url = {https://cert.pl/en/posts/2023/10/deworming-the-xworm/}, language = {English}, urldate = {2023-10-30} } @online{jeff0falltrades:20200610:frat:6a40185, author = {jeFF0Falltrades and James_inthe_box and _re_fox}, title = {{FRat Reporting, YARA, and IoCs}}, date = {2020-06-10}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md}, language = {English}, urldate = {2020-06-12} } @online{jeff:20220218:dynamically:5629608, author = {jeff}, title = {{Dynamically extracting the encryption key from a simple ransomware}}, date = {2022-02-18}, organization = {0x00sec}, url = {https://0x00sec.org/t/dynamically-extracting-the-encryption-key-from-a-simple-ransomware/28379}, language = {English}, urldate = {2022-03-28} } @online{jefferson:20230731:chinabacked:b3e5da9, author = {Greg Jefferson}, title = {{China-Backed Hackers Threaten Texas Military Sites, Utilities}}, date = {2023-07-31}, organization = {Medium (csg-govtech)}, url = {https://www.govtech.com/security/china-backed-hackers-threaten-texas-military-sites-utilities}, language = {English}, urldate = {2023-08-25} } @online{jenderal92:20250208:github:562a650, author = {Jenderal92}, title = {{Github Repository for Shin Webshell}}, date = {2025-02-08}, organization = {Github (@Jenderal92)}, url = {https://github.com/Jenderal92/KC5}, language = {English}, urldate = {2025-02-10} } @online{jenkins:20211206:suspected:d9da4ec, author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)}, title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}}, date = {2021-12-06}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/russian-targeting-gov-business}, language = {English}, urldate = {2021-12-07} } @online{jenkins:20220804:likely:37b622e, author = {Luke Jenkins and Emiel Haeghebaert and Alice Revelli and Ben Read}, title = {{Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations}}, date = {2022-08-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against}, language = {English}, urldate = {2022-08-08} } @online{jenkins:20220804:roadsweep:2e4edb3, author = {Luke Jenkins and Emiel Haeghebaert and Alice Revelli and Ben Read}, title = {{ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations}}, date = {2022-08-04}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?e=48754805&hl=en}, language = {English}, urldate = {2024-10-18} } @online{jenkins:20230922:backchannel:6da10a8, author = {Luke Jenkins and Josh Atkins and Dan Black}, title = {{Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations}}, date = {2023-09-22}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing}, language = {English}, urldate = {2023-10-18} } @online{jenkins:20240322:apt29:13a90c0, author = {Luke Jenkins and Dan Black}, title = {{APT29 Uses WINELOADER to Target German Political Parties}}, date = {2024-03-22}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties}, language = {English}, urldate = {2024-07-19} } @online{jennings:20170417:python:d5a3654, author = {Luke Jennings}, title = {{Python script for decoding DOUBLEPULSAR}}, date = {2017-04-17}, organization = {Github (countercept)}, url = {https://github.com/countercept/doublepulsar-c2-traffic-decryptor}, language = {English}, urldate = {2020-01-08} } @online{jensen:20201218:strategic:0c28573, author = {Benjamin Jensen and Brandon Valeriano and Mark Montgomery}, title = {{The Strategic Implications of SolarWinds}}, date = {2020-12-18}, organization = {Lawfare Blog}, url = {https://www.lawfareblog.com/strategic-implications-solarwinds}, language = {English}, urldate = {2020-12-19} } @online{jesus:20210504:new:38799c6, author = {Monte de Jesus and Fyodor Yarochkin and Paul Pajares}, title = {{New Panda Stealer Targets Cryptocurrency Wallets}}, date = {2021-05-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html}, language = {English}, urldate = {2021-05-04} } @online{jesus:20210810:chaos:153f943, author = {Monte de Jesus and Don Ovid Ladores}, title = {{Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications}}, date = {2021-08-10}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html}, language = {English}, urldate = {2021-08-23} } @online{jewell:20210914:north:ac59990, author = {Ethan Jewell and Jeongmin Kim}, title = {{North Korea-linked account poses as KBS scriptwriter to dupe DPRK watchers}}, date = {2021-09-14}, organization = {NK News}, url = {https://www.nknews.org/2021/09/north-korea-linked-account-poses-as-kbs-scriptwriter-to-dupe-dprk-watchers}, language = {English}, urldate = {2021-09-22} } @online{jewell:20221115:north:7e50d11, author = {Ethan Jewell}, title = {{North Korean hackers targeted Ukraine as it fought off Russia’s invasion: Report}}, date = {2022-11-15}, organization = {NK News}, url = {https://www.nknews.org/pro/north-korean-hackers-targeted-ukraine-as-it-fought-off-russias-invasion-report/}, language = {English}, urldate = {2022-12-20} } @online{jger:20211103:use:b2d1e54, author = {Alexander Jäger}, title = {{Use EVTX files on VirusTotal with Timesketch and Sigma (Part1)}}, date = {2021-11-03}, organization = {open source dfir}, url = {https://osdfir.blogspot.com/2021/11/use-evtx-files-on-virustotal-part1.html}, language = {English}, urldate = {2021-11-17} } @online{jger:20211110:use:c259abd, author = {Alexander Jäger}, title = {{Use EVTX files on VirusTotal with Timesketch and Sigma (Part 2)}}, date = {2021-11-10}, organization = {open source dfir}, url = {https://osdfir.blogspot.com/2021/11/use-evtx-files-on-virustotal-part2.html}, language = {English}, urldate = {2021-11-17} } @online{jhangju:20220407:officenode:c90d341, author = {Jhangju}, title = {{office-node (OFFODE) - This is POC of how an attacker automate user's responce and bypass outlook}}, date = {2022-04-07}, organization = {Github (Jhangju)}, url = {https://github.com/Jhangju/offode}, language = {English}, urldate = {2024-03-18} } @online{ji:20210926:insights:51c06b8, author = {Jie Ji}, title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}}, date = {2021-09-26}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/}, language = {English}, urldate = {2021-11-25} } @online{jia:20201209:njrat:f7f3b49, author = {Yanhui Jia and Chris Navarrete and Haozhe Zhang}, title = {{njRAT Spreading Through Active Pastebin Command and Control Tunnel}}, date = {2020-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control}, language = {English}, urldate = {2020-12-11} } @online{jia:20210409:emotet:c376dd2, author = {Yanhui Jia and Chris Navarrete}, title = {{Emotet Command and Control Case Study}}, date = {2021-04-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emotet-command-and-control/}, language = {English}, urldate = {2021-04-12} } @techreport{jiang:20150910:hangul:2e0fc13, author = {Genwei Jiang and Josiah Kimble}, title = {{Hangul Word Processor (HWP)Zero-Day: possible ties to North Korean threat actors}}, date = {2015-09-10}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf}, language = {English}, urldate = {2020-01-13} } @online{jiang:20151216:eps:3db357c, author = {Genwei Jiang and Dan Caselden and Ryann Winters}, title = {{The EPS Awakens}}, date = {2015-12-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html}, language = {English}, urldate = {2019-12-20} } @online{jiayu:20180124:mykings:63bef87, author = {JiaYu}, title = {{MyKings: A massively multiple botnet}}, date = {2018-01-24}, url = {http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/}, language = {Chinese}, urldate = {2019-11-20} } @online{jiayu:20180613:ddgminingbotnet:b19f331, author = {JiaYu}, title = {{DDG.Mining.Botnet 近期活动分析}}, date = {2018-06-13}, organization = {Netlab}, url = {https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/}, language = {English}, urldate = {2021-09-28} } @online{jiayu:20180712:old:2f1985f, author = {JiaYu}, title = {{Old Botnets never Die, and DDG REFUSE to Fade Away}}, date = {2018-07-12}, organization = {Netlab}, url = {https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/}, language = {English}, urldate = {2021-09-28} } @online{jiayu:20180801:threat:a4bd5e8, author = {JiaYu}, title = {{Threat Alert: DDG 3013 is Out}}, date = {2018-08-01}, organization = {Netlab}, url = {https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/}, language = {English}, urldate = {2021-09-28} } @online{jiayu:20181228:analysis:00e7736, author = {JiaYu}, title = {{analysis of the infrastructure renewal and corresponding mode of transmission of the "double-gun" trojan horse}}, date = {2018-12-28}, organization = {Netlab}, url = {https://blog.netlab.360.com/shuang-qiang-mu-ma-ji-chu-she-shi-geng-xin-ji-xiang-ying-chuan-bo-fang-shi-fen-xi/}, language = {Chinese}, urldate = {2021-10-24} } @online{jiayu:20190507:systemdminerwhen:c8e3748, author = {JiaYu}, title = {{SystemdMiner,when a botnet borrows another botnet’s infrastructure}}, date = {2019-05-07}, organization = {Netlab}, url = {https://blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/}, language = {English}, urldate = {2021-10-24} } @online{jiayu:20200408:ddg:49aee2c, author = {JiaYu}, title = {{DDG botnet, round X, is there an ending?}}, date = {2020-04-08}, organization = {Netlab}, url = {https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/}, language = {English}, urldate = {2021-09-28} } @online{jiayu:20201006:heh:48e69cc, author = {JiaYu}, title = {{HEH, a new IoT P2P Botnet going after weak telnet services}}, date = {2020-10-06}, organization = {360 netlab}, url = {https://blog.netlab.360.com/heh-an-iot-p2p-botnet/}, language = {English}, urldate = {2020-10-07} } @online{jiayu:20201120:blackrota:ee43da1, author = {JiaYu}, title = {{Blackrota, a highly obfuscated backdoor developed by Go}}, date = {2020-11-20}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/}, language = {Chinese}, urldate = {2020-11-23} } @online{jiayu:20201124:blackrota:8a46a54, author = {JiaYu}, title = {{Blackrota, a heavily obfuscated backdoor written in Go}}, date = {2020-11-24}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/}, language = {English}, urldate = {2020-12-03} } @online{jiayu:20210201:ddg:b8e4fae, author = {JiaYu}, title = {{DDG: A Mining Botnet Aiming at Database Servers}}, date = {2021-02-01}, organization = {Netlab}, url = {https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/}, language = {English}, urldate = {2023-05-15} } @online{jiayu:20210309:threat:fa2a2a3, author = {JiaYu}, title = {{Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities}}, date = {2021-03-09}, organization = {360 netlab}, url = {https://blog.netlab.360.com/threat-alert-z0miner-is-spreading-quickly-by-exploiting-elasticsearch-and-jenkins-vulnerabilities/}, language = {English}, urldate = {2021-03-11} } @online{jili:20221017:chinas:2a5dea2, author = {Bulelani Jili}, title = {{China’s surveillance ecosystem and the global spread of its tools}}, date = {2022-10-17}, organization = {Atlantic Council}, url = {https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/chinese-surveillance-ecosystem-and-the-global-spread-of-its-tools/}, language = {English}, urldate = {2024-09-13} } @online{jin:20190117:malware:f880151, author = {Xingyu Jin and Claud Xiao}, title = {{Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products}}, date = {2019-01-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/}, language = {English}, urldate = {2020-01-07} } @online{jin:20210722:updated:1a824a7, author = {Mickey Jin and Steven Du}, title = {{Updated XCSSET Malware Targets Telegram, Other Apps}}, date = {2021-07-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html}, language = {English}, urldate = {2021-07-26} } @online{jin:20210915:analyzing:9fb1dec, author = {Mickey Jin}, title = {{Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus (CVE-2021-30860)}}, date = {2021-09-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html}, language = {English}, urldate = {2021-09-19} } @online{jin:20220810:quantum:cbe3e82, author = {Xingyu Jin and Google Project Zero}, title = {{The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)}}, date = {2022-08-10}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2022/08/the-quantum-state-of-linux-kernel.html}, language = {English}, urldate = {2022-08-11} } @online{jindanlong:20201201:hunting:b9e2674, author = {jindanlong}, title = {{Hunting Beacons}}, date = {2020-12-01}, organization = {360.cn}, url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950}, language = {English}, urldate = {2021-01-10} } @online{jinye:20191217:lazarus:f97fffd, author = {Jinye and GenShen Ye}, title = {{Lazarus Group uses Dacls RAT to attack Linux platform}}, date = {2019-12-17}, organization = {Netlab}, url = {https://blog.netlab.360.com/dacls-the-dual-platform-rat/}, language = {Chinese}, urldate = {2020-01-07} } @online{jinye:20200523:new:20aa28f, author = {Jinye}, title = {{New activity of DoubleGuns Group, control hundreds of thousands of bots via public cloud service}}, date = {2020-05-23}, organization = {360 netlab}, url = {https://blog.netlab.360.com/shuangqiang/}, language = {English}, urldate = {2020-05-26} } @online{jinye:20210121:necropyinstallerdga:895bc13, author = {Jinye}, title = {{Necro在频繁升级,新版本开始使用PyInstaller和DGA}}, date = {2021-01-21}, organization = {Netlab}, url = {https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/}, language = {Chinese}, urldate = {2021-01-25} } @online{jinye:20210122:necro:31b428b, author = {Jinye}, title = {{Necro is going to version 3 and using PyInstaller and DGA}}, date = {2021-01-22}, organization = {360 netlab}, url = {https://blog.netlab.360.com/necro/}, language = {English}, urldate = {2024-01-12} } @online{jinye:20210304:gafgtyttor:ba71f67, author = {Jinye}, title = {{Gafgtyt_tor and Necro are on the move again}}, date = {2021-03-04}, organization = {360 netlab}, url = {https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/}, language = {English}, urldate = {2021-03-06} } @online{jinye:20210318:necro:e22f5c1, author = {Jinye and YANG XU}, title = {{Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux}}, date = {2021-03-18}, organization = {360 netlab}, url = {https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/}, language = {English}, urldate = {2021-03-19} } @online{jitu:20240830:anatomy:322db48, author = {Tonmoy Jitu}, title = {{Anatomy of a Lumma Stealer Attack via Fake CAPTCHA Pages - Part 1}}, date = {2024-08-30}, organization = {Denwp Research}, url = {https://denwp.com/anatomy-of-a-lumma-stealer/}, language = {English}, urldate = {2024-10-14} } @online{jitu:20240909:dissecting:a49e8e8, author = {Tonmoy Jitu}, title = {{Dissecting Lumma Malware: Analyzing the Fake CAPTCHA and Obfuscation Techniques - Part 2}}, date = {2024-09-09}, organization = {Denwp Research}, url = {https://denwp.com/dissecting-lumma-malware/}, language = {English}, urldate = {2024-10-14} } @online{jitu:20250320:reversing:8638608, author = {Tonmoy Jitu}, title = {{Reversing FUD AMOS Stealer}}, date = {2025-03-20}, organization = {Denwp Research}, url = {https://denwp.com/amos-stealer-fud/}, language = {English}, urldate = {2025-03-21} } @online{jitu:20250517:moreeggs:8431453, author = {Tonmoy Jitu}, title = {{More_Eggs? A Venom Spider Backdoor Targeting HR}}, date = {2025-05-17}, organization = {Denwp Research}, url = {https://denwp.com/more-eggs-venom-spider-phishing-campaign/}, language = {English}, urldate = {2025-05-28} } @online{jnok:20190128:russia:579f446, author = {Juraj Jánošík}, title = {{Russia hit by new wave of ransomware spam}}, date = {2019-01-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/}, language = {English}, urldate = {2019-11-14} } @online{jobmann:20220224:ibm:deaac04, author = {Anne Jobmann and Claire Zaboeva and Richard Emerson and Christopher Del Fierro and John Dwyer}, title = {{IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine}}, date = {2022-02-24}, organization = {IBM}, url = {https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/}, language = {English}, urldate = {2022-03-02} } @online{joe:20170127:deep:d365b7e, author = {Joe}, title = {{Deep Analysis of Android Ransom Charger}}, date = {2017-01-27}, organization = {Joe's Security}, url = {http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html}, language = {English}, urldate = {2020-01-08} } @online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } @online{johannes:20170131:malicious:ed4f2fb, author = {Johannes}, title = {{Malicious Office files using fileless UAC bypass to drop KEYBASE malware}}, date = {2017-01-31}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/}, language = {English}, urldate = {2020-01-08} } @online{john:20201028:macos:15c0a45, author = {John}, title = {{Tweet on macOS version of Manuscrypt}}, date = {2020-10-28}, organization = {Twitter (@BitsOfBinary)}, url = {https://twitter.com/BitsOfBinary/status/1321488299932983296}, language = {English}, urldate = {2020-12-03} } @online{johnson:20120906:elderwood:513c2a6, author = {A L Johnson}, title = {{The Elderwood Project}}, date = {2012-09-06}, organization = {Broadcom}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2023-10-05} } @online{johnson:20130219:apt1:ee9c94f, author = {A L Johnson}, title = {{APT1: Q&A on Attacks by the Comment Crew}}, date = {2013-02-19}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20150713:forkmeiamfamous:64957d9, author = {A L Johnson}, title = {{“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory}}, date = {2015-07-13}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-08-19} } @online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160222:russian:cc3bc7b, author = {A L Johnson}, title = {{Russian bank employees received fake job offers in targeted email attack}}, date = {2016-02-22}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160808:strider:49d9d44, author = {A L Johnson}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-08}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170212:attackers:2fdd5b5, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b}, language = {English}, urldate = {2023-08-13} } @online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20171214:attackers:6b0be76, author = {Blake Johnson and Dan Caban and Marina Krotofil and Dan Scali and Nathan Brubaker and Christopher Glyer}, title = {{Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure}}, date = {2017-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html}, language = {English}, urldate = {2019-12-20} } @online{johnson:20180515:swedish:47c0265, author = {Simon Johnson and Olof Swahnberg and Niklas Pollard and Hugh Lawson}, title = {{Swedish sports body says anti-doping unit hit by hacking attack}}, date = {2018-05-15}, organization = {Reuters}, url = {https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN}, language = {English}, urldate = {2019-12-10} } @online{johnson:20210601:evadere:68fba5e, author = {Jonathan Johnson}, title = {{Evadere Classifications}}, date = {2021-06-01}, organization = {SpecterOps}, url = {https://posts.specterops.io/evadere-classifications-8851a429c94b}, language = {English}, urldate = {2021-06-09} } @online{johnson:20220405:bypassing:2397ea1, author = {Jonathan Johnson}, title = {{Bypassing Access Mask Auditing Strategies}}, date = {2022-04-05}, organization = {Medium jsecurity101}, url = {https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158}, language = {English}, urldate = {2022-04-15} } @online{johnson:20230420:3cx:9ef2c90, author = {JEFF JOHNSON and Fred Plan and ADRIAN SANCHEZ and RENATO FONTANA and Jake Nicastro and Dimiter Andonov and Marius Fodoreanu and DANIEL SCOTT}, title = {{3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible}}, date = {2023-04-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise}, language = {English}, urldate = {2023-04-25} } @online{johnson:20241107:unwrapping:cb60d10, author = {Aliza Johnson and Chetan Raghuprasad and Elio Biasiotto and Michael Szeliga}, title = {{Unwrapping the emerging Interlock ransomware attack}}, date = {2024-11-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/emerging-interlock-ransomware/}, language = {English}, urldate = {2025-05-21} } @online{johnston:20210326:imperva:a78367a, author = {Daniel Johnston}, title = {{Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures}}, date = {2021-03-26}, organization = {Imperva}, url = {https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/}, language = {English}, urldate = {2021-03-30} } @online{johnston:20231214:imperva:276b9ee, author = {Daniel Johnston}, title = {{Imperva Detects Undocumented 8220 Gang Activities}}, date = {2023-12-14}, organization = {Imperva}, url = {https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/}, language = {English}, urldate = {2024-09-04} } @online{jon:20220127:malware:e37a723, author = {Jon}, title = {{Malware Analysis —Manual Unpacking of Redaman}}, date = {2022-01-27}, organization = {Medium jonahacks}, url = {https://jonahacks.medium.com/malware-analysis-manual-unpacking-of-redaman-ec1782352cfb}, language = {English}, urldate = {2022-04-04} } @techreport{jones:20160426:new:78ff145, author = {Jason Jones}, title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}}, date = {2016-04-26}, institution = {Github (CyberMonitor)}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf}, language = {English}, urldate = {2019-12-17} } @online{jones:20230424:opensource:a0f5347, author = {Austin Jones}, title = {{Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release}}, date = {2023-04-24}, organization = {Cofense}, url = {https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/}, language = {English}, urldate = {2023-04-26} } @online{jones:20231116:blackcat:4be2570, author = {Connor Jones}, title = {{BlackCat plays with malvertising traps to lure corporate victims}}, date = {2023-11-16}, organization = {The Register}, url = {https://www.theregister.com/2023/11/16/blackcat_ransomware_luring_corporate_targets/}, language = {English}, urldate = {2023-11-17} } @techreport{jornet:20211026:babuk:6e0cc22, author = {Aaron Jornet}, title = {{Babuk Ransomware}}, date = {2021-10-26}, institution = {Github (vc0RExor)}, url = {https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf}, language = {English}, urldate = {2022-01-25} } @online{jornet:20211223:snip3:ec5bfe1, author = {Aaron Jornet}, title = {{Snip3, an investigation into malware}}, date = {2021-12-23}, organization = {thinkbig blog}, url = {https://empresas.blogthinkbig.com/snip3-investigacion-malware/}, language = {Spanish}, urldate = {2022-01-25} } @techreport{jornet:20231112:swiss:b57bb8f, author = {Aaron Jornet}, title = {{The Swiss Knife: SystemBC | Coroxy}}, date = {2023-11-12}, institution = {Github (vc0RExor)}, url = {https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/The%20Swiss%20Knife%20-%20SystemBC%20%7C%20Coroxy/The%20Swiss%20Knife-SystemBC_EN.pdf}, language = {English}, urldate = {2023-12-14} } @online{jornet:20250331:darkcloud:97773eb, author = {Aaron Jornet and vc0RExor}, title = {{DarkCloud Stealer}}, date = {2025-03-31}, organization = {rexorvc0}, url = {https://rexorvc0.com/2025/03/31/DarkCloud/}, language = {English}, urldate = {2025-05-23} } @online{josh:20210610:hiding:dc7d429, author = {Josh}, title = {{Hiding your syscalls}}, date = {2021-06-10}, organization = {Twitter (@passthehashbrwn)}, url = {https://passthehashbrowns.github.io/hiding-your-syscalls}, language = {English}, urldate = {2021-06-21} } @online{joshi:20210309:hafnium:6b313e8, author = {Gorang Joshi and Anil Gupta and Saravanan Mohan}, title = {{Hafnium – Active Exploitation of Microsoft Exchange and Lateral Movement}}, date = {2021-03-09}, organization = {Attivo NETWORKS}, url = {https://attivonetworks.com/hafnium-active-exploitation-of-microsoft-exchange-and-lateral-movement/}, language = {English}, urldate = {2021-03-11} } @online{joshi:20210518:problemchild:8a7d615, author = {Apoorva Joshi and Disha Dasgupta and Craig Chamberlain}, title = {{ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack}}, date = {2021-05-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/problemchild-detecting-living-off-the-land-attacks}, language = {English}, urldate = {2021-05-19} } @techreport{joske:20191125:china:ebe3278, author = {Alex Joske}, title = {{The China Defence Universities Tracker - Exploring the military and security links of China’s universities}}, date = {2019-11-25}, institution = {Australian Strategic Policy Institute}, url = {https://s3-ap-southeast-2.amazonaws.com/ad-aspi/2019-11/The%20China%20Defence%20Universities%20Tracker_0.pdf}, language = {English}, urldate = {2021-01-29} } @online{joven:20160603:cooking:a48c0f8, author = {Rommel Abraham D Joven}, title = {{Cooking Up Autumn (Herbst) Ransomware}}, date = {2016-06-03}, organization = {Fortinet}, url = {https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware}, language = {English}, urldate = {2020-01-08} } @online{joven:20170609:macransom:56a318d, author = {Rommel Joven and Wayne Chin Yick Low}, title = {{MacRansom: Offered as Ransomware as a Service}}, date = {2017-06-09}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service}, language = {English}, urldate = {2020-01-05} } @online{joven:20180517:wicked:913857a, author = {Rommel Joven and Kenny Yang}, title = {{A Wicked Family of Bots}}, date = {2018-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html}, language = {English}, urldate = {2020-01-05} } @online{joven:20190627:inter:2cde728, author = {Rommel Joven}, title = {{Inter: Skimmer For All}}, date = {2019-06-27}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html}, language = {English}, urldate = {2020-01-10} } @online{joven:20230711:spies:14f8fb8, author = {Rommel Joven and Ng Choon Kiat}, title = {{The Spies Who Loved You: Infected USB Drives to Steal Secrets}}, date = {2023-07-11}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/infected-usb-steal-secrets/}, language = {English}, urldate = {2025-03-26} } @online{joven:20230711:spies:5594cd9, author = {Rommel Joven and Ng Choon Kiat}, title = {{The Spies Who Loved You: Infected USB Drives to Steal Secrets}}, date = {2023-07-11}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/infected-usb-steal-secrets}, language = {English}, urldate = {2023-07-31} } @online{jpcert:20160216:banking:43d5789, author = {JPCert}, title = {{Banking Trojan “Citadel” Returns}}, date = {2016-02-16}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html}, language = {English}, urldate = {2019-12-19} } @online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } @online{jpcertcc:20191210:updated:86aee30, author = {JPCERT/CC}, title = {{[Updated] Alert Regarding Emotet Malware Infection}}, date = {2019-12-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/english/at/2019/at190044.html}, language = {English}, urldate = {2020-01-09} } @online{jpcertcc:20210119:lodeinfo:3f1354c, author = {JPCERT/CC}, title = {{Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan}}, date = {2021-01-19}, organization = {Twitter (@jpcert_ac)}, url = {https://twitter.com/jpcert_ac/status/1351355443730255872}, language = {Japanese}, urldate = {2021-01-21} } @online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } @online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } @online{jr:20160829:german:f88cef5, author = {Floser Bacurio Jr. and Joie Salvio}, title = {{German Speakers Targeted by SPAM Leading to Ozone RAT}}, date = {2016-08-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html}, language = {English}, urldate = {2020-01-13} } @online{jsac:20220322:jsac:3a7429e, author = {JSAC}, title = {{JSAC 2022 -Day 1-}}, date = {2022-03-22}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html}, language = {English}, urldate = {2025-05-02} } @online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } @online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } @techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{jung:20200930:another:5edbad3, author = {Paul Jung}, title = {{Another Threat Actor day...}}, date = {2020-09-30}, institution = {CERT-XLM}, url = {https://vblocalhost.com/uploads/VB2020-Jung.pdf}, language = {English}, urldate = {2020-12-08} } @online{juracko:20210408:are:a7f76e6, author = {Filip Jurčacko}, title = {{(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor}}, date = {2021-04-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/}, language = {English}, urldate = {2023-09-18} } @online{juracko:20221130:whos:f177390, author = {Filip Jurčacko}, title = {{Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin}}, date = {2022-11-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/}, language = {English}, urldate = {2022-12-01} } @online{juracko:20240515:to:dc3bef4, author = {Filip Jurčacko}, title = {{To the Moon and back(doors): Lunar landing in diplomatic missions}}, date = {2024-05-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/}, language = {English}, urldate = {2024-05-21} } @online{jurez:20171121:new:828279e, author = {Oscar Juárez}, title = {{New banking malware in Brazil - XPCTRA RAT ANALYSIS}}, date = {2017-11-21}, organization = {bugaroo}, url = {https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis}, language = {English}, urldate = {2020-01-08} } @online{jursa:20200520:ghostdns:43190d5, author = {David Jursa and Simi Musilova and Jan Rubín and Alexej Savčin}, title = {{GhostDNS Source Code Leaked}}, date = {2020-05-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/simonamusilova/ghostdns-source-code-leaked/}, language = {English}, urldate = {2020-05-23} } @online{justanotherengineer:20231121:unmasking:68727c8, author = {JustAnother-Engineer}, title = {{Unmasking NJRat: A Deep Dive into a Notorious Remote Access Trojan Part1}}, date = {2023-11-21}, organization = {Medium infoSec Write-ups}, url = {https://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43}, language = {English}, urldate = {2023-11-22} } @online{justice:20160122:united:587b68a, author = {Department of Justice}, title = {{United States District Court Southern District New York vs. ITSEC Team}}, date = {2016-01-22}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-sdny/file/835061/download}, language = {English}, urldate = {2022-07-29} } @online{justice:20170410:justice:f1767d7, author = {US Department of Justice}, title = {{Justice Department Announces Actions to Dismantle Kelihos Botnet}}, date = {2017-04-10}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0}, language = {English}, urldate = {2019-12-03} } @online{justice:20171211:united:3fee774, author = {United States Department of Justice}, title = {{United States of America v. MIHAI ALEXANDRU ISVANCA and EVELINE CISMARU}}, date = {2017-12-11}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-dc/press-release/file/1021186/download}, language = {English}, urldate = {2023-07-19} } @online{justice:20180110:phillip:d3877cf, author = {U.S. Department of Justice}, title = {{Phillip Durachinsky Indictment}}, date = {2018-01-10}, url = {https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html}, language = {English}, urldate = {2019-12-24} } @online{justice:20180323:nine:51457d0, author = {United States Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic}, language = {English}, urldate = {2019-10-23} } @online{justice:20180323:nine:51c3fd6, author = {Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary}, language = {English}, urldate = {2019-12-17} } @online{justice:20180618:joshua:7362ccc, author = {Department of Justice}, title = {{Joshua Adam Schulte Charged with the Unauthorized Disclosure of Classified Information and Other Offenses Relating to the Theft of Classified Material from the Central Intelligence Agency}}, date = {2018-06-18}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses}, language = {English}, urldate = {2019-11-26} } @online{justice:20181212:indictment:d897f0c, author = {US Department of Justice}, title = {{Indictment against Andrey Turchin aka fxmsp}}, date = {2018-12-12}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-wdwa/press-release/file/1292541/download}, language = {English}, urldate = {2020-07-08} } @online{justice:20200626:russian:276b274, author = {Department of Justice}, title = {{Russian National (Aleksei Burkov, Cardplanet) Sentenced to Prison for Operating Websites Devoted to Fraud and Malicious Cyber Activities}}, date = {2020-06-26}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-sentenced-prison-operating-websites-devoted-fraud-and-malicious-cyber}, language = {English}, urldate = {2020-06-29} } @online{justice:20200707:united:fe6b9b3, author = {Department of Justice}, title = {{United States District Court for the Eastern District of Washington vs. Li Xiaoyu (oro0lxy) and Dong Jiazhi}}, date = {2020-07-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1295981/download}, language = {English}, urldate = {2022-07-25} } @online{justice:20200721:two:81b000b, author = {Department of Justice}, title = {{Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research}}, date = {2020-07-21}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion}, language = {English}, urldate = {2022-07-25} } @online{justice:20200731:malware:f004207, author = {Department of Justice}, title = {{Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses}}, date = {2020-07-31}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568}, language = {English}, urldate = {2020-08-05} } @online{justice:20200813:global:fd1a7c6, author = {Department of Justice}, title = {{Global Disruption of Three Terror Finance Cyber-Enabled Campaigns}}, date = {2020-08-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns}, language = {English}, urldate = {2020-08-14} } @online{justice:20200916:seven:d4591b9, author = {Department of Justice}, title = {{Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally}}, date = {2020-09-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer}, language = {English}, urldate = {2020-09-18} } @online{justice:20201007:92:fa152b9, author = {Department of Justice}, title = {{92 domain names that were unlawfully used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign}}, date = {2020-10-07}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-ndca/press-release/file/1325981/download}, language = {English}, urldate = {2020-10-12} } @online{justice:20201007:united:b364424, author = {Department of Justice}, title = {{United States Seizes Domain Names Used by Iran’s Islamic Revolutionary Guard Corps}}, date = {2020-10-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/united-states-seizes-domain-names-used-iran-s-islamic-revolutionary-guard-corps}, language = {English}, urldate = {2020-10-12} } @online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } @online{justice:20201020:six:8e508cd, author = {Department of Justice}, title = {{Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace}}, date = {2020-10-20}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1328521/download}, language = {English}, urldate = {2020-10-23} } @online{justice:20201104:united:1d7e2f9, author = {US Department of Justice}, title = {{United States Seizes 27 Additional Domain Names Used by Iran’s Islamic Revolutionary Guard Corps to Further a Global, Covert Influence Campaign}}, date = {2020-11-04}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/united-states-seizes-27-additional-domain-names-used-iran-s-islamic-revolutionary-guard-corps}, language = {English}, urldate = {2020-11-06} } @online{justice:20210106:department:b7e85eb, author = {Department of Justice}, title = {{Department of Justice Statement on Solarwinds Update}}, date = {2021-01-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update}, language = {English}, urldate = {2021-01-11} } @online{justice:20210127:department:ea07837, author = {Department of Justice}, title = {{Department of Justice Launches Global Action Against NetWalker Ransomware}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } @online{justice:20210127:indictment:5199031, author = {Department of Justice}, title = {{INDICTMENT of SEBASTIEN VACHON-DESJARDINS for using Netwalker ransomware to commit crime}}, date = {2021-01-27}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-mdfl/press-release/file/1360846/download}, language = {English}, urldate = {2021-01-29} } @online{justice:20210128:emotet:cb82f8e, author = {Department of Justice}, title = {{Emotet Botnet Disrupted in International Cyber Operation}}, date = {2021-01-28}, organization = {Department of Homeland Security}, url = {https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation}, language = {English}, urldate = {2021-02-01} } @online{justice:20210217:three:9c91607, author = {US Department of Justice}, title = {{Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe}}, date = {2021-02-17}, organization = {US Department of Defense}, url = {https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and}, language = {English}, urldate = {2021-02-20} } @techreport{justice:20210316:foreign:fe59715, author = {Department of Justice and Department of Homeland Security and CISA}, title = {{Foreign Interference Targeting Election Infrastructure or Political Organization, Campaign, or Candidate InfrastructureRelated to the 2020 US Related to the 2020 US Federal Elections}}, date = {2021-03-16}, institution = {Department of Homeland Security}, url = {https://www.dhs.gov/sites/default/files/publications/21_0311_key-findings-and-recommendations-related-to-2020-elections_0.pdf}, language = {English}, urldate = {2021-03-19} } @online{justice:20210413:justice:97a1ad5, author = {Department of Justice}, title = {{Justice Department announces court-authorized effort to disrupt exploitation of Microsoft Exchange Server vulnerabilities}}, date = {2021-04-13}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft}, language = {English}, urldate = {2021-04-14} } @online{justice:20210709:dark:a7f8831, author = {Department of Justice}, title = {{Dark Web User Known As “The Bull” Charged In Insider Trading Scheme}}, date = {2021-07-09}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-sdny/pr/dark-web-user-known-bull-charged-insider-trading-scheme}, language = {English}, urldate = {2021-07-20} } @online{justice:20210721:estonian:c0153f6, author = {Department of Justice}, title = {{Estonian Citizen Pleads Guilty to Computer Fraud and Abuse (Pavel Tsurkan)}}, date = {2021-07-21}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-ak/pr/estonian-citizen-pleads-guilty-computer-fraud-and-abuse}, language = {English}, urldate = {2021-07-26} } @online{justice:20210908:ukrainian:493bf23, author = {US Department of Justice}, title = {{Ukrainian Cyber Criminal Extradited For Decrypting The Credentials Of Thousands Of Computers Across The World And Selling Them On A Dark Web Website (Glib Oleksandr Ivanov-Tolpintsev)}}, date = {2021-09-08}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-mdfl/pr/ukrainian-cyber-criminal-extradited-decrypting-credentials-thousands-computers-across}, language = {English}, urldate = {2021-09-10} } @online{justice:20210929:federal:acc7b4c, author = {US Department of Justice}, title = {{Federal Indictment in Chicago Charges Turkish National With Directing Cyber Attack on Multinational Hospitality Company}}, date = {2021-09-29}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack}, language = {English}, urldate = {2021-10-13} } @online{justice:20211028:indictment:24d4225, author = {Department of Justice}, title = {{Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization}}, date = {2021-10-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1445241/download}, language = {English}, urldate = {2021-11-03} } @online{justice:20211028:russian:52deb25, author = {Department of Justice}, title = {{Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization}}, date = {2021-10-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal}, language = {English}, urldate = {2021-11-02} } @online{justice:20211105:jury:1419f3f, author = {Department of Justice}, title = {{Jury Convicts Chinese Intelligence Officer of Espionage Crimes, Attempting to Steal Trade Secrets (Yanjun Xu)}}, date = {2021-11-05}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/jury-convicts-chinese-intelligence-officer-espionage-crimes-attempting-steal-trade-secrets}, language = {English}, urldate = {2021-11-08} } @techreport{justice:20211108:indictment:56ab8a3, author = {Department of Justice}, title = {{Indictment of Yaroslav Vasinskyi (REvil affiliate)}}, date = {2021-11-08}, institution = {Department of Justice}, url = {https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf}, language = {English}, urldate = {2021-11-09} } @techreport{justice:20211108:indictment:5a7badb, author = {Department of Justice}, title = {{Indictment of Yevgeniy Polyanin, one off the REvil affliates}}, date = {2021-11-08}, institution = {Department of Justice}, url = {https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf}, language = {English}, urldate = {2021-11-09} } @online{justice:20211108:ukrainian:e3b0544, author = {Department of Justice}, title = {{Ukrainian Arrested and Charged with Ransomware Attack on Kaseya}}, date = {2021-11-08}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya}, language = {English}, urldate = {2021-11-09} } @online{justice:20211118:indictment:a404903, author = {Department of Justice}, title = {{Indictment of Seyyed Mohammad Hosein Musa Kazemi}}, date = {2021-11-18}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1449226/download}, language = {English}, urldate = {2021-11-19} } @online{justice:20211118:two:02496af, author = {Department of Justice}, title = {{Two Iranian Nationals Charged for Cyber-Enabled Disinformation and Threat Campaign Designed to Influence the 2020 U.S. Presidential Election ( Seyyed Mohammad Hosein Musa Kazemi & Sajjad Kashian )}}, date = {2021-11-18}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-enabled-disinformation-and-threat-campaign-designed}, language = {English}, urldate = {2021-11-19} } @online{justice:20220324:four:2a9459f, author = {Department of Justice}, title = {{Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide (Evgeny Viktorovich Gladkikh, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, Marat Valeryevich Tyukov)}}, date = {2022-03-24}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical}, language = {English}, urldate = {2022-03-25} } @online{justice:20220324:indictment:14b7747, author = {Department of Justice}, title = {{Indictment of Evgeny Viktorovich Gladkikh}}, date = {2022-03-24}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1486831/download}, language = {English}, urldate = {2022-03-25} } @online{justice:20220324:indictment:3d6e03f, author = {Department of Justice}, title = {{Indictment of Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov}}, date = {2022-03-24}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1486836/download}, language = {English}, urldate = {2022-03-25} } @online{justice:20220325:cybercriminal:d7b5921, author = {Department of Justice}, title = {{Cybercriminal Connected to Multimillion Dollar Ransomware Attacks Sentenced for Online Fraud Schemes}}, date = {2022-03-25}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/cybercriminal-connected-multimillion-dollar-ransomware-attacks-sentenced-online-fraud-schemes}, language = {English}, urldate = {2022-04-04} } @online{justice:20220405:indictment:c138f67, author = {Department of Justice}, title = {{Indictment of Dmitry Olegovich Pavlov in connection with his operation and administration of the servers used to run Hydra}}, date = {2022-04-05}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1490906/download}, language = {English}, urldate = {2022-05-05} } @online{justice:20220405:justice:29e6f9e, author = {Department of Justice}, title = {{Justice Department Investigation Leads to Shutdown of Largest Online Darknet Marketplace}}, date = {2022-04-05}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-investigation-leads-shutdown-largest-online-darknet-marketplace}, language = {English}, urldate = {2022-05-05} } @online{justice:20220406:attorney:9b39115, author = {Department of Justice}, title = {{Attorney General Merrick B. Garland Announces Enforcement Actions to Disrupt and Prosecute Russian Criminal Activity (video)}}, date = {2022-04-06}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute}, language = {English}, urldate = {2022-05-05} } @online{justice:20220406:edca:290419e, author = {Department of Justice}, title = {{EDCA Search Warrant Package (CyclopsBlink)}}, date = {2022-04-06}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1491281/download}, language = {English}, urldate = {2022-05-05} } @online{justice:20220406:justice:69ca499, author = {Department of Justice}, title = {{Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)}}, date = {2022-04-06}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation}, language = {English}, urldate = {2022-05-05} } @online{justice:20220407:denys:13c6efe, author = {Department of Justice}, title = {{Denys Iarmak, Member of hacking group (FIN7) sentenced for scheme that compromised tens of millions of debit and credit cards}}, date = {2022-04-07}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-wdwa/pr/member-hacking-group-sentenced-scheme-compromised-tens-millions-debit-and-credit-cards}, language = {English}, urldate = {2022-04-12} } @techreport{justice:20220511:iceapple:608746f, author = {Adrian Justice and CrowdStrike Overwatch Team}, title = {{IceApple: A Novel Internet Information Services (IIS) Post-Exploitation Framework}}, date = {2022-05-11}, institution = {CrowdStrike}, url = {https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf}, language = {English}, urldate = {2022-05-11} } @online{justice:20220511:proactive:a23c54f, author = {Adrian Justice}, title = {{Proactive Threat Hunting Bears Fruit: Falcon OverWatch Detects Novel IceApple Post-Exploitation Framework}}, date = {2022-05-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-overwatch-detects-iceapple-framework/}, language = {English}, urldate = {2022-05-11} } @online{justice:20220516:hacker:4fd1f83, author = {Department of Justice}, title = {{Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (APPLICATION FOR AN ARREST WARRANT)}}, date = {2022-05-16}, url = {https://www.justice.gov/usao-edny/press-release/file/1505981/download}, language = {English}, urldate = {2022-05-25} } @online{justice:20221025:newly:498b1f4, author = {U.S. Department of Justice}, title = {{Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation}}, date = {2022-10-25}, url = {https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation}, language = {English}, urldate = {2022-10-31} } @online{justice:20230418:us:c93d9fe, author = {Department of Justice}, title = {{U.S. Citizens and Russian Intelligence Officers Charged with Conspiring to Use U.S. Citizens as Illegal Agents of the Russian Government}}, date = {2023-04-18}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/us-citizens-and-russian-intelligence-officers-charged-conspiring-use-us-citizens-illegal}, language = {English}, urldate = {2023-04-25} } @online{justice:20230829:documents:f0371e8, author = {Department of Justice}, title = {{Documents and Resources related to the Disruption of the QakBot Malware and Botnet}}, date = {2023-08-29}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources}, language = {English}, urldate = {2023-08-30} } @online{justice:20230829:qakbot:12c7e7b, author = {US Department of Justice}, title = {{Qakbot Malware Disrupted in International Cyber Takedown}}, date = {2023-08-29}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown}, language = {English}, urldate = {2023-08-30} } @techreport{justice:20240918:courtauthorized:d5985f8, author = {U.S. Department of Justice}, title = {{Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers}}, date = {2024-09-18}, institution = {}, url = {https://www.justice.gov/d9/2024-09/redacted_24-mj-1484_signed_search_and_seizure_warrant_for_disclosure.pdf}, language = {English}, urldate = {2024-09-23} } @techreport{justice:20241010:update:63a6212, author = {US Department of Justice and NSA and CNMF and NCSC UK}, title = {{Update on SVR Cyber Operations and Vulnerability Exploitation}}, date = {2024-10-10}, institution = {US Department of Defense}, url = {https://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF}, language = {English}, urldate = {2025-02-03} } @online{justin:20181217:apt39:6e13cad, author = {Justin}, title = {{Tweet on APT39}}, date = {2018-12-17}, organization = {Twitter (@MJDutch)}, url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19}, language = {English}, urldate = {2020-01-08} } @online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } @online{k8gege:20221001:ladon:da5e743, author = {k8gege}, title = {{Ladon hacking framework}}, date = {2022-10-01}, organization = {Github (k8gege)}, url = {https://github.com/k8gege/Ladon}, language = {English}, urldate = {2022-10-14} } @online{k:20110130:gpcode:53d8cac, author = {Steven K}, title = {{GpCode Ransomware 2010 Simple Analysis}}, date = {2011-01-30}, url = {http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html}, language = {English}, urldate = {2019-12-24} } @techreport{k:2018:in:87e5693, author = {Taha K.}, title = {{IN THE TRAILS OF WINDSHIFTAPT}}, date = {2018}, institution = {DarkMatter}, url = {https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf}, language = {English}, urldate = {2020-01-08} } @online{k:20210913:beware:9092ec2, author = {Lathashree K}, title = {{Beware of this Lock Screen App}}, date = {2021-09-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/beware-of-this-lock-screen-app/}, language = {English}, urldate = {2023-04-26} } @online{k:20220518:steer:1759000, author = {Lathashree K}, title = {{Steer Clear of Instant Loan Apps}}, date = {2022-05-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/steer-clear-of-instant-loan-apps/}, language = {English}, urldate = {2023-04-26} } @online{k:20221207:upsurge:58df189, author = {Lathashree K}, title = {{An upsurge of new Android Banking Trojan “Zanubis”}}, date = {2022-12-07}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/}, language = {English}, urldate = {2023-04-25} } @online{k:20230330:goatrat:c19eec5, author = {Lathashree K}, title = {{GoatRAT Attacks Automated Payment Systems}}, date = {2023-03-30}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/}, language = {English}, urldate = {2023-04-25} } @techreport{kaczmarczyck:20201207:spotlight:a65ba49, author = {Fabian Kaczmarczyck and Bernhard Grill and Luca Invernizzi and Cecilia M. Procopiuc and Jennifer Pullman and David Tao and Borbala Benko and Elie Bursztein}, title = {{Spotlight: Malware Lead Generation at Scale}}, date = {2020-12-07}, institution = {Google}, url = {https://storage.googleapis.com/pub-tools-public-publication-data/pdf/5987ab07bad53af0a980f35849a86a655793bb17.pdf}, language = {English}, urldate = {2021-04-16} } @techreport{kaczmarczyck:2021:burning:f3c8da6, author = {Fabian Kaczmarczyck}, title = {{Burning the Haystack: Malware Lead Generation at Scale}}, date = {2021}, institution = {Google}, url = {https://www.acsac.org/2020/files/web/malware_lead_generation_slides.pdf}, language = {English}, urldate = {2021-11-02} } @online{kaczyski:20210618:statement:a8fa14a, author = {Jarosław Kaczyński}, title = {{Statement by the Vice-President of the Council of Ministers, Chairman of the Committee for National Security and Defense Affairs, Jarosław Kaczyński (about UNC1151)}}, date = {2021-06-18}, organization = {GOV.PL}, url = {https://www.gov.pl/web/premier/oswiadczenie-wiceprezesa-rady-ministrow-przewodniczacego-komitetu-ds-bezpieczenstwa-narodowego-i-spraw-obronnych-jaroslawa-kaczynskiego2}, language = {Polish}, urldate = {2021-06-24} } @online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20120816:inside:5dd3a54, author = {Kafeine}, title = {{Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel}}, date = {2012-08-16}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20121129:inside:cff4761, author = {Kafeine}, title = {{Inside view of Lyposit aka (for its friends) Lucky LOCKER}}, date = {2012-11-29}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html}, language = {English}, urldate = {2019-12-18} } @online{kafeine:20130521:unveiling:1b90bcf, author = {Kafeine}, title = {{Unveiling the Locker Bomba (aka Lucky Locker v0.6 aka Lyposit/Adneukine)}}, date = {2013-05-21}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20140618:neutrino:a72cb23, author = {Kafeine}, title = {{Neutrino Bot (aka MS:Win32/Kasidet)}}, date = {2014-06-18}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20150304:new:0c67206, author = {Kafeine}, title = {{New crypto ransomware in town : CryptoFortress}}, date = {2015-03-04}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html}, language = {English}, urldate = {2019-11-29} } @online{kafeine:20160414:bedep:38da8b4, author = {Kafeine}, title = {{Bedep has raised its game vs Bot Zombies}}, date = {2016-04-14}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html}, language = {English}, urldate = {2023-03-23} } @online{kafeine:20170515:adylkuzz:c94b40e, author = {Kafeine}, title = {{Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar}}, date = {2017-05-15}, organization = {Proofpoint}, url = {https://web.archive.org/web/20170609161432/https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar}, language = {English}, urldate = {2025-03-27} } @online{kafeine:20170620:adgholas:8ca8d57, author = {Kafeine}, title = {{AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware}}, date = {2017-06-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20170814:threat:60f3a3e, author = {Kafeine}, title = {{Threat actor goes on a Chrome extension hijacking spree}}, date = {2017-08-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree}, language = {English}, urldate = {2024-12-11} } @online{kafeine:20171016:coalabot:28f848f, author = {Kafeine}, title = {{CoalaBot: http Ddos Bot}}, date = {2017-10-16}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20171019:apt28:927b889, author = {Kafeine and Pierre T}, title = {{APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed}}, date = {2017-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20180131:smominru:5a6c554, author = {Kafeine}, title = {{Smominru Monero mining botnet making millions for operators}}, date = {2018-01-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20190203:fallout:00a924c, author = {Kafeine}, title = {{Tweet on Fallout Exploit Kit}}, date = {2019-02-03}, organization = {Twitter (@kafeine)}, url = {https://twitter.com/kafeine/status/1092000556598677504}, language = {English}, urldate = {2020-01-07} } @online{kafeine:20190722:brushaloader:487137c, author = {Kafeine and Proofpoint Threat Insight Team}, title = {{BrushaLoader still sweeping up victims one year later}}, date = {2019-07-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later}, language = {English}, urldate = {2019-12-20} } @online{kafka:20170921:new:8bcb309, author = {Filip Kafka}, title = {{New FinFisher surveillance campaigns: Internet providers involved?}}, date = {2017-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } @techreport{kafka:20180124:esets:246a0d4, author = {Filip Kafka}, title = {{ESET’S GUIDE TODEOBFUSCATING AND DEVIRTUALIZING FINFISHER}}, date = {2018-01-24}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf}, language = {English}, urldate = {2020-01-13} } @online{kafka:20180309:new:9d79d4b, author = {Filip Kafka}, title = {{New traces of Hacking Team in the wild}}, date = {2018-03-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/}, language = {English}, urldate = {2019-11-14} } @online{kafka:201901:vb2018:7d81852, author = {Filip Kafka}, title = {{VB2018 paper: From Hacking Team to hacked team to...?}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/}, language = {English}, urldate = {2020-01-13} } @online{kai5263499:20170222:bella:2b93625, author = {kai5263499}, title = {{Bella: A pure python, post-exploitation, data mining tool and remote administration tool for macOS.}}, date = {2017-02-22}, organization = {Github (kai5263499)}, url = {https://github.com/kai5263499/Bella}, language = {English}, urldate = {2020-01-06} } @online{kajiloti:20191112:purelocker:9d8244d, author = {Michael Kajiloti}, title = {{PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers}}, date = {2019-11-12}, organization = {Intezer}, url = {https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/}, language = {English}, urldate = {2020-01-13} } @online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } @online{kakiuchi:20201221:active:6c42aad, author = {Yurika Kakiuchi}, title = {{Active Directory 侵害と推奨対策}}, date = {2020-12-21}, organization = {SlideShare (yurikamuraki5)}, url = {https://www.slideshare.net/yurikamuraki5/active-directory-240348605}, language = {Japanese}, urldate = {2021-02-06} } @online{kalember:20220303:proofpoint:a74b82c, author = {Ryan Kalember}, title = {{Proofpoint is Closely Monitoring the Rapidly Evolving Threat Landscape Related to Ukraine and Russia}}, date = {2022-03-03}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/corporate-news/proofpoint-closely-monitoring-rapidly-evolving-threat-landscape-related-ukraine}, language = {English}, urldate = {2022-03-07} } @online{kalev:20210620:dangerous:807860a, author = {Oded Kalev}, title = {{Dangerous Phishing Campaign for Harvesting Credentials using an HTML Attachment}}, date = {2021-06-20}, organization = {Perception Point}, url = {https://perception-point.io/dangerous-phishing-campaign-for-harvesting-credentials-using-an-html-attachment/}, language = {English}, urldate = {2021-06-24} } @online{kalinin:20230504:not:44e1fd7, author = {Dmitry Kalinin}, title = {{Not quite an Easter egg: a new family of Trojan subscribers on Google Play}}, date = {2023-05-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/}, language = {English}, urldate = {2023-05-08} } @online{kalinin:20240417:soumnibot:0b7dfda, author = {Dmitry Kalinin}, title = {{SoumniBot: the new Android banker’s unique techniques}}, date = {2024-04-17}, organization = {Kaspersky}, url = {https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/}, language = {English}, urldate = {2024-04-19} } @online{kalo:20210317:hidden:7757b8d, author = {Jakub Kaloč}, title = {{Hidden menace: Peeling back the secrets of OnionCrypter}}, date = {2021-03-17}, organization = {Avast Decoded}, url = {https://decoded.avast.io/jakubkaloc/onion-crypter/}, language = {English}, urldate = {2021-03-19} } @online{kalo:20230706:whats:72b3767, author = {Jakub Kaloč}, title = {{What’s up with Emotet?}}, date = {2023-07-06}, organization = {WeLiveSecurity}, url = {https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/}, language = {English}, urldate = {2023-07-10} } @online{kamble:20220720:lockbit:e4515c8, author = {Vishal Kamble and Lahu Khatal}, title = {{LockBit: Ransomware Puts Servers in the Crosshairs}}, date = {2022-07-20}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers}, language = {English}, urldate = {2022-07-20} } @online{kamei:20241211:attack:9c0cfd7, author = {Tomoya Kamei}, title = {{Attack Exploiting Legitimate Service by APT-C-60}}, date = {2024-12-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html}, language = {English}, urldate = {2024-12-16} } @online{kamluk:20140114:icefog:bc79c50, author = {Vitaly Kamluk and Igor Soumenkov and Costin Raiu}, title = {{The Icefog APT Hits US Targets With Java Backdoor}}, date = {2014-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/}, language = {English}, urldate = {2019-12-20} } @online{kamp:20230911:from:8f50b29, author = {Joshua Kamp and Alberto Segura}, title = {{From ERMAC to Hook: Investigating the technical differences between two Android malware variants}}, date = {2023-09-11}, organization = {NCC Group}, url = {https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/}, language = {English}, urldate = {2023-12-27} } @online{kamp:20240328:android:d471691, author = {Joshua Kamp}, title = {{Android Malware Vultur Expands Its Wingspan}}, date = {2024-03-28}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan}, language = {English}, urldate = {2024-03-28} } @online{kan:20170417:new:6eb33c6, author = {Michael Kan}, title = {{New NSA leak may expose its bank spying, Windows exploits}}, date = {2017-04-17}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html}, language = {English}, urldate = {2019-12-24} } @online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } @online{kaplan:20240820:cybervolk:5841c48, author = {Aziz Kaplan and ThreatMon and ThreatMon Malware Research Team}, title = {{CyberVolk Ransomware Technical Malware Analysis Report}}, date = {2024-08-20}, organization = {ThreatMon}, url = {https://www.linkedin.com/posts/threatmon_cybervolk-ransomware-technical-malware-ugcPost-7231601991859290112-Z2c0?utm_source=share&utm_medium=member_desktop}, language = {English}, urldate = {2024-09-02} } @online{kaplan:20250123:helldown:2a4ea88, author = {Aziz Kaplan and ThreatMon and ThreatMon Malware Research Team}, title = {{Helldown Ransomware Malware Analysis Report}}, date = {2025-01-23}, organization = {ThreatMon}, url = {https://www.linkedin.com/posts/threatmon_helldown-ransomware-malware-technical-analysis-activity-7288187849458245633-cyFk}, language = {English}, urldate = {2025-01-24} } @online{kaplan:20250226:fog:da67420, author = {Aziz Kaplan and ThreatMon and ThreatMon Malware Research Team}, title = {{FOG Ransomware Attacks the Energy Sector in Turkey}}, date = {2025-02-26}, organization = {ThreatMon}, url = {https://www.linkedin.com/posts/threatmon_fog-ransomware-attacks-the-energy-sector-ugcPost-7299885491531792384-eKTo}, language = {English}, urldate = {2025-05-02} } @online{kaplan:20250311:new:8629551, author = {Aziz Kaplan and ThreatMon and ThreatMon Malware Research Team}, title = {{New Ermac Variant - Android Banking Trojan & Botnet}}, date = {2025-03-11}, organization = {ThreatMon}, url = {https://www.linkedin.com/posts/threatmon_rising-threat-ermac-variant-activity-7305193522180071426-J8c5}, language = {English}, urldate = {2025-03-12} } @online{kapur:20221006:evolution:788af5e, author = {Daksh Kapur}, title = {{Evolution of BazarCall Social Engineering Tactics}}, date = {2022-10-06}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html}, language = {English}, urldate = {2023-01-03} } @online{kapur:20230124:cyberattacks:0a05372, author = {Daksh Kapur and Tomer Shloman and Robert Venal and John Fokker}, title = {{Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity}}, date = {2023-01-24}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html}, language = {English}, urldate = {2023-01-25} } @online{karcher:20240331:information:36c15da, author = {Michael Karcher}, title = {{Information about the liblzma (xz-utils) backdoor}}, date = {2024-03-31}, organization = {Github (karcherm)}, url = {https://github.com/karcherm/xz-malware}, language = {English}, urldate = {2024-04-02} } @online{kargalev:20220408:scammers:3db4e65, author = {Yaroslav Kargalev and Daniil Glukhov}, title = {{Scammers make off with $1.6 million in crypto Fake giveaways hit bitcoiners again. Now on YouTube}}, date = {2022-04-08}, organization = {Group-IB}, url = {https://blog.group-ib.com/fake-crypto-giveaway}, language = {English}, urldate = {2022-05-05} } @online{kargalev:20220609:swiss:1382ebc, author = {Yaroslav Kargalev and Ivan Lebedev}, title = {{Swiss Army Knife Phishing Group-IB identifies massive campaign capable of targeting clients of major Vietnamese banks}}, date = {2022-06-09}, organization = {Group-IB}, url = {https://blog.group-ib.com/phishing-vietnam-banks}, language = {English}, urldate = {2022-08-17} } @techreport{karim:20190408:trails:83a8378, author = {Taha Karim}, title = {{Trails of WindShift}}, date = {2019-04-08}, institution = {SANS Cyber Security Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf}, language = {English}, urldate = {2020-01-20} } @online{karim:20191210:new:b423605, author = {Taha Karim}, title = {{New macOS Bundlore Loader Analysis}}, date = {2019-12-10}, organization = {Confiant}, url = {https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c}, language = {English}, urldate = {2020-01-07} } @online{karim:20200713:internet:be95d1e, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 Exploitation — part 1}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-1-7ff08b7dcc8b}, language = {English}, urldate = {2020-07-15} } @online{karim:20200713:internet:d7f7dd7, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 In the wild Exploitation - prelude}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30}, language = {English}, urldate = {2020-07-15} } @online{karim:20200714:internet:a2f6f67, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 Exploitation — part 3}}, date = {2020-07-14}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-3-a92d3011b38}, language = {English}, urldate = {2020-07-15} } @online{karim:20201214:one:5d9f92c, author = {Taha Karim}, title = {{Tweet on a one liner to decrypt SUNBURST backdoor}}, date = {2020-12-14}, organization = {Twitter (@lordx64)}, url = {https://twitter.com/lordx64/status/1338526166051934213}, language = {English}, urldate = {2020-12-15} } @online{karim:20210424:initial:b6d138f, author = {Taha Karim}, title = {{Initial analysis of PasswordState supply chain attack backdoor code}}, date = {2021-04-24}, organization = {Medium lordx64}, url = {https://lordx64.medium.com/initial-analysis-of-passwordstate-supply-chain-attack-backdoor-code-aaff1df389e4}, language = {English}, urldate = {2021-04-29} } @online{karim:20211018:profiling:5e4f3a5, author = {Taha Karim}, title = {{Profiling hackers using the Malvertising Attack Matrix by Confiant}}, date = {2021-10-18}, organization = {Medium Confiant}, url = {https://blog.confiant.com/profiling-hackers-using-the-malvertising-attack-matrix-by-confiant-9341838887b7}, language = {English}, urldate = {2021-10-26} } @online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } @online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } @online{karpin:20180711:tackling:b80ad4a, author = {Julia Karpin}, title = {{Tackling Gootkit's Traps}}, date = {2018-07-11}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps}, language = {English}, urldate = {2019-12-17} } @techreport{karve:201608:diving:6f604b3, author = {Sanchit Karve and Guilherme Venere and Mark Olea}, title = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}}, date = {2016-08}, institution = {Intel Security}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf}, language = {English}, urldate = {2019-11-27} } @online{kaseya:20210703:kaseya:c03dd88, author = {Kaseya}, title = {{Kaseya VSA Detection Tool}}, date = {2021-07-03}, organization = {Kaseya}, url = {https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40}, language = {English}, urldate = {2021-07-11} } @online{kaseya:20210703:updates:cfff645, author = {Kaseya}, title = {{Updates Regarding VSA Security Incident}}, date = {2021-07-03}, organization = {Kaseya}, url = {https://www.kaseya.com/potential-attack-on-kaseya-vsa/}, language = {English}, urldate = {2021-07-12} } @online{kashi:20210306:blue:6d4f020, author = {Rohit Kashi}, title = {{Blue Hexagon Security Advisory: Microsoft Exchange Server 0-days}}, date = {2021-03-06}, organization = {BLUEHEXAGON}, url = {https://medium.com/deep-learning-for-cybersecurity/blue-hexagon-security-advisory-microsoft-exchange-server-0-days-83f49d528d34}, language = {English}, urldate = {2021-03-11} } @online{kashiwagi:20211229:japan:b5d1e71, author = {Ryoma Kashiwagi}, title = {{Japan aerospace cyberattacks show link to Chinese military: police (PLA Unit 61419)}}, date = {2021-12-29}, organization = {Nikkei Asia}, url = {https://asia.nikkei.com/Business/Technology/Japan-aerospace-cyberattacks-show-link-to-Chinese-military-police}, language = {English}, urldate = {2021-12-31} } @online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } @online{kasiviswanathan:20220608:attackers:6a247ab, author = {Karthikeyan C Kasiviswanathan and Yuvaraj Megavarnadu}, title = {{Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer}}, date = {2022-06-08}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware}, language = {English}, urldate = {2022-07-20} } @online{kasmani:20210410:malware:e2000de, author = {AhmedS Kasmani}, title = {{Malware Analysis: IcedID Banking Trojan JavaScript Dropper}}, date = {2021-04-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=oZ4bwnjcXWg}, language = {English}, urldate = {2021-04-12} } @online{kasmani:20210419:malware:72a87a6, author = {AhmedS Kasmani}, title = {{Malware Analysis of a Password Stealer}}, date = {2021-04-19}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=MaPXDCq-Gf4}, language = {English}, urldate = {2021-04-21} } @online{kasmani:20210518:malware:5921c55, author = {AhmedS Kasmani}, title = {{Malware Analysis: Agent Tesla Part 1/2 Extraction of final payload from dropper.}}, date = {2021-05-18}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=Q9_1xNbVQPY}, language = {English}, urldate = {2021-05-19} } @online{kasmani:20210529:analysis:96b0902, author = {AhmedS Kasmani}, title = {{Analysis of ICEID Malware Installer DLL}}, date = {2021-05-29}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=wMXD4Sv1Alw}, language = {English}, urldate = {2021-06-04} } @online{kasmani:20210625:analysis:a738f5c, author = {AhmedS Kasmani}, title = {{Analysis of malware dropped by Nobelium}}, date = {2021-06-25}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=HURRI781tq8}, language = {English}, urldate = {2021-06-29} } @online{kasmani:20210710:analysis:35afafd, author = {AhmedS Kasmani}, title = {{Analysis of AppleJeus Malware by Lazarus Group}}, date = {2021-07-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=1NkzTKkEM2k}, language = {English}, urldate = {2021-07-20} } @online{kasmani:20210725:analysis:e1196c2, author = {AhmedS Kasmani}, title = {{Analysis of Malware from Kaseya/Revil Supply Chain attack.}}, date = {2021-07-25}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=P8o6GItci5w}, language = {English}, urldate = {2021-08-02} } @online{kasmani:20220602:zloader:a5a0759, author = {AhmedS Kasmani}, title = {{Zloader Malware Analysis - 1. Unpacking First stage.}}, date = {2022-06-02}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=mhX-UoaYnOM}, language = {English}, urldate = {2022-06-04} } @online{kasmani:20221208:vidar:2ea18d3, author = {AhmedS Kasmani}, title = {{Vidar Stealer Malware Analysis}}, date = {2022-12-08}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=lxdlNOaHJQA}, language = {English}, urldate = {2023-04-25} } @online{kasmani:20250312:initial:ab60af8, author = {AhmedS Kasmani}, title = {{Initial Analysis of Black Basta Chat Leaks}}, date = {2025-03-12}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=bJILHYLX4C4}, language = {English}, urldate = {2025-03-27} } @online{kaspersky:20040325:nyxem:4373b3d, author = {Kaspersky}, title = {{Nyxem}}, date = {2004-03-25}, url = {https://threats.kaspersky.com/en/threat/Email-Worm.Win32.Nyxem/}, language = {English}, urldate = {2024-04-29} } @online{kaspersky:20060626:erpresser:6c57dc7, author = {Kaspersky}, title = {{Erpresser}}, date = {2006-06-26}, organization = {Kaspersky Labs}, url = {https://de.securelist.com/analysis/59479/erpresser/}, language = {German}, urldate = {2020-01-08} } @online{kaspersky:20120717:kaspersky:bbbf635, author = {Kaspersky}, title = {{Kaspersky Lab and Seculert Announce ‘Madi,’ a Newly Discovered Cyber-Espionage Campaign in the Middle East}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east}, language = {English}, urldate = {2019-12-10} } @techreport{kaspersky:201402:unveiling:4e5e91c, author = {Kaspersky}, title = {{Unveiling “Careto” - The Masked APT}}, date = {2014-02}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf}, language = {English}, urldate = {2019-10-12} } @online{kaspersky:20140827:nettraveler:5469ce3, author = {Kaspersky}, title = {{NetTraveler Gets a Makeover for 10th Anniversary}}, date = {2014-08-27}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary}, language = {English}, urldate = {2020-01-13} } @techreport{kaspersky:201502:equation:3c079fb, author = {Kaspersky}, title = {{Equation Group: Questions and Answers}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf}, language = {English}, urldate = {2020-01-08} } @online{kaspersky:20161214:kaspersky:ec35c7b, author = {Kaspersky}, title = {{Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016}}, date = {2016-12-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/}, language = {English}, urldate = {2024-02-08} } @techreport{kaspersky:20170307:from:2d853ae, author = {Kaspersky}, title = {{From Shamoon to Stonedrill}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20170426:chinas:5f3150f, author = {Kaspersky}, title = {{China's Evolving Cyber Operations: A Look into APT19's Shift in Tactics}}, date = {2017-04-26}, organization = {Youtube (Kaspersky)}, url = {https://www.youtube.com/watch?v=FC9ARZIZglI}, language = {English}, urldate = {2022-09-12} } @online{kaspersky:20170501:crouching:a5be2eb, author = {Kaspersky}, title = {{Crouching Yeti (Energetic Bear) Malware}}, date = {2017-05-01}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat}, language = {English}, urldate = {2020-01-10} } @online{kaspersky:20170824:naikon:9ad7610, author = {Kaspersky}, title = {{Naikon Targeted Attacks}}, date = {2017-08-24}, organization = {Kaspersky Labs}, url = {https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks}, language = {English}, urldate = {2022-08-22} } @online{kaspersky:20180717:return:1dcb99e, author = {Kaspersky}, title = {{The return of Fantomas, or how we deciphered Cryakl}}, date = {2018-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/}, language = {English}, urldate = {2019-12-20} } @online{kaspersky:20190520:video:148e81f, author = {Kaspersky}, title = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2020-01-08} } @online{kaspersky:20191029:shadedecryptor:4a5e5f4, author = {Kaspersky}, title = {{ShadeDecryptor tool}}, date = {2019-10-29}, organization = {Kaspersky Labs}, url = {https://support.kaspersky.com/13059}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20191211:story:d54a08a, author = {Kaspersky}, title = {{Story of the year 2019: Cities under ransomware siege}}, date = {2019-12-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/}, language = {English}, urldate = {2020-01-13} } @online{kaspersky:20200423:look:4e5d7ab, author = {Kaspersky}, title = {{A look at the ATM/PoS malware landscape from 2017-2019}}, date = {2020-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/}, language = {English}, urldate = {2020-04-26} } @online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } @online{kaspersky:20210705:revil:a8a2af3, author = {Kaspersky}, title = {{REvil ransomware attack against MSPs and its clients around the world}}, date = {2021-07-05}, organization = {Kaspersky}, url = {https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/}, language = {English}, urldate = {2021-07-09} } @online{kaspersky:20210729:ghostemperor:c9ddfe4, author = {Kaspersky}, title = {{GhostEmperor: Chinese-speaking APT targets high-profile victims using unknown rootkit}}, date = {2021-07-29}, organization = {Kaspersky}, url = {https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit}, language = {English}, urldate = {2021-10-07} } @online{kaspersky:20211216:pseudomanuscrypt:a2a5303, author = {Kaspersky}, title = {{PseudoManuscrypt: a mass-scale spyware attack campaign}}, date = {2021-12-16}, organization = {Kaspersky ICS CERT}, url = {https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/}, language = {English}, urldate = {2023-02-06} } @online{kaspersky:20220301:ransomware:159de87, author = {Kaspersky}, title = {{Ransomware as a distraction}}, date = {2022-03-01}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/}, language = {English}, urldate = {2022-03-08} } @techreport{kaspersky:20220401:state:634da4c, author = {Kaspersky}, title = {{The State of Stalkerware in 2021}}, date = {2022-04-01}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf}, language = {English}, urldate = {2022-05-04} } @online{kaspersky:20220411:fakecalls:2084a19, author = {Kaspersky}, title = {{Fakecalls: a talking Trojan}}, date = {2022-04-11}, url = {https://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/}, language = {English}, urldate = {2023-05-05} } @online{kaspersky:20220412:state:9e364f8, author = {Kaspersky}, title = {{The State of Stalkerware in 2021}}, date = {2022-04-12}, organization = {Kaspersky}, url = {https://securelist.com/the-state-of-stalkerware-in-2021/106193/}, language = {English}, urldate = {2022-05-04} } @online{kaspersky:20220816:threat:80d718e, author = {Kaspersky}, title = {{Threat in your browser: what dangers innocent-looking extensions hold for users}}, date = {2022-08-16}, organization = {Kaspersky}, url = {https://securelist.com/threat-in-your-browser-extensions/107181}, language = {English}, urldate = {2022-08-17} } @online{kaspersky:20230803:whats:0d716ed, author = {Kaspersky}, title = {{What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot}}, date = {2023-08-03}, organization = {Kaspersky}, url = {https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/}, language = {English}, urldate = {2023-08-03} } @online{kaspersky:20240902:head:f39c2dc, author = {Kaspersky}, title = {{Head Mare: adventures of a unicorn in Russia and Belarus}}, date = {2024-09-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/head-mare-hacktivists/113555/}, language = {English}, urldate = {2025-03-21} } @online{kaspersky:20241007:awaken:82227be, author = {Kaspersky}, title = {{Awaken Likho is awake: new techniques of an APT group}}, date = {2024-10-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/}, language = {English}, urldate = {2024-10-18} } @online{kaspersky:20241218:analysis:f49ee2e, author = {Kaspersky}, title = {{Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations}}, date = {2024-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/cyber-anarchy-squad-attacks-with-uncommon-trojans/114990/}, language = {English}, urldate = {2025-03-07} } @online{kaspersky:20250221:angry:785af00, author = {Kaspersky}, title = {{Angry Likho: Old beasts in a new forest}}, date = {2025-02-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/}, language = {English}, urldate = {2025-02-25} } @online{kaspersky:20250609:sleep:0c17a69, author = {Kaspersky}, title = {{Sleep with one eye open: how Librarian Ghouls steal data by night}}, date = {2025-06-09}, organization = {Kaspersky}, url = {https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/}, language = {English}, urldate = {2025-06-11} } @online{kass:20220323:lokilocker:a64c4a8, author = {D. Howard Kass}, title = {{LokiLocker Ransomware May Use False Flag to Avoid Identification}}, date = {2022-03-23}, organization = {MSSPAlert}, url = {https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/}, language = {English}, urldate = {2022-03-24} } @techreport{kasua02:20220617:reverse:b218c67, author = {Twitter (@kasua02)}, title = {{A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.}}, date = {2022-06-17}, institution = {Github (NtQuerySystemInformation)}, url = {https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf}, language = {English}, urldate = {2022-07-01} } @online{kasuya:20200108:threat:3efa417, author = {Masaki Kasuya}, title = {{Threat Spotlight: Amadey Bot Targets Non-Russian Users}}, date = {2020-01-08}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot}, language = {English}, urldate = {2022-01-12} } @techreport{kasuya:20240125:study:2f92559, author = {Masaki Kasuya}, title = {{A Study on Long-Term Trends about Amadey C2 Infrastructure}}, date = {2024-01-25}, institution = {JSAC 2024}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_1_kasuya_en.pdf}, language = {English}, urldate = {2024-01-31} } @online{kasza:20161025:houdinis:d57d422, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/}, language = {English}, urldate = {2019-11-17} } @online{kasza:20161025:houdinis:f8fba8f, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:322eb5f, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:3d28d34, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2020-01-09} } @online{kasza:20170227:gamaredon:a88c3f8, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:da1102c, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution}, language = {English}, urldate = {2022-08-25} } @online{kasza:20170407:blockbuster:0e430d3, author = {Anthony Kasza and Micah Yates}, title = {{The Blockbuster Sequel}}, date = {2017-04-07}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170814:blockbuster:79266d5, author = {Anthony Kasza}, title = {{The Blockbuster Saga Continues}}, date = {2017-08-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20171120:operation:0bc8efe, author = {Anthony Kasza and Juan Cortes and Micah Yates}, title = {{Operation Blockbuster Goes Mobile}}, date = {2017-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/}, language = {English}, urldate = {2019-12-24} } @online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } @online{kate:20200509:clodcore:6e24986, author = {kate}, title = {{ClodCore: A malware family that delivers mining modules through cloud control}}, date = {2020-05-09}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/clodcore-a-malware-family-that-delivers-mining-modules-through-cloud-control/}, language = {English}, urldate = {2020-05-18} } @online{kate:20200514:vendetta:06e3cde, author = {kate}, title = {{Vendetta - new threat actor from Europe}}, date = {2020-05-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/}, language = {English}, urldate = {2020-05-18} } @online{kate:20200925:aptc43:15a3501, author = {kate}, title = {{APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries - HpReact campaign}}, date = {2020-09-25}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/}, language = {English}, urldate = {2020-10-02} } @online{kate:20201014:secret:814bae5, author = {kate}, title = {{Secret Stealing Trojan Active in Brazil Releases the New Framework SolarSys}}, date = {2020-10-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/secret-stealing-trojan-active-in-brazil-releases-the-new-framework-solarsys/}, language = {English}, urldate = {2020-10-23} } @online{kate:20201120:360:949bcc5, author = {kate}, title = {{360 File-less Attack Protection Intercepts the Banker Trojan BBtok Active in Mexico}}, date = {2020-11-20}, organization = {360}, url = {https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/}, language = {English}, urldate = {2020-11-25} } @online{kate:20210225:darkworld:c49b538, author = {kate}, title = {{DarkWorld Ransomware}}, date = {2021-02-25}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/darkworld-ransomware/}, language = {English}, urldate = {2021-02-25} } @online{kate:20210402:txt:1216a3c, author = {kate}, title = {{A “txt file” can steal all your secrets}}, date = {2021-04-02}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true}, language = {English}, urldate = {2021-04-06} } @online{kate:20210521:darksides:fd45119, author = {kate}, title = {{DarkSide’s Targeted Ransomware Analysis Report for Critical U.S. Infrastructure}}, date = {2021-05-21}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/}, language = {English}, urldate = {2021-05-26} } @online{kate:20210729:netfilter:27b34a6, author = {kate}, title = {{“Netfilter Rootkit II ” Continues to Hold WHQL Signatures}}, date = {2021-07-29}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/}, language = {English}, urldate = {2021-08-02} } @online{katechondic:20220310:additional:5dd63e9, author = {Katechondic}, title = {{Tweet on additional computer names "desktop-g1i8n3f" & "desktop-j6llo2k", seen with Crimson RAT C2 infrastructure used by APT36}}, date = {2022-03-10}, organization = {Twitter (@Katechondic)}, url = {https://twitter.com/katechondic/status/1502206599166939137}, language = {English}, urldate = {2022-03-14} } @online{katechondic:20220809:malware:2d6d764, author = {Katechondic}, title = {{Tweet on malware, suspected to be from China based actor, targeting Taiwan}}, date = {2022-08-09}, organization = {Twitter (@Katechondic)}, url = {https://twitter.com/katechondic/status/1556940169483264000}, language = {English}, urldate = {2022-09-19} } @techreport{kathawala:20210520:cybergate:7e8eb1a, author = {Hussain Kathawala}, title = {{CyberGate Threat Report}}, date = {2021-05-20}, institution = {SubexSecure}, url = {https://sectrio.com/wp-content/uploads/2021/08/cybergate-threat-report.pdf}, language = {English}, urldate = {2023-02-17} } @online{kathiresan:20230123:titan:2ea755f, author = {Karthickkumar Kathiresan and Shilpesh Trivedi}, title = {{The Titan Stealer: Notorious Telegram Malware Campaign - Uptycs}}, date = {2023-01-23}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign}, language = {English}, urldate = {2023-01-26} } @online{katkar:20250430:advisory:00cdbb7, author = {Sanjay Katkar and Mahua Chakrabarthy}, title = {{Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government}}, date = {2025-04-30}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/}, language = {English}, urldate = {2025-05-20} } @online{kats:20210512:encrypted:f9de112, author = {Daniel Kats and David Zhuang}, title = {{Encrypted Chat Apps Doubling as Illegal Marketplaces}}, date = {2021-05-12}, organization = {NortonLifeLock}, url = {https://www.nortonlifelock.com/blogs/research-group/chat-apps-illegal-marketplaces}, language = {English}, urldate = {2021-05-19} } @online{katsuki:20120820:crisis:60cb26b, author = {Takashi Katsuki}, title = {{Crisis for Windows Sneaks onto Virtual Machines}}, date = {2012-08-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines}, language = {English}, urldate = {2020-01-10} } @online{katsuki:20121116:malware:9268919, author = {Takashi Katsuki}, title = {{Malware Targeting Windows 8 Uses Google Docs}}, date = {2012-11-16}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs}, language = {English}, urldate = {2020-01-10} } @online{katz:20220414:blinding:335f714, author = {Uri Katz}, title = {{Blinding Snort: Breaking The Modbus OT Preprocessor}}, date = {2022-04-14}, organization = {Claroty}, url = {https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/}, language = {English}, urldate = {2022-04-29} } @online{kavanagh:20210706:operation:315c918, author = {Stephen Kavanagh and Dmitry Volkov}, title = {{Operation Lyrebird: Group-IB assists INTERPOL in identifying suspect behind numerous cybercrimes worldwide}}, date = {2021-07-06}, organization = {Group-IB}, url = {https://www.group-ib.com/media/gib-interpol-lyrebird/}, language = {English}, urldate = {2021-07-11} } @online{kawaii:20191022:new:0d66066, author = {Jagaimo Kawaii}, title = {{New PatchWork Spearphishing Attack}}, date = {2019-10-22}, organization = {Lab52}, url = {https://lab52.io/blog/new-patchwork-campaign-against-pakistan/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200109:ta428:2230af2, author = {Jagaimo Kawaii}, title = {{TA428 Group abusing recent conflict between Iran and USA}}, date = {2020-01-09}, organization = {Lab52}, url = {https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/}, language = {English}, urldate = {2021-02-06} } @online{kawaii:20200113:apt27:4c2f818, author = {Jagaimo Kawaii}, title = {{APT27 ZxShell RootKit module updates}}, date = {2020-01-13}, organization = {Lab52}, url = {https://lab52.io/blog/apt27-rootkit-updates/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } @online{kawaii:20200826:twisted:b91cfb5, author = {Jagaimo Kawaii}, title = {{A twisted malware infection chain}}, date = {2020-08-26}, organization = {Lab52}, url = {https://lab52.io/blog/a-twisted-malware-infection-chain/}, language = {English}, urldate = {2020-08-31} } @online{kawaii:20220112:tokyox:809eda0, author = {Jagaimo Kawaii}, title = {{TokyoX: DLL side-loading an unknown artifact (Part 2)}}, date = {2022-01-12}, organization = {Lab52}, url = {https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact-part-2/}, language = {English}, urldate = {2022-01-18} } @online{kawaii:20220228:looking:9f8bf67, author = {Jagaimo Kawaii}, title = {{Looking for Penquins in the Wild}}, date = {2022-02-28}, organization = {Lab52}, url = {https://lab52.io/blog/looking-for-penquins-in-the-wild/}, language = {English}, urldate = {2022-03-02} } @techreport{kawar:20220824:malware:2eeaafb, author = {Rad Kawar}, title = {{Malware Madness: EXCEPTION edition}}, date = {2022-08-24}, institution = {Github (rad9800)}, url = {https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf}, language = {English}, urldate = {2022-08-28} } @online{kawar:20221116:writing:5bf0a41, author = {Rad Kawar}, title = {{Writing Tiny, Stealthy & Reliable Malware}}, date = {2022-11-16}, organization = {Ruptura InfoSecurity}, url = {https://ruptura-infosec.com/blog/writing-tiny-stealthy-reliable-malware/}, language = {English}, urldate = {2022-11-18} } @online{kay:20210604:colonial:959c12f, author = {Roger Kay}, title = {{Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts}}, date = {2021-06-04}, organization = {Inky}, url = {https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts}, language = {English}, urldate = {2021-06-16} } @online{kay:20211014:phishers:6a5ed18, author = {Roger Kay}, title = {{Phishers Get Clever, Use Math Symbols for Verizon Logo}}, date = {2021-10-14}, organization = {Inky}, url = {https://www.inky.com/blog/phishers-get-clever-use-math-symbols-for-verizon-logo}, language = {English}, urldate = {2021-10-25} } @online{kay:20211028:urgency:459b56e, author = {Roger Kay}, title = {{Urgency, Mail Relay Serve Phishers Well on Craigslist}}, date = {2021-10-28}, organization = {Inky}, url = {https://www.inky.com/blog/urgency-mail-relay-serve-phishers-well-on-craigslist}, language = {English}, urldate = {2021-11-03} } @online{kay:20220120:fresh:577fae2, author = {Roger Kay}, title = {{Fresh Phish: Phishers Lure Victims with Fake Invites to Bid on Nonexistent Federal Projects}}, date = {2022-01-20}, organization = {Inky}, url = {https://www.inky.com/blog/fresh-phish-phishers-lure-victims-with-fake-invites-to-bid-on-nonexistent-federal-projects}, language = {English}, urldate = {2022-01-24} } @online{kay:20220504:fresh:e1cef9c, author = {Roger Kay}, title = {{Fresh Phish: Britain’s National Health Service Infected by Massive Phishing Campaign}}, date = {2022-05-04}, organization = {Inky}, url = {https://www.inky.com/en/blog/fresh-phish-britains-national-health-service-infected-by-massive-phishing-campaign}, language = {English}, urldate = {2022-05-05} } @online{kayal:20191002:domestic:f400298, author = {Aseel Kayal and Lotem Finkelstein}, title = {{Domestic Kitten: an Iranian surveillance program}}, date = {2019-10-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program}, language = {English}, urldate = {2021-02-09} } @techreport{kayal:20211007:lyceum:395a41f, author = {Aseel Kayal and Mark Lechtik and Paul Rascagnères}, title = {{LYCEUM Reborn: Counterintelligence in the Middle East}}, date = {2021-10-07}, institution = {Kaspersky}, url = {https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf}, language = {English}, urldate = {2021-10-25} } @online{kaykc:20221218:mars:dc1db9a, author = {Ömer Faruk Kayıkcı and Nisanur Çıldız and Meryem Ahıskalı}, title = {{Mars Stealer Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view}, language = {English}, urldate = {2022-12-20} } @online{kazantsev:20200504:atm:20ca401, author = {Anatoly Kazantsev}, title = {{ATM malware targets Wincor and Diebold ATMs}}, date = {2020-05-04}, organization = {Avira}, url = {https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/}, language = {English}, urldate = {2020-05-18} } @techreport{kazymirskyi:20250408:deep:96d020b, author = {Nikita Kazymirskyi and Serhii Melnyk}, title = {{A deep Dive into the Leaked Black Basta Chat Logs}}, date = {2025-04-08}, institution = {Trustwave}, url = {https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/A_Deep_Dive_into_the_Leaked_Black_Basta_Chat_Logs.pdf}, language = {English}, urldate = {2025-04-10} } @online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } @online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } @techreport{kchler:20210220:does:b22da85, author = {Alexander Küchler and Alessandro Mantovani and Yufei Han and Leyla Bilge and Davide Balzarotti}, title = {{Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes}}, date = {2021-02-20}, institution = {NDSS}, url = {http://s3.eurecom.fr/docs/ndss21_kuechler.pdf}, language = {English}, urldate = {2021-02-04} } @online{keast:20240902:hacktivist:aa4981f, author = {Jake Keast}, title = {{The Hacktivist Response to UK Foreign Policy}}, date = {2024-09-02}, organization = {cyjax}, url = {https://www.cyjax.com/the-hacktivist-response-to-uk-foreign-policy/}, language = {English}, urldate = {2024-11-15} } @online{keijser:20220315:analysis:648df73, author = {Nicklas Keijser}, title = {{Analysis of CaddyWiper, wiper targeting Ukraine}}, date = {2022-03-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine}, language = {English}, urldate = {2022-03-16} } @online{keijser:20240830:dissecting:c05cca8, author = {Nicklas Keijser and Mattias Wåhlén}, title = {{Dissecting the Cicada}}, date = {2024-08-30}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/dissecting-the-cicada}, language = {English}, urldate = {2024-12-06} } @online{keller:20170512:global:2ee68f6, author = {Holger Keller}, title = {{Global WannaCry ransomware outbreak uses known NSA exploits}}, date = {2017-05-12}, organization = {Emsisoft}, url = {http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/}, language = {English}, urldate = {2019-12-10} } @techreport{kellermann:20200528:modern:8155ea4, author = {Tom Kellermann and Ryan Murphy}, title = {{Modern Bank Heists 3.0}}, date = {2020-05-28}, institution = {VMWare Carbon Black}, url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf}, language = {English}, urldate = {2022-04-25} } @online{kelley:20250228:javaghosts:d61c9f5, author = {Margaret Kelley}, title = {{JavaGhost’s Persistent Phishing Attacks From the Cloud}}, date = {2025-02-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/}, language = {English}, urldate = {2025-03-07} } @online{kelly:20141020:orcarat:236c19f, author = {Dan Kelly and Tom Lancaster}, title = {{OrcaRAT - A whale of a tale}}, date = {2014-10-20}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html}, language = {English}, urldate = {2019-11-24} } @online{kelly:20240103:cybersecurity:c3e6eda, author = {Sean Kelly}, title = {{Cybersecurity News: Google $5B suit settled, Orbit Chain loses $80M, FDA cyber agreement}}, date = {2024-01-03}, organization = {CISO Series}, url = {https://cisoseries.com/cyber-security-headlines-google-5b-suit-settled-orbit-chain-loses-80m-fda-cyber-agreement/}, language = {English}, urldate = {2024-09-27} } @online{kelly:20250716:phish:be90db0, author = {Mark Kelly and Proofpoint Threat Research Team}, title = {{Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting}}, date = {2025-07-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting}, language = {English}, urldate = {2025-07-17} } @online{ken:20201218:high:c99a8a3, author = {Ken}, title = {{High Value Malicious Domains.}}, date = {2020-12-18}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/high-value-malicious-domains}, language = {English}, urldate = {2022-07-13} } @online{ken:20201221:investigating:70b6ddb, author = {Ken}, title = {{Investigating Crimeware Name Servers}}, date = {2020-12-21}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/evolution-cyber-attack}, language = {English}, urldate = {2022-07-13} } @online{ken:20210205:behavior:dd1346e, author = {Ken}, title = {{Behavior Clustering just got easier using new characteristics.}}, date = {2021-02-05}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/behavior-clustering-just-got-easier-using-new-characteristics}, language = {English}, urldate = {2022-07-13} } @online{kenefick:20180910:closer:b2e9b2a, author = {Ian Kenefick}, title = {{A Closer Look at the Locky Poser, PyLocky Ransomware}}, date = {2018-09-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/}, language = {English}, urldate = {2020-01-13} } @techreport{kenefick:20211112:prelude:781d4d7, author = {Ian Kenefick and Vladimir Kropotov}, title = {{The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities}}, date = {2021-11-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf}, language = {English}, urldate = {2021-11-17} } @online{kenefick:20211113:qakbot:3138b93, author = {Ian Kenefick and Vladimir Kropotov}, title = {{QAKBOT Loader Returns With New Techniques and Tools}}, date = {2021-11-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html}, language = {English}, urldate = {2021-11-17} } @online{kenefick:20211123:bazarloader:794de7c, author = {Ian Kenefick}, title = {{BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors}}, date = {2021-11-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html}, language = {English}, urldate = {2021-11-26} } @online{kenefick:20220121:emotet:daddaf1, author = {Ian Kenefick}, title = {{Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware}}, date = {2022-01-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html}, language = {English}, urldate = {2022-01-25} } @online{kenefick:20221012:black:17505c9, author = {Ian Kenefick and Lucas Silva and Nicole Hernandez}, title = {{Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike}}, date = {2022-10-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html}, language = {English}, urldate = {2023-05-23} } @online{kenefick:20221223:icedid:df95b05, author = {Ian Kenefick}, title = {{IcedID Botnet Distributors Abuse Google PPC to Distribute Malware}}, date = {2022-12-23}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html}, language = {English}, urldate = {2022-12-24} } @online{kenefick:20230313:emotet:7dc342d, author = {Ian Kenefick}, title = {{Emotet Returns, Now Adopts Binary Padding for Evasion}}, date = {2023-03-13}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html}, language = {English}, urldate = {2023-03-14} } @online{kenin:20171219:brickerbot:4cbdce8, author = {Simon Kenin}, title = {{BrickerBot mod_plaintext Analysis}}, date = {2017-12-19}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/}, language = {English}, urldate = {2020-01-08} } @online{kenin:20190314:attacker:807e3e6, author = {Simon Kenin}, title = {{Attacker Tracking Users Seeking Pakistani Passport}}, date = {2019-03-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/}, language = {English}, urldate = {2020-10-02} } @online{kenin:20220321:what:8802a1d, author = {Simon Kenin and Asaf Gilboa}, title = {{What is Arid Gopher? An Analysis of a New, Never-Before-Seen Malware Variant}}, date = {2022-03-21}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant}, language = {English}, urldate = {2022-03-25} } @online{kenin:20220601:iranian:c17b320, author = {Simon Kenin}, title = {{Iranian Threat Actor Continues to Develop Mass Exploitation Tools}}, date = {2022-06-01}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools}, language = {English}, urldate = {2022-07-13} } @online{kenin:20221208:new:d8e2d7f, author = {Simon Kenin and Deep Instinct Threat Lab}, title = {{New MuddyWater Threat: Old Kitten; New Tricks}}, date = {2022-12-08}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks}, language = {English}, urldate = {2022-12-10} } @online{kenin:20230309:ducktail:1f4fcc3, author = {Simon Kenin}, title = {{DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection}}, date = {2023-03-09}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection}, language = {English}, urldate = {2023-03-24} } @online{kenin:20230629:phonyc2:fd380e4, author = {Simon Kenin and Deep Instinct Threat Lab}, title = {{PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater}}, date = {2023-06-29}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater}, language = {English}, urldate = {2023-07-02} } @online{kenin:20231101:muddywater:207da5a, author = {Simon Kenin and Deep Instinct Threat Lab}, title = {{MuddyWater eN-Able spear-phishing with new TTPs}}, date = {2023-11-01}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps}, language = {English}, urldate = {2024-01-09} } @online{kenin:20231108:muddyc2go:5dc9c78, author = {Simon Kenin and Deep Instinct Threat Lab}, title = {{MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel}}, date = {2023-11-08}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel}, language = {English}, urldate = {2024-01-09} } @online{kenin:20240404:darkbeatc2:d049eab, author = {Simon Kenin}, title = {{DarkBeatC2: The Latest MuddyWater Attack Framework}}, date = {2024-04-04}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework}, language = {English}, urldate = {2024-04-08} } @online{kennedy:20191006:go:82e5c38, author = {Joakim Kennedy}, title = {{Go under the hood: Eris Ransomware}}, date = {2019-10-06}, organization = {Playhouse}, url = {https://lekstu.ga/posts/go-under-the-hood-eris/}, language = {English}, urldate = {2020-01-10} } @online{kennedy:20200810:anomali:241a19b, author = {Joakim Kennedy and Rory Gould}, title = {{Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service}}, date = {2020-08-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service}, language = {English}, urldate = {2020-09-15} } @online{kennedy:20201202:shadow:76686c6, author = {Corian Kennedy}, title = {{Shadow Academy: Hiding in the shadows of Mabna Institute}}, date = {2020-12-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/44eb0802}, language = {English}, urldate = {2020-12-10} } @online{kennedy:20201209:zebra:1c73168, author = {Joakim Kennedy}, title = {{A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy}}, date = {2020-12-09}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/}, language = {English}, urldate = {2020-12-10} } @online{kennedy:20210302:when:b33af31, author = {Joakim Kennedy}, title = {{When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?}}, date = {2021-03-02}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt}, language = {English}, urldate = {2021-03-04} } @online{kennedy:20210420:habitsrat:0cfa312, author = {Joakim Kennedy}, title = {{HabitsRAT Used to Target Linux and Windows Servers}}, date = {2021-04-20}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/}, language = {English}, urldate = {2021-04-28} } @online{kennedy:20210420:habitsrat:66ff4cf, author = {Joakim Kennedy}, title = {{HabitsRAT Used to Target Linux and Windows Servers}}, date = {2021-04-20}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/}, language = {English}, urldate = {2021-04-20} } @online{kennedy:20211116:new:f76a9f4, author = {Joakim Kennedy and Alik Koldobsky}, title = {{New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk}}, date = {2021-11-16}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/chainjacking-supply-chain-attack-puts-popular-admin-tools-at-risk/}, language = {English}, urldate = {2021-11-18} } @online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } @online{kennedy:20220404:elephant:b2c14b1, author = {Joakim Kennedy and Nicole Fishbein}, title = {{Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations}}, date = {2022-04-04}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/}, language = {English}, urldate = {2022-04-07} } @online{kennedy:20220609:symbiote:fcc031b, author = {Joakim Kennedy and The BlackBerry Research & Intelligence Team}, title = {{Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat}}, date = {2022-06-09}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat}, language = {English}, urldate = {2022-06-09} } @online{kennedy:20220629:ytstealer:0c2bc5c, author = {Joakim Kennedy}, title = {{YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”}}, date = {2022-06-29}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/}, language = {English}, urldate = {2022-06-30} } @online{kent:20161220:backdoorpralice:4bbc640, author = {Nolan Kent}, title = {{Backdoor.Pralice}}, date = {2016-12-20}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2016-122104-0203-99}, language = {English}, urldate = {2019-07-09} } @online{kenttl:20210401:zero:76c0fc0, author = {Mikko Kenttälä}, title = {{Zero click vulnerability in Apple’s macOS Mail}}, date = {2021-04-01}, organization = {Medium mikko-kenttala}, url = {https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c}, language = {English}, urldate = {2021-04-06} } @online{keplinger:20250416:exposed:ca9337d, author = {Keegan Keplinger and Aurora Johnson}, title = {{Exposed Credentials & Ransomware Operations: Using LLMs to Digest 200K Messages from the Black Basta Chats}}, date = {2025-04-16}, organization = {SpyCloud}, url = {https://spycloud.com/blog/digesting-messages-from-the-black-basta-chats/}, language = {English}, urldate = {2025-04-25} } @online{kerman:20210913:attackers:17a94ae, author = {Daniel Kerman}, title = {{Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers}}, date = {2021-09-13}, organization = {Imperva}, url = {https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/}, language = {English}, urldate = {2021-09-14} } @online{kerner:20170406:chinese:81730df, author = {Sean Michael Kerner}, title = {{Chinese Nation-State Hackers Target U.S in Operation TradeSecret}}, date = {2017-04-06}, organization = {eWeek}, url = {https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret}, language = {English}, urldate = {2020-01-08} } @online{kerner:20210311:whitelist:840f503, author = {Rotem Kerner}, title = {{Whitelist Me, Maybe? “Netbounce” Threat Actor Tries A Bold Approach To Evade Detection}}, date = {2021-03-11}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection}, language = {English}, urldate = {2021-03-16} } @online{kerr:20180213:stopping:14ebecf, author = {Devon Kerr}, title = {{Stopping Olympic Destroyer: New Process Injection Insights}}, date = {2018-02-13}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights}, language = {English}, urldate = {2020-01-08} } @online{kerr:20210304:detection:eb05792, author = {Devon Kerr}, title = {{Detection and Response for HAFNIUM Activity}}, date = {2021-03-04}, organization = {Elastic}, url = {https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289}, language = {English}, urldate = {2021-03-10} } @online{kersten:20190216:emotet:7cb0628, author = {Max Kersten}, title = {{Emotet droppers}}, date = {2019-02-16}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/}, language = {English}, urldate = {2020-01-09} } @online{kersten:20191014:corona:60d807b, author = {Max Kersten}, title = {{Corona DDoS bot}}, date = {2019-10-14}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/}, language = {English}, urldate = {2021-11-03} } @online{kersten:20200120:ticket:ad7af1c, author = {Max Kersten}, title = {{Ticket resellers infected with a credit card skimmer}}, date = {2020-01-20}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/}, language = {English}, urldate = {2020-01-27} } @online{kersten:20200217:following:07470c1, author = {Max Kersten}, title = {{Following the tracks of MageCart 12}}, date = {2020-02-17}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/}, language = {English}, urldate = {2020-02-20} } @online{kersten:20200224:closing:9d39fcf, author = {Max Kersten}, title = {{Closing in on MageCart 12}}, date = {2020-02-24}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/}, language = {English}, urldate = {2020-02-25} } @online{kersten:20200326:azorult:5d5ee1f, author = {Max Kersten}, title = {{Azorult loader stages}}, date = {2020-03-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/}, language = {English}, urldate = {2020-03-26} } @online{kersten:20200414:emotet:ec18d45, author = {Max Kersten}, title = {{Emotet JavaScript downloader}}, date = {2020-04-14}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/}, language = {English}, urldate = {2020-04-14} } @online{kersten:20200826:rezer0v4:3bc357a, author = {Max Kersten}, title = {{ReZer0v4 loader}}, date = {2020-08-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/}, language = {English}, urldate = {2020-08-27} } @online{kersten:20200917:automatic:8b19414, author = {Max Kersten}, title = {{Automatic ReZer0 payload and configuration extraction}}, date = {2020-09-17}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/automatic-rezer0-payload-and-configuration-extraction/}, language = {English}, urldate = {2020-09-18} } @online{kersten:20210209:ghidra:0e7f66c, author = {Max Kersten}, title = {{Ghidra script to decrypt strings in Amadey 1.09}}, date = {2021-02-09}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/}, language = {English}, urldate = {2021-02-09} } @online{kersten:20210725:ghidra:00c108d, author = {Max Kersten}, title = {{Ghidra script to decrypt a string array in XOR DDoS}}, date = {2021-07-25}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/}, language = {English}, urldate = {2021-08-02} } @online{kersten:20210804:see:9533247, author = {Max Kersten}, title = {{See Ya Sharp: A Loader’s Tale}}, date = {2021-08-04}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/see-ya-sharp-a-loaders-tale/}, language = {English}, urldate = {2021-08-06} } @online{kersten:20210908:how:5c39aac, author = {Max Kersten and John Fokker and Thibault Seret}, title = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}}, date = {2021-09-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/}, language = {English}, urldate = {2021-09-12} } @online{kersten:20220117:short:d913f54, author = {Max Kersten}, title = {{Tweet on short analysis of WHISPERGATE stage 3 malware}}, date = {2022-01-17}, organization = {Twitter (@Libranalysis)}, url = {https://twitter.com/Libranalysis/status/1483128221956808704}, language = {English}, urldate = {2022-01-25} } @online{kersten:20220201:dumping:2784605, author = {Max Kersten}, title = {{Dumping WhisperGate’s wiper from an Eazfuscator obfuscated loader}}, date = {2022-02-01}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/}, language = {English}, urldate = {2022-02-02} } @online{kersten:20220302:digging:42a2aaf, author = {Max Kersten}, title = {{Digging into HermeticWiper}}, date = {2022-03-02}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html}, language = {English}, urldate = {2022-03-04} } @online{kersten:20220328:plugx:37256d5, author = {Max Kersten and Marc Elias}, title = {{PlugX: A Talisman to Behold}}, date = {2022-03-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html}, language = {English}, urldate = {2022-03-30} } @online{kersten:20220412:ghidra:4afe367, author = {Max Kersten}, title = {{Ghidra script to handle stack strings}}, date = {2022-04-12}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/}, language = {English}, urldate = {2022-04-20} } @online{kersten:20221115:wipermania:b44cf18, author = {Max Kersten}, title = {{Wipermania: An All You Can Wipe Buffet}}, date = {2022-11-15}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html}, language = {English}, urldate = {2022-11-21} } @online{kersten:20230413:read:013379f, author = {Max Kersten}, title = {{Read The Manual Locker: A Private RaaS Provider}}, date = {2023-04-13}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html}, language = {English}, urldate = {2023-04-18} } @online{kersten:20240117:kuiper:1ed9bf4, author = {Max Kersten}, title = {{Kuiper Ransomware’s Evolution}}, date = {2024-01-17}, organization = {Trellix}, url = {https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/}, language = {English}, urldate = {2024-01-17} } @online{kersten:20240430:pouring:69daedb, author = {Max Kersten}, title = {{Pouring Acid Rain}}, date = {2024-04-30}, organization = {Trellix}, url = {https://www.trellix.com/blogs/research/pouring-acid-rain/}, language = {English}, urldate = {2024-05-06} } @online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } @online{keshet:20170104:exposing:fd0938e, author = {Lior Keshet}, title = {{Exposing an AV-Disabling Driver Just in Time for Lunch}}, date = {2017-01-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/}, language = {English}, urldate = {2020-01-10} } @online{keshet:20170110:client:5352952, author = {Lior Keshet and Limor Kessem}, title = {{Client Maximus: New Remote Overlay Malware Highlights Rising Malcode Sophistication in Brazil}}, date = {2017-01-10}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/}, language = {English}, urldate = {2020-01-07} } @online{keskin:20230526:stop:4b93bad, author = {Emirhan KESKİN}, title = {{Stop Ransomware}}, date = {2023-05-26}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view}, language = {English}, urldate = {2023-05-30} } @online{kessem:20130807:thieves:f60d69b, author = {Limor Kessem}, title = {{Thieves Reaching for Linux—”Hand of Thief” Trojan Targets Linux #INTH3WILD}}, date = {2013-08-07}, organization = {RSA}, url = {https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/}, language = {English}, urldate = {2020-03-02} } @online{kessem:20150812:tinba:250e880, author = {Limor Kessem}, title = {{Tinba Trojan Sets Its Sights on Romania}}, date = {2015-08-12}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20150831:shifu:389070d, author = {Limor Kessem and Ilya Kolmanovich and Denis Laskov}, title = {{Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks}}, date = {2015-08-31}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/}, language = {English}, urldate = {2020-10-23} } @online{kessem:20160414:meet:16351ef, author = {Limor Kessem and Lior Keshet}, title = {{Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim}}, date = {2016-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20160708:gootkit:ed75518, author = {Limor Kessem}, title = {{GootKit: Bobbing and Weaving to Avoid Prying Eyes}}, date = {2016-07-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20160816:brazil:0bc05a3, author = {Limor Kessem and Denis Laskov and Ziv Eli}, title = {{Brazil Can’t Catch a Break: After Panda Comes the Sphinx}}, date = {2016-08-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/}, language = {English}, urldate = {2020-01-08} } @online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } @online{kessem:20170126:around:eaefc0c, author = {Limor Kessem}, title = {{Around the World With Zeus Sphinx: From Canada to Australia and Back}}, date = {2017-01-26}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} } @online{kessem:20170615:zeus:7c4b8e4, author = {Limor Kessem}, title = {{Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?}}, date = {2017-06-15}, url = {https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/}, language = {English}, urldate = {2019-12-02} } @online{kessem:20170727:after:10c4ba5, author = {Limor Kessem and Shachar Gritzman}, title = {{After Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play}}, date = {2017-07-27}, organization = {Security Intelligence}, url = {https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/}, language = {English}, urldate = {2019-12-06} } @online{kessem:20171011:trickbot:57ebc20, author = {Limor Kessem}, title = {{TrickBot Takes to Latin America, Continues to Expand Its Global Reach}}, date = {2017-10-11}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/}, language = {English}, urldate = {2020-01-08} } @online{kessem:20171113:new:bb937fd, author = {Limor Kessem and Maor Wiesen and Tal Darsan and Tomer Agayev}, title = {{New Banking Trojan IcedID Discovered by IBM X-Force Research}}, date = {2017-11-13}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/}, language = {English}, urldate = {2019-11-27} } @online{kessem:20180822:backswap:73c04f5, author = {Limor Kessem}, title = {{BackSwap Malware Now Targets Six Banks in Spain}}, date = {2018-08-22}, organization = {IBM}, url = {https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/}, language = {English}, urldate = {2019-12-20} } @online{kessem:20180904:camubot:d0c8b12, author = {Limor Kessem and Maor Wiesen}, title = {{CamuBot: New Financial Malware Targets Brazilian Banking Customers}}, date = {2018-09-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/}, language = {English}, urldate = {2020-01-13} } @online{kessem:20190516:goznym:cb4a177, author = {Limor Kessem}, title = {{GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation}}, date = {2019-05-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/}, language = {English}, urldate = {2019-12-05} } @online{kessem:20210428:sodinokibi:38fd348, author = {Limor Kessem}, title = {{The Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupts Organizations for Trade Secrets and Cash}}, date = {2021-04-28}, organization = {IBM}, url = {https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/}, language = {English}, urldate = {2021-05-03} } @online{kessem:20210510:shedding:c49ddab, author = {Limor Kessem}, title = {{Shedding Light on the DarkSide Ransomware Attack}}, date = {2021-05-10}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/}, language = {English}, urldate = {2021-05-11} } @online{kessem:20220131:topranking:4f697c1, author = {Limor Kessem and Itzik Chimino}, title = {{Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data}}, date = {2022-01-31}, organization = {IBM}, url = {https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/}, language = {English}, urldate = {2022-02-02} } @online{kestenberg:20240417:attackers:6ee606e, author = {Hagai Ran Kestenberg and Yossi Weizman}, title = {{Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters}}, date = {2024-04-17}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/}, language = {English}, urldate = {2024-04-23} } @online{kgnfth:20220424:github:214a0da, author = {kgnfth}, title = {{Github Repository for Stealerium}}, date = {2022-04-24}, organization = {Github (Stealerium)}, url = {https://github.com/Stealerium/Stealerium}, language = {English}, urldate = {2023-02-13} } @online{khader:20250421:unmasking:10dbcde, author = {Mohideen Abdul Khader}, title = {{Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation}}, date = {2025-04-21}, organization = {Trellix}, url = {https://www.trellix.com/en-ca/blogs/research/lumma-stealer-analysis/}, language = {English}, urldate = {2025-05-19} } @techreport{khadgi:20240301:comprehensive:53a5ef7, author = {Nischal khadgi}, title = {{A Comprehensive Overview on Stealer Malware Families}}, date = {2024-03-01}, institution = {Logpoint}, url = {https://www.logpoint.com/wp-content/uploads/2024/03/logpoint-etpr-a-comprehensive-overview-on-stealer-malware-families.pdf}, language = {English}, urldate = {2025-06-25} } @online{khaitan:20240202:decoding:425473f, author = {Ashish Khaitan}, title = {{Decoding KillNet 2.0 and Sylhet Gang-SG Cyberattack Plans for 2024}}, date = {2024-02-02}, organization = {The Cyber Express}, url = {https://thecyberexpress.com/killnet-2-0-and-sylhet-gang-hackers/}, language = {English}, urldate = {2024-11-15} } @online{khaitan:20240612:hack:a73fdd3, author = {Ashish Khaitan}, title = {{Hack Alert: SN Blackmeta Claims Cyberattack on Snapchat Over Explicit Content and Alleged Political Bias!}}, date = {2024-06-12}, organization = {The Cyber Express}, url = {https://thecyberexpress.com/sn-blackmeta-claim-snapchat-cyberattack/}, language = {English}, urldate = {2024-11-04} } @online{khalil:20230606:redline:615fc1d, author = {Michelle Khalil}, title = {{RedLine Technical Analysis Report}}, date = {2023-06-06}, organization = {Apophis133}, url = {https://web.archive.org/web/20230606224056/https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152}, language = {English}, urldate = {2023-07-08} } @online{khan:20210831:exposing:c1c5458, author = {Ahmad Muneeb Khan and Syed Hasan Akhtar}, title = {{Exposing Sidewinder’s Arsenal against Windows}}, date = {2021-08-31}, organization = {ebryx}, url = {https://blog.ebryx.com/2021/08/31/exposing-sidewinders-arsenal-against-windows.html}, language = {English}, urldate = {2021-11-17} } @online{khan:20211026:unraveling:d14a1e9, author = {Ahmad Muneeb Khan and Syed Hasan Akhtar and Farrukh Shahzad}, title = {{Unraveling Confucius’ Espionage Campaigns}}, date = {2021-10-26}, organization = {ebryx}, url = {https://blog.ebryx.com/2021/10/26/unraveling-confucius-espionage-campaigns.html}, language = {English}, urldate = {2021-11-17} } @online{khan:20220810:bluesky:a8e0325, author = {Muhammad Umer Khan and Lee Wei and Yang Ji and Wenjun Hu}, title = {{BlueSky Ransomware: Fast Encryption via Multithreading}}, date = {2022-08-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bluesky-ransomware/}, language = {English}, urldate = {2022-09-06} } @online{khan:20230921:secrets:528e7f1, author = {Shayan Ahmed Khan}, title = {{Secrets of commercial RATs! NanoCore dissected}}, date = {2023-09-21}, organization = {Medium shaddy43}, url = {https://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3}, language = {English}, urldate = {2024-05-07} } @online{khan:20231113:decrypting:084fa51, author = {Shayan Ahmed Khan}, title = {{Decrypting the Mystery of MedusaLocker}}, date = {2023-11-13}, organization = {Medium shaddy43}, url = {https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0}, language = {English}, urldate = {2024-05-07} } @online{khan:20231126:from:ac9a982, author = {Shayan Ahmed Khan}, title = {{From Infection to Encryption: Tracing the Impact of RYUK Ransomware}}, date = {2023-11-26}, organization = {Medium shaddy43}, url = {https://medium.com/@shaddy43/from-infection-to-encryption-tracing-the-impact-of-ryuk-ransomware-64bd8656781c}, language = {English}, urldate = {2024-05-07} } @online{khan:20240124:layers:a567afe, author = {Shayan Ahmed Khan}, title = {{Layers of Deception: Analyzing the Complex Stages of XLoader 4.3 Malware Evolution}}, date = {2024-01-24}, organization = {Medium shaddy43}, url = {https://medium.com/@shaddy43/layers-of-deception-analyzing-the-complex-stages-of-xloader-4-3-malware-evolution-2dcb550b98d9}, language = {English}, urldate = {2024-05-21} } @online{khan:20241028:emotet:26c4ca8, author = {Shayan Ahmed Khan}, title = {{Emotet Malware Analysis}}, date = {2024-10-28}, organization = {Medium shaddy43}, url = {https://shaddy43.github.io/MalwareAnalysisSeries/Emotet/}, language = {English}, urldate = {2024-10-29} } @online{khandelwal:20200608:red:ff4aae7, author = {Shantanu Khandelwal}, title = {{Red Team: Using SharpChisel to exfil internal network}}, date = {2020-06-08}, organization = {Medium shantanukhande}, url = {https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49}, language = {English}, urldate = {2020-08-18} } @online{khandelwal:20241015:phish:7875983, author = {Gourav Khandelwal and Akash Chaudhuri and Matthew Mesa and Sagar Patil and Uri Oren and Krithika Ramakrishnan}, title = {{Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack}}, date = {2024-10-15}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/phish-click-breach-hunting-for-a-sophisticated-cyber-attack/4267916}, language = {English}, urldate = {2025-03-05} } @techreport{khanna:20210506:threat:61ba9ba, author = {Anurag Khanna and Thirumalai Natarajan Muthiah}, title = {{Threat Hunting in Active Directory Environment}}, date = {2021-05-06}, institution = {Black Hat}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as-21-Khanna-Threat-Hunting-In-Active-Directory-Environment.pdf}, language = {English}, urldate = {2021-09-22} } @online{khanna:20210901:threat:e4d67de, author = {Anurag Khanna and Thirumalai Natarajan Muthiah}, title = {{Threat Hunting in Active Directory Environment}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=lBIaLmvVpBE}, language = {English}, urldate = {2021-09-22} } @online{khanse:20170301:poorly:1107be6, author = {Anand Khanse}, title = {{Poorly coded Lamdelin Lockscreen Ransomware lets you in using Alt+F4}}, date = {2017-03-01}, organization = {The Windows Club}, url = {http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/}, language = {English}, urldate = {2019-07-09} } @online{khanzada:20220215:new:822e8f9, author = {Saqib Khanzada and Tyler Halfpop and Micah Yates and Brad Duncan}, title = {{New Emotet Infection Method}}, date = {2022-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-emotet-infection-method/}, language = {English}, urldate = {2022-02-17} } @online{khanzada:20220519:weaponization:969a179, author = {Saqib Khanzada}, title = {{Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies}}, date = {2022-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain}, language = {English}, urldate = {2022-05-23} } @online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } @techreport{kharouni:20141027:operation:1b13f15, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10-27}, institution = {Trend Micro}, url = {https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2020-09-15} } @techreport{kharouni:201410:operation:f1d1705, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2019-11-28} } @online{khasaia:20170717:wmighost:20b59d3, author = {Lasha Khasaia}, title = {{WMIGhost / Wimmie - WMI malware}}, date = {2017-07-17}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/WMIGhost/}, language = {English}, urldate = {2019-12-24} } @online{khasaia:20180319:reversing:f6a3e7c, author = {Lasha Khasaia}, title = {{Reversing iBank Trojan [Injection Phase]}}, date = {2018-03-19}, organization = {Secrary}, url = {https://secrary.com/ReversingMalware/iBank/}, language = {English}, urldate = {2019-10-29} } @online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } @online{khlief:20210113:reviving:552c0e8, author = {Ahmed Khlief}, title = {{Reviving MuddyC3 Used by MuddyWater (IRAN) APT}}, date = {2021-01-13}, organization = {Shells.System blog}, url = {https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/}, language = {English}, urldate = {2021-02-20} } @techreport{khodjibaev:20210104:interview:6735752, author = {Azim Khodjibaev and Dmytro Korzhevin and Kendall McKay}, title = {{Interview with a LockBit ransomware operator}}, date = {2021-01-04}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf}, language = {English}, urldate = {2021-02-17} } @online{khr0x:20230926:analyzing:56547e6, author = {khr0x and Jane}, title = {{Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities}}, date = {2023-09-26}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/lu0bot-analysis/}, language = {English}, urldate = {2024-06-10} } @online{khr0x:20240116:full:af15d6c, author = {khr0x and Jane and Maksim Mikhailov}, title = {{A Full Analysis of the Pure Malware Family: Unique and Growing Threat}}, date = {2024-01-16}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/pure-malware-family-analysis/}, language = {English}, urldate = {2024-01-31} } @online{kiat:20220201:zoom:c13e3eb, author = {Ng Choon Kiat and Angelo Del Rosario and Martin Co}, title = {{Zoom For You — SEO Poisoning to Distribute BATLOADER and Atera Agent}}, date = {2022-02-01}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/seo-poisoning-batloader-atera}, language = {English}, urldate = {2022-12-08} } @online{kichatov:20250128:cats:cdbed20, author = {Nikolay Kichatov and Sharmine Low and Pietro Albuquerque}, title = {{Cat’s out of the bag: Lynx Ransomware-as-a-Service}}, date = {2025-01-28}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/}, language = {English}, urldate = {2025-02-17} } @online{kien:20210113:re019:5b00767, author = {Tran Trung Kien and m4n0w4r}, title = {{[RE019] From A to X analyzing some real cases which used recent Emotet samples}}, date = {2021-01-13}, organization = {VinCSS}, url = {https://blog.vincss.net/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-emotet-samples/}, language = {English}, urldate = {2024-02-06} } @online{kien:20210318:re021:00caf5b, author = {Tran Trung Kien and m4n0w4r}, title = {{[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade}}, date = {2021-03-18}, organization = {VinCSS}, url = {https://blog.vincss.net/re021-qakbot-analysis-dangerous-malware-has-been-around-for-more-than-a-decade/}, language = {English}, urldate = {2024-02-06} } @online{kien:20220321:quicknote:4be36f8, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Analysis of Pandora ransomware}}, date = {2022-03-21}, organization = {VinCSS}, url = {https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/}, language = {English}, urldate = {2022-03-22} } @online{kien:20230325:quicknote:c2b9de4, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Decrypting the C2 configuration of Warzone RAT}}, date = {2023-03-25}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/}, language = {English}, urldate = {2023-03-27} } @online{kien:20230408:quicknote:e44f40f, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam}}, date = {2023-04-08}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/}, language = {English}, urldate = {2023-04-08} } @online{kien:20230706:quicknote:20dc1f1, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Examining Formbook Campaign via Phishing Emails}}, date = {2023-07-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/}, language = {English}, urldate = {2023-07-13} } @online{kien:20240106:quicknote:95134c3, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Technical Analysis of recent Pikabot Core Module}}, date = {2024-01-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2024/01/06/quicknote-technical-analysis-of-recent-pikabot-core-module/}, language = {English}, urldate = {2024-01-08} } @online{kien:20240912:quicknote:c03d98c, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] The Xworm malware is being spread through a phishing email}}, date = {2024-09-12}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2024/09/12/quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email/}, language = {English}, urldate = {2024-09-13} } @online{killbit:20201214:applying:75d0dde, author = {killbit}, title = {{Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware}}, date = {2020-12-14}, organization = {Medium Killbit}, url = {https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f}, language = {English}, urldate = {2020-12-17} } @online{kilmer:20201117:iranian:c6dfdd8, author = {Riley Kilmer}, title = {{Iranian APT Utilizing Commercial VPN Services}}, date = {2020-11-17}, organization = {SPUR}, url = {https://spur.us/iranian-apt-utilizing-commercial-vpn-services/}, language = {English}, urldate = {2024-03-28} } @online{kilmer:20221127:big:4e99c84, author = {Riley Kilmer}, title = {{Big Socks to Fill: Tracking the Next 911RE}}, date = {2022-11-27}, organization = {SPUR}, url = {https://spur.us/big-socks-to-fill-tracking-the-next-911re/}, language = {English}, urldate = {2024-03-28} } @online{kilmer:20230517:identifying:cd304f7, author = {Riley Kilmer}, title = {{Identifying the Nexus of Scaled Ad Fraud}}, date = {2023-05-17}, organization = {SPUR}, url = {https://spur.us/identifying-the-nexus-of-scaled-ad-fraud/}, language = {English}, urldate = {2024-03-28} } @online{kilmer:20230726:christmas:5221879, author = {Riley Kilmer}, title = {{Christmas in July: A finely wrapped Malware Proxy Service}}, date = {2023-07-26}, organization = {SPUR}, url = {https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/}, language = {English}, urldate = {2023-07-31} } @online{kim:20180720:cyberattack:ac7f5e4, author = {Jack Kim}, title = {{Cyberattack on Singapore health database steals details of 1.5 million, including PM}}, date = {2018-07-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J}, language = {English}, urldate = {2020-01-08} } @techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } @online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } @online{kim:20210524:deep:6cef7f7, author = {Seunghoe Kim}, title = {{Deep Analysis of Raccoon Stealer}}, date = {2021-05-24}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949}, language = {Korean}, urldate = {2021-06-16} } @techreport{kim:20210625:attack:d4ae440, author = {Kayoung Kim and Dongwook Kim and Taewoo Lee and Seulgi Lee}, title = {{Attack patterns in AD environment}}, date = {2021-06-25}, institution = {KrCert}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf}, language = {English}, urldate = {2021-06-29} } @online{kim:20210707:deep:3903b28, author = {Seunghoe Kim}, title = {{Deep analysis of KPOT Stealer}}, date = {2021-07-07}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd}, language = {English}, urldate = {2021-07-09} } @online{kim:20210714:matryoshka:6c8d267, author = {Jaeki Kim}, title = {{Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)}}, date = {2021-07-14}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48}, language = {English}, urldate = {2021-07-20} } @online{kim:20210722:w4:c901bea, author = {Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim}, title = {{W4 July | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-07-22}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a}, language = {English}, urldate = {2021-07-26} } @online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } @techreport{kim:20220218:method:4b41876, author = {Giyoon Kim and Soram Kim and Soojin Kang and Jongsung Kim}, title = {{A Method for Decrypting Data Infected with Hive Ransomware}}, date = {2022-02-18}, institution = {Kookmin University}, url = {https://arxiv.org/pdf/2202.08477.pdf}, language = {English}, urldate = {2022-02-19} } @online{kim:20220303:deep:3cac6e2, author = {Jiho Kim}, title = {{Deep Analysis of Redline Stealer: Leaked Credential with WCF}}, date = {2022-03-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904}, language = {English}, urldate = {2022-03-07} } @online{kim:20220401:rising:8510271, author = {Jiho Kim}, title = {{Rising Stealer in Q1 2022: BlackGuard Stealer}}, date = {2022-04-01}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5}, language = {English}, urldate = {2022-04-15} } @online{kim:20220512:history:03c1535, author = {Jiho Kim}, title = {{The History of BlackGuard Stealer}}, date = {2022-05-12}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4}, language = {English}, urldate = {2022-05-17} } @online{kim:20230227:lumma:9f3f99f, author = {Jiho Kim and Lee Sebin}, title = {{Lumma Stealer targets YouTubers via Spear-phishing Email}}, date = {2023-02-27}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7}, language = {English}, urldate = {2023-03-13} } @techreport{kim:20240125:lazarus:d66d8ee, author = {Dongwook Kim and Seulgi Lee}, title = {{Lazarus Group’s Large-scale Threats via Watering Hole and Financial Software}}, date = {2024-01-25}, institution = {JSAC 2024}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf}, language = {English}, urldate = {2024-01-31} } @online{kim:20240207:kimsuky:0c3931d, author = {Jiho Kim and Sebin Lee}, title = {{Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer}}, date = {2024-02-07}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2}, language = {English}, urldate = {2024-02-09} } @techreport{kim:20250121:analysis:d3eed03, author = {Dongwook Kim and Seulgi Lee}, title = {{Analysis of Attack Strategies Targeting Centralized Management Solutions}}, date = {2025-01-21}, institution = {KrCert}, url = {https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_7_dongwook-kim_seulgi-lee_en.pdf}, language = {English}, urldate = {2025-03-27} } @online{kimayong:20180213:new:b8d70e2, author = {Paul Kimayong}, title = {{New Gootkit Banking Trojan variant pushes the limits on evasive behavior}}, date = {2018-02-13}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055}, language = {English}, urldate = {2019-12-10} } @online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} } @online{kimayong:20190926:masad:0f8ea5a, author = {Paul Kimayong}, title = {{Masad Stealer: Exfiltrating using Telegram}}, date = {2019-09-26}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram}, language = {English}, urldate = {2020-09-03} } @online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} } @online{kimayong:20200812:icedid:b40f8b4, author = {Paul Kimayong}, title = {{IcedID Campaign Strikes Back}}, date = {2020-08-12}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back}, language = {English}, urldate = {2020-08-27} } @online{kimayong:20201005:new:739309f, author = {Paul Kimayong}, title = {{New pastebin-like service used in multiple malware campaigns}}, date = {2020-10-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns}, language = {English}, urldate = {2020-10-07} } @online{kimayong:20201201:darkirc:f22ae7d, author = {Paul Kimayong}, title = {{DarkIRC bot exploits recent Oracle WebLogic vulnerability}}, date = {2020-12-01}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability}, language = {English}, urldate = {2021-03-30} } @online{kimayong:20210408:sysrv:c1cbc71, author = {Paul Kimayong}, title = {{Sysrv Botnet Expands and Gains Persistence}}, date = {2021-04-08}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence}, language = {English}, urldate = {2021-04-12} } @online{kimayong:20210908:aggah:8508369, author = {Paul Kimayong}, title = {{Aggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware}}, date = {2021-09-08}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware}, language = {English}, urldate = {2021-09-10} } @online{kimayong:20211011:necro:9b112bd, author = {Paul Kimayong}, title = {{Necro Python Botnet Goes After Vulnerable VisualTools DVR}}, date = {2021-10-11}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr}, language = {English}, urldate = {2021-10-25} } @online{kimayong:20220324:muhstik:b70f2b9, author = {Paul Kimayong}, title = {{Muhstik Gang targets Redis Servers}}, date = {2022-03-24}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers}, language = {English}, urldate = {2022-03-28} } @online{kimayong:20220831:asbit:611ae9b, author = {Paul Kimayong}, title = {{Asbit: An Emerging Remote Desktop Trojan}}, date = {2022-08-31}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan}, language = {English}, urldate = {2022-09-01} } @online{kimayong:20230828:dreambus:8065a04, author = {Paul Kimayong}, title = {{DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability}}, date = {2023-08-28}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability}, language = {English}, urldate = {2023-08-31} } @online{kimberly:20110804:analysis:fcb91de, author = {Kimberly}, title = {{Analysis of ngrBot}}, date = {2011-08-04}, organization = {Stop Malvertising Rootkits}, url = {http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html}, language = {English}, urldate = {2019-12-04} } @online{kimberly:20120420:analysis:6fe646f, author = {Kimberly}, title = {{Analysis of DarkMegi aka NpcDark}}, date = {2012-04-20}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html}, language = {English}, urldate = {2020-01-09} } @online{kimberly:20140427:analysis:a034e60, author = {Kimberly}, title = {{Analysis of the Predator Pain Keylogger}}, date = {2014-04-27}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html}, language = {English}, urldate = {2019-11-24} } @online{kimberly:20140716:mini:58ac768, author = {Kimberly}, title = {{Mini Analysis of the TinyBanker Tinba}}, date = {2014-07-16}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html}, language = {English}, urldate = {2020-01-08} } @online{kimberly:20140831:introduction:eb2cc6b, author = {Kimberly}, title = {{Introduction to the ZeroLocker ransomware}}, date = {2014-08-31}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html}, language = {English}, urldate = {2020-01-13} } @online{kimberly:20191010:malware:032ed3c, author = {Kimberly}, title = {{Tweet on Malware Sample}}, date = {2019-10-10}, organization = {Twitter (@StopMalvertisin)}, url = {https://twitter.com/StopMalvertisin/status/1182505434231398401}, language = {English}, urldate = {2020-01-10} } @online{kimura:20230109:gootkit:585185a, author = {Hitomi Kimura and Ryan Maglaque and Fe Cureg and Trent Bessell}, title = {{Gootkit Loader Actively Targets Australian Healthcare Industry}}, date = {2023-01-09}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html}, language = {English}, urldate = {2023-11-13} } @online{king:20200212:ryuk:720c14e, author = {Rachel E. King and AC}, title = {{Ryuk Ransomware Technical Analysis}}, date = {2020-02-12}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/}, language = {English}, urldate = {2020-11-19} } @online{kingdom:20220324:uk:c1b6350, author = {Government of United Kingdom}, title = {{UK exposes Russian spy agency behind cyber incidents}}, date = {2022-03-24}, organization = {Government of United Kingdom}, url = {https://www.gov.uk/government/news/uk-exposes-russian-spy-agency-behind-cyber-incidents}, language = {English}, urldate = {2022-03-25} } @online{kingdom:20220405:russias:58a2500, author = {Government of United Kingdom}, title = {{Russia's FSB malign activity: factsheet}}, date = {2022-04-05}, organization = {Government of United Kingdom}, url = {https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet}, language = {English}, urldate = {2022-04-07} } @online{kingkimgim:20230213:dalbit:a256572, author = {kingkimgim}, title = {{Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign}}, date = {2023-02-13}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/47455/}, language = {English}, urldate = {2023-11-17} } @online{kinion:20250620:zooming:4c81449, author = {Kenneth Kinion}, title = {{Zooming through BlueNoroff Indicators with Validin}}, date = {2025-06-20}, organization = {Validin}, url = {https://www.validin.com/blog/zooming_through_bluenoroff_pivots/}, language = {English}, urldate = {2025-06-23} } @online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } @online{kino:20200227:malware:a3da71c, author = {Kota Kino}, title = {{Malware “LODEINFO” Targeting Japan}}, date = {2020-02-27}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html}, language = {English}, urldate = {2022-12-20} } @online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } @online{kino:20201210:attack:cd8c552, author = {Kota Kino}, title = {{Attack Activities by Quasar Family}}, date = {2020-12-10}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html}, language = {English}, urldate = {2020-12-10} } @online{kino:20210218:further:c4352ca, author = {Kota Kino}, title = {{Further Updates in LODEINFO Malware}}, date = {2021-02-18}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html}, language = {English}, urldate = {2021-02-18} } @online{kino:20210604:php:9178d39, author = {Kota Kino}, title = {{PHP Malware Used in Lucky Visitor Scam}}, date = {2021-06-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/06/php_malware.html}, language = {English}, urldate = {2021-06-16} } @online{kipp:20201216:trend:29b2a2d, author = {Jesse Kipp and Malavika Balachandran Tadeusz}, title = {{Trend data on the SolarWinds Orion compromise}}, date = {2020-12-16}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/}, language = {English}, urldate = {2020-12-18} } @online{kirchgaessner:20210718:revealed:564f1ee, author = {Stephanie Kirchgaessner and Paul Lewis and David Pegg and Sam Cutler and Nina Lakhani and Michael Safi}, title = {{Revealed: leak uncovers global abuse of cyber-surveillance weapon}}, date = {2021-07-18}, organization = {The Guardian}, url = {https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus}, language = {English}, urldate = {2021-07-24} } @online{kirchgaessner:20210718:saudis:df03df6, author = {Stephanie Kirchgaessner}, title = {{Saudis behind NSO spyware attack on Jamal Khashoggi’s family, leak suggests}}, date = {2021-07-18}, organization = {The Guardian}, url = {https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus}, language = {English}, urldate = {2021-07-24} } @online{kirichenko:20230911:from:7fe2d83, author = {Alexander Kirichenko and Gleb Ivanov}, title = {{From Caribbean shores to your devices: analyzing Cuba ransomware}}, date = {2023-09-11}, organization = {Kaspersky}, url = {https://securelist.com/cuba-ransomware/110533/}, language = {English}, urldate = {2023-09-13} } @online{kirk:20110726:spyeye:a7ad044, author = {Jeremy Kirk}, title = {{SpyEye Trojan defeating online banking defenses}}, date = {2011-07-26}, organization = {Computerworld}, url = {https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html}, language = {English}, urldate = {2020-01-13} } @online{kirk:20120104:spyeye:3ecb013, author = {Jeremy Kirk}, title = {{SpyEye Malware Borrows Zeus Trick to Mask Fraud}}, date = {2012-01-04}, organization = {PCWorld}, url = {https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html}, language = {English}, urldate = {2020-01-08} } @online{kirk:20160221:source:dfeba08, author = {Jeremy Kirk}, title = {{Source code for powerful Android banking malware is leaked}}, date = {2016-02-21}, url = {https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html}, language = {English}, urldate = {2019-10-29} } @online{kirk:20220404:ransomware:168f0da, author = {Jeremy Kirk}, title = {{The Ransomware Files, Episode 6: Kaseya and REvil}}, date = {2022-04-04}, organization = {Bankinfo Security}, url = {https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045}, language = {English}, urldate = {2022-04-07} } @online{kirk:20230302:bluehat:e91d4c1, author = {Laurie Kirk}, title = {{BlueHat 2023 Lightning Talk: Android Malware Obfuscation}}, date = {2023-03-02}, organization = {YouTube (Microsoft Security)}, url = {https://www.youtube.com/watch?v=sP57_65hQbM}, language = {English}, urldate = {2023-03-13} } @online{kirk:20230922:unmasking:45aeb08, author = {Laurie Kirk}, title = {{Unmasking the Godfather}}, date = {2023-09-22}, organization = {Github (LaurieWired)}, url = {https://github.com/LaurieWired/StrangeLoop}, language = {English}, urldate = {2023-10-10} } @online{kirtar:20230828:defender:46345ce, author = {Kirtar}, title = {{Defender Experts Chronicles: A Deep Dive into Storm-0867}}, date = {2023-08-28}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769}, language = {English}, urldate = {2024-02-08} } @techreport{kisa:20201215:operation:3972195, author = {KISA}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2020-12-16} } @techreport{kisa:20220914:ttps7:cd9faff, author = {KISA}, title = {{TTPs#7: Analysis on Lateral Movement Strategy Using SMB/Admin Share}}, date = {2022-09-14}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=3669&attach_file_id=EpF3669.pdf}, language = {English}, urldate = {2022-09-19} } @online{kivilevich:20200530:exposing:638865b, author = {Victoria Kivilevich and Sharon Bitton}, title = {{Exposing the UAE’s Underground Digital Dangers: The Attack Surface of One of the Most Digitally Advanced Countries in the Arab World}}, date = {2020-05-30}, organization = {KELA}, url = {https://ke-la.com/exposing-the-uaes-underground-digital-dangers-the-attack-surface-of-one-of-the-most-digitally-advanced-countries-in-the-arab-world/}, language = {English}, urldate = {2021-06-09} } @online{kivilevich:20200824:torum:c048dcb, author = {Victoria Kivilevich}, title = {{Torum is Dead. Long Live CryptBB?}}, date = {2020-08-24}, organization = {KELA}, url = {https://ke-la.com/torum-is-dead-long-live-cryptbb/}, language = {English}, urldate = {2021-05-08} } @online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } @online{kivilevich:20200914:back:f0623ee, author = {Victoria Kivilevich and Sharon Bitton}, title = {{Back to School: Why Cybercriminals Continue to Target the Education Sector | Part Two}}, date = {2020-09-14}, organization = {KELA}, url = {https://ke-la.com/back-to-school-why-cybercriminals-continue-to-target-the-education-sector-2/}, language = {English}, urldate = {2021-05-07} } @online{kivilevich:20200918:initial:3f08285, author = {Victoria Kivilevich and Raveed Laeb}, title = {{The Initial Access Broker’s Toolbox – Remote Monitoring and Management}}, date = {2020-09-18}, organization = {KELA}, url = {https://ke-la.com/the-initial-access-brokers-toolbox-remote-monitoring-and-management/}, language = {English}, urldate = {2021-05-07} } @online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } @online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } @online{kivilevich:20201203:easy:bae365d, author = {Victoria Kivilevich}, title = {{Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked}}, date = {2020-12-03}, organization = {KELA}, url = {https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/}, language = {English}, urldate = {2021-01-01} } @online{kivilevich:20210131:1:1bd60a2, author = {Victoria Kivilevich}, title = {{$1 Million is Just the Beginning: Q4 2020 in Network Access Sales}}, date = {2021-01-31}, organization = {KELA}, url = {https://ke-la.com/1-million-is-just-the-beginning-q4-2020-in-network-access-sales/}, language = {English}, urldate = {2021-02-02} } @online{kivilevich:20210216:dark:01ba056, author = {Victoria Kivilevich and Sharon Bitton}, title = {{Dark Net Markets Going Out of Business: Where are Users Headed to Next?}}, date = {2021-02-16}, organization = {KELA}, url = {https://ke-la.com/dark-net-markets-going-out-of-business-where-are-users-headed-to-next/}, language = {English}, urldate = {2021-03-30} } @online{kivilevich:20210708:ransomware:2078c8b, author = {Victoria Kivilevich}, title = {{Ransomware Gangs are Starting to Look Like Ocean’s 11}}, date = {2021-07-08}, organization = {KELA}, url = {https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/}, language = {English}, urldate = {2021-07-12} } @online{kivilevich:20210728:new:7d537c8, author = {Victoria Kivilevich}, title = {{New Russian-Speaking Forum – A New Place for RaaS?}}, date = {2021-07-28}, organization = {KELA}, url = {https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/}, language = {English}, urldate = {2021-07-29} } @online{kivilevich:20210802:all:fcdcc7e, author = {Victoria Kivilevich}, title = {{All Access Pass: Five Trends with Initial Access Brokers}}, date = {2021-08-02}, organization = {KELA}, url = {https://ke-la.com/all-access-pass-five-trends-with-initial-access-brokers/}, language = {English}, urldate = {2021-08-02} } @online{kivilevich:20210906:ideal:737307f, author = {Victoria Kivilevich}, title = {{The Ideal Ransomware Victim: What Attackers Are Looking For}}, date = {2021-09-06}, organization = {KELA}, url = {https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/}, language = {English}, urldate = {2021-11-02} } @online{kivilevich:20211025:will:44e51be, author = {Victoria Kivilevich}, title = {{Will the REvil Story Finally be Over?}}, date = {2021-10-25}, organization = {KELA}, url = {https://ke-la.com/will-the-revils-story-finally-be-over/}, language = {English}, urldate = {2021-11-09} } @online{kivva:20160606:everyone:ee770c6, author = {Anton Kivva}, title = {{Everyone sees not what they want to see}}, date = {2016-06-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/}, language = {English}, urldate = {2019-12-20} } @online{kiwi:20110428:un:4c39d1d, author = {Gentil Kiwi}, title = {{Un observateur d’événements aveugle…}}, date = {2011-04-28}, url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle}, language = {English}, urldate = {2020-01-07} } @online{kiyotaka:20180329:chessmaster:c48e1c0, author = {Tamada Kiyotaka and MingYen Hsieh}, title = {{ChessMaster Adds Updated Tools to Its Arsenal}}, date = {2018-03-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/}, language = {English}, urldate = {2020-01-08} } @techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } @online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } @online{kleczynski:20210119:malwarebytes:2fe3d7d, author = {Marcin Kleczynski}, title = {{Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments}}, date = {2021-01-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments/}, language = {English}, urldate = {2021-01-21} } @online{kleemola:20130802:surtr:a1bc558, author = {Katie Kleemola and Seth Hardy}, title = {{Surtr Malware Family Targeting the Tibetan Community}}, date = {2013-08-02}, organization = {CitizenLab}, url = {https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/}, language = {English}, urldate = {2021-01-29} } @online{klein:20120215:merchant:b6f5565, author = {Amit Klein}, title = {{Merchant of Fraud Returns: Shylock Polymorphic Financial Malware Infections on the Rise}}, date = {2012-02-15}, organization = {Security Intelligence}, url = {https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/}, language = {English}, urldate = {2019-11-23} } @online{klein:20210222:economic:904a7ed, author = {Beatriz Pimenta Klein}, title = {{Economic Growth, Digital Inclusion, & Specialized Crime: Financial Cyber Fraud in LATAM}}, date = {2021-02-22}, organization = {AdvIntel}, url = {https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam}, language = {English}, urldate = {2022-02-16} } @online{klein:20230613:ics:4c41f7a, author = {Beatriz Pimenta Klein}, title = {{ICS attack classifications: differentiating between cyberwarfare, cyberterrorism, and hacktivism}}, date = {2023-06-13}, organization = {Outpost24}, url = {https://outpost24.com/blog/ics-attack-classifications/}, language = {English}, urldate = {2023-12-28} } @online{kleinhen:20190603:code:3634038, author = {Derek Kleinhen}, title = {{Code Analysis of Basic Cryptomining Malware}}, date = {2019-06-03}, organization = {Kindred Security}, url = {https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/}, language = {English}, urldate = {2020-01-06} } @techreport{kleinhen:20191210:swort:ab1b863, author = {Derek Kleinhen}, title = {{Swort PowerShell Stager Analysis}}, date = {2019-12-10}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{kleinhen:20191224:bashar:944cfdf, author = {Derek Kleinhen}, title = {{Bashar Bachir Infection Chain Analysis}}, date = {2019-12-24}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf}, language = {English}, urldate = {2020-01-10} } @online{kleissner:20130326:behind:d12032a, author = {Peter Kleissner}, title = {{Behind MultiBanker, what the security industry doesn’t tell you and its money mule network}}, date = {2013-03-26}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=69}, language = {English}, urldate = {2019-12-20} } @online{kleissner:20130521:news:b67b754, author = {Peter Kleissner}, title = {{News on MultiBanker, features now a jabber p2p functionality}}, date = {2013-05-21}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=192}, language = {English}, urldate = {2020-01-08} } @online{kleissner:20150610:pony:2dbaf47, author = {Peter Kleissner}, title = {{Pony + Pkybot + Automated Transfer System = Banker}}, date = {2015-06-10}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=788}, language = {English}, urldate = {2020-01-08} } @techreport{kleissner:20151202:sality:791ea01, author = {Peter Kleissner}, title = {{Sality: 2003 - Today}}, date = {2015-12-02}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf}, language = {English}, urldate = {2020-01-13} } @online{kleiton0x7e:20210208:evade:2136d7f, author = {kleiton0x7e}, title = {{Evade EDR with Shellcode Injection and gain persistence using Registry Run Keys}}, date = {2021-02-08}, organization = {Medium kurtikleiton}, url = {https://kurtikleiton.medium.com/evade-avs-edr-with-shellcode-injection-159dde4dba1a}, language = {English}, urldate = {2021-02-09} } @online{klepfish:20220304:imperva:10dce07, author = {Nelli Klepfish}, title = {{Imperva Mitigates Ransom DDoS Attack Measuring 2.5 Million Requests per Second}}, date = {2022-03-04}, organization = {Imperva}, url = {https://www.imperva.com/blog/imperva-mitigates-ransom-ddos-attack-measuring-2-5-million-requests-per-second/}, language = {English}, urldate = {2022-03-07} } @online{kleymenov:20210519:colonial:e537383, author = {Alexey Kleymenov}, title = {{Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works}}, date = {2021-05-19}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/}, language = {English}, urldate = {2021-05-26} } @online{kleymenov:20220125:how:3c38376, author = {Alexey Kleymenov}, title = {{How to Analyze Malware for Technical Writing}}, date = {2022-01-25}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/}, language = {English}, urldate = {2022-02-02} } @online{klijnsma:20151130:inside:801d2d4, author = {Yonathan Klijnsma}, title = {{Inside Braviax/FakeRean: An analysis and history of a FakeAV family}}, date = {2015-11-30}, organization = {0x3A Security}, url = {https://0x3asecurity.wordpress.com/2015/11/30/134260124544/}, language = {English}, urldate = {2019-07-09} } @techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } @online{klijnsma:20171025:down:8d41ef5, author = {Yonathan Klijnsma}, title = {{Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection}}, date = {2017-10-25}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/badrabbit/}, language = {English}, urldate = {2020-01-10} } @online{klijnsma:20171026:new:8298949, author = {Yonathan Klijnsma}, title = {{New htpRAT Gives Complete Remote Control Capabilities to Chinese Cyber Threat Actors}}, date = {2017-10-26}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/htprat/}, language = {English}, urldate = {2020-01-09} } @online{klijnsma:20171102:new:d98411c, author = {Yonathan Klijnsma}, title = {{New Insights into Energetic Bear’s Watering Hole Cyber Attacks on Turkish Critical Infrastructure}}, date = {2017-11-02}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/energetic-bear/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20171128:gaffe:7c5097a, author = {Yonathan Klijnsma}, title = {{Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions}}, date = {2017-11-28}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/cobalt-strike/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20171220:mining:4b3dc11, author = {Yonathan Klijnsma}, title = {{Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry}}, date = {2017-12-20}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20180116:first:9184887, author = {Yonathan Klijnsma}, title = {{First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks}}, date = {2018-01-16}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/}, language = {English}, urldate = {2019-11-26} } @online{klijnsma:20180123:espionage:f3d28b0, author = {Yonathan Klijnsma}, title = {{Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors}}, date = {2018-01-23}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/}, language = {English}, urldate = {2019-12-24} } @online{klijnsma:20180709:inside:e92fff2, author = {Yonathan Klijnsma and Jordan Herman}, title = {{Inside and Beyond Ticketmaster: The Many Breaches of Magecart}}, date = {2018-07-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/}, language = {English}, urldate = {2020-01-12} } @online{klijnsma:20190228:magecart:e2b0173, author = {Yonathan Klijnsma}, title = {{Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime}}, date = {2019-02-28}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/}, language = {English}, urldate = {2020-01-06} } @online{klijnsma:20200318:magecart:2ee4a78, author = {Yonathan Klijnsma}, title = {{Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims}}, date = {2020-03-18}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-nutribullet/}, language = {English}, urldate = {2020-03-19} } @online{kline:20170810:globe:382859f, author = {Amanda Kline}, title = {{Globe Imposter Ransomware Makes a New Run}}, date = {2017-08-10}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run}, language = {English}, urldate = {2020-01-07} } @online{klinger:20200526:passive:8d29e47, author = {Konstantin Klinger}, title = {{Passive DNS for Threat Detection & Hunting (Discussing some infrastructure related to APT32)}}, date = {2020-05-26}, organization = {Youtube (GRIMM Cyber)}, url = {https://www.youtube.com/watch?v=ftjDH65kw6E}, language = {English}, urldate = {2020-10-12} } @online{klinger:20210617:new:2641c84, author = {Konstantin Klinger and Dennis Schwarz and Selena Larson}, title = {{New TA402 Molerats Malware Targets Governments in the Middle East}}, date = {2021-06-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east}, language = {English}, urldate = {2021-06-21} } @online{klinger:20220208:ugg:dc05453, author = {Konstantin Klinger and Joshua Miller and Georgi Mladenov}, title = {{Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage}}, date = {2022-02-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage}, language = {English}, urldate = {2022-02-09} } @online{klnai:20130408:banking:20bce4c, author = {Peter Kálnai}, title = {{Banking Trojan Carberp: An Epitaph?}}, date = {2013-04-08}, organization = {Avast}, url = {https://blog.avast.com/2013/04/08/carberp_epitaph/}, language = {English}, urldate = {2020-02-25} } @online{klnai:20130722:multisystem:907e0a4, author = {Peter Kálnai}, title = {{Multisystem Trojan Janicab attacks Windows and MacOSX via scripts}}, date = {2013-07-22}, organization = {Avast}, url = {https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/}, language = {English}, urldate = {2020-05-20} } @online{klnai:20130827:linux:02c05c7, author = {Peter Kálnai}, title = {{Linux Trojan “Hand of Thief” ungloved}}, date = {2013-08-27}, organization = {Avast}, url = {https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/}, language = {English}, urldate = {2020-03-02} } @online{klnai:20130925:win3264napolar:4f16ddc, author = {Peter Kálnai}, title = {{Win32/64:Napolar: New Trojan shines on the cyber crime-scene}}, date = {2013-09-25}, organization = {Avast}, url = {https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/}, language = {English}, urldate = {2020-02-26} } @techreport{klnai:20131029:dissecting:30488b5, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Dissecting Banking Trojan Carberp}}, date = {2013-10-29}, institution = {RSA Conference}, url = {https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf}, language = {English}, urldate = {2020-02-27} } @online{klnai:20150106:linux:d8e30ec, author = {Peter Kálnai}, title = {{Linux DDoS Trojan hiding itself with an embedded rootkit}}, date = {2015-01-06}, organization = {Avast}, url = {https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/}, language = {English}, urldate = {2020-02-25} } @techreport{klnai:201509:ddos:21c35c6, author = {Peter Kálnai and Jaromír Hořejší}, title = {{DDOS TROJAN: A MALICIOUS CONCEPT THAT CONQUERED THE ELF FORMAT}}, date = {2015-09}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf}, language = {English}, urldate = {2023-08-31} } @online{klnai:20160101:notes:100f4d8, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Notes on click fraud: American story}}, date = {2016-01-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/}, language = {English}, urldate = {2020-03-04} } @online{klnai:20161220:new:05597b1, author = {Peter Kálnai and Michal Malík}, title = {{New Linux/Rakos threat: devices and servers under SSH scan (again)}}, date = {2016-12-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20161220:new:4044e88, author = {Peter Kálnai and Michal Malík}, title = {{New Linux/Rakos threat: devices and servers under SSH scan (again)}}, date = {2016-12-20}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/}, language = {English}, urldate = {2019-12-20} } @online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20170928:moneymaking:ac6e685, author = {Peter Kálnai and Michal Poslušný}, title = {{Money‑making machine: Monero‑mining malware}}, date = {2017-09-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2023-03-27} } @techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{Lazarus Group A Mahjong Game Played with Different Sets of Tiles}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2023-08-31} } @online{klnai:20200514:mikroceen:3e541ad, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia}, language = {English}, urldate = {2022-07-25} } @online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{klnai:20220816:twitter:cb6878b, author = {Peter Kálnai and Dominik Breitenbacher}, title = {{Twitter thread about Operation In(ter)ception for macOS}}, date = {2022-08-16}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1559553324998955010}, language = {English}, urldate = {2023-08-14} } @online{klnai:20220930:amazonthemed:bf959b5, author = {Peter Kálnai}, title = {{Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium}}, date = {2022-09-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/}, language = {English}, urldate = {2023-11-27} } @techreport{klnai:20220930:lazarus:efbd75d, author = {Peter Kálnai and Matěj Havránek}, title = {{Lazarus & BYOVD: evil to the Windows core}}, date = {2022-09-30}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf}, language = {English}, urldate = {2023-07-11} } @online{klnai:20230420:linux:fd293b6, author = {Peter Kálnai and Marc-Etienne M.Léveillé}, title = {{Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack}}, date = {2023-04-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack}, language = {English}, urldate = {2023-12-14} } @online{klnai:20230929:lazarus:130bcd5, author = {Peter Kálnai}, title = {{Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company}}, date = {2023-09-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/}, language = {English}, urldate = {2023-10-18} } @techreport{klnai:20231004:lazarus:9c0141c, author = {Peter Kálnai}, title = {{Lazarus Campaigns and Backdoors in 2022-23}}, date = {2023-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf}, language = {English}, urldate = {2023-12-19} } @online{klopsch:20200322:mustang:56f3768, author = {Andreas Klopsch}, title = {{Mustang Panda joins the COVID-19 bandwagon}}, date = {2020-03-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/}, language = {English}, urldate = {2020-03-27} } @online{klopsch:20200330:old:ed1f6ef, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 1}}, date = {2020-03-30}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/}, language = {English}, urldate = {2020-04-01} } @online{klopsch:20200505:old:84beb5b, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 3}}, date = {2020-05-05}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/}, language = {English}, urldate = {2020-05-05} } @online{klopsch:20200524:examining:842b499, author = {Andreas Klopsch}, title = {{Examining Smokeloader’s Anti Hooking technique}}, date = {2020-05-24}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/}, language = {English}, urldate = {2020-05-25} } @online{klopsch:20200610:harmful:c46175f, author = {Andreas Klopsch}, title = {{Harmful Logging - Diving into MassLogger}}, date = {2020-06-10}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger}, language = {English}, urldate = {2020-06-10} } @online{klopsch:20200621:upnp:f54abe6, author = {Andreas Klopsch}, title = {{UpnP – Messing up Security since years}}, date = {2020-06-21}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/upnp-messing-up-security-since-years/}, language = {English}, urldate = {2020-06-22} } @online{klopsch:20200712:deobfuscating:a374688, author = {Andreas Klopsch}, title = {{Deobfuscating DanaBot’s API Hashing}}, date = {2020-07-12}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/deobfuscating-danabots-api-hashing/}, language = {English}, urldate = {2020-07-15} } @online{klopsch:20210124:catching:3a3897f, author = {Andreas Klopsch}, title = {{Catching Debuggers with Section Hashing}}, date = {2021-01-24}, organization = {malwareandstuff blog}, url = {https://malwareandstuff.com/catching-debuggers-with-section-hashing/}, language = {English}, urldate = {2021-02-06} } @online{klopsch:20210822:peb:c8b9cea, author = {Andreas Klopsch}, title = {{PEB: Where Magic Is Stored}}, date = {2021-08-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/peb-where-magic-is-stored/}, language = {English}, urldate = {2021-09-19} } @online{klopsch:20220504:attacking:750e07f, author = {Andreas Klopsch}, title = {{Attacking Emotet’s Control Flow Flattening}}, date = {2022-05-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/}, language = {English}, urldate = {2022-05-05} } @online{klopsch:20221004:remove:a8a9121, author = {Andreas Klopsch}, title = {{Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse}}, date = {2022-10-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/}, language = {English}, urldate = {2022-10-24} } @online{klopsch:20221213:signed:9d26a63, author = {Andreas Klopsch and Andrew Brandt}, title = {{Signed driver malware moves up the software trust chain}}, date = {2022-12-13}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/}, language = {English}, urldate = {2023-09-13} } @online{klopsch:20230419:aukill:cebf5d8, author = {Andreas Klopsch}, title = {{‘AuKill’ EDR killer malware abuses Process Explorer driver}}, date = {2023-04-19}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/}, language = {English}, urldate = {2023-04-22} } @online{klys:20210124:only:57d75f9, author = {Przemyslaw Klys}, title = {{The only command you will ever need to understand and fix your Group Policies (GPO)}}, date = {2021-01-24}, organization = {evotec}, url = {https://evotec.xyz/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpo/}, language = {English}, urldate = {2021-02-06} } @online{kmerolla:20150731:otx:0dc083c, author = {KMEROLLA}, title = {{OTX Pulse on PlugX}}, date = {2015-07-31}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/}, language = {English}, urldate = {2020-01-08} } @online{kmerolla:20150731:otx:7c24069, author = {KMEROLLA}, title = {{OTX: FBI Flash #68 (PlugX)}}, date = {2015-07-31}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393}, language = {English}, urldate = {2022-08-30} } @online{kn0sorganization:20230529:blacklotus:a73a7a0, author = {kn0s-organization}, title = {{BlackLotus stage 2 bootkit-rootkit analysis}}, date = {2023-05-29}, url = {https://kn0s-organization.gitbook.io/blacklotus-analysis-stage2-bootkit-rootkit-stage/}, language = {English}, urldate = {2023-06-05} } @online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } @online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } @online{knapczyk:20250414:proton66:7832092, author = {Pawel Knapczyk and Dawid Nesterowicz}, title = {{Proton66 Part 1: Mass Scanning and Exploit Campaigns}}, date = {2025-04-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-1-mass-scanning-and-exploit-campaigns/}, language = {English}, urldate = {2025-04-25} } @online{knapczyk:20250417:proton66:c216cd5, author = {Pawel Knapczyk and Dawid Nesterowicz}, title = {{Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns}}, date = {2025-04-17}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/}, language = {English}, urldate = {2025-04-25} } @online{knight0x07:20240110:analyzing:1cf13da, author = {knight0x07 and 0x4427}, title = {{Analyzing APT28’s OCEANMAP Backdoor & Exploring its C2 Server Artifacts}}, date = {2024-01-10}, organization = {Medium knight0x07}, url = {https://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b}, language = {English}, urldate = {2024-01-24} } @online{knight:20190930:cb:a21cf30, author = {Scott Knight}, title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}}, date = {2019-09-30}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/}, language = {English}, urldate = {2020-04-21} } @online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } @online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } @online{knockel:20200507:we:04af3df, author = {Jeffrey Knockel and Christopher Parsons and Lotus Ruan and Ruohan Xiong and Jedidiah Crandall and Ron Deibert}, title = {{We Chat, They Watch: How International Users Unwittingly Build up WeChat’s Chinese Censorship Apparatus}}, date = {2020-05-07}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2020/05/we-chat-they-watch/}, language = {English}, urldate = {2020-05-07} } @online{knowbe4:20150909:pony:9ec426a, author = {KnowBe4}, title = {{Pony Stealer Malware}}, date = {2015-09-09}, organization = {KnowBe4}, url = {https://www.knowbe4.com/pony-stealer}, language = {English}, urldate = {2022-06-08} } @online{knowlton:20100825:military:dc8aa06, author = {Brian Knowlton}, title = {{Military Computer Attack Confirmed}}, date = {2010-08-25}, organization = {The New York Times}, url = {https://www.nytimes.com/2010/08/26/technology/26cyber.html}, language = {English}, urldate = {2019-11-29} } @online{knownsec:20210412:sidewinders:30d5f41, author = {Knownsec}, title = {{APT SideWinder's latest attack on a certain region in South Asia}}, date = {2021-04-12}, organization = {Knownsec}, url = {https://www.freebuf.com/articles/network/269251.html}, language = {Chinese}, urldate = {2021-04-14} } @online{knudsen:2022:lapsus:467ba4f, author = {Afonso Knudsen and Inês Véstia}, title = {{Lapsus$ Group (DEV-0537/UNC3661) - an emerging dark net threat actor leveraging insider threats-or was it?}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/lapsus-group-an-emerging-dark-net-threat-actor}, language = {English}, urldate = {2022-07-15} } @online{knudsen:2022:portuguese:7bb7939, author = {Afonso Knudsen}, title = {{Portuguese Bank phishing}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/portuguese-bank-phishing}, language = {English}, urldate = {2022-07-13} } @online{knutsen:20171119:iranian:654e55f, author = {ELISE KNUTSEN}, title = {{Iranian agents blackmailed BBC reporter with ‘naked photo’ threats}}, date = {2017-11-19}, organization = {Arab News}, url = {http://www.arabnews.com/node/1195681/media}, language = {English}, urldate = {2019-12-17} } @online{koczwara:20210722:cobalt:f102b02, author = {Michael Koczwara}, title = {{Cobalt Strike Hunting — simple PCAP and Beacon Analysis}}, date = {2021-07-22}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811}, language = {English}, urldate = {2021-07-22} } @online{koczwara:20210817:cobalt:64689eb, author = {Michael Koczwara}, title = {{Cobalt Strike Hunting — DLL Hijacking/Attack Analysis}}, date = {2021-08-17}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e}, language = {English}, urldate = {2021-09-09} } @online{koczwara:20210902:cobalt:40a1888, author = {Michael Koczwara}, title = {{Cobalt Strike PowerShell Payload Analysis}}, date = {2021-09-02}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7}, language = {English}, urldate = {2021-09-09} } @online{koczwara:20210907:cobalt:7af112e, author = {Michael Koczwara}, title = {{Cobalt Strike C2 Hunting with Shodan}}, date = {2021-09-07}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2}, language = {English}, urldate = {2021-09-09} } @online{koczwara:20210912:mapping:8a5f43a, author = {Michael Koczwara}, title = {{Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444}}, date = {2021-09-12}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a}, language = {English}, urldate = {2022-01-28} } @online{koczwara:20220331:lapsus:5e2e01b, author = {Michael Koczwara}, title = {{LAPSUS$ TTP’s}}, date = {2022-03-31}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/lapsus-ttps-431d1ca21e80}, language = {English}, urldate = {2022-04-04} } @online{koczwara:20220901:hunting:45c54de, author = {Michael Koczwara}, title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}}, date = {2022-09-01}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f}, language = {English}, urldate = {2023-01-19} } @online{koczwara:20230428:hunting:8290d1c, author = {Michael Koczwara}, title = {{Tweet on hunting BRC4 infrastructure}}, date = {2023-04-28}, organization = {Twitter (@MichalKoczwara)}, url = {https://twitter.com/MichalKoczwara/status/1652067563545800705}, language = {English}, urldate = {2023-05-25} } @online{koduru:20230412:maximizing:167d572, author = {Bhargav koduru}, title = {{Maximizing Threat Detections of Qakbot with Osquery}}, date = {2023-04-12}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/}, language = {English}, urldate = {2023-04-14} } @online{koehl:20200924:microsoft:2df24ab, author = {Ben Koehl and Joe Hannon}, title = {{Microsoft Security—detecting empires in the cloud}}, date = {2020-09-24}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/}, language = {English}, urldate = {2023-05-24} } @online{koehl:20200924:microsoft:adbe527, author = {Ben Koehl and Joe Hannon and Microsoft Identity Security Team}, title = {{Microsoft Security—detecting empires in the cloud}}, date = {2020-09-24}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/}, language = {English}, urldate = {2020-09-24} } @online{koehl:20210721:anssi:d77e4ad, author = {Ben Koehl}, title = {{Tweet on an ANSSI report detailing APT31 intrusions in France}}, date = {2021-07-21}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1417823714922610689}, language = {English}, urldate = {2021-12-17} } @online{koessel:20190911:vulnerable:2e388dc, author = {Sean Koessel and Steven Adair}, title = {{Vulnerable Private Networks: Corporate VPNs Exploited in the Wild}}, date = {2019-09-11}, organization = {Volexity}, url = {https://www.volexity.com/blog/2019/09/11/vulnerable-private-networks-corporate-vpns-exploited-in-the-wild/}, language = {English}, urldate = {2021-05-04} } @online{koessel:20241122:nearest:c43687d, author = {Sean Koessel and Steven Adair and Tom Lancaster}, title = {{The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access}}, date = {2024-11-22}, organization = {Volexity}, url = {https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/}, language = {English}, urldate = {2024-11-25} } @online{kohei:20160720:crypmic:b272a4c, author = {Kawabata Kohei}, title = {{CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps}}, date = {2016-07-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/}, language = {English}, urldate = {2020-01-09} } @online{kohli:20210112:new:ecf1e3b, author = {Pankaj Kohli and Andrew Brandt}, title = {{New Android spyware targets users in Pakistan}}, date = {2021-01-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/}, language = {English}, urldate = {2021-01-18} } @online{kohli:20211123:android:614480a, author = {Pankaj Kohli}, title = {{Android APT spyware, targeting Middle East victims, enhances evasiveness}}, date = {2021-11-23}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/}, language = {English}, urldate = {2021-12-07} } @online{koike:20230612:about:5ded319, author = {Rintaro Koike}, title = {{About PowerHarbor, a new malware used by SteelClover}}, date = {2023-06-12}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102ignh/steelcloverpowerharbor}, language = {Japanese}, urldate = {2023-06-19} } @online{koike:20240822:appdomainmanager:b2f4176, author = {Rintaro Koike}, title = {{AppDomainManager Injectionを悪用したマルウェアによる攻撃について}}, date = {2024-08-22}, organization = {NTT}, url = {https://jp.security.ntt/tech_blog/appdomainmanager-injection}, language = {Japanese}, urldate = {2024-09-26} } @online{koike:20240822:attacks:1b25200, author = {Rintaro Koike and Ryu Hiyoshi}, title = {{Attacks by malware abusing AppDomainManager Injection}}, date = {2024-08-22}, organization = {NTT Security}, url = {https://jp.security.ntt/tech_blog/appdomainmanager-injection-en}, language = {English}, urldate = {2024-09-13} } @online{kokurin:20210508:when:d913040, author = {Sergei Kokurin}, title = {{When Karma Comes Back: The rise and fall of illicit cardshop breached twice in two years}}, date = {2021-05-08}, organization = {Group-IB}, url = {https://blog.group-ib.com/swarmshop}, language = {English}, urldate = {2021-06-16} } @online{kokurin:20210806:bold:ef8beba, author = {Sergey Kokurin}, title = {{Bold ad campaign}}, date = {2021-08-06}, organization = {Group-IB}, url = {https://blog.group-ib.com/awc}, language = {English}, urldate = {2021-11-02} } @online{kolesnikov:20180911:kronososiris:ab69b91, author = {Oleg Kolesnikov and Harshvardhan Parashar}, title = {{KRONOS/Osiris Banking Trojan Attack}}, date = {2018-09-11}, organization = {Securonix}, url = {https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack}, language = {English}, urldate = {2020-01-09} } @techreport{kolesnikov:20200728:detecting:f743725, author = {Oleg Kolesnikov}, title = {{Detecting WastedLocker Ransomware Using Security Analytics}}, date = {2020-07-28}, institution = {Securonix}, url = {https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf}, language = {English}, urldate = {2020-11-04} } @techreport{kolesnikov:20201208:detecting:ba06a76, author = {Oleg Kolesnikov and Den Iyzvyk}, title = {{Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks}}, date = {2020-12-08}, institution = {Securonix}, url = {https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf}, language = {English}, urldate = {2021-01-10} } @online{kolesnikov:20240109:new:c892273, author = {Oleg Kolesnikov and Den Iyzvyk and Tim Peck}, title = {{New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware}}, date = {2024-01-09}, organization = {Securonix}, url = {https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/}, language = {English}, urldate = {2024-01-11} } @techreport{kollars:20210201:pathologies:8ed00d3, author = {Nina Kollars and Benjamin Schechter}, title = {{Pathologies of Obfuscation:Nobody Understands Cyber Operations or Wargaming}}, date = {2021-02-01}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2021/02/Pathologies-of-Obfuscation.pdf}, language = {English}, urldate = {2021-02-04} } @online{kolotouros:20210208:reverse:a034919, author = {Dimitris Kolotouros and Marios Levogiannis}, title = {{Reverse engineering Emotet – Our approach to protect GRNET against the trojan}}, date = {2021-02-08}, organization = {GRNET CERT}, url = {https://cert.grnet.gr/en/blog/reverse-engineering-emotet/}, language = {English}, urldate = {2021-02-09} } @online{komarov:20160909:govrat:292ff22, author = {Andrew Komarov}, title = {{GOVRAT V2.0 - Attacking US military and government}}, date = {2016-09-09}, organization = {InfoArmor}, url = {https://www.yumpu.com/en/document/view/55930175/govrat-v20}, language = {English}, urldate = {2019-10-15} } @online{kone:20241022:incident:7835701, author = {Adams Kone}, title = {{Incident Response: Analysis of recent version of BRC4}}, date = {2024-10-22}, organization = {Airbus}, url = {https://www.protect.airbus.com/blog/incident-response-analysis-of-recent-version-of-brc4/}, language = {English}, urldate = {2024-11-07} } @online{konov:20200925:magento:21a7de0, author = {Krasimir Konov}, title = {{Magento Credit Card Stealing Malware: gstaticapi}}, date = {2020-09-25}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/09/magento-credit-card-stealing-malware-gstaticapi.html}, language = {English}, urldate = {2020-10-05} } @online{konov:20201217:dangers:7af8ed3, author = {Krasimir Konov}, title = {{The Dangers of Using Abandoned Plugins & Themes}}, date = {2020-12-17}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/12/the-dangers-of-using-abandoned-plugins-themes.html}, language = {English}, urldate = {2020-12-19} } @online{konovich:20211104:blackboxing:d196d93, author = {Vladimir Konovich and Alexei Stennikov}, title = {{Blackboxing Diebold-Nixdorf ATMs}}, date = {2021-11-04}, organization = {Speakedeck (ptswarm)}, url = {https://speakerdeck.com/ptswarm/blackboxing-diebold-nixdorf-atms}, language = {English}, urldate = {2021-11-08} } @online{konst:20210305:detect:a6abfa6, author = {Andrew Konst}, title = {{Detect webshells dropped on Microsoft Exchange servers after 0day compromises}}, date = {2021-03-05}, organization = {Github (cert-lv)}, url = {https://github.com/cert-lv/exchange_webshell_detection}, language = {English}, urldate = {2021-03-10} } @online{koomen:20231101:popping:05205f6, author = {Mick Koomen}, title = {{Popping Blisters for research: An overview of past payloads and exploring recent developments}}, date = {2023-11-01}, organization = {nccgroup}, url = {https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/}, language = {English}, urldate = {2023-11-14} } @online{kopeck:20220124:web:0c4cbcc, author = {Pavlína Kopecká}, title = {{Web Skimming Attacks Using Google Tag Manager}}, date = {2022-01-24}, organization = {Avast}, url = {https://decoded.avast.io/pavlinakopecka/web-skimming-attacks-using-google-tag-manager/}, language = {English}, urldate = {2022-01-25} } @techreport{kopeytsev:20200528:steganography:8f5230a, author = {Vyacheslav Kopeytsev}, title = {{Steganography in targeted attacks on industrial enterprises}}, date = {2020-05-28}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf}, language = {English}, urldate = {2020-05-29} } @online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2023-07-24} } @techreport{kopeytsev:20210407:vulnerability:986c647, author = {Vyacheslav Kopeytsev}, title = {{Vulnerability in Fortigate VPN servers is exploited in Cring ransomware attacks}}, date = {2021-04-07}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf}, language = {English}, urldate = {2021-04-30} } @online{kopriva:20200203:analysis:c531bd3, author = {Jan Kopriva}, title = {{Analysis of a triple-encrypted AZORult downloader}}, date = {2020-02-03}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/}, language = {English}, urldate = {2020-02-10} } @online{kopriva:20210211:agent:e27e397, author = {Jan Kopriva}, title = {{Agent Tesla hidden in a historical anti-malware tool}}, date = {2021-02-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27088}, language = {English}, urldate = {2021-02-20} } @online{kopriva:20210406:malspam:817a035, author = {Jan Kopriva}, title = {{Malspam with Lokibot vs. Outlook and RFCs}}, date = {2021-04-06}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27282}, language = {English}, urldate = {2021-04-06} } @online{kopriva:20210419:hunting:021a759, author = {Jan Kopriva}, title = {{Hunting phishing websites with favicon hashes}}, date = {2021-04-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Hunting+phishing+websites+with+favicon+hashes/27326/}, language = {English}, urldate = {2021-04-20} } @online{kopriva:20211220:powerpoint:917c614, author = {Jan Kopriva and Alef Nula}, title = {{PowerPoint attachments, Agent Tesla and code reuse in malware}}, date = {2021-12-20}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/}, language = {English}, urldate = {2021-12-31} } @online{kopriva:20211231:do:8a36b66, author = {Jan Kopriva}, title = {{Do you want your Agent Tesla in the 300 MB or 8 kB package?}}, date = {2021-12-31}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28202}, language = {English}, urldate = {2022-01-05} } @online{korchemny:20241106:new:5995bbd, author = {Kirill Korchemny}, title = {{New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency}}, date = {2024-11-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/}, language = {English}, urldate = {2024-11-07} } @online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } @online{koren:20161101:ursnif:a5e4fcd, author = {Ariel Koren}, title = {{Ursnif Malware: Deep Technical Dive}}, date = {2016-11-01}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/}, language = {English}, urldate = {2020-01-10} } @online{koren:20161102:nymaim:26e076d, author = {Ariel Koren}, title = {{Nymaim Malware: Deep Technical Dive – Adventures in Evasive Malware}}, date = {2016-11-02}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/}, language = {English}, urldate = {2020-01-08} } @online{koriat:20160617:in:f42b6a0, author = {Oren Koriat}, title = {{In The Wild: Mobile Malware Implements New Features}}, date = {2016-06-17}, organization = {Check Point}, url = {https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/}, language = {English}, urldate = {2020-01-08} } @online{korte:20240521:phobos:acb2998, author = {Frank de Korte}, title = {{Phobos ransomware launches new leak site and pivots towards double extortion}}, date = {2024-05-21}, organization = {S-RM}, url = {https://www.s-rminform.com/latest-insights/cyber-threat-advisory-phobos-ransomware-launches-new-leak-site-and-pivots-towards-extortion}, language = {English}, urldate = {2024-07-10} } @online{korzhevin:20241017:uat5647:5bccac5, author = {Dmytro Korzhevin and Asheer Malhotra and Vanja Svajcer and Vitor Ventura}, title = {{UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants}}, date = {2024-10-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/uat-5647-romcom/}, language = {English}, urldate = {2024-10-29} } @online{kos:20210111:initial:cfb0867, author = {Dávid Kosť}, title = {{Tweet on Initial access of Avaddon Ransomware group from an IR engagement}}, date = {2021-01-11}, organization = {Twitter (@dk_samper)}, url = {https://twitter.com/dk_samper/status/1348560784285167617}, language = {English}, urldate = {2021-01-21} } @online{kosayev:20191007:dissecting:161f586, author = {Uriel Kosayev}, title = {{Dissecting Ardamax Keylogger}}, date = {2019-10-07}, organization = {TrainSec Academy}, url = {https://trainsec.net/library/dissecting-ardamax-keylogger/}, language = {English}, urldate = {2025-01-07} } @online{kosayev:20210822:malware:cf3b942, author = {Uriel Kosayev}, title = {{Malware Analysis - Mirai Botnet Huawei Exploit}}, date = {2021-08-22}, organization = {YouTube (Uriel Kosayev)}, url = {https://www.youtube.com/watch?v=KVJyYTie-Dc}, language = {English}, urldate = {2021-08-25} } @online{kosayev:20211014:darkside:c4648ce, author = {Uriel Kosayev}, title = {{DarkSide Ransomware Reverse Engineering}}, date = {2021-10-14}, organization = {YouTube (Uriel Kosayev)}, url = {https://www.youtube.com/watch?v=NIiEcOryLpI}, language = {English}, urldate = {2021-11-02} } @online{koskas:20201218:sunburst:c79fb22, author = {Gladys Koskas}, title = {{SUNBURST indicator detection in QRadar}}, date = {2020-12-18}, organization = {IBM}, url = {https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar}, language = {English}, urldate = {2021-01-10} } @online{kostas:20230718:ursnif:294f10f, author = {Kostas}, title = {{Ursnif VS Italy: Il PDF del Destino}}, date = {2023-07-18}, organization = {Kostas TS}, url = {https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072}, language = {English}, urldate = {2023-07-20} } @online{kostina:20240901:german:df89db1, author = {Ivanna Kostina and KATERYNA TYSHCHENKO}, title = {{German air traffic control suffered cyberattack, likely by pro-Russian group of hackers}}, date = {2024-09-01}, organization = {Ukrainska Pravda}, url = {https://www.pravda.com.ua/eng/news/2024/09/1/7472966/}, language = {English}, urldate = {2025-02-03} } @online{kotowicz:20150517:newest:1b5db0b, author = {Maciej Kotowicz}, title = {{Newest addition to a happy family: KBOT}}, date = {2015-05-17}, organization = {CERT.PL}, url = {https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt}, language = {English}, urldate = {2020-04-06} } @online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } @online{kotowicz:20170702:isfb:2fe662b, author = {Maciej Kotowicz}, title = {{ISFB: Still Live and Kicking}}, date = {2017-07-02}, organization = {CERT.PL}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15}, language = {English}, urldate = {2020-01-13} } @techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } @online{kotowicz:20200226:abusing:2a32e8e, author = {Maciej Kotowicz}, title = {{(Ab)using bash-fu to analyze recent Aggah sample}}, date = {2020-02-26}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/basfu_aggah/}, language = {English}, urldate = {2020-02-27} } @online{kotowicz:20200321:royal:da8fd16, author = {Maciej Kotowicz}, title = {{On the Royal Road}}, date = {2020-03-21}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/on_the_royal_road/}, language = {English}, urldate = {2020-03-24} } @online{kotowicz:20200423:quick:ce2218e, author = {Maciej Kotowicz}, title = {{Quick look at Nazar backdoor - Capabilities}}, date = {2020-04-23}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice/}, language = {English}, urldate = {2020-05-05} } @online{kotowicz:20200427:quick:e6bf310, author = {Maciej Kotowicz}, title = {{Quick look at Nazar's backdoor - Network Communication}}, date = {2020-04-27}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice_comm/}, language = {English}, urldate = {2020-05-05} } @online{kotowicz:20200515:in:e687019, author = {Maciej Kotowicz}, title = {{In depth analysis of Lazarus validator}}, date = {2020-05-15}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/lazarus_validator/}, language = {English}, urldate = {2020-05-19} } @online{kotowicz:20200622:venomrat:129ba02, author = {Maciej Kotowicz}, title = {{VenomRAT - new, hackforums grade, reincarnation of QuassarRAT}}, date = {2020-06-22}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/venom/}, language = {English}, urldate = {2020-06-25} } @online{koustek:20170512:wannacry:ff9bc08, author = {Jakub Křoustek}, title = {{WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today}}, date = {2017-05-12}, organization = {Avast}, url = {https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today}, language = {English}, urldate = {2020-01-07} } @online{koustek:20190122:frequently:67caefe, author = {Jakub Křoustek}, title = {{Frequently updated Twitter thread with many Dharma samples}}, date = {2019-01-22}, organization = {Twitter (@JakubKroustek)}, url = {https://twitter.com/JakubKroustek/status/1087808550309675009}, language = {English}, urldate = {2021-05-19} } @online{koutroumpis:20210201:relay:596413f, author = {Petros Koutroumpis}, title = {{Relay Attacks via Cobalt Strike Beacons}}, date = {2021-02-01}, organization = {pkb1s.github.io}, url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/}, language = {English}, urldate = {2021-02-04} } @techreport{kovac:20210603:eset:31e1aff, author = {roman kovac}, title = {{ESET Threat Report T 1 2021}}, date = {2021-06-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf}, language = {English}, urldate = {2021-06-16} } @online{kovacs:20170719:darkhotel:03c4181, author = {Eduard Kovacs}, title = {{'DarkHotel' APT Uses New Methods to Target Politicians}}, date = {2017-07-19}, organization = {SecurityWeek}, url = {https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians}, language = {English}, urldate = {2020-01-09} } @online{kovacs:20220214:sophisticated:6c68472, author = {Eduard Kovacs}, title = {{Sophisticated FritzFrog P2P Botnet Returns After Long Break}}, date = {2022-02-14}, organization = {SecurityWeek}, url = {https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break}, language = {English}, urldate = {2022-02-16} } @online{kovacs:20240415:destructive:a4a6d21, author = {Eduard Kovacs}, title = {{Destructive ICS Malware ‘Fuxnet’ Used by Ukraine Against Russian Infrastructure}}, date = {2024-04-15}, organization = {SecurityWeek}, url = {https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/}, language = {English}, urldate = {2025-05-02} } @online{kovar:20201031:ryuk:735f563, author = {Ryan Kovar}, title = {{Ryuk and Splunk Detections}}, date = {2020-10-31}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html}, language = {English}, urldate = {2020-11-02} } @online{kovar:20201214:using:7fa58c8, author = {Ryan Kovar}, title = {{Using Splunk to Detect Sunburst Backdoor}}, date = {2020-12-14}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html}, language = {English}, urldate = {2020-12-15} } @online{kovar:20210303:detecting:f8ba84c, author = {Ryan Kovar}, title = {{Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk}}, date = {2021-03-03}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html}, language = {English}, urldate = {2021-03-10} } @online{kovar:20210705:kaseya:e1684ef, author = {Ryan Kovar}, title = {{Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt}}, date = {2021-07-05}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html}, language = {English}, urldate = {2021-07-26} } @online{kozy:20141002:occupy:bda8f35, author = {Adam Kozy}, title = {{Occupy Central: The Umbrella Revolution and Chinese Intelligence}}, date = {2014-10-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/occupy-central-the-umbrella-revolution-and-chinese-intelligence/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20150223:cyber:d6b26b8, author = {Adam Kozy}, title = {{Cyber Kung-Fu: The Great Firewall Art of DNS Poisoning}}, date = {2015-02-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-kung-fu-great-firewall-art-dns-poisoning/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20150601:rhetoric:365c0d1, author = {Adam Kozy}, title = {{Rhetoric Foreshadows Cyber Activity in the South China Sea}}, date = {2015-06-01}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/}, language = {English}, urldate = {2019-12-20} } @techreport{kozy:20150806:bringing:a7978d5, author = {Adam Kozy and Johannes Gilger}, title = {{Bringing A Cannon To A Knife Fight}}, date = {2015-08-06}, institution = {CrowdStrike}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Kozy-Bringing-A-Cannon-To-A-Knife-Fight.pdf}, language = {English}, urldate = {2020-05-11} } @online{kozy:20151230:bringing:616e8d1, author = {Adam Kozy and Johannes Gilger}, title = {{Bringing A Cannon To A Knife Fight}}, date = {2015-12-30}, organization = {CrowdStrike}, url = {https://www.youtube.com/watch?v=wewFYh8pQrY}, language = {English}, urldate = {2020-05-11} } @online{kozy:20171220:end:218a388, author = {Adam Kozy}, title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}}, date = {2017-12-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20180830:two:7e5235f, author = {Adam Kozy}, title = {{Two Birds, One STONE PANDA}}, date = {2018-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/two-birds-one-stone-panda/}, language = {English}, urldate = {2020-05-11} } @techreport{kozy:20220217:testimony:692e499, author = {Adam Kozy}, title = {{Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”}}, date = {2022-02-17}, institution = {SinaCyber}, url = {https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf}, language = {English}, urldate = {2022-05-23} } @online{kpn:20200121:ftcode:358aca5, author = {KPN}, title = {{FTCODE: taking over (a portion of) the botnet}}, date = {2020-01-21}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm}, language = {English}, urldate = {2020-01-22} } @online{kpn:20200128:tracking:6c628f3, author = {KPN}, title = {{Tracking REvil}}, date = {2020-01-28}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/Tracking-REvil.htm}, language = {English}, urldate = {2020-01-28} } @online{krabs:20180302:analysing:7b1f12f, author = {Mr. Krabs}, title = {{Analysing Remcos RAT’s executable}}, date = {2018-03-02}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/}, language = {English}, urldate = {2019-07-31} } @online{krabs:20190213:analyzing:404862f, author = {Mr. Krabs}, title = {{Analyzing Amadey – a simple native malware}}, date = {2019-02-13}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/}, language = {English}, urldate = {2020-01-08} } @online{krabs:20190604:taking:be0ac28, author = {Mr. Krabs}, title = {{Taking a look at Baldr stealer}}, date = {2019-06-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/}, language = {English}, urldate = {2019-12-10} } @online{krabs:20191205:buer:9c3cf72, author = {Mr. Krabs}, title = {{Buer Loader, new Russian loader on the market with interesting persistence}}, date = {2019-12-05}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/}, language = {English}, urldate = {2020-01-08} } @online{krabs:20200822:bitrat:ce5d899, author = {Mr. Krabs}, title = {{BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers}}, date = {2020-08-22}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/}, language = {English}, urldate = {2020-08-25} } @online{krabs:20200904:bitrat:bd0d3cd, author = {Mr. Krabs}, title = {{BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked}}, date = {2020-09-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/}, language = {English}, urldate = {2020-09-05} } @online{krabs:20201024:gacrux:a82613c, author = {Mr. Krabs}, title = {{Gacrux – a basic C malware with a custom PE loader}}, date = {2020-10-24}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader/}, language = {English}, urldate = {2020-10-29} } @online{krabs:20201024:gacrux:decf52f, author = {Mr. Krabs}, title = {{Gacrux – a basic C malware with a custom PE loader}}, date = {2020-10-24}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader}, language = {English}, urldate = {2020-10-26} } @online{krabs:20220328:betabot:7fd9fe0, author = {Mr. Krabs}, title = {{Betabot in the Rearview Mirror}}, date = {2022-03-28}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/}, language = {English}, urldate = {2022-04-04} } @online{krabsonsecurity:20201023:interesting:215d0bc, author = {@krabsonsecurity}, title = {{Tweet: An interesting tidbit: it has a Mach-O bin}}, date = {2020-10-23}, url = {https://twitter.com/krabsonsecurity/status/1319463908952969216}, language = {English}, urldate = {2021-07-06} } @online{krakenlabs:20250306:unveiling:fce610d, author = {KrakenLabs}, title = {{Unveiling EncryptHub: Analysis of a multi-stage malware campaign}}, date = {2025-03-06}, organization = {Outpost24}, url = {https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/}, language = {English}, urldate = {2025-03-07} } @online{kramarz:20220316:preparing:18d6601, author = {Yuri Kramarz}, title = {{Preparing for denial-of-service attacks with Talos Incident Response}}, date = {2022-03-16}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/preparing-for-denial-of-service-attacks.html}, language = {English}, urldate = {2022-03-18} } @online{kramer:20200529:secret:f7c5498, author = {Andrew E. Kramer and Michael Schwirtz and Anton Troianovski}, title = {{Secret Chats Show How Cybergang Became a Ransomware Powerhouse}}, date = {2020-05-29}, organization = {The New York Times}, url = {https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html}, language = {English}, urldate = {2021-06-09} } @online{krastev:20180719:killswitch:487a882, author = {Ventsislav Krastev}, title = {{Killswitch File Now Available for GandCrab v4.1.2 Ransomware}}, date = {2018-07-19}, organization = {Sensors Tech Forum}, url = {https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{krastev:20180903:lockymap:1e8c9cd, author = {Ventsislav Krastev}, title = {{.lockymap Files Virus (PyLocky Ransomware) – Remove and Restore Data}}, date = {2018-09-03}, organization = {SensorTechForums}, url = {https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/}, language = {English}, urldate = {2020-01-13} } @online{krasuski:20160902:necurs:d01f298, author = {Adam Krasuski}, title = {{Necurs – hybrid spam botnet}}, date = {2016-09-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/}, language = {English}, urldate = {2019-11-20} } @online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } @online{kraus:20210120:moqhao:e1742ce, author = {Andy Kraus}, title = {{MoqHao Part 1: Identifying Phishing Infrastructure}}, date = {2021-01-20}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/}, language = {English}, urldate = {2022-04-12} } @online{kraus:20210708:enriching:09e07f6, author = {Andy Kraus and Dan Heywood}, title = {{Enriching Threat Intelligence for the Carbine Loader Crypto-jacking Campaign}}, date = {2021-07-08}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/07/08/enriching-threat-intelligence-for-the-carbine-loader-crypto-jacking-campaign/}, language = {English}, urldate = {2021-07-11} } @online{kraus:20230419:rorschach:835da83, author = {Simone Kraus}, title = {{Rorschach Ransomware Analysis with Attack Flow}}, date = {2023-04-19}, organization = {Medium (@simone.kraus)}, url = {https://medium.com/@simone.kraus/rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75}, language = {English}, urldate = {2023-04-25} } @online{kraus:20230907:critical:0746f72, author = {Simone Kraus}, title = {{Critical Energy Infrastructure Facility Attack In Ukraine}}, date = {2023-09-07}, organization = {Medium (@simone.kraus)}, url = {https://medium.com/@simone.kraus/critical-engergy-infrastructure-facility-in-ukraine-attack-b15638f6a402}, language = {English}, urldate = {2023-09-11} } @online{kraus:20231210:rhysida:61c6a59, author = {Simone Kraus}, title = {{Rhysida Ransomware and the Detection Opportunities}}, date = {2023-12-10}, organization = {Detect FYI}, url = {https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2}, language = {English}, urldate = {2024-02-08} } @online{krautface:20200709:gist:5cfc2d0, author = {krautface}, title = {{Gist with observed grelos skimmer}}, date = {2020-07-09}, organization = {Github (krautface)}, url = {https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745}, language = {English}, urldate = {2020-11-19} } @online{kravtsov:20210917:scamdemic:c4c950c, author = {Yakov Kravtsov and Evgeny Egorov}, title = {{Scamdemic outbreak Scammers attack users in Middle Eastern countries}}, date = {2021-09-17}, organization = {Group-IB}, url = {https://blog.group-ib.com/middle-east-scam}, language = {English}, urldate = {2021-11-02} } @online{kravtsov:20211221:readymade:14395a0, author = {Yakov Kravtsov and Yvgeny Egorov}, title = {{Ready-made fraud Behind the scenes of targeted scams}}, date = {2021-12-21}, organization = {Group-IB}, url = {https://blog.group-ib.com/target}, language = {English}, urldate = {2022-01-24} } @techreport{krcert:20200401:operation:d6916ea, author = {KrCERT}, title = {{OPERATION BOOKCODES TTPs #1}}, date = {2020-04-01}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf}, language = {English}, urldate = {2023-07-05} } @techreport{krcert:20200629:operation:bbe9f5c, author = {KrCERT}, title = {{OPERATION BOOKCODES TTPs #2}}, date = {2020-06-29}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf}, language = {English}, urldate = {2023-07-05} } @techreport{krcert:20200911:analysis:490f2e3, author = {KrCERT}, title = {{Analysis of attacker's strategy of using malicious code}}, date = {2020-09-11}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2517&attach_file_id=EpF2517.pdf}, language = {Korean}, urldate = {2020-09-15} } @techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2021-06-04} } @techreport{krcert:20210427:2020:6bbe129, author = {KrCERT}, title = {{2020 Ransomware Trends & Analysis Report}}, date = {2021-04-27}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2716&attach_file_id=EpF2716.pdf}, language = {English}, urldate = {2021-06-21} } @techreport{krcert:20210902:ttps6:3198c89, author = {KrCERT}, title = {{TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)}}, date = {2021-09-02}, institution = {KrCert}, url = {https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf}, language = {Korean}, urldate = {2021-09-09} } @online{krcert:20221205:ttps9:b319cfe, author = {KrCERT}, title = {{TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals}}, date = {2022-12-05}, organization = {KISA}, url = {https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064}, language = {Korean}, urldate = {2023-01-25} } @online{krebs:20100401:spyeye:d557888, author = {Brian Krebs}, title = {{SpyEye vs. ZeuS Rivalry}}, date = {2010-04-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/}, language = {English}, urldate = {2019-11-28} } @online{krebs:20100917:spyeye:92d9e7f, author = {Brian Krebs}, title = {{SpyEye Botnet’s Bogus Billing Feature}}, date = {2010-09-17}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/}, language = {English}, urldate = {2019-10-15} } @online{krebs:20110328:microsoft:dab0119, author = {Brian Krebs}, title = {{Microsoft Hunting Rustock Controllers}}, date = {2011-03-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/}, language = {English}, urldate = {2019-07-11} } @online{krebs:20110426:spyeye:b9e984e, author = {Brian Krebs}, title = {{SpyEye Targets Opera, Google Chrome Users}}, date = {2011-04-26}, url = {https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/}, language = {English}, urldate = {2020-01-08} } @online{krebs:20110728:trojan:2335232, author = {Brian Krebs}, title = {{Trojan Tricks Victims Into Transferring Funds}}, date = {2011-07-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/}, language = {English}, urldate = {2019-12-20} } @online{krebs:20120919:blog:c9b0499, author = {Brian Krebs}, title = {{Blog Posts on Nitol}}, date = {2012-09-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nitol/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20130118:polish:d1c0560, author = {Brian Krebs}, title = {{Polish Takedown Targets ‘Virut’ Botnet}}, date = {2013-01-18}, url = {https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/}, language = {English}, urldate = {2019-12-18} } @online{krebs:20130813:inside:5859892, author = {Brian Krebs}, title = {{Inside a ‘Reveton’ Ransomware Operation}}, date = {2013-08-13}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/}, language = {English}, urldate = {2021-02-04} } @online{krebs:20150209:anthem:1631cd7, author = {Brian Krebs}, title = {{Anthem Breach May Have Started in April 2014}}, date = {2015-02-09}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/}, language = {English}, urldate = {2019-11-29} } @online{krebs:20150515:carefirst:2847408, author = {Brian Krebs}, title = {{Carefirst Blue Cross Breach Hits 1.1M}}, date = {2015-05-15}, url = {https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/}, language = {English}, urldate = {2020-01-05} } @online{krebs:20150615:catching:d4edaea, author = {Brian Krebs}, title = {{Catching Up on the OPM Breach}}, date = {2015-06-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/}, language = {English}, urldate = {2020-01-09} } @online{krebs:20160721:canadian:5c7f22f, author = {Brian Krebs}, title = {{Canadian Man Behind Popular ‘Orcus RAT’}}, date = {2016-07-21}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/}, language = {English}, urldate = {2019-07-11} } @online{krebs:20160921:krebsonsecurity:259c3cd, author = {Brian Krebs}, title = {{KrebsOnSecurity Hit With Record DDoS}}, date = {2016-09-21}, url = {https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/}, language = {English}, urldate = {2019-12-18} } @online{krebs:20161001:source:796f0bc, author = {Brian Krebs}, title = {{Source Code for IoT Botnet ‘Mirai’ Released}}, date = {2016-10-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/}, language = {English}, urldate = {2019-07-10} } @online{krebs:20170301:ransomware:ead8101, author = {Brian Krebs}, title = {{Ransomware for Dummies: Anyone Can Do It}}, date = {2017-03-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/}, language = {English}, urldate = {2020-01-09} } @online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} } @online{krebs:20170512:uk:11a7e5a, author = {Brian Krebs}, title = {{U.K. Hospitals Hit in Widespread Ransomware Attack}}, date = {2017-05-12}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/}, language = {English}, urldate = {2020-01-06} } @online{krebs:20170828:tech:4df59f2, author = {Brian Krebs}, title = {{Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet}}, date = {2017-08-28}, url = {https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/}, language = {English}, urldate = {2019-11-17} } @online{krebs:20171023:reaper:8341031, author = {Brian Krebs}, title = {{Reaper: Calm Before the IoT Security Storm?}}, date = {2017-10-23}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm}, language = {English}, urldate = {2020-01-10} } @online{krebs:20171127:who:8490729, author = {Brian Krebs}, title = {{WHO WAS THE NSA CONTRACTOR ARRESTED FOR LEAKING THE ‘SHADOW BROKERS’ HACKING TOOLS?}}, date = {2017-11-27}, organization = {Blacklake}, url = {https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/}, language = {English}, urldate = {2019-11-25} } @online{krebs:20171213:mirai:bd2cb74, author = {Brian Krebs}, title = {{Mirai IoT Botnet Co-Authors Plead Guilty}}, date = {2017-12-13}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/}, language = {English}, urldate = {2020-01-08} } @online{krebs:201807:luminositylink:1d9ce64, author = {Brian Krebs}, title = {{‘LuminosityLink RAT’ Author Pleads Guilty}}, date = {2018-07}, url = {https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/}, language = {English}, urldate = {2019-10-23} } @online{krebs:20180902:alleged:caf0cb2, author = {Brian Krebs}, title = {{Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted}}, date = {2018-09-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20190218:deep:0f75439, author = {Brian Krebs}, title = {{A Deep Dive on the Recent Widespread DNS Hijacking Attacks}}, date = {2019-02-18}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/dnspionage/}, language = {English}, urldate = {2019-11-29} } @online{krebs:20190402:canadian:4743d2d, author = {Brian Krebs}, title = {{Canadian Police Raid ‘Orcus RAT’ Author}}, date = {2019-04-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/}, language = {English}, urldate = {2019-12-19} } @online{krebs:20190422:whos:2004970, author = {Brian Krebs}, title = {{Who’s Behind the RevCode WebMonitor RAT?}}, date = {2019-04-22}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20190603:report:e065d06, author = {Brian Krebs}, title = {{Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware}}, date = {2019-06-03}, url = {https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/}, language = {English}, urldate = {2019-10-17} } @online{krebs:20190708:whos:54977ab, author = {Brian Krebs}, title = {{Who’s Behind the GandCrab Ransomware?}}, date = {2019-07-08}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{krebs:20190715:is:4e715d7, author = {Brian Krebs}, title = {{Is ‘REvil’ the New GandCrab Ransomware?}}, date = {2019-07-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{krebs:20191001:mariposa:a422c50, author = {Brian Krebs}, title = {{Mariposa Botnet Author, Darkcode Crime Forum Admin Arrested in Germany}}, date = {2019-10-01}, url = {https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/}, language = {English}, urldate = {2020-01-10} } @online{krebs:20191216:ransomware:f4d7d8c, author = {Brian Krebs}, title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}}, date = {2019-12-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/}, language = {English}, urldate = {2020-01-08} } @online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} } @online{krebs:20191219:inside:c7595ad, author = {Brian Krebs}, title = {{Inside ‘Evil Corp,’ a $100M Cybercrime Menace}}, date = {2019-12-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/}, language = {English}, urldate = {2020-11-02} } @online{krebs:20200320:case:ae196f4, author = {Brian Krebs}, title = {{The Case for Limiting Your Browser Extensions}}, date = {2020-03-20}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/}, language = {English}, urldate = {2020-05-05} } @online{krebs:20200506:europes:2f8ce94, author = {Brian Krebs}, title = {{Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware}}, date = {2020-05-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware}, language = {English}, urldate = {2020-05-13} } @online{krebs:20200511:ransomware:2d96270, author = {Brian Krebs}, title = {{Ransomware Hit ATM Giant Diebold Nixdorf}}, date = {2020-05-11}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/}, language = {English}, urldate = {2020-05-13} } @online{krebs:20200804:part:4857631, author = {Hamish Krebs}, title = {{Part 1: analysing MedusaLocker ransomware}}, date = {2020-08-04}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/}, language = {English}, urldate = {2022-04-29} } @online{krebs:20200805:part:c2763da, author = {Hamish Krebs}, title = {{Part 2: Analysing MedusaLocker ransomware}}, date = {2020-08-05}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/}, language = {English}, urldate = {2022-04-29} } @online{krebs:20200806:part:c8d7eeb, author = {Hamish Krebs}, title = {{Part 3: analysing MedusaLocker ransomware}}, date = {2020-08-06}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/}, language = {English}, urldate = {2022-04-29} } @online{krebs:20201002:attacks:a6dc6e3, author = {Brian Krebs}, title = {{Attacks Aimed at Disrupting the Trickbot Botnet}}, date = {2020-10-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-05} } @online{krebs:20201028:fbi:26b9480, author = {Brian Krebs}, title = {{FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals}}, date = {2020-10-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/}, language = {English}, urldate = {2020-11-02} } @online{krebs:20201110:ransomware:91d390a, author = {Brian Krebs}, title = {{Ransomware Group Turns to Facebook Ads}}, date = {2020-11-10}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/}, language = {English}, urldate = {2020-11-11} } @online{krebs:20201204:snakes:7932d5f, author = {Hamish Krebs}, title = {{Snakes & Ladders: the offensive use of Python on Windows}}, date = {2020-12-04}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/}, language = {English}, urldate = {2022-04-29} } @online{krebs:20210127:arrest:94e1e04, author = {Brian Krebs}, title = {{Arrest, Seizures Tied to Netwalker Ransomware}}, date = {2021-01-27}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware}, language = {English}, urldate = {2021-01-29} } @online{krebs:20210127:international:dc5699a, author = {Brian Krebs}, title = {{International Action Targets Emotet Crimeware}}, date = {2021-01-27}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware}, language = {English}, urldate = {2021-01-29} } @online{krebs:20210328:no:6c85c9a, author = {Brian Krebs}, title = {{No, I Did Not Hack Your MS Exchange Server}}, date = {2021-03-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/}, language = {English}, urldate = {2021-03-31} } @online{krebs:20210511:closer:aa8982f, author = {Brian Krebs}, title = {{A Closer Look at the DarkSide Ransomware Gang}}, date = {2021-05-11}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/}, language = {English}, urldate = {2021-05-13} } @online{krebs:20210514:darkside:0a2cf92, author = {Brian Krebs}, title = {{DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized}}, date = {2021-05-14}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/}, language = {English}, urldate = {2021-05-17} } @online{krebs:20210607:adventures:3fc77bf, author = {Brian Krebs}, title = {{Adventures in Contacting the Russian FSB}}, date = {2021-06-07}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/06/adventures-in-contacting-the-russian-fsb/}, language = {English}, urldate = {2021-06-09} } @online{krebs:20210616:ukrainian:e0e117f, author = {Brian Krebs}, title = {{Ukrainian Police Nab Six Tied to CLOP Ransomware}}, date = {2021-06-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/}, language = {English}, urldate = {2021-06-21} } @online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } @online{krebs:20211025:conti:786ccff, author = {Brian Krebs}, title = {{Conti Ransom Gang Starts Selling Access to Victims}}, date = {2021-10-25}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/}, language = {English}, urldate = {2021-11-03} } @online{krebs:20211108:revil:8306da2, author = {Brian Krebs}, title = {{REvil Ransom Arrest, $6M Seizure, and $10M Reward}}, date = {2021-11-08}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/}, language = {English}, urldate = {2021-11-09} } @online{krebs:20211203:who:0e59797, author = {Brian Krebs}, title = {{Who Is the Network Access Broker ‘Babam’?}}, date = {2021-12-03}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/12/who-is-the-network-access-broker-babam/}, language = {English}, urldate = {2021-12-06} } @online{krebs:20211204:pivoting:62ccb7a, author = {Hamish Krebs}, title = {{Pivoting through malicious infrastructure: from ZoomPortable to Windscribe}}, date = {2021-12-04}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/pivoting-through-malicious-infrastructure-from-zoomportable-to-windscribe/}, language = {English}, urldate = {2022-04-29} } @online{krebs:20220128:who:bc8131a, author = {Brian Krebs}, title = {{Who Wrote the ALPHV/BlackCat Ransomware Strain?}}, date = {2022-01-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/}, language = {English}, urldate = {2022-02-07} } @online{krebs:20220214:wazawaka:abd559f, author = {Brian Krebs}, title = {{Wazawaka Goes Waka Waka}}, date = {2022-02-14}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/}, language = {English}, urldate = {2022-02-19} } @online{krebs:20220302:conti:03b0358, author = {Brian Krebs}, title = {{Conti Ransomware Group Diaries, Part II: The Office}}, date = {2022-03-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/}, language = {English}, urldate = {2022-03-07} } @online{krebs:20220323:closer:411208b, author = {Brian Krebs}, title = {{A Closer Look at the LAPSUS$ Data Extortion Group}}, date = {2022-03-23}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/}, language = {English}, urldate = {2022-03-24} } @online{krebs:20220628:link:355a5e2, author = {Brian Krebs}, title = {{The Link Between AWM Proxy & the Glupteba Botnet}}, date = {2022-06-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter}, language = {English}, urldate = {2022-08-15} } @online{krebs:20221115:top:3354e4e, author = {Brian Krebs}, title = {{Top Zeus Botnet Suspect “Tank” Arrested in Geneva}}, date = {2022-11-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/}, language = {English}, urldate = {2024-02-16} } @online{krebs:20230418:giving:500620b, author = {Brian Krebs}, title = {{Giving a Face to the Malware Proxy Service ‘Faceless’}}, date = {2023-04-18}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/04/giving-a-face-to-the-malware-proxy-service-faceless/}, language = {English}, urldate = {2024-03-28} } @online{krebs:20230516:russian:b526450, author = {Brian Krebs}, title = {{Russian Hacker “Wazawaka” Indicted for Ransomware}}, date = {2023-05-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/}, language = {English}, urldate = {2023-05-21} } @online{krebs:20230725:who:55175fa, author = {Brian Krebs}, title = {{Who and What is Behind the Malware Proxy Service SocksEscort?}}, date = {2023-07-25}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/}, language = {English}, urldate = {2023-07-31} } @online{krebs:20230829:us:bd6f194, author = {Brian Krebs}, title = {{U.S. Hacks QakBot, Quietly Removes Botnet Infections}}, date = {2023-08-29}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/08/u-s-hacks-qakbot-quietly-removes-botnet-infections/}, language = {English}, urldate = {2023-08-31} } @online{krebs:20230913:fbi:447f640, author = {Brian Krebs}, title = {{FBI Hacker Dropped Stolen Airbus Data on 9/11}}, date = {2023-09-13}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/}, language = {English}, urldate = {2024-12-16} } @online{krebs:20230918:whos:a141b00, author = {Brian Krebs}, title = {{Who's Behind the 8Base Ransomware Website?}}, date = {2023-09-18}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/}, language = {English}, urldate = {2023-09-22} } @online{krebs:20240507:us:6fa7e93, author = {Brian Krebs}, title = {{U.S. Charges Russian Man as Boss of LockBit Ransomware Group}}, date = {2024-05-07}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/}, language = {English}, urldate = {2024-05-13} } @online{krebs:20240524:stark:7e3e2a1, author = {Brian Krebs}, title = {{Stark Industries Solutions: An Iron Hammer in the Cloud}}, date = {2024-05-24}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/}, language = {English}, urldate = {2024-06-05} } @online{krebs:20250228:notorious:1825a4a, author = {Brian Krebs}, title = {{Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab}}, date = {2025-02-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/}, language = {English}, urldate = {2025-03-05} } @online{krebs:20250520:krebsonsecurity:5727fdc, author = {Brian Krebs}, title = {{KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS}}, date = {2025-05-20}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/}, language = {English}, urldate = {2025-05-26} } @online{krebs:20250522:oops:c120133, author = {Brian Krebs}, title = {{Oops: DanaBot Malware Devs Infected Their Own PCs}}, date = {2025-05-22}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/}, language = {English}, urldate = {2025-05-26} } @online{krejci:20220712:analysis:de83dd7, author = {Kyle Krejci}, title = {{An Analysis of Infrastructure linked to the Hagga Threat Actor}}, date = {2022-07-12}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor}, language = {English}, urldate = {2022-07-15} } @online{kremez:20151226:backdoor:4552c35, author = {Vitali Kremez}, title = {{Backdoor: Win32/Hesetox.A: vSkimmer POS Malware Analysis }}, date = {2015-12-26}, organization = {Flashpoint}, url = {http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis}, language = {English}, urldate = {2019-12-24} } @online{kremez:20170724:lets:8b64c6c, author = {Vitali Kremez}, title = {{Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'}}, date = {2017-07-24}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20170818:extracted:cdbd2f4, author = {Vitali Kremez}, title = {{Tweet on extracted config from Gootkit}}, date = {2017-08-18}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/898549340121288704}, language = {English}, urldate = {2020-01-06} } @online{kremez:20171105:lets:c732c05, author = {Vitali Kremez}, title = {{Let's Learn: Lethic Spambot & Survey of Anti-Analysis Techniques}}, date = {2017-11-05}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20171112:lets:4db8d74, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Golroted Trojan's Process Hollowing Technique & UAC Bypass in HKCU\Environment}}, date = {2017-11-12}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } @online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } @online{kremez:20171213:update:50a1f16, author = {Vitali Kremez}, title = {{Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth}}, date = {2017-12-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } @online{kremez:20171227:lets:5c2d27f, author = {Vitali Kremez}, title = {{Let's Learn: Cutlet ATM Malware Internals}}, date = {2017-12-27}, url = {http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html}, language = {English}, urldate = {2019-07-22} } @online{kremez:20180129:lets:450880d, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"}}, date = {2018-01-29}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20180222:lets:6fd91bb, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module}}, date = {2018-02-22}, url = {http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html}, language = {English}, urldate = {2019-12-04} } @online{kremez:20180325:lets:070366d, author = {Vitali Kremez}, title = {{Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence}}, date = {2018-03-25}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html}, language = {English}, urldate = {2019-10-13} } @online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } @online{kremez:20180413:lets:3dd37f4, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Dive into Gootkit Banker Version 4 Malware Analysis}}, date = {2018-04-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html}, language = {English}, urldate = {2019-10-23} } @online{kremez:20180729:lets:8f04eed, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}}, date = {2018-07-29}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20180805:lets:489101d, author = {Vitali Kremez}, title = {{Let's Learn: Diving into the Latest "Ramnit" Banker Malware via "sLoad" PowerShell}}, date = {2018-08-05}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} } @online{kremez:20180825:lets:f8147ab, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Recent Gozi ISFB Banking Malware Version 2.16/2.17 (portion of ISFB v3) & "loader.dll/client.dll"}}, date = {2018-08-25}, url = {https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html}, language = {English}, urldate = {2019-11-25} } @online{kremez:20180907:lets:8515a2b, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1}}, date = {2018-09-07}, url = {https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20181031:lets:e59c3f8, author = {Vitali Kremez}, title = {{Let's Learn: Exploring ZeusVM Banking Malware Hooking Engine}}, date = {2018-10-31}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html}, language = {English}, urldate = {2019-12-24} } @online{kremez:20181105:lets:aed7583, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression}}, date = {2018-11-05}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20181107:lets:d4ffc27, author = {Vitali Kremez}, title = {{Let’s Learn: Introducing Latest TrickBot Point-of-Sale Finder Module}}, date = {2018-11-07}, url = {https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html}, language = {English}, urldate = {2019-11-17} } @online{kremez:20181113:lets:dd6d4d7, author = {Vitali Kremez}, title = {{Let's Learn: Dissect Panda Banking Malware's "libinject" Process Injection Module}}, date = {2018-11-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html}, language = {English}, urldate = {2020-01-13} } @online{kremez:20181127:lets:e9928d7, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review}}, date = {2018-11-27}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html}, language = {English}, urldate = {2020-01-13} } @online{kremez:20181210:lets:f947fb1, author = {Vitali Kremez}, title = {{Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight}}, date = {2018-12-10}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html}, language = {English}, urldate = {2020-01-09} } @online{kremez:20181221:lets:46e594a, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader}}, date = {2018-12-21}, url = {https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html}, language = {English}, urldate = {2019-12-24} } @online{kremez:20190107:lets:07f4941, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512'}}, date = {2019-01-07}, url = {https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20190115:disclosure:0e74c4e, author = {Vitali Kremez}, title = {{Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties}}, date = {2019-01-15}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/}, language = {English}, urldate = {2019-08-08} } @online{kremez:20190117:turla:1eff5e6, author = {Vitali Kremez}, title = {{Tweet on Turla Outlook Backdoor}}, date = {2019-01-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1085820673811992576}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190328:lets:9a07122, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess}}, date = {2019-03-28}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20190413:decoded:c9b46a9, author = {Vitali Kremez}, title = {{Decoded Turla Powershell Implant}}, date = {2019-04-13}, organization = {GitHub}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1}, language = {English}, urldate = {2019-07-11} } @online{kremez:20190425:ransomware:4093d36, author = {Vitali Kremez}, title = {{Tweet on Ransomware}}, date = {2019-04-25}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1121440931759128576}, language = {English}, urldate = {2020-01-05} } @online{kremez:20190509:robinhood:187f468, author = {Vitali Kremez}, title = {{RobinHood Ransomware “CoolMaker” Functions Not So Cool}}, date = {2019-05-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/}, language = {English}, urldate = {2020-01-06} } @online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190619:macho:641b90d, author = {Vitali Kremez}, title = {{Tweet on Mach-O & PE32 Payloads}}, date = {2019-06-19}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1141540229951709184}, language = {English}, urldate = {2020-01-07} } @online{kremez:20190712:atm:9918194, author = {Vitali Kremez}, title = {{ATM Malware Pin/PAN Card Offline Skimmer XFSADM}}, date = {2019-07-12}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1149454961740255232}, language = {English}, urldate = {2019-11-17} } @online{kremez:20190824:notes:486e04c, author = {Vitali Kremez}, title = {{Notes on Nemty Ransomware}}, date = {2019-08-24}, organization = {Github (k-vitali)}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190911:stealeruploader:0d4c48f, author = {Vitali Kremez}, title = {{Tweet on Stealer/Uploader}}, date = {2019-09-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1171782155581689858}, language = {English}, urldate = {2020-01-07} } @online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } @online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20191024:how:e6d838d, author = {Vitali Kremez}, title = {{How TrickBot Malware Hooking Engine Targets Windows 10 Browsers}}, date = {2019-10-24}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/}, language = {English}, urldate = {2020-07-03} } @online{kremez:20191105:possible:e2886d4, author = {Vitali Kremez}, title = {{Tweet on Possible Snatch}}, date = {2019-11-05}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1191414501297528832}, language = {English}, urldate = {2020-01-08} } @online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } @online{kremez:20191210:anchor:c0fc51c, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Anchor Project | The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT}}, date = {2019-12-10}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/}, language = {English}, urldate = {2023-04-06} } @online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } @online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} } @online{kremez:20200205:prorussian:4fab984, author = {Vitali Kremez}, title = {{Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting}}, date = {2020-02-05}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/}, language = {English}, urldate = {2020-02-09} } @online{kremez:20200227:lets:8b6f2b8, author = {Vitali Kremez}, title = {{Let’s Learn: Inside Parallax RAT Malware: Process Hollowing Injection & Process Doppelgänging API Mix: Part I}}, date = {2020-02-27}, url = {https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html}, language = {English}, urldate = {2020-03-25} } @online{kremez:20200421:signed:0a546c1, author = {Vitali Kremez}, title = {{Tweet on Signed GuLoader}}, date = {2020-04-21}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1252678206852907011}, language = {English}, urldate = {2021-01-05} } @online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } @online{kremez:20200429:some:2fb831b, author = {Vitali Kremez}, title = {{Some Insight into GuLoader family}}, date = {2020-04-29}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1255537954304524288}, language = {English}, urldate = {2021-01-05} } @online{kremez:20200504:guloader:5d6f001, author = {Vitali Kremez}, title = {{GuLoader API Loader Algorithm}}, date = {2020-05-04}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1257206565146370050}, language = {English}, urldate = {2021-01-05} } @online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } @online{kremez:20200617:signed:f8eecc6, author = {Vitali Kremez and malwrhunterteam}, title = {{Tweet on signed Tinymet payload (V.02) used by TA505}}, date = {2020-06-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1273292957429510150}, language = {English}, urldate = {2020-06-18} } @online{kremez:20200710:yara:9b51a77, author = {Vitali Kremez and Christiaan Beek and Tom Ueltschi and Hilko Bengen and Jo Johnson and Cooper Quintin and Wyatt Roersma and Tomislav Pericin}, title = {{YARA Rules talks and presentation of REVERSING 2020}}, date = {2020-07-10}, organization = {ReversingLabs}, url = {https://register.reversinglabs.com/reversing2020/session-videos}, language = {English}, urldate = {2020-07-11} } @online{kremez:20200711:trickbot:602fd73, author = {Vitali Kremez}, title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}}, date = {2020-07-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity}, language = {English}, urldate = {2020-07-13} } @online{kremez:20200814:zloader:cbd9ad5, author = {Vitali Kremez}, title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}}, date = {2020-08-14}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1294320579311435776}, language = {English}, urldate = {2020-11-09} } @online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } @online{kremez:20201117:new:2098c0a, author = {Vitali Kremez}, title = {{Tweet on a new fileless TrickBot loading method using code from MemoryModule}}, date = {2020-11-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1328578336021483522}, language = {English}, urldate = {2020-12-14} } @online{kremez:20201119:trickbot:32c7d08, author = {Vitali Kremez}, title = {{Tweet on Trickbot Group pushing LIGHTBOT powershell script to gather information about AD Server}}, date = {2020-11-19}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1329511151202349057}, language = {English}, urldate = {2020-11-23} } @online{kremez:20210107:crime:4c6f5c3, author = {Vitali Kremez and Brian Carter and HYAS}, title = {{Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders}}, date = {2021-01-07}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders}, language = {English}, urldate = {2021-01-11} } @online{kremez:20210129:analysis:7cb6acd, author = {Vitali Kremez}, title = {{Tweet on analysis of Vovalex ransomware written in DLang}}, date = {2021-01-29}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1355196321964109824}, language = {English}, urldate = {2021-02-06} } @online{kremez:20210324:revil:ae29dd2, author = {Vitali Kremez}, title = {{Tweet on REvil ransomware}}, date = {2021-03-24}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1374571480370061312?s=20}, language = {English}, urldate = {2021-03-31} } @online{kremez:20210417:adversary:197fcfa, author = {Vitali Kremez and Al Calleo and Yelisey Boguslavskiy}, title = {{Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021}}, date = {2021-04-17}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021}, language = {English}, urldate = {2021-04-19} } @online{kremez:20210514:from:958e38d, author = {Vitali Kremez}, title = {{From Dawn to "Silent Night": "DarkSide Ransomware" Initial Attack Vector Evolution}}, date = {2021-05-14}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution}, language = {English}, urldate = {2021-05-17} } @online{kremez:20210608:from:62f4d20, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{From QBot...with REvil Ransomware: Initial Attack Exposure of JBS}}, date = {2021-06-08}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs}, language = {English}, urldate = {2021-06-09} } @online{kremez:20210616:rise:8cfe240, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{The Rise & Demise of Multi-Million Ransomware Business Empire}}, date = {2021-06-16}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire}, language = {English}, urldate = {2021-06-21} } @online{kremez:20210628:elf:3036ab2, author = {Vitali Kremez}, title = {{Tweet on ELF version of REvil}}, date = {2021-06-28}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1409601311092490248}, language = {English}, urldate = {2021-06-29} } @online{kremez:20210629:linux:1b5367c, author = {Vitali Kremez}, title = {{Tweet on Linux version of REvil ransomware}}, date = {2021-06-29}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1409601311092490248?s=20}, language = {English}, urldate = {2021-06-29} } @online{kremez:20210702:revil:2a1c66a, author = {Vitali Kremez}, title = {{Tweet on Revil ransomware analysis used in Kaseya attack}}, date = {2021-07-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1411066870350942213}, language = {English}, urldate = {2021-07-24} } @online{kremez:20210805:linux:e3796ad, author = {Vitali Kremez}, title = {{Tweet on Linux variant of BlackMatter}}, date = {2021-08-05}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1423188690126266370}, language = {English}, urldate = {2021-08-09} } @online{kremez:20210811:secret:5c5f06c, author = {Vitali Kremez}, title = {{Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent}}, date = {2021-08-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent}, language = {English}, urldate = {2021-08-31} } @online{kremez:20210817:hunting:1dc14d0, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration}}, date = {2021-08-17}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations}, language = {English}, urldate = {2021-08-31} } @online{kremez:20210929:backup:4aebe4e, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Backup “Removal” Solutions - From Conti Ransomware With Love}}, date = {2021-09-29}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love}, language = {English}, urldate = {2021-10-20} } @online{kremez:20211217:ransomware:767cb9b, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement}}, date = {2021-12-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement}, language = {English}, urldate = {2021-12-20} } @online{kremez:20220223:24:59b3a28, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)}}, date = {2022-02-23}, organization = {AdvIntel}, url = {https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir}, language = {English}, urldate = {2022-03-01} } @online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } @online{kremez:20220501:revil:6146a35, author = {Vitali Kremez}, title = {{REvil Reborn Ransom Config}}, date = {2022-05-01}, organization = {Github (k-vitali)}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt}, language = {English}, urldate = {2022-05-04} } @online{kremez:20220517:hydra:16615d9, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups}}, date = {2022-05-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups}, language = {English}, urldate = {2022-05-25} } @online{kremez:20220607:blackcat:3dc977e, author = {Vitali Kremez and Marley Smith and Yelisey Boguslavskiy}, title = {{BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive}}, date = {2022-06-07}, organization = {AdvIntel}, url = {https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive}, language = {English}, urldate = {2022-06-08} } @online{kremez:20220720:anatomy:cd94a81, author = {Vitali Kremez and Yelisey Boguslavskiy and Marley Smith}, title = {{Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion}}, date = {2022-07-20}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion}, language = {English}, urldate = {2022-07-25} } @online{kreminchuker:20191218:echobot:2fe9511, author = {Eli Kreminchuker and Maxim Zavodchik and Raymond Pompon}, title = {{Echobot Malware Now up to 71 Exploits, Targeting SCADA}}, date = {2019-12-18}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada}, language = {English}, urldate = {2020-01-10} } @online{kreuzer:20211228:crowdstrike:32ba306, author = {Timo Kreuzer and Yarden Shafir and satoshi tanda and Blair Foster}, title = {{CrowdStrike Strengthens Exploit Protection Using Intel CPU Telemetry}}, date = {2021-12-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/introducing-falcon-hardware-enhanced-exploit-detection/}, language = {English}, urldate = {2022-01-03} } @online{kreyenberg:20200228:mysterious:ed48f62, author = {Hannah Kreyenberg}, title = {{Mysterious spam campaign: A security analysis}}, date = {2020-02-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/mysterious-spam-campaign/}, language = {English}, urldate = {2020-06-16} } @online{kringel:20220301:what:0acaa94, author = {Ido Kringel}, title = {{What is HermeticWiper – An Analysis of the Malware and Larger Threat Landscape in the Russian Ukrainian War}}, date = {2022-03-01}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war}, language = {English}, urldate = {2022-03-07} } @online{krishnan:20210113:passive:8e5ce1b, author = {Rakesh Krishnan and Coinmonks}, title = {{Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam}}, date = {2021-01-13}, organization = {Medium Coinmonks}, url = {https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372}, language = {English}, urldate = {2021-01-21} } @online{krishnan:20250315:iocs:2ae0ca5, author = {Rakesh Krishnan}, title = {{IoCs for Anubis Backdoor}}, date = {2025-03-15}, organization = {Github (TheRavenFile)}, url = {https://github.com/TheRavenFile/Daily-Hunt/blob/main/Anubis%20Backdoor}, language = {English}, urldate = {2025-03-26} } @online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } @online{kristal:20200609:cobaltstrikeparser:a023ac8, author = {Gal Kristal}, title = {{CobaltStrikeParser}}, date = {2020-06-09}, organization = {Github (Sentinel-One)}, url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py}, language = {English}, urldate = {2020-09-15} } @online{kristal:20201019:purple:46e7ffb, author = {Gal Kristal}, title = {{Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow}}, date = {2020-10-19}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/}, language = {English}, urldate = {2023-08-23} } @online{kristal:20210804:hotcobalt:136e715, author = {Gal Kristal}, title = {{Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations}}, date = {2021-08-04}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/}, language = {English}, urldate = {2021-08-06} } @online{krivobokov:20220906:propalestinian:53a7780, author = {David Krivobokov}, title = {{Pro-Palestinian Hacking Group Compromises Berghof PLCs in Israel}}, date = {2022-09-06}, organization = {Otorio}, url = {https://www.otorio.com/blog/pro-palestinian-hacking-group-compromises-berghof-plcs-in-israel/}, language = {English}, urldate = {2022-09-19} } @techreport{kropotov:20201006:hacker:ddb4108, author = {Vladimir Kropotov and Robert McArdle and Fyodor Yarochkin}, title = {{The Hacker Infrastructure and Underground Hosting: Cybercrime Modi Operandi and OpSec}}, date = {2020-10-06}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-the-hacker-infrastructure-and-underground-hosting-cybercrime-modi-operandi-and-opsec.pdf}, language = {English}, urldate = {2021-11-08} } @techreport{kropotov:2020:hacker:34fa1c6, author = {Vladimir Kropotov and Robert McArdle and Fyodor Yarochkin}, title = {{The Hacker Infrastructureand Underground Hosting:Services Used by Criminals}}, date = {2020}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-the-hacker-infrastructure-and-underground-hosting-services-used-by-criminals.pdf}, language = {English}, urldate = {2020-11-09} } @online{kroshinsky:20220928:investigating:17c6c32, author = {Roman Kroshinsky and Pavle Culum}, title = {{Investigating Web Shells}}, date = {2022-09-28}, organization = {Gigamon}, url = {https://blog.gigamon.com/2022/09/28/investigating-web-shells/}, language = {English}, urldate = {2022-09-30} } @online{krouse:20240926:chinalinked:b160c35, author = {Sarah Krouse and Robert McMillan and Dustin Volz}, title = {{China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack}}, date = {2024-09-26}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835}, language = {English}, urldate = {2024-10-01} } @online{krueger:20191015:lowkey:aab2f5e, author = {Tobias Krueger}, title = {{LOWKEY: Hunting for the Missing Volume Serial ID}}, date = {2019-10-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html}, language = {English}, urldate = {2019-12-10} } @online{kruglov:20220119:campaigns:777f4f0, author = {Kirill Kruglov}, title = {{Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks}}, date = {2022-01-19}, organization = {Kaspersky}, url = {https://ics-cert.kaspersky.com/publications/reports/2022/1/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks}, language = {English}, urldate = {2022-01-24} } @techreport{krysiuk:2013:trojanbamital:1c4d921, author = {Piotr Krysiuk and Vikram Thakur}, title = {{Trojan.Bamital}}, date = {2013}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf}, language = {English}, urldate = {2019-12-24} } @online{kscert:20151105:sphinx:0414ca2, author = {kscert}, title = {{Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT}}, date = {2015-11-05}, organization = {Kudelski Security}, url = {https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/}, language = {English}, urldate = {2020-01-10} } @online{ksch58:20231215:github:8c12d25, author = {KSCH-58}, title = {{Github Repo for Malicord}}, date = {2023-12-15}, url = {https://github.com/ElasBlueWHale2/Malicord}, language = {English}, urldate = {2024-01-03} } @online{kubic:20210126:ongoing:c57f443, author = {Chris Kubic}, title = {{Ongoing Analysis of SolarWinds Impacts}}, date = {2021-01-26}, organization = {Fidelis}, url = {https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/}, language = {English}, urldate = {2021-01-27} } @online{kubovich:20180703:hamas:372b78f, author = {Yaniv Kubovich}, title = {{Hamas Cyber Ops Spied on Hundreds of Israeli Soldiers Using Fake World Cup, Dating Apps}}, date = {2018-07-03}, organization = {Haaretz}, url = {https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773}, language = {English}, urldate = {2019-11-29} } @online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } @online{kucherin:20230403:alternative:280883c, author = {Georgy Kucherin}, title = {{Tweet on an alternative Guporam sample}}, date = {2023-04-03}, organization = {Twitter (@kucher1n)}, url = {https://twitter.com/kucher1n/status/1642886340105601029?t=3GCn-ZhDjqWEMXya_PKseg}, language = {English}, urldate = {2023-04-08} } @online{kucherin:20230403:not:ddfeb19, author = {Georgy Kucherin}, title = {{Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack}}, date = {2023-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344}, language = {English}, urldate = {2023-04-08} } @online{kucherin:20230621:dissecting:2caf8b9, author = {Georgy Kucherin and Leonid Bezvershenko and Igor Kuznetsov}, title = {{Dissecting TriangleDB, a Triangulation spyware implant}}, date = {2023-06-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/triangledb-triangulation-implant/110050/}, language = {English}, urldate = {2023-06-26} } @online{kucherin:20231023:outstanding:85bd740, author = {Georgy Kucherin and Leonid Bezvershenko and Valentin Pashkov}, title = {{The outstanding stealth of Operation Triangulation}}, date = {2023-10-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/triangulation-validators-modules/110847/}, language = {English}, urldate = {2024-02-08} } @techreport{kucherin:20240924:mask:61c003e, author = {Georgy Kucherin and Marc Rivero López}, title = {{The Mask Has Been Unmasked Again}}, date = {2024-09-24}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/The-Mask-has-been-unmasked-again.pdf}, language = {English}, urldate = {2024-12-16} } @online{kucherin:20250224:gitvenom:7e0a5ba, author = {Georgy Kucherin and João Godinho}, title = {{The GitVenom campaign: cryptocurrency theft using GitHub}}, date = {2025-02-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/gitvenom-campaign/115694/}, language = {English}, urldate = {2025-02-25} } @online{kudkar:20210116:oski:a0abdb1, author = {Isha Kudkar}, title = {{Oski Stealer : A Credential Theft Malware}}, date = {2021-01-16}, organization = {Medium}, url = {https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601}, language = {English}, urldate = {2022-01-12} } @online{kuhn:20190724:guesswho:1b23cb0, author = {John Kuhn}, title = {{GuessWho Ransomware – A Variant of Rapid Ransomware}}, date = {2019-07-24}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145}, language = {English}, urldate = {2020-01-10} } @online{kuhn:20210510:how:5f1953b, author = {Thomas Kuhn}, title = {{How one of the largest hacker networks in the world was paralyzed}}, date = {2021-05-10}, organization = {Wirtschaftswoche}, url = {https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html}, language = {German}, urldate = {2021-05-13} } @online{kujawa:20120609:you:c8d15e0, author = {Adam Kujawa}, title = {{You dirty RAT! Part 1: DarkComet}}, date = {2012-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20120615:you:307c877, author = {Adam Kujawa}, title = {{You Dirty RAT! Part 2 – BlackShades NET}}, date = {2012-06-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20120621:blackshades:3002f8a, author = {Adam Kujawa}, title = {{BlackShades in Syria}}, date = {2012-06-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20121005:dark:192d4aa, author = {Adam Kujawa}, title = {{Dark Comet 2: Electric Boogaloo}}, date = {2012-10-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20140530:taking:d9b729e, author = {Adam Kujawa}, title = {{Taking off the Blackshades}}, date = {2014-05-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/}, language = {English}, urldate = {2019-12-20} } @techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } @online{kumar:20170122:russian:a19c81e, author = {Mohit Kumar}, title = {{Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain}}, date = {2017-01-22}, organization = {The Hacker News}, url = {http://thehackernews.com/2017/01/neverquest-fbi-hacker.html}, language = {English}, urldate = {2019-12-18} } @online{kumar:20200626:taurus:4d00888, author = {Avinash Kumar and Uday Pratap Singh}, title = {{Taurus: The New Stealer in Town}}, date = {2020-06-26}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/taurus-new-stealer-town}, language = {English}, urldate = {2020-08-13} } @techreport{kumar:202006:mobile:a277975, author = {Apurva Kumar and Christoph Hebeisen and Kristin Del Rosso}, title = {{Mobile APT SurveillanceCampaigns Targeting Uyghurs A collection of long-running Android tooling connected to a Chinese mAPT actor}}, date = {2020-06}, institution = {Lookout}, url = {https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf}, language = {English}, urldate = {2020-07-02} } @online{kumar:20200701:multiyear:5ce3699, author = {Apurva Kumar and Christoph Hebeisen and Kristin Del Rosso}, title = {{Multiyear Surveillance Campaigns Discovered Targeting Uyghurs}}, date = {2020-07-01}, organization = {Lookout}, url = {https://blog.lookout.com/multiyear-surveillance-campaigns-discovered-targeting-uyghurs}, language = {English}, urldate = {2020-07-02} } @online{kumar:20200916:malware:60f39c3, author = {Avinash Kumar and Aditya Sharma}, title = {{Malware Leveraging XML-RPC Vulnerability to Exploit WordPress Sites}}, date = {2020-09-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites}, language = {English}, urldate = {2020-09-23} } @online{kumar:20210210:lookout:164ed92, author = {Apurva Kumar and Kristin Del Rosso}, title = {{Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict}}, date = {2021-02-10}, organization = {Lookout}, url = {https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict}, language = {English}, urldate = {2021-02-20} } @online{kumar:20210928:squirrelwaffle:9b1cffc, author = {Avinash Kumar and Brett Stone-Gross}, title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}}, date = {2021-09-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike}, language = {English}, urldate = {2021-10-11} } @online{kumar:20220406:ffdroider:7f5ad65, author = {Avinash Kumar and Niraj Shivtarkar}, title = {{FFDroider Stealer Targeting Social Media Platform Users}}, date = {2022-04-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users}, language = {English}, urldate = {2022-04-29} } @online{kumar:20220510:malicious:453b20e, author = {Srujan Kumar}, title = {{Malicious PDF Document Analysis - Lazyscripter}}, date = {2022-05-10}, organization = {Github (SrujanKumar-K)}, url = {https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter}, language = {English}, urldate = {2022-05-11} } @online{kumar:20230711:breaking:7b075ed, author = {Bablu Kumar}, title = {{Breaking into the Bandit Stealer Malware Infrastructure}}, date = {2023-07-11}, organization = {Cloudsek}, url = {https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure}, language = {English}, urldate = {2023-08-01} } @online{kumar:20231005:securonix:90f7802, author = {Dheeraj Kumar and Ella Dragun}, title = {{Securonix Threat Labs Monthly Intelligence Insights – September 2023}}, date = {2023-10-05}, organization = {Securonix}, url = {https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/}, language = {English}, urldate = {2024-09-27} } @online{kumar:20241213:vipkeylogger:d37225c, author = {Prashant Kumar}, title = {{VIPKeyLogger Infostealer in the Wild}}, date = {2024-12-13}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/vipkeylogger-infostealer-malware}, language = {English}, urldate = {2025-04-09} } @online{kundaliya:20190411:lazarus:2ad8687, author = {Dev Kundaliya}, title = {{Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea}}, date = {2019-04-11}, organization = {Computing.co.uk}, url = {https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea}, language = {English}, urldate = {2020-01-06} } @online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } @techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } @online{kuo:20210611:dissecting:cd60a32, author = {Linda Kuo and Zih-Cing Liao}, title = {{Dissecting Phishing Techniques Of CloudDragon APT}}, date = {2021-06-11}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI}, language = {English}, urldate = {2021-06-22} } @techreport{kuo:20210611:story:897e55c, author = {Linda Kuo and Zih-Cing Liao}, title = {{Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)}}, date = {2021-06-11}, institution = {TEAMT5}, url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf}, language = {English}, urldate = {2021-06-22} } @online{kupchik:20220615:panchans:3b4d766, author = {Stiv Kupchik}, title = {{Panchan’s Mining Rig: New Golang Peer-to-Peer Botnet Says “Hi!”}}, date = {2022-06-15}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/new-p2p-botnet-panchan}, language = {English}, urldate = {2022-07-01} } @online{kupchik:20230412:investigating:ced1ec2, author = {Stiv Kupchik}, title = {{Investigating the resurgence of the Mexals campaign}}, date = {2023-04-12}, organization = {Akamai}, url = {https://www.akamai.com/blog/security-research/mexals-cryptojacking-malware-resurgence}, language = {English}, urldate = {2023-06-19} } @online{kupchik:20240110:you:b2f4e07, author = {Stiv Kupchik}, title = {{You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance}}, date = {2024-01-10}, organization = {Akamai}, url = {https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining}, language = {English}, urldate = {2024-01-11} } @online{kupczyk:20211109:scheming:04a8e46, author = {Lukas Kupczyk and Max Julian Hofmann}, title = {{Scheming with URLs: One-Click Attack Surface in Linux Desktop Environments}}, date = {2021-11-09}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/one-click-attack-surface-in-linux-desktop-environments/}, language = {English}, urldate = {2021-11-17} } @online{kupreev:20201204:chronicles:faab5a6, author = {Oleg Kupreev}, title = {{The chronicles of Emotet}}, date = {2020-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-chronicles-of-emotet/99660/}, language = {English}, urldate = {2020-12-08} } @online{kupreev:20211019:trickbot:f7cfc04, author = {Oleg Kupreev}, title = {{Trickbot module descriptions}}, date = {2021-10-19}, organization = {Kaspersky}, url = {https://securelist.com/trickbot-module-descriptions/104603/}, language = {English}, urldate = {2021-10-24} } @online{kupreev:20220915:selfspreading:a51b997, author = {Oleg Kupreev}, title = {{Self-spreading stealer attacks gamers via YouTube}}, date = {2022-09-15}, organization = {Kaspersky}, url = {https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/}, language = {English}, urldate = {2022-09-16} } @online{kupreev:20250410:goffee:adb0ca3, author = {Oleg Kupreev}, title = {{GOFFEE continues to attack organizations in Russia}}, date = {2025-04-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/goffee-apt-new-attacks/116139/}, language = {English}, urldate = {2025-05-02} } @online{kuprins:20190903:analysis:2b5a874, author = {Aleksejs Kuprins}, title = {{Analysis of Joker — A Spy & Premium Subscription Bot on GooglePlay}}, date = {2019-09-03}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451}, language = {English}, urldate = {2020-01-06} } @online{kuprins:20200625:roamingmantis:256a9f9, author = {Aleksejs Kuprins}, title = {{The RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices}}, date = {2020-06-25}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681}, language = {English}, urldate = {2020-06-25} } @online{kuprins:20210316:brief:895027b, author = {Aleksejs Kuprins}, title = {{The Brief Glory of Cabassous/FluBot — a private Android banking botnet}}, date = {2021-03-16}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027}, language = {English}, urldate = {2021-03-24} } @online{kurolapnik:20200226:whats:930c58d, author = {Leon Kurolapnik and Raveed Laeb}, title = {{What’s Dead May Never Die: AZORult Infostealer Decommissioned Again}}, date = {2020-02-26}, organization = {KELA}, url = {https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/}, language = {English}, urldate = {2021-05-07} } @online{kushnir:20220105:elephant:1bbf7d7, author = {Amnon Kushnir and Noam Lifshitz and Yoav Mazor and Oren Biderman and Boaz Wasserman and Itay Shohat and Arie Zilberstein}, title = {{Elephant Beetle: Uncovering an Organized Financial-Theft Operation}}, date = {2022-01-05}, organization = {SYGNIA}, url = {https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation}, language = {English}, urldate = {2022-01-06} } @techreport{kuvshinov:20210708:how:2e5a659, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf}, language = {Russian}, urldate = {2021-09-20} } @online{kuvshinov:20210708:how:ea6d201, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, organization = {YouTube (PT Product Update)}, url = {https://www.youtube.com/watch?v=_fstHQSK-kk}, language = {Russian}, urldate = {2021-09-20} } @online{kuvshinov:20230927:dark:55ee6a9, author = {Denis Kuvshinov and Maxim Andreev}, title = {{Dark River. You can't see them, but they're there}}, date = {2023-09-27}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/}, language = {English}, urldate = {2023-10-05} } @online{kuzin:20140710:versatile:0c64d25, author = {Mikhail Kuzin}, title = {{Versatile DDoS Trojan for Linux}}, date = {2014-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/versatile-ddos-trojan-for-linux/64361/}, language = {English}, urldate = {2019-12-20} } @online{kuzin:20180720:calisto:09350f7, author = {Mikhail Kuzin and Sergey Zelensky}, title = {{Calisto Trojan for macOS}}, date = {2018-07-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/calisto-trojan-for-macos/86543/}, language = {English}, urldate = {2019-12-20} } @online{kuzin:20210318:convuster:f45769a, author = {Mikhail Kuzin and Ilya Mogilin}, title = {{Convuster: macOS adware now in Rust}}, date = {2021-03-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/convuster-macos-adware-in-rust/101258}, language = {English}, urldate = {2021-04-16} } @online{kuzmenko:20190618:plurox:14d4e0d, author = {Anton Kuzmenko}, title = {{Plurox: Modular backdoor}}, date = {2019-06-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/plurox-modular-backdoor/91213/}, language = {English}, urldate = {2019-12-20} } @online{kuzmenko:20201022:trail:70c41e9, author = {Anton Kuzmenko}, title = {{On the trail of the XMRig miner}}, date = {2020-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/miner-xmrig/99151/}, language = {English}, urldate = {2020-10-27} } @online{kuzmenko:20210607:gootkit:dde97ac, author = {Anton Kuzmenko}, title = {{Gootkit: the cautious Trojan}}, date = {2021-06-07}, organization = {Kaspersky}, url = {https://securelist.com/gootkit-the-cautious-trojan/102731/}, language = {English}, urldate = {2021-06-16} } @online{kuzmenko:20210624:malicious:83a5c83, author = {Anton Kuzmenko}, title = {{Malicious spam campaigns delivering banking Trojans}}, date = {2021-06-24}, organization = {Kaspersky}, url = {https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917}, language = {English}, urldate = {2021-06-25} } @online{kuzmenko:20210902:qakbot:219d23c, author = {Anton Kuzmenko and Oleg Kupreev and Haim Zigel}, title = {{QakBot Technical Analysis}}, date = {2021-09-02}, organization = {Kaspersky}, url = {https://securelist.com/qakbot-technical-analysis/103931/}, language = {English}, urldate = {2021-09-06} } @online{kuznetsov:20130314:new:148c189, author = {Igor Kuznetsov and Costin Raiu}, title = {{New Uyghur and Tibetan Themed Attacks Using PDF Exploits}}, date = {2013-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465}, language = {English}, urldate = {2020-04-24} } @online{kuznetsov:20201218:sunburst:85b411a, author = {Igor Kuznetsov and Costin Raiu}, title = {{Sunburst: connecting the dots in the DNS requests}}, date = {2020-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/}, language = {English}, urldate = {2020-12-18} } @online{kuznetsov:20220728:lofylife:0d316b3, author = {Igor Kuznetsov and Leonid Bezvershenko}, title = {{LofyLife: malicious npm packages steal Discord tokens and bank card data}}, date = {2022-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lofylife-malicious-npm-packages/107014/}, language = {English}, urldate = {2022-08-28} } @online{kuznetsov:20220728:lofylife:44645c7, author = {Igor Kuznetsov and Leonid Bezvershenko}, title = {{LofyLife: malicious npm packages steal Discord tokens and bank card data}}, date = {2022-07-28}, organization = {Kaspersky}, url = {https://securelist.com/lofylife-malicious-npm-packages/107014}, language = {English}, urldate = {2022-08-28} } @online{kuznetsov:20230601:operation:ad8eded, author = {Igor Kuznetsov and Valentin Pashkov and Leonid Bezvershenko and Georgy Kucherin}, title = {{Operation Triangulation: iOS devices targeted with previously unknown malware}}, date = {2023-06-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-triangulation/109842/}, language = {English}, urldate = {2023-06-01} } @online{kuznetsov:20250325:operation:5d0395a, author = {Igor Kuznetsov and Boris Larin}, title = {{Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain}}, date = {2025-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-forumtroll/115989/}, language = {English}, urldate = {2025-03-27} } @online{kuznetsov:20250422:russian:ba0f413, author = {Igor Kuznetsov and Georgy Kucherin and Alexander Demidov}, title = {{Russian organizations targeted by backdoor masquerading as secure networking software updates}}, date = {2025-04-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-backdoor-mimics-security-software-update/116246/}, language = {English}, urldate = {2025-04-28} } @online{kwak:2017:campaign:b60b366, author = {Kay Kwak (Kyoung-Ju Kwak)}, title = {{Campaign Rifle: Andariel, The Maiden of Anguish}}, date = {2017}, organization = {FSI}, url = {https://mega.nz/file/lkh1gY5C#93FUlwTwl0y27cfM0jtm4SYnWbtk06d0qoDg1e4eQ6s}, language = {English}, urldate = {2023-08-28} } @online{kwiatkowski:20200331:holy:857c397, author = {Ivan Kwiatkowski and Félix Aime and Pierre Delcher}, title = {{Holy water: ongoing targeted water-holing attack in Asia}}, date = {2020-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/}, language = {English}, urldate = {2020-04-07} } @online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } @online{kwiatkowski:20200824:lifting:fd3c725, author = {Ivan Kwiatkowski and Pierre Delcher and Maher Yamout}, title = {{Lifting the veil on DeathStalker, a mercenary triumvirate}}, date = {2020-08-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/deathstalker-mercenary-triumvirate/98177/}, language = {English}, urldate = {2020-08-25} } @online{kwiatkowski:20201015:iamtheking:1c3917e, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{IAmTheKing and the SlothfulMedia malware family}}, date = {2020-10-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/}, language = {English}, urldate = {2020-10-16} } @online{kwiatkowski:20210405:leap:9f488d4, author = {Ivan Kwiatkowski and Pierre Delcher and Mark Lechtik}, title = {{The leap of a Cycldek-related threat actor}}, date = {2021-04-05}, organization = {Kaspersky}, url = {https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/}, language = {English}, urldate = {2021-04-14} } @online{kwiatkowski:20210929:darkhalo:d81f7d2, author = {Ivan Kwiatkowski and Pierre Delcher}, title = {{DarkHalo after SolarWinds: the Tomiris connection (UNC2849)}}, date = {2021-09-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/}, language = {English}, urldate = {2021-11-30} } @online{kwiatkowski:20211027:extracting:14de2bc, author = {Ivan Kwiatkowski}, title = {{Extracting type information from Go binaries}}, date = {2021-10-27}, organization = {Kaspersky}, url = {https://securelist.com/extracting-type-information-from-go-binaries/104715/}, language = {English}, urldate = {2021-11-03} } @online{kwiatkowski:20230519:go:09f3501, author = {Ivan Kwiatkowski}, title = {{Go reverse-engineering workshop}}, date = {2023-05-19}, organization = {YouTube (NorthSec)}, url = {https://www.youtube.com/watch?v=koZkHEJqPrU}, language = {English}, urldate = {2023-11-27} } @online{kwiatkowski:20240115:introduction:bcb0fca, author = {Ivan Kwiatkowski}, title = {{An Introduction to Reverse Engineering .NET AOT Applications}}, date = {2024-01-15}, organization = {HarfangLab}, url = {https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/}, language = {English}, urldate = {2024-01-18} } @online{laan:20160828:feintcloud:628f6af, author = {Wladimir J. van der Laan}, title = {{FEINTCLOUD}}, date = {2016-08-28}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/08/28/feintcloud.html}, language = {English}, urldate = {2020-01-13} } @online{laan:20160904:blatsting:26f14e8, author = {Wladimir J. van der Laan}, title = {{BLATSTING Command-and-Control protocol}}, date = {2016-09-04}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html}, language = {English}, urldate = {2019-07-11} } @online{laan:20160911:buzzdirection:2f24cce, author = {Wladimir J. van der Laan}, title = {{BUZZDIRECTION: BLATSTING reloaded}}, date = {2016-09-11}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/11/buzzdirection.html}, language = {English}, urldate = {2020-01-08} } @online{laanwj:20160822:blatsting:11dc652, author = {Laanwj}, title = {{BLATSTING FUNKSPIEL}}, date = {2016-08-22}, url = {https://laanwj.github.io/2016/08/22/blatsting.html}, language = {English}, urldate = {2020-01-07} } @online{laanwj:20160901:tadaqueous:c25857a, author = {Laanwj}, title = {{TADAQUEOUS moments}}, date = {2016-09-01}, url = {https://laanwj.github.io/2016/09/01/tadaqueos.html}, language = {English}, urldate = {2020-01-07} } @online{laanwj:20160906:blatsting:67dc773, author = {Laanwj}, title = {{Blatsting C&C Transcript}}, date = {2016-09-06}, url = {https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html}, language = {English}, urldate = {2019-12-04} } @online{laanwj:20160913:curious:fa20b98, author = {Laanwj}, title = {{The curious case of BLATSTING's RSA implementation}}, date = {2016-09-13}, url = {https://laanwj.github.io/2016/09/13/blatsting-rsa.html}, language = {English}, urldate = {2020-01-09} } @online{laanwj:20160917:few:2572d3c, author = {Laanwj}, title = {{A few notes on SECONDDATE's C&C protocol}}, date = {2016-09-17}, url = {https://laanwj.github.io/2016/09/17/seconddate-cnc.html}, language = {English}, urldate = {2020-01-07} } @online{laaouissi:20240514:panni:88739af, author = {Yassir Laaouissi}, title = {{Panni pelmeni: Turla loves dumplings}}, date = {2024-05-14}, organization = {YouTube (botconf eu)}, url = {https://youtu.be/z2xUevYS-mg?t=1334}, language = {English}, urldate = {2024-07-17} } @online{lab52:20190313:orangeworm:396a091, author = {Lab52}, title = {{ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE}}, date = {2019-03-13}, organization = {Security Art Work}, url = {https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/}, language = {English}, urldate = {2020-01-06} } @online{lab52:20190402:wirte:24a604b, author = {Lab52}, title = {{WIRTE Group attacking the Middle East}}, date = {2019-04-02}, organization = {Lab52}, url = {https://lab52.io/blog/wirte-group-attacking-the-middle-east/}, language = {English}, urldate = {2023-11-17} } @online{lab52:20200609:recent:c5c6aa7, author = {Lab52}, title = {{Recent FK_Undead rootkit samples found in the wild}}, date = {2020-06-09}, organization = {Lab52}, url = {https://lab52.io/blog/recent-fk-undead-rootkit-samples-found-in-the-wild/}, language = {English}, urldate = {2020-06-10} } @online{lab52:20210429:chimera:0540b27, author = {Lab52}, title = {{Chimera APT updates on its OwlProxy malware}}, date = {2021-04-29}, organization = {Lab52}, url = {https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/}, language = {English}, urldate = {2021-05-04} } @online{lab52:20220309:very:b667537, author = {Lab52}, title = {{Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation}}, date = {2022-03-09}, organization = {Lab52}, url = {https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/}, language = {English}, urldate = {2022-03-10} } @online{lab52:20220401:complete:277239c, author = {Lab52}, title = {{Complete dissection of an APK with a suspicious C2 Server}}, date = {2022-04-01}, organization = {Lab52}, url = {https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/}, language = {English}, urldate = {2022-06-27} } @online{lab52:20220621:muddywaters:3e100a8, author = {Lab52}, title = {{MuddyWater’s “light” first-stager targetting Middle East}}, date = {2022-06-21}, url = {https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/}, language = {English}, urldate = {2022-06-22} } @online{lab52:20230315:aptc36:af5893a, author = {Lab52}, title = {{APT-C-36: from NjRAT to LimeRAT}}, date = {2023-03-15}, organization = {Lab52}, url = {https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/}, language = {English}, urldate = {2024-04-29} } @online{lab52:20230503:new:1056613, author = {Lab52}, title = {{New Mustang Panda’s campaing against Australia}}, date = {2023-05-03}, organization = {Lab52}, url = {https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/}, language = {English}, urldate = {2023-05-08} } @online{lab52:20230525:new:beca5c2, author = {Lab52}, title = {{New tricks of APT29 – update on the CERT.PL report}}, date = {2023-05-25}, organization = {Lab52}, url = {https://lab52.io/blog/2162-2/}, language = {English}, urldate = {2023-07-13} } @online{lab52:20230707:beyond:8a89022, author = {Lab52}, title = {{Beyond appearances: unknown actor using APT29’s TTP against Chinese users}}, date = {2023-07-07}, organization = {Lab52}, url = {https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/}, language = {English}, urldate = {2023-07-13} } @online{lab52:20230712:new:aad5f7c, author = {Lab52}, title = {{New invitation from APT29 to use CCleaner}}, date = {2023-07-12}, organization = {Lab52}, url = {https://lab52.io/blog/2344-2/}, language = {English}, urldate = {2023-07-13} } @online{lab52:20240219:pelmeni:b1a324c, author = {Lab52}, title = {{Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)}}, date = {2024-02-19}, organization = {Lab52}, url = {https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/?ref=news.risky.biz}, language = {English}, urldate = {2024-05-21} } @techreport{lab:20120531:skywiper:5435097, author = {CrySyS Lab}, title = {{sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks}}, date = {2012-05-31}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/skywiper.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{lab:20130320:teamspy:d2d8b88, author = {CrySyS Lab}, title = {{TeamSpy –Obshie manevri. Ispolzovat' tolko s razreshenija S-a.}}, date = {2013-03-20}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/teamspy.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{lab:20141124:regin:b19cdc4, author = {Kaspersky Lab}, title = {{The Regin Platform Nation-State Ownage Of GSM Networks}}, date = {2014-11-24}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf}, language = {English}, urldate = {2022-03-22} } @online{lab:20161108:spamtorte:7e33792, author = {Verint Research Lab}, title = {{SPAMTORTE VERSION 2: DISCOVERY OF AN ADVANCED, MULTILAYERED SPAMBOT CAMPAIGN THAT IS BACK WITH A VENGEANCE}}, date = {2016-11-08}, organization = {Verint}, url = {https://cis.verint.com/2016/11/08/spamtorte-version-2/}, language = {English}, urldate = {2020-12-20} } @online{lab:20170404:chasing:b9789da, author = {Kaspersky Lab}, title = {{Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies}, language = {English}, urldate = {2019-12-24} } @techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } @online{lab:20181213:return:786b4e0, author = {Certfa Lab}, title = {{The Return of The Charming Kitten}}, date = {2018-12-13}, organization = {Certfa}, url = {https://blog.certfa.com/posts/the-return-of-the-charming-kitten/}, language = {English}, urldate = {2020-01-13} } @online{lab:20190716:analysis:26c4f96, author = {G DATA Security Lab}, title = {{Analysis: Server-side polymorphism & PowerShell backdoors}}, date = {2019-07-16}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors}, language = {English}, urldate = {2022-03-31} } @online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } @online{lab:20200130:fake:8ef4342, author = {Certfa Lab}, title = {{Fake Interview: The New Activity of Charming Kitten}}, date = {2020-01-30}, organization = {Certfa Lab}, url = {https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/}, language = {English}, urldate = {2020-03-03} } @online{lab:20200505:awaiting:513382e, author = {Security Lab}, title = {{Awaiting the Inevitable Return of Emotet}}, date = {2020-05-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/}, language = {English}, urldate = {2020-05-05} } @online{lab:20200519:information:eb0a182, author = {Security Lab}, title = {{Information Stealer Campaign Targeting German HR Contacts}}, date = {2020-05-19}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/}, language = {English}, urldate = {2020-05-29} } @online{lab:20200605:avaddon:399af6f, author = {Security Lab}, title = {{Avaddon: From seeking affiliates to in-the-wild in 2 days}}, date = {2020-06-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/}, language = {English}, urldate = {2020-06-08} } @online{lab:20200612:trickbot:2bf54ef, author = {Security Lab}, title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}}, date = {2020-06-12}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/}, language = {English}, urldate = {2020-07-01} } @online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} } @online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } @online{lab:20200709:servhelper:13899fd, author = {G DATA Security Lab}, title = {{ServHelper: Hidden Miners}}, date = {2020-07-09}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners}, language = {English}, urldate = {2020-07-16} } @online{lab:20200718:firefox:4293555, author = {Hornetsecurity Security Lab}, title = {{Firefox Send sends Ursnif malware}}, date = {2020-07-18}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/}, language = {English}, urldate = {2020-08-21} } @online{lab:20200720:emotet:f918eaf, author = {Hornetsecurity Security Lab}, title = {{Emotet is back}}, date = {2020-07-20}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-is-back/}, language = {English}, urldate = {2020-07-30} } @online{lab:20200731:webshells:4963ea5, author = {Hornetsecurity Security Lab}, title = {{The webshells powering Emotet}}, date = {2020-07-31}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/}, language = {English}, urldate = {2020-08-21} } @online{lab:20200824:emotet:252c8de, author = {Security Lab}, title = {{Emotet Update increases Downloads}}, date = {2020-08-24}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/}, language = {English}, urldate = {2020-08-30} } @online{lab:20201013:bazarloader:9a2d75b, author = {Security Lab}, title = {{BazarLoader Campaign with Fake Termination Emails}}, date = {2020-10-13}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/}, language = {English}, urldate = {2020-10-19} } @online{lab:20201016:vba:577dd47, author = {Hornetsecurity Security Lab}, title = {{VBA Purging Malspam Campaigns}}, date = {2020-10-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/}, language = {English}, urldate = {2020-12-08} } @online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } @online{lab:20201112:operation:62e5d84, author = {Hunting Shadow Lab}, title = {{Operation Gold Hunting: Targeting the Cutting-Edge Technology Industry}}, date = {2020-11-12}, organization = {Anheng Threat Intelligence Center}, url = {https://ti.dbappsecurity.com.cn/blog/index.php/2020/11/12/operation-gold-hunting/}, language = {English}, urldate = {2021-06-22} } @online{lab:20201215:qakbot:9397167, author = {Hornetsecurity Security Lab}, title = {{QakBot reducing its on disk artifacts}}, date = {2020-12-15}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/}, language = {English}, urldate = {2020-12-16} } @online{lab:20210108:charming:c820ee6, author = {Certfa Lab}, title = {{Charming Kitten’s Christmas Gift}}, date = {2021-01-08}, organization = {Certfa}, url = {https://blog.certfa.com/posts/charming-kitten-christmas-gift/}, language = {English}, urldate = {2021-01-18} } @online{lab:20210126:undefeated:d5066ad, author = {Hunting Shadow Lab}, title = {{Undefeated, hackers use Visual Studio compiler features to target binary vulnerabilities security researcher}}, date = {2021-01-26}, organization = {Anheng Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/UBD0hyXUooYuDrpsz8-MtQ}, language = {Chinese}, urldate = {2021-01-27} } @online{lab:20210128:bazarloaders:ee499c8, author = {Hornetsecurity Security Lab}, title = {{BazarLoader’s Elaborate Flower Shop Lure}}, date = {2021-01-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/}, language = {English}, urldate = {2021-01-29} } @online{lab:20210128:emotet:863df45, author = {Hornetsecurity Security Lab}, title = {{Emotet Botnet Takedown}}, date = {2021-01-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/}, language = {English}, urldate = {2021-01-29} } @online{lab:20210210:windows:be9d863, author = {Hunting Shadow Lab}, title = {{Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack}}, date = {2021-02-10}, organization = {Anheng Threat Intelligence Center}, url = {https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/}, language = {English}, urldate = {2021-02-17} } @online{lab:20210215:ransomware:ca4ee32, author = {EmsiSoft Malware Lab}, title = {{Ransomware Profile: Egregor}}, date = {2021-02-15}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/}, language = {English}, urldate = {2021-02-20} } @online{lab:20210329:zloader:15eeb9b, author = {Hornetsecurity Security Lab}, title = {{Zloader email campaign using MHTML to download and decrypt XLS}}, date = {2021-03-29}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/}, language = {English}, urldate = {2021-03-31} } @online{lab:20210510:analysis:7cf4e42, author = {Hunting Shadow Lab}, title = {{Analysis of U.S. Oil Products Pipeline Operators Suspended by Ransomware Attacks}}, date = {2021-05-10}, organization = {Anheng Threat Intelligence Center}, url = {http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/}, language = {Chinese}, urldate = {2021-06-22} } @online{lab:20211116:comeback:7f2b540, author = {Security Lab}, title = {{Comeback of Emotet}}, date = {2021-11-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/comeback-emotet/}, language = {English}, urldate = {2021-11-25} } @online{lab:20220217:vmprotect:5459808, author = {Shh0ya Security Lab}, title = {{VMProtect Analysis 1.0: VMP Mutation Fix}}, date = {2022-02-17}, organization = {Github (shhoya)}, url = {https://shhoya.github.io/vmp_vmpmk.html}, language = {Korean}, urldate = {2022-02-18} } @techreport{lab:20220222:bvp47:0b9392d, author = {Pangu Lab}, title = {{Bvp47 - Top-tier Backdoor of US NSA Equation Group}}, date = {2022-02-22}, institution = {Pangu Lab}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf}, language = {English}, urldate = {2022-03-01} } @online{lab:20220223:bvp47:c8f2a2f, author = {Pangu Lab}, title = {{The Bvp47 - a Top-tier Backdoor of US NSA Equation Group}}, date = {2022-02-23}, organization = {Pangu Lab}, url = {https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/}, language = {English}, urldate = {2022-03-01} } @online{lab:20220317:analysis:90c9558, author = {NioGuard Security Lab}, title = {{Analysis of CaddyWiper}}, date = {2022-03-17}, organization = {NioGuard}, url = {https://www.nioguard.com/2022/03/analysis-of-caddywiper.html}, language = {English}, urldate = {2022-03-22} } @techreport{lab:20220411:bvp47:1265bad, author = {Pangu Lab}, title = {{Bvp47 Technical Details Report II}}, date = {2022-04-11}, institution = {Pangu Lab}, url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf}, language = {English}, urldate = {2022-09-19} } @online{lab:20220412:recent:2a11b0c, author = {360 Beacon Lab}, title = {{Recent attacks by Bahamut group revealed}}, date = {2022-04-12}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw}, language = {Chinese}, urldate = {2022-04-15} } @online{lab:20220824:dark:e9615d7, author = {Deep Instinct Threat Lab}, title = {{The Dark Side of Bumblebee Malware Loader}}, date = {2022-08-24}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader}, language = {English}, urldate = {2022-09-06} } @online{lab:20220908:charming:a4197b8, author = {Certfa Lab}, title = {{Charming Kitten: "Can We Have A Meeting?" Important puzzle pieces of Charming Kitten's cyber espionage operations}}, date = {2022-09-08}, organization = {Certfa}, url = {https://blog.certfa.com/posts/charming-kitten-can-we-wave-a-meeting/}, language = {English}, urldate = {2022-09-13} } @online{lab:20221011:russian:8fb06ac, author = {Deep Instinct Threat Lab}, title = {{The Russian SpyAgent – a Decade Later and RAT Tools Remain at Risk}}, date = {2022-10-11}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk}, language = {English}, urldate = {2022-10-14} } @online{lab:20221206:analysis:d045827, author = {360 Beacon Lab}, title = {{Analysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism}}, date = {2022-12-06}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w}, language = {Chinese}, urldate = {2022-12-24} } @online{lab:20230317:cve202323397:5746da0, author = {Deep Instinct Threat Lab}, title = {{CVE-2023-23397: Exploitations in the Wild – What You Need to Know}}, date = {2023-03-17}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/cve-2023-23397-exploitations-in-the-wild-what-you-need-to-know}, language = {English}, urldate = {2024-02-02} } @online{lab:20230510:bpfdoor:d22b474, author = {Deep Instinct Threat Lab}, title = {{BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game}}, date = {2023-05-10}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game}, language = {English}, urldate = {2023-05-11} } @online{lab:20240304:shadow:7d05823, author = {Hunting Shadow Lab}, title = {{Shadow Hunting: Analysis of APT37’s attack activities against South Korea using North Korean political topics}}, date = {2024-03-04}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247496455&idx=1&sn=0e3af7d734671a41c9d796e7f33b085d&chksm=f9ed9fb8ce9a16ae8e9714f116e0812994e0e3d13eb75d05182e623372fc5b979d70cf403f39&scene=178&cur_album_id=1375769135073951745}, language = {Chinese}, urldate = {2024-03-05} } @online{lab:20240313:risepro:2620d5d, author = {GDATA Security Lab}, title = {{RisePro stealer targets Github users in “gitgub” campaign}}, date = {2024-03-13}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github}, language = {English}, urldate = {2024-05-13} } @online{lab:20240807:cmoon:c425f7c, author = {Kaspersky Lab}, title = {{Новый червь CMoon распространяется через скомпрометированный сайт}}, date = {2024-08-07}, organization = {Kaspersky}, url = {https://securelist.ru/how-the-cmoon-worm-collects-data/109988/#}, language = {Russian}, urldate = {2024-09-23} } @online{laboratory:20210105:attack:828ee7a, author = {Clairvoyance Safety Laboratory}, title = {{Attack from Mustang Panda? My rabbit is back!}}, date = {2021-01-05}, organization = {Sangfor}, url = {https://www.4hou.com/posts/VoPM}, language = {Japanese}, urldate = {2021-01-10} } @online{laboratory:20210105:red:9ddfb7a, author = {Clairvoyance Safety Laboratory}, title = {{Red team's perspective on the TTPs in Sunburst's backdoor}}, date = {2021-01-05}, organization = {Sangfor}, url = {https://www.4hou.com/posts/KzZR}, language = {Chinese}, urldate = {2021-01-11} } @online{laboratory:20210129:stumbzarusaptlazarus:4d0bf52, author = {Fuying Laboratory}, title = {{认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析}}, date = {2021-01-29}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/stumbzarus-apt-lazarus/}, language = {Chinese}, urldate = {2023-08-03} } @online{laboratory:20210611:nigerian:201d2fa, author = {Fuying Laboratory}, title = {{Nigerian Hacker Organization SWEED is Distributing Phishing Documents Targeting the Logistics Industry}}, date = {2021-06-11}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/sweed-611/}, language = {Chinese}, urldate = {2021-06-16} } @online{laboratory:20210615:pjobrat:df97e9c, author = {360 Fiberhome Laboratory}, title = {{PJobRAT: Spyware targeting Indian military personnel}}, date = {2021-06-15}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ}, language = {Chinese}, urldate = {2021-06-21} } @online{laboratory:20210618:ryuk:2330d16, author = {Fuying Laboratory}, title = {{Ryuk Botnet, Simps Botnet, Gods of Destny Botnet}}, date = {2021-06-18}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/ryuk-botnet/}, language = {Chinese}, urldate = {2021-06-22} } @online{laboratory:20221228:analysis:138e703, author = {Fuying Laboratory}, title = {{Analysis of Cyber Attacks by APT Organization Confucius Against IBO Anti-Terrorism Operations in Pakistan}}, date = {2022-12-28}, organization = {NSFOCUS}, url = {https://blog.nsfocus.net/aptconfuciuspakistanibo/}, language = {Chinese}, urldate = {2023-11-17} } @online{labs:20071022:malwareentwicklung:8050999, author = {Kaspersky Labs}, title = {{Malware-Entwicklung im ersten Halbjahr 2007}}, date = {2007-10-22}, organization = {Kaspersky Labs}, url = {https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/}, language = {German}, urldate = {2020-03-19} } @online{labs:2009:kaspersky:546f640, author = {Kaspersky Labs}, title = {{Kaspersky Lab analyses new version of Kido (Conficker)}}, date = {2009}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker}, language = {English}, urldate = {2019-11-25} } @online{labs:20100107:lethic:a2a617b, author = {M86 Security Labs}, title = {{Lethic}}, date = {2010-01-07}, organization = {M86 Security Labs}, url = {https://web.archive.org/web/20101031045748/http://www.m86security.com/labs/spambotitem.asp?article=1205}, language = {English}, urldate = {2025-03-21} } @online{labs:20101025:businesses:684dcbd, author = {RSA FraudAction Research Labs}, title = {{Businesses Beware: Qakbot Spreads like a Worm, Stings like a Trojan}}, date = {2010-10-25}, organization = {RSA}, url = {https://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/}, language = {English}, urldate = {2023-08-30} } @online{labs:20140417:quick:6a0fa31, author = {Nettitude Labs}, title = {{A quick analysis of the latest Shadow Brokers dump}}, date = {2014-04-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/}, language = {English}, urldate = {2019-12-19} } @techreport{labs:20140703:cosmicduke:dbbee08, author = {F-Secure Labs}, title = {{COSMICDUKE: Cosmu with a twist of MiniDuke}}, date = {2014-07-03}, institution = {F-Secure}, url = {https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf}, language = {English}, urldate = {2022-09-20} } @online{labs:20140904:pitou:211eac4, author = {F-Secure Labs}, title = {{PITOU: The "silent" resurrection of the notorious Srizbi kernel spambot}}, date = {2014-09-04}, organization = {F-Secure}, url = {http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf}, language = {English}, urldate = {2021-09-09} } @online{labs:20141114:onionduke:dc56d5c, author = {F-Secure Labs}, title = {{OnionDuke: APT Attacks Via the Tor Network}}, date = {2014-11-14}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002764.html}, language = {English}, urldate = {2020-01-09} } @online{labs:20150304:you:edeb053, author = {BriMor Labs}, title = {{And you get a POS malware name...and you get a POS malware name....and you get a POS malware name....}}, date = {2015-03-04}, organization = {BriMor Labs}, url = {https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html}, language = {English}, urldate = {2019-11-29} } @online{labs:20150805:whos:972f567, author = {Malwarebytes Labs}, title = {{Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets}}, date = {2015-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/}, language = {English}, urldate = {2019-12-20} } @online{labs:20150917:dukes:767fbef, author = {F-Secure Labs}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/}, language = {English}, urldate = {2020-01-13} } @techreport{labs:201509:dukes:035f864, author = {F-Secure Labs}, title = {{The Dukes - 7 Years of Russian Cyberespionage}}, date = {2015-09}, institution = {F-Secure}, url = {https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf}, language = {English}, urldate = {2022-10-20} } @online{labs:20160318:teslacrypt:5c7daff, author = {Malwarebytes Labs}, title = {{Teslacrypt Spam Campaign: “Unpaid Issue…”}}, date = {2016-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160401:petya:b3dfd23, author = {Malwarebytes Labs}, title = {{Petya – Taking Ransomware To The Low Level}}, date = {2016-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160714:untangling:c16cc34, author = {Malwarebytes Labs}, title = {{Untangling Kovter’s persistence methods}}, date = {2016-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160718:third:4b06b46, author = {Malwarebytes Labs}, title = {{Third time (un)lucky – improved Petya is out}}, date = {2016-07-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/}, language = {English}, urldate = {2019-12-20} } @techreport{labs:20160805:nanhaishu:cee830d, author = {F-Secure Labs}, title = {{NANHAISHU: RATing the South China Sea}}, date = {2016-08-05}, institution = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf}, language = {English}, urldate = {2020-01-13} } @online{labs:20160805:smoke:afada56, author = {Malwarebytes Labs}, title = {{Smoke Loader – downloader with a smokescreen still alive}}, date = {2016-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160815:shakti:e11f9b7, author = {Malwarebytes Labs}, title = {{Shakti Trojan: Document Thief}}, date = {2016-08-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160825:unpacking:66173f5, author = {Malwarebytes Labs}, title = {{Unpacking the spyware disguised as antivirus}}, date = {2016-08-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/}, language = {English}, urldate = {2019-12-20} } @online{labs:201608:shakti:2c08a62, author = {Malwarebytes Labs}, title = {{Shakti Trojan: Technical Analysis}}, date = {2016-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/}, language = {English}, urldate = {2019-12-19} } @online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161110:floki:cb97f8d, author = {Malwarebytes Labs}, title = {{Floki Bot and the stealthy dropper}}, date = {2016-11-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161121:princesslocker:9a8ec57, author = {Malwarebytes Labs}, title = {{PrincessLocker – ransomware with not so royal encryption}}, date = {2016-11-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161215:goldeneye:234318b, author = {Malwarebytes Labs}, title = {{Goldeneye Ransomware – the Petya/Mischa combo rebranded}}, date = {2016-12-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170126:zbot:b625eef, author = {Malwarebytes Labs}, title = {{Zbot with legitimate applications on board}}, date = {2017-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170131:locky:92db484, author = {Malwarebytes Labs}, title = {{Locky Bart ransomware and backend server analysis}}, date = {2017-01-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170227:new:e13a158, author = {Malwarebytes Labs}, title = {{New Neutrino Bot comes in a protective loader}}, date = {2017-02-27}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170310:explained:4186cb4, author = {Malwarebytes Labs}, title = {{Explained: Spora ransomware}}, date = {2017-03-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170315:vaccinating:751a95c, author = {Minerva Labs}, title = {{Vaccinating against Spora ransomware: a proof-of-concept tool by Minerva}}, date = {2017-03-15}, organization = {Github (MinervaLabsResearch)}, url = {https://github.com/MinervaLabsResearch/SporaVaccination}, language = {English}, urldate = {2019-10-23} } @online{labs:20170317:diamond:67bf9e6, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 1: introduction and unpacking}}, date = {2017-03-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170329:explained:dc19964, author = {Malwarebytes Labs}, title = {{Explained: Sage ransomware}}, date = {2017-03-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170406:diamond:5788882, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 2: let’s dive in the code}}, date = {2017-04-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170413:callisto:3bf4157, author = {F-Secure Labs}, title = {{Callisto Group}}, date = {2017-04-13}, organization = {F-Secure}, url = {https://web.archive.org/web/20170417102235/https://www.f-secure.com/documents/996508/1030745/callisto-group}, language = {English}, urldate = {2023-10-05} } @online{labs:20170421:elusive:3f45f0e, author = {Malwarebytes Labs}, title = {{Elusive Moker Trojan is back}}, date = {2017-04-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/}, language = {English}, urldate = {2019-12-20} } @techreport{labs:201704:callisto:5e97cb4, author = {F-Secure Labs}, title = {{CALLISTO GROUP}}, date = {2017-04}, institution = {F-Secure}, url = {https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf}, language = {English}, urldate = {2022-03-31} } @online{labs:20170629:eternalpetya:bdd5896, author = {Malwarebytes Labs}, title = {{EternalPetya and the lost Salsa20 key}}, date = {2017-06-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170630:eternalpetya:122fb36, author = {Malwarebytes Labs}, title = {{EternalPetya – yet another stolen piece in the package?}}, date = {2017-06-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170712:net:7efe3ac, author = {Malwarebytes Labs}, title = {{A .NET malware abusing legitimate ffmpeg}}, date = {2017-07-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170714:keeping:0759a8b, author = {Malwarebytes Labs}, title = {{Keeping up with the Petyas: Demystifying the malware family}}, date = {2017-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170724:bye:ffc2434, author = {Malwarebytes Labs}, title = {{Bye, bye Petya! Decryptor for old versions released.}}, date = {2017-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/}, language = {English}, urldate = {2019-12-20} } @online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } @online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170818:inside:f145bae, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 1}}, date = {2017-08-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170829:inside:a4e7a99, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 2}}, date = {2017-08-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170926:elaborate:bed9adc, author = {Malwarebytes Labs}, title = {{Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity}}, date = {2017-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/}, language = {English}, urldate = {2019-12-20} } @online{labs:20171018:magniber:2ae5250, author = {Malwarebytes Labs}, title = {{Magniber ransomware: exclusively for South Koreans}}, date = {2017-10-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/}, language = {English}, urldate = {2019-12-20} } @online{labs:20171113:match:b967fde, author = {Obscurity Labs}, title = {{Match Made In The Shadows: Part [3]}}, date = {2017-11-13}, organization = {Obscurity Labs}, url = {https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/}, language = {English}, urldate = {2020-05-07} } @online{labs:20171228:pandazeuss:0d9ab97, author = {Spamhaus Malware Labs}, title = {{PandaZeuS’s Christmas Gift: Change in the Encryption scheme}}, date = {2017-12-28}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/771/}, language = {English}, urldate = {2020-01-05} } @online{labs:20180130:gandcrab:86c30cb, author = {Malwarebytes Labs}, title = {{GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)}}, date = {2018-01-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{labs:20180328:indepth:574e8fd, author = {Malwarebytes Labs}, title = {{An in-depth malware analysis of QuantLoader}}, date = {2018-03-28}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/}, language = {English}, urldate = {2019-12-20} } @online{labs:20180416:smoke:b91b833, author = {Spamhaus Malware Labs}, title = {{Smoke Loader malware improves after Microsoft spoils its Campaign}}, date = {2018-04-16}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign}, language = {English}, urldate = {2020-01-08} } @online{labs:20181115:mylobot:4f8ccb3, author = {LabsBlack Lotus Labs}, title = {{Mylobot Continues Global Infections}}, date = {2018-11-15}, organization = {Centurylink}, url = {https://blog.centurylink.com/mylobot-continues-global-infections/}, language = {English}, urldate = {2019-12-24} } @online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } @online{labs:20190131:new:2305ded, author = {Black Lotus Labs}, title = {{A New Phase Of TheMoon}}, date = {2019-01-31}, organization = {Lumen}, url = {https://blog.lumen.com/a-new-phase-of-themoon/}, language = {English}, urldate = {2024-03-28} } @online{labs:20190311:attackers:013804a, author = {Minerva Labs}, title = {{Attackers Insert Themselves into the Email Conversation to Spread Malware}}, date = {2019-03-11}, organization = {Minerva}, url = {https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware}, language = {English}, urldate = {2020-01-08} } @online{labs:20190327:emotet:388559f, author = {Spamhaus Malware Labs}, title = {{Emotet adds a further layer of camouflage}}, date = {2019-03-27}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage}, language = {English}, urldate = {2020-01-06} } @online{labs:20190409:say:9be09c3, author = {Malwarebytes Labs}, title = {{Say hello to Baldr, a new stealer on the market}}, date = {2019-04-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/}, language = {English}, urldate = {2019-12-20} } @online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } @online{labs:20190509:deflect:070aad4, author = {Deflect Labs}, title = {{Deflect Labs Report #6: Phishing and Web Attacks Targeting Uzbek Human Right Activists and Independent Media}}, date = {2019-05-09}, organization = {eQualitie}, url = {https://equalit.ie/deflect-labs-report-6/}, language = {English}, urldate = {2022-10-06} } @online{labs:20191002:mcafee:1a04182, author = {McAfee Labs}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us}}, date = {2019-10-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/}, language = {English}, urldate = {2019-12-22} } @online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } @online{labs:20200125:indonesian:1f0de05, author = {Sanguine Labs}, title = {{Indonesian Magecart hackers arrested}}, date = {2020-01-25}, organization = {Sanguine Security}, url = {https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/}, language = {English}, urldate = {2020-01-27} } @online{labs:20200324:new:88d7b1d, author = {Avira Protection Labs}, title = {{A new technique to analyze FormBook malware infections}}, date = {2020-03-24}, organization = {Avira}, url = {https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/}, language = {English}, urldate = {2020-04-01} } @online{labs:20200328:indepth:9049cf2, author = {Avira Protection Labs}, title = {{In-depth analysis of a Cerberus trojan variant}}, date = {2020-03-28}, organization = {Avira}, url = {https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/}, language = {English}, urldate = {2020-04-01} } @online{labs:20200413:new:f16a8b5, author = {Black Lotus Labs}, title = {{New Mozi Malware Family Quietly Amasses IoT Bots}}, date = {2020-04-13}, organization = {Centurylink}, url = {https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/}, language = {English}, urldate = {2020-04-26} } @online{labs:20200520:unloading:ae230f0, author = {VIPRE Labs}, title = {{Unloading the GuLoader}}, date = {2020-05-20}, organization = {VIPRE}, url = {https://labs.vipre.com/unloading-the-guloader/}, language = {English}, urldate = {2021-01-10} } @techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } @online{labs:20200623:new:8b4b4e3, author = {Avira Protection Labs}, title = {{New Mirai variant Aisuru detects Cowrie opensource honeypots}}, date = {2020-06-23}, organization = {Avira}, url = {https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/}, language = {English}, urldate = {2020-06-24} } @online{labs:20200701:alina:1c5d0e8, author = {Black Lotus Labs}, title = {{Alina Point of Sale Malware Still Lurking in DNS}}, date = {2020-07-01}, organization = {Centurylink}, url = {https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/}, language = {English}, urldate = {2020-07-06} } @online{labs:20200729:operation:e4abd0a, author = {McAfee Labs}, title = {{Operation (노스 스타) North Star A Job Offer That’s Too Good to be True?}}, date = {2020-07-29}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/}, language = {English}, urldate = {2023-07-31} } @online{labs:20200730:dissecting:f58344d, author = {WILDFIRE LABS}, title = {{Dissecting Ragnar Locker: The Case Of EDP}}, date = {2020-07-30}, organization = {WILDIRE LABS}, url = {https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/}, language = {English}, urldate = {2020-11-09} } @techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } @online{labs:20200813:matiex:d134dfd, author = {K7 Labs}, title = {{Matiex on Sale Underground}}, date = {2020-08-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/matiex-on-sale-underground/}, language = {English}, urldate = {2022-07-01} } @online{labs:20200818:lazarus:f2dadaa, author = {F-Secure Labs}, title = {{Lazarus Group: Campaign Targeting the Cryptocurrency Vertical}}, date = {2020-08-18}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical/}, language = {English}, urldate = {2020-08-27} } @online{labs:20201002:appgate:f0b069c, author = {AppGate Labs}, title = {{Appgate Labs Analyzes New Family Of Ransomware - Egregor}}, date = {2020-10-02}, organization = {AppGate}, url = {https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor}, language = {English}, urldate = {2020-10-05} } @online{labs:20201003:ta505:b03fbee, author = {Avira Protection Labs}, title = {{TA505 targets the Americas in a new campaign}}, date = {2020-10-03}, organization = {Avira}, url = {https://insights.oem.avira.com/ta505-apt-group-targets-americas/}, language = {English}, urldate = {2020-10-05} } @online{labs:20201006:ta505:70566d9, author = {Avira Protection Labs}, title = {{TA505 targets the Americas in a new campaign}}, date = {2020-10-06}, organization = {Avira}, url = {https://www.avira.com/en/blog/ta505-apt-group-targets-americas}, language = {English}, urldate = {2020-12-08} } @online{labs:20201012:look:7b422f7, author = {Black Lotus Labs}, title = {{A Look Inside The TrickBot Botnet}}, date = {2020-10-12}, organization = {Lumen}, url = {https://blog.lumen.com/a-look-inside-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-12} } @online{labs:20201020:katana:4dc0a7b, author = {Avira Protection Labs}, title = {{Katana: a new variant of the Mirai botnet}}, date = {2020-10-20}, organization = {Avira}, url = {https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet}, language = {English}, urldate = {2020-10-23} } @techreport{labs:20201029:mcafee:84eed4e, author = {McAfee Labs}, title = {{McAfee Labs Threat Advisory Ransom-Ryuk}}, date = {2020-10-29}, institution = {McAfee}, url = {https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf}, language = {English}, urldate = {2020-11-02} } @online{labs:20201105:attack:4efe608, author = {WILDFIRE LABS}, title = {{Attack of the clones: Git clients remote code execution}}, date = {2020-11-05}, organization = {WILDFIRE LABS}, url = {https://blog.blazeinfosec.com/attack-of-the-clones-github-desktop-remote-code-execution/}, language = {English}, urldate = {2020-11-09} } @online{labs:20201111:wroba:86e0d42, author = {Avira Protection Labs}, title = {{Wroba Android banking trojan targets Japan}}, date = {2020-11-11}, organization = {Avira}, url = {https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan}, language = {English}, urldate = {2021-02-09} } @online{labs:20201118:android:2ab0b44, author = {Stratosphere Labs}, title = {{Android Mischief Dataset}}, date = {2020-11-18}, organization = {Stratosphere Laboratory}, url = {https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset}, language = {English}, urldate = {2024-01-31} } @online{labs:20201207:gafgyt:62e7155, author = {Avira Protection Labs}, title = {{A Gafgyt variant that exploits Pulse Secure CVE-2020-8218}}, date = {2020-12-07}, organization = {Avira}, url = {https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218}, language = {English}, urldate = {2020-12-09} } @online{labs:20201224:dark:302e061, author = {K7 Labs and Partheeban J}, title = {{Dark Side Of BlackNET RAT}}, date = {2020-12-24}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21365}, language = {English}, urldate = {2020-12-26} } @online{labs:20210105:teamtnt:8508ba0, author = {Lacework Labs}, title = {{TeamTNT Builds Botnet from Chinese Cloud Servers}}, date = {2021-01-05}, organization = {Lacework Labs}, url = {https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/}, language = {English}, urldate = {2021-03-12} } @online{labs:20210208:after:3e97412, author = {Safebreach Labs and Checkpoint Research}, title = {{After Lightning Comes Thunder}}, date = {2021-02-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/after-lightning-comes-thunder/}, language = {English}, urldate = {2021-02-09} } @online{labs:20210225:preventing:c968dbc, author = {Minerva Labs}, title = {{Preventing AgentTelsa Infiltration}}, date = {2021-02-25}, organization = {Minerva}, url = {https://blog.minerva-labs.com/preventing-agenttesla}, language = {English}, urldate = {2021-02-25} } @online{labs:20210303:mass:a0ef74d, author = {Huntress Labs}, title = {{Mass exploitation of on-prem Exchange servers :(}}, date = {2021-03-03}, organization = {Huntress Labs}, url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers}, language = {English}, urldate = {2021-03-10} } @online{labs:20210304:operation:1187712, author = {Huntress Labs}, title = {{Operation Exchange Marauder}}, date = {2021-03-04}, organization = {Huntress Labs}, url = {https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4}, language = {English}, urldate = {2021-03-06} } @techreport{labs:20210305:operation:1248e05, author = {Huntress Labs}, title = {{Operation Exchange Marauder}}, date = {2021-03-05}, institution = {Huntress Labs}, url = {https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf}, language = {English}, urldate = {2021-03-06} } @online{labs:20210318:buer:bbd7d97, author = {VIPRE Labs}, title = {{Buer Loader Found in an Unusual Email Attachment}}, date = {2021-03-18}, organization = {VIPRE}, url = {https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/}, language = {English}, urldate = {2022-04-20} } @online{labs:20210325:perkiler:3733a75, author = {Malwarebytes Labs}, title = {{Perkiler malware turns to SMB brute force to spread}}, date = {2021-03-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/}, language = {English}, urldate = {2021-03-30} } @techreport{labs:20210330:attack:1d19df0, author = {F-Secure Labs}, title = {{Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks}}, date = {2021-03-30}, institution = {F-Secure}, url = {https://blog-assets.f-secure.com/wp-content/uploads/2021/03/30120359/attack-landscape-update-h1-2021.pdf}, language = {English}, urldate = {2021-03-31} } @techreport{labs:202103:edge:e5ed3f7, author = {TWO SIX LABS}, title = {{Edge of the Art in Vulnerability Research}}, date = {2021-03}, institution = {AIR FORCE RESEARCH LABORATORY INFORMATION DIRECTORATE}, url = {https://apps.dtic.mil/sti/pdfs/AD1126216.pdf}, language = {English}, urldate = {2021-06-16} } @online{labs:20210407:icedid:d178d16, author = {Minerva Labs}, title = {{IcedID - A New Threat In Office Attachments}}, date = {2021-04-07}, organization = {Minerva}, url = {https://blog.minerva-labs.com/icedid-maas}, language = {English}, urldate = {2021-04-09} } @online{labs:20210407:threat:d965e73, author = {Nozomi Networks Labs}, title = {{Threat Intelligence: Analysis of the SBIDIOT IoT Malware}}, date = {2021-04-07}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/}, language = {English}, urldate = {2021-10-24} } @online{labs:20210413:moobot:6449696, author = {Alien Labs}, title = {{Moobot updates its infrastructure and targets vulnerable Tenda routers}}, date = {2021-04-13}, organization = {AlienLabs}, url = {https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b}, language = {English}, urldate = {2021-04-14} } @online{labs:20210422:lunar:b350736, author = {ET Labs}, title = {{Tweet on Lunar Builder exfiltrating data via Discord webhook}}, date = {2021-04-22}, organization = {Twitter (@ET_Labs)}, url = {https://twitter.com/ET_Labs/status/1385351516664389633}, language = {English}, urldate = {2021-05-25} } @techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } @online{labs:20210422:sysrvhello:0caeeb1, author = {Lacework Labs}, title = {{Sysrv-Hello Expands Infrastructure}}, date = {2021-04-22}, url = {https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/}, language = {English}, urldate = {2022-05-31} } @online{labs:20210427:redline:f60a1c6, author = {Minerva Labs}, title = {{RedLine Stealer Masquerades as Telegram Installer}}, date = {2021-04-27}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer}, language = {English}, urldate = {2021-05-04} } @online{labs:20210525:taking:101064a, author = {Lacework Labs}, title = {{Taking TeamTNT’s Docker Images Offline}}, date = {2021-05-25}, organization = {lacework}, url = {https://www.lacework.com/taking-teamtnt-docker-images-offline/}, language = {English}, urldate = {2021-06-16} } @online{labs:20210621:darkside:9f1da07, author = {AT&T Alien Labs}, title = {{Darkside RaaS in Linux version}}, date = {2021-06-21}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9}, language = {English}, urldate = {2021-06-22} } @online{labs:20210621:sload:523f242, author = {Minerva Labs}, title = {{Sload Targeting Europe Again}}, date = {2021-06-21}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/sload-targeting-europe-again}, language = {English}, urldate = {2021-06-22} } @online{labs:20210622:suspected:b50b23e, author = {Black Lotus Labs}, title = {{Suspected Pakistani Actor Compromises Indian Power Company with New ReverseRat}}, date = {2021-06-22}, organization = {Lumen}, url = {https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/}, language = {English}, urldate = {2021-12-15} } @online{labs:20210702:crticial:5dd39d2, author = {Huntress Labs}, title = {{Crticial Ransomware Incident in Progress}}, date = {2021-07-02}, organization = {Huntress Labs}, url = {https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/}, language = {English}, urldate = {2021-07-24} } @online{labs:20210707:crackonosh:e1190c0, author = {Minerva Labs}, title = {{Crackonosh - The Hidden Crypto Mining Malware}}, date = {2021-07-07}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/crackonosh-the-hidden-crypto-mining-malware}, language = {English}, urldate = {2021-09-12} } @techreport{labs:20210707:ryuk:ee88024, author = {McAfee Labs}, title = {{Ryuk Ransomware Now Targeting Webservers}}, date = {2021-07-07}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf}, language = {English}, urldate = {2021-07-11} } @online{labs:20210708:hancitor:b015f59, author = {McAfee Labs}, title = {{Hancitor Making Use of Cookies to Prevent URL Scraping}}, date = {2021-07-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping}, language = {English}, urldate = {2022-04-20} } @online{labs:20210722:taurus:1c48969, author = {Minerva Labs}, title = {{Taurus Loader: User-Guided Infection}}, date = {2021-07-22}, organization = {Minerva}, url = {https://blog.minerva-labs.com/taurus-user-guided-infection}, language = {English}, urldate = {2021-07-26} } @online{labs:20210805:trystero:69ae6fb, author = {InQuest Labs}, title = {{The Trystero Project}}, date = {2021-08-05}, organization = {InQuest}, url = {https://labs.inquest.net/trystero}, language = {English}, urldate = {2021-08-09} } @online{labs:20210809:thwarting:cff4148, author = {Minerva Labs}, title = {{Thwarting Jupyter Stealer}}, date = {2021-08-09}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer}, language = {English}, urldate = {2021-12-17} } @online{labs:20210811:reverserat:f7b36de, author = {Black Lotus Labs}, title = {{ReverseRat Reemerges With A (Night)Fury New Campaign And New Developments, Same Familiar Side-Actor}}, date = {2021-08-11}, organization = {Lumen}, url = {https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/}, language = {English}, urldate = {2022-01-25} } @online{labs:20210826:become:f38fe74, author = {Minerva Labs}, title = {{Become A VIP Victim With New Discord Distributed Malware}}, date = {2021-08-26}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware}, language = {English}, urldate = {2021-09-12} } @online{labs:20210827:proxyshell:a4650f1, author = {Morphisec Labs}, title = {{ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors}}, date = {2021-08-27}, organization = {Morphisec}, url = {https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors}, language = {English}, urldate = {2021-08-31} } @online{labs:20210831:blackmatter:26abef6, author = {Minerva Labs}, title = {{BlackMatter - The New Star Of Ransomware}}, date = {2021-08-31}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/blackmatter}, language = {English}, urldate = {2021-09-12} } @online{labs:20210831:cobalt:47e2c20, author = {BreakPoint Labs}, title = {{Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign}}, date = {2021-08-31}, organization = {BreakPoint Labs}, url = {https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/}, language = {English}, urldate = {2021-09-23} } @online{labs:20210908:muhstik:f7875d9, author = {Lacework Labs}, title = {{Muhstik Takes Aim at Confluence CVE 2021-26084}}, date = {2021-09-08}, organization = {lacework}, url = {https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/}, language = {English}, urldate = {2021-09-12} } @online{labs:20210909:pysa:3115858, author = {Lacework Labs}, title = {{PYSA Ransomware Gang adds Linux Support}}, date = {2021-09-09}, organization = {Lacework Labs}, url = {https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/}, language = {English}, urldate = {2021-09-10} } @online{labs:20210916:no:7a40fbb, author = {Black Lotus Labs}, title = {{No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders}}, date = {2021-09-16}, organization = {Lumen}, url = {https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/}, language = {English}, urldate = {2022-01-25} } @online{labs:20210921:blackmatter:61b1b27, author = {Nozomi Networks Labs}, title = {{BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs}}, date = {2021-09-21}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/}, language = {English}, urldate = {2021-09-24} } @online{labs:20210923:vidar:36d9ecf, author = {Minerva Labs}, title = {{Vidar Stealer Evasion Arsenal}}, date = {2021-09-23}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal}, language = {English}, urldate = {2021-10-05} } @techreport{labs:20210930:ghostemperors:7e9a06a, author = {Kaspersky Labs}, title = {{GhostEmperor’s infection chain and post-exploitation toolset: technical detail}}, date = {2021-09-30}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf}, language = {English}, urldate = {2024-10-21} } @online{labs:20210930:mirai:014ab03, author = {Lacework Labs}, title = {{Mirai goes Stealth – TLS & IoT Malware}}, date = {2021-09-30}, organization = {lacework}, url = {https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/}, language = {English}, urldate = {2021-10-11} } @online{labs:20211013:spytech:1e11e26, author = {Lacework Labs}, title = {{“Spytech Necro” – Keksec’s Latest Python Malware}}, date = {2021-10-13}, organization = {lacework}, url = {https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/}, language = {English}, urldate = {2021-10-25} } @online{labs:20211015:memory:53ea6d8, author = {Volatility Labs}, title = {{Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack}}, date = {2021-10-15}, organization = {Volatility Labs}, url = {https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html}, language = {English}, urldate = {2021-11-17} } @techreport{labs:20211018:operation:9612cbf, author = {Norton Labs}, title = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}}, date = {2021-10-18}, institution = {NortonLifeLock}, url = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf}, language = {English}, urldate = {2021-12-15} } @online{labs:20211025:teamtnt:61b4157, author = {Lacework Labs}, title = {{TeamTNT Continues to Target Exposed Docker API}}, date = {2021-10-25}, organization = {lacework}, url = {https://www.lacework.com/blog/teamtnt-continues-to-target-exposed-docker-api/}, language = {English}, urldate = {2021-11-03} } @online{labs:20211109:new:411a8fd, author = {Minerva Labs}, title = {{A New DatopLoader Delivers QakBot Trojan}}, date = {2021-11-09}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan}, language = {English}, urldate = {2021-11-17} } @online{labs:20211202:abc:84ea824, author = {Lacework Labs}, title = {{ABC Botnet Attacks on the Rise}}, date = {2021-12-02}, organization = {lacework}, url = {https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/}, language = {English}, urldate = {2021-12-06} } @online{labs:20211203:trickbot:9dd4feb, author = {GoSecure Titan Labs}, title = {{TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?}}, date = {2021-12-03}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/}, language = {English}, urldate = {2022-02-26} } @techreport{labs:20220120:spamhaus:2739e3a, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q4 2021}}, date = {2022-01-20}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2022/01/2021-Q4-Botnet-Threat-Update.pdf}, language = {English}, urldate = {2022-01-24} } @online{labs:20220128:log4j:ee487ec, author = {Morphisec Labs}, title = {{Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk}}, date = {2022-01-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications}, language = {English}, urldate = {2022-02-02} } @online{labs:20220210:malicious:73085b5, author = {GoSecure Titan Labs}, title = {{Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading}}, date = {2022-02-10}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/}, language = {English}, urldate = {2022-03-02} } @online{labs:20220301:how:a8606f9, author = {Nozomi Networks Labs}, title = {{How IoT Botnets Evade Detection and Analysis}}, date = {2022-03-01}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/}, language = {English}, urldate = {2022-03-07} } @online{labs:20220302:conti:52c16db, author = {CyberArk Labs}, title = {{Conti Group Leaked!}}, date = {2022-03-02}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked}, language = {English}, urldate = {2022-03-03} } @online{labs:20220308:what:c99735b, author = {Black Lotus Labs}, title = {{What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets}}, date = {2022-03-08}, organization = {Lumen}, url = {https://blog.lumen.com/emotet-redux/}, language = {English}, urldate = {2022-03-10} } @online{labs:20220312:quick:ef9cb00, author = {ET Labs}, title = {{A quick thread examining the network artifacts of the HermeticWizard spreading}}, date = {2022-03-12}, organization = {Twitter (@ET_Labs)}, url = {https://twitter.com/ET_Labs/status/1502494650640351236}, language = {English}, urldate = {2022-03-28} } @online{labs:202203:detecting:6136462, author = {Securonix Threat Labs}, title = {{Detecting the EnemyBot Botnet – Securonix Initial Coverage Advisory}}, date = {2022-03}, organization = {Securonix}, url = {https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory}, language = {English}, urldate = {2022-04-07} } @online{labs:20220406:trm:84a2174, author = {TRM Labs}, title = {{TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider}}, date = {2022-04-06}, organization = {TRM Labs}, url = {https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider}, language = {English}, urldate = {2022-05-05} } @online{labs:20220418:new:5cad966, author = {Nozomi Networks Labs}, title = {{New BotenaGo Variant Discovered by Nozomi Networks Labs}}, date = {2022-04-18}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/}, language = {English}, urldate = {2022-04-20} } @online{labs:20220421:analysis:3074750, author = {Vedere Labs}, title = {{Analysis of an ALPHV incident}}, date = {2022-04-21}, organization = {Forescout}, url = {https://www.forescout.com/resources/analysis-of-an-alphv-incident}, language = {English}, urldate = {2022-04-24} } @online{labs:20220425:new:7b1c795, author = {Morphisec Labs}, title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}}, date = {2022-04-25}, organization = {Morphisec}, url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor}, language = {English}, urldate = {2022-04-29} } @online{labs:20220427:industroyer2:a037c0d, author = {Nozomi Networks Labs}, title = {{Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload}}, date = {2022-04-27}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/}, language = {English}, urldate = {2022-04-29} } @online{labs:20220506:rebranded:5c7bea5, author = {Cyble Research Labs}, title = {{Rebranded Babuk Ransomware In Action: DarkAngels Ransomware Performs Targeted Attack}}, date = {2022-05-06}, organization = {cyble}, url = {https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/}, language = {English}, urldate = {2022-05-11} } @online{labs:20220512:closer:049ae54, author = {Cyble Research Labs}, title = {{A Closer Look At Eternity Malware: Threat Actors Leveraging Telegram To Build Malware}}, date = {2022-05-12}, organization = {cyble}, url = {https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/}, language = {English}, urldate = {2022-05-25} } @online{labs:20220525:ermac:57e992b, author = {Cyble Research Labs}, title = {{ERMAC Back In Action: Latest Version Of Android Banking Trojan Targets Over 400 Applications}}, date = {2022-05-25}, organization = {cyble}, url = {https://blog.cyble.com/2022/05/25/ermac-back-in-action/}, language = {English}, urldate = {2022-05-29} } @online{labs:20220601:hazard:ae4579d, author = {Cyble Research Labs}, title = {{Hazard Token Grabber: Upgraded Version Of Stealer Targeting Discord Users}}, date = {2022-06-01}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/01/hazard-token-grabber/}, language = {English}, urldate = {2022-06-02} } @online{labs:20220613:hydra:b8c7a23, author = {Cyble Research Labs}, title = {{Hydra Android Malware Distributed Via Play Store}}, date = {2022-06-13}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/}, language = {English}, urldate = {2022-06-15} } @online{labs:20220623:matanbuchus:45ed604, author = {Cyble Research Labs}, title = {{Matanbuchus Loader Resurfaces}}, date = {2022-06-23}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/}, language = {English}, urldate = {2022-08-15} } @online{labs:20220628:zuorat:f60583e, author = {Black Lotus Labs}, title = {{ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks}}, date = {2022-06-28}, organization = {Lumen}, url = {https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/}, language = {English}, urldate = {2022-06-30} } @online{labs:20220629:bahamut:2a1b786, author = {Cyble Research Labs}, title = {{Bahamut Android Malware Returns With New Spying Capabilities}}, date = {2022-06-29}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/}, language = {English}, urldate = {2022-07-05} } @online{labs:20220630:pennywise:f83ef14, author = {Cyble Research Labs}, title = {{PennyWise Stealer: An Evasive Infostealer Leveraging YouTube To Infect Users}}, date = {2022-06-30}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/30/infostealer/}, language = {English}, urldate = {2022-07-05} } @online{labs:20220705:lockbit:3ff51ed, author = {Cyble Research Labs}, title = {{Lockbit 3.0 – Ransomware Group Launches New Version}}, date = {2022-07-05}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/}, language = {English}, urldate = {2022-07-13} } @online{labs:20220707:nomercy:f13d4c1, author = {Cyble Research Labs}, title = {{NoMercy Stealer Adding New Features: New Stealer Rapidly Evolving Into Clipper Malware}}, date = {2022-07-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/}, language = {English}, urldate = {2022-07-12} } @online{labs:20220712:new:4cf4a94, author = {Cyble Research Labs}, title = {{New Ransomware Groups On The Rise: “RedAlert,” LILITH And 0mega Leading A Wave Of Ransomware Campaigns}}, date = {2022-07-12}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/}, language = {English}, urldate = {2022-07-14} } @online{labs:20220718:ransomware:69b4e95, author = {FortiGuard Labs}, title = {{Ransomware Roundup: Protecting Against New Variants}}, date = {2022-07-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants}, language = {English}, urldate = {2022-07-25} } @online{labs:20220727:targeted:aa69498, author = {Cyble Research Labs}, title = {{Targeted Attacks Being Carried Out Via DLL SideLoading}}, date = {2022-07-27}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/}, language = {English}, urldate = {2022-08-15} } @online{labs:20220802:fake:9770cab, author = {Cyble Research Labs}, title = {{Fake Atomic Wallet Website Distributing Mars Stealer}}, date = {2022-08-02}, organization = {cyble}, url = {https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/}, language = {English}, urldate = {2022-08-08} } @online{labs:20220809:bitter:022e356, author = {Cyble Research Labs}, title = {{Bitter APT Group Using “Dracarys” Android Spyware}}, date = {2022-08-09}, organization = {cyble}, url = {https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/}, language = {English}, urldate = {2022-08-15} } @online{labs:20220922:watch:0f6c6c3, author = {Morphisec Labs}, title = {{Watch Out For The New NFT-001}}, date = {2022-09-22}, organization = {Morphisec}, url = {https://blog.morphisec.com/nft-malware-new-evasion-abilities}, language = {English}, urldate = {2022-11-21} } @online{labs:20220927:chaos:1389681, author = {Black Lotus Labs}, title = {{Chaos Is A Go-Based Swiss Army Knife Of Malware (IOCs)}}, date = {2022-09-27}, organization = {Github (blacklotuslabs)}, url = {https://github.com/blacklotuslabs/IOCs/blob/main/Chaos_IoCs.txt}, language = {English}, urldate = {2022-09-30} } @online{labs:20220928:chaos:9918c3d, author = {Black Lotus Labs}, title = {{Chaos Is A Go-Based Swiss Army Knife Of Malware}}, date = {2022-09-28}, organization = {Lumen}, url = {https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/}, language = {English}, urldate = {2022-09-30} } @techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } @online{labs:20221020:new:b8a4b5a, author = {Cyble Research Labs}, title = {{New Temp Stealer Spreading Via Free & Cracked Software}}, date = {2022-10-20}, organization = {cyble}, url = {https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/}, language = {English}, urldate = {2022-11-21} } @online{labs:20221102:could:b265e1e, author = {Nozomi Networks Labs}, title = {{Could Threat Actors Be Downgrading Their Malware to Evade Detection?}}, date = {2022-11-02}, organization = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/}, language = {English}, urldate = {2022-11-03} } @online{labs:20221206:androxgh0st:bb1d2d5, author = {Lacework Labs}, title = {{AndroxGh0st – the python malware exploiting your AWS keys}}, date = {2022-12-06}, organization = {Lacework Labs}, url = {https://web.archive.org/web/20240715165609/https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys}, language = {English}, urldate = {2025-05-21} } @online{labs:20221207:new:b712384, author = {Morphisec Labs}, title = {{New Babuk Ransomware Found in Major Attack}}, date = {2022-12-07}, organization = {Morphisec}, url = {https://blog.morphisec.com/babuk-ransomware-variant-major-attack}, language = {English}, urldate = {2022-12-29} } @online{labs:20221215:tracking:8584547, author = {Nozomi Networks Labs}, title = {{Tracking Malicious Glupteba Activity Through the Blockchain}}, date = {2022-12-15}, organization = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/}, language = {English}, urldate = {2023-01-18} } @online{labs:20230306:new:5e68769, author = {Black Lotus Labs}, title = {{New HiatusRAT Router Malware Covertly Spies On Victims}}, date = {2023-03-06}, organization = {Lumen}, url = {https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/}, language = {English}, urldate = {2023-03-13} } @online{labs:20230330:3cx:32dbee5, author = {FortiGuard Labs}, title = {{3CX Desktop App Compromised (CVE-2023-29059)}}, date = {2023-03-30}, organization = {Fortiguard}, url = {https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised}, language = {English}, urldate = {2023-04-02} } @techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } @online{labs:20230413:not:177ad92, author = {CyberArk Labs}, title = {{The (Not so) Secret War on Discord}}, date = {2023-04-13}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord}, language = {English}, urldate = {2023-04-22} } @online{labs:20230417:noname05716:b559057, author = {B42 Labs}, title = {{Noname057(16) Attack Tracker}}, date = {2023-04-17}, organization = {BE42LATE}, url = {https://noname.be42late.co/}, language = {English}, urldate = {2023-05-23} } @online{labs:20230601:qakbot:5dbdbb8, author = {Black Lotus Labs}, title = {{Qakbot: Retool, Reinfect, Recycle}}, date = {2023-06-01}, organization = {Lumen}, url = {https://blog.lumen.com/qakbot-retool-reinfect-recycle/}, language = {English}, urldate = {2023-06-02} } @techreport{labs:20230711:spamhaus:4e2885e, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2023}}, date = {2023-07-11}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-07-22} } @online{labs:20230712:routers:e2ed598, author = {Black Lotus Labs}, title = {{Routers From The Underground: Exposing AVrecon}}, date = {2023-07-12}, organization = {Lumen}, url = {https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/}, language = {English}, urldate = {2023-07-21} } @online{labs:20230727:update:67b9dd6, author = {Black Lotus Labs}, title = {{Tweet on update on AVrecon bot's migration to new infrastructure}}, date = {2023-07-27}, organization = {X (@BlackLotusLabs)}, url = {https://twitter.com/BlackLotusLabs/status/1684290046235484160}, language = {English}, urldate = {2023-07-31} } @online{labs:20230803:darkgate:3d23432, author = {Aon’s Cyber Labs}, title = {{DarkGate Keylogger Analysis: Masterofnone}}, date = {2023-08-03}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/}, language = {English}, urldate = {2023-08-07} } @online{labs:20230817:no:8cc16d8, author = {Black Lotus Labs}, title = {{No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action}}, date = {2023-08-17}, organization = {Lumen}, url = {https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/}, language = {English}, urldate = {2023-08-21} } @techreport{labs:20231012:spamhaus:cc0ff5c, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2023}}, date = {2023-10-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-10-17} } @online{labs:20231114:taking:e66ae86, author = {Black Lotus Labs}, title = {{Taking The Elevator Down To Ring 0}}, date = {2023-11-14}, organization = {Lumen}, url = {https://blog.lumen.com/taking-the-elevator-down-to-ring-0/}, language = {English}, urldate = {2024-03-12} } @online{labs:20231213:routers:6185414, author = {Black Lotus Labs}, title = {{Routers Roasting on an Open Firewall: the KV-botnet Investigation}}, date = {2023-12-13}, organization = {Lumen}, url = {https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/}, language = {English}, urldate = {2023-12-14} } @online{labs:20231227:pivoting:b03da26, author = {StrikeReady Labs}, title = {{Pivoting through a Sea of indicators to spot Turtles}}, date = {2023-12-27}, organization = {StrikeReady}, url = {https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/}, language = {English}, urldate = {2024-02-15} } @techreport{labs:20240112:spamhaus:1249ec1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q4 2023}}, date = {2024-01-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2024-01-15} } @online{labs:20240116:p2pinfect:0d3b778, author = {Nozomi Networks Labs}, title = {{P2PInfect Worm Evolves to Target a New Platform}}, date = {2024-01-16}, organization = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform}, language = {English}, urldate = {2024-01-23} } @online{labs:20240207:kvbotnet:8c23494, author = {Black Lotus Labs}, title = {{KV-Botnet: Don’t call it a Comeback}}, date = {2024-02-07}, organization = {Lumen}, url = {https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/}, language = {English}, urldate = {2024-02-09} } @online{labs:20240228:toot:7642d91, author = {Spamhaus Malware Labs}, title = {{Toot about SmokeLoader dropping Xehook Stealer}}, date = {2024-02-28}, organization = {Spamhaus}, url = {https://infosec.exchange/@spamhaus/112008862430254522}, language = {English}, urldate = {2024-03-01} } @online{labs:20240229:dont:6661650, author = {StrikeReady Labs}, title = {{Don't get BITTER about being targeted -- fight back with the help of the community.}}, date = {2024-02-29}, organization = {StrikeReady}, url = {https://blog.strikeready.com/blog/dont-get-bitter-about-being-targeted--fight-back-with-the-help-of-the-community./}, language = {English}, urldate = {2024-03-04} } @online{labs:20240402:all:073b7f7, author = {Forescout Vedere Labs}, title = {{“All your base are belong to us” – A probe into Chinese-connected devices in US networks}}, date = {2024-04-02}, organization = {Forescout}, url = {https://www.forescout.com/blog/probe-into-chinese-connected-devices-in-us-networks/}, language = {English}, urldate = {2024-04-04} } @online{labs:20240409:havoc:c1f0c84, author = {Immersive Labs}, title = {{Havoc C2 Framework – A Defensive Operator’s Guide}}, date = {2024-04-09}, organization = {Immersive Labs}, url = {https://www.immersivelabs.com/blog/havoc-c2-framework-a-defensive-operators-guide/}, language = {English}, urldate = {2024-05-13} } @online{labs:20240530:pumpkin:0478441, author = {Black Lotus Labs}, title = {{The Pumpkin Eclipse}}, date = {2024-05-30}, organization = {Lumen}, url = {https://blog.lumen.com/the-pumpkin-eclipse/}, language = {English}, urldate = {2024-09-13} } @online{labs:20240530:pumpkin:812d611, author = {Black Lotus Labs}, title = {{The Pumpkin Eclipse}}, date = {2024-05-30}, organization = {Centurylink}, url = {https://blog.centurylink.com/the-pumpkin-eclipse/}, language = {English}, urldate = {2024-06-28} } @techreport{labs:20240709:spamhaus:10248e5, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update January to June 2024}}, date = {2024-07-09}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2024-07-22} } @online{labs:20240718:emerging:6d566fa, author = {Forescout Vedere Labs}, title = {{Emerging IoT Wiper Malware: Kaden and New LOLFME Botnet Variants}}, date = {2024-07-18}, organization = {Forescout}, url = {https://www.forescout.com/blog/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet/}, language = {English}, urldate = {2024-08-01} } @online{labs:20240808:double:75eede1, author = {Cyble Research Labs}, title = {{Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site}}, date = {2024-08-08}, organization = {cyble}, url = {https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/}, language = {English}, urldate = {2024-08-15} } @online{labs:20240815:beyond:a763ef0, author = {Elastic Security Labs}, title = {{Beyond the wail: deconstructing the BANSHEE infostealer}}, date = {2024-08-15}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/beyond-the-wail?ultron=esl:_threat_research%2Besl_blog_post&blade=twitter&hulk=social&utm_content=14389248623&linkId=549532028}, language = {English}, urldate = {2024-08-23} } @online{labs:20240827:taking:7e1844e, author = {Black Lotus Labs}, title = {{Taking the Crossroads: The Versa Director Zero-Day Exploitation}}, date = {2024-08-27}, organization = {Lumen}, url = {https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/}, language = {English}, urldate = {2024-09-13} } @online{labs:20240918:derailing:8d9adbd, author = {Black Lotus Labs}, title = {{Derailing The Raptor Train}}, date = {2024-09-18}, organization = {Lumen}, url = {https://blog.lumen.com/derailing-the-raptor-train/}, language = {English}, urldate = {2024-09-23} } @online{labs:20240918:derailing:fd9a6c6, author = {Black Lotus Labs}, title = {{Derailing the Raptor Train}}, date = {2024-09-18}, organization = {Lumen}, url = {https://assets.lumen.com/is/content/Lumen/raptor-train-handbook-copy}, language = {English}, urldate = {2024-09-23} } @online{labs:20240930:fakeupdates:4cbae72, author = {Gen Threat Labs}, title = {{Tweet on FAKEUPDATES pushing WARMCOOKIE backdoor via compromised websites targeting France}}, date = {2024-09-30}, organization = {X (@GenThreatLabs)}, url = {https://x.com/GenThreatLabs/status/1840762181668741130}, language = {English}, urldate = {2024-10-18} } @online{labs:20241023:ics:8174662, author = {Vedere Labs}, title = {{ICS Threats: Malware Targeting OT? It’s More Common Than You Think}}, date = {2024-10-23}, organization = {Forescout}, url = {https://www.forescout.com/blog/targeting-ot-security-ics-threats-malware/}, language = {English}, urldate = {2024-12-09} } @online{labs:20241031:toot:db9563a, author = {Spamhaus Malware Labs}, title = {{Toot about Darkgate / SSLoad targeting Ukraine}}, date = {2024-10-31}, organization = {Spamhaus}, url = {https://infosec.exchange/@spamhaus/113402246487904714}, language = {English}, urldate = {2024-11-05} } @online{labs:20241119:one:5c34349, author = {Black Lotus Labs}, title = {{One Sock Fits All: The Use And Abuse Of The NSOCKS Botnet}}, date = {2024-11-19}, organization = {Lumen}, url = {https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/}, language = {English}, urldate = {2024-12-09} } @online{labs:20241128:ru:b7929ca, author = {StrikeReady Labs}, title = {{RU APT targeting Energy Infrastructure (Unknown unknowns, part 3)}}, date = {2024-11-28}, organization = {StrikeReady}, url = {https://strikeready.com/blog/ru-apt-targeting-energy-infrastructure-unknown-unknowns-part-3/}, language = {English}, urldate = {2024-12-06} } @online{labs:20241204:snowblind:f4e54f7, author = {Black Lotus Labs and Danny Adamitis and Ryan English}, title = {{Snowblind: The Invisible Hand of Secret Blizzard}}, date = {2024-12-04}, organization = {Lumen}, url = {https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/}, language = {English}, urldate = {2024-12-12} } @online{labs:20241212:under:d2e9e47, author = {Elastic Security Labs and Salim Bitam and Daniel Stepanic and Seth Goodwin and Jia Yu Chan}, title = {{Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite}}, date = {2024-12-12}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar}, language = {English}, urldate = {2025-01-02} } @online{labs:20241230:advancing:8afb195, author = {TRAC Labs}, title = {{Advancing Through the Cyberfront, LegionLoader Commander}}, date = {2024-12-30}, organization = {Medium TRAC Labs}, url = {https://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4}, language = {English}, urldate = {2025-01-07} } @online{labs:20250109:hexalocker:5b78475, author = {Cyble Research Labs}, title = {{HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption}}, date = {2025-01-09}, organization = {cyble}, url = {https://cyble.com/blog/hexalocker-v2-being-proliferated-by-skuld-stealer/}, language = {English}, urldate = {2025-06-30} } @techreport{labs:20250110:spamhaus:5519f13, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update July to December 2024}}, date = {2025-01-10}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2025-01-14} } @online{labs:20250123:jmagic:ad33755, author = {Black Lotus Labs}, title = {{The J-Magic Show: Magic Packets and Where to find them}}, date = {2025-01-23}, organization = {Lumen}, url = {https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/}, language = {English}, urldate = {2025-01-24} } @online{labs:20250215:dont:2105520, author = {TRAC Labs}, title = {{Don’t Ghost the SocGholish: GhostWeaver Backdoor}}, date = {2025-02-15}, organization = {Medium TRAC Labs}, url = {https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983}, language = {English}, urldate = {2025-02-18} } @online{labs:20250410:autopsy:94b7bd1, author = {TRAC Labs}, title = {{Autopsy of a Failed Stealer: StealC v2}}, date = {2025-04-10}, organization = {Medium TRAC Labs}, url = {https://trac-labs.com/autopsy-of-a-failed-stealer-stealc-v2-a4e32da04396}, language = {English}, urldate = {2025-04-11} } @online{labs:20250415:hunting:96a2c9a, author = {Beazley Security Labs}, title = {{Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware}}, date = {2025-04-15}, organization = {Beazley Security Labs}, url = {https://labs.beazley.security/articles/hunting-mice-in-tunnels-ii-fake-captchas-and-ransomware}, language = {English}, urldate = {2025-05-07} } @online{labs:20250509:classic:ab99261, author = {Black Lotus Labs}, title = {{Classic Rock: Hunting a Botnet that preys on the Old}}, date = {2025-05-09}, organization = {Lumen}, url = {https://blog.lumen.com/black-lotus-labs-criminal-proxy-network/}, language = {English}, urldate = {2025-05-20} } @online{laceworklabs:20210318:dga:9b57724, author = {lacework-labs}, title = {{DGA and decoder scripts for n3cr0morph IRC malware}}, date = {2021-03-18}, organization = {Github (lacework)}, url = {https://github.com/lacework/lacework-labs/tree/master/keksec}, language = {English}, urldate = {2021-03-25} } @online{ladores:20170907:emotet:bf3075c, author = {Don Ladores}, title = {{EMOTET Returns, Starts Spreading via Spam Botnet}}, date = {2017-09-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/}, language = {English}, urldate = {2019-11-28} } @online{ladores:20200922:mispadu:8a2a4c1, author = {Don Ladores and Raphael Centeno}, title = {{Mispadu Banking Trojan Resurfaces}}, date = {2020-09-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces}, language = {English}, urldate = {2020-09-24} } @online{ladores:20210301:povlsomware:d683693, author = {Don Ovid Ladores}, title = {{Povlsomware Ransomware Features Cobalt Strike Compatibility}}, date = {2021-03-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html}, language = {English}, urldate = {2021-04-06} } @online{ladores:20211210:new:baec85c, author = {Don Ovid Ladores}, title = {{New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes}}, date = {2021-12-10}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/yanluowang-ransomware-code-signed-terminates-database-processes.html}, language = {English}, urldate = {2021-12-31} } @online{ladores:20220309:new:b6c2c2a, author = {Don Ovid Ladores}, title = {{New Nokoyawa Ransomware Possibly Related to Hive}}, date = {2022-03-09}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html}, language = {English}, urldate = {2022-03-10} } @online{ladores:20220608:cuba:2b4a6df, author = {Don Ovid Ladores}, title = {{Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques}}, date = {2022-06-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html}, language = {English}, urldate = {2022-06-09} } @online{ladores:20220906:play:9f034be, author = {Don Ovid Ladores and Lucas Silva and Scott Burden and Janus Agcaoili and Ivan Nicole Chavez and Ian Kenefick and Ieriz Nicolle Gonzalez and Paul Pajares}, title = {{Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa}}, date = {2022-09-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html}, language = {English}, urldate = {2022-09-07} } @online{ladores:20230418:analysis:311d003, author = {Don Ovid Ladores}, title = {{An Analysis of the BabLock (aka Rorschach) Ransomware}}, date = {2023-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html}, language = {English}, urldate = {2023-04-25} } @online{ladores:20230418:analysis:66f6ed6, author = {Don Ovid Ladores}, title = {{An Analysis of the BabLock (aka Rorschach) Ransomware (IoCs)}}, date = {2023-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/d/an-analysis-of-the-bablock-ransomware-/iocs-an-analysis-of-the-babLock-ransomware.txt}, language = {English}, urldate = {2023-04-25} } @online{ladores:20230424:vipersoftx:5563816, author = {Don Ovid Ladores}, title = {{ViperSoftX Updates Encryption, Steals Data}}, date = {2023-04-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html}, language = {English}, urldate = {2023-10-05} } @online{ladores:20230428:rapture:fbc5047, author = {Don Ovid Ladores and Ian Kenefick and Earle Maui Earnshaw}, title = {{Rapture, a Ransomware Family With Similarities to Paradise}}, date = {2023-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html}, language = {English}, urldate = {2023-05-03} } @online{ladutska:20211208:when:16ee92b, author = {Raman Ladutska and Aliaksandr Trafimchuk and David Driker and Yali Magiel}, title = {{When old friends meet again: why Emotet chose Trickbot for rebirth}}, date = {2021-12-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/}, language = {English}, urldate = {2022-02-18} } @online{laeb:20200126:one:cf0bb50, author = {Raveed Laeb}, title = {{One Attacker’s Trash is Another Attacker’s Treasure: A New Ecosystem Drives Cybercrime Innovation}}, date = {2020-01-26}, organization = {KELA}, url = {https://ke-la.com/one-attackers-trash-is-another-attackers-treasure/}, language = {English}, urldate = {2021-05-08} } @online{laeb:20200221:exploring:179689d, author = {Raveed Laeb}, title = {{Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology}}, date = {2020-02-21}, organization = {KELA}, url = {https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/}, language = {English}, urldate = {2020-02-26} } @online{laeb:20200513:accessasaservice:caaac1b, author = {Raveed Laeb}, title = {{Access-as-a-Service – Remote Access Markets in the Cybercrime Underground}}, date = {2020-05-13}, organization = {KELA}, url = {https://ke-la.com/access-as-a-service-remote-access-markets-in-the-cybercrime-underground/}, language = {English}, urldate = {2021-05-07} } @online{laeb:20200608:schrodingers:6ebbf4a, author = {Raveed Laeb}, title = {{Schrodinger’s Threat – MagBo Adapts Access Control Policies}}, date = {2020-06-08}, organization = {KELA}, url = {https://ke-la.com/schrodingers-threat-magbo-adapts-access-control-policies/}, language = {English}, urldate = {2021-05-07} } @online{laeb:20200722:slacking:8cb7d81, author = {Raveed Laeb}, title = {{Slacking Off – Slack and the Corporate Attack Surface Landscape}}, date = {2020-07-22}, organization = {KELA}, url = {https://ke-la.com/slacking-off-slack-and-the-corporate-attack-surface-landscape/}, language = {English}, urldate = {2021-05-07} } @online{laeb:20200806:secret:7a5b64c, author = {Raveed Laeb and Victoria Kivilevich}, title = {{The Secret Life of an Initial Access Broker}}, date = {2020-08-06}, organization = {KELA}, url = {https://ke-la.com/the-secret-life-of-an-initial-access-broker/}, language = {English}, urldate = {2021-05-07} } @online{laeb:20201012:kelas:2c54882, author = {Raveed Laeb and Victoria Kivilevich}, title = {{KELA’s 100 Over 100: September 2020 in Network Access Sales}}, date = {2020-10-12}, organization = {KELA}, url = {https://ke-la.com/kelas-100-over-100-september2020-in-network-access-sales/}, language = {English}, urldate = {2020-10-23} } @online{laferrera:20210108:golden:d31442a, author = {Marcus LaFerrera and John Stoner and Lily Lee and James Brodsky and Ryan Kovar}, title = {{A Golden SAML Journey: SolarWinds Continued}}, date = {2021-01-08}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html}, language = {English}, urldate = {2021-01-11} } @online{laferrera:20211026:higher:9e4b682, author = {Marcus LaFerrera}, title = {{High(er) Fidelity Software Supply Chain Attack Detection}}, date = {2021-10-26}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/high-er-fidelity-software-supply-chain-attack-detection.html}, language = {English}, urldate = {2021-11-03} } @online{laflamme:20211102:cobalt:d09aa11, author = {Olivier Laflamme}, title = {{Cobalt Strike Process Injection}}, date = {2021-11-02}, organization = {boschko.ca blog}, url = {https://boschko.ca/cobalt-strike-process-injection/}, language = {English}, urldate = {2021-11-29} } @online{lagrimas:20121009:sasfis:5e95a5a, author = {Dianne Lagrimas}, title = {{SASFIS}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis}, language = {English}, urldate = {2020-01-08} } @online{lagrimas:20150409:beebone:cd0b76b, author = {Dianne Lagrimas}, title = {{Beebone Botnet Takedown: Trend Micro Solutions}}, date = {2015-04-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions}, language = {English}, urldate = {2020-08-24} } @online{lahav:20190711:pykspa:9a2e7e7, author = {Lior Lahav}, title = {{Pykspa V2 DGA Updated to Become Selective}}, date = {2019-07-11}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html}, language = {English}, urldate = {2025-03-21} } @online{lakhani:20210718:revealed:3a4962f, author = {Nina Lakhani}, title = {{Revealed: murdered journalist’s number selected by Mexican NSO client}}, date = {2021-07-18}, organization = {The Guardian}, url = {https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto}, language = {English}, urldate = {2021-07-24} } @online{lakshmaman:20210115:researchers:d524572, author = {Ravie Lakshmaman}, title = {{Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks}}, date = {2021-01-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2021/01/researchers-disclose-undocumented.html}, language = {English}, urldate = {2021-06-29} } @online{lakshmaman:20220511:bitter:7b6f318, author = {Ravie Lakshmaman}, title = {{Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia}}, date = {2022-05-11}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html}, language = {English}, urldate = {2022-06-02} } @online{lakshmanan:20210828:lockfile:aa9e07a, author = {Ravie Lakshmanan}, title = {{LockFile Ransomware Bypasses Protection Using Intermittent File Encryption}}, date = {2021-08-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html}, language = {English}, urldate = {2021-08-31} } @online{lakshmanan:20220126:hackers:6168cce, author = {Ravie Lakshmanan}, title = {{Hackers Using New Evasive Technique to Deliver AsyncRAT Malware}}, date = {2022-01-26}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html}, language = {English}, urldate = {2022-01-31} } @online{lakshmanan:20220127:widespread:9d2fe29, author = {Ravie Lakshmanan}, title = {{Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices}}, date = {2022-01-27}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html}, language = {English}, urldate = {2022-01-31} } @online{lakshmanan:20220206:chinese:e5193ae, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor}}, date = {2022-02-06}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html}, language = {English}, urldate = {2022-02-09} } @online{lakshmanan:20220208:palestinian:8763e1d, author = {Ravie Lakshmanan}, title = {{Palestinian Hackers Use New NimbleMamba Implant in Recent Attacks}}, date = {2022-02-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/palestinian-hackers-using-new.html}, language = {English}, urldate = {2022-02-09} } @online{lakshmanan:20220209:iranian:4050573, author = {Ravie Lakshmanan}, title = {{Iranian Hackers Using New Marlin Backdoor in 'Out to Sea' Espionage Campaign}}, date = {2022-02-09}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/iranian-hackers-using-new-marlin.html}, language = {English}, urldate = {2022-02-09} } @online{lakshmanan:20220215:researchers:834fc13, author = {Ravie Lakshmanan}, title = {{Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA}}, date = {2022-02-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html}, language = {English}, urldate = {2022-02-17} } @online{lakshmanan:20220219:master:8d77715, author = {Ravie Lakshmanan}, title = {{Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm}}, date = {2022-02-19}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } @online{lakshmanan:20220221:iranian:b31d17f, author = {Ravie Lakshmanan}, title = {{Iranian State Broadcaster IRIB Hit by Destructive Wiper Malware}}, date = {2022-02-21}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/iranian-state-broadcaster-irib-hits-by_21.html}, language = {English}, urldate = {2022-02-26} } @online{lakshmanan:20220223:chinese:06abbe8, author = {Ravie Lakshmanan}, title = {{Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool}}, date = {2022-02-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html}, language = {English}, urldate = {2022-03-01} } @online{lakshmanan:20220223:new:d894c7d, author = {Ravie Lakshmanan}, title = {{New Wiper Malware Targeting Ukraine Amid Russia's Military Operation}}, date = {2022-02-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html}, language = {English}, urldate = {2022-03-01} } @online{lakshmanan:20220224:notorious:c5e1556, author = {Ravie Lakshmanan}, title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html}, language = {English}, urldate = {2022-03-04} } @online{lakshmanan:20220224:trickbot:7e86d52, author = {Ravie Lakshmanan}, title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html}, language = {English}, urldate = {2022-03-01} } @online{lakshmanan:20220225:new:8bd8395, author = {Ravie Lakshmanan}, title = {{New "SockDetour" Fileless, Socketless Backdoor Targets U.S. Defense Contractors}}, date = {2022-02-25}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/new-sockdetour-fileless-socketless.html}, language = {English}, urldate = {2022-03-10} } @online{lakshmanan:20220225:putin:09a1fea, author = {Ravie Lakshmanan}, title = {{Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks}}, date = {2022-02-25}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/putin-warns-russian-critical.html}, language = {English}, urldate = {2022-03-01} } @online{lakshmanan:20220301:second:994dc73, author = {Ravie Lakshmanan}, title = {{Second New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion}}, date = {2022-03-01}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html}, language = {English}, urldate = {2022-03-07} } @online{lakshmanan:20220302:hackers:d53340b, author = {Ravie Lakshmanan}, title = {{Hackers Begin Weaponizing TCP Middlebox Reflection for Amplified DDoS Attacks}}, date = {2022-03-02}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html}, language = {English}, urldate = {2022-03-07} } @online{lakshmanan:20220310:iranian:b7eb161, author = {Ravie Lakshmanan}, title = {{Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign}}, date = {2022-03-10}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html}, language = {English}, urldate = {2022-03-14} } @online{lakshmanan:20220314:researchers:ac40d04, author = {Ravie Lakshmanan}, title = {{Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers}}, date = {2022-03-14}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html}, language = {English}, urldate = {2022-03-15} } @online{lakshmanan:20220315:caddywiper:f70771d, author = {Ravie Lakshmanan}, title = {{CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks}}, date = {2022-03-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html}, language = {English}, urldate = {2022-03-17} } @online{lakshmanan:20220322:microsoft:3373c3d, author = {Ravie Lakshmanan}, title = {{Microsoft and Okta Confirm Breach by LAPSUS$ Extortion Group}}, date = {2022-03-22}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html}, language = {English}, urldate = {2022-03-23} } @online{lakshmanan:20220323:abuse:6b8c004, author = {Ravie Lakshmanan}, title = {{abuse mikrotik router by GLUPTEBA malware}}, date = {2022-03-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html}, language = {English}, urldate = {2022-03-28} } @online{lakshmanan:20220328:purple:a7adcb0, author = {Ravie Lakshmanan}, title = {{'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks}}, date = {2022-03-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html}, language = {English}, urldate = {2022-03-29} } @online{lakshmanan:20220329:largescale:08ca599, author = {Ravie Lakshmanan}, title = {{A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages}}, date = {2022-03-29}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html}, language = {English}, urldate = {2022-03-30} } @online{lakshmanan:20220401:chinese:0b445c6, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}}, date = {2022-04-01}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html}, language = {English}, urldate = {2022-04-04} } @online{lakshmanan:20220404:experts:f7333df, author = {Ravie Lakshmanan}, title = {{Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums}}, date = {2022-04-04}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html}, language = {English}, urldate = {2022-04-07} } @online{lakshmanan:20220407:first:bb2dab0, author = {Ravie Lakshmanan}, title = {{First Malware Targeting AWS Lambda Serverless Platform Discovered}}, date = {2022-04-07}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html}, language = {English}, urldate = {2022-04-12} } @online{lakshmanan:20220407:hamaslinked:89351c7, author = {Ravie Lakshmanan}, title = {{Hamas-linked Hackers Targeting High-Ranking Israelis Using 'Catfish' Lures}}, date = {2022-04-07}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/hamas-linked-hackers-targeting-high.html}, language = {English}, urldate = {2022-06-09} } @online{lakshmanan:20220407:new:1ec9392, author = {Ravie Lakshmanan}, title = {{New Octo Banking Trojan Spreading via Fake Apps on Google Play Store}}, date = {2022-04-07}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html}, language = {English}, urldate = {2022-04-12} } @online{lakshmanan:20220408:hackers:71f1a10, author = {Ravie Lakshmanan}, title = {{Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware}}, date = {2022-04-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html}, language = {English}, urldate = {2022-04-12} } @online{lakshmanan:20220408:microsoft:f01c170, author = {Ravie Lakshmanan}, title = {{Microsoft Obtains Court Order to Take Down Domains Used to Target Ukraine}}, date = {2022-04-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/microsoft-obtains-court-order-to-take.html}, language = {English}, urldate = {2022-04-25} } @online{lakshmanan:20220408:researchers:245d67d, author = {Ravie Lakshmanan}, title = {{Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity}}, date = {2022-04-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html}, language = {English}, urldate = {2022-04-12} } @online{lakshmanan:20220411:researchers:2e6147c, author = {Ravie Lakshmanan}, title = {{Researchers warn of FFDroider and Lightning info-stealers targeting users in the wild}}, date = {2022-04-11}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html}, language = {English}, urldate = {2022-05-04} } @online{lakshmanan:20220506:this:e7fb654, author = {Ravie Lakshmanan}, title = {{This New Fileless Malware Hides Shellcode in Windows Event Logs}}, date = {2022-05-06}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html}, language = {English}, urldate = {2022-05-08} } @online{lakshmanan:20220520:cytroxs:64172d5, author = {Ravie Lakshmanan}, title = {{Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits}}, date = {2022-05-20}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html}, language = {English}, urldate = {2022-05-24} } @online{lakshmanan:20220730:microsoft:0f1459e, author = {Ravie Lakshmanan}, title = {{Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers}}, date = {2022-07-30}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm}, language = {English}, urldate = {2022-08-02} } @online{lakshmanan:20230120:chinese:4df7900, author = {Ravie Lakshmanan}, title = {{Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware}}, date = {2023-01-20}, organization = {The Hacker News}, url = {https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html}, language = {English}, urldate = {2023-01-20} } @online{lakshmanan:20240610:moreeggs:7490449, author = {Ravie Lakshmanan}, title = {{More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack}}, date = {2024-06-10}, organization = {The Hacker News}, url = {https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html}, language = {English}, urldate = {2024-09-11} } @online{lakshmanan:20250212:north:019fd8c, author = {Ravie Lakshmanan}, title = {{North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack}}, date = {2025-02-12}, organization = {The Hacker News}, url = {https://thehackernews.com/2025/02/north-korean-hackers-exploit-powershell.html}, language = {English}, urldate = {2025-02-13} } @online{lakshmanan:20250311:blind:8ebcf5c, author = {Ravie Lakshmanan}, title = {{Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks}}, date = {2025-03-11}, organization = {The Hacker News}, url = {https://thehackernews.com/2025/03/blind-eagle-hacks-colombian.html}, language = {English}, urldate = {2025-03-12} } @online{lakshmanan:20250404:opsec:bd53bfa, author = {Ravie Lakshmanan}, title = {{OPSEC Failure Exposes Coquettte's Malware Campaigns on Bulletproof Hosting Servers}}, date = {2025-04-04}, organization = {The Hacker News}, url = {https://thehackernews.com/2025/04/opsec-failure-exposes-coquetttes.html}, language = {English}, urldate = {2025-04-09} } @techreport{lama:20220301:malware:865ab35, author = {Dipankar Lama}, title = {{Malware Analysis Report: WannaCry Ransomware}}, date = {2022-03-01}, institution = {Github (0xZuk0)}, url = {https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf}, language = {English}, urldate = {2022-03-07} } @online{lamb:2022:bumblebee:133c06b, author = {Michael Lamb}, title = {{Bumblebee Malware Loader: Threat Analysis}}, date = {2022}, organization = {aspirets}, url = {https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/}, language = {English}, urldate = {2023-04-06} } @online{lambdamamba:20230123:strange:131bbb7, author = {Lena (LambdaMamba)}, title = {{A "strange font" Smishing Campaign that changes behaviour based on User-Agent, and abuses Duck DNS}}, date = {2023-01-23}, organization = {Medium System Weakness}, url = {https://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7}, language = {English}, urldate = {2024-01-08} } @online{lambdamamba:20230219:investigating:a7eda6b, author = {Lena (LambdaMamba)}, title = {{Investigating a Fake KDDI Smishing Campaign that abuses Duck DNS}}, date = {2023-02-19}, organization = {Medium System Weakness}, url = {https://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8}, language = {English}, urldate = {2024-01-08} } @online{lambdamamba:20231005:analyzing:db8f96e, author = {Lena (LambdaMamba)}, title = {{Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough}}, date = {2023-10-05}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/analyzing-snake-keylogger/}, language = {English}, urldate = {2024-01-08} } @online{lambdamamba:20240130:crackedcantil:6daafee, author = {Lena (LambdaMamba)}, title = {{CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP}}, date = {2024-01-30}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/crackedcantil-breakdown/}, language = {English}, urldate = {2024-02-05} } @online{lambdamamba:20240204:crackedcantil:9db31a1, author = {LambdaMamba}, title = {{CrackedCantil: A Malware Symphony Breakdown}}, date = {2024-02-04}, organization = {Infostealers}, url = {https://www.infostealers.com/article/crackedcantil-a-malware-symphony-breakdown/}, language = {English}, urldate = {2024-02-08} } @online{lambdamamba:20240325:reverse:7320843, author = {Lena (LambdaMamba)}, title = {{Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough}}, date = {2024-03-25}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/}, language = {English}, urldate = {2024-06-10} } @online{lambert:20171004:turla:904593f, author = {John Lambert}, title = {{Tweet on Turla JS backdoor}}, date = {2017-10-04}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/915590893155098629}, language = {English}, urldate = {2019-10-23} } @online{lambert:20180220:evilosx:4d3473b, author = {John Lambert}, title = {{Tweet on EvilOSX}}, date = {2018-02-20}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/966139336436498432}, language = {English}, urldate = {2020-01-09} } @online{lambert:20180408:conminer:79fa45b, author = {John Lambert}, title = {{Tweet on ConMiner WebAssembly}}, date = {2018-04-08}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/983011262731714565}, language = {English}, urldate = {2020-01-13} } @online{lambert:20180408:cryptonight:e09e793, author = {John Lambert}, title = {{Cryptonight currency miner WASM}}, date = {2018-04-08}, organization = {Gist (JohnLaTwC)}, url = {https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec}, language = {English}, urldate = {2019-11-29} } @online{lambert:20190417:unidentified:bae45d7, author = {John Lambert}, title = {{Tweet on an unidentified VBS Backdoor}}, date = {2019-04-17}, organization = {Twitter (JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/1118278148993339392}, language = {English}, urldate = {2019-07-11} } @online{lambert:20190501:frameworkpos:376a823, author = {Tony Lambert}, title = {{FrameworkPOS and the adequate persistent threat}}, date = {2019-05-01}, organization = {Red Canary}, url = {https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/}, language = {English}, urldate = {2020-01-29} } @online{lambert:20200507:introducing:04e15eb, author = {Tony Lambert}, title = {{Introducing Blue Mockingbird}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/blue-mockingbird-cryptominer/}, language = {English}, urldate = {2020-06-02} } @online{lambert:20200722:connecting:eb1b19a, author = {Tony Lambert}, title = {{Connecting Kinsing malware to Citrix and SaltStack campaigns}}, date = {2020-07-22}, organization = {Red Canary}, url = {https://redcanary.com/blog/kinsing-malware-citrix-saltstack/}, language = {English}, urldate = {2020-07-30} } @online{lambert:20201213:important:fb15c1b, author = {John Lambert}, title = {{Important steps for customers to protect themselves from recent nation-state cyberattacks}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/}, language = {English}, urldate = {2020-12-14} } @online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } @online{lambert:20210218:clipping:ec693c2, author = {Tony Lambert}, title = {{Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight}}, date = {2021-02-18}, organization = {Red Canary}, url = {https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis}, language = {English}, urldate = {2021-02-20} } @online{lambert:20210309:microsoft:6a37334, author = {Tony Lambert and Brian Donohue and Katie Nickels}, title = {{Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm}}, date = {2021-03-09}, organization = {Red Canary}, url = {https://redcanary.com/blog/microsoft-exchange-attacks}, language = {English}, urldate = {2021-03-11} } @online{lambert:20210805:when:aeb7b10, author = {Tony Lambert and Brian Donohue and Dan Cotton}, title = {{When Dridex and Cobalt Strike give you Grief}}, date = {2021-08-05}, organization = {Red Canary}, url = {https://redcanary.com/blog/grief-ransomware/}, language = {English}, urldate = {2021-09-10} } @online{lambert:20211110:hunt:8ab9e28, author = {John Lambert}, title = {{The hunt for NOBELIUM, the most sophisticated nation-state attack in history}}, date = {2021-11-10}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/11/10/the-hunt-for-nobelium-the-most-sophisticated-nation-state-attack-in-history/}, language = {English}, urldate = {2021-11-17} } @techreport{lambert:20211202:kmspico:4e3afa7, author = {Tony Lambert}, title = {{KMSPico and Cryptbot: A spicy combo}}, date = {2021-12-02}, institution = {Red Canary}, url = {https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf}, language = {English}, urldate = {2021-12-07} } @online{lambert:20220101:analyzing:1512a76, author = {Tony Lambert}, title = {{Analyzing an IcedID Loader Document}}, date = {2022-01-01}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-icedid-document/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220102:analyzing:7f13565, author = {Tony Lambert}, title = {{Analyzing a Magnitude EK Appx Package Dropping Magniber}}, date = {2022-01-02}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220103:tale:bfd0711, author = {Tony Lambert}, title = {{A Tale of Two Dropper Scripts for Agent Tesla}}, date = {2022-01-03}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220104:extracting:176a37c, author = {Tony Lambert}, title = {{Extracting Indicators from a Packed Mirai Sample}}, date = {2022-01-04}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220109:inspecting:4681f0a, author = {Tony Lambert}, title = {{Inspecting a PowerShell Cobalt Strike Beacon}}, date = {2022-01-09}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220116:analyzing:2c8a9db, author = {Tony Lambert}, title = {{Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike}}, date = {2022-01-16}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220117:emotets:85bf9d4, author = {Tony Lambert}, title = {{Emotet's Excel 4.0 Macros Dropping DLLs}}, date = {2022-01-17}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/emotet-excel4-macro-analysis/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220122:bazariso:b5e9a03, author = {Tony Lambert}, title = {{BazarISO Analysis - Loading with Advpack.dll}}, date = {2022-01-22}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/bazariso-analysis-advpack/}, language = {English}, urldate = {2022-01-28} } @online{lambert:20220123:hcrypt:0b8945b, author = {Tony Lambert}, title = {{HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET}}, date = {2022-01-23}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/}, language = {English}, urldate = {2022-01-25} } @online{lambert:20220127:guloader:c165a2c, author = {Tony Lambert}, title = {{GuLoader Executing Shellcode Using Callback Functions}}, date = {2022-01-27}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/}, language = {English}, urldate = {2022-02-01} } @online{lambert:20220202:strrat:c81498a, author = {Tony Lambert}, title = {{STRRAT Attached to a MSI File}}, date = {2022-02-02}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/strrat-attached-to-msi/}, language = {English}, urldate = {2022-02-04} } @online{lambert:20220203:njrat:88ea206, author = {Tony Lambert}, title = {{njRAT Installed from a MSI}}, date = {2022-02-03}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/njrat-installed-from-msi/}, language = {English}, urldate = {2022-02-04} } @online{lambert:20220206:agenttesla:6d362f7, author = {Tony Lambert}, title = {{AgentTesla From RTF Exploitation to .NET Tradecraft}}, date = {2022-02-06}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/}, language = {English}, urldate = {2022-02-07} } @online{lambert:20220211:xloaderformbook:1f69d72, author = {Tony Lambert}, title = {{XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets}}, date = {2022-02-11}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/}, language = {English}, urldate = {2022-02-14} } @online{lambert:20220212:analyzing:cea05eb, author = {Tony Lambert}, title = {{Analyzing a Stealer MSI using msitools}}, date = {2022-02-12}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/}, language = {English}, urldate = {2022-02-14} } @online{lambert:20220303:zero:fcfe985, author = {Wes Lambert}, title = {{Zero Dollar Detection and Response Orchestration with n8n, Security Onion, TheHive, and Velociraptor}}, date = {2022-03-03}, organization = {Medium Wes Lambert}, url = {https://wlambertts.medium.com/zero-dollar-detection-and-response-orchestration-with-n8n-security-onion-thehive-and-10b5e685e2a1}, language = {English}, urldate = {2022-03-25} } @online{lambert:20220326:agenttesla:edea93d, author = {Tony Lambert}, title = {{An AgentTesla Sample Using VBA Macros and Certutil}}, date = {2022-03-26}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/agenttesla-vba-certutil-download/}, language = {English}, urldate = {2022-03-28} } @online{lambert:20220416:snip3:6d70f31, author = {Tony Lambert}, title = {{Snip3 Crypter used with DCRat via VBScript}}, date = {2022-04-16}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/}, language = {English}, urldate = {2022-04-29} } @online{lambert:20220424:shortcut:b1a00dd, author = {Tony Lambert}, title = {{Shortcut to Emotet, an odd TTP change}}, date = {2022-04-24}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/}, language = {English}, urldate = {2022-04-25} } @online{lambert:20220512:goot:1fc62fa, author = {Tony Lambert and Lauren Podber}, title = {{The Goot cause: Detecting Gootloader and its follow-on activity}}, date = {2022-05-12}, organization = {Red Canary}, url = {https://redcanary.com/blog/gootloader}, language = {English}, urldate = {2022-05-13} } @techreport{lambert:20220512:gootloader:4562030, author = {Tony Lambert and Lauren Podber}, title = {{Gootloader and Cobalt Strike malware analysis}}, date = {2022-05-12}, institution = {Red Canary}, url = {https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf}, language = {English}, urldate = {2022-05-13} } @online{lambert:20220513:analyzing:4491815, author = {Tony Lambert}, title = {{Analyzing a Pirrit adware installer}}, date = {2022-05-13}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-pirrit-adware-installer/}, language = {English}, urldate = {2022-07-13} } @online{lambert:20220807:analyzing:9e98830, author = {Tony Lambert}, title = {{Analyzing .NET Core Single File Samples (DUCKTAIL Case Study)}}, date = {2022-08-07}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/}, language = {English}, urldate = {2022-08-09} } @online{lambert:20230723:malware:895c64a, author = {Tony Lambert}, title = {{Malware via VHD Files, an Excellent Choice}}, date = {2023-07-23}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/vhd-malware-an-excellent-choice/}, language = {English}, urldate = {2023-09-04} } @online{lambert:20250212:defying:de8e47d, author = {Tony Lambert and Phil Hagen}, title = {{Defying tunneling: A Wicked approach to detecting malicious network traffic}}, date = {2025-02-12}, organization = {Red Canary}, url = {https://redcanary.com/blog/threat-detection/network-traffic-tunneling/}, language = {English}, urldate = {2025-02-17} } @online{lamos:20171218:collaborative:1231f31, author = {Robert Lamos}, title = {{Collaborative Takedown Kills IoT Worm 'Satori'}}, date = {2017-12-18}, organization = {eWeek}, url = {http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20140919:malware:b8ce62a, author = {Tom Lancaster}, title = {{Malware microevolution}}, date = {2014-09-19}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20150427:attacks:8467adc, author = {Tom Lancaster}, title = {{Attacks against Israeli & Palestinian interests}}, date = {2015-04-27}, organization = {PWC}, url = {https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20160928:confucius:24e8de3, author = {Tom Lancaster and Micah Yates}, title = {{Confucius Says…Malware Families Get Further By Abusing Legitimate Websites}}, date = {2016-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20170627:paranoid:f933eb4, author = {Tom Lancaster and Esmid Idrizovic}, title = {{Paranoid PlugX}}, date = {2017-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20171114:muddying:aa0467a, author = {Tom Lancaster}, title = {{Muddying the Water: Targeted Attacks in the Middle East}}, date = {2017-11-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20180129:vermin:eea5a83, author = {Tom Lancaster and Juan Cortes}, title = {{VERMIN: Quasar RAT and Custom Malware Used In Ukraine}}, date = {2018-01-29}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20181105:inception:09bda7d, author = {Tom Lancaster}, title = {{Inception Attackers Target Europe with Year-old Office Vulnerability}}, date = {2018-11-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability}, language = {English}, urldate = {2022-08-26} } @online{lancaster:20181105:inception:4eb9f99, author = {Tom Lancaster}, title = {{Inception Attackers Target Europe with Year-old Office Vulnerability}}, date = {2018-11-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20190319:cardinal:b75240f, author = {Tom Lancaster and Josh Grunzweig}, title = {{Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms}}, date = {2019-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/}, language = {English}, urldate = {2020-01-13} } @online{landau:20210615:what:78dc82d, author = {Gabriel Landau}, title = {{What you need to know about Process Ghosting, a new executable image tampering attack}}, date = {2021-06-15}, organization = {Elastic}, url = {https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack}, language = {English}, urldate = {2021-06-21} } @online{landau:20220202:sandboxing:31d023c, author = {Gabriel Landau}, title = {{Sandboxing Antimalware Products for Fun and Profit}}, date = {2022-02-02}, organization = {Elastic}, url = {https://elastic.github.io/security-research/whitepapers/2022/02/02.sandboxing-antimalware-products-for-fun-and-profit/article/}, language = {English}, urldate = {2022-03-07} } @online{landers:20220617:srdi:240589a, author = {Nick Landers}, title = {{sRDI - Shellcode Reflective DLL Injection}}, date = {2022-06-17}, organization = {Github (monoxgas)}, url = {https://github.com/monoxgas/sRDI}, language = {English}, urldate = {2023-10-13} } @online{landesman:20130501:linuxcdorked:348acc3, author = {Mary Landesman}, title = {{Linux/CDorked FAQs}}, date = {2013-05-01}, organization = {Cisco}, url = {https://blogs.cisco.com/security/linuxcdorked-faqs}, language = {English}, urldate = {2020-01-09} } @online{landewe:20201125:microsoft:8e34f00, author = {Michael Landewe}, title = {{Microsoft Teams: New Attack Form Almost Takes Down Global Financial Institution}}, date = {2020-11-25}, organization = {Avanan}, url = {https://www.avanan.com/blog/proof-of-concept-teams-malware-attack-found-in-wild}, language = {English}, urldate = {2020-12-01} } @online{landry:20160505:sophisticated:8ba2d0d, author = {Joseph Landry}, title = {{Sophisticated New Packer Identified in CryptXXX Ransomware Sample}}, date = {2016-05-05}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/}, language = {English}, urldate = {2020-12-20} } @online{landry:20160712:malware:c5d817c, author = {Joseph Landry and Udi Shamir}, title = {{Malware Discovered – SFG: Furtim Malware Analysis}}, date = {2016-07-12}, url = {https://sentinelone.com/blogs/sfg-furtims-parent/}, language = {English}, urldate = {2019-12-05} } @online{langton:20201214:everything:6b8dda8, author = {Asher Langton}, title = {{Everything but the kitchen sink: more attacks from the Gitpaste-12 worm}}, date = {2020-12-14}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm}, language = {English}, urldate = {2020-12-17} } @online{langton:20210426:linux:4c4d942, author = {Asher Langton}, title = {{Linux Servers Hijacked to Implant SSH Backdoor}}, date = {2021-04-26}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor}, language = {English}, urldate = {2021-05-04} } @online{langton:20210827:realtek:71aea1b, author = {Asher Langton}, title = {{RealTek CVE-2021-35394 Exploited in the Wild}}, date = {2021-08-27}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild}, language = {English}, urldate = {2021-08-31} } @online{langton:20210902:attacks:f9b9494, author = {Asher Langton and Alex Burt}, title = {{Attacks Continue Against Realtek Vulnerabilities}}, date = {2021-09-02}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities}, language = {English}, urldate = {2021-09-06} } @techreport{lanstein:2013:apts:2b30193, author = {Alex Lanstein}, title = {{APTs By The Dozen: Dissecting Advanced Attacks}}, date = {2013}, institution = {FireEye}, url = {https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf}, language = {English}, urldate = {2020-08-14} } @online{lanstein:20140325:spear:762baf1, author = {Alex Lanstein and Ned Moran}, title = {{Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370}}, date = {2014-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html}, language = {English}, urldate = {2019-12-20} } @online{lanstein:20210604:unc2652nobelium:460c6ab, author = {Alex Lanstein}, title = {{Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879}}, date = {2021-06-04}, organization = {Twitter (@alex_lanstein)}, url = {https://twitter.com/alex_lanstein/status/1399829754887524354}, language = {English}, urldate = {2021-07-26} } @online{lanstein:20210716:attacks:e5901e5, author = {Alex Lanstein}, title = {{Tweet on attacks from UNC2652/NOBELIUM}}, date = {2021-07-16}, organization = {Twitter (@alex_lanstein)}, url = {https://twitter.com/alex_lanstein/status/1415761111891148800}, language = {English}, urldate = {2021-07-20} } @online{lanstein:20210726:bitter:8ab79ce, author = {Alex Lanstein}, title = {{Tweet on BITTER group widely targeting diplomats in Yangon}}, date = {2021-07-26}, organization = {Twitter (@alex_lanstein)}, url = {https://twitter.com/alex_lanstein/status/1419502826561097728}, language = {English}, urldate = {2021-08-02} } @online{lanzendorfer:20201211:investigating:273e6fb, author = {Marc Lanzendorfer}, title = {{Investigating the Gootkit Loader}}, date = {2020-12-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html}, language = {English}, urldate = {2020-12-14} } @online{lapienyt:20220314:new:965eae1, author = {Jurgita Lapienytė}, title = {{New destructive wiper malware deployed in Ukraine}}, date = {2022-03-14}, organization = {Cybernews}, url = {https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/}, language = {English}, urldate = {2022-03-15} } @online{lapusneanu:20230616:fragments:68dc640, author = {Andrei Lapusneanu and Bogdan Botezatu}, title = {{Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack}}, date = {2023-06-16}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/}, language = {English}, urldate = {2023-06-27} } @online{lapusneanu:20240227:when:c55e08b, author = {Andrei Lapusneanu}, title = {{When Stealers Converge: New Variant of Atomic Stealer in the Wild}}, date = {2024-02-27}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/}, language = {English}, urldate = {2024-03-18} } @online{largent:20180606:vpnfilter:157380d, author = {William Largent}, title = {{VPNFilter Update - VPNFilter exploits endpoints, targets new devices}}, date = {2018-06-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1}, language = {English}, urldate = {2019-12-10} } @online{larin:20180208:how:73fd187, author = {Boris Larin and Vladislav Stolyarov}, title = {{How not to use a driver to execute code with kernel privileges}}, date = {2018-02-08}, organization = {Kaspersky}, url = {https://securelist.com/elevation-of-privileges-in-namco-driver/83707/}, language = {English}, urldate = {2022-04-12} } @online{larin:20180509:king:395c5c8, author = {Boris Larin and Anton Ivanov and Vladislav Stolyarov}, title = {{The King is dead. Long live the King!}}, date = {2018-05-09}, organization = {Kaspersky}, url = {https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/}, language = {English}, urldate = {2022-04-12} } @online{larin:20181114:new:4fe240d, author = {Boris Larin and Anton Ivanov and Vladislav Stolyarov}, title = {{A new exploit for zero-day vulnerability CVE-2018-8589}}, date = {2018-11-14}, organization = {Kaspersky}, url = {https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/}, language = {English}, urldate = {2022-04-12} } @online{larin:20181212:zeroday:4c8907e, author = {Boris Larin and Vladislav Stolyarov and Anton Ivanov}, title = {{Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)}}, date = {2018-12-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/}, language = {English}, urldate = {2019-12-20} } @online{larin:20200528:zeroday:e7fee04, author = {Boris Larin and Alexey Kulaev}, title = {{The zero-day exploits of Operation WizardOpium}}, date = {2020-05-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/}, language = {English}, urldate = {2020-05-29} } @online{larin:20200624:magnitude:90a4a71, author = {Boris Larin}, title = {{Magnitude exploit kit - evolution}}, date = {2020-06-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/magnitude-exploit-kit-evolution/97436/}, language = {English}, urldate = {2020-06-24} } @online{larin:20200812:internet:91fcf4e, author = {Boris Larin}, title = {{Internet Explorer and Windows zero-day exploits used in Operation PowerFall}}, date = {2020-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/}, language = {English}, urldate = {2020-08-12} } @online{larin:20200902:operation:e5c12ad, author = {Boris Larin}, title = {{Operation PowerFall: CVE-2020-0986 and variants}}, date = {2020-09-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/}, language = {English}, urldate = {2020-09-03} } @online{larin:20210413:zeroday:8f9d6e3, author = {Boris Larin and Brian Bartholomew and Costin Raiu}, title = {{Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild}}, date = {2021-04-13}, organization = {Kaspersky}, url = {https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/}, language = {English}, urldate = {2021-04-14} } @online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } @online{larin:20211012:mysterysnail:35bdc92, author = {Boris Larin and Costin Raiu}, title = {{MysterySnail attacks with Windows zero-day}}, date = {2021-10-12}, url = {https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/}, language = {English}, urldate = {2021-10-14} } @online{larin:20231227:operation:42513fd, author = {Boris Larin and Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov and Valentin Pashkov and Mikhail Vinogradov}, title = {{Operation Triangulation: The last (hardware) mystery}}, date = {2023-12-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/}, language = {English}, urldate = {2024-01-02} } @online{larin:20231227:operation:6302ae4, author = {Boris Larin and Leonid Bezvershenko and Georgy Kucherin}, title = {{Operation Triangulation: What You Get When Attack iPhones of Researchers}}, date = {2023-12-27}, organization = {Chaos Communication Congress}, url = {https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers}, language = {English}, urldate = {2024-01-02} } @online{larin:20241023:crypto:1b529df, author = {Boris Larin}, title = {{The Crypto Game of Lazarus APT: Investors vs. Zero-days}}, date = {2024-10-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/}, language = {English}, urldate = {2024-10-25} } @online{larinier:20180716:sidewinder:cb05fe4, author = {Sébastien Larinier}, title = {{APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading}}, date = {2018-07-16}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c}, language = {English}, urldate = {2020-01-13} } @online{larinier:20180731:malicious:571d2df, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?}, language = {English}, urldate = {2020-03-04} } @online{larinier:20180731:malicious:5e45e30, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a}, language = {English}, urldate = {2023-11-27} } @online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } @online{larinier:20180828:when:0389d90, author = {Sébastien Larinier}, title = {{When a malware is more complex than the paper}}, date = {2018-08-28}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257}, language = {English}, urldate = {2020-01-13} } @online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } @online{larinier:20190502:goblin:a0118b4, author = {Sébastien Larinier}, title = {{Goblin Panda continues to target Vietnam}}, date = {2019-05-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6}, language = {English}, urldate = {2019-10-23} } @online{larinier:20190708:copy:99b120f, author = {Sébastien Larinier}, title = {{Copy cat of APT Sidewinder ?}}, date = {2019-07-08}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d}, language = {English}, urldate = {2023-04-22} } @online{larinier:20200207:40:9415c5c, author = {Sébastien Larinier}, title = {{APT 40 in Malaysia}}, date = {2020-02-07}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9}, language = {English}, urldate = {2020-02-09} } @online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } @online{larinier:20200708:how:7d692bb, author = {Sébastien Larinier}, title = {{How to unpack Chinoxy backdoor and decipher the configuration of the backdoor}}, date = {2020-07-08}, organization = {Medium (@sevdraven)}, url = {https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02}, language = {English}, urldate = {2020-07-11} } @online{larinier:20201126:actor:449d888, author = {Sébastien Larinier}, title = {{Actor behind Operation LagTime targets Russia}}, date = {2020-11-26}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9}, language = {English}, urldate = {2021-02-26} } @online{larinier:20210105:link:91ecfb1, author = {Sébastien Larinier}, title = {{Tweet on link between Babuk and Vasa locker}}, date = {2021-01-05}, organization = {Twitter (@Sebdraven)}, url = {https://twitter.com/Sebdraven/status/1346377590525845504}, language = {English}, urldate = {2021-01-10} } @online{larinier:20220131:whisperkill:a46b908, author = {Sébastien Larinier}, title = {{WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…}}, date = {2022-01-31}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316}, language = {French}, urldate = {2022-03-07} } @online{larinier:20230224:ioctl:6389112, author = {Sébastien Larinier}, title = {{Tweet on IOCTL manipulation in TDL4 and HermeticWiper}}, date = {2023-02-24}, organization = {Twitter (@Sebdraven)}, url = {https://twitter.com/Sebdraven/status/1496878431719473155}, language = {English}, urldate = {2023-05-25} } @online{larrieu:20211101:diving:a732a35, author = {Heather Larrieu and Curt Wilson and Katrina Hill}, title = {{Diving into double extortion campaigns}}, date = {2021-11-01}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns}, language = {English}, urldate = {2021-11-03} } @online{larsen:20230615:barracuda:598d642, author = {Austin Larsen and John Palmisano and Mathew Potaczek and John Wolfram and Matthew McWhirt and Jakub Jozwiak and Fernando Tomlinson and Josh Villanueva and Alyssa Glickman}, title = {{Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China}}, date = {2023-06-15}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/}, language = {English}, urldate = {2025-01-27} } @online{larsen:20230615:barracuda:f81b131, author = {Austin Larsen and John Palmisano and Mathew Potaczek and John Wolfram and Matthew McWhirt}, title = {{Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China}}, date = {2023-06-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally}, language = {English}, urldate = {2023-06-19} } @online{larsen:20230724:north:cce7489, author = {Austin Larsen and Dan Kelly and Joseph Pisano and Mark Golembiewski and Matt Williams and Paige Godvin}, title = {{North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack}}, date = {2023-07-24}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/north-korea-supply-chain}, language = {English}, urldate = {2023-07-24} } @online{larsen:20230829:diving:0e25f27, author = {Austin Larsen and John Palmisano and John Wolfram and Mathew Potaczek and Michael Raggi}, title = {{Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)}}, date = {2023-08-29}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation/}, language = {English}, urldate = {2025-01-27} } @online{larsen:20230829:diving:2555400, author = {Austin Larsen and John Palmisano and John Wolfram and Mathew Potaczek and Michael Raggi}, title = {{Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)}}, date = {2023-08-29}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation}, language = {English}, urldate = {2025-01-28} } @techreport{larson:20201216:assessing:9a5adb8, author = {Selena Larson and Camille Singleton and IBM SECURITY X-FORCE}, title = {{Assessing Ransomware and Extortion Activities Impacting Industrial Organizations: Ransomware in ICS Environments}}, date = {2020-12-16}, institution = {Dragos}, url = {https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf}, language = {English}, urldate = {2020-12-17} } @online{larson:20210415:threat:cdfef32, author = {Selena Larson}, title = {{Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes}}, date = {2021-04-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes}, language = {English}, urldate = {2021-08-23} } @online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } @online{larson:20210629:cobalt:99ad5a0, author = {Selena Larson and Daniel Blackford}, title = {{Cobalt Strike: Favorite Tool from APT to Crimeware}}, date = {2021-06-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware}, language = {English}, urldate = {2021-06-29} } @online{larson:20210701:malware:6c6fb99, author = {Selena Larson and Bryan Campbell}, title = {{Malware Masquerades as Privacy Tool}}, date = {2021-07-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/malware-masquerades-privacy-tool}, language = {English}, urldate = {2021-07-11} } @online{larson:20210929:ta544:ab2f0d3, author = {Selena Larson and Proofpoint Staff}, title = {{TA544 Targets Italian Organizations with Ursnif Malware}}, date = {2021-09-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware}, language = {English}, urldate = {2021-10-11} } @online{larson:20211027:new:0d80a57, author = {Selena Larson and Joe Wise}, title = {{New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns}}, date = {2021-10-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread}, language = {English}, urldate = {2021-11-03} } @online{larson:20211104:caught:a80a9f0, author = {Selena Larson and Sam Scholten and Timothy Kromphardt}, title = {{Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery}}, date = {2021-11-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery}, language = {English}, urldate = {2021-11-08} } @online{larson:20211207:university:1fd4da4, author = {Selena Larson and Jake G}, title = {{University Targeted Credential Phishing Campaigns Use COVID-19, Omicron Themes}}, date = {2021-12-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/university-targeted-credential-phishing-campaigns-use-covid-19-omicron-themes}, language = {English}, urldate = {2021-12-08} } @online{larson:20220215:charting:0205206, author = {Selena Larson and Joe Wise}, title = {{Charting TA2541's Flight}}, date = {2022-02-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight}, language = {English}, urldate = {2022-02-16} } @online{larson:20240306:ta4903:6fa5603, author = {Selena Larson and Jake G and Dusty Miller}, title = {{TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids}}, date = {2024-03-06}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids}, language = {English}, urldate = {2024-08-29} } @online{lasha:20170701:remcos:984d85c, author = {lasha}, title = {{Remcos RAT}}, date = {2017-07-01}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/RemcosRAT/}, language = {English}, urldate = {2020-01-09} } @online{lasq:20180723:deobfuscating:dd200d6, author = {Lasq}, title = {{Deobfuscating Emotet’s powershell payload}}, date = {2018-07-23}, organization = {MalFind}, url = {https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/}, language = {English}, urldate = {2020-01-09} } @online{lasq:20220203:analyzing:7e58c93, author = {Lasq}, title = {{Analyzing WhisperGate - destructive malware targeting Ukraine - part 1}}, date = {2022-02-03}, organization = {YouTube (Malfind Labs)}, url = {https://www.youtube.com/watch?v=Ek3URIaC5O8}, language = {English}, urldate = {2022-02-07} } @online{latvia:20210415:latvias:9f5fa8a, author = {Ministry of foreign affairs of the Republic of Latvia}, title = {{Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities (Deadlink)}}, date = {2021-04-15}, organization = {Ministry of foreign affairs of the Republic of Latvia}, url = {https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities}, language = {English}, urldate = {2021-08-02} } @online{lau:20220215:analysis:150f133, author = {Tim Lau}, title = {{Analysis of Microsoft CVE-2022-21907}}, date = {2022-02-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/analysis-of-microsoft-cve-2022-21907}, language = {English}, urldate = {2022-02-19} } @online{lau:20250218:inside:ce6a967, author = {Lina Lau}, title = {{An inside look at NSA (Equation Group) TTPs from China’s lense}}, date = {2025-02-18}, organization = {inversecos}, url = {https://www.inversecos.com/2025/02/an-inside-look-at-nsa-equation-group.html}, language = {English}, urldate = {2025-02-19} } @online{lazic:20220203:investigating:b588416, author = {Michael Lazic}, title = {{Investigating Lateral Movement — WMI and Scheduled Tasks}}, date = {2022-02-03}, organization = {Gigamon}, url = {https://blog.gigamon.com/2022/02/03/investigating-lateral-movement-wmi-and-scheduled-tasks/}, language = {English}, urldate = {2022-02-10} } @online{lc4m:20200626:lalala:922eb17, author = {lc4m}, title = {{Tweet on LALALA stealer and how its name was chosen}}, date = {2020-06-26}, organization = {Twitter (@luc4m)}, url = {https://twitter.com/luc4m/status/1276477397102145538}, language = {English}, urldate = {2020-06-30} } @techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } @online{leal:20201105:alfa:a79687b, author = {Luke Leal}, title = {{ALFA TEaM Shell ~ v4.1-Tesla: A Feature Update Analysis}}, date = {2020-11-05}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update-analysis.html}, language = {English}, urldate = {2020-11-09} } @online{leal:20201126:hackers:7ab5846, author = {Luke Leal}, title = {{Hackers Love Expired Domains}}, date = {2020-11-26}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/11/hackers-love-expired-domains.html}, language = {English}, urldate = {2020-12-01} } @online{leal:20201201:free:68dac25, author = {Luke Leal}, title = {{“Free” Symchanger Malware Tricks Users Into Installing Backdoor}}, date = {2020-12-01}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/12/free-symchanger-malware-tricks-users-into-installing-backdoor.html}, language = {English}, urldate = {2020-12-08} } @online{leal:20201204:obfuscation:89d85ee, author = {Luke Leal}, title = {{Obfuscation Techniques in MARIJUANA Shell “Bypass”}}, date = {2020-12-04}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/12/obfuscation-techniques-in-marijuana-shell-bypass.html}, language = {English}, urldate = {2020-12-10} } @online{leal:20210114:realtime:8580298, author = {Luke Leal}, title = {{Real-Time Phishing Kit Targets Brazilian Central Bank}}, date = {2021-01-14}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/01/real-time-phishing-kit-targets-brazilian-central-bank.html}, language = {English}, urldate = {2021-01-18} } @online{leal:20220809:fake:2046fc6, author = {Luke Leal}, title = {{Fake Instagram Verification & Twitter Badge Phishing}}, date = {2022-08-09}, organization = {SUCURI}, url = {https://blog.sucuri.net/2022/08/fake-instagram-verification-twitter-badge-phishing.html}, language = {English}, urldate = {2022-08-17} } @online{leardi:20220508:tracking:8f52310, author = {Michael Leardi and Joey Fitzpatrick and Brent Eskridge}, title = {{Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine}}, date = {2022-05-08}, organization = {IronNet}, url = {https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine}, language = {English}, urldate = {2022-05-09} } @online{lebedev:20210412:deep:9094f6c, author = {Ivan Lebedev}, title = {{Deep water: exploring phishing kits}}, date = {2021-04-12}, organization = {Group-IB}, url = {https://blog.group-ib.com/phishing-kits}, language = {English}, urldate = {2021-06-16} } @online{lechtik:20180204:dorkbot:7c9daf2, author = {Mark Lechtik}, title = {{DorkBot: An Investigation}}, date = {2018-02-04}, organization = {Check Point}, url = {https://research.checkpoint.com/dorkbot-an-investigation/}, language = {English}, urldate = {2020-01-09} } @online{lechtik:20180612:deep:67efc2c, author = {Mark Lechtik}, title = {{Deep Dive into UPAS Kit vs. Kronos}}, date = {2018-06-12}, organization = {Check Point Research}, url = {https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/}, language = {English}, urldate = {2020-01-07} } @online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } @online{lechtik:20200924:cycldek:8b488b1, author = {Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek aka Goblin Panda: Chronicles of the Goblin}}, date = {2020-09-24}, organization = {CARO}, url = {https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view}, language = {English}, urldate = {2020-09-25} } @online{lechtik:20201005:mosaicregressor:32f008c, author = {Mark Lechtik and Igor Kuznetsov and Yury Parshin}, title = {{MosaicRegressor: Lurking in the Shadows of UEFI}}, date = {2020-10-05}, organization = {Kaspersky}, url = {https://securelist.com/mosaicregressor/}, language = {English}, urldate = {2022-04-25} } @online{lechtik:20201005:mosaicregressor:66ce234, author = {Mark Lechtik and Igor Kuznetsov}, title = {{MosaicRegressor: Lurking in the Shadows of UEFI}}, date = {2020-10-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mosaicregressor/98849/}, language = {English}, urldate = {2020-10-08} } @techreport{lechtik:20201005:mosaicregressor:9e14a30, author = {Mark Lechtik and Igor Kuznetsov}, title = {{MosaicRegressor: Lurking in the Shadows of UEFI (Technical Details)}}, date = {2020-10-05}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/05094208/MosaicRegressor_Technical-details.pdf}, language = {English}, urldate = {2020-10-08} } @online{lechtik:20210506:operation:b437cc1, author = {Mark Lechtik and Giampaolo Dedola}, title = {{Operation TunnelSnake}}, date = {2021-05-06}, organization = {Kaspersky}, url = {https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/}, language = {English}, urldate = {2021-05-08} } @online{lechtik:20210714:luminousmoth:a5cf19d, author = {Mark Lechtik and Paul Rascagnères and Aseel Kayal}, title = {{LuminousMoth APT: Sweeping attacks for the chosen few}}, date = {2021-07-14}, organization = {Kaspersky}, url = {https://securelist.com/apt-luminousmoth/103332/}, language = {English}, urldate = {2021-07-20} } @online{lechtik:20210930:ghostemperor:f7bdb63, author = {Mark Lechtik and Aseel Kayal and Paul Rascagnères and Vasily Berdnikov}, title = {{GhostEmperor: From ProxyLogon to kernel mode}}, date = {2021-09-30}, organization = {Kaspersky}, url = {https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/}, language = {English}, urldate = {2021-10-05} } @online{lechtik:20220120:moonbounce:cd173f1, author = {Mark Lechtik and Vasily Berdnikov and Denis Legezo and Ilya Borisov}, title = {{MoonBounce: the dark side of UEFI firmware}}, date = {2022-01-20}, organization = {Kaspersky}, url = {https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/}, language = {English}, urldate = {2022-01-24} } @techreport{lechtik:20220120:technical:fa16a24, author = {Mark Lechtik and Vasily Berdnikov and Denis Legezo and Ilya Borisov}, title = {{Technical details of MoonBounce’s implementation}}, date = {2022-01-20}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf}, language = {English}, urldate = {2022-01-25} } @online{lecigne:20200605:exploits:37a164b, author = {Clement Lecigne and Google Threat Analysis Group}, title = {{Exploits of a TAG analyst chasing in the wild (video)}}, date = {2020-06-05}, organization = {Google}, url = {https://static.sstic.org/videos2020/1080p/cloture_2020.mp4}, language = {French}, urldate = {2022-05-23} } @techreport{lecigne:20200605:exploits:f7ed07e, author = {Clement Lecigne and Google Threat Analysis Group}, title = {{Exploits of a TAG analyst chasing in the wild (slides)}}, date = {2020-06-05}, institution = {Google}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/cloture_2020/SSTIC2020-Slides-cloture_2020-lecigne.pdf}, language = {English}, urldate = {2022-05-23} } @online{lecigne:20220519:protecting:847f98a, author = {Clement Lecigne and Christian Resell and Google Threat Analysis Group}, title = {{Protecting Android users from 0-Day attacks}}, date = {2022-05-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/}, language = {English}, urldate = {2022-05-25} } @online{lecigne:20221207:internet:c6ec713, author = {Clement Lecigne and Benoit Sevens}, title = {{Internet Explorer 0-day exploited by North Korean actor APT37}}, date = {2022-12-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/}, language = {English}, urldate = {2022-12-08} } @online{lecigne:20230329:spyware:908f754, author = {Clement Lecigne and Google Threat Analysis Group}, title = {{Spyware vendors use 0-days and n-days against popular platforms}}, date = {2023-03-29}, organization = {Google}, url = {https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/}, language = {English}, urldate = {2023-04-22} } @online{lecigne:20230907:active:d42dacb, author = {Clement Lecigne and Maddie Stone and Google Threat Analysis Group}, title = {{Active North Korean campaign targeting security researchers}}, date = {2023-09-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/}, language = {English}, urldate = {2023-09-08} } @online{lecigne:20240829:statebacked:8f0ea7a, author = {Clement Lecigne and Josh Atkins and Luke Jenkins}, title = {{State-backed attackers and commercial surveillance vendors repeatedly use the same exploits}}, date = {2024-08-29}, organization = {Google}, url = {https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/}, language = {English}, urldate = {2024-09-13} } @techreport{lecigne:20241006:caught:73b51d9, author = {Clement Lecigne and Google Threat Analysis Group}, title = {{Caught in the wild - Past, present and future}}, date = {2024-10-06}, institution = {Google}, url = {https://www.hexacon.fr/slides/Lecigne-Caught_in_the_wild,past,present,future..pdf}, language = {English}, urldate = {2024-11-11} } @online{lecigne:20241106:caught:4710af1, author = {Clement Lecigne and Google Threat Analysis Group}, title = {{Caught in the wild - Past, present and future}}, date = {2024-11-06}, organization = {YouTube ( Hexacon)}, url = {https://www.youtube.com/watch?v=2zrcemxCg4Y}, language = {English}, urldate = {2024-11-11} } @online{ledbetter:20210328:suncrypt:121d53e, author = {David Ledbetter}, title = {{SunCrypt, PowerShell obfuscation, shellcode and more yara}}, date = {2021-03-28}, organization = {PC's Xcetra Support}, url = {https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/}, language = {English}, urldate = {2021-03-31} } @online{ledbetter:20211116:excel:a63e7d6, author = {David Ledbetter}, title = {{Excel 4 macro code obfuscation}}, date = {2021-11-16}, organization = {PC's Xcetra Support}, url = {https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/}, language = {English}, urldate = {2021-11-25} } @online{ledbetter:20220829:office:efe24cb, author = {David Ledbetter}, title = {{Office Files, RTF files, Shellcode and more shenanigans}}, date = {2022-08-29}, organization = {InQuest}, url = {https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans}, language = {English}, urldate = {2022-08-31} } @online{lee:20150720:watering:0a84edb, author = {Bryan Lee and Josh Grunzweig}, title = {{Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor}}, date = {2015-07-20}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/}, language = {English}, urldate = {2020-02-13} } @online{lee:20151222:bbsrat:d5ec63d, author = {Bryan Lee and Josh Grunzweig}, title = {{BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger}}, date = {2015-12-22}, url = {https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/}, language = {English}, urldate = {2019-11-21} } @online{lee:20160109:confirmation:a5aeb08, author = {Robert M. Lee}, title = {{Confirmation of a Coordinated Attack on the Ukrainian Power Grid}}, date = {2016-01-09}, organization = {Industrial Control Systems}, url = {https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid}, language = {English}, urldate = {2020-01-07} } @online{lee:20160212:look:1483b5a, author = {Bryan Lee and Rob Downs}, title = {{A Look Into Fysbis: Sofacy’s Linux Backdoor}}, date = {2016-02-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/}, language = {English}, urldate = {2020-01-13} } @online{lee:20160212:look:4113ea1, author = {Bryan Lee and Rob Downs}, title = {{A Look Into Fysbis: Sofacy’s Linux Backdoor}}, date = {2016-02-12}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{lee:20160217:oceanlotus:b309baf, author = {Eddie Lee}, title = {{OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update}}, date = {2016-02-17}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update}, language = {English}, urldate = {2020-01-09} } @online{lee:20160321:os:892f883, author = {Eddie Lee and Krishna Kona}, title = {{OS X Malware Samples Analyzed}}, date = {2016-03-21}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed}, language = {English}, urldate = {2019-11-17} } @online{lee:20170215:magic:d143d8f, author = {Bryan Lee and Robert Falcone}, title = {{Magic Hound Campaign Attacks Saudi Targets}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/}, language = {English}, urldate = {2020-01-09} } @online{lee:20170215:magic:e0b1b72, author = {Bryan Lee and Robert Falcone}, title = {{Magic Hound Campaign Attacks Saudi Targets}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/}, language = {English}, urldate = {2019-09-22} } @online{lee:201712:trisis:978f131, author = {Robert M. Lee}, title = {{TRISIS: Analyzing Safety System Targeting Malware}}, date = {2017-12}, organization = {Dragos}, url = {https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/}, language = {English}, urldate = {2019-12-17} } @online{lee:20180223:oopsie:3a5deb8, author = {Bryan Lee and Robert Falcone}, title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}}, date = {2018-02-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/}, language = {English}, urldate = {2020-01-13} } @online{lee:20180223:oopsie:f09d30f, author = {Bryan Lee and Robert Falcone}, title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}}, date = {2018-02-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/}, language = {English}, urldate = {2019-12-20} } @online{lee:20180228:sofacy:04fead3, author = {Bryan Lee and Mike Harbison and Robert Falcone}, title = {{Sofacy Attacks Multiple Government Entities}}, date = {2018-02-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/}, language = {English}, urldate = {2020-01-06} } @online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } @online{lee:20180725:oilrig:d332c68, author = {Bryan Lee and Robert Falcone}, title = {{OilRig Targets Technology Service Provider and Government Agency with QUADAGENT}}, date = {2018-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/}, language = {English}, urldate = {2019-11-29} } @online{lee:20181212:dear:0d9a44e, author = {Bryan Lee and Robert Falcone}, title = {{Dear Joohn: The Sofacy Group’s Global Campaign}}, date = {2018-12-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/}, language = {English}, urldate = {2020-01-08} } @online{lee:20190430:behind:01b3010, author = {Bryan Lee and Robert Falcone}, title = {{Behind the Scenes with OilRig}}, date = {2019-04-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/}, language = {English}, urldate = {2020-01-06} } @online{lee:20190523:one:4d2b33e, author = {Martin Lee}, title = {{One year later: The VPNFilter catastrophe that wasn't}}, date = {2019-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html}, language = {English}, urldate = {2019-07-09} } @online{lee:20190905:cb:5dd9651, author = {Swee Lai Lee}, title = {{CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware}}, date = {2019-09-05}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{lee:20191209:trickbot:48d9da3, author = {Bryan Lee and Brittany Ash and Mike Harbison}, title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}}, date = {2019-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/}, language = {English}, urldate = {2020-01-22} } @online{lee:20200413:apt41:fdd4c46, author = {Bryan Lee and Robert Falcone and Jen Miller-Osborn}, title = {{APT41 Using New Speculoos Backdoor to Target Organizations Globally}}, date = {2020-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/}, language = {English}, urldate = {2020-04-14} } @online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } @online{lee:202011:vjw0rm:7a5eb04, author = {Chris Lee}, title = {{Vjw0rm Is Back With New Tactics}}, date = {2020-11}, organization = {AppRiver}, url = {https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics}, language = {English}, urldate = {2021-10-05} } @online{lee:20201215:symrise:e60ff65, author = {Minhee Lee}, title = {{Tweet on Symrise group hit by Clop Ransomware}}, date = {2020-12-15}, organization = {Twitter (@darb0ng)}, url = {https://twitter.com/darb0ng/status/1338692764121251840}, language = {English}, urldate = {2020-12-15} } @techreport{lee:20211007:operation:0e74d68, author = {Taewoo Lee and Dongwook Kim and Byeongjae Kim}, title = {{Operation Bookcodes – targeting South Korea}}, date = {2021-10-07}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf}, language = {English}, urldate = {2023-07-24} } @online{lee:20220502:pipedream:0316f77, author = {Robert M. Lee}, title = {{PIPEDREAM – Most Flexible & Capable ICS Malware To Date}}, date = {2022-05-02}, organization = {YouTube (S4 Events)}, url = {https://www.youtube.com/watch?v=H82sbIwFxt4}, language = {English}, urldate = {2025-06-13} } @online{lee:20230127:ttps:7fa02fb, author = {Taewoo Lee and Dongwook Kim and Seulgi Lee}, title = {{TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives}}, date = {2023-01-27}, organization = {ThorCERT}, url = {https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92}, language = {Korean}, urldate = {2023-02-14} } @online{lee:20230208:earth:8a60ce3, author = {Ted Lee}, title = {{Earth Zhulong: Familiar Patterns Target Southeast Asian Firms}}, date = {2023-02-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html}, language = {English}, urldate = {2023-11-27} } @online{lee:20230308:suspected:ebbc1c8, author = {DANIEL LEE and Stephen Eckels and Ben Read}, title = {{Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices}}, date = {2023-03-08}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall}, language = {English}, urldate = {2023-04-22} } @online{lee:20230316:beeware:1ad83b4, author = {Frank Lee and Scott Roland}, title = {{Bee-Ware of Trigona, An Emerging Ransomware Strain}}, date = {2023-03-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trigona-ransomware-update/}, language = {English}, urldate = {2023-03-20} } @online{lee:20230413:north:d400059, author = {Jean Lee and Michael Barnhart and Mandiant}, title = {{The North Korean Cyber Threat}}, date = {2023-04-13}, organization = {YouTube (The Korea Society)}, url = {https://www.youtube.com/watch?v=hFQvn0ig-Ic}, language = {English}, urldate = {2023-04-22} } @online{lee:20230502:attack:c33db79, author = {Ted Lee and Hara Hiroaki}, title = {{Attack on Security Titans: Earth Longzhi Returns With New Tricks}}, date = {2023-05-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html}, language = {English}, urldate = {2023-05-04} } @online{lee:20230830:earth:c1b8496, author = {Ted Lee and Lenart Bermejo and Hara Hiroaki and Leon M Chang and Gilbert Sison}, title = {{Earth Estries Targets Government, Tech for Cyberespionage}}, date = {2023-08-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html}, language = {English}, urldate = {2023-12-04} } @online{lee:20231106:jupyter:58d6320, author = {Swee Lai Lee and Bria Beathley and Abe Schneider and Alan Ngo}, title = {{Jupyter Rising: An Update on Jupyter Infostealer}}, date = {2023-11-06}, organization = {VMWare Carbon Black}, url = {https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html}, language = {English}, urldate = {2023-11-17} } @online{lee:20240822:peaklight:258e9ed, author = {Aaron Lee and Praveeth DSouza}, title = {{PEAKLIGHT: Decoding the Stealthy Memory-Only Malware}}, date = {2024-08-22}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/}, language = {English}, urldate = {2024-12-13} } @online{lee:20240906:tidrone:4bbff5d, author = {Pierre Lee and Vickie Su}, title = {{TIDRONE Targets Military and Satellite Industries in Taiwan}}, date = {2024-09-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html}, language = {English}, urldate = {2024-10-21} } @online{lee:20240919:earth:45195b6, author = {Ted Lee and Cyris Tseng and Pierre Lee and Sunny Lu and Philip Chen}, title = {{Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC (IoCs)}}, date = {2024-09-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt}, language = {English}, urldate = {2024-09-26} } @online{lee:20240919:earth:57874f8, author = {Ted Lee and Cyris Tseng and Pierre Lee and Sunny Lu and Philip Chen}, title = {{Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC}}, date = {2024-09-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html}, language = {English}, urldate = {2024-09-26} } @online{lee:20241108:breaking:a5dc8d8, author = {Ted Lee and Leon M Chang and Lenart Bermejo}, title = {{Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations}}, date = {2024-11-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html}, language = {English}, urldate = {2024-11-17} } @online{lee:20250513:earth:f88cd5f, author = {Pierre Lee and Vickie Su and Philip Chen}, title = {{Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan}}, date = {2025-05-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html}, language = {English}, urldate = {2025-05-22} } @online{lefton:20240710:cve20244577:95786de, author = {Kyle Lefton and Allen West and Sam Tinklenberg}, title = {{CVE-2024-4577 Exploits in the Wild One Day After Disclosure}}, date = {2024-07-10}, organization = {Akamai}, url = {https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure}, language = {English}, urldate = {2024-07-29} } @online{lefton:20250506:here:7ae1df7, author = {Kyle Lefton}, title = {{Here Comes Mirai: IoT Devices RSVP to Active Exploitation}}, date = {2025-05-06}, organization = {Akamai}, url = {https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet}, language = {English}, urldate = {2025-05-20} } @online{legezo:20161123:inpage:4e588c5, author = {Denis Legezo}, title = {{InPage zero-day exploit used to attack financial institutions in Asia}}, date = {2016-11-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/}, language = {English}, urldate = {2022-01-03} } @online{legezo:20180613:luckymouse:26f9860, author = {Denis Legezo}, title = {{LuckyMouse hits national data center to organize country-level waterholing campaign}}, date = {2018-06-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-hits-national-data-center/86083/}, language = {English}, urldate = {2019-12-20} } @online{legezo:20190130:chafer:bb3ce4d, author = {Denis Legezo}, title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}}, date = {2019-01-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/chafer-used-remexi-malware/89538/}, language = {English}, urldate = {2019-12-20} } @online{legezo:20200324:wildpressure:add6905, author = {Denis Legezo}, title = {{WildPressure targets industrial-related entities in the Middle East}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/}, language = {English}, urldate = {2020-03-26} } @online{legezo:20200518:microcin:b3147b6, author = {Denis Legezo}, title = {{Microcin Decryptor}}, date = {2020-05-18}, organization = {Github (dlegezo)}, url = {https://github.com/dlegezo/common}, language = {English}, urldate = {2020-05-19} } @online{legezo:20200619:microcin:122f2ca, author = {Denis Legezo}, title = {{Microcin is here With asynchronous sockets, steganography, GitLab ban and a sock}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353/}, language = {English}, urldate = {2020-06-21} } @online{legezo:20200619:microcin:c832dc1, author = {Denis Legezo}, title = {{Microcin is here}}, date = {2020-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/microcin-is-here/97353}, language = {English}, urldate = {2022-07-25} } @online{legezo:20201008:montysthree:77664e4, author = {Denis Legezo}, title = {{MontysThree: Industrial espionage with steganography and a Russian accent on both sides}}, date = {2020-10-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/montysthree-industrial-espionage/98972/}, language = {English}, urldate = {2020-10-12} } @online{legezo:20210707:wildpressure:0bdf5ef, author = {Denis Legezo}, title = {{WildPressure targets the macOS platform}}, date = {2021-07-07}, organization = {Kaspersky}, url = {https://securelist.com/wildpressure-targets-macos/103072/}, language = {English}, urldate = {2021-07-09} } @online{legezo:20220504:new:02f705f, author = {Denis Legezo}, title = {{A new secret stash for “fileless” malware}}, date = {2022-05-04}, organization = {Kaspersky}, url = {https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/}, language = {English}, urldate = {2022-05-09} } @online{legezo:20220505:new:2825dcc, author = {Denis Legezo}, title = {{New secret stash for "fileless" malware}}, date = {2022-05-05}, organization = {Youtube (Kaspersky)}, url = {https://www.youtube.com/watch?v=FT5hVGaR0YI}, language = {English}, urldate = {2022-05-25} } @online{lehmann:20170821:infinitylock:ea82543, author = {Max Lehmann}, title = {{InfinityLock Ransomware}}, date = {2017-08-21}, organization = {Anti-spyware 101}, url = {https://anti-spyware-101.com/remove-infinitylock-ransomware}, language = {English}, urldate = {2023-07-02} } @online{lehti:20150722:duke:8f54e8b, author = {Artturi Lehtiö}, title = {{Duke APT group's latest tools: cloud services and Linux support}}, date = {2015-07-22}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002822.html}, language = {English}, urldate = {2019-10-15} } @online{lei:20180124:lazarus:63d2701, author = {CH Lei and Fyodor Yarochkin and Lenart Bermejo and Philippe Z Lin and Razor Huang}, title = {{Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More}}, date = {2018-01-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/}, language = {English}, urldate = {2020-01-08} } @online{lei:20220906:mirai:7fbf864, author = {Chao Lei and Zhibin Zhang and Cecilia Hu and Aveek Das}, title = {{Mirai Variant MooBot Targeting D-Link Devices}}, date = {2022-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/moobot-d-link-devices/}, language = {English}, urldate = {2022-09-16} } @online{lella:20210729:enisa:159308a, author = {Ifigeneia Lella and Marianthi Theocharidou and Eleni Tsekmezoglou and Apostolos Malatras and Sebastian García and Veronica Valeros and Volker Distelrath and Konstantinos Moulinos}, title = {{ENISA Threat Landscape for Supply Chain Attacks}}, date = {2021-07-29}, organization = {ENISA}, url = {https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks/at_download/fullReport}, language = {English}, urldate = {2021-07-29} } @online{lella:20220729:enisa:5967745, author = {Ifigeneia Lella and Eleni Tsekmezoglou and Rossen Naydenov and Apostolos Malatras and Sebastian García and Veronica Valeros}, title = {{ENISA Threat Landscape for Ransomware Attacks}}, date = {2022-07-29}, organization = {ENISA}, url = {https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomware-attacks}, language = {English}, urldate = {2022-08-28} } @online{leloup:20210718:from:8ac3091, author = {Damien Leloup}, title = {{From Rabat to Paris, Morocco does not let go of journalists}}, date = {2021-07-18}, organization = {Lemonde}, url = {https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html}, language = {French}, urldate = {2021-07-24} } @online{lembright:20220721:russian:3f0d6db, author = {Matt Lembright}, title = {{Russian Ransomware C2 Network Discovered in Censys Data}}, date = {2022-07-21}, organization = {Censys}, url = {https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/}, language = {English}, urldate = {2023-12-04} } @online{lemon:20210310:microsoft:47b2c67, author = {Josh Lemon}, title = {{Microsoft Exchange & the HAFNIUM Threat Actor}}, date = {2021-03-10}, organization = {Lemon's InfoSec Ramblings}, url = {https://blog.joshlemon.com.au/hafnium-exchange-attacks/}, language = {English}, urldate = {2021-03-11} } @online{leon:20181024:waiting:5fdf295, author = {Leon}, title = {{Waiting for goDoH}}, date = {2018-10-24}, organization = {Sensepost}, url = {https://sensepost.com/blog/2018/waiting-for-godoh/}, language = {English}, urldate = {2020-01-06} } @online{leonard:20171209:10:8af1565, author = {Billy Leonard and Google Threat Analysis Group}, title = {{10 Years of Targeted Credential Phishing}}, date = {2017-12-09}, organization = {BlueHat Security Conference}, url = {https://www.slideshare.net/MSbluehat/10-years-of-targeted-credential-phishing-billy-leonard}, language = {English}, urldate = {2021-05-17} } @online{leonard:20210721:apt31:95e177c, author = {Billy Leonard}, title = {{Tweet on APT31 using a router implant.}}, date = {2021-07-21}, organization = {Twitter (@billyleonard)}, url = {https://twitter.com/billyleonard/status/1417910729005490177}, language = {English}, urldate = {2021-12-17} } @online{leonard:20211007:iocs:db42716, author = {Billy Leonard and Google Threat Analysis Group}, title = {{Tweet on IOCs related to APT28}}, date = {2021-10-07}, organization = {Twitter (@billyleonard)}, url = {https://twitter.com/billyleonard/status/1446226367008313344}, language = {English}, urldate = {2021-11-17} } @online{leonard:20211110:rekoobe:2f64840, author = {Billy Leonard and Google Threat Analysis Group}, title = {{Tweet on Rekoobe (used by APT31), being a fork of open source tool called Tiny SHell, used by different actor since at least 2012}}, date = {2021-11-10}, organization = {Twitter (@billyleonard)}, url = {https://twitter.com/billyleonard/status/1458531997576572929}, language = {English}, urldate = {2021-11-17} } @online{leonard:20220114:apt28:6c659cc, author = {Billy Leonard and Google Threat Analysis Group}, title = {{Tweet on APT28 credential phishing campaigns targeting Ukraine}}, date = {2022-01-14}, organization = {Twitter (@billyleonard)}, url = {https://twitter.com/billyleonard/status/1482034733072752640}, language = {English}, urldate = {2022-01-18} } @online{leonard:20220330:tracking:faab472, author = {Billy Leonard and Google Threat Analysis Group}, title = {{Tracking cyber activity in Eastern Europe}}, date = {2022-03-30}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/}, language = {English}, urldate = {2022-03-31} } @online{leonard:20220330:tracking:ff3709f, author = {Billy Leonard}, title = {{Tracking cyber activity in Eastern Europe}}, date = {2022-03-30}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe}, language = {English}, urldate = {2022-05-08} } @online{leonard:20220503:update:cee4563, author = {Billy Leonard and Google Threat Analysis Group}, title = {{Update on cyber activity in Eastern Europe}}, date = {2022-05-03}, organization = {Google}, url = {https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/}, language = {English}, urldate = {2022-05-04} } @online{leonard:20220503:update:e2039f6, author = {Billy Leonard}, title = {{Update on cyber activity in Eastern Europe}}, date = {2022-05-03}, organization = {Google}, url = {https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe}, language = {English}, urldate = {2022-08-25} } @online{leonard:20220708:twiiter:d77eb54, author = {Billy Leonard}, title = {{Twiiter thread about some recent Turla activity spoofing the Azov Regiment ... but targeting Android users.}}, date = {2022-07-08}, organization = {Twitter (@billyleonard)}, url = {https://twitter.com/billyleonard/status/1545461166377508865}, language = {English}, urldate = {2022-07-25} } @online{leonard:20220719:continued:2a97da1, author = {Billy Leonard}, title = {{Continued cyber activity in Eastern Europe observed by TAG}}, date = {2022-07-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag}, language = {English}, urldate = {2022-08-05} } @online{leonard:20220719:continued:e1dd77e, author = {Billy Leonard}, title = {{Continued cyber activity in Eastern Europe observed by TAG}}, date = {2022-07-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/}, language = {English}, urldate = {2022-07-25} } @online{leonard:20230419:ukraine:6c3440b, author = {Billy Leonard and Google Threat Analysis Group}, title = {{Ukraine remains Russia’s biggest cyber focus in 2023}}, date = {2023-04-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023}, language = {English}, urldate = {2023-04-22} } @online{leong:20191031:messagetap:823e994, author = {Raymond Leong and Dan Perez and Tyler Dean}, title = {{MESSAGETAP: Who’s Reading Your Text Messages?}}, date = {2019-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html}, language = {English}, urldate = {2019-12-18} } @online{leopard:20171108:analysis:a6a1a01, author = {Security Leopard}, title = {{Analysis of an active USB flash drive virus}}, date = {2017-11-08}, organization = {Freebuf}, url = {http://www.freebuf.com/column/153424.html}, language = {Chinese}, urldate = {2020-01-13} } @online{leopard:20180619:hidden:7eceae4, author = {Security Leopard}, title = {{"Hidden Bee" strikes: Kingsoft Internet Security intercepts the world's first Bootkit-class mining botnet}}, date = {2018-06-19}, url = {https://www.freebuf.com/column/175106.html}, language = {Chinese}, urldate = {2019-11-17} } @online{lepore:20190918:chirp:44c11e9, author = {Jonathan Lepore}, title = {{Chirp of the PoisonFrog}}, date = {2019-09-18}, organization = {IronNet}, url = {https://ironnet.com/blog/chirp-of-the-poisonfrog/}, language = {English}, urldate = {2020-01-09} } @online{lepore:20200206:dns:c7069f1, author = {Jonathan Lepore}, title = {{DNS Tunneling Series, Part 3: The Siren Song of RogueRobin}}, date = {2020-02-06}, organization = {IronNet}, url = {https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/}, language = {English}, urldate = {2020-02-13} } @online{lesnewich:20230125:ta444:ae76e7b, author = {Greg Lesnewich and Proofpoint Threat Research Team}, title = {{TA444: The APT Startup Aimed at Acquisition (of Your Funds)}}, date = {2023-01-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds}, language = {English}, urldate = {2023-01-25} } @online{lesnewich:20231205:ta422s:a757704, author = {Greg Lesnewich and Crista Giering and Proofpoint Threat Research Team}, title = {{TA422’s Dedicated Exploitation Loop—the Same Week After Week}}, date = {2023-12-05}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week}, language = {English}, urldate = {2023-12-05} } @online{lesnewich:20240105:tweets:09c1409, author = {Greg Lesnewich}, title = {{Tweets about a SpectralBlur a macOS sample}}, date = {2024-01-05}, organization = {Twitter (@greglesnewich)}, url = {https://twitter.com/greglesnewich/status/1742575613834084684}, language = {English}, urldate = {2024-03-18} } @online{lesnewich:20240227:with:bef3f5d, author = {Greg Lesnewich}, title = {{Tweet with context on TA421 / APT29 / Midnight Blizzard / BlueBravo / Cozy Bear}}, date = {2024-02-27}, organization = {Twitter (@greglesnewich)}, url = {https://twitter.com/greglesnewich/status/1762549311294804145}, language = {English}, urldate = {2024-03-04} } @online{lesnewich:20250513:ta406:21189e7, author = {Greg Lesnewich and Saher Naumaan and Mark Kelly}, title = {{TA406 Pivots to the Front}}, date = {2025-05-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front}, language = {English}, urldate = {2025-05-20} } @online{letailleur:20240129:krustyloader:5734e23, author = {Theo Letailleur}, title = {{KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises}}, date = {2024-01-29}, organization = {Synacktiv}, url = {https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises}, language = {English}, urldate = {2024-02-05} } @online{letailleur:20240818:lapsus:ea135c5, author = {Theo Letailleur}, title = {{LAPSUS$ is dead, long live HexaLocker?}}, date = {2024-08-18}, organization = {Synacktiv}, url = {https://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html}, language = {English}, urldate = {2025-06-26} } @online{levene:20150820:retefe:b3a0c4f, author = {Brandon Levene and Robert Falcone and Josh Grunzweig and Bryan Lee and Ryan Olson}, title = {{Retefe Banking Trojan Targets Sweden, Switzerland and Japan}}, date = {2015-08-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/}, language = {English}, urldate = {2019-12-20} } @online{levene:20170328:dimnie:a19c996, author = {Brandon Levene and Dominik Reichel and Esmid Idrizovic}, title = {{Dimnie: Hiding in Plain Sight}}, date = {2017-03-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/}, language = {English}, urldate = {2019-12-20} } @online{levene:20170503:kazuar:84e99e2, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2019-12-20} } @online{levene:20170503:kazuar:b869345, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2020-01-09} } @online{levene:20171101:everybody:9473c82, author = {Brandon Levene and Brandon Young and Dominik Reichel}, title = {{Everybody Gets One: QtBot Used to Distribute Trickbot and Locky}}, date = {2017-11-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/}, language = {English}, urldate = {2019-12-20} } @online{levene:20180305:sure:13de36e, author = {Brandon Levene and Josh Grunzweig}, title = {{Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency}}, date = {2018-03-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/}, language = {English}, urldate = {2019-12-20} } @online{levene:20180307:patchwork:8973699, author = {Brandon Levene and Josh Grunzweig and Brittany Ash}, title = {{Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent}}, date = {2018-03-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/}, language = {English}, urldate = {2019-12-20} } @online{levin:20230214:writing:acb4846, author = {Claire Levin}, title = {{Writing a decryptor for Jaff ransomware}}, date = {2023-02-14}, organization = {Github (clairelevin)}, url = {https://clairelevin.github.io/malware/2023/02/14/jaff.html}, language = {English}, urldate = {2023-02-21} } @online{levrard:20230203:ransomware:928b750, author = {Julien Levrard}, title = {{Ransomware targeting VMware ESXi}}, date = {2023-02-03}, organization = {OVHcloud}, url = {https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/}, language = {English}, urldate = {2023-02-06} } @online{levy:20210217:detect:e5bdc1b, author = {Ariel Levy}, title = {{Detect and prevent the SolarWinds build-time code injection attack}}, date = {2021-02-17}, organization = {apirro}, url = {https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack}, language = {English}, urldate = {2021-02-20} } @online{lewis:20181122:turla:99cb1b2, author = {Matt Lewis}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/}, language = {English}, urldate = {2023-08-11} } @techreport{lewis:20210510:machine:4663735, author = {Emily Lewis and Alex Wilkinson and Toni Mlinarević}, title = {{Machine Learning for Static Malware Analysis}}, date = {2021-05-10}, institution = {University College London}, url = {https://research.nccgroup.com/wp-content/uploads/2021/05/NCC_CDT_report.pdf}, language = {English}, urldate = {2021-06-22} } @techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } @online{lexfo:20201002:lockbit:3dc988e, author = {Lexfo}, title = {{Lockbit analysis}}, date = {2020-10-02}, organization = {Lexfo}, url = {https://blog.lexfo.fr/lockbit-malware.html}, language = {English}, urldate = {2020-10-23} } @online{lexfo:20210406:dridex:a3b6f4f, author = {Lexfo}, title = {{Dridex Loader Analysis}}, date = {2021-04-06}, organization = {Lexfo}, url = {https://blog.lexfo.fr/dridex-malware.html}, language = {English}, urldate = {2021-04-09} } @online{lexfo:20210920:danabot:1f9e842, author = {Lexfo}, title = {{DanaBot Communications Update}}, date = {2021-09-20}, organization = {Lexfo}, url = {https://blog.lexfo.fr/danabot-malware.html}, language = {English}, urldate = {2021-09-28} } @online{lexfo:20220302:avoslocker:840ae39, author = {Lexfo}, title = {{AvosLocker Ransomware Linux Version Analysis}}, date = {2022-03-02}, organization = {Lexfo}, url = {https://blog.lexfo.fr/Avoslocker.html}, language = {English}, urldate = {2022-04-20} } @online{lexfo:20220411:obfuscated:ef3d555, author = {Lexfo}, title = {{Obfuscated obfuscation}}, date = {2022-04-11}, organization = {Lexfo}, url = {https://blog.lexfo.fr/dexguard.html}, language = {English}, urldate = {2022-04-20} } @online{lexfo:20241003:stealc:4d6b8cf, author = {Lexfo}, title = {{StealC Malware Analysis Part 2}}, date = {2024-10-03}, organization = {Lexfo}, url = {https://blog.lexfo.fr/StealC_malware_analysis_part2.html}, language = {English}, urldate = {2025-01-31} } @online{lexfo:20241003:stealc:6dbac74, author = {Lexfo}, title = {{StealC Malware Analysis Part 1}}, date = {2024-10-03}, organization = {Lexfo}, url = {https://blog.lexfo.fr/StealC_malware_analysis_part1.html}, language = {English}, urldate = {2025-01-31} } @online{lexfo:20241003:stealc:fc0862b, author = {Lexfo}, title = {{StealC Malware Analysis Part 3}}, date = {2024-10-03}, organization = {Lexfo}, url = {https://blog.lexfo.fr/StealC_malware_analysis_part3.html}, language = {English}, urldate = {2025-01-31} } @online{leyden:20120604:small:eb760a3, author = {John Leyden}, title = {{Small banking Trojan poses major risk}}, date = {2012-06-04}, url = {http://www.theregister.co.uk/2012/06/04/small_banking_trojan/}, language = {English}, urldate = {2020-01-08} } @online{leyden:20200723:who:992d2f0, author = {John Leyden}, title = {{Who is behind APT29? What we know about this nation-state cybercrime group}}, date = {2020-07-23}, organization = {The Daily Swig}, url = {https://portswigger.net/daily-swig/amp/who-is-behind-apt29-what-we-know-about-this-nation-state-cybercrime-group}, language = {English}, urldate = {2021-03-31} } @online{lezama:20210810:fast:0b4334e, author = {Giancarlo Lezama}, title = {{Fast Insights for a Microsoft-Signed Netfilter Rootkit}}, date = {2021-08-10}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/}, language = {English}, urldate = {2021-08-25} } @online{li:20111013:detailed:650b25e, author = {Frankie Fu Kay Li}, title = {{A Detailed Analysis of an Advanced Persistent Threat Malware}}, date = {2011-10-13}, url = {https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814}, language = {English}, urldate = {2019-10-14} } @online{li:20111014:detailed:1358fa2, author = {Frankie Fu Kay Li}, title = {{A Detailed Analysis of an Advanced Persistent Threat Malware}}, date = {2011-10-14}, organization = {SANS}, url = {https://www.sans.org/white-papers/33814/}, language = {English}, urldate = {2024-02-02} } @online{li:20150122:scarab:f03d89c, author = {Yi Li}, title = {{Scarab attackers took aim at select Russian targets since 2012}}, date = {2015-01-22}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363}, language = {English}, urldate = {2022-09-20} } @online{li:20151013:new:34dc6b1, author = {Brooks Li and Feike Hacquebord and Peter Pi}, title = {{New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries}}, date = {2015-10-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/}, language = {English}, urldate = {2019-10-15} } @online{li:20151013:new:f451b34, author = {Brooks Li and Feike Hacquebord and Peter Pi}, title = {{New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries}}, date = {2015-10-13}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/}, language = {English}, urldate = {2019-12-19} } @online{li:20210510:threat:bcb06cf, author = {Charles Li}, title = {{APT Threat Landscape of Taiwan in 2020}}, date = {2021-05-10}, organization = {TEAMT5}, url = {https://teamt5.org/en/posts/apt-threat-landscape-of-taiwan-in-2020/}, language = {English}, urldate = {2021-05-25} } @online{li:20211216:winnti:adce3fa, author = {Charles Li and Aragorn Tseng and Peter Syu and Tom Lai}, title = {{Winnti is Coming - Evolution after Prosecution}}, date = {2021-12-16}, organization = {TEAMT5}, url = {https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021}, language = {English}, urldate = {2023-04-28} } @techreport{li:20220511:to:12668fe, author = {Charles Li and Che Chang}, title = {{To loot or Not to Loot? That Is Not a Question - When State-Nexus APT Targets Online Entertainment Industry}}, date = {2022-05-11}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf}, language = {English}, urldate = {2022-08-15} } @online{li:20220722:reverse:3fa4adf, author = {Xusheng Li}, title = {{Reverse Engineering a Cobalt Strike Dropper With Binary Ninja}}, date = {2022-07-22}, organization = {Binary Ninja}, url = {https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html}, language = {English}, urldate = {2022-07-25} } @online{lia:20241017:correlating:dabd625, author = {LIA}, title = {{Correlating Vidar Stealer Build IDs Based on Loader Tasks}}, date = {2024-10-17}, organization = {Loader Insight Agency}, url = {https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/}, language = {English}, urldate = {2024-10-25} } @online{liansecurity:20230409:nexus:fa44da0, author = {LianSecurity}, title = {{Nexus Android Trojan Analysis Report}}, date = {2023-04-09}, organization = {LianSecurity}, url = {https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail}, language = {English}, urldate = {2023-04-12} } @online{liansecurity:20231201:boomslang:4946653, author = {LianSecurity}, title = {{BOOMSLANG Mobile fraud family analysis}}, date = {2023-12-01}, organization = {LianSecurity}, url = {https://www.liansecurity.com/#/main/news/mlRmJIwB203zX1eeD8-r/detail}, language = {English}, urldate = {2023-12-04} } @online{liao:20231221:bandook:7d2d6f5, author = {Pei Han Liao}, title = {{Bandook - A Persistent Threat That Keeps Evolving}}, date = {2023-12-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving}, language = {English}, urldate = {2024-01-05} } @online{liao:20240619:fickle:7a2340d, author = {Pei Han Liao}, title = {{Fickle Stealer Distributed via Multiple Attack Chain}}, date = {2024-06-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain}, language = {English}, urldate = {2025-03-10} } @online{liao:20240903:emansrepo:e1cdf15, author = {Pei Han Liao}, title = {{Emansrepo Stealer: Multi-Vector Attack Chains}}, date = {2024-09-03}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains}, language = {English}, urldate = {2024-10-01} } @online{liao:20241202:smokeloader:8c4be23, author = {Pei Han Liao}, title = {{SmokeLoader Attack Targets Companies in Taiwan}}, date = {2024-12-02}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader}, language = {English}, urldate = {2024-12-11} } @online{liao:20250227:winos:aa4f72e, author = {Pei Han Liao}, title = {{Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan}}, date = {2025-02-27}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan}, language = {English}, urldate = {2025-02-28} } @online{liber:20221230:cyber:63533ed, author = {Ovi Liber}, title = {{Cyber Threat Report: RambleOn Android Malware - Detailed analysis report of cyber threat targeting journalist in South Korea through APT phishing campaign with malicious APK}}, date = {2022-12-30}, organization = {Interlab}, url = {https://interlab.or.kr/archives/2567}, language = {English}, urldate = {2023-02-21} } @online{liber:20230420:uncovering:5eb2c36, author = {Ovi Liber and INTERLAB}, title = {{Uncovering nation state watering hole credential harvesting campaigns targeting human rights activists by APT threat group UCID902}}, date = {2023-04-20}, organization = {Interlab}, url = {https://interlab.or.kr/archives/18979}, language = {English}, urldate = {2023-04-22} } @online{liber:20230831:reverse:d51cedc, author = {Ovi Liber}, title = {{Reverse engineering SuperBear RAT}}, date = {2023-08-31}, organization = {SystemError}, url = {https://0x0v1.com/posts/superbear/superbear/}, language = {English}, urldate = {2023-09-04} } @online{licudine:20220808:malware:05fc2dc, author = {Karlo Licudine}, title = {{Malware sandbox evasion in x64 assembly by checking ram size - Part 1}}, date = {2022-08-08}, organization = {AccidentalRebel}, url = {https://www.accidentalrebel.com/malware-sandbox-evasion-in-x64-assembly-by-checking-ram-size-part-1.html}, language = {English}, urldate = {2022-08-15} } @online{licudine:20220815:malware:277837c, author = {Karlo Licudine}, title = {{Malware sandbox evasion in x64 assembly by checking ram size - Part 2}}, date = {2022-08-15}, organization = {AccidentalRebel}, url = {https://www.accidentalrebel.com/malware-sandbox-evasion-in-x64-assembly-by-checking-ram-size-part-2.html}, language = {English}, urldate = {2022-08-18} } @online{liebenberg:20180830:rocke:7bdc336, author = {David Liebenberg}, title = {{Rocke: The Champion of Monero Miners}}, date = {2018-08-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html}, language = {English}, urldate = {2020-05-18} } @online{liebenberg:20200615:quarterly:c2dcd77, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly report: Incident Response trends in Summer 2020}}, date = {2020-06-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more}, language = {English}, urldate = {2020-06-19} } @online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } @online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } @online{liebenberg:20210324:quarterly:4707c30, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Winter 2020-21}}, date = {2021-03-24}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html}, language = {English}, urldate = {2021-03-25} } @online{lied:20190519:skreddersydd:e16c8d8, author = {Henrik Lied and Peter Svaar and Dennis Ravndal and Anders Brekke and Kristine Hirsti}, title = {{Skreddersydd dobbeltangrep mot Hydro}}, date = {2019-05-19}, organization = {nrk}, url = {https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202}, language = {Norwegian}, urldate = {2019-11-21} } @techreport{lifars:202005:xmrigbased:5e57232, author = {LIFARS}, title = {{XMRig-based CoinMinersby Blue Mockingbird Threat Actor}}, date = {2020-05}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf}, language = {English}, urldate = {2020-06-19} } @online{lifars:20210319:dearcry:9e33116, author = {LIFARS}, title = {{DearCry Ransomware}}, date = {2021-03-19}, organization = {YouTube (LIFARS LLC)}, url = {https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s}, language = {English}, urldate = {2021-04-12} } @techreport{lifars:20210325:dearcry:16ca9fb, author = {LIFARS}, title = {{DearCry Ransomware Malware Analysis and Reverse Engineering}}, date = {2021-03-25}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf}, language = {English}, urldate = {2021-04-16} } @online{lifars:20220112:forensics:c6391d1, author = {LIFARS}, title = {{Forensics Analysis of the NSO Group’s Pegasus Spyware}}, date = {2022-01-12}, url = {https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/}, language = {English}, urldate = {2022-01-24} } @online{lifars:20220112:newly:118dea5, author = {LIFARS}, title = {{Newly Found Malware Threatens IoT Devices}}, date = {2022-01-12}, url = {https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/}, language = {English}, urldate = {2022-01-24} } @online{lifars:20220303:closer:f29cc25, author = {LIFARS}, title = {{A Closer Look at the Russian Actors Targeting Organizations in Ukraine}}, date = {2022-03-03}, organization = {LIFARS}, url = {https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/}, language = {English}, urldate = {2022-03-04} } @online{life:20210717:candirus:1bbda44, author = {Eyes on Life}, title = {{Candiru's Spyware: How It Works And Attacking Journalists, Activists And Many More}}, date = {2021-07-17}, organization = {Eyes on Life}, url = {https://www.eyesonlife.org/Features/Science_and_Technology/Candirus_Spyware_How_It_Works_And_Attackng_Journalists_Activists_And_Many_More}, language = {English}, urldate = {2022-04-20} } @techreport{ligh:20061113:malware:d305d70, author = {Micael Ligh}, title = {{Malware Case Study - ZeusMalware}}, date = {2006-11-13}, institution = {Secure Science Corporation}, url = {https://www.mnin.org/write/ZeusMalware.pdf}, language = {English}, urldate = {2019-11-23} } @online{ligh:20121212:unpacking:612f008, author = {Michael Hale Ligh}, title = {{Unpacking Dexter POS "Memory Dump Parsing" Malware}}, date = {2012-12-12}, organization = {Volatility Labs}, url = {https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html}, language = {English}, urldate = {2020-01-13} } @techreport{lilly:20200609:past:d6656a1, author = {Bilyana Lilly and Joe Cheravitch}, title = {{The Past, Present, and Future of Russia’s Cyber Strategy and Forces}}, date = {2020-06-09}, institution = {RAND Corporation}, url = {https://ccdcoe.org/uploads/2020/05/CyCon_2020_8_Lilly_Cheravitch.pdf}, language = {English}, urldate = {2020-06-10} } @online{lim:20201122:election:c851b74, author = {Yihao Lim}, title = {{Election Cyber Threats in the Asia-Pacific Region}}, date = {2020-11-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/11/election-cyber-threats-in-the-asia-pacific-region.html}, language = {English}, urldate = {2020-11-23} } @online{lim:20210719:evade:51a9e1f, author = {Mark Lim}, title = {{Evade Sandboxes With a Single Bit – the Trap Flag}}, date = {2021-07-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/}, language = {English}, urldate = {2021-07-26} } @online{lim:20220425:defeating:3da4840, author = {Mark Lim}, title = {{Defeating BazarLoader Anti-Analysis Techniques}}, date = {2022-04-25}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/}, language = {English}, urldate = {2022-04-29} } @online{lim:20220624:there:7a3b762, author = {Mark Lim and Riley Porter}, title = {{There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families}}, date = {2022-06-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/api-hammering-malware-families/}, language = {English}, urldate = {2022-06-27} } @online{lim:20220927:more:5992cc3, author = {Mark Lim}, title = {{More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID}}, date = {2022-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/}, language = {English}, urldate = {2022-09-30} } @online{lim:20230503:teasing:eef7ae4, author = {Mark Lim and Daniel Raygoza and Bob Jung}, title = {{Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale}}, date = {2023-05-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing}, language = {English}, urldate = {2023-05-04} } @online{limerat:20191016:limerat:da2782c, author = {LimeRat}, title = {{LimeRat}}, date = {2019-10-16}, url = {https://www.youtube.com/watch?v=x-g-ZLeX8GM}, language = {English}, urldate = {2019-10-16} } @online{limerboy:20200125:gocryptolocker:eee8d0a, author = {LimerBoy}, title = {{goCryptoLocker}}, date = {2020-01-25}, url = {https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go}, language = {English}, urldate = {2020-04-28} } @online{limerboy:20200216:inferno:835a010, author = {LimerBoy}, title = {{Inferno}}, date = {2020-02-16}, url = {https://github.com/LimerBoy/Inferno}, language = {English}, urldate = {2020-03-13} } @online{limerboy:20200312:adamantiumthief:ba2b907, author = {LimerBoy}, title = {{Adamantium-Thief}}, date = {2020-03-12}, url = {https://github.com/LimerBoy/Adamantium-Thief}, language = {English}, urldate = {2020-03-13} } @online{limerboy:20201029:stormkitty:ffeabb6, author = {LimerBoy}, title = {{StormKitty}}, date = {2020-10-29}, organization = {GitHub (LimerBoy)}, url = {https://web.archive.org/web/20230403114012/https://github.com/LimerBoy/StormKitty}, language = {English}, urldate = {2025-05-02} } @online{lin:20150205:anatomy:91eb612, author = {Michael Lin and Derek Gooley}, title = {{Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited}}, date = {2015-02-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html}, language = {English}, urldate = {2019-12-20} } @online{lin:20171031:expiro:3270051, author = {Xiaobing Lin}, title = {{Expiro Malware Is Back and Even Harder to Remove}}, date = {2017-10-31}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/}, language = {English}, urldate = {2022-02-16} } @online{lin:20211022:recent:248c7d4, author = {Cara Lin}, title = {{Recent Attack Uses Vulnerability on Confluence Server}}, date = {2021-10-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server}, language = {English}, urldate = {2021-10-26} } @online{lin:20211206:miraibased:4a259da, author = {Cara Lin}, title = {{Mirai-based Botnet - Moobot Targets Hikvision Vulnerability}}, date = {2021-12-06}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability}, language = {English}, urldate = {2021-12-08} } @online{lin:20220418:trends:fab9950, author = {Erin Lin}, title = {{Trends in the Recent Emotet Maldoc Outbreak}}, date = {2022-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak}, language = {English}, urldate = {2022-04-20} } @online{lin:20220706:from:1196ee3, author = {Cara Lin}, title = {{From Follina to Rozena - Leveraging Discord to Distribute a Backdoor}}, date = {2022-07-06}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor}, language = {English}, urldate = {2022-07-12} } @online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } @online{lin:20221020:mirai:6945658, author = {Cara Lin}, title = {{Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability}}, date = {2022-10-20}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability}, language = {English}, urldate = {2022-11-21} } @online{lin:20230420:evilextractor:eacfdcb, author = {Cara Lin}, title = {{EvilExtractor – All-in-One Stealer}}, date = {2023-04-20}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer}, language = {English}, urldate = {2023-04-25} } @online{lin:20230712:lokibot:f77d705, author = {Cara Lin}, title = {{LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros}}, date = {2023-07-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros}, language = {English}, urldate = {2023-07-19} } @online{lin:20230911:originbotnet:1568400, author = {Cara Lin}, title = {{OriginBotnet Spreads via Malicious Word Document}}, date = {2023-09-11}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document}, language = {English}, urldate = {2023-12-11} } @online{lin:20231009:iz1h9:99ef4a9, author = {Cara Lin}, title = {{IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits}}, date = {2023-10-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits}, language = {English}, urldate = {2023-10-11} } @online{lin:20231128:gotitan:9d216eb, author = {Cara Lin}, title = {{GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ}}, date = {2023-11-28}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq}, language = {English}, urldate = {2023-12-11} } @online{lin:20240108:deceptive:a2ec81b, author = {Cara Lin}, title = {{Deceptive Cracked Software Spreads Lumma Variant on YouTube}}, date = {2024-01-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube}, language = {English}, urldate = {2024-01-10} } @online{lin:20240404:cutting:cec9197, author = {Matt Lin and Austin Larsen and John Wolfram and Ashley Pearson and Josh Murchie and Lukasz Lamparski and Joseph Pisano and Ryan Hall and Ron Craft and Shawn Chew and Billy Wong and Tyler McLellan}, title = {{Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies}}, date = {2024-04-04}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement}, language = {English}, urldate = {2025-05-26} } @online{lin:20240905:threat:79cd4f3, author = {Cara Lin and Vincent Li}, title = {{Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401}}, date = {2024-09-05}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401}, language = {English}, urldate = {2025-07-02} } @online{linares:20240717:fake:f8d8358, author = {Greg Linares and Alden Schmidt and Matt Anderson}, title = {{Fake Browser Updates Lead to BOINC Volunteer Computing Software}}, date = {2024-07-17}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software}, language = {English}, urldate = {2024-12-02} } @online{lindblom:20210719:shlayer:5fc616d, author = {Aspen Lindblom and Joseph Godwin and Chris Sheldon}, title = {{Shlayer Malvertising Campaigns Still Using Flash Update Disguise}}, date = {2021-07-19}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/}, language = {English}, urldate = {2021-07-26} } @online{lines:20190415:cobalt:7b3c086, author = {Neil Lines}, title = {{Cobalt Strike. Walkthrough for Red Teamers}}, date = {2019-04-15}, organization = {PenTestPartners}, url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/}, language = {English}, urldate = {2019-12-17} } @online{ling:20220512:github:1006921, author = {Jing Ling}, title = {{Github Repository for NetSpy}}, date = {2022-05-12}, organization = {Github (shmilylty)}, url = {https://github.com/shmilylty/netspy}, language = {Chinese}, urldate = {2023-10-11} } @online{link:20190422:dadstache:5444490, author = {Suspicious Link}, title = {{Tweet on DADSTACHE payload}}, date = {2019-04-22}, organization = {Twitter (@killamjr)}, url = {https://twitter.com/killamjr/status/1204584085395517440}, language = {English}, urldate = {2020-01-06} } @online{linkcabin:20160123:imminent:fe72c42, author = {LinkCabin}, title = {{Imminent Monitor 4 RAT Analysis – A Glance}}, date = {2016-01-23}, organization = {LinkCabin}, url = {https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/}, language = {English}, urldate = {2020-01-09} } @online{linkcabin:20201003:malware:9ac8043, author = {LinkCabin}, title = {{Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)}}, date = {2020-10-03}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=5KHZSmBeMps}, language = {English}, urldate = {2020-11-25} } @online{linkcabin:20201018:malware:fa0c6a0, author = {LinkCabin}, title = {{Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)}}, date = {2020-10-18}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=1dbepxN2YD8}, language = {English}, urldate = {2020-11-25} } @online{lipovsky:20141014:cve20144114:49123f0, author = {Robert Lipovsky}, title = {{CVE‑2014‑4114: Details on August BlackEnergy PowerPoint Campaigns}}, date = {2014-10-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{lipovsky:20141112:korplug:b5b58cc, author = {Robert Lipovsky}, title = {{Korplug military targeted attacks: Afghanistan & Tajikistan}}, date = {2014-11-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/}, language = {English}, urldate = {2019-12-20} } @online{lipovsky:20150730:operation:3e5afee, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Potao Express: Analysis of a cyber‑espionage toolkit}}, date = {2015-07-30}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/07/30/operation-potao-express/}, language = {English}, urldate = {2019-12-20} } @techreport{lipovsky:20150730:operation:bfe3508, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Potao Express: Analysis of a cyber‑espionage toolkit}}, date = {2015-07-30}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf}, language = {English}, urldate = {2020-02-25} } @online{lipovsky:20160518:operation:1c9edf8, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Groundbait: Espionage in Ukrainian war zones}}, date = {2016-05-18}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/05/18/groundbait}, language = {English}, urldate = {2020-01-08} } @online{lipovsky:20170105:killdisk:43eba48, author = {Robert Lipovsky and Peter Kálnai}, title = {{KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt}}, date = {2017-01-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/}, language = {English}, urldate = {2019-12-10} } @online{lipovsky:20170105:killdisk:5d49eac, author = {Robert Lipovsky and Peter Kálnai}, title = {{KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt}}, date = {2017-01-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt}, language = {English}, urldate = {2022-08-25} } @techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} } @online{lisichkin:20200119:analyzing:1f21f30, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques - Part 1}}, date = {2020-01-19}, organization = {0x00sec}, url = {https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663}, language = {English}, urldate = {2020-01-27} } @online{lisichkin:20200204:analyzing:bba72ea, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques - Part 3: A case of Powershell, Excel 4 Macros and VB6}}, date = {2020-02-04}, organization = {0x00sec}, url = {https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943}, language = {English}, urldate = {2020-02-08} } @online{lisichkin:20200218:analyzing:f805dad, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer(Part 1 of 2)}}, date = {2020-02-18}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/}, language = {English}, urldate = {2020-02-25} } @online{lisichkin:20200427:master:1cfb192, author = {Dan Lisichkin}, title = {{Master of RATs - How to create your own Tracker}}, date = {2020-04-27}, organization = {0x00sec}, url = {https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848}, language = {English}, urldate = {2020-04-28} } @online{lisichkin:20200605:zero2auto:ecc4713, author = {Dan Lisichkin}, title = {{Zero2Auto - Netwalker Walk through}}, date = {2020-06-05}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/}, language = {English}, urldate = {2020-06-08} } @techreport{liska:20211115:ransomware:b3f53da, author = {Allan Liska}, title = {{Ransomware - Understand. Prevent. Recover.}}, date = {2021-11-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/Ransomware-understand-prevent-recover.pdf}, language = {English}, urldate = {2021-11-17} } @online{liskin:20170918:undocumented:46e11f4, author = {Alexander Liskin and Anton Ivanov and Andrey Kryukov}, title = {{An (un)documented Word feature abused by attackers}}, date = {2017-09-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899}, language = {English}, urldate = {2022-08-26} } @online{lister:20220727:privateloader:e408698, author = {Sam Lister and Shuh Chin Goh}, title = {{PrivateLoader: Network-Based Indicators of Compromise}}, date = {2022-07-27}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise}, language = {English}, urldate = {2022-08-30} } @online{liston:20100527:sasfis:c963466, author = {Kevin Liston}, title = {{Sasfis Propagation}}, date = {2010-05-27}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/}, language = {English}, urldate = {2020-01-08} } @online{lite:20210306:scan:f7b0dbe, author = {THOR Lite}, title = {{Scan for HAFNIUM Exploitation Evidence with THOR Lite}}, date = {2021-03-06}, organization = {Nextron Systems}, url = {https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite}, language = {English}, urldate = {2021-03-10} } @techreport{lithuania:202103:national:677541d, author = {State Security Department of the Republic of Lithuania}, title = {{National Threat Assessment 2021}}, date = {2021-03}, institution = {State Security Department of the Republic of Lithuania}, url = {https://www.vsd.lt/wp-content/uploads/2021/03/2021-EN-el_.pdf}, language = {English}, urldate = {2021-03-25} } @online{litvak:20190717:evilgnome:0874eda, author = {Paul Litvak}, title = {{EvilGnome: Rare Malware Spying on Linux Desktop Users}}, date = {2019-07-17}, organization = {Intezer}, url = {https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/}, language = {English}, urldate = {2020-01-10} } @online{litvak:20190724:watching:abc3541, author = {Paul Litvak and Ignacio Sanmillan}, title = {{Watching the WatchBog: New BlueKeep Scanner and Linux Exploits}}, date = {2019-07-24}, organization = {Intezer}, url = {https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/}, language = {English}, urldate = {2020-05-18} } @online{litvak:20200130:new:e013fd0, author = {Paul Litvak and Michael Kajiloti}, title = {{New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset}}, date = {2020-01-30}, organization = {Intezer}, url = {https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/}, language = {English}, urldate = {2020-02-03} } @online{litvak:20200504:kaiji:6b90937, author = {Paul Litvak}, title = {{Kaiji: New Chinese Linux malware turning to Golang}}, date = {2020-05-04}, organization = {Intezer}, url = {https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/}, language = {English}, urldate = {2020-05-06} } @online{litvak:20200521:evolution:a14bf60, author = {Paul Litvak}, title = {{The Evolution of APT15’s Codebase 2020}}, date = {2020-05-21}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/}, language = {English}, urldate = {2020-05-23} } @online{litvak:20200903:turning:e83e450, author = {Paul Litvak}, title = {{Turning Open Source Against Malware}}, date = {2020-09-03}, organization = {Intezer}, url = {https://www.intezer.com/blog/threat-hunting/turning-open-source-against-malware/}, language = {English}, urldate = {2020-09-06} } @online{litvak:20210127:how:6561882, author = {Paul Litvak}, title = {{How We Hacked Azure Functions and Escaped Docker}}, date = {2021-01-27}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/how-we-hacked-azure-functions-and-escaped-docker/}, language = {English}, urldate = {2021-01-27} } @techreport{liu:20151203:automatically:7e1f412, author = {Ya Liu}, title = {{Automatically Classifying Unknown Bots by The REGISTER Messages}}, date = {2015-12-03}, institution = {360 Internet Security Center}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf}, language = {English}, urldate = {2023-07-24} } @online{liu:20161020:themoon:c9d999d, author = {Bing Liu}, title = {{TheMoon - A P2P botnet targeting Home Routers}}, date = {2016-10-20}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers}, language = {English}, urldate = {2020-09-21} } @online{liu:2018:tracking:2ca5e73, author = {Ya Liu and Hui Wang}, title = {{Tracking Mirai variants (Appendix: Hashes)}}, date = {2018}, organization = {Qihoo 360 Technology}, url = {https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes}, language = {English}, urldate = {2019-11-27} } @online{liu:20200706:gafgyt:9fb2ccc, author = {Ya Liu}, title = {{The Gafgyt variant vbot seen in its 31 campaigns}}, date = {2020-07-06}, organization = {360 netlab}, url = {https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/}, language = {English}, urldate = {2020-07-06} } @techreport{liu:20200930:lightweight:9631f10, author = {Ya Liu}, title = {{Lightweight Emulation based IOC Extraction for Gafgyt Botnets}}, date = {2020-09-30}, institution = {Qihoo 360 Technology}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-Liu.pdf}, language = {English}, urldate = {2024-04-04} } @online{liveoverflow:20190505:unpacking:25df4ad, author = {LiveOverflow and Sergei Frankoff and Sean Wilson}, title = {{Unpacking Redaman Malware & Basics of Self-Injection Packers - ft. OALabs}}, date = {2019-05-05}, organization = {Youtube (LiveOverflow)}, url = {https://www.youtube.com/watch?v=YXnNO3TipvM}, language = {English}, urldate = {2020-01-13} } @online{llimos:20181101:trickbot:7d0ea94, author = {Noel Anthony Llimos and Carl Maverick Pascual}, title = {{Trickbot Shows Off New Trick: Password Grabber Module}}, date = {2018-11-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module}, language = {English}, urldate = {2020-01-06} } @online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } @online{llimos:20230815:raccoon:4aeeaa5, author = {Noel Anthony Llimos}, title = {{Raccoon Stealer Announce Return After Hiatus}}, date = {2023-08-15}, organization = {CyberInt}, url = {https://cyberint.com/blog/financial-services/raccoon-stealer/}, language = {English}, urldate = {2023-08-16} } @online{lloyd:20210703:twitter:b42ed13, author = {Lloyd}, title = {{Twitter Thread on Revil sideloading DLL used in Kaseya attack}}, date = {2021-07-03}, organization = {Twitter (@LloydLabs)}, url = {https://twitter.com/LloydLabs/status/1411098844209819648}, language = {English}, urldate = {2021-07-24} } @online{lmntrix:20221106:analysis:af3394b, author = {LMNTRIX}, title = {{Analysis Of Netwire RAT}}, date = {2022-11-06}, organization = {LMNTRIX}, url = {https://lmntrix.com/lab/analysis-of-netwire-rat/}, language = {English}, urldate = {2022-12-05} } @techreport{lobo:20231030:new:7b951c5, author = {Pedro Lobo}, title = {{New Lampion Banking Trojan Variant in the wild}}, date = {2023-10-30}, institution = {Layer8}, url = {https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf}, language = {English}, urldate = {2023-11-13} } @online{locklear:20170607:russian:65a8aed, author = {Mallory Locklear}, title = {{Russian malware link hid in a comment on Britney Spears' Instagram}}, date = {2017-06-07}, organization = {engadget}, url = {https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/}, language = {English}, urldate = {2020-01-08} } @online{lodestone:2021:white:63afb19, author = {Lodestone}, title = {{White Rabbit Ransomware and the F5 Backdoor}}, date = {2021}, organization = {lodestone}, url = {https://lodestone.com/insight/white-rabbit-ransomware-and-the-f5-backdoor/}, language = {English}, urldate = {2022-02-04} } @online{lodi:20171205:nearly:c0a9413, author = {Matteo Lodi}, title = {{Nearly undetectable Qarallax RAT spreading via spam}}, date = {2017-12-05}, organization = {Certego}, url = {http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/}, language = {English}, urldate = {2019-12-17} } @online{lodi:20181123:sload:28fb962, author = {Matteo Lodi}, title = {{Sload hits Italy. Unveil the power of powershell as a downloader}}, date = {2018-11-23}, organization = {Certego}, url = {https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/}, language = {English}, urldate = {2020-01-13} } @online{lodi:20190214:malware:93db4e1, author = {Matteo Lodi}, title = {{Malware Tales: Gootkit}}, date = {2019-02-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-gootkit/}, language = {English}, urldate = {2020-01-06} } @online{lodi:20190614:malware:c93f3de, author = {Matteo Lodi}, title = {{Malware Tales: Sodinokibi}}, date = {2019-06-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-sodinokibi/}, language = {English}, urldate = {2019-12-17} } @online{lodi:20191002:malware:4f9442c, author = {Matteo Lodi and Marco Bompani}, title = {{Malware Tales: FTCODE}}, date = {2019-10-02}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-ftcode/}, language = {English}, urldate = {2020-01-07} } @online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } @online{loeb:20170919:security:dab264f, author = {Larry Loeb}, title = {{Security Utility Abuses Supply Chain for a Malware Attack}}, date = {2017-09-19}, organization = {Security Intelligence}, url = {https://securityintelligence.com/news/security-utility-abuses-supply-chain-for-a-malware-attack/}, language = {English}, urldate = {2024-12-06} } @online{logan:20210525:teamtnt:1f700b6, author = {Magno Logan and David Fiser}, title = {{TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack}}, date = {2021-05-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/teamtnt-targets-kubernetes--nearly-50-000-ips-compromised.html}, language = {English}, urldate = {2021-06-16} } @online{loganathan:202504:latrodectus:f86ee6a, author = {Hema Loganathan}, title = {{Latrodectus Malware Delivered via Telegram Bot/Chat API}}, date = {2025-04}, organization = {Reversing Stories}, url = {https://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/}, language = {English}, urldate = {2025-07-14} } @online{loganathan:202504:ursamispadu:71d0afe, author = {Hema Loganathan}, title = {{URSA/MISPADU InfoStealer}}, date = {2025-04}, organization = {Reversing Stories}, url = {https://jmp-esp.org/2025/03/30/ursa-mispadu/}, language = {English}, urldate = {2025-07-14} } @online{logic:20180801:inside:e5a8e2c, author = {Kryptos Logic}, title = {{Inside Look at Emotet's Global Victims and Malspam Qakbot Payloads}}, date = {2018-08-01}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html}, language = {English}, urldate = {2020-01-09} } @online{logic:20181031:emotet:ab7226f, author = {Kryptos Logic}, title = {{Emotet Awakens With New Campaign of Mass Email Exfiltration}}, date = {2018-10-31}, organization = {Kryptos Logic}, url = {https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html}, language = {English}, urldate = {2020-01-08} } @techreport{logpoint:20220525:buzz:13c148a, author = {Logpoint}, title = {{Buzz of the Bumblebee – A new malicious loader}}, date = {2022-05-25}, institution = {Logpoint}, url = {https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf}, language = {English}, urldate = {2023-04-06} } @online{loman:20200804:wastedlockers:753972a, author = {Mark Loman and Anand Ajjan}, title = {{WastedLocker’s techniques point to a familiar heritage}}, date = {2020-08-04}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/}, language = {English}, urldate = {2022-03-22} } @online{loman:20210315:dearcry:a7ac407, author = {Mark Loman}, title = {{DearCry ransomware attacks exploit Exchange server vulnerabilities}}, date = {2021-03-15}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/}, language = {English}, urldate = {2021-04-16} } @online{loman:20210323:black:527bf66, author = {Mark Loman}, title = {{Black Kingdom ransomware begins appearing on Exchange servers}}, date = {2021-03-23}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/03/23/black-kingdom/}, language = {English}, urldate = {2021-03-25} } @online{loman:20210324:black:c1494bc, author = {Mark Loman}, title = {{Black Kingdom ransomware begins appearing on Exchange servers}}, date = {2021-03-24}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/03/23/black-kingdom/?cmp=30728}, language = {English}, urldate = {2021-03-25} } @online{loman:20210704:independence:56ff257, author = {Mark Loman and Sean Gallagher and Anand Ajjan}, title = {{Independence Day: REvil uses supply chain exploit to attack hundreds of businesses}}, date = {2021-07-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses}, language = {English}, urldate = {2021-07-26} } @online{loman:20210809:blackmatter:d7606f3, author = {Mark Loman}, title = {{BlackMatter ransomware emerges from the shadow of DarkSide}}, date = {2021-08-09}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/}, language = {English}, urldate = {2021-08-25} } @online{loman:20210827:lockfile:cc8483f, author = {Mark Loman}, title = {{LockFile ransomware’s box of tricks: intermittent encryption and evasion}}, date = {2021-08-27}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/}, language = {English}, urldate = {2021-08-30} } @online{loman:20231220:cryptoguard:ea05218, author = {Mark Loman and Matt Wixey}, title = {{CryptoGuard: An asymmetric approach to the ransomware battle}}, date = {2023-12-20}, organization = {Sophos X-Ops}, url = {https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/}, language = {English}, urldate = {2024-02-08} } @techreport{lomboni:20220615:backdoor:8d43d9e, author = {Charles Lomboni and Venkat Rajgor and Felipe Duarte}, title = {{Backdoor via XFF: Mysterious Threat Actor Under Radar}}, date = {2022-06-15}, institution = {Security Joes}, url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf}, language = {English}, urldate = {2022-06-16} } @online{londhe:20170725:hawkeye:a4071fa, author = {Yogesh Londhe and Swapnil Patil}, title = {{HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign}}, date = {2017-07-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{londhe:20230309:cinoshi:32d4133, author = {Yogesh Londhe}, title = {{Tweet on Cinoshi Setaler}}, date = {2023-03-09}, organization = {X (@suyog41)}, url = {https://twitter.com/suyog41/status/1633807752127475713?s=20}, language = {English}, urldate = {2023-08-22} } @online{londhe:20230808:twitter:427ec5c, author = {Yogesh Londhe}, title = {{Twitter Thread describing the Stealer}}, date = {2023-08-08}, organization = {Twitter (@suyog41)}, url = {https://twitter.com/suyog41/status/1688797716447432704}, language = {English}, urldate = {2023-08-11} } @online{long:20230316:fbi:71dd0c3, author = {Joshua Long}, title = {{FBI shuts down 11-year-old NetWire RAT malware}}, date = {2023-03-16}, organization = {Intego}, url = {https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/}, language = {English}, urldate = {2023-07-24} } @online{long:20240905:new:89451b6, author = {Joshua Long}, title = {{New macOS malware HZ RAT gives attackers backdoor access to Macs}}, date = {2024-09-05}, organization = {Intego}, url = {https://www.intego.com/mac-security-blog/new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs/}, language = {English}, urldate = {2024-09-13} } @online{longden:20220217:phishers:859fd2b, author = {Jake Longden}, title = {{Phishers Spoof Power BI to Visualize Your Credential Data}}, date = {2022-02-17}, organization = {Cofense}, url = {https://cofense.com/blog/phishers-spoof-power-bi-to-visualize-your-credential-data}, language = {English}, urldate = {2022-02-19} } @online{lontzetidis:20241228:lumma:cccd70c, author = {Efstratios Lontzetidis}, title = {{Lumma 2024: Dominating the Info-Stealer Market}}, date = {2024-12-28}, organization = {Medium s.lontzetidis}, url = {https://medium.com/@s.lontzetidis/lumma-2024-dominating-the-info-stealer-market-070e7d8fa3d6}, language = {English}, urldate = {2025-01-23} } @online{lontzetidis:20250116:lazarus:881963d, author = {Efstratios Lontzetidis}, title = {{Lazarus APT: Techniques for Hunting Contagious Interview}}, date = {2025-01-16}, organization = {Validin}, url = {https://www.validin.com/blog/inoculating_contagious_interview_with_validin/}, language = {English}, urldate = {2025-01-23} } @techreport{lookingglass:20150428:operation:68a342f, author = {LookingGlass}, title = {{Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare}}, date = {2015-04-28}, institution = {LookingGlass}, url = {https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{lookout:201704:pegasus:b9392ab, author = {Lookout}, title = {{Pegasus for Android: Technical Analysis and Findings of Chrysaor}}, date = {2017-04}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf}, language = {English}, urldate = {2020-01-07} } @online{lookout:20180514:stealth:ebcc067, author = {Lookout}, title = {{Stealth Mango & Tangelo Technical Report}}, date = {2018-05-14}, organization = {Lookout}, url = {https://www.lookout.com/info/stealth-mango-report-ty}, language = {English}, urldate = {2020-01-13} } @techreport{lookout:201907:monokle:d2b6e7b, author = {Lookout}, title = {{Monokle: The Mobile Surveillance Tooling of the Special Technology Center}}, date = {2019-07}, institution = {Lookout}, url = {https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf}, language = {English}, urldate = {2019-12-04} } @online{lookout:20250312:lookout:c7a611f, author = {Lookout}, title = {{Lookout Discovers New Spyware by North Korean APT37}}, date = {2025-03-12}, organization = {Lookout}, url = {https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37}, language = {English}, urldate = {2025-03-13} } @online{loop:20240104:pilfered:5181e44, author = {OODA Loop}, title = {{Pilfered Data From Iranian Insurance and Food Delivery Firms Leaked Online}}, date = {2024-01-04}, organization = {OODA Loop}, url = {https://www.oodaloop.com/briefs/2024/01/04/pilfered-data-from-iranian-insurance-and-food-delivery-firms-leaked-online/}, language = {English}, urldate = {2024-09-27} } @online{loop:20240821:toyota:beb427b, author = {OODA Loop}, title = {{Toyota Customer, Employee Data Leaked in Confirmed Data Breach}}, date = {2024-08-21}, organization = {OODA Loop}, url = {https://www.oodaloop.com/briefs/2024/08/21/toyota-customer-employee-data-leaked-in-confirmed-data-breach/}, language = {English}, urldate = {2024-10-21} } @online{lopera:20200824:rats:2bb29dc, author = {Diana Lopera}, title = {{RATs and Spam: The Node.JS QRAT}}, date = {2020-08-24}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/}, language = {English}, urldate = {2020-11-26} } @online{lopera:20201001:evasive:c15da47, author = {Diana Lopera}, title = {{Evasive URLs in Spam: Part 2}}, date = {2020-10-01}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/}, language = {English}, urldate = {2020-10-12} } @online{lopera:20210106:trump:c82445d, author = {Diana Lopera}, title = {{A Trump Sex Video? No, It's a RAT!}}, date = {2021-01-06}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/}, language = {English}, urldate = {2021-01-11} } @online{lopera:20210311:image:dbb9908, author = {Diana Lopera}, title = {{Image File Trickery Part II: Fake Icon Delivers NanoCore}}, date = {2021-03-11}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/}, language = {English}, urldate = {2021-03-16} } @online{lopera:20210624:yet:5a8a4c5, author = {Diana Lopera}, title = {{Yet Another Archive Format Smuggling Malware}}, date = {2021-06-24}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/}, language = {English}, urldate = {2021-06-29} } @online{lopera:20220324:vidar:ec04874, author = {Diana Lopera}, title = {{Vidar Malware Launcher Concealed in Help File}}, date = {2022-03-24}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/}, language = {English}, urldate = {2022-03-25} } @online{lopez:20200215:python:7a23d37, author = {Nathan Lopez}, title = {{Python Remote Administration Tool (RAT)}}, date = {2020-02-15}, organization = {Github (nathanlopez)}, url = {https://github.com/nathanlopez/Stitch}, language = {English}, urldate = {2020-04-07} } @online{lorber:20210205:cinarat:772720f, author = {Nadav Lorber}, title = {{CinaRAT Resurfaces with New Evasive Tactics and Techniques}}, date = {2021-02-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques}, language = {English}, urldate = {2021-02-09} } @online{lorber:20210316:tracking:2d8ef0b, author = {Nadav Lorber}, title = {{Tracking HCrypt: An Active Crypter as a Service}}, date = {2021-03-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service}, language = {English}, urldate = {2021-05-13} } @online{lorber:20210507:revealing:add3b8a, author = {Nadav Lorber}, title = {{Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader}}, date = {2021-05-07}, organization = {Morphisec}, url = {https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader}, language = {English}, urldate = {2021-05-13} } @online{lorber:20210921:new:117cc51, author = {Nadav Lorber}, title = {{New Jupyter Evasive Delivery through MSI Installer}}, date = {2021-09-21}, organization = {Morphisec}, url = {https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer}, language = {English}, urldate = {2021-09-22} } @online{lorber:20241216:coinlurker:e3f53a8, author = {Nadav Lorber and Morphisec Labs}, title = {{CoinLurker: The Stealer Powering the Next Generation of Fake Updates}}, date = {2024-12-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates}, language = {English}, urldate = {2025-01-26} } @online{lorber:20250414:new:851b2a6, author = {Nadav Lorber}, title = {{New Malware Variant Identified: ResolverRAT Enters the Maze}}, date = {2025-04-14}, organization = {Morphisec}, url = {https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/}, language = {English}, urldate = {2025-04-15} } @online{lord:20130201:keeping:b006baa, author = {Bob Lord}, title = {{Keeping our users secure}}, date = {2013-02-01}, organization = {Twitter}, url = {https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html}, language = {English}, urldate = {2020-01-07} } @online{lorenzen:20210629:danmarks:261ec5e, author = {Mads Lorenzen}, title = {{Danmarks National Bank hacked as part of 'the world's most sophisticated hacker attack' (NOBELIUM)}}, date = {2021-06-29}, organization = {VERSION2}, url = {https://www.version2.dk/artikel/danmarks-nationalbank-hacket-led-verdens-mest-sofistikerede-hackerangreb-1092886}, language = {Danish}, urldate = {2021-06-29} } @online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } @online{loui:20210309:jackpotting:1dcc95b, author = {Eric Loui and Sergei Frankoff}, title = {{Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021}}, date = {2021-03-09}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=qxPXxWMI2i4}, language = {English}, urldate = {2021-05-31} } @online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } @online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } @online{loui:2021:hypervisor:ade976a, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/}, language = {English}, urldate = {2021-05-31} } @online{loveria:20231213:vishing:e956bef, author = {Catherine Loveria and Jovit Samaniego and Gabriel Nicoleta and Aprilyn Borja}, title = {{Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion}}, date = {2023-12-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html}, language = {English}, urldate = {2025-02-17} } @online{loveria:20250303:black:e7f7560, author = {Catherine Loveria and Stephen Carbery and Jovit Samaniego and Adam O'Connor and Ian Kenefick and Gabriel Cardoso and Lucas Silva and Jack Walsh}, title = {{Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal}}, date = {2025-03-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html}, language = {English}, urldate = {2025-03-05} } @online{low:20220803:journey:7d7b2ae, author = {Wayne Chin Yick Low}, title = {{Journey to Network Protocol Fuzzing – Dissecting Microsoft IMAP Client Protocol}}, date = {2022-08-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/analyzing-microsoft-imap-client-protocol}, language = {English}, urldate = {2022-08-11} } @online{low:20231207:curse:6e9f2c8, author = {Sharmine Low}, title = {{Curse of the Krasue: New Linux Remote Access Trojan targets Thailand}}, date = {2023-12-07}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/krasue-rat/}, language = {English}, urldate = {2023-12-12} } @online{low:20240904:lazarus:36e4598, author = {Sharmine Low}, title = {{APT Lazarus: Eager Crypto Beavers, Video calls and Games}}, date = {2024-09-04}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/apt-lazarus-python-scripts/}, language = {English}, urldate = {2025-01-29} } @online{lozhkin:20230612:sneaky:aca8ca8, author = {Sergey Lozhkin}, title = {{Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency}}, date = {2023-06-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/}, language = {English}, urldate = {2023-08-03} } @online{lpez:20210617:black:f563c4b, author = {Marc Rivero López}, title = {{Black Kingdom ransomware}}, date = {2021-06-17}, organization = {Kaspersky}, url = {https://securelist.com/black-kingdom-ransomware/102873/}, language = {English}, urldate = {2021-06-21} } @online{lpez:20211006:to:8e09f8a, author = {Martina López}, title = {{To the moon and hack: Fake SafeMoon app drops malware to spy on you}}, date = {2021-10-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/}, language = {English}, urldate = {2021-10-11} } @online{lpez:20220720:luna:176a613, author = {Marc Rivero López and Jornt van der Wiel and Dmitry Galov and Sergey Lozhkin}, title = {{Luna and Black Basta — new ransomware for Windows, Linux and ESXi}}, date = {2022-07-20}, organization = {Kaspersky}, url = {https://securelist.com/luna-black-basta-ransomware/106950}, language = {English}, urldate = {2022-07-25} } @online{lpez:20241212:mask:c95193c, author = {Georgy Kucherin & Marc Rivero López}, title = {{The Mask Has Been Unmasked Again}}, date = {2024-12-12}, organization = {Kaspersky}, url = {https://securelist.com/careto-is-back/114942/}, language = {English}, urldate = {2024-12-16} } @online{ltd:20200618:behind:a5e168d, author = {Security division of NTT Ltd.}, title = {{Behind the scenes of the Emotet Infrastructure}}, date = {2020-06-18}, organization = {NTT Security}, url = {https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure}, language = {English}, urldate = {2020-06-20} } @online{ltd:20200706:trickbot:9612912, author = {Security division of NTT Ltd.}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2020-07-06}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-07-30} } @online{ltd:20200720:shellbot:adab896, author = {Security division of NTT Ltd.}, title = {{Shellbot victim overlap with Emotet network infrastructure}}, date = {2020-07-20}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure}, language = {English}, urldate = {2020-07-30} } @techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } @online{lu:20170126:deep:70f2c9e, author = {Kai Lu}, title = {{Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part I: Debugging in The Scope of Native Layer}}, date = {2017-01-26}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer}, language = {English}, urldate = {2020-01-10} } @online{lu:20170126:deep:d965de0, author = {Kai Lu}, title = {{Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java}}, date = {2017-01-26}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java}, language = {English}, urldate = {2020-01-08} } @online{lu:20190606:deep:0ac679a, author = {Kai Lu}, title = {{A Deep Dive into the Emotet Malware}}, date = {2019-06-06}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html}, language = {English}, urldate = {2020-01-07} } @online{lu:20190616:deep:ba89738, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)}}, date = {2019-06-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html}, language = {English}, urldate = {2019-11-27} } @online{lu:20190709:deep:90d708f, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection}}, date = {2019-07-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html}, language = {English}, urldate = {2020-01-08} } @online{lu:20190722:deep:a4bdd84, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part III - Analysis of Child Processes}}, date = {2019-07-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html}, language = {English}, urldate = {2020-01-13} } @online{lu:20240220:earth:69f6c10, author = {Sunny Lu and Pierre Lee}, title = {{Earth Preta Campaign Uses DOPLUGS to Target Asia}}, date = {2024-02-20}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html}, language = {English}, urldate = {2024-07-10} } @online{lubiedo:20200608:dark:6e9abe3, author = {Twitter (@_lubiedo)}, title = {{Dark Nexus: the old, the new and the ugly}}, date = {2020-06-08}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly}, language = {English}, urldate = {2020-06-10} } @online{luce:20190308:iranianbacked:5b34dea, author = {Dan De Luce and Courtney Kube}, title = {{Iranian-backed hackers stole data from major U.S. government contractor}}, date = {2019-03-08}, organization = {NBC}, url = {https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986}, language = {English}, urldate = {2020-01-13} } @online{luce:20240514:chinalinked:a12d82b, author = {Dan De Luce and Jean-Nicholas Fievet}, title = {{China-linked group uses malware to try to spy on commercial shipping, new report says}}, date = {2024-05-14}, organization = {NBC}, url = {https://www.nbcnews.com/news/world/china-linked-group-malware-spy-commercial-shipping-cargo-report-eset-rcna152129}, language = {English}, urldate = {2024-09-13} } @online{lucia:20181221:apt28:466f390, author = {Emanuele De Lucia}, title = {{APT28 / Sofacy – SedUploader under the Christmas tree}}, date = {2018-12-21}, url = {https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/}, language = {English}, urldate = {2020-03-30} } @online{lucia:20200925:vs:5b8c949, author = {Emanuele De Lucia}, title = {{APT vs Internet Service Providers}}, date = {2020-09-25}, url = {https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view}, language = {English}, urldate = {2020-10-02} } @online{lucia:20210125:affiliates:cd12c6f, author = {Emanuele De Lucia}, title = {{Affiliates vs Hunters: Fighting the DarkSide}}, date = {2021-01-25}, organization = {SOC Prime}, url = {https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/}, language = {English}, urldate = {2021-01-26} } @online{lucia:20211105:bigboss:bcea512, author = {Emanuele De Lucia}, title = {{The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors}}, date = {2021-11-05}, organization = {Emanuele De Lucia on Security}, url = {https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/}, language = {English}, urldate = {2021-11-08} } @online{lucia:20241019:hey:78b7caa, author = {Emanuele De Lucia}, title = {{“Hey ESET, Wait for the Leak”: Dissecting the “OctoberSeventh” Wiper targeting ESET customers in Israel}}, date = {2024-10-19}, organization = {Emanuele De Lucia on Security}, url = {https://www.emanueledelucia.net/hey-eset-wait-for-the-leak-dissecting-the-octoberseventh-wiper-targeting-eset-customers-in-israel/}, language = {English}, urldate = {2024-12-16} } @online{luckyduck:20151216:facebook:3632e6d, author = {LuckyDuck}, title = {{Facebook page advertising DarkTrack RAT}}, date = {2015-12-16}, organization = {Facebook (darktrackrat)}, url = {https://www.facebook.com/darktrackrat/}, language = {English}, urldate = {2020-01-08} } @online{luis:20170224:necurs:629636f, author = {Sofia Luis}, title = {{Necurs Proxy Module With DDOS Features}}, date = {2017-02-24}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features}, language = {English}, urldate = {2019-12-06} } @online{lukaszewski:20210720:hancitors:1baf2f1, author = {Mateusz Lukaszewski}, title = {{Hancitor’s Multi-Step Delivery Process}}, date = {2021-07-20}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/}, language = {English}, urldate = {2021-08-02} } @online{lunden:20210525:crimes:6597645, author = {Keith Lunden and Daniel Kapellmann Zafra and Nathan Brubaker}, title = {{Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises}}, date = {2021-05-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophistication-operational-technology-compromises.html}, language = {English}, urldate = {2021-06-16} } @online{lunghi:20171211:untangling:5f00f99, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Cyberespionage Group}}, date = {2017-12-11}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite}, language = {English}, urldate = {2019-10-21} } @online{lunghi:20180829:bahamut:b915eba, author = {Daniel Lunghi and Ecular Xu}, title = {{Bahamut, Confucius and Patchwork Connected to Urpage}}, date = {2018-08-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html}, language = {English}, urldate = {2024-02-08} } @online{lunghi:20180829:urpage:0f63a4b, author = {Daniel Lunghi and Ecular Xu}, title = {{The Urpage Connection to Bahamut, Confucius and Patchwork}}, date = {2018-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/}, language = {English}, urldate = {2020-01-06} } @techreport{lunghi:20181009:untangling:348f703, author = {Daniel Lunghi and Jaromír Hořejší and Cedric Pernet}, title = {{Untangling the Patchwork Espionage Group}}, date = {2018-10-09}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-06} } @online{lunghi:20190610:muddywater:b87a78a, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools}}, date = {2019-06-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/}, language = {English}, urldate = {2019-11-27} } @techreport{lunghi:20190610:new:4f86b75, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More}}, date = {2019-06-10}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{lunghi:20191002:abusing:3c9a1b7, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Abusing third-party cloud services in targeted attacks}}, date = {2019-10-02}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf}, language = {English}, urldate = {2020-01-13} } @online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } @techreport{lunghi:20200218:uncovering:d96f725, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl}}, date = {2020-02-18}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf}, language = {English}, urldate = {2020-04-01} } @techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } @online{lunghi:20210409:iron:402e62f, author = {Daniel Lunghi and Kenney Lu}, title = {{Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware}}, date = {2021-04-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html}, language = {English}, urldate = {2021-04-09} } @techreport{lunghi:20210602:taking:49c7b1f, author = {Daniel Lunghi}, title = {{Taking Advantage of PE Metadata,or How To Complete your Favorite ThreatActor’s Sample Collection (Paper)}}, date = {2021-06-02}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf}, language = {English}, urldate = {2021-06-11} } @techreport{lunghi:20210602:taking:f1bdefc, author = {Daniel Lunghi}, title = {{Taking Advantage of PE Metadata, or How To Complete Your Favorite Threat Actor’s Sample Collection}}, date = {2021-06-02}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf}, language = {English}, urldate = {2021-06-09} } @online{lunghi:20210817:confucius:f0f4578, author = {Daniel Lunghi}, title = {{Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military}}, date = {2021-08-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html}, language = {English}, urldate = {2021-08-23} } @online{lunghi:20220427:new:9068f6e, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}}, date = {2022-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html}, language = {English}, urldate = {2023-04-18} } @techreport{lunghi:20220427:operation:bdba881, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gambling Puppet}}, date = {2022-04-27}, institution = {Trendmicro}, url = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf}, language = {English}, urldate = {2022-07-25} } @online{lunghi:20220507:operation:749c341, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Gamblingpuppet: Analysis Of A Multiplatform Campaign Targeting Online Gambling Customers}}, date = {2022-05-07}, organization = {YouTube (botconf eu)}, url = {https://www.youtube.com/watch?v=QXGO4RJaUPQ}, language = {English}, urldate = {2022-07-25} } @techreport{lunghi:20220523:operation:e3c402b, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Earth Berberoka}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf}, language = {English}, urldate = {2022-07-25} } @online{lunghi:20220812:iron:38c15d7, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (IOCs)}}, date = {2022-08-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt}, language = {English}, urldate = {2022-08-18} } @online{lunghi:20220812:iron:c55d0cd, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users}}, date = {2022-08-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html}, language = {English}, urldate = {2022-08-18} } @online{lunghi:20230301:iron:20d88cd, author = {Daniel Lunghi}, title = {{Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting}}, date = {2023-03-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html}, language = {English}, urldate = {2023-03-13} } @online{lunghi:20230714:possible:94fad78, author = {Daniel Lunghi}, title = {{Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad}}, date = {2023-07-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html}, language = {English}, urldate = {2023-09-04} } @techreport{lunghi:20231004:possible:288a5ec, author = {Daniel Lunghi}, title = {{Possible supply chain attack targeting Pakistan government delivers ShadowPad}}, date = {2023-10-04}, institution = {Trend Micro}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf}, language = {English}, urldate = {2024-04-11} } @techreport{lunghi:20231004:possible:4af4998, author = {Daniel Lunghi}, title = {{Possible supply chain attack targeting Pakistan government delivers Shadowpad (Slides)}}, date = {2023-10-04}, institution = {Trend Micro}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf}, language = {English}, urldate = {2024-04-11} } @online{lunghi:20231107:possible:8734ebc, author = {Daniel Lunghi}, title = {{Possible supply chain attack targeting South Asian government delivers Shadowpad}}, date = {2023-11-07}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=i52MH-YFEeo}, language = {English}, urldate = {2024-04-11} } @online{lunghi:20240318:earth:b75c520, author = {Daniel Lunghi and Joseph C Chen}, title = {{Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks}}, date = {2024-03-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html}, language = {English}, urldate = {2024-04-11} } @online{lunghi:20250220:updated:6b71efa, author = {Daniel Lunghi}, title = {{Updated Shadowpad Malware Leads to Ransomware Deployment}}, date = {2025-02-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html}, language = {English}, urldate = {2025-03-07} } @online{lunghi:20250220:updated:bc82dd3, author = {Daniel Lunghi}, title = {{Updated Shadowpad Malware Leads to Ransomware Deployment}}, date = {2025-02-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/fr_fr/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html}, language = {English}, urldate = {2025-02-21} } @online{lussier:20210115:detecting:fecd6c3, author = {Dan Lussier}, title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}}, date = {2021-01-15}, organization = {Medium Dansec}, url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64}, language = {English}, urldate = {2021-01-21} } @online{lvarez:20220713:go:6ffedb7, author = {David Álvarez}, title = {{Go malware on the rise}}, date = {2022-07-13}, organization = {Avast}, url = {https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/}, language = {English}, urldate = {2022-07-15} } @online{lynch:20150623:exclusive:3fbed86, author = {Sarah N. Lynch and Joseph Menn}, title = {{Exclusive: SEC hunts hackers who stole corporate emails to trade stocks}}, date = {2015-06-23}, organization = {Reuters}, url = {https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623}, language = {English}, urldate = {2020-01-08} } @online{lynch:20160419:multigrain:94e7443, author = {Cian Lynch and Dimiter Andonov and Claudiu Teodorescu}, title = {{MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry}}, date = {2016-04-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html}, language = {English}, urldate = {2019-12-20} } @online{lyngaas:20190509:chinese:90e8320, author = {Sean Lyngaas}, title = {{Chinese national indicted for 2015 Anthem breach}}, date = {2019-05-09}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/}, language = {English}, urldate = {2020-01-13} } @online{lyngaas:20200528:german:0be9cc3, author = {Sean Lyngaas}, title = {{German intelligence agencies warn of Russian hacking threats to critical infrastructure}}, date = {2020-05-28}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/german-intelligence-memo-berserk-bear-critical-infrastructure/}, language = {English}, urldate = {2020-05-29} } @online{lyngaas:20200528:israeli:481ca71, author = {Sean Lyngaas}, title = {{Israeli official confirms attempted cyberattack on water systems}}, date = {2020-05-28}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/israel-cyberattacks-water-iran-yigal-unna/}, language = {English}, urldate = {2020-05-29} } @online{lyngaas:20201019:industry:8c1a41e, author = {Sean Lyngaas}, title = {{Industry alert pins state, local government hacking on suspected Russian group (Temp.Isotope)}}, date = {2020-10-19}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/russia-temp-isotope-election-security-mandiant/}, language = {English}, urldate = {2020-10-23} } @online{lyngaas:20201021:muddywater:00082e2, author = {Sean Lyngaas}, title = {{'MuddyWater' spies suspected in attacks against Middle East governments, telecoms}}, date = {2020-10-21}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/}, language = {English}, urldate = {2020-10-23} } @online{lyngaas:20210416:fin7:4441665, author = {Sean Lyngaas}, title = {{FIN7 'technical guru' sentenced to 10 years in prison}}, date = {2021-04-16}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/fedir-hladyr-fin7-sentencing-prison/}, language = {English}, urldate = {2021-04-19} } @online{lyngaas:20210601:exus:8b4d1b4, author = {Sean Lyngaas}, title = {{Ex-US ambassador, anti-corruption activists in Ukraine were targets of suspected Russian phishing}}, date = {2021-06-01}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/russia-espionage-europe-human-rights/}, language = {English}, urldate = {2021-06-09} } @online{lyngaas:20220202:us:7122665, author = {Sean Lyngaas}, title = {{US officials prepare for potential Russian cyberattacks as Ukraine standoff continues}}, date = {2022-02-02}, organization = {CNN}, url = {https://edition.cnn.com/2022/02/02/politics/fbi-ukraine-cyber-russia/index.html}, language = {English}, urldate = {2022-02-02} } @online{lypko:20250306:deciphering:f503d3c, author = {Oleg Lypko and Estelle Ruellan and Tammy Harper}, title = {{Deciphering Black Basta’s Infrastructure from the Chat Leak}}, date = {2025-03-06}, organization = {flare}, url = {https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-le}, language = {English}, urldate = {2025-03-25} } @online{lytzki:20220407:revenge:9f4c4e4, author = {Igal Lytzki}, title = {{Revenge RAT Malware is back: From Microsoft Excel macros to Remote Access Trojan}}, date = {2022-04-07}, organization = {Perception Point}, url = {https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/}, language = {English}, urldate = {2022-06-09} } @online{lytzki:20220821:behind:e6e884e, author = {Igal Lytzki}, title = {{Behind the Attack: Remcos RAT}}, date = {2022-08-21}, organization = {Perception Point}, url = {https://perception-point.io/behind-the-attack-remcos-rat/}, language = {English}, urldate = {2022-09-22} } @online{lytzki:20220929:doenerium:06e117e, author = {Igal Lytzki}, title = {{Doenerium: It’s Not a Crime to Steal From Thieves}}, date = {2022-09-29}, organization = {Perception Point}, url = {https://perception-point.io/doenerium-malware/}, language = {English}, urldate = {2022-09-30} } @online{lytzki:20230206:behind:0604cde, author = {Igal Lytzki}, title = {{Behind the Attack: Paradies Clipper Malware}}, date = {2023-02-06}, organization = {Perception Point}, url = {https://perception-point.io/blog/behind-the-attack-paradies-clipper-malware/}, language = {English}, urldate = {2023-02-09} } @online{lytzki:20230716:manipulated:f37546f, author = {Igal Lytzki}, title = {{Manipulated Caiman: The Sophisticated Snare of Mexico’s Banking Predators}}, date = {2023-07-16}, organization = {Perception Point}, url = {https://perception-point.io/blog/manipulated-caiman-the-sophisticated-snare-of-mexicos-banking-predators-technical-edition/}, language = {English}, urldate = {2024-03-13} } @online{lytzki:20231121:xworm:ae4f2eb, author = {Igal Lytzki}, title = {{XWorm Malware: Exploring C&C Communication}}, date = {2023-11-21}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/}, language = {English}, urldate = {2023-11-22} } @techreport{lyu:20250121:follow:262037f, author = {JeongGak Lyu}, title = {{Follow the Clues - Everyday is lazarus.day}}, date = {2025-01-21}, institution = {Financial Security Institute}, url = {https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_6_jeonggak-lyu_en.pdf}, language = {English}, urldate = {2025-03-27} } @online{m0br3v:20210721:copera:edaa852, author = {@m0br3v}, title = {{The Coper―a new Android banking trojan targeting Colombian users}}, date = {2021-07-21}, organization = {Doctor Web}, url = {https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0}, language = {English}, urldate = {2021-07-22} } @online{m0n0ph1:20170418:github:63a0bd5, author = {m0n0ph1}, title = {{Github repository for trochilus RAT}}, date = {2017-04-18}, organization = {Github (m0n0ph1)}, url = {https://github.com/m0n0ph1/malware-1/tree/master/Trochilus}, language = {English}, urldate = {2020-01-06} } @online{m0rv4i:20211112:malware:fd14776, author = {m0rv4i}, title = {{Malware Analysis: Syscalls: Examining how to analyse malware that uses syscalls as opposed to API calls}}, date = {2021-11-12}, organization = {jmpesp.me}, url = {https://jmpesp.me/malware-analysis-syscalls-example/}, language = {English}, urldate = {2021-11-17} } @online{m3h51n:20220327:malware:b1e1deb, author = {M3H51N}, title = {{Malware Analysis — NanoCore Rat}}, date = {2022-03-27}, organization = {Medium M3H51N}, url = {https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918}, language = {English}, urldate = {2022-04-04} } @online{m4lcode:20240118:detect:be45db8, author = {M4lcode and Mostafa Farghaly}, title = {{Detect Mortis Locker Ransomware with YARA}}, date = {2024-01-18}, url = {https://m4lcode.github.io/malware%20analysis/Mortis-Locker-YARA-Rule/}, language = {English}, urldate = {2024-02-05} } @online{m4lcode:20240315:matanbuchus:d0ab15d, author = {M4lcode}, title = {{Matanbuchus Loader Detailed Analysis}}, date = {2024-03-15}, organization = {cyber5w}, url = {https://blog.cyber5w.com/matanbuchus-loader-analysis}, language = {English}, urldate = {2024-04-10} } @online{m4lcode:20240321:cryptnet:ca9a3be, author = {M4lcode}, title = {{CryptNet Ransomware Detailed Analysis}}, date = {2024-03-21}, organization = {cyber5w}, url = {https://blog.cyber5w.com/cryptnet-ransomware-analysis}, language = {English}, urldate = {2024-04-10} } @online{m4lcode:20240407:gafgyt:0c48b42, author = {M4lcode}, title = {{Gafgyt Backdoor Analysis}}, date = {2024-04-07}, organization = {cyber5w}, url = {https://blog.cyber5w.com/gafgyt-backdoor-analysis}, language = {English}, urldate = {2024-04-10} } @online{m4lcode:20240413:analysis:bef44a8, author = {M4lcode and cyber5w}, title = {{Analysis of malicious Microsoft office macros}}, date = {2024-04-13}, organization = {cyber5w}, url = {https://blog.cyber5w.com/analyzing-macro-enabled-office-documents}, language = {English}, urldate = {2024-05-17} } @online{m4lcode:20240429:how:31baad6, author = {M4lcode and cyber5w}, title = {{How to unpack Death Ransomware}}, date = {2024-04-29}, organization = {cyber5w}, url = {https://blog.cyber5w.com/the-most-known-unpacking-technique}, language = {English}, urldate = {2024-05-17} } @online{m4lcode:20240728:cybergate:56e6332, author = {M4lcode and cyber5w}, title = {{CyberGate Technical Analysis}}, date = {2024-07-28}, organization = {cyber5w}, url = {https://blog.cyber5w.com/cybergate-malware-analysis}, language = {English}, urldate = {2024-08-15} } @online{m4lcode:20250224:six:556489d, author = {M4lcode}, title = {{Six Months Undetected: Analysis of archive.org hosted .NET PE Injector}}, date = {2025-02-24}, organization = {DeXpose}, url = {https://blog.dexpose.io/analysis-of-archive-org-hosted-pe-injector}, language = {English}, urldate = {2025-07-07} } @online{m4lcode:20250303:purelogs:ec29d4d, author = {M4lcode}, title = {{PureLogs Deep Analysis: Evasion, Data Theft, and Encryption Mechanism}}, date = {2025-03-03}, organization = {DeXpose}, url = {https://blog.dexpose.io/purelogger-deep-analysis-evasion-data-theft-and-encryption-mechanism/}, language = {English}, urldate = {2025-07-07} } @online{m4lcode:20250315:understanding:12a39bc, author = {M4lcode}, title = {{Understanding SalatStealer: Features and Impact}}, date = {2025-03-15}, organization = {DeXpose}, url = {https://blog.dexpose.io/understanding-salatstealer-features-and-impact/}, language = {English}, urldate = {2025-06-17} } @online{m4lcode:20250411:flesh:3c403c7, author = {M4lcode}, title = {{Flesh Stealer: A Report on Multivector Data Theft}}, date = {2025-04-11}, organization = {DeXpose}, url = {https://blog.dexpose.io/flesh-stealer-a-report-on-multivector-data-theft/}, language = {English}, urldate = {2025-06-17} } @online{m4lcode:20250623:anydesk:8be7abf, author = {M4lcode}, title = {{AnyDesk Clone Drops .NET Loader with AES Encrypted Payload and AV Evasion Delivering Phemedrone Stealer}}, date = {2025-06-23}, organization = {DeXpose}, url = {https://blog.dexpose.io/anydesk-clone-drops-net-loader-with-aes-encrypted-payload-and-av-evasion-delivering-phemedrone-stealer}, language = {English}, urldate = {2025-07-07} } @online{m4n0w4r:20181103:l:d496fbd, author = {m4n0w4r}, title = {{Là 1937CN hay OceanLotus hay Lazarus …}}, date = {2018-11-03}, url = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20190103:another:2f48120, author = {m4n0w4r}, title = {{Another malicious document with CVE-2017–11882}}, date = {2019-01-03}, url = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20190531:thng:c687d46, author = {m4n0w4r}, title = {{Thưởng tết….}}, date = {2019-05-31}, organization = {TradaHacking}, url = {https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7}, language = {Vietnamese}, urldate = {2020-01-10} } @online{m4n0w4r:20190627:tc:90087b2, author = {m4n0w4r}, title = {{Tốc kí một sample sử dụng CVE_2018_20250 (Target VN)}}, date = {2019-06-27}, url = {https://tradahacking.vn/t%E1%BB%91c-k%C3%AD-m%E1%BB%99t-sample-s%E1%BB%AD-d%E1%BB%A5ng-cve-2018-20250-target-vn-3ba306bf3d83}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20191008:mt:a14c60d, author = {m4n0w4r}, title = {{Một sample nhắm vào Bank ở VN}}, date = {2019-10-08}, url = {https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468}, language = {Vietnamese}, urldate = {2020-03-11} } @online{m4n0w4r:20191219:re009:fc59940, author = {m4n0w4r}, title = {{[RE009] Analysis of malicious code "PLAN, KEY TASKS IN 2020.doc" attached to phishing email}}, date = {2019-12-19}, organization = {VinCSS}, url = {https://blog.vincss.net/vi/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-nam-2020-doc-dinh-kem-email-phishing-2/}, language = {Vietnamese}, urldate = {2024-02-06} } @online{m4n0w4r:20200109:heres:9f5328c, author = {m4n0w4r and Tran Trung Kien}, title = {{Here's what Macro malware is available}}, date = {2020-01-09}, organization = {VinCSS}, url = {https://blog.vincss.net/vi/cac-ki-thuat-macro-malware-pho-bien-2/}, language = {Vietnamese}, urldate = {2024-02-06} } @online{m4n0w4r:20200310:re012:43d61e3, author = {m4n0w4r}, title = {{[RE012] Analysis of malware taking advantage of the Covid-19 epidemic to spread fake "Directive of Prime Minister Nguyen Xuan Phuc" - Part 1}}, date = {2020-03-10}, organization = {VinCSS}, url = {https://blog.vincss.net/vi/re012-1-phan-tich-ma-doc-loi-dung-dich-covid-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-nguyen-xuan-phuc-phan-1-2/}, language = {Vietnamese}, urldate = {2024-02-06} } @online{m4n0w4r:20200319:analysis:461fca7, author = {m4n0w4r}, title = {{Analysis of malware taking advantage of the Covid-19 epidemic to spread fake "Directive of Prime Minister Nguyen Xuan Phuc" - Part 2}}, date = {2020-03-19}, organization = {VinCSS}, url = {https://blog.vincss.net/vi/re012-2-phan-tich-ma-doc-loi-dung-dich-covid-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-nguyen-xuan-phuc-phan-2-2/}, language = {Vietnamese}, urldate = {2024-02-06} } @online{m4n0w4r:20200406:re015:25d6bde, author = {m4n0w4r and Tran Trung Kien}, title = {{[RE015] “Heaven’s Gate” An old but effective technique}}, date = {2020-04-06}, organization = {VinCSS}, url = {https://blog.vincss.net/vi/re015-heavens-gate-mot-ki-thuat-cu-nhung-hieu-qua-2/}, language = {Vietnamese}, urldate = {2024-02-06} } @online{m4n0w4r:20200505:guloader:926315b, author = {m4n0w4r and Dang Dinh Phuong}, title = {{GuLoader AntiVM Techniques}}, date = {2020-05-05}, organization = {VinCSS}, url = {https://blog.vincss.net/vi/re014-guloader-antivm-techniques/}, language = {Vietnamese}, urldate = {2024-02-06} } @online{m4n0w4r:20200627:quick:4b18a32, author = {m4n0w4r}, title = {{Quick analysis note about GuLoader (or CloudEyE)}}, date = {2020-06-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/}, language = {English}, urldate = {2020-07-13} } @online{m4n0w4r:20200816:manual:7a970b8, author = {m4n0w4r}, title = {{Manual Unpacking IcedID Write-up}}, date = {2020-08-16}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/}, language = {English}, urldate = {2020-08-20} } @online{m4n0w4r:20200911:re016:5134994, author = {m4n0w4r}, title = {{[RE016] Malware Analysis: ModiLoader}}, date = {2020-09-11}, organization = {VinCSS}, url = {https://blog.vincss.net/re016-malware-analysis-modiloader/}, language = {English}, urldate = {2024-02-06} } @online{m4n0w4r:20210511:quick:34539c5, author = {m4n0w4r}, title = {{Quick analysis note about DealPly (Adware)}}, date = {2021-05-11}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/}, language = {English}, urldate = {2021-05-19} } @online{m4n0w4r:20210524:re022:97829ca, author = {m4n0w4r and Trương Quốc Ngân}, title = {{[RE022] Part 1: Quick analysis of malicious sample forging the official dispatch of the Central Inspection Committee}}, date = {2021-05-24}, organization = {VinCSS}, url = {https://blog.vincss.net/re022-part-1-quick-analysis-of-malicious-sample-forging-the-official-dispatch-of-the-central-inspection-committee/}, language = {English}, urldate = {2024-02-06} } @online{m4n0w4r:20210804:quicknote:791df11, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] MountLocker – Some pseudo-code snippets}}, date = {2021-08-04}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/}, language = {English}, urldate = {2021-09-09} } @online{m4n0w4r:20210906:quick:0a892b2, author = {m4n0w4r}, title = {{Quick analysis CobaltStrike loader and shellcode}}, date = {2021-09-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/}, language = {English}, urldate = {2021-09-10} } @online{m4n0w4r:20211027:re025:52c8a55, author = {m4n0w4r and Tran Trung Kien}, title = {{[RE025] TrickBot ... many tricks}}, date = {2021-10-27}, organization = {VinCSS}, url = {https://blog.vincss.net/re025-trickbot-many-tricks/}, language = {English}, urldate = {2024-02-06} } @online{m4n0w4r:20211116:short:97d45fa, author = {m4n0w4r}, title = {{Tweet on short analysis of QakBot}}, date = {2021-11-16}, organization = {Twitter (@kienbigmummy)}, url = {https://twitter.com/kienbigmummy/status/1460537501676802051}, language = {English}, urldate = {2021-11-19} } @online{m4n0w4r:20220123:quicknote:852995b, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Emotet epoch4 & epoch5 tactics}}, date = {2022-01-23}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/}, language = {English}, urldate = {2022-01-25} } @online{m4n0w4r:20220126:quicknote:caae223, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Analysis of malware suspected to be an APT attack targeting Vietnam}}, date = {2022-01-26}, organization = {VinCSS}, url = {https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/}, language = {English}, urldate = {2023-07-24} } @online{m4n0w4r:20220224:quicknote:bea9238, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Techniques for decrypting BazarLoader strings}}, date = {2022-02-24}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/}, language = {English}, urldate = {2022-03-01} } @online{m4n0w4r:20220425:re026:6e05ed2, author = {m4n0w4r and Tran Trung Kien}, title = {{[RE026] A Deep Dive into Zloader - the Silent Night}}, date = {2022-04-25}, organization = {VinCSS}, url = {https://blog.vincss.net/re026-a-deep-dive-into-zloader-the-silent-night/}, language = {English}, urldate = {2024-02-06} } @online{m4n0w4r:20220520:re027:38348db, author = {m4n0w4r and Tran Trung Kien and Dang Dinh Phuong}, title = {{[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam}}, date = {2022-05-20}, organization = {VinCSS}, url = {https://blog.vincss.net/re027-china-based-apt-mustang-panda-might-still-have-continued-their-attack-activities-against-organizations-in-vietnam/}, language = {English}, urldate = {2024-02-06} } @online{m4n0w4r:20220604:quicknote:dc79142, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] CobaltStrike SMB Beacon Analysis}}, date = {2022-06-04}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/}, language = {English}, urldate = {2022-06-07} } @techreport{m4n0w4r:20220909:mustang:120306a, author = {m4n0w4r}, title = {{“Mustang Panda” – Enemy at the gate}}, date = {2022-09-09}, institution = {Github (m4now4r)}, url = {https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf}, language = {English}, urldate = {2022-09-26} } @online{m4n0w4r:20221217:quicknote:9b33765, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] VidarStealer Analysis}}, date = {2022-12-17}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/}, language = {English}, urldate = {2022-12-19} } @online{m4n0w4r:20221219:z2abimonthly:8edee72, author = {m4n0w4r and Tran Trung Kien}, title = {{[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)}}, date = {2022-12-19}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/}, language = {English}, urldate = {2022-12-20} } @online{m4n0w4r:20221227:diving:857147e, author = {m4n0w4r and Tran Trung Kien}, title = {{Diving into a PlugX sample of Mustang Panda group}}, date = {2022-12-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/}, language = {English}, urldate = {2022-12-29} } @online{m4n0w4r:20230109:quicknote:5a8b18c, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Another nice PlugX sample}}, date = {2023-01-09}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/}, language = {English}, urldate = {2023-01-10} } @online{m4n0w4r:20230522:case:c053ed3, author = {m4n0w4r}, title = {{[Case study] Decrypt strings using Dumpulator}}, date = {2023-05-22}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/05/22/case-study-decrypt-strings-using-dumpulator/}, language = {English}, urldate = {2023-05-25} } @techreport{m4n0w4r:20230911:unveiling:869d357, author = {m4n0w4r}, title = {{Unveiling Qakbot Exploring one of the Most Active Threat Actors}}, date = {2023-09-11}, institution = {Github (m4now4r)}, url = {https://github.com/m4now4r/Presentations/blob/main/Unveiling%20Qakbot%3A%20Exploring%20one%20of%20the%20Most%20Active%20Threat%20Actors/Unveiling%20Qakbot_Exploring%20one%20of%20the%20Most%20Active%20Threat%20Actors.pdf}, language = {English}, urldate = {2024-02-21} } @online{m4n0w4r:20240409:quicknote:74ac210, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Phishing email distributes WarZone RAT via DBatLoader}}, date = {2024-04-09}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/}, language = {English}, urldate = {2024-04-10} } @online{m4n0w4r:20240424:quicknote:0389087, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Qakbot 5.0 – Decrypt strings and configuration}}, date = {2024-04-24}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/}, language = {English}, urldate = {2024-04-29} } @online{m4n0w4r:20240606:quicknote:77f0c47, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] DarkGate – Make AutoIt Great Again}}, date = {2024-06-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2024/06/06/quicknote-darkgate-make-autoit-great-again/}, language = {English}, urldate = {2024-06-10} } @online{m4n0w4r:20240810:quicknote:679fa50, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Retrieve unknown python stealer from PyInstaller}}, date = {2024-08-10}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2024/08/10/quicknote-retrieve-unknown-python-stealer-from-pyinstaller/}, language = {English}, urldate = {2024-08-15} } @online{m:20170216:nefarious:a0ed57b, author = {Winston M}, title = {{Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!}}, date = {2017-02-16}, organization = {Cysinfo}, url = {https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/}, language = {English}, urldate = {2019-10-23} } @online{m:20200827:revisiting:bac6d3b, author = {Facundo M}, title = {{Revisiting EquationGroup’s FANNY… or is it DEMENTIAWHEEL?}}, date = {2020-08-27}, organization = {fmnagisa wordpress}, url = {https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/}, language = {English}, urldate = {2020-10-04} } @online{m:20230203:threat:055d818, author = {Pavan Karthick M and Deepanjli Paulraj}, title = {{Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware}}, date = {2023-02-03}, organization = {Cloudsek}, url = {https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware}, language = {English}, urldate = {2024-05-14} } @online{m:20240203:from:f1d4ab5, author = {Pavan Karthick M}, title = {{From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet}}, date = {2024-02-03}, organization = {Cloudsek}, url = {https://www.cloudsek.com/blog/from-discussion-forums-to-malware-mayhem-the-alarming-rise-of-abuse-on-google-groups-and-usenet}, language = {English}, urldate = {2024-02-05} } @online{m:20240211:unpacking:c095752, author = {Otávio M.}, title = {{Unpacking an Emotet trojan}}, date = {2024-02-11}, organization = {Estrellas's Blog}, url = {https://estr3llas.github.io/unpacking-an-emotet-trojan/}, language = {English}, urldate = {2024-04-15} } @online{m:20240212:unveiling:d28fb73, author = {Otávio M.}, title = {{Unveiling custom packers: A comprehensive guide}}, date = {2024-02-12}, organization = {Estrellas's Blog}, url = {https://estr3llas.github.io/unveiling-custom-packers-a-comprehensive-guide/}, language = {English}, urldate = {2024-04-15} } @online{m:20240330:gluptebas:b0a962f, author = {Otávio M.}, title = {{Glupteba's .NET dropper deep dive.}}, date = {2024-03-30}, organization = {Estrellas's Blog}, url = {https://estr3llas.github.io/gluptebas-dotnet-dropper-deep-dive/}, language = {English}, urldate = {2024-04-15} } @online{m:20240417:redline:e600865, author = {Mohansundaram M and Neil Tyagi}, title = {{Redline Stealer: A Novel Approach}}, date = {2024-04-17}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/}, language = {English}, urldate = {2024-05-06} } @online{ma:20200831:in:4af10a4, author = {Yanlong Ma and GenShen Ye and Ye Jin}, title = {{In the wild QNAP NAS attacks}}, date = {2020-08-31}, organization = {Netlab}, url = {https://blog.netlab.360.com/in-the-wild-qnap-nas-attacks-en/}, language = {English}, urldate = {2020-09-01} } @online{ma:20201203:another:bb8fa99, author = {Yanlong Ma and GenShen Ye}, title = {{Another LILIN DVR 0-day being used to spread Mirai}}, date = {2020-12-03}, organization = {360 netlab}, url = {https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/}, language = {English}, urldate = {2020-12-08} } @online{ma:20210305:qnap:c353950, author = {Yanlong Ma and JiaYu and GenShen Ye}, title = {{QNAP NAS users, make sure you check your system}}, date = {2021-03-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/}, language = {English}, urldate = {2021-03-22} } @online{mabutas:20200511:new:aa2bbd7, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability}, language = {English}, urldate = {2020-06-03} } @online{mabutas:20200511:new:e25ce4e, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/}, language = {English}, urldate = {2020-05-11} } @online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } @techreport{maccaglia:20220718:fin13:bcc74d2, author = {Stefano Maccaglia and Will Gragido}, title = {{FIN13 (Elephant Beetle): Viva la Threat! Anatomy of a Fintech Attack}}, date = {2022-07-18}, institution = {NetWitness}, url = {https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf}, language = {English}, urldate = {2022-08-05} } @online{maccarone:20221006:amazon:2723756, author = {Andre Maccarone and John Ailes and Chapin Bryce}, title = {{Amazon Web Services: Exploring The Cost Of Exfil}}, date = {2022-10-06}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/amazon-web-services-exploring-the-cost-of-exfil/}, language = {English}, urldate = {2023-05-02} } @online{maciejak:20210624:ghosts:75b5f92, author = {David Maciejak and Joie Salvio}, title = {{The Ghosts of Mirai}}, date = {2021-06-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai}, language = {English}, urldate = {2021-06-29} } @techreport{mackenzie:20180801:samsam:73fdb9a, author = {Peter Mackenzie and Dorka Palotay and Andrew Brandt and Mark Stockley and Luca Nagy and Simon Porter and Hajnalka Kope and Claire Mackenzie}, title = {{SamSam: The (Almost) Six Million Dollar Ransomware}}, date = {2018-08-01}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf}, language = {English}, urldate = {2022-03-22} } @techreport{mackenzie:20190917:wannacry:250bb80, author = {Peter Mackenzie}, title = {{WannaCry Aftershock}}, date = {2019-09-17}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf}, language = {English}, urldate = {2022-03-22} } @online{mackenzie:20190918:wannacry:7aeb8e1, author = {Peter Mackenzie}, title = {{The WannaCry hangover}}, date = {2019-09-18}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/}, language = {English}, urldate = {2022-03-18} } @online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } @online{mackenzie:20210216:what:9c9f413, author = {Peter Mackenzie and Tilly Travers}, title = {{What to expect when you’ve been hit with Conti ransomware}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/}, language = {English}, urldate = {2021-02-20} } @online{mackenzie:20210422:twwet:62355c6, author = {Peter Mackenzie}, title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}}, date = {2021-04-22}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688}, language = {English}, urldate = {2021-05-25} } @online{mackenzie:20210612:thread:eac742a, author = {Peter Mackenzie}, title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}}, date = {2021-06-12}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095}, language = {English}, urldate = {2021-06-21} } @online{mackenzie:20210721:conti:085858b, author = {Peter Mackenzie}, title = {{Tweet on Conti ransomware actor installing AnyDesk for remote access in victim environment}}, date = {2021-07-21}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1417849181012647938}, language = {English}, urldate = {2021-07-22} } @online{mackenzie:20210805:conti:8ba71b6, author = {Peter Mackenzie}, title = {{Tweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access}}, date = {2021-08-05}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1423188974298861571}, language = {English}, urldate = {2021-08-06} } @online{mackenzie:20210805:lorenz:c5b406d, author = {Peter Mackenzie}, title = {{Tweet on Lorenz ransomware tricking user into allowing OAuth permissions to "Thunderbird with ExQuilla" for O365}}, date = {2021-08-05}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20}, language = {English}, urldate = {2021-08-06} } @online{maclachlan:20220914:its:1d63d78, author = {James Maclachlan and Mathew Potaczek and Nino Isakovic and Matt Williams and Yash Gupta}, title = {{It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp}}, date = {2022-09-14}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing}, language = {English}, urldate = {2023-10-18} } @online{macnica:20171204:new:4bfec6c, author = {Macnica}, title = {{New method of macro malware disguised as defense-related files}}, date = {2017-12-04}, organization = {Macnica}, url = {http://blog.macnica.net/blog/2017/12/post-8c22.html}, language = {Japanese}, urldate = {2020-01-06} } @techreport{macnica:20200701:business:6ddbc7b, author = {Macnica and ITOCHU Corporation}, title = {{Business Email Scams and Countermeasures, Clever tricks of cyber crimes that cause huge damage}}, date = {2020-07-01}, institution = {}, url = {https://www.macnica.net/pdf/macnica_wp_0729.pdf}, language = {Japanese}, urldate = {2020-08-05} } @online{macrohon:20210504:pingback:4988e88, author = {Lloyd Macrohon and Rodel Mendrez}, title = {{Pingback: Backdoor At The End Of The ICMP Tunnel}}, date = {2021-05-04}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/}, language = {English}, urldate = {2021-05-04} } @online{macrohon:20220113:decrypting:274747e, author = {Lloyd Macrohon and Rodel Mendrez}, title = {{Decrypting Qakbot’s Encrypted Registry Keys}}, date = {2022-01-13}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/}, language = {English}, urldate = {2022-01-25} } @online{madasamy:20240208:unmaskingthedotstealer:eefea9c, author = {Uma Madasamy}, title = {{Unmasking-the-dot-stealer}}, date = {2024-02-08}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/unmasking-the-dot-stealer/}, language = {English}, urldate = {2024-02-09} } @online{madasamy:20240903:luxy:720c4ce, author = {Uma Madasamy}, title = {{Luxy: A Stealer and a Ransomware in one}}, date = {2024-09-03}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/luxy-a-stealer-and-a-ransomware-in-one/}, language = {English}, urldate = {2025-02-13} } @online{madasamy:20250614:spectraransomware:4aa2793, author = {Uma Madasamy}, title = {{SpectraRansomware}}, date = {2025-06-14}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/}, language = {English}, urldate = {2025-06-18} } @online{madayag:20210921:cryptominer:39afc6e, author = {Nikki Madayag and Josefino Fajilago IV}, title = {{Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage}}, date = {2021-09-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html}, language = {English}, urldate = {2021-09-28} } @online{madjar:20240304:ta577s:8e4b041, author = {Tommy Madjar and Kelsey Merriman and Selena Larson}, title = {{TA577’s Unusual Attack Chain Leads to NTLM Data Theft}}, date = {2024-03-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft}, language = {English}, urldate = {2024-03-05} } @online{madjar:20240410:security:87be793, author = {Tommy Madjar and Selena Larson}, title = {{Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer}}, date = {2024-04-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer}, language = {English}, urldate = {2024-04-11} } @online{madjar:20240829:malware:de4cedd, author = {Tommy Madjar and Pim Trouerbach and Selena Larson}, title = {{The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort”}}, date = {2024-08-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort}, language = {English}, urldate = {2024-09-11} } @online{madjar:20241118:security:3223454, author = {Tommy Madjar and Selena Larson and Proofpoint Threat Research Team}, title = {{Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape}}, date = {2024-11-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape}, language = {English}, urldate = {2025-06-02} } @online{maganu:20211025:webassembly:91e667b, author = {Mihai Maganu}, title = {{WebAssembly Is Abused by eCriminals to Hide Malware}}, date = {2021-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ecriminals-increasingly-use-webassembly-to-hide-malware/}, language = {English}, urldate = {2021-11-03} } @online{maganu:20220113:linuxtargeted:66d730c, author = {Mihai Maganu}, title = {{Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent}}, date = {2022-01-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/}, language = {English}, urldate = {2022-01-18} } @online{magazine:20161212:inside:0f139d0, author = {SC Magazine}, title = {{Inside DiamondFox}}, date = {2016-12-12}, organization = {SC Magazine}, url = {https://www.scmagazine.com/inside-diamondfox/article/578478/}, language = {English}, urldate = {2020-01-13} } @online{magdy:20220325:purple:6bf07f5, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html}, language = {English}, urldate = {2023-08-23} } @online{magdy:20220325:purple:bb817d9, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html}, language = {English}, urldate = {2022-03-28} } @techreport{magdy:20220325:purple:ef08c67, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief)}}, date = {2022-03-25}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf}, language = {English}, urldate = {2022-03-28} } @online{magdy:20220325:purple:fffddcf, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs)}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt}, language = {English}, urldate = {2022-03-28} } @online{magdy:20240905:tropic:d70260b, author = {Sherif Magdy}, title = {{Tropic Trooper spies on government entities in the Middle East}}, date = {2024-09-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-tropic-trooper-web-shell-infection/113737/}, language = {English}, urldate = {2024-09-13} } @online{mager:20160419:your:df8bb48, author = {Mark Mager}, title = {{Your Package Has Been Successfully Encrypted: TeslaCrypt 4.1A and the Malware Attack Chain}}, date = {2016-04-19}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack}, language = {English}, urldate = {2020-01-13} } @online{magic:20201220:tracking:9d75102, author = {Security Magic}, title = {{Tracking Jupyter Malware}}, date = {2020-12-20}, organization = {Security Magic}, url = {https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html}, language = {English}, urldate = {2021-06-29} } @online{magisa:20190920:mac:c83a228, author = {Luis Magisa}, title = {{Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website}}, date = {2019-09-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/}, language = {English}, urldate = {2020-05-19} } @online{magisa:20201127:new:851ac9b, author = {Luis Magisa and Steven Du}, title = {{New MacOS Backdoor Connected to OceanLotus Surfaces}}, date = {2020-11-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html}, language = {English}, urldate = {2020-12-01} } @online{magisa:20210622:nukesped:533d027, author = {Luis Magisa and Ariel Neimond Lazaro}, title = {{NukeSped Copies Fileless Code From Bundlore, Leaves It Unused}}, date = {2021-06-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html}, language = {English}, urldate = {2021-06-23} } @online{maglaque:20210804:supply:1b4bee6, author = {Ryan Maglaque and Jessie Prevost and Joelson Soares and Janus Agcaoili}, title = {{Supply Chain Attacks from a Managed Detection and Response Perspective}}, date = {2021-08-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html}, language = {English}, urldate = {2021-08-31} } @online{maglaque:20210927:fake:e02e3a3, author = {Ryan Maglaque and Joelson Soares and Gilbert Sison and Arianne Dela Cruz and Warren Sto.Tomas}, title = {{Fake Installers Drop Malware and Open Doors for Opportunistic Attackers}}, date = {2021-09-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html}, language = {English}, urldate = {2021-10-05} } @online{maharjan:20200515:malware:8c6907f, author = {Nishan Maharjan}, title = {{Malware Analysis: Snake Ransomware}}, date = {2020-05-15}, url = {https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017}, language = {English}, urldate = {2020-05-19} } @online{mahr:20240420:new:220c5ef, author = {Axel Mahr}, title = {{New Robust Technique for Reliably Identifying AsyncRAT/DcRAT/VenomRAT Servers}}, date = {2024-04-20}, organization = {Axel's IT Security Research}, url = {https://axmahr.github.io/posts/asyncrat-detection/}, language = {English}, urldate = {2024-04-23} } @online{mahr:20241214:how:0473261, author = {Axel Mahr}, title = {{How to Identify XenoRAT C2 Servers}}, date = {2024-12-14}, organization = {Axel's IT Security Research}, url = {https://axmahr.github.io/posts/xenorat-detection/}, language = {English}, urldate = {2024-12-16} } @online{mai1zhi2:20211110:mai1zhi2:d2364a1, author = {mai1zhi2}, title = {{mai1zhi2 / SharpBeacon - CobaltStrike Beacon written in .Net 4}}, date = {2021-11-10}, url = {https://github.com/mai1zhi2/SharpBeacon}, language = {Chinese Simplified}, urldate = {2021-11-10} } @online{maiffret:20170311:wikileaks:5ca94e5, author = {Marc Maiffret}, title = {{Wikileaks Vault7 JQJSNICKER code leak}}, date = {2017-03-11}, organization = {Marc Maiffret's Blog}, url = {http://marcmaiffret.com/vault7/}, language = {English}, urldate = {2020-01-13} } @online{mak:20160517:newest:d00afc9, author = {mak}, title = {{Newest addition to a happy family: KBOT}}, date = {2016-05-17}, organization = {CERT.PL}, url = {http://www.cert.pl/news/11379}, language = {English}, urldate = {2020-02-18} } @online{makrushin:20180313:time:7171143, author = {Denis Makrushin and Yury Namestnikov}, title = {{Time of death? A therapeutic postmortem of connected medicine}}, date = {2018-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/time-of-death-connected-medicine/84315/}, language = {English}, urldate = {2019-12-20} } @online{malayke:20200820:use:77d3957, author = {Malayke}, title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}}, date = {2020-08-20}, organization = {Seebug Paper}, url = {https://paper.seebug.org/1301/}, language = {Chinese}, urldate = {2020-08-24} } @online{malbot:20180629:recent:508e44b, author = {MalBot}, title = {{Recent LiteHTTP activities and IOCs}}, date = {2018-06-29}, organization = {Malware.News}, url = {https://malware.news/t/recent-litehttp-activities-and-iocs/21053}, language = {English}, urldate = {2020-01-08} } @online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } @online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } @online{malgamy:20220112:deep:e4c8f1e, author = {MalGamy}, title = {{Deep analysis agent tesla malware}}, date = {2022-01-12}, url = {https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/}, language = {English}, urldate = {2022-01-25} } @online{malgamy:20221212:yara:cf16de2, author = {MalGamy}, title = {{YARA rule for Vohuk ransomware}}, date = {2022-12-12}, organization = {Github (MalGamy)}, url = {https://github.com/MalGamy/YARA_Rules/blob/main/vohuk.yara}, language = {English}, urldate = {2022-12-12} } @online{malgamy:20221225:detect:d6f4256, author = {MalGamy}, title = {{Detect Nokoyawa ransomware With YARA Rule}}, date = {2022-12-25}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/Nokoyawa/}, language = {English}, urldate = {2022-12-29} } @online{malgamy:20221225:yara:138a03b, author = {MalGamy}, title = {{yara}}, date = {2022-12-25}, organization = {Github (MalGamy)}, url = {https://github.com/MalGamy/YARA_Rules/blob/main/Nokoyawa.yara}, language = {English}, urldate = {2022-12-29} } @online{malgamy:20230207:approach:ef67110, author = {MalGamy}, title = {{The Approach of TA413 for Tibetan Targets}}, date = {2023-02-07}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage}, language = {English}, urldate = {2023-02-09} } @online{malhotra:20200220:obliquerat:588aa08, author = {Asheer Malhotra}, title = {{ObliqueRAT: New RAT hits victims' endpoints via malicious documents}}, date = {2020-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html}, language = {English}, urldate = {2020-02-25} } @online{malhotra:20200413:how:6ea81f8, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I}}, date = {2020-04-13}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/}, language = {English}, urldate = {2020-04-15} } @online{malhotra:20200415:how:6cfc199, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II}}, date = {2020-04-15}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/}, language = {English}, urldate = {2020-04-20} } @online{malhotra:20200622:indigodrop:6d5e7e1, author = {Asheer Malhotra}, title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}}, date = {2020-06-22}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html}, language = {English}, urldate = {2020-06-24} } @online{malhotra:20201112:crat:1761f4e, author = {Asheer Malhotra}, title = {{CRAT wants to plunder your endpoints}}, date = {2020-11-12}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/11/crat-and-plugins.html}, language = {English}, urldate = {2020-11-18} } @online{malhotra:20210302:obliquerat:f7504fa, author = {Asheer Malhotra}, title = {{ObliqueRAT returns with new campaign using hijacked websites}}, date = {2021-03-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html}, language = {English}, urldate = {2021-03-04} } @online{malhotra:20210513:transparent:9993964, author = {Asheer Malhotra and Justin Thattil and Kendall McKay}, title = {{Transparent Tribe APT expands its Windows malware arsenal}}, date = {2021-05-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html}, language = {English}, urldate = {2021-05-13} } @online{malhotra:20210626:modeflattener:49328fc, author = {Suraj Malhotra}, title = {{MODeflattener - Miasm's OLLVM Deflattener}}, date = {2021-06-26}, organization = {mrt4ntr4}, url = {https://mrt4ntr4.github.io/MODeflattener/}, language = {English}, urldate = {2021-07-02} } @online{malhotra:20210702:insidecopy:c85188c, author = {Asheer Malhotra and Justin Thattil}, title = {{InSideCopy: How this APT continues to evolve its arsenal}}, date = {2021-07-02}, organization = {Cisco}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388}, language = {English}, urldate = {2022-01-25} } @techreport{malhotra:20210707:insidecopy:107d438, author = {Asheer Malhotra and Justin Thattil}, title = {{InSideCopy: How this APT continues to evolve its arsenal}}, date = {2021-07-07}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf}, language = {English}, urldate = {2021-07-09} } @online{malhotra:20210707:insidecopy:ac5b778, author = {Asheer Malhotra and Justin Thattil}, title = {{InSideCopy: How this APT continues to evolve its arsenal (Network IOCs)}}, date = {2021-07-07}, organization = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479}, language = {English}, urldate = {2021-07-09} } @online{malhotra:20210707:insidecopy:e6b25bb, author = {Asheer Malhotra and Justin Thattil}, title = {{InSideCopy: How this APT continues to evolve its arsenal (IOCs)}}, date = {2021-07-07}, organization = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt}, language = {English}, urldate = {2021-07-09} } @online{malhotra:20210707:insidecopy:eca169d, author = {Asheer Malhotra and Justin Thattil}, title = {{InSideCopy: How this APT continues to evolve its arsenal}}, date = {2021-07-07}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2021/07/sidecopy.html}, language = {English}, urldate = {2021-07-08} } @online{malhotra:20210819:malicious:e04d4c9, author = {Asheer Malhotra and Vitor Ventura and Vanja Svajcer}, title = {{Malicious Campaign Targets Latin America: The seller, The operator and a curious link}}, date = {2021-08-19}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html}, language = {English}, urldate = {2021-08-30} } @online{malhotra:20210923:operation:056c76c, author = {Asheer Malhotra and Vanja Svajcer and Justin Thattil}, title = {{Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs}}, date = {2021-09-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html}, language = {English}, urldate = {2021-10-05} } @online{malhotra:20211019:malicious:6889662, author = {Asheer Malhotra}, title = {{Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India}}, date = {2021-10-19}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html}, language = {English}, urldate = {2021-11-02} } @online{malhotra:20220131:iranian:8eb6c17, author = {Asheer Malhotra and Vitor Ventura}, title = {{Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables}}, date = {2022-01-31}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html}, language = {English}, urldate = {2022-02-02} } @online{malhotra:20220202:arid:420217a, author = {Asheer Malhotra and Vitor Ventura}, title = {{Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware}}, date = {2022-02-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html}, language = {English}, urldate = {2022-02-04} } @online{malhotra:20220329:transparent:dcf66a7, author = {Asheer Malhotra and Justin Thattil and Kendall McKay}, title = {{Transparent Tribe campaign uses new bespoke malware to target Indian government officials}}, date = {2022-03-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1}, language = {English}, urldate = {2022-03-30} } @online{malhotra:20220802:manjusaka:706c14a, author = {Asheer Malhotra and Vitor Ventura}, title = {{Manjusaka: A Chinese sibling of Sliver and Cobalt Strike}}, date = {2022-08-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html}, language = {English}, urldate = {2022-08-02} } @online{malhotra:20220915:gamaredon:e8a0cbc, author = {Asheer Malhotra and Guilherme Venere}, title = {{Gamaredon APT targets Ukrainian government agencies in new campaign}}, date = {2022-09-15}, organization = {Talos}, url = {https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html}, language = {English}, urldate = {2022-09-19} } @online{malhotra:20230314:talos:f709c24, author = {Asheer Malhotra and Vitor Ventura}, title = {{Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency}}, date = {2023-03-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/}, language = {English}, urldate = {2023-03-20} } @online{malhotra:20230525:its:a79abe4, author = {Asheer Malhotra}, title = {{it’s all Magic(RAT) – A look into recent North Korean nation-state attacks}}, date = {2023-05-25}, organization = {YouTube (BSidesCharm)}, url = {https://www.youtube.com/watch?v=nUjxH1gW53s}, language = {English}, urldate = {2023-08-28} } @online{malhotra:20230824:lazarus:094409b, author = {Asheer Malhotra and Vitor Ventura and Jungsoo An}, title = {{Lazarus Group's infrastructure reuse leads to discovery of new malware}}, date = {2023-08-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/lazarus-collectionrat/}, language = {English}, urldate = {2023-08-28} } @online{malhotra:20230824:lazarus:f5c3c14, author = {Asheer Malhotra and Vitor Ventura and Jungsoo An}, title = {{Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT}}, date = {2023-08-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/lazarus-quiterat/}, language = {English}, urldate = {2023-08-25} } @online{malhotra:20230919:new:a39af36, author = {Asheer Malhotra and Caitlin Huey and Sean Taylor and Vitor Ventura and Arnaud Zobec}, title = {{New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants}}, date = {2023-09-19}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/introducing-shrouded-snooper/}, language = {English}, urldate = {2023-09-20} } @online{malhotra:20231025:kazakhstanassociated:5ed7b93, author = {Asheer Malhotra and Vitor Ventura}, title = {{Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan}}, date = {2023-10-25}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/attributing-yorotrooper/}, language = {English}, urldate = {2023-12-04} } @online{malhotra:20240215:tinyturla:34090fa, author = {Asheer Malhotra and Holger Unterbrink and Vitor Ventura and Arnaud Zobec}, title = {{TinyTurla Next Generation - Turla APT spies on Polish NGOs}}, date = {2024-02-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/tinyturla-next-generation/}, language = {English}, urldate = {2024-02-16} } @online{malhotra:20240530:lilacsquid:6a33ce8, author = {Asheer Malhotra}, title = {{LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader}}, date = {2024-05-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/lilacsquid/}, language = {English}, urldate = {2024-10-09} } @online{malhotra:20240821:moonpeak:1ea98ba, author = {Asheer Malhotra and Guilherme Venere and Vitor Ventura}, title = {{MoonPeak malware from North Korean actors unveils new details on attacker infrastructure}}, date = {2024-08-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/}, language = {English}, urldate = {2024-10-21} } @online{malhotra:20250320:uat5918:f2b1f7d, author = {Asheer Malhotra and Brandon White and Jungsoo An and Vitor Ventura}, title = {{UAT-5918 targets critical infrastructure entities in Taiwan}}, date = {2025-03-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/}, language = {English}, urldate = {2025-06-24} } @online{malhotra:20250522:uat6382:cc7c12c, author = {Asheer Malhotra and Brandon White}, title = {{UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware}}, date = {2025-05-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/}, language = {English}, urldate = {2025-05-26} } @online{malihi:20231101:redline:07a33c0, author = {Idan Malihi}, title = {{RedLine Stealer Malware Analysis}}, date = {2023-11-01}, url = {https://medium.com/@idan_malihi/redline-stealer-malware-analysis-76506ef723ab}, language = {English}, urldate = {2023-11-13} } @online{malihi:20240309:revealing:c44f4d3, author = {Idan Malihi}, title = {{Revealing the Abyss Ransomware}}, date = {2024-03-09}, url = {https://idanmalihi.com/revealing-the-abyss-ransomware/}, language = {English}, urldate = {2025-03-10} } @online{malihi:20240603:bibi:85c29e2, author = {Idan Malihi}, title = {{BiBi Wiper: A Malware Analysis Amidst the Israel-Hamas-ISIS Conflict}}, date = {2024-06-03}, organization = {Cyfox}, url = {https://idanmalihi.com/bibi-wiper-a-malware-analysis-amidst-the-israel-hamas-isis-conflict/}, language = {English}, urldate = {2024-12-16} } @online{malihi:202408:dissecting:83c37f0, author = {Idan Malihi}, title = {{Dissecting Agent Tesla: Unveiling Threat Vectors and Defense Mechanisms}}, date = {2024-08}, url = {https://idanmalihi.com/dissecting-agent-tesla-unveiling-threat-vectors-and-defense-mechanisms/}, language = {English}, urldate = {2025-03-10} } @online{malihi:20241026:eset:c2471dc, author = {Idan Malihi}, title = {{ESET Wiper: Iranian APT Group Toufan’s Politically Motivated Attack on Israeli Firms}}, date = {2024-10-26}, organization = {Cyfox}, url = {https://idanmalihi.com/eset-wiper-iranian-apt-group-toufans-politically-motivated-attack-on-israeli-firms/}, language = {English}, urldate = {2024-12-16} } @online{malihi:20250311:dragonforce:5028640, author = {Idan Malihi and Yaniv Azran}, title = {{DragonForce Ransomware: Unveiling Its Tactics and Impact}}, date = {2025-03-11}, organization = {Idan Malihi}, url = {https://idanmalihi.com/dragonforce-ransomware-unveiling-its-tactics-and-impact/}, language = {English}, urldate = {2025-03-12} } @online{malina:20200210:kbot:87338ae, author = {Anna Malina}, title = {{KBOT: sometimes they come back}}, date = {2020-02-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/kbot-sometimes-they-come-back/96157/}, language = {English}, urldate = {2020-02-25} } @online{malk:20170327:linux:2a57a66, author = {Michal Malík}, title = {{Tweet on Linux IRC Bot}}, date = {2017-03-27}, organization = {Twitter (@michalmalik)}, url = {https://twitter.com/michalmalik/status/846368624147353601}, language = {English}, urldate = {2020-01-13} } @online{malk:20210909:habitsrat:a156cf3, author = {Michal Malík}, title = {{Tweet on HabitsRAT for Linux}}, date = {2021-09-09}, organization = {Twitter(@michalmalik)}, url = {https://twitter.com/michalmalik/status/1435918937162715139}, language = {English}, urldate = {2021-09-10} } @online{malone:20201222:identifying:259fcd9, author = {Matt Malone and Adam Pennington}, title = {{Identifying UNC2452-Related Techniques for ATT&CK}}, date = {2020-12-22}, organization = {Medium mitre-attack}, url = {https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714}, language = {English}, urldate = {2020-12-23} } @online{malpedia:20091025:malpedia:6f22737, author = {Malpedia}, title = {{Malpedia IcyHeart Page (Placeholder)}}, date = {2009-10-25}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart}, language = {English}, urldate = {2020-03-19} } @online{malpedia:2018:family:7ea1bb3, author = {Malpedia}, title = {{Family Description: KleptoParasite Stealer}}, date = {2018}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer}, language = {English}, urldate = {2020-01-13} } @online{malpedia:20200114:family:940a88a, author = {Malpedia}, title = {{Family Page for GuLoader}}, date = {2020-01-14}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader}, language = {English}, urldate = {2020-01-14} } @online{malpedia:20200114:family:9f9eb7d, author = {Malpedia}, title = {{Family Page for FastLoader}}, date = {2020-01-14}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader}, language = {English}, urldate = {2020-01-14} } @online{malpedia:20200309:pyunidentified001:d3ca5d0, author = {Malpedia}, title = {{py.unidentified_001}}, date = {2020-03-09}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001}, language = {English}, urldate = {2020-03-11} } @online{malpedia:20200309:pyunidentified002:47cb3c0, author = {Malpedia}, title = {{py.unidentified_002}}, date = {2020-03-09}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002}, language = {English}, urldate = {2020-03-11} } @online{malpedia:20200309:pyunidentified003:9893d71, author = {Malpedia}, title = {{py.unidentified_003}}, date = {2020-03-09}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003}, language = {English}, urldate = {2020-03-11} } @online{malpedia:20200513:malpedia:bf0a6fb, author = {Malpedia}, title = {{Malpedia Family Page for Kiralock (Placeholder)}}, date = {2020-05-13}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.kiralock}, language = {English}, urldate = {2020-05-14} } @online{malpedia:20200515:dbatloader:e08eb1b, author = {Malpedia}, title = {{DBatLoader}}, date = {2020-05-15}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader}, language = {English}, urldate = {2020-05-18} } @online{malpedia:20210220:malpedia:db1282e, author = {Malpedia}, title = {{Malpedia Website for Malware Family Team TNT}}, date = {2021-02-20}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt}, language = {English}, urldate = {2021-03-12} } @online{malpedia:20210304:malpedia:b8ffad2, author = {Malpedia}, title = {{Malpedia Page for family Sidewinder}}, date = {2021-03-04}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder}, language = {English}, urldate = {2021-03-12} } @online{malpedia:20220407:malpedia:9d3108e, author = {Malpedia}, title = {{Malpedia Page for GraphSteel}}, date = {2022-04-07}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel}, language = {English}, urldate = {2022-05-05} } @online{maltego:20180719:forum:423247d, author = {Maltego}, title = {{Forum thread with announcement for Eredel Stealer}}, date = {2018-07-19}, organization = {Nulled.to Forums (Google webcache)}, url = {https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab}, language = {English}, urldate = {2020-01-15} } @online{malvica:20200202:uncovering:ec2d3da, author = {Matteo Malvica}, title = {{Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD}}, date = {2020-02-02}, organization = {uf0 Blog}, url = {https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/}, language = {English}, urldate = {2020-02-03} } @online{malvica:20220411:irqls:da9c191, author = {Matteo Malvica}, title = {{IRQLs Close Encounters of the Rootkit Kind}}, date = {2022-04-11}, organization = {Offensive Security}, url = {https://www.offensive-security.com/offsec/irqls-close-encounters/}, language = {English}, urldate = {2022-05-04} } @online{malware4all:20210504:grab:184a10a, author = {malware4all}, title = {{Grab your own copy of Phenakite iOS malware today}}, date = {2021-05-04}, organization = {malware4all}, url = {https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html}, language = {English}, urldate = {2021-05-12} } @online{malwarebreakdown:20170403:shadow:d023630, author = {MalwareBreakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader. Downloaded Neutrino Bot (AKA Kasidet).}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet}, language = {English}, urldate = {2019-07-10} } @online{malwarebreakdown:20171010:malvertising:657b019, author = {MalwareBreakdown}, title = {{Malvertising Campaign Uses RIG EK to Drop Quant Loader which Downloads FormBook.}}, date = {2017-10-10}, organization = {MalwareBreakdown}, url = {https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/}, language = {English}, urldate = {2019-11-29} } @online{malwarebreakdown:20171112:seamless:0a1c207, author = {MalwareBreakdown}, title = {{Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.}}, date = {2017-11-12}, url = {https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/}, language = {English}, urldate = {2019-12-17} } @online{malwarebreakdown:20180111:malspam:994cbfe, author = {MalwareBreakdown}, title = {{Malspam Entitled “Invoice attched for your reference” Delivers Agent Tesla Keylogger}}, date = {2018-01-11}, organization = {MalwareBreakdown}, url = {https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/}, language = {English}, urldate = {2019-11-29} } @online{malwarebytes:20170608:latentbot:9f46488, author = {Malwarebytes}, title = {{LatentBot piece by piece}}, date = {2017-06-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/}, language = {English}, urldate = {2019-11-16} } @online{malwarebytes:20210721:life:2751d60, author = {Malwarebytes}, title = {{The life and death of the ZeuS Trojan}}, date = {2021-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/}, language = {English}, urldate = {2021-07-22} } @techreport{malwarebytes:20221121:20221121:f4c6d35, author = {Malwarebytes}, title = {{2022-11-21 Threat Intel Report}}, date = {2022-11-21}, institution = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf}, language = {English}, urldate = {2022-11-25} } @online{malwarehunterteam:20161020:quasar:f530cea, author = {MalwareHunterTeam}, title = {{Tweet on Quasar RAT}}, date = {2016-10-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/789153556255342596}, language = {English}, urldate = {2019-07-11} } @online{malwarehunterteam:20161020:ransomware:6c23f80, author = {MalwareHunterTeam}, title = {{Tweet on Ransomware}}, date = {2016-10-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/789161704106127360}, language = {English}, urldate = {2020-01-06} } @online{malwarehunterteam:20161109:bandok:eddf860, author = {MalwareHunterTeam}, title = {{Tweet on Bandok}}, date = {2016-11-09}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/796425285197561856}, language = {English}, urldate = {2020-06-05} } @online{malwarehunterteam:20170921:malware:48bf254, author = {MalwareHunterTeam}, title = {{Tweet on Malware Sample}}, date = {2017-09-21}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/910952333084971008}, language = {English}, urldate = {2019-12-19} } @online{malwarehunterteam:20180323:rapid:31feb13, author = {MalwareHunterTeam}, title = {{Tweet on Rapid Ransomware 2.0}}, date = {2018-03-23}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/977275481765613569}, language = {English}, urldate = {2019-12-10} } @online{malwarehunterteam:20180529:aurora:867bacc, author = {MalwareHunterTeam}, title = {{Tweet on Aurora / OneKeyLocker Ransomware}}, date = {2018-05-29}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1001461507513880576}, language = {English}, urldate = {2020-03-02} } @online{malwarehunterteam:20190206:ransomware:af1a446, author = {MalwareHunterTeam}, title = {{Tweet on Ransomware Sample}}, date = {2019-02-06}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1093136163836174339}, language = {English}, urldate = {2020-01-13} } @online{malwarehunterteam:20190215:malware:2512b91, author = {MalwareHunterTeam}, title = {{Tweet on Malware Sample}}, date = {2019-02-15}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1096363455769202688}, language = {English}, urldate = {2019-11-29} } @online{malwarehunterteam:20200211:parallax:e157478, author = {MalwareHunterTeam}, title = {{Tweet on Parallax RAT}}, date = {2020-02-11}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1227196799997431809}, language = {English}, urldate = {2020-02-13} } @online{malwarehunterteam:20200413:xploitspy:2fd474f, author = {MalwareHunterTeam}, title = {{Tweet on XploitSPY}}, date = {2020-04-13}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1249768400806653952}, language = {English}, urldate = {2020-07-07} } @online{malwarehunterteam:20200415:spymax:4ac5dc7, author = {MalwareHunterTeam}, title = {{Tweet on SpyMax sample}}, date = {2020-04-15}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1250412485808717826}, language = {English}, urldate = {2020-07-07} } @online{malwarehunterteam:20200706:tweets:b223019, author = {MalwareHunterTeam and Lukáš Štefanko}, title = {{Tweets on Basbanke}}, date = {2020-07-06}, url = {https://twitter.com/LukasStefanko/status/1280243673100402690}, language = {English}, urldate = {2020-08-18} } @online{malwarehunterteam:20201028:about:c60b1d0, author = {MalwareHunterTeam}, title = {{Tweet about RegretLocker from MHT}}, date = {2020-10-28}, url = {https://twitter.com/malwrhunterteam/status/1321375502179905536}, language = {English}, urldate = {2020-11-04} } @online{malwarehunterteam:20201212:itg18:953bd6a, author = {MalwareHunterTeam}, title = {{Tweet on ITG18 android implant}}, date = {2020-12-12}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1337684036374945792}, language = {English}, urldate = {2021-08-23} } @online{malwarehunterteam:20210102:knot:66922b6, author = {MalwareHunterTeam}, title = {{Tweet on Knot Ransomware}}, date = {2021-01-02}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1345313324825780226}, language = {English}, urldate = {2021-01-04} } @online{malwarehunterteam:20210120:vovalex:2550f30, author = {MalwareHunterTeam}, title = {{Tweet on Vovalex ransomware}}, date = {2021-01-20}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1351808079164276736}, language = {English}, urldate = {2021-02-06} } @online{malwarehunterteam:20210211:one:7cecd47, author = {MalwareHunterTeam}, title = {{Tweet on one of the first Fedex-themed lures for FluBot}}, date = {2021-02-11}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1359939300238983172}, language = {English}, urldate = {2021-06-29} } @online{malwarehunterteam:20210825:hydravariant:6583196, author = {MalwareHunterTeam}, title = {{Tweet on Hydra-variant with Dutch ransom note}}, date = {2021-08-25}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1430616882231578624}, language = {English}, urldate = {2021-08-27} } @online{malwarehunterteam:20211228:ragnarlocker:0b54dec, author = {MalwareHunterTeam}, title = {{Tweet on RagnarLocker Linux variant}}, date = {2021-12-28}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1475568201673105409}, language = {English}, urldate = {2022-02-04} } @online{malwarehunterteam:20220112:with:460a754, author = {MalwareHunterTeam}, title = {{Tweet with original discovery of VajraSpy}}, date = {2022-01-12}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/1481312752782258176}, language = {English}, urldate = {2022-03-31} } @online{malwarehunterteam:20220811:bianlian:32ad6a5, author = {MalwareHunterTeam}, title = {{Tweet on BianLian Ransomware}}, date = {2022-08-11}, url = {https://twitter.com/malwrhunterteam/status/1558548947584548865}, language = {English}, urldate = {2022-09-30} } @online{malwarehunterteam:20230416:macos:d32010d, author = {MalwareHunterTeam}, title = {{Tweet on MacOS Lockbit sample}}, date = {2023-04-16}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1647384505550876675}, language = {English}, urldate = {2023-04-25} } @online{malwarehunterteam:20230808:about:3ebfd02, author = {MalwareHunterTeam}, title = {{Tweet about INC ransomware}}, date = {2023-08-08}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1689029459255373826}, language = {English}, urldate = {2024-01-03} } @online{malwarehunterteam:20230810:sample:41b581f, author = {MalwareHunterTeam}, title = {{Tweet on the sample discovery}}, date = {2023-08-10}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1689533484597952514}, language = {English}, urldate = {2023-08-11} } @online{malwarehunterteam:20231113:linux:f0f5f71, author = {MalwareHunterTeam}, title = {{Tweet on Linux version of Rhysida}}, date = {2023-11-13}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1724165711356993736}, language = {English}, urldate = {2023-11-14} } @online{malwarehunterteam:20231113:qilin:ebf1cb5, author = {MalwareHunterTeam}, title = {{Tweet on Qilin Linux Locker}}, date = {2023-11-13}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1724521714845937822}, language = {English}, urldate = {2023-12-04} } @online{malwareintelligence:20090711:special:df61090, author = {MalwareIntelligence}, title = {{Special!!! ZeuS Botnet for Dummies}}, date = {2009-07-11}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html}, language = {English}, urldate = {2020-01-07} } @online{malwareintelligence:20100315:new:d307b96, author = {MalwareIntelligence}, title = {{New phishing campaign against Facebook led by Zeus}}, date = {2010-03-15}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html}, language = {English}, urldate = {2020-01-07} } @online{malwarelu:20120722:xtreme:ada355e, author = {Malware.lu}, title = {{Xtreme RAT analysis}}, date = {2012-07-22}, organization = {Malware.lu}, url = {https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html}, language = {English}, urldate = {2020-01-08} } @online{malwaremustdie:20210926:interesting:9298c65, author = {malwaremustdie}, title = {{Tweet on Interesting way to hide hardcoded tcp/port of bindshell shellcode on OSX}}, date = {2021-09-26}, organization = {Twitter (@malwaremustd1e)}, url = {https://twitter.com/malwaremustd1e/status/1442016700384235524}, language = {English}, urldate = {2021-09-28} } @online{malwareninja:20110927:debugging:0033a33, author = {malwareninja}, title = {{Debugging Injected Code with IDA Pro}}, date = {2011-09-27}, url = {https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/}, language = {English}, urldate = {2019-08-07} } @online{malwarequinn:20210305:hafnium:b517725, author = {MalwareQuinn}, title = {{Hafnium Exchange Vuln Detection - KQL}}, date = {2021-03-05}, organization = {Pastebin (MALWAREQUINN)}, url = {https://pastebin.com/J4L3r2RS}, language = {English}, urldate = {2021-03-10} } @online{malwaretech:20130813:powerloader:9853b70, author = {MalwareTech}, title = {{PowerLoader Injection – Something truly amazing}}, date = {2013-08-13}, organization = {MalwareTech}, url = {https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html}, language = {English}, urldate = {2020-07-15} } @online{malwaretech:20140506:rovnix:737e795, author = {MalwareTech}, title = {{Rovnix new “evolution”}}, date = {2014-05-06}, organization = {MalwareTech}, url = {http://www.malwaretech.com/2014/05/rovnix-new-evolution.html}, language = {English}, urldate = {2020-01-08} } @online{malwaretech:20170513:how:1036ae2, author = {MalwareTech}, title = {{How to Accidentally Stop a Global Cyber Attacks}}, date = {2017-05-13}, organization = {MalwareTech}, url = {https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html}, language = {English}, urldate = {2019-11-25} } @online{malwatch:20200827:wintrojanagenttesla:8c6e4f6, author = {MalWatch}, title = {{Win.Trojan.AgentTesla - Malware analysis & threat intelligence report}}, date = {2020-08-27}, organization = {MalWatch}, url = {https://malwatch.github.io/posts/agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-08-28} } @online{malwation:20200908:malware:1814f92, author = {malwation}, title = {{Malware Config Extraction Diaries #1 – GuLoader}}, date = {2020-09-08}, organization = {MALWATION}, url = {https://malwation.com/malware-config-extraction-diaries-1-guloader/}, language = {English}, urldate = {2021-01-10} } @online{malwation:20210510:icedid:0637539, author = {malwation}, title = {{IcedID Malware Technical Analysis Report}}, date = {2021-05-10}, organization = {MALWATION}, url = {https://malwation.com/icedid-malware-technical-analysis-report/}, language = {English}, urldate = {2021-07-02} } @online{malwrhunterteam:20180322:first:1ac9c3a, author = {malwrhunterteam}, title = {{First Twitter thread on AVCrypt}}, date = {2018-03-22}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/976925447043846145}, language = {English}, urldate = {2022-11-15} } @online{malwrhunterteam:20180519:rapid:b25afd8, author = {malwrhunterteam}, title = {{Tweet on Rapid 2 ransomware}}, date = {2018-05-19}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/997748495888076800}, language = {English}, urldate = {2020-01-06} } @online{malwrhunterteam:20190115:israbye:a23a44b, author = {malwrhunterteam}, title = {{Tweet on Israbye}}, date = {2019-01-15}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1085162243795369984}, language = {English}, urldate = {2020-01-06} } @online{malwrhunterteam:20190211:vegalocker:2828b6f, author = {malwrhunterteam}, title = {{Tweet on VegaLocker}}, date = {2019-02-11}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1095024267459284992}, language = {English}, urldate = {2020-01-08} } @online{malwrhunterteam:20191212:dmr:dc8b2ad, author = {malwrhunterteam}, title = {{Tweet on DMR Ransomware}}, date = {2019-12-12}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1}, language = {English}, urldate = {2020-01-09} } @online{malwrhunterteam:20200109:bitpylock:17860f7, author = {malwrhunterteam}, title = {{Tweet on BitPyLock}}, date = {2020-01-09}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1215252402988822529}, language = {English}, urldate = {2020-01-13} } @online{malwrhunterteam:20211102:linux:df56e42, author = {malwrhunterteam}, title = {{Tweet on linux version of Hive Ransomware group's command to shut down ESXI VMs}}, date = {2021-11-02}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1455628865229950979}, language = {English}, urldate = {2021-11-17} } @online{malwrologist:20180328:multistage:0fade2d, author = {Malwrologist}, title = {{Multi-stage Powershell script (Brownies)}}, date = {2018-03-28}, url = {https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/}, language = {English}, urldate = {2020-01-08} } @online{malwrologist:20200407:malware:b0d12ef, author = {Malwrologist}, title = {{Malware Analysis in Action - Episode 2}}, date = {2020-04-07}, organization = {Youtube (DissectMalware)}, url = {https://www.youtube.com/watch?v=QBoj6GB79wM}, language = {English}, urldate = {2020-04-26} } @online{malyutin:2020:threat:0895d39, author = {Max Malyutin}, title = {{Threat Research Report: Clipbanker – 13 Second Attack}}, date = {2020}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/}, language = {English}, urldate = {2020-09-02} } @online{malyutin:20210630:shelob:1c93f5d, author = {Max Malyutin}, title = {{Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration}}, date = {2021-06-30}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/}, language = {English}, urldate = {2021-07-20} } @online{malyutin:20210927:virtual:cd72501, author = {Max Malyutin}, title = {{A Virtual Baffle to Battle Squirrelwaffle}}, date = {2021-09-27}, organization = {Cynet}, url = {https://www.cynet.com/understanding-squirrelwaffle/}, language = {English}, urldate = {2021-09-28} } @online{malyutin:20210928:how:139921e, author = {Max Malyutin}, title = {{Tweet on how to debug SquirrelWaffle}}, date = {2021-09-28}, organization = {Twitter (@Max_Mal_)}, url = {https://twitter.com/Max_Mal_/status/1442496131410190339}, language = {English}, urldate = {2021-09-28} } @online{malyutin:20211111:duck:897cc6f, author = {Max Malyutin}, title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}}, date = {2021-11-11}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/}, language = {English}, urldate = {2021-11-25} } @online{malyutin:20220224:new:014251e, author = {Max Malyutin}, title = {{New Wave of Emotet – When Project X Turns Into Y}}, date = {2022-02-24}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/}, language = {English}, urldate = {2022-05-04} } @online{malyutin:20220414:orion:9db6814, author = {Max Malyutin}, title = {{Orion Threat Alert: Flight of the BumbleBee}}, date = {2022-04-14}, organization = {Cynet}, url = {https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/}, language = {English}, urldate = {2022-05-04} } @online{malyutin:20221031:orion:49e3b5c, author = {Max Malyutin}, title = {{Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware}}, date = {2022-10-31}, organization = {Cynet}, url = {https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/}, language = {English}, urldate = {2022-11-15} } @online{mamedov:20171024:bad:3c21717, author = {Orkhan Mamedov and Fedor Sinitsyn and Anton Ivanov}, title = {{Bad Rabbit ransomware}}, date = {2017-10-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-rabbit-ransomware/82851/}, language = {English}, urldate = {2019-12-20} } @online{mamedov:20180813:keypass:154cf0f, author = {Orkhan Mamedov and Fedor Sinitsyn}, title = {{KeyPass ransomware}}, date = {2018-08-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/keypass-ransomware/87412/}, language = {English}, urldate = {2019-12-20} } @online{mamedov:20190703:sodin:74c101f, author = {Orkhan Mamedov and Artur Pakulov and Fedor Sinitsyn}, title = {{Sodin ransomware exploits Windows vulnerability and processor architecture}}, date = {2019-07-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/sodin-ransomware/91473/}, language = {English}, urldate = {2019-12-20} } @online{mammen:20210830:new:de3acd2, author = {Brock Mammen and Haozhe Zhang}, title = {{New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)}}, date = {2021-08-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/}, language = {English}, urldate = {2021-08-31} } @online{manager:2013:netsupport:f3fadef, author = {NetSupport Manager}, title = {{NetSupport Manager Website}}, date = {2013}, organization = {NetSupport Manager}, url = {http://www.netsupportmanager.com/index.asp}, language = {English}, urldate = {2020-01-07} } @online{manager:20180110:analysis:3a5fe83, author = {Tencent Computer Manager}, title = {{Analysis of BlackTech's latest APT attack}}, date = {2018-01-10}, organization = {Freebuf}, url = {http://www.freebuf.com/column/159865.html}, language = {English}, urldate = {2020-01-08} } @online{manahan:20130121:shylock:981b444, author = {Mark Joseph Manahan}, title = {{Shylock Not the Lone Threat Targeting Skype}}, date = {2013-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/}, language = {English}, urldate = {2020-01-13} } @online{manaster:20220322:analyzing:908d98b, author = {Cole Manaster and Pierson Clair}, title = {{Analyzing Exmatter: A Ransomware Data Exfiltration Tool}}, date = {2022-03-22}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool}, language = {English}, urldate = {2022-04-29} } @online{manaster:20220527:emotet:77000c1, author = {Cole Manaster and George Glass and Elio Biasiotto}, title = {{Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20}}, date = {2022-05-27}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain}, language = {English}, urldate = {2022-05-31} } @online{mandia:20201208:fireeye:6def127, author = {Kevin Mandia}, title = {{FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community}}, date = {2020-12-08}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html}, language = {English}, urldate = {2020-12-09} } @online{mandia:20201213:global:fe25276, author = {Kevin Mandia}, title = {{Global Intrusion Campaign Leverages Software Supply Chain Compromise}}, date = {2020-12-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html}, language = {English}, urldate = {2020-12-15} } @online{mandiant:20130220:1:7fa9646, author = {Mandiant}, title = {{APT 1 Malware Arsenal Technical Annex}}, date = {2013-02-20}, organization = {FireEye}, url = {https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal}, language = {Mandiant}, urldate = {2020-01-08} } @techreport{mandiant:2018:apt1:b76cc4d, author = {Mandiant}, title = {{APT1}}, date = {2018}, institution = {Mandiant}, url = {https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{mandiant:20200729:ghostwriter:c81a10a, author = {Mandiant}, title = {{‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned with Russian Security Interests}}, date = {2020-07-29}, institution = {Mandiant}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/Ghostwriter-Influence-Campaign.pdf}, language = {English}, urldate = {2020-07-30} } @online{mandiant:20210902:advanced:5263576, author = {Mandiant}, title = {{Advanced Persistent Threats (APTs)}}, date = {2021-09-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/apt-groups#apt19}, language = {English}, urldate = {2022-07-25} } @online{mandiant:2021:mtrends:4d981a4, author = {Mandiant}, title = {{M-TRENDS 2021}}, date = {2021}, organization = {Mandiant}, url = {https://www.mandiant.com/media/10916/download}, language = {English}, urldate = {2021-11-02} } @online{mandiant:20220226:trending:a445d4a, author = {Mandiant}, title = {{TRENDING EVIL Q1 2022}}, date = {2022-02-26}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil/p/1}, language = {English}, urldate = {2022-03-14} } @online{mandiant:20220313:apt41:988051c, author = {Mandiant}, title = {{APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation}}, date = {2022-03-13}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation}, language = {English}, urldate = {2022-08-30} } @online{mandiant:20220422:fin7:6cfc5d9, author = {Mandiant}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-22}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/evolution-of-fin7}, language = {English}, urldate = {2023-12-12} } @online{mandiant:20220427:assembling:a7068b9, author = {Mandiant}, title = {{Assembling the Russian Nesting Doll: UNC2452 Merged into APT29}}, date = {2022-04-27}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2452-merged-into-apt29}, language = {English}, urldate = {2022-04-29} } @online{mandiant:20220602:trending:0bcdbc4, author = {Mandiant}, title = {{TRENDING EVIL Q2 2022}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil-2/p/1}, language = {English}, urldate = {2022-06-07} } @online{mandiant:20220804:advanced:afb8956, author = {Mandiant}, title = {{Advanced Persistent Threats (APTs)}}, date = {2022-08-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/insights/apt-groups}, language = {English}, urldate = {2022-08-30} } @online{mandiant:20221215:trojanized:07a1d55, author = {Mandiant}, title = {{Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government}}, date = {2022-12-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government}, language = {English}, urldate = {2022-12-20} } @online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } @techreport{mandiant:20230420:mtrends:331f5da, author = {Mandiant}, title = {{M-Trends 2023 Mandiant Special Report}}, date = {2023-04-20}, institution = {Mandiant}, url = {https://services.google.com/fh/files/misc/m_trends_2023_report.pdf}, language = {English}, urldate = {2025-03-05} } @online{mandiant:20230613:vmware:cca5f88, author = {Mandiant}, title = {{VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors}}, date = {2023-06-13}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass}, language = {English}, urldate = {2024-06-24} } @online{mandiant:20230630:barracuda:77a19ad, author = {Mandiant}, title = {{Barracuda ESG: CVE-2023-2868 Hardening Recommendations}}, date = {2023-06-30}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening}, language = {English}, urldate = {2025-01-27} } @online{mandiant:20240119:chinese:7d86bce, author = {Mandiant}, title = {{Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021}}, date = {2024-01-19}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/}, language = {English}, urldate = {2024-06-24} } @techreport{mandiant:20240422:mtrends:21b3f10, author = {Mandiant}, title = {{M-Trends 2024 Special Report}}, date = {2024-04-22}, institution = {Mandiant}, url = {https://services.google.com/fh/files/misc/m-trends-2024.pdf}, language = {English}, urldate = {2025-03-05} } @techreport{mandiant:20240508:mtrends:42bbf6a, author = {Mandiant}, title = {{M-Trends 2024 Special Report: Chinese Espionage Operations Targeting The Visibility Gap}}, date = {2024-05-08}, institution = {Mandiant}, url = {https://services.google.com/fh/files/misc/01-chinese-espionage-article-m-trends-2024.pdf}, language = {English}, urldate = {2024-11-17} } @online{mandiant:20240610:unc5537:9f20515, author = {Mandiant}, title = {{UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion}}, date = {2024-06-10}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion}, language = {English}, urldate = {2024-12-11} } @online{mandiant:20240618:cloaked:24d583e, author = {Mandiant}, title = {{Cloaked and Covert: Uncovering UNC3886 Espionage Operations}}, date = {2024-06-18}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations}, language = {English}, urldate = {2024-06-24} } @online{mandiant:20240917:offer:a36352e, author = {Mandiant}, title = {{An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader}}, date = {2024-09-17}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader?hl=en}, language = {English}, urldate = {2025-01-15} } @online{mandiant:20241024:investigating:e11a2b4, author = {Mandiant and Foti Castelan and Max Thauer and JP Glab and Gabby Roncone and Tufail Ahmed and Jared Wilson}, title = {{Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)}}, date = {2024-10-24}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575}, language = {English}, urldate = {2024-10-29} } @techreport{mandiant:20250424:mtrends:a796859, author = {Mandiant}, title = {{M-Trends 2025 Report}}, date = {2025-04-24}, institution = {Mandiant}, url = {https://services.google.com/fh/files/misc/m-trends-2025-en.pdf}, language = {English}, urldate = {2025-04-28} } @online{mandiant:20250506:defending:29e2bfe, author = {Mandiant}, title = {{Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines}}, date = {2025-05-06}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations}, language = {English}, urldate = {2025-05-20} } @online{mandiant:20250506:defending:9eda4b9, author = {Mandiant}, title = {{Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines}}, date = {2025-05-06}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations}, language = {English}, urldate = {2025-05-20} } @online{mane:20190924:quick:dc2dbb3, author = {Digvijay Mane}, title = {{Quick Heal reports 29 malicious apps with 10 million+ downloads on Google Play Store}}, date = {2019-09-24}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/quick-heal-reports-29-malicious-apps-10-million-downloads-google-play-store/}, language = {English}, urldate = {2025-06-13} } @online{mane:20210122:stay:6ba5915, author = {Digvijay Mane}, title = {{Stay Alert, Joker still making its way on Google Play Store!}}, date = {2021-01-22}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/stay-alert-joker-still-making-its-way-on-google-play-store/}, language = {English}, urldate = {2025-06-13} } @online{mane:20210512:nefilim:c8ef990, author = {Bajrang Mane}, title = {{Nefilim Ransomware}}, date = {2021-05-12}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware}, language = {English}, urldate = {2021-05-13} } @online{mane:20210611:google:770e1c1, author = {Digvijay Mane}, title = {{Google Play store applications laced with Joker malware yet again}}, date = {2021-06-11}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/google-play-store-applications-laced-with-joker-malware-yet-again/}, language = {English}, urldate = {2025-06-13} } @online{mane:20220117:chaos:911b0fa, author = {Bajrang Mane}, title = {{The Chaos Ransomware Can Be Ravaging}}, date = {2022-01-17}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging}, language = {English}, urldate = {2022-02-04} } @online{mane:20220314:stay:4e11090, author = {Digvijay Mane}, title = {{Stay Alert of Facebook Credential Stealer Applications Stealing User’s Credentials.}}, date = {2022-03-14}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials/}, language = {English}, urldate = {2025-06-13} } @online{mane:20220728:autolaunching:72e3915, author = {Digvijay Mane}, title = {{Auto-launching HiddAd on Google Play Store found in more than 6 million downloads}}, date = {2022-07-28}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/auto-launching-hiddad-on-google-play-store-found-in-more-than-6-million-downloads/}, language = {English}, urldate = {2025-06-13} } @online{mane:20221223:protect:90f5918, author = {Digvijay Mane}, title = {{Protect yourself from Vishing Attack!!}}, date = {2022-12-23}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/protect-yourself-from-vishing-attack/}, language = {English}, urldate = {2025-06-13} } @online{mane:20230830:battling:30bd38c, author = {Digvijay Mane}, title = {{Battling the Death Trap of Malicious Loan Apps}}, date = {2023-08-30}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/battling-the-death-trap-of-malicious-loan-apps/}, language = {English}, urldate = {2025-06-13} } @online{mane:20240123:popup:6b97752, author = {Digvijay Mane}, title = {{Pop-up Ad Alert! Beware of Unrealistic Claims on your Smartphones}}, date = {2024-01-23}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/pop-up-ad-alert-beware-of-unrealistic-claims-on-your-smartphones/}, language = {English}, urldate = {2025-06-13} } @online{mane:20240322:beware:5239afb, author = {Digvijay Mane}, title = {{Beware: Malicious Android Malware Disguised as Government Alerts.}}, date = {2024-03-22}, url = {https://blogs.quickheal.com/beware-malicious-android-malware-disguised-as-government-alerts/}, language = {English}, urldate = {2025-06-13} } @online{mane:20240910:rise:61da271, author = {Digvijay Mane}, title = {{The Rise in APK Malware via WhatsApp – Exploiting Trust and Urgency}}, date = {2024-09-10}, url = {https://www.quickheal.co.in/knowledge-centre/rising-apk-malware-via-whatsapp/?srsltid=AfmBOooT9fc1iydav1HEYWWOA-mAsYbWHt994gFWsOhkxpq2YytxdIG4}, language = {English}, urldate = {2025-06-13} } @online{mane:20250409:beware:73863d9, author = {Digvijay Mane}, title = {{Beware! Fake ‘NextGen mParivahan’ Malware Returns with Enhanced Stealth and Data Theft}}, date = {2025-04-09}, url = {https://www.seqrite.com/blog/beware-fake-nextgen-mparivahan-malware-returns-with-enhanced-stealth-and-data-theft/}, language = {English}, urldate = {2025-06-13} } @online{maniar:20200808:phirautee:7ce9bc0, author = {Viral Maniar}, title = {{Phirautee - DEFCON28 - Writing Ransomware using Living off the Land (LotL) Tactics}}, date = {2020-08-08}, organization = {Speakerdeck (Viralmaniar)}, url = {https://speakerdeck.com/viralmaniar/phirautee-defcon28-writing-ransomware-using-living-off-the-land-lotl-tactics}, language = {English}, urldate = {2021-05-08} } @techreport{manky:20220223:global:e523054, author = {Derek Manky}, title = {{Global Threat Landscape Report A Semiannual Report by FortiGuard Labs}}, date = {2022-02-23}, institution = {Fortinet}, url = {https://www.fortinet.com/content/dam/maindam/PUBLIC/02_MARKETING/08_Report/report-q1-2022-threat%20landscape.pdf}, language = {English}, urldate = {2022-03-08} } @online{mann:20220909:lampion:daaabc4, author = {Andy Mann and Dylan Main}, title = {{Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing}}, date = {2022-09-09}, organization = {Cofense}, url = {https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing}, language = {English}, urldate = {2022-09-13} } @online{mannar:20240911:akira:03b4d47, author = {T B L N Shashank Mannar}, title = {{Akira Ransomware: The Evolution of a Major Threat}}, date = {2024-09-11}, organization = {loginsoft}, url = {https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat}, language = {English}, urldate = {2024-09-26} } @online{mannar:20240918:medusa:be36bfd, author = {T B L N Shashank Mannar}, title = {{Medusa Ransomware: Evolving Tactics in Modern Cyber Extortion}}, date = {2024-09-18}, organization = {loginsoft}, url = {https://www.loginsoft.com/post/medusa-ransomware-evolving-tactics-in-modern-cyber-extortion}, language = {English}, urldate = {2024-09-26} } @online{mannon:20130918:new:378691a, author = {Chris Mannon and Sachin Deodhar}, title = {{A New Wave Of WIN32/CAPHAW Attacks - A ThreatLabZ Analysis}}, date = {2013-09-18}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis}, language = {English}, urldate = {2022-12-15} } @online{mannon:20150311:malvertising:8a04865, author = {Chris Mannon}, title = {{Malvertising Targeting European Transit Users}}, date = {2015-03-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users}, language = {English}, urldate = {2019-10-14} } @online{manocha:20220831:ryuk:478c7d7, author = {Hardik Manocha}, title = {{Ryuk Ransomware: History, Timeline, And Adversary Simulation}}, date = {2022-08-31}, organization = {Fourcore}, url = {https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp}, language = {English}, urldate = {2022-09-13} } @online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } @online{mansfield:20221205:popularity:9c1ed9c, author = {Paul Mansfield and Thomas Willkan}, title = {{Popularity spikes for information stealer malware on the dark web}}, date = {2022-12-05}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web}, language = {English}, urldate = {2023-04-28} } @online{mantri:20200708:operation:bee5008, author = {Kalpesh Mantri}, title = {{Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India}}, date = {2020-07-08}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/}, language = {English}, urldate = {2020-07-13} } @techreport{mantri:20200923:operation:1bb33e6, author = {Kalpesh Mantri and Pawan CHaudhari and Goutam Tripathy}, title = {{Operation SideCopy: An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for years}}, date = {2020-09-23}, institution = {Seqrite}, url = {https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf}, language = {English}, urldate = {2020-09-25} } @online{mantri:20200923:operation:7e7788f, author = {Kalpesh Mantri}, title = {{Operation SideCopy!}}, date = {2020-09-23}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-sidecopy/}, language = {English}, urldate = {2022-01-10} } @online{manuel:20110902:zeus:cd9266e, author = {Jasper Manuel}, title = {{ZeuS Gets Another Update}}, date = {2011-09-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/}, language = {English}, urldate = {2019-10-28} } @online{manuel:20170405:indepth:8481b41, author = {Jasper Manuel and Artem Semenchenko}, title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2}}, date = {2017-04-05}, organization = {Fortninet}, url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2}, language = {English}, urldate = {2019-10-13} } @online{manuel:20170405:indepth:f5fe3b5, author = {Jasper Manuel and Artem Semenchenko}, title = {{In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1}}, date = {2017-04-05}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1}, language = {English}, urldate = {2020-01-06} } @online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } @online{manuel:20170905:rehashed:c3d5a4c, author = {Jasper Manuel and Artem Semenchenko}, title = {{Rehashed RAT Used in APT Campaign Against Vietnamese Organizations}}, date = {2017-09-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations}, language = {English}, urldate = {2019-10-23} } @online{manuel:20180416:searching:2fd67ee, author = {Jasper Manuel}, title = {{Searching for the Reuse of Mirai Code: Hide ‘N Seek Bot}}, date = {2018-04-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html}, language = {English}, urldate = {2020-01-08} } @online{manuel:20180708:hussarini:ce47cdc, author = {Jasper Manuel and Rommel Joven}, title = {{Hussarini – Targeted Cyber Attack in the Philippines}}, date = {2018-07-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html}, language = {English}, urldate = {2019-10-17} } @online{manuel:20190710:loocipher:279c185, author = {Jasper Manuel}, title = {{LooCipher: Can Encrypted Files Be Recovered From Hell?}}, date = {2019-07-10}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html}, language = {English}, urldate = {2023-09-11} } @online{maor:20140711:father:7c022b3, author = {Etay Maor}, title = {{The Father of Zeus: Kronos Malware Discovered}}, date = {2014-07-11}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/}, language = {English}, urldate = {2020-01-09} } @online{maor:20200116:downloader:f60aa07, author = {Maor}, title = {{Tweet on Downloader}}, date = {2020-01-16}, organization = {Twitter (@M11Sec)}, url = {https://twitter.com/M11Sec/status/1217781224204357633}, language = {English}, urldate = {2020-01-20} } @online{marc:20200925:turla:06db824, author = {Marc}, title = {{Turla Carbon System}}, date = {2020-09-25}, organization = {Github (sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon}, language = {English}, urldate = {2020-10-02} } @techreport{marcelli:20220222:how:75eb4eb, author = {Andrea Marcelli and Mariano Graziano and Xabier Ugarte-Pedrero and Yanick Fratantonio and Mohamad Mansouri and Davide Balzarotti}, title = {{How Machine Learning Is Solving the Binary Function Similarity Problem}}, date = {2022-02-22}, institution = {USENIX}, url = {https://www.usenix.org/system/files/sec22fall_marcelli.pdf}, language = {English}, urldate = {2022-05-05} } @online{marcos:20150122:new:1fdb830, author = {Michael Marcos}, title = {{New RATs Emerge from Leaked Njw0rm Source Code}}, date = {2015-01-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/}, language = {English}, urldate = {2019-12-17} } @online{marczak:20160529:keep:8f48d9e, author = {Bill Marczak and John Scott-Railton}, title = {{Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents}}, date = {2016-05-29}, organization = {CitizenLab}, url = {https://citizenlab.ca/2016/05/stealth-falcon/}, language = {English}, urldate = {2020-04-06} } @online{marczak:20171206:champing:4cb4525, author = {Bill Marczak and Geoffrey Alexander and Sarah McKune and John Scott-Railton and Ron Deibert}, title = {{Champing at the Cyberbit Ethiopian Dissidents Targeted with New Commercial Spyware}}, date = {2017-12-06}, organization = {The Citizen Lab}, url = {https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/}, language = {English}, urldate = {2019-11-23} } @online{marczak:20180309:sandvines:14ef912, author = {Bill Marczak and Jakub Dalek and Sarah McKune and Adam Senft and John Scott-Railton and Ron Deibert}, title = {{Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?}}, date = {2018-03-09}, url = {https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/}, language = {English}, urldate = {2020-01-05} } @online{marczak:20180918:hide:2c8e5f5, author = {Bill Marczak and John Scott-Railton and Sarah McKune and Bahr Abdul Razzak and Ron Deibert}, title = {{Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries}}, date = {2018-09-18}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/}, language = {English}, urldate = {2019-11-21} } @online{marczak:20190924:missing:95ad19a, author = {Bill Marczak and Adam Hulcoop and Etienne Maynier and Bahr Abdul Razzak and Masashi Crete-Nishihata and John Scott-Railton and and Ron Deibert}, title = {{Missing Link Tibetan Groups Targeted with 1-Click Mobile Exploits}}, date = {2019-09-24}, organization = {The Citizen Lab}, url = {https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/}, language = {English}, urldate = {2019-12-20} } @online{marczak:20200128:stopping:cda3173, author = {Bill Marczak and Siena Anstis and Masashi Crete-Nishihata and John Scott-Railton and Ron Deibert}, title = {{Stopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator}}, date = {2020-01-28}, organization = {CitizenLab}, url = {https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/}, language = {English}, urldate = {2020-01-28} } @online{marczak:20201201:running:d233962, author = {Bill Marczak and John Scott-Railton and Siddharth Prakash Rao and Siena Anstis and Ron Deibert}, title = {{Running in Circles Uncovering the Clients of Cyberespionage Firm Circles}}, date = {2020-12-01}, organization = {CitizenLab}, url = {https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/}, language = {English}, urldate = {2020-12-08} } @online{marczak:20201220:great:b1e1f98, author = {Bill Marczak and John Scott-Railton and Noura Al-Jizawi and Siena Anstis and Ron Deibert}, title = {{The Great iPwn Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit}}, date = {2020-12-20}, organization = {CitizenLab}, url = {https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/}, language = {English}, urldate = {2022-01-24} } @online{marczak:20210715:hooking:7f3adbe, author = {Bill Marczak and John Scott-Railton and Kristin Berdan and Bahr Abdul Razzak and Ron Deibert}, title = {{Hooking Candiru Another Mercenary Spyware Vendor Comes into Focus}}, date = {2021-07-15}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/}, language = {English}, urldate = {2021-07-20} } @online{marczak:20210718:independent:f943436, author = {Bill Marczak and John Scott-Railton and Siena Anstis and Ron Deibert}, title = {{Independent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware}}, date = {2021-07-18}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/07/amnesty-peer-review/}, language = {English}, urldate = {2021-07-21} } @online{marczak:20210718:twitter:d1f4dfe, author = {Bill Marczak}, title = {{Twitter thread with a couple of interesting bits from AmnestyTech's new report on Pegasus}}, date = {2021-07-18}, organization = {Twitter (@billmarczak)}, url = {https://twitter.com/billmarczak/status/1416801439402262529}, language = {English}, urldate = {2021-07-24} } @online{marczak:20210824:from:6363bde, author = {Bill Marczak and Ali Abdulemam and Noura Al-Jizawi and Siena Anstis and Kristin Berdan and John Scott-Railton and Ron Deibert}, title = {{From Pearl to Pegasus Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits}}, date = {2021-08-24}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/}, language = {English}, urldate = {2021-08-24} } @online{marczak:20210913:forcedentry:7427f45, author = {Bill Marczak and John Scott-Railton and Bahr Abdul Razzak and Noura Al-Jizawi and Siena Anstis and Kristin Berdan and Ron Deibert}, title = {{FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild (CVE-2021-30860)}}, date = {2021-09-13}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/}, language = {English}, urldate = {2021-09-14} } @online{marczak:20211024:breaking:26acce3, author = {Bill Marczak and John Scott-Railton and Siena Anstis and Bahr Abdul Razzak and Ron Deibert}, title = {{Breaking the News New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts}}, date = {2021-10-24}, organization = {CitizenLab}, url = {https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/}, language = {English}, urldate = {2021-11-02} } @online{marczak:20230411:sweet:cc99ea2, author = {Bill Marczak and John Scott-Railton and Astrid Perry and Noura Al-Jizawi and Siena Anstis and Zoe Panday and Emma Lyon and Bahr Abdul Razzak and Ron Deibert}, title = {{Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers}}, date = {2023-04-11}, organization = {CitizenLab}, url = {https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/}, language = {English}, urldate = {2024-02-08} } @online{marczak:20230418:triple:c523e60, author = {Bill Marczak and John Scott-Railton and Bahr Abdul Razzak and Ron Deibert}, title = {{Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains}}, date = {2023-04-18}, organization = {CitizenLab}, url = {https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/}, language = {English}, urldate = {2023-04-18} } @online{marczak:20250612:graphite:ced4567, author = {Bill Marczak and John Scott-Railton}, title = {{Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted}}, date = {2025-06-12}, organization = {CitizenLab}, url = {https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/}, language = {English}, urldate = {2025-06-20} } @online{marelus:20220224:new:dc2f291, author = {Moshe Marelus}, title = {{New Malware Capable of Controlling Social Media Accounts Infects 5,000+ Machines and is actively being Distributed via Gaming Applications on Microsoft’s Official Store}}, date = {2022-02-24}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/}, language = {English}, urldate = {2022-03-01} } @online{marelus:20220829:check:4b8b83f, author = {Moshe Marelus}, title = {{Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications}}, date = {2022-08-29}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications}, language = {English}, urldate = {2022-08-31} } @online{margolin:20220516:new:41ff816, author = {Hagar Margolin}, title = {{New Ransomware Group: RansomHouse – Is it Real or Fake?}}, date = {2022-05-16}, organization = {Webz.io}, url = {https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/}, language = {English}, urldate = {2022-05-25} } @online{marinho:20170829:second:582ba7f, author = {Renato Marinho}, title = {{Second Google Chrome Extension Banker Malware in Two Weeks}}, date = {2017-08-29}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/22766}, language = {English}, urldate = {2020-01-08} } @online{marinho:20170926:xpctra:f648aa4, author = {Renato Marinho}, title = {{XPCTRA Malware Steals Banking and Digital Wallet User's Credentials}}, date = {2017-09-26}, organization = {ISC}, url = {https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/}, language = {English}, urldate = {2019-11-26} } @online{marinho:20171206:exploring:f4a89fa, author = {Renato Marinho and Raimir Holanda}, title = {{Exploring a P2P Transient Botnet - From Discovery to Enumeration}}, date = {2017-12-06}, organization = {Botconf}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22}, language = {English}, urldate = {2020-01-09} } @online{marinho:20200531:guildma:0cad27c, author = {Renato Marinho}, title = {{Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses}}, date = {2020-05-31}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27482}, language = {English}, urldate = {2021-06-09} } @online{marinho:20201103:attackers:9b3762b, author = {Renato Marinho}, title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}}, date = {2020-11-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26752}, language = {English}, urldate = {2020-11-06} } @online{marinho:20211228:attackers:48320eb, author = {Renato Marinho}, title = {{Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons}}, date = {2021-12-28}, organization = {Morphus Labs}, url = {https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42}, language = {English}, urldate = {2021-12-31} } @online{marinho:20220613:translating:633e46a, author = {Renato Marinho}, title = {{Translating Saitama's DNS tunneling messages}}, date = {2022-06-13}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738}, language = {English}, urldate = {2022-06-16} } @online{mark:20190522:trickbot:277256b, author = {sneakymonk3y (Mark)}, title = {{TRICKBOT - Analysis}}, date = {2019-05-22}, url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/}, language = {English}, urldate = {2020-01-06} } @online{markus:20210205:exploits:3fbf70d, author = {Nadav Markus and Efi Barkayev and Gal De Leon}, title = {{Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)}}, date = {2021-02-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cve-2020-25213/}, language = {English}, urldate = {2021-02-09} } @online{marn:20190729:analysis:c32955f, author = {Alberto Marín}, title = {{An analysis of a spam distribution botnet: the inner workings of Onliner Spambot}}, date = {2019-07-29}, organization = {Blueliv}, url = {https://outpost24.com/blog/an-analysis-of-a-spam-distribution-botnet}, language = {English}, urldate = {2023-01-25} } @online{marn:20201214:using:e81621e, author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team}, title = {{Using Qiling Framework to Unpack TA505 packed samples}}, date = {2020-12-14}, organization = {Blueliv}, url = {https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/}, language = {English}, urldate = {2023-08-03} } @online{marn:20210507:indepth:1b9ec2f, author = {Alberto Marín}, title = {{An In-Depth analysis of the new Taurus Stealer}}, date = {2021-05-07}, organization = {Blueliv}, url = {https://outpost24.com/blog/an-in-depth-analysis-of-the-new-taurus-stealer/}, language = {English}, urldate = {2023-08-07} } @online{marn:20230405:everything:44474d9, author = {Alberto Marín}, title = {{Everything you need to know about the LummaC2 Stealer: Leveraging IDA Python and Unicorn to deobfuscate Windows API Hashing}}, date = {2023-04-05}, organization = {Outpost24}, url = {https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer}, language = {English}, urldate = {2023-04-12} } @online{marn:20231120:unveiling:5bde1c0, author = {Alberto Marín}, title = {{Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection}}, date = {2023-11-20}, organization = {Outpost24}, url = {https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/}, language = {English}, urldate = {2023-11-22} } @online{marquardt:20230825:darkgate:e063af0, author = {Fabian Marquardt}, title = {{DarkGate configuration extractor}}, date = {2023-08-25}, organization = {Github (telekom-security)}, url = {https://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py}, language = {English}, urldate = {2023-08-25} } @online{marquardt:20230825:shining:967cdac, author = {Fabian Marquardt}, title = {{Shining some light on the DarkGate loader}}, date = {2023-08-25}, organization = {Telekom}, url = {https://github.security.telekom.com/2023/08/darkgate-loader.html}, language = {English}, urldate = {2023-08-25} } @online{marques:20160331:evolution:90e1373, author = {Thiago Marques}, title = {{The evolution of Brazilian Malware}}, date = {2016-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat}, language = {English}, urldate = {2019-12-20} } @online{mars:20220406:wannahusky:0f8a9a7, author = {Mars}, title = {{WannaHusky Malware Analysis w/ YARA + TTPs}}, date = {2022-04-06}, organization = {Medium mars0x}, url = {https://medium.com/@mars0x/wannahusky-malware-analysis-w-yara-ttps-2069fb479909}, language = {English}, urldate = {2022-04-08} } @online{marschalek:20141216:evilbunny:8e78c65, author = {Marion Marschalek}, title = {{EvilBunny: Malware Instrumented By Lua}}, date = {2014-12-16}, organization = {Cyphort}, url = {https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/}, language = {English}, urldate = {2020-06-08} } @online{marschalek:20150218:babar:f8c92b6, author = {Marion Marschalek}, title = {{Babar: Suspected Nation State Spyware In The Spotlight}}, date = {2015-02-18}, organization = {Cyphort}, url = {https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/}, language = {English}, urldate = {2020-06-08} } @online{marschalek:20150218:shooting:91fead0, author = {Marion Marschalek}, title = {{Shooting Elephants}}, date = {2015-02-18}, organization = {Cyphort}, url = {https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/}, language = {English}, urldate = {2020-01-08} } @online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } @online{marten4n6:20180817:evilosx:f44da6e, author = {Marten4n6}, title = {{EvilOSX}}, date = {2018-08-17}, organization = {Github (Marten4n6)}, url = {https://github.com/Marten4n6/EvilOSX}, language = {English}, urldate = {2020-01-09} } @online{martin:20100125:leveraging:2c0f7d8, author = {Ernesto Martin}, title = {{Leveraging ZeuS to send spam through social networks}}, date = {2010-01-25}, url = {http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html}, language = {English}, urldate = {2019-10-28} } @online{martin:20160304:tracing:ca8f6d7, author = {David Martin}, title = {{Tracing the Lineage of DarkSeoul}}, date = {2016-03-04}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787}, language = {English}, urldate = {2019-12-17} } @online{martin:20191127:threat:e91b6bf, author = {Adam Martin}, title = {{Threat Spotlight: Machete Info-Stealer}}, date = {2019-11-27}, organization = {ThreatVector}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html}, language = {English}, urldate = {2020-01-08} } @online{martin:20200703:attack:1454a0d, author = {Anartz Martin}, title = {{Attack Detection Fundamentals: Code Execution and Persistence - Lab #1}}, date = {2020-07-03}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/}, language = {English}, urldate = {2020-09-21} } @online{martin:20201027:purchase:efee82d, author = {Adam Martin and Nathaniel Sagibanda and Kian Buckley Maher and Cofense Phishing Defense Center}, title = {{Purchase Order Phishing, the Everlasting Phishing Tactic}}, date = {2020-10-27}, organization = {Cofense}, url = {https://cofense.com/purchase-order-phishing-the-everlasting-phishing-tactic/}, language = {English}, urldate = {2020-11-02} } @online{martin:20210528:woocommerce:838c718, author = {Ben Martin}, title = {{WooCommerce Credit Card Skimmer Hides in Plain Sight}}, date = {2021-05-28}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/05/woocommerce-credit-card-skimmer.html}, language = {English}, urldate = {2021-06-16} } @online{martin:20210707:magecart:936a43d, author = {Ben Martin}, title = {{Magecart Swiper Uses Unorthodox Concatenation}}, date = {2021-07-07}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html}, language = {English}, urldate = {2021-07-20} } @online{martin:20210728:stylish:741bbed, author = {Ben Martin}, title = {{Stylish Magento Card Stealer loads Without Script Tags}}, date = {2021-07-28}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/07/stylish-magento-card-stealer-loads-without-script-tags.html}, language = {English}, urldate = {2021-07-29} } @online{martin:20210901:analysis:9bb20fb, author = {Ben Martin}, title = {{Analysis of a Phishing Kit (that targets Chase Bank)}}, date = {2021-09-01}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/09/analysis-of-a-phishing-kit-that-targets-chase-bank.html}, language = {English}, urldate = {2021-09-06} } @online{martin:20211115:fake:2be64ec, author = {Ben Martin}, title = {{Fake Ransomware Infection Spooks Website Owners}}, date = {2021-11-15}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-owners.html}, language = {English}, urldate = {2021-11-18} } @online{martin:20221031:mondelez:a33b8ce, author = {Alexander Martin}, title = {{Mondelez and Zurich reach settlement in NotPetya cyberattack insurance suit}}, date = {2022-10-31}, organization = {The Record}, url = {https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/}, language = {English}, urldate = {2022-11-03} } @online{martin:20221220:russian:e1ac521, author = {Alexander Martin}, title = {{Russian hackers targeted petroleum refining company in NATO state}}, date = {2022-12-20}, organization = {The Record}, url = {https://therecord.media/russian-hackers-targeted-petroleum-refining-company-in-nato-state/}, language = {English}, urldate = {2023-01-02} } @online{martin:20230623:clop:ed4b8f0, author = {Jones Martin}, title = {{Clop Ransomware: History, Timeline, And Adversary Simulation}}, date = {2023-06-23}, organization = {Fourcore}, url = {https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation}, language = {English}, urldate = {2023-07-28} } @online{martin:20231025:fakeupdateru:f9cf3f2, author = {Ben Martin}, title = {{FakeUpdateRU Chrome Update Infection Spreads Trojan Malware}}, date = {2023-10-25}, organization = {SUCURI}, url = {https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html}, language = {English}, urldate = {2023-11-13} } @online{martin:20231207:uk:0555eee, author = {Alexander Martin}, title = {{UK names FSB unit behind hack-and-leak campaigns, summons Russian ambassador}}, date = {2023-12-07}, organization = {The Record}, url = {https://therecord.media/uk-names-fsb-unit-behind-hack-and-leak-operation}, language = {English}, urldate = {2023-12-27} } @online{martin:20241001:eduard:738b3e7, author = {Alexander Martin}, title = {{Eduard Benderskiy: Western authorities link Russian intelligence officer to Evil Corp cybercrime empire}}, date = {2024-10-01}, organization = {The Record}, url = {https://therecord.media/evil-corp-cybercrime-eduard-benderskiy-russian-intelligence}, language = {English}, urldate = {2025-02-03} } @online{martineau:20210706:understanding:b8b39b6, author = {John Martineau}, title = {{Understanding REvil: The Ransomware Gang Behind the Kaseya Attack}}, date = {2021-07-06}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/revil-threat-actors/}, language = {English}, urldate = {2021-07-08} } @online{martinez:20200115:alien:a57585f, author = {Fernando Martinez}, title = {{Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37}}, date = {2020-01-15}, organization = {AT&T Cybersecurity}, url = {https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37}, language = {English}, urldate = {2020-01-22} } @online{martinez:20201126:using:2d0ccc3, author = {Emiliano Martinez}, title = {{Using similarity to expand context and map out threat campaigns}}, date = {2020-11-26}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html}, language = {English}, urldate = {2020-12-03} } @online{martinez:20210614:malware:0b975d7, author = {Fernando Martinez}, title = {{Malware hosting domain Cyberium fanning out Mirai variants}}, date = {2021-06-14}, organization = {AlienVault}, url = {https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants}, language = {English}, urldate = {2021-06-21} } @online{martinez:20210706:lazarus:99dc50f, author = {Fernando Martinez}, title = {{Lazarus campaign TTPs and evolution}}, date = {2021-07-06}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution}, language = {English}, urldate = {2021-07-11} } @online{martinez:20210722:fraud:9f095b0, author = {Roberto Martinez and Anton Ushakov}, title = {{The Fraud Family Fraud-as-a-Service operation targeting Dutch residents}}, date = {2021-07-22}, organization = {Group-IB}, url = {https://blog.group-ib.com/fraud_family_nl/}, language = {English}, urldate = {2021-07-22} } @online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } @online{martinez:20220825:roasting:adb6ea2, author = {Roberto Martinez and Rustam Mirkasymov}, title = {{Roasting 0ktapus: The phishing campaign going after Okta identity credentials}}, date = {2022-08-25}, organization = {Group-IB}, url = {https://blog.group-ib.com/0ktapus}, language = {English}, urldate = {2022-08-30} } @online{martinez:20220829:crypto:b9c06fe, author = {Fernando Martinez}, title = {{Crypto miners’ latest techniques}}, date = {2022-08-29}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/crypto-miners-latest-techniques}, language = {English}, urldate = {2022-08-31} } @online{martinez:20230131:vidar:32a27bd, author = {Roberto Martinez}, title = {{Vidar Info-Stealer Malware Distributed via Malvertising on Google}}, date = {2023-01-31}, organization = {Darktrace}, url = {https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google}, language = {English}, urldate = {2023-02-01} } @online{martinez:20230322:new:e2a79b6, author = {Roberto Martinez and Taisiia Garkava}, title = {{New loader on the bloc - AresLoader}}, date = {2023-03-22}, organization = {Intel 471}, url = {https://intel471.com/blog/new-loader-on-the-bloc-aresloader}, language = {English}, urldate = {2023-04-14} } @online{martinez:20240105:asyncrat:e74d426, author = {Fernando Martinez}, title = {{AsyncRAT loader: Obfuscation, DGAs, decoys and Govno}}, date = {2024-01-05}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno}, language = {English}, urldate = {2024-12-06} } @online{martinez:20241101:ngioweb:061a9ca, author = {Fernando Martinez}, title = {{Ngioweb Remains Active 7 Years Later}}, date = {2024-11-01}, organization = {LevelBlue}, url = {https://levelblue.com/blogs/labs-research/ngioweb-remains-active-7-years-later}, language = {English}, urldate = {2024-11-25} } @online{martire:20181127:sload:0540bde, author = {Luigi Martire and Luca Mella}, title = {{The SLoad Powershell Threat is Expanding to Italy}}, date = {2018-11-27}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/}, language = {English}, urldate = {2022-02-02} } @online{martire:20190326:ursnif:1d301b8, author = {Luigi Martire and Davide Testa and Luca Mella}, title = {{The Ursnif Gangs keep Threatening Italy}}, date = {2019-03-26}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/}, language = {English}, urldate = {2022-02-02} } @online{martire:20190409:limerat:90dd4a3, author = {Luigi Martire and Luca Mella}, title = {{LimeRAT spreads in the wild}}, date = {2019-04-09}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/limerat-spreads-in-the-wild/}, language = {English}, urldate = {2022-02-02} } @online{martire:20190516:stealthy:930aa98, author = {Luigi Martire and Davide Testa and Antonio Pirozzi and Luca Mella}, title = {{The Stealthy Email Stealer in the TA505 Arsenal}}, date = {2019-05-16}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/}, language = {English}, urldate = {2019-10-14} } @online{martire:20190608:evolution:c9d130c, author = {Luigi Martire and Davide Testa and Luca Mella and ZLAB-Yoroi}, title = {{The Evolution of Aggah: From Roma225 to the RG Campaign}}, date = {2019-06-08}, organization = {Yoroi}, url = {https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/}, language = {English}, urldate = {2021-06-16} } @online{martire:20200127:aggah:9ed3380, author = {Luigi Martire and Luca Mella}, title = {{Aggah: How to run a botnet without renting a Server (for more than a year)}}, date = {2020-01-27}, organization = {Yoroi}, url = {https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/}, language = {English}, urldate = {2021-06-16} } @online{martire:20200221:transparent:eb18469, author = {Luigi Martire and Pietro Melillo and Antonio Pirozzi}, title = {{Transparent Tribe: Four Years Later}}, date = {2020-02-21}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/transparent-tribe-four-years-later}, language = {English}, urldate = {2020-03-06} } @online{martire:20200506:new:4e0c27b, author = {Luigi Martire and Davide Testa and Luca Mella}, title = {{New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain}}, date = {2020-05-06}, organization = {Yoroi}, url = {https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/}, language = {English}, urldate = {2021-06-16} } @online{martire:20200522:cybercriminal:97a41b3, author = {Luigi Martire and Giacomo d'Onofrio and Antonio Pirozzi and Luca Mella}, title = {{Cyber-Criminal espionage Operation insists on Italian Manufacturing}}, date = {2020-05-22}, organization = {Yoroi}, url = {https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/}, language = {English}, urldate = {2022-02-02} } @online{martire:20201130:shadows:2ef4813, author = {Luigi Martire and Antonio Pirozzi and Luca Mella}, title = {{Shadows From The Past Threaten Italian Enterprises}}, date = {2020-11-30}, organization = {Yoroi}, url = {https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/}, language = {English}, urldate = {2021-06-16} } @online{martire:20210112:opening:806667c, author = {Luigi Martire and Antonio Pirozzi and Luca Mella}, title = {{Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife}}, date = {2021-01-12}, organization = {Yoroi}, url = {https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/}, language = {English}, urldate = {2021-07-20} } @online{martire:20210204:connecting:9d49c15, author = {Luigi Martire and Luca Mella}, title = {{Connecting the dots inside the Italian APT Landscape}}, date = {2021-02-04}, organization = {Yoroi}, url = {https://yoroi.company/research/connecting-the-dots-inside-the-italian-apt-landscape/}, language = {English}, urldate = {2021-06-16} } @online{martire:20210316:threatening:9158d9b, author = {Luigi Martire and Luca Mella}, title = {{Threatening within Budget: How WSH-RAT is abused by Cyber-Crooks}}, date = {2021-03-16}, organization = {Yoroi}, url = {https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/}, language = {English}, urldate = {2021-06-16} } @online{martire:20210629:wayback:fc8fa84, author = {Luigi Martire and Luca Mella}, title = {{The "WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight}}, date = {2021-06-29}, organization = {Yoroi}, url = {https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/}, language = {English}, urldate = {2021-06-29} } @online{martire:20210831:financial:e78f0cc, author = {Luigi Martire and Luca Mella and Yoroi}, title = {{Financial Institutions in the Sight of New JsOutProx Attack Waves}}, date = {2021-08-31}, organization = {Yoroi}, url = {https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/}, language = {English}, urldate = {2021-09-09} } @online{martire:20210924:hunting:d29a5e6, author = {Luigi Martire and Luca Mella}, title = {{Hunting the LockBit Gang's Exfiltration Infrastructures}}, date = {2021-09-24}, organization = {Yoroi}, url = {https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/}, language = {English}, urldate = {2021-09-24} } @online{martire:202110:spectre:d4c34d7, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Spectre v4.0: the speed of malware threats after the pandemics}}, date = {2021-10}, organization = {Yoroi}, url = {https://yoroi.company/research/spectre-v4-0-the-speed-of-malware-threats-after-the-pandemics/}, language = {English}, urldate = {2021-10-22} } @online{martire:20211116:office:2dba65a, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Office Documents: May the XLL technique change the threat Landscape in 2022?}}, date = {2021-11-16}, organization = {Yoroi}, url = {https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/}, language = {English}, urldate = {2021-11-17} } @online{martire:20211217:serverless:1d4e81c, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Serverless InfoStealer delivered in Est European Countries}}, date = {2021-12-17}, organization = {Yoroi}, url = {https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/}, language = {English}, urldate = {2021-12-17} } @online{martire:20220226:diskkillhermeticwiper:b3582b9, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures}}, date = {2022-02-26}, organization = {Yoroi}, url = {https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/}, language = {English}, urldate = {2022-03-10} } @online{martire:20220308:conti:bc6c20c, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Conti Ransomware source code: a well-designed COTS ransomware}}, date = {2022-03-08}, organization = {Yoroi}, url = {https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/}, language = {English}, urldate = {2022-03-10} } @techreport{martire:20220722:footsteps:138e516, author = {Luigi Martire and Carmelo Ragusa}, title = {{On The Footsteps of Hive Ransomware}}, date = {2022-07-22}, institution = {Yoroi}, url = {https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf}, language = {English}, urldate = {2022-07-28} } @online{martire:20220726:footsteps:cd2ba49, author = {Luigi Martire and Carmelo Ragusa}, title = {{On the FootSteps of Hive Ransomware}}, date = {2022-07-26}, organization = {Yoroi}, url = {https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/}, language = {English}, urldate = {2022-07-28} } @online{martire:20220930:dissecting:6f63f37, author = {Luigi Martire and Carmelo Ragusa}, title = {{Dissecting BlueSky Ransomware Payload}}, date = {2022-09-30}, organization = {Yoroi}, url = {https://yoroi.company/research/dissecting-bluesky-ransomware-payload/}, language = {English}, urldate = {2022-09-30} } @online{martire:20221117:reconstructing:5b546b1, author = {Luigi Martire and Carmelo Ragusa}, title = {{Reconstructing the last activities of Royal Ransomware}}, date = {2022-11-17}, organization = {Yoroi}, url = {https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/}, language = {English}, urldate = {2022-11-18} } @online{martire:20230215:hunting:eb09f70, author = {Luigi Martire and Carmelo Ragusa}, title = {{Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel}}, date = {2023-02-15}, organization = {Yoroi}, url = {https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/}, language = {English}, urldate = {2023-02-16} } @online{martire:20230329:ducktail:2358e56, author = {Luigi Martire and Carmelo Ragusa}, title = {{DuckTail: Dissecting a complex infection chain started from social engineering}}, date = {2023-03-29}, organization = {Yoroi}, url = {https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/}, language = {English}, urldate = {2023-04-18} } @online{martire:20230413:money:e20f9ee, author = {Luigi Martire and Carmelo Ragusa}, title = {{Money Ransomware: The Latest Double Extortion Group}}, date = {2023-04-13}, organization = {Yoroi}, url = {https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/}, language = {English}, urldate = {2023-04-18} } @online{martire:20231206:unveiling:d2c35aa, author = {Luigi Martire and Carmelo Ragusa}, title = {{Unveiling “Vetta Loader”: A custom loader hitting Italy and spread through infected USB Drives}}, date = {2023-12-06}, url = {https://yoroi.company/en/research/unveiling-vetta-loader-a-custom-loader-hitting-italy-and-spread-through-infected-usb-drives/}, language = {English}, urldate = {2023-12-12} } @online{martire:20231218:innovation:65bb5e8, author = {Luigi Martire and Carmelo Ragusa}, title = {{Innovation in Cyber Intrusions: The Evolution of TA544}}, date = {2023-12-18}, organization = {Yoroi}, url = {https://web.archive.org/web/20231219110155/https://yoroi.company/en/research/innovation-in-cyber-intrusions-the-evolution-of-ta544/}, language = {English}, urldate = {2023-12-27} } @online{martire:20240521:uncovering:b06d1dc, author = {Luigi Martire and Carmelo Ragusa}, title = {{Uncovering an undetected KeyPlug implant attacking industries in Italy}}, date = {2024-05-21}, organization = {Yoroi}, url = {https://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/}, language = {English}, urldate = {2024-06-05} } @techreport{martire:20250520:sarcoma:695a41c, author = {Luigi Martire and Pierluigi Paganini}, title = {{Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang}}, date = {2025-05-20}, institution = {}, url = {https://securityaffairs.com/wp-content/uploads/2025/05/Sarcoma-Ransomware.pdf}, language = {English}, urldate = {2025-05-23} } @online{martnez:20200505:aptc36:42d885b, author = {Jose Luis Sánchez Martínez}, title = {{APT-C-36}}, date = {2020-05-05}, organization = {MITRE ATT&CK}, url = {https://attack.mitre.org/groups/G0099/}, language = {English}, urldate = {2023-12-04} } @online{martnez:20220601:analyzing:f24391a, author = {Jose Luis Sánchez Martínez}, title = {{Analyzing AsyncRAT distributed in Colombia}}, date = {2022-06-01}, organization = {Github (jstnk9)}, url = {https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/}, language = {English}, urldate = {2022-06-02} } @online{marty:20241014:water:7bbf399, author = {Charles Adrian Marty and Kim Benedict Victorio and Adriel Isidro and Christian Alpuerto and Mark Jason Co and Lorenzo Laureano and Andre Filipe Codod and Adremel Redondo}, title = {{Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware}}, date = {2024-10-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html}, language = {English}, urldate = {2024-11-04} } @online{martyanov:20220309:raccoon:b35569a, author = {Vladimir Martyanov}, title = {{Raccoon Stealer: “Trash panda” abuses Telegram}}, date = {2022-03-09}, organization = {Avast}, url = {https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram}, language = {English}, urldate = {2022-03-10} } @online{martyanov:20220414:zloader:23c520a, author = {Vladimir Martyanov}, title = {{Zloader 2: The Silent Night}}, date = {2022-04-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/}, language = {English}, urldate = {2022-04-15} } @online{martyn:20210124:visualdoor:3e91780, author = {Darren Martyn}, title = {{VisualDoor: SonicWall SSL-VPN Exploit}}, date = {2021-01-24}, organization = {Darren’s Website}, url = {https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/amp/?__twitter_impression=true}, language = {English}, urldate = {2021-01-25} } @online{maruccia:20241202:hacking:73812ec, author = {Alfonso Maruccia}, title = {{Hacking group claims to have cracked Microsoft's software licensing security on a massive scale}}, date = {2024-12-02}, organization = {TechSpot}, url = {https://www.techspot.com/news/105785-mas-developers-achieve-major-breakthrough-windows-office-cracking.html}, language = {English}, urldate = {2025-02-19} } @online{marvi:20220929:bad:4f02da8, author = {Alexander Marvi and Jeremy Koppen and Tufail Ahmed and Jonathan Lepore}, title = {{Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors}}, date = {2022-09-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence}, language = {English}, urldate = {2022-09-30} } @online{marvi:20220929:bad:8fc7be3, author = {Alexander Marvi and Greg Blaum}, title = {{Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors}}, date = {2022-09-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening}, language = {English}, urldate = {2022-09-30} } @online{marvi:20230316:fortinet:d6ae40c, author = {Alexander Marvi and BRAD SLAYBAUGH and DAN EBREO and Tufail Ahmed and Muhammad Umair and TINA JOHNSON}, title = {{Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation}}, date = {2023-03-16}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem}, language = {English}, urldate = {2023-04-22} } @online{marvi:20230613:vmware:ab644e2, author = {Alexander Marvi and BRAD SLAYBAUGH and Ron Craft and Rufus Brown}, title = {{VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors (UNC3886)}}, date = {2023-06-13}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass}, language = {English}, urldate = {2023-07-31} } @online{marvi:20230628:detection:4a20fad, author = {Alexander Marvi and Greg Blaum and Ron Craft}, title = {{Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts}}, date = {2023-06-28}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening}, language = {English}, urldate = {2023-07-31} } @online{masabuchi:20230529:gobrat:551d8d2, author = {Yuma Masabuchi}, title = {{GobRAT malware written in Go language targeting Linux routers}}, date = {2023-05-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2023/05/gobrat.html}, language = {English}, urldate = {2023-05-30} } @online{masada:20241003:protecting:b55bbc9, author = {Steven Masada}, title = {{Protecting Democratic Institutions from Cyber Threats}}, date = {2024-10-03}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/}, language = {English}, urldate = {2024-12-02} } @online{masada:20250227:disrupting:631ffff, author = {Steven Masada}, title = {{Disrupting a global cybercrime network abusing generative AI}}, date = {2025-02-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2025/02/27/disrupting-cybercrime-abusing-gen-ai/}, language = {English}, urldate = {2025-02-28} } @online{masada:20250521:disrupting:fb849be, author = {Steven Masada}, title = {{Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool}}, date = {2025-05-21}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/}, language = {English}, urldate = {2025-05-22} } @online{mascarenhas:20160823:russian:17f62ab, author = {Hyacinth Mascarenhas}, title = {{Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say}}, date = {2016-08-23}, organization = {International Business Times}, url = {http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508}, language = {English}, urldate = {2020-01-08} } @online{mascarenhas:20160823:russian:9531f82, author = {Hyacinth Mascarenhas}, title = {{Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say}}, date = {2016-08-23}, organization = {International Business Times}, url = {https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508}, language = {English}, urldate = {2020-09-15} } @online{maslennikov:20111006:zeusinthemobile:ea34d2e, author = {Denis Maslennikov}, title = {{ZeuS-in-the-Mobile – Facts and Theories}}, date = {2011-10-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/}, language = {English}, urldate = {2020-02-04} } @online{mass:20150114:catching:33c67af, author = {Tony Massé}, title = {{Catching the “Inception Framework” Phishing Attack}}, date = {2015-01-14}, organization = {LogRhythm}, url = {https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/}, language = {English}, urldate = {2020-04-21} } @online{mass:20150114:catching:841eb77, author = {Tony Massé}, title = {{Catching the “Inception Framework” Phishing Attack}}, date = {2015-01-14}, organization = {LogRhythm}, url = {https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack}, language = {English}, urldate = {2022-08-25} } @online{mastadamus:20220321:anatomy:5e52c7b, author = {Mastadamus}, title = {{Anatomy of An Mirai Botnet Attack}}, date = {2022-03-21}, organization = {Azure DevOps (Mastadamus)}, url = {https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack}, language = {English}, urldate = {2022-03-22} } @online{masters:20220914:threat:5694e61, author = {Derrick Masters and Loïc Castel}, title = {{THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence}}, date = {2022-09-14}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence}, language = {English}, urldate = {2022-09-19} } @techreport{masters:20231007:taking:9105360, author = {Derrick Masters}, title = {{Taking Shortcuts: Using LNK files for initial infection and persistence}}, date = {2023-10-07}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/Insights/Research/threat-analysis-purple-team-taking-shortcuts-LNK-files.pdf}, language = {English}, urldate = {2023-10-09} } @online{masters:20231030:managed:29df3dd, author = {Jim Masters}, title = {{Managed Security Services Provider (MSSP) Market News: 30 October 2023}}, date = {2023-10-30}, organization = {MSSPAlert}, url = {https://www.msspalert.com/news/managed-security-services-provider-mssp-market-news-30-october-2023}, language = {English}, urldate = {2023-11-17} } @online{masubuchi:20210527:attacks:4327680, author = {Yuma Masubuchi}, title = {{Attacks Embedding XMRig on Compromised Servers}}, date = {2021-05-27}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/05/xmrig.html}, language = {English}, urldate = {2021-06-16} } @online{masubuchi:20210712:attack:a8f8d3b, author = {Yuma Masubuchi and Shusei Tomonaga}, title = {{Attack Exploiting XSS Vulnerability in E-commerce Websites}}, date = {2021-07-12}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html}, language = {English}, urldate = {2021-07-20} } @online{masubuchi:20211026:malware:44bce23, author = {Yuma Masubuchi}, title = {{Malware WinDealer used by LuoYu Attack Group}}, date = {2021-10-26}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/10/windealer.html}, language = {English}, urldate = {2021-11-03} } @online{masubuchi:20230712:dangerouspassword:76fadc7, author = {Yuma Masubuchi}, title = {{DangerousPassword attacks targeting developers' Windows, macOS, and Linux environments}}, date = {2023-07-12}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2023/07/dangerouspassword_dev.html}, language = {Japanese}, urldate = {2023-07-16} } @online{masubuchi:20230828:maldoc:6a38ecd, author = {Yuma Masubuchi and Kota Kino}, title = {{MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file –}}, date = {2023-08-28}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html}, language = {English}, urldate = {2023-08-28} } @online{mateescu:20200504:android:53b02bf, author = {Adina Mateescu and Silviu Stahie}, title = {{Android SLocker Variant Uses Coronavirus Scare to Take Android Hostage}}, date = {2020-05-04}, organization = {Bitdefender}, url = {https://www.bitdefender.com/en-us/blog/labs/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage}, language = {English}, urldate = {2025-02-25} } @online{mateo:20250311:aiassisted:88ea2b5, author = {Cj Arsley Mateo and Jacob Santos and Darrel Tristan Virtusio and Junestherry Dela Cruz and Paul John Bardon}, title = {{AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution}}, date = {2025-03-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/c/ai-assisted-fake-github-repositories.html}, language = {English}, urldate = {2025-03-12} } @online{mathews:20220804:top:2e6e156, author = {Michael Mathews and RIFT: Research and Intelligence Fusion Team}, title = {{Top of the Pops: Three common ransomware entry techniques}}, date = {2022-08-04}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/08/04/top-of-the-pops-three-common-ransomware-entry-techniques}, language = {English}, urldate = {2022-08-22} } @online{mathur:20220621:rise:71e04f0, author = {Lakshya Mathur}, title = {{Rise of LNK (Shortcut files) Malware}}, date = {2022-06-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/}, language = {English}, urldate = {2022-07-05} } @online{matousek:20241220:emmenhtal:68545c3, author = {Alexandre Matousek and Marine PICHON}, title = {{Tweet on Emmenhtal v2}}, date = {2024-12-20}, organization = {Twitter (@CERTCyberdef)}, url = {https://x.com/CERTCyberdef/status/1870137789402014155}, language = {English}, urldate = {2025-03-14} } @techreport{matrosov:20110103:stuxnet:420d733, author = {Aleksandr Matrosov and Eugene Rodionov and David Harley and Juraj Malcho}, title = {{Stuxnet Under the Microscope}}, date = {2011-01-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf}, language = {English}, urldate = {2019-12-20} } @techreport{matrosov:20120302:win32carberp:638558a, author = {Aleksandr Matrosov and Eugene Rodionov and Dmitry Volkov and David Harley}, title = {{Win32/Carberp: When You're in a Black Hole, Stop Digging}}, date = {2012-03-02}, institution = {ESET Research}, url = {https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf}, language = {English}, urldate = {2020-02-11} } @online{matrosov:20120605:smartcard:88d7163, author = {Aleksandr Matrosov}, title = {{Smartcard vulnerabilities in modern banking malware}}, date = {2012-06-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20120713:rovnix:7988101, author = {Aleksandr Matrosov}, title = {{Rovnix bootkit framework updated}}, date = {2012-07-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20121219:win32spyranbyus:955d383, author = {Aleksandr Matrosov}, title = {{Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems}}, date = {2012-12-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20130204:what:56f7bcb, author = {Aleksandr Matrosov}, title = {{What do Win32/Redyms and TDL4 have in common?}}, date = {2013-02-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20130225:caphaw:b265b3f, author = {Aleksandr Matrosov}, title = {{Caphaw attacking major European banks using webinject plugin}}, date = {2013-02-25}, organization = {WeLiveSecurity}, url = {https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/}, language = {English}, urldate = {2023-05-23} } @online{matrosov:20130313:how:c50943e, author = {Aleksandr Matrosov}, title = {{How Theola malware uses a Chrome plugin for banking fraud}}, date = {2013-03-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/}, language = {English}, urldate = {2019-11-14} } @online{matrosov:20230309:untold:ccb6198, author = {Aleksandr Matrosov}, title = {{The Untold Story of the BlackLotus UEFI Bootkit}}, date = {2023-03-09}, organization = {binarly}, url = {https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html}, language = {English}, urldate = {2023-03-20} } @online{matsakis:20180110:hack:73c4c38, author = {Louise Matsakis}, title = {{Hack Brief: Russian Hackers Release Apparent IOC Emails in Wake of Olympic Ban}}, date = {2018-01-10}, organization = {Wired}, url = {https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/}, language = {English}, urldate = {2020-01-13} } @online{matsuda:20160126:urlzone:dd8e32e, author = {Ayako Matsuda and Lennard Galang and Sudeep Singh and Joonho Sa and Shinsuke Honjo}, title = {{URLZone Zones in on Japan}}, date = {2016-01-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html}, language = {English}, urldate = {2019-12-20} } @online{matsuda:20180913:apt10:689e4bb, author = {Ayako Matsuda and Irshad Muhammad}, title = {{APT10 Targeting Japanese Corporations Using Updated TTPs}}, date = {2018-09-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html}, language = {English}, urldate = {2019-12-20} } @online{matsumoto:20201106:emotetzloader:ba310e4, author = {Matsumoto and Takagen and Ishikawa}, title = {{分析レポート:Emotetの裏で動くバンキングマルウェア「Zloader」に注意}}, date = {2020-11-06}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/people/20201106_002321.html}, language = {Japanese}, urldate = {2020-11-09} } @online{matsumoto:20221130:evolution:29e9b4c, author = {Matsumoto}, title = {{Evolution of the PlugX loader}}, date = {2022-11-30}, organization = {FFRI Security}, url = {https://engineers.ffri.jp/entry/2022/11/30/141346}, language = {Japanese}, urldate = {2022-12-01} } @online{matt:20200210:suspected:d2241fe, author = {Matt}, title = {{Suspected Sapphire Mushroom (APT-C-12) malicious LNK files}}, date = {2020-02-10}, organization = {Bit of Hex Blog}, url = {https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/}, language = {English}, urldate = {2020-02-13} } @online{matthew:20221114:twitter:9b57525, author = {Matthew}, title = {{Twitter thread on Yara Signatures for Qakbot Encryption Routines}}, date = {2022-11-14}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1592067841154756610?s=20}, language = {English}, urldate = {2022-11-18} } @online{matthew:20230410:redline:397ebbf, author = {Matthew}, title = {{Redline Stealer - Static Analysis and C2 Extraction}}, date = {2023-04-10}, organization = {Twitter (@embee_research)}, url = {https://embeeresearch.io/redline-stealer-basic-static-analysis-and-c2-extraction/}, language = {English}, urldate = {2024-06-05} } @online{matthew:20230507:agenttesla:65bf8af, author = {Matthew}, title = {{AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints}}, date = {2023-05-07}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/}, language = {English}, urldate = {2023-05-08} } @online{matthews:20220505:north:22bd1ef, author = {Michael Matthews and Nikolaos Pantazopoulos}, title = {{North Korea’s Lazarus: their initial access trade-craft using social media and social engineering}}, date = {2022-05-05}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/}, language = {English}, urldate = {2022-05-05} } @online{mattia:20240620:medusa:c5f01ec, author = {Simone Mattia and Federico Valentini}, title = {{Medusa Reborn: A New Compact Variant Discovered}}, date = {2024-06-20}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered}, language = {English}, urldate = {2024-06-28} } @online{mattia:20241204:droidbot:6a16657, author = {Simone Mattia and Alessandro Strino and Federico Valentini}, title = {{DroidBot: Insights from a new Turkish MaaS fraud operation}}, date = {2024-12-04}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/droidbot-insights-from-a-new-turkish-maas-fraud-operation}, language = {English}, urldate = {2024-12-06} } @online{mattos:20211120:velociraptor:bc6d897, author = {Eduardo Mattos}, title = {{Tweet on Velociraptor artifact analysis for Emotet}}, date = {2021-11-20}, organization = {Twitter (@eduardfir)}, url = {https://twitter.com/eduardfir/status/1461856030292422659}, language = {English}, urldate = {2021-11-25} } @online{mattos:20220226:yours:2cd2d24, author = {Eduardo Mattos and Rob Homewood}, title = {{Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver}}, date = {2022-02-26}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/}, language = {English}, urldate = {2022-03-22} } @online{mattos:20220226:yours:aa5994a, author = {Eduardo Mattos and Rob Homewood}, title = {{Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver}}, date = {2022-02-26}, organization = {Aon}, url = {https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/}, language = {English}, urldate = {2022-03-01} } @online{matveeva:20170815:secrets:c15cac1, author = {Vesta Matveeva}, title = {{Secrets of Cobalt}}, date = {2017-08-15}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/cobalt}, language = {English}, urldate = {2019-12-15} } @online{matveeva:20200127:operation:0a2260a, author = {Vesta Matveeva}, title = {{Operation Night Fury: Group-IB helps take down a cybergang behind the infection of hundreds of websites all over the world}}, date = {2020-01-27}, organization = {Group-IB}, url = {https://www.group-ib.com/media/night-fury/}, language = {English}, urldate = {2020-01-28} } @online{matveeva:20220128:shedding:7c736f5, author = {Vesta Matveeva and Iaroslav Polianskii}, title = {{Shedding light on the dark web}}, date = {2022-01-28}, organization = {Group-IB}, url = {https://blog.group-ib.com/ml-in-investigations}, language = {English}, urldate = {2022-02-04} } @online{mauronz:20190327:analysis:99db548, author = {mauronz}, title = {{Analysis of the ShadowHammer backdoor}}, date = {2019-03-27}, organization = {mauronz blog}, url = {https://mauronz.github.io/shadowhammer-backdoor}, language = {English}, urldate = {2020-01-06} } @online{maurya:20211112:golang:aadabd9, author = {Anmol Maurya}, title = {{Golang Malware Is More than a Fad: Financial Motivation Drives Adoption}}, date = {2021-11-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/}, language = {English}, urldate = {2021-11-17} } @online{maurya:20220111:tellyouthepass:b31fcb8, author = {Anmol Maurya}, title = {{TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang}}, date = {2022-01-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/}, language = {English}, urldate = {2022-01-18} } @online{mave12:20210113:github:efbd925, author = {Mave12}, title = {{Github Repository: BlackNET 3.7.0.1}}, date = {2021-01-13}, organization = {Github (Mave12)}, url = {https://github.com/mave12/BlackNET-3.7.0.1}, language = {English}, urldate = {2022-01-12} } @techreport{maverits:20241231:apt28:edb7884, author = {Maverits}, title = {{APT28 the long hand of Russian interests}}, date = {2024-12-31}, institution = {Maverits}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/APT28/APT28%20the%20long%20hand%20of%20Russian%20interests.pdf}, language = {English}, urldate = {2025-02-17} } @techreport{mavis:20200921:art:d9702a4, author = {Nick Mavis and Joe Marshall and JON MUNSHAW}, title = {{The art and science of detecting Cobalt Strike}}, date = {2020-09-21}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf}, language = {English}, urldate = {2020-09-23} } @online{maximciuc:20170901:ehdevel:6440974, author = {Alexandru Maximciuc and Cristina Vatamanu}, title = {{EHDevel – The story of a continuously improving advanced threat creation toolkit}}, date = {2017-09-01}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/}, language = {English}, urldate = {2024-08-19} } @techreport{maximciuc:20220825:hiding:365d9e5, author = {Alexandru Maximciuc and Victor Vrabie}, title = {{Hiding in the Shadows: Investigation of a Corporate Espionage Attack}}, date = {2022-08-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf}, language = {English}, urldate = {2022-09-19} } @online{maynier:20201220:analyzing:3e15960, author = {Etienne Maynier}, title = {{Analyzing Cobalt Strike for Fun and Profit}}, date = {2020-12-20}, organization = {Randhome}, url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/}, language = {English}, urldate = {2020-12-23} } @online{maynor:20170705:medoc:58bcc4a, author = {David Maynor and Aleksandar Nikolic and Matt Olney and Yves Younan}, title = {{The MeDoc Connection}}, date = {2017-07-05}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/the-medoc-connection.html}, language = {English}, urldate = {2020-01-13} } @online{mayor:20210305:exchange:632ca07, author = {Louie Mayor}, title = {{Exchange Server IIS dropping web shells and other artifacts}}, date = {2021-03-05}, organization = {Microsoft}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md}, language = {English}, urldate = {2021-03-10} } @online{mazerik:20150227:scanbox:867abf2, author = {Ryan Mazerik}, title = {{ScanBox Framework}}, date = {2015-02-27}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/scanbox-framework/}, language = {English}, urldate = {2020-01-13} } @online{mazurenko:20231212:ukrainian:dfb4fca, author = {Alona Mazurenko}, title = {{Ukrainian intelligence attacks and paralyses Russia's tax system}}, date = {2023-12-12}, organization = {Ukrainska Pravda}, url = {https://www.pravda.com.ua/eng/news/2023/12/12/7432737/}, language = {English}, urldate = {2023-12-13} } @techreport{mbsd:20211027:lockbit20:f61ede8, author = {MBSD}, title = {{ランサムウェア「LockBit2.0」の内部構造を紐}}, date = {2021-10-27}, institution = {MBSD}, url = {https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf}, language = {Japanese}, urldate = {2021-11-03} } @online{mbsd:20220303:infection:9d66ae5, author = {MBSD}, title = {{Infection and explanation of "Hermetic Wiper", a destructive malware targeting Ukraine}}, date = {2022-03-03}, organization = {YouTube (MBSD)}, url = {https://www.youtube.com/watch?v=sUlW45c9izU}, language = {Japanese}, urldate = {2022-03-07} } @techreport{mbsd:20220308:contileaks:1c34368, author = {MBSD}, title = {{ContiLeaks}}, date = {2022-03-08}, institution = {MBSD}, url = {https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf}, language = {Japanese}, urldate = {2022-03-14} } @online{mcafee:20120405:darkshell:d8a6514, author = {McAfee}, title = {{Darkshell DDOS Botnet Evolves With Variants}}, date = {2012-04-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/}, language = {English}, urldate = {2021-04-14} } @online{mcafee:20130321:vskimmer:c441afa, author = {McAfee}, title = {{VSkimmer Botnet Targets Credit Card Payment Terminals}}, date = {2013-03-21}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/}, language = {English}, urldate = {2019-10-15} } @online{mcafee:20140215:examining:520652d, author = {McAfee}, title = {{Examining Your Very Own Sefnit Trojan}}, date = {2014-02-15}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/}, language = {English}, urldate = {2021-09-19} } @online{mcafee:20140715:targeted:06d811a, author = {McAfee}, title = {{Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities}}, date = {2014-07-15}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/}, language = {English}, urldate = {2019-11-22} } @online{mcafee:20140715:targeted:dc6a405, author = {McAfee}, title = {{Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities}}, date = {2014-07-15}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/}, language = {English}, urldate = {2019-12-24} } @techreport{mcafee:201706:mcafee:9fb6783, author = {McAfee}, title = {{McAfee Labs Threats Report}}, date = {2017-06}, institution = {McAfee}, url = {https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf}, language = {English}, urldate = {2020-01-06} } @online{mcafee:20170704:important:78128be, author = {McAfee}, title = {{Important information about Night Dragon}}, date = {2017-07-04}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB71150}, language = {English}, urldate = {2020-01-06} } @online{mcafee:20200828:mvision:0bd3a1e, author = {McAfee}, title = {{MVISION Insights: Wastedlocker Ransomware}}, date = {2020-08-28}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US}, language = {English}, urldate = {2020-10-02} } @online{mccabe:20190221:shifting:2ea5e4a, author = {Adran McCabe}, title = {{Shifting in the Wind: WINDSHIFT Attacks Target Middle Eastern Governments}}, date = {2019-02-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/}, language = {English}, urldate = {2020-01-10} } @online{mccabe:20200123:fractured:399ff15, author = {Adrian McCabe and Unit42}, title = {{The Fractured Statue Campaign: U.S. Government Targeted in Spear-Phishing Attacks}}, date = {2020-01-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/}, language = {English}, urldate = {2020-01-26} } @online{mccabe:20200414:malicious:9481b60, author = {Adrian McCabe and Vicky Ray and Juan Cortes}, title = {{Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns}}, date = {2020-04-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/}, language = {English}, urldate = {2020-04-14} } @online{mccay:20231026:smartapesg:34c667a, author = {Jonathan Mccay}, title = {{SmartApeSG}}, date = {2023-10-26}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/smartapesg-4605157a5b80}, language = {English}, urldate = {2023-11-14} } @online{mccombs:20180125:wannamine:4af3a66, author = {Ryan McCombs and Jason Barnes and Karan Sood and Ian Barton}, title = {{WannaMine Cryptomining: Harmless Nuisance or Disruptive Threat?}}, date = {2018-01-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/}, language = {English}, urldate = {2020-11-25} } @online{mcconkey:20150414:following:02e29b8, author = {Kris McConkey}, title = {{Following APT OpSec failures}}, date = {2015-04-14}, organization = {Youtube (Kaspersky)}, url = {https://www.youtube.com/watch?v=NFJqD-LcpIg}, language = {English}, urldate = {2022-08-30} } @online{mcconkey:20160907:with:1cca78a, author = {Kris McConkey}, title = {{Tweet with hashes on APT3}}, date = {2016-09-07}, organization = {Twitter (smoothimpact)}, url = {https://twitter.com/smoothimpact/status/773631684038107136}, language = {English}, urldate = {2019-12-17} } @online{mcconkey:20170608:seven:da7d43c, author = {Kris McConkey}, title = {{THE SEVEN YEAR ITCH}}, date = {2017-06-08}, organization = {Youtube (Kaspersky)}, url = {https://youtu.be/DDA2uSxjVWY?t=344}, language = {English}, urldate = {2020-01-09} } @online{mcconkey:20200218:tracking:b1acf1a, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-02-18}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2020-02-26} } @online{mcconkey:20200309:tracking:1979cbf, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-03-09}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2021-05-03} } @online{mcconkey:20200309:tracking:5a16ab4, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2}}, date = {2020-03-09}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html}, language = {English}, urldate = {2020-07-13} } @online{mcconkey:20201030:around:b83b01a, author = {Kris McConkey}, title = {{Around the world in 80 days 4.2bn packets}}, date = {2020-10-30}, organization = {YouTube (Kaspersky Tech)}, url = {https://www.youtube.com/watch?v=YCwyc6SctYs}, language = {English}, urldate = {2024-04-11} } @online{mcconkey:20240221:labscon23:7828d7b, author = {Kris McConkey}, title = {{LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor}}, date = {2024-02-21}, organization = {YouTube (SentinelOne)}, url = {https://www.youtube.com/watch?v=-7Swd1ZetiQ}, language = {English}, urldate = {2024-03-04} } @online{mccormack:20110827:mortoa:3f5b3b0, author = {Matt McCormack}, title = {{Morto.A}}, date = {2011-08-27}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A}, language = {English}, urldate = {2020-01-06} } @techreport{mccormack:2015:why:fa3d041, author = {Matt McCormack}, title = {{WHY ATTACKER TOOLSETS DO WHAT THEY DO}}, date = {2015}, institution = {Ruxcon}, url = {http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf}, language = {English}, urldate = {2020-01-08} } @online{mcdaid:20220209:hiddenart:7ad1850, author = {Cathal McDaid}, title = {{HiddenArt – A Russian-linked SS7 Threat Actor}}, date = {2022-02-09}, organization = {ENEA}, url = {https://www.enea.com/insights/the-hunt-for-hiddenart/}, language = {English}, urldate = {2023-12-04} } @online{mcdonald:20091222:qakbot:fb2517b, author = {John McDonald and Masaki Suenaga and Takayoshi Nakayama}, title = {{Qakbot, Data Thief Unmasked: Part II}}, date = {2009-12-22}, organization = {Symantec}, url = {https://web.archive.org/web/20110406012907/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii}, language = {English}, urldate = {2023-08-30} } @online{mcdonald:20110629:inside:a85984a, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-01-06} } @online{mcdonald:20110629:inside:b955948, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-04-21} } @online{mcdonald:20210918:hunting:2da3ec2, author = {Russell McDonald}, title = {{Hunting for OMI Vulnerability Exploitation with Azure Sentinel}}, date = {2021-09-18}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093}, language = {English}, urldate = {2021-09-22} } @online{mcelroy:20210325:web:38010a7, author = {Tom McElroy}, title = {{Web Shell Threat Hunting with Azure Sentinel}}, date = {2021-03-25}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968}, language = {English}, urldate = {2021-03-30} } @online{mceoin:20230826:clearfake:ccdc544, author = {Randy McEoin}, title = {{ClearFake Malware Analysis}}, date = {2023-08-26}, organization = {rmceoin.github.io}, url = {https://rmceoin.github.io/malware-analysis/clearfake/}, language = {English}, urldate = {2023-10-20} } @online{mcgarr:20200526:know:d091e19, author = {Connor McGarr}, title = {{Know Your Enemy: Exploiting the Dell BIOS Driver Vulnerability to Defend Against It}}, date = {2020-05-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cve-2021-21551-learning-through-exploitation/}, language = {English}, urldate = {2021-06-09} } @online{mcgarr:20210109:malware:dde1353, author = {Connor McGarr}, title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}}, date = {2021-01-09}, organization = {Connor McGarr's Blog}, url = {https://connormcgarr.github.io/thread-hijacking/}, language = {English}, urldate = {2021-01-11} } @online{mcgraw:20240510:ongoing:ce463b1, author = {Tyler McGraw and Thomas Elkins and Evan McCann}, title = {{Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators}}, date = {2024-05-10}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/}, language = {English}, urldate = {2024-05-21} } @online{mcgraw:20240812:ongoing:a4164d7, author = {Tyler McGraw}, title = {{Ongoing Social Engineering Campaign Refreshes Payloads}}, date = {2024-08-12}, organization = {Rapid7}, url = {https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/}, language = {English}, urldate = {2025-02-25} } @online{mcgraw:20241204:black:391604a, author = {Tyler McGraw}, title = {{Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware}}, date = {2024-12-04}, organization = {Rapid7}, url = {https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/}, language = {English}, urldate = {2025-02-25} } @techreport{mcguire:20210408:nation:5ee2c5e, author = {Michael McGuire}, title = {{Nation States, Cyberconflict and the Web of Profit}}, date = {2021-04-08}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/04/hp-bps-web-of-profit-report_APR_2021.pdf}, language = {English}, urldate = {2021-04-12} } @online{mcguire:20210916:analysis:107f9ed, author = {Tom McGuire}, title = {{Analysis of CVE-2021-30860 the flaw and fix of a zero-click vulnerability, exploited in the wild}}, date = {2021-09-16}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x67.html}, language = {English}, urldate = {2021-09-19} } @online{mckay:20200611:tor2mine:ee5dda6, author = {Kendall McKay and Joe Marshall}, title = {{Tor2Mine is up to their old tricks — and adds a few new ones}}, date = {2020-06-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html}, language = {English}, urldate = {2020-06-12} } @techreport{mckay:20220502:conti:330e34b, author = {Kendall McKay and Paul Eubanks and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-02}, institution = {Cisco Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf}, language = {English}, urldate = {2022-05-04} } @online{mckay:20220503:conti:c764c61, author = {Kendall McKay and Paul Eubanks. and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-03}, organization = {Cisco}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098}, language = {English}, urldate = {2022-05-04} } @online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } @online{mckerchar:20201214:incident:fa87d28, author = {Ross McKerchar}, title = {{Incident response playbook for responding to SolarWinds Orion compromise}}, date = {2020-12-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/}, language = {English}, urldate = {2020-12-15} } @online{mckerchar:20241031:pacific:2b2394f, author = {Ross McKerchar and Andrew Brandt}, title = {{Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns}}, date = {2024-10-31}, organization = {Sophos X-Ops}, url = {https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/}, language = {English}, urldate = {2024-11-04} } @online{mckerchar:20241031:pacific:b8fba6f, author = {Ross McKerchar}, title = {{Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats}}, date = {2024-10-31}, organization = {Sophos X-Ops}, url = {https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/}, language = {English}, urldate = {2024-11-04} } @techreport{mclaren:20220325:how:05e2664, author = {Conor McLaren and Dragos}, title = {{How Dragos Activity Groups Obtain Initial Access into Industrial Environments}}, date = {2022-03-25}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf}, language = {English}, urldate = {2022-04-12} } @online{mclellan:20210429:unc2447:2ad0d96, author = {Tyler McLellan and Justin Moore and Raymond Leong}, title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}}, date = {2021-04-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html}, language = {English}, urldate = {2022-03-07} } @online{mclellan:20210616:smoking:a03a78c, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson and Jordan Nuce}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise}, language = {English}, urldate = {2021-12-01} } @online{mclellan:20210616:smoking:aa78ae0, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson and Jordan Nuce}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise}, language = {English}, urldate = {2025-02-19} } @online{mclellan:20210616:smoking:fa6559d, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html}, language = {English}, urldate = {2021-12-01} } @online{mclellan:20211121:twitter:018d4b1, author = {Tyler McLellan and Twitter (@ffforward)}, title = {{Twitter Thread about UNC1500 phishing using QAKBOT}}, date = {2021-11-21}, organization = {Twitter (@tylabs)}, url = {https://twitter.com/tylabs/status/1462195377277476871}, language = {English}, urldate = {2021-11-29} } @online{mclellan:20211129:kittengif:efb8036, author = {Tyler McLellan and Brandan Schondorfer}, title = {{Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again}}, date = {2021-11-29}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/sabbath-ransomware-affiliate}, language = {English}, urldate = {2021-11-30} } @online{mclellan:20220223:exchange:9b09c31, author = {Tyler McLellan and Joshua Shilko and Shambavi Sadayappan}, title = {{(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware}}, date = {2022-02-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2596-cuba-ransomware}, language = {English}, urldate = {2023-09-13} } @online{mclellan:20240112:cutting:ddcb05d, author = {Tyler McLellan and John Wolfram and Gabby Roncone and Matt Lin and Robert Wallace and Dimiter Andonov}, title = {{Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation}}, date = {2024-01-12}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day}, language = {English}, urldate = {2024-01-12} } @online{mcmahon:20170807:statesponsored:593ff09, author = {Cathal McMahon}, title = {{'State-sponsored' hackers targeted EirGrid electricity network in 'devious attack'}}, date = {2017-08-07}, organization = {Independent.ie}, url = {https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html}, language = {English}, urldate = {2020-01-07} } @online{mcmillan:20210202:hackers:57bcb4b, author = {Robert McMillan}, title = {{Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says}}, date = {2021-02-02}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/hackers-lurked-in-solarwinds-email-system-for-at-least-9-months-ceo-says-11612317963?mod=e2tw}, language = {English}, urldate = {2021-02-04} } @online{mcmillen:20160923:dissecting:d132103, author = {Dave McMillen}, title = {{Dissecting a Hacktivist’s DDoS Tool: Saphyra Revealed}}, date = {2016-09-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/}, language = {English}, urldate = {2020-01-13} } @online{mcmillen:20210311:dridex:1140b01, author = {Dave McMillen and Limor Kessem}, title = {{Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts}}, date = {2021-03-11}, organization = {IBM}, url = {https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/}, language = {English}, urldate = {2021-03-12} } @online{mcneil:20170519:how:fac33a7, author = {Adam McNeil}, title = {{How did the WannaCry ransomworm spread?}}, date = {2017-05-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/}, language = {English}, urldate = {2019-12-20} } @online{mcree:20210928:zircolite:a9dbceb, author = {Russ McRee}, title = {{Zircolite vs Defense Evasion & Nobellium FoggyWeb}}, date = {2021-09-28}, organization = {HolisticInfosec}, url = {https://holisticinfosec.io/post/2021-09-28-zircolite/}, language = {English}, urldate = {2021-10-11} } @online{mcwhirt:20170503:to:0acd52b, author = {Matthew McWhirt and Jon Erickson and DJ Palombo}, title = {{To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence}}, date = {2017-05-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html}, language = {English}, urldate = {2019-12-20} } @online{mcwhirt:20211215:log4shell:9216a09, author = {Matthew McWhirt and John Hultquist}, title = {{Log4Shell Initial Exploitation and Mitigation Recommendations}}, date = {2021-12-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/log4shell-recommendations}, language = {English}, urldate = {2021-12-31} } @online{mcwhirt:20220114:proactive:5ecb6a7, author = {Matthew McWhirt and Daniel Smith and Omar Toor and Bryan Turner}, title = {{Proactive Preparation and Hardening to Protect Against Destructive Attacks}}, date = {2022-01-14}, organization = {Mandiant}, url = {https://www.mandiant.com/media/14506/download}, language = {English}, urldate = {2022-01-18} } @online{mcwhirt:20230710:defend:9fcdf9f, author = {Matthew McWhirt and Thirumalai Natarajan Muthiah and Phil Pearce and Jennifer Guzzetta}, title = {{Defend Against the Latest Active Directory Certificate Services Threats}}, date = {2023-07-10}, organization = {Mandiant}, url = {https://www.mandiant.com/blog/resources/defend-ad-cs-threats}, language = {English}, urldate = {2023-07-31} } @online{mead:20200609:web:825fd05, author = {Rob Mead and Tom McElroy}, title = {{Web shell threat hunting with Azure Sentinel and Microsoft Threat Protection}}, date = {2020-06-09}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel-and-microsoft/ba-p/1448065}, language = {English}, urldate = {2020-06-10} } @online{mechtinger:20200616:elf:7057d58, author = {Aviygayil Mechtinger}, title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}}, date = {2020-06-16}, organization = {Intezer}, url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought}, language = {English}, urldate = {2020-06-16} } @online{mechtinger:20200819:elf:b19773d, author = {Avigayil Mechtinger}, title = {{ELF Malware Analysis 101 Part 2: Initial Analysis}}, date = {2020-08-19}, organization = {Intezer}, url = {https://www.intezer.com/blog/linux/elf-malware-analysis-101-initial-analysis}, language = {English}, urldate = {2020-08-24} } @online{mechtinger:20201124:stantinkos:0b1bea9, author = {Avigayil Mechtinger}, title = {{Stantinko’s Proxy After Your Apache Server}}, date = {2020-11-24}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/}, language = {English}, urldate = {2020-11-25} } @online{mechtinger:20201229:early:b25a2da, author = {Avigayil Mechtinger}, title = {{Early Bird Catches the Worm: New Golang Worm Drops XMRig Miner on Servers}}, date = {2020-12-29}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/}, language = {English}, urldate = {2021-01-05} } @online{mechtinger:20210105:operation:f1c8f31, author = {Avigayil Mechtinger}, title = {{Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets}}, date = {2021-01-05}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/}, language = {English}, urldate = {2021-01-11} } @online{mechtinger:20210217:elf:8a511f1, author = {Avigayil Mechtinger}, title = {{ELF Malware Analysis 101: Part 3 - Advanced Analysis}}, date = {2021-02-17}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/}, language = {English}, urldate = {2021-02-18} } @online{mechtinger:20210310:new:1e588f7, author = {Avigayil Mechtinger and Joakim Kennedy}, title = {{New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor}}, date = {2021-03-10}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/}, language = {English}, urldate = {2021-03-11} } @online{mechtinger:20210714:targeted:ca00788, author = {Avigayil Mechtinger}, title = {{Targeted Phishing Attack against Ukrainian Government Expands to Georgia}}, date = {2021-07-14}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/}, language = {English}, urldate = {2021-07-20} } @online{mechtinger:20210913:vermilion:ff1ee5f, author = {Avigayil Mechtinger and Ryan Robinson and Joakim Kennedy}, title = {{Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike}}, date = {2021-09-13}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/}, language = {English}, urldate = {2021-09-14} } @online{mechtinger:20220111:new:09e24da, author = {Avigayil Mechtinger and Ryan Robinson and Nicole Fishbein}, title = {{New SysJoker Backdoor Targets Windows, Linux, and macOS}}, date = {2022-01-11}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/}, language = {English}, urldate = {2022-01-13} } @online{mechtinger:20250331:cpuhu:66ddb22, author = {Avigayil Mechtinger and Yaara Shriki and Gili Tikochinski}, title = {{CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims}}, date = {2025-03-31}, organization = {Wiz.io}, url = {https://www.wiz.io/blog/postgresql-cryptomining}, language = {English}, urldate = {2025-04-25} } @online{mecra:20210116:irans:6a80adc, author = {MECRA}, title = {{Iran’s Cyber Campaign, and Coercive Recruitment Methods}}, date = {2021-01-16}, organization = {MECRA}, url = {https://www.mideastcenter.org/post/iran-s-cyber-campaign-and-coercive-recruitment-methods}, language = {English}, urldate = {2021-01-18} } @online{medina:20161130:bladabindi:22e025f, author = {Lilia Elena Gonzalez Medina}, title = {{Bladabindi Remains A Constant Threat By Using Dynamic DNS Services}}, date = {2016-11-30}, organization = {Fortinet}, url = {https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services}, language = {English}, urldate = {2020-01-09} } @online{medvedev:20210415:hunting:d53ca2b, author = {Anton Medvedev and Vadim Khrykov and Demyan Sokolin}, title = {{Hunting Down MS Exchange Attacks. Part 1. ProxyLogon (CVE-2021–26855, 26858, 27065, 26857)}}, date = {2021-04-15}, organization = {Medium BI.ZONE}, url = {https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c}, language = {English}, urldate = {2021-06-21} } @online{medvedev:20210616:hunting:4e9be2a, author = {Anton Medvedev and Vadim Khrykov}, title = {{Hunting Down MS Exchange Attacks. Part 2 (CVE-2020–0688, CVE-2020–16875, CVE-2021–24085)}}, date = {2021-06-16}, organization = {Medium BI.ZONE}, url = {https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-2-cve-2020-0688-cve-2020-16875-cve-2021-24085-8355ec0917c}, language = {English}, urldate = {2021-06-21} } @online{megabeets:20180618:decrypting:42e2d5f, author = {Megabeets}, title = {{Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2}}, date = {2018-06-18}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/}, language = {English}, urldate = {2019-10-14} } @techreport{mehta:20140905:peering:8ce5720, author = {Neel Mehta and Billy Leonard and Shane Huntiey}, title = {{Peering Into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family}}, date = {2014-09-05}, institution = {Google}, url = {https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf}, language = {English}, urldate = {2020-07-30} } @online{mehta:20210923:financially:8f507b2, author = {Neel Mehta and Google Threat Analysis Group}, title = {{Financially motivated actor breaks certificate parsing to avoid detection}}, date = {2021-09-23}, organization = {Google}, url = {https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/}, language = {English}, urldate = {2021-09-29} } @online{meiri:20201110:new:d83faa6, author = {Gal Meiri}, title = {{A new skimmer uses WebSockets and a fake credit card form to steal sensitive data}}, date = {2020-11-10}, organization = {Akamai}, url = {https://blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-credit-card-form-to-steal-sensitive-data.html}, language = {English}, urldate = {2020-11-11} } @online{meisner:20130222:bamital:68e57a9, author = {Jeffrey Meisner}, title = {{Bamital Botnet Takedown Is Successful; Cleanup Underway}}, date = {2013-02-22}, organization = {Microsoft}, url = {https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/}, language = {English}, urldate = {2020-01-08} } @online{meister:20201014:german:be3eea7, author = {Andre Meister}, title = {{German Made State Malware Company FinFisher Raided}}, date = {2020-10-14}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/}, language = {English}, urldate = {2020-10-15} } @online{meister:20211217:wir:b75b5ff, author = {Andre Meister}, title = {{Wir enthüllen den Staatstrojaner „Subzero“ aus Österreich}}, date = {2021-12-17}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/}, language = {Deutsch}, urldate = {2022-08-01} } @online{meister:20220328:staatstrojanerhersteller:1cf4c79, author = {Andre Meister}, title = {{Staatstrojaner-Hersteller FinFisher „ist geschlossen und bleibt es auch“}}, date = {2022-03-28}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2022/nach-pfaendung-staatstrojaner-hersteller-finfisher-ist-geschlossen-und-bleibt-es-auch/}, language = {English}, urldate = {2023-03-24} } @online{melber:20210615:how:6df7083, author = {Derek Melber}, title = {{How to Protect Active Directory Against Ransomware Attacks}}, date = {2021-06-15}, organization = {Tenable}, url = {https://www.tenable.com/blog/how-to-protect-active-directory-against-ransomware-attacks}, language = {English}, urldate = {2021-06-21} } @online{mele:20210210:probable:0e70381, author = {Gage Mele and Winston Marydasan and Yury Polozov and Anomali Threat Research}, title = {{Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies}}, date = {2021-02-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies}, language = {English}, urldate = {2023-06-19} } @online{mele:20210331:bahamut:2f5dcae, author = {Gage Mele and Tara Gould and Winston Marydasan and Yury Polozov}, title = {{Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign}}, date = {2021-03-31}, organization = {Anomali}, url = {https://www.anomali.com/blog/bahamut-possibly-responsible-for-multi-stage-infection-chain-campaign}, language = {English}, urldate = {2021-04-06} } @online{mele:20210419:primitive:25a3c2c, author = {Gage Mele and Yury Polozov and Tara Gould}, title = {{PRIMITIVE BEAR (Gamaredon) Targets Ukraine with Timely Themes}}, date = {2021-04-19}, organization = {Anomali}, url = {https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes}, language = {English}, urldate = {2021-04-20} } @online{mele:20210902:cybercrime:335c7cb, author = {Gage Mele and Tara Gould and Rory Gould and Sean Townsend}, title = {{Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor}}, date = {2021-09-02}, organization = {Anomali}, url = {https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor}, language = {English}, urldate = {2021-09-09} } @online{melgarejo:20141127:new:57b87ff, author = {Anthony Joe Melgarejo}, title = {{New PoS Malware Kicks off Holiday Shopping Weekend}}, date = {2014-11-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/}, language = {English}, urldate = {2019-11-29} } @online{melick:20210713:joker:8a701fd, author = {Richard Melick}, title = {{Joker Is Still No Laughing Matter}}, date = {2021-07-13}, organization = {zimperium}, url = {https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/}, language = {English}, urldate = {2021-07-24} } @online{melikov:20210416:unearthing:4ff003c, author = {Dmitry Melikov}, title = {{Unearthing Hancitor Infrastructure}}, date = {2021-04-16}, organization = {InQuest}, url = {https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure}, language = {English}, urldate = {2021-04-28} } @online{melikov:20210526:pschain:e8cbc2d, author = {Dmitry Melikov}, title = {{PSChain}}, date = {2021-05-26}, organization = {InQuest}, url = {https://inquest.net/blog/2021/05/26/pschain}, language = {English}, urldate = {2021-06-09} } @online{melikov:20210823:kimsuky:e899bfa, author = {Dmitry Melikov}, title = {{Kimsuky Espionage Campaign}}, date = {2021-08-23}, organization = {InQuest}, url = {https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign}, language = {English}, urldate = {2021-08-30} } @online{melikov:20211102:adults:cc39000, author = {Dmitry Melikov}, title = {{Adults Only Malware Lures}}, date = {2021-11-02}, organization = {InQuest}, url = {https://inquest.net/blog/2021/11/02/adults-only-malware-lures}, language = {English}, urldate = {2021-11-08} } @online{melikov:20220330:cloud:f8d985e, author = {Dmitry Melikov}, title = {{Cloud Atlas Maldoc}}, date = {2022-03-30}, organization = {InQuest}, url = {https://inquest.net/blog/2022/03/30/cloud-atlas-maldoc}, language = {English}, urldate = {2022-08-02} } @online{melikov:20220418:nobelium:536804e, author = {Dmitry Melikov}, title = {{Nobelium - Israeli Embassy Maldoc}}, date = {2022-04-18}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc}, language = {English}, urldate = {2022-05-09} } @online{melikov:20240606:kimsuky:8ccdb7c, author = {Dmitry Melikov}, title = {{Kimsuky is targeting an arms manufacturer in Europe.}}, date = {2024-06-06}, organization = {Blackberry}, url = {https://www.linkedin.com/pulse/kimsuky-targeting-arms-manufacturer-europe-dmitry-melikov-dquge}, language = {English}, urldate = {2025-02-12} } @online{melillo:20250220:linkc:2dec460, author = {Pietro Melillo}, title = {{Linkc Ransomware: The New Cybercriminal Group Targeting Artificial Intelligence Data}}, date = {2025-02-20}, organization = {RedHotCyber}, url = {https://www.redhotcyber.com/en/post/linkc-ransomware-the-new-cybercriminal-group-targeting-artificial-intelligence-data/#google_vignette}, language = {English}, urldate = {2025-03-21} } @online{mella:20230217:tweets:d3d9f65, author = {Luca Mella}, title = {{Tweets about Darkbit's intermittent encryption}}, date = {2023-02-17}, organization = {Twitter (@luc4m)}, url = {https://twitter.com/luc4m/status/1626535098039271425}, language = {English}, urldate = {2023-02-17} } @online{mella:20230312:makop:66ffdb8, author = {Luca Mella}, title = {{Makop: The Toolkit of a Criminal Gang}}, date = {2023-03-12}, url = {https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11}, language = {English}, urldate = {2023-03-13} } @online{mella:20230326:updates:deb3c61, author = {Luca Mella}, title = {{Updates from the MaaS: new threats delivered through NullMixer}}, date = {2023-03-26}, url = {https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1}, language = {English}, urldate = {2024-12-09} } @online{mella:20230417:data:4a1e593, author = {Luca Mella}, title = {{Data Insights from Russian Cyber Militants: NoName05716}}, date = {2023-04-17}, organization = {Medium (@lcam)}, url = {https://medium.com/@lcam/data-insights-from-russian-cyber-militants-noname057-c9b7431f8352}, language = {English}, urldate = {2024-11-25} } @online{mella:20231003:lighting:38ade3d, author = {Luca Mella}, title = {{Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)}}, date = {2023-10-03}, url = {https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79}, language = {English}, urldate = {2023-10-05} } @online{mella:20241122:how:c5ef827, author = {Luca Mella}, title = {{How to target European SME with Ransomware? Through Zyxel!}}, date = {2024-11-22}, organization = {Medium (@lcam)}, url = {https://medium.com/@lcam/how-to-target-european-smes-with-ransomware-through-zyxel-c9779e96369a}, language = {English}, urldate = {2024-11-25} } @online{mella:20250613:pxa:a818fe2, author = {Luca Mella}, title = {{Tweet on PXA Stealer targeting Italy}}, date = {2025-06-13}, organization = {Twitter (@luc4m)}, url = {https://x.com/luc4m/status/1934864757619900789}, language = {English}, urldate = {2025-07-09} } @online{melnykov:20230314:south:327b0f8, author = {Bohdan Melnykov and Raman Ladutska}, title = {{South Korean Android Banking Menace - Fakecalls}}, date = {2023-03-14}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/south-korean-android-banking-menace-fakecalls/}, language = {English}, urldate = {2023-05-08} } @online{melson:20210130:horuseyes:28144f9, author = {Paul Melson}, title = {{Tweet on HorusEyes RAT}}, date = {2021-01-30}, organization = {Twiiter (@pmelson)}, url = {https://twitter.com/pmelson/status/1355243750109413384}, language = {English}, urldate = {2021-02-06} } @online{meltx0r:20190919:emissary:361f1fd, author = {MeltX0R}, title = {{Emissary Panda APT: Recent infrastructure and RAT analysis}}, date = {2019-09-19}, url = {https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html}, language = {English}, urldate = {2020-01-09} } @online{meltx0r:20191024:10242019:6438b53, author = {MeltX0R}, title = {{10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan}}, date = {2019-10-24}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2019/10/24/apt28.html}, language = {English}, urldate = {2020-01-07} } @online{meltx0r:20200212:goblin:e79762e, author = {MeltX0R}, title = {{Goblin Panda APT: Recent infrastructure and RAT analysis}}, date = {2020-02-12}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html}, language = {English}, urldate = {2020-02-25} } @online{meltzer:20180607:patchwork:5b8d3c8, author = {Matthew Meltzer and Sean Koessel and Steven Adair}, title = {{Patchwork APT Group Targets US Think Tanks}}, date = {2018-06-07}, organization = {Volexity}, url = {https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/}, language = {English}, urldate = {2020-01-08} } @online{meltzer:20201216:sunburst:6866abc, author = {Josh Meltzer}, title = {{SUNBURST: SolarWinds Supply-Chain Attack}}, date = {2020-12-16}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/}, language = {English}, urldate = {2020-12-23} } @online{meltzer:20240110:active:bdabfa2, author = {Matthew Meltzer and Robert Jan Mora and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN}}, date = {2024-01-10}, organization = {Volexity}, url = {https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/}, language = {English}, urldate = {2024-04-23} } @online{menahem:20220301:dga:b23e7a1, author = {Elad Menahem}, title = {{The DGA Algorithm Used by Dealply and Bujo Campaigns}}, date = {2022-03-01}, organization = {Cato Networks}, url = {https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/}, language = {English}, urldate = {2023-04-25} } @online{mendona:20230216:mass:0c83118, author = {Raphael Mendonça}, title = {{Mass Attack buhtiRansom - CVE-2022–47986}}, date = {2023-02-16}, organization = {ThreatZero}, url = {https://blog.threatzero.io/buhtiransom-934b4ed3c3fd}, language = {English}, urldate = {2023-03-14} } @online{mendona:20230304:kl:7f80664, author = {Raphael Mendonça}, title = {{KL Remota -  Brazilian Malware Bank}}, date = {2023-03-04}, organization = {ThreatZero}, url = {https://blog.threatzero.io/kl-remota-brazilian-malware-bank-244ac569fb33}, language = {English}, urldate = {2023-03-13} } @online{mendona:20230613:snatch:7d6b9e2, author = {Raphael Mendonça}, title = {{Snatch Ransomware — Techniques and Procedures}}, date = {2023-06-13}, url = {https://raphaelmendonca.medium.com/snatch-ransomware-techniques-and-procedures-d025388b8aec}, language = {English}, urldate = {2023-06-19} } @online{mendrez:20090317:gheg:9c244e1, author = {Rodel Mendrez}, title = {{Gheg spambot}}, date = {2009-03-17}, organization = {Marshal8e6}, url = {https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp}, language = {English}, urldate = {2023-03-16} } @online{mendrez:20150923:quaverse:9d9d163, author = {Rodel Mendrez}, title = {{Quaverse RAT: Remote-Access-as-a-Service}}, date = {2015-09-23}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/}, language = {English}, urldate = {2020-01-06} } @online{mendrez:20160701:how:0434028, author = {Rodel Mendrez}, title = {{How I Cracked a Keylogger and Ended Up in Someone's Inbox}}, date = {2016-07-01}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/}, language = {English}, urldate = {2019-07-11} } @online{mendrez:20191220:undressing:1412c9a, author = {Rodel Mendrez}, title = {{Undressing the REvil}}, date = {2019-12-20}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/}, language = {English}, urldate = {2021-07-09} } @online{mendrez:20200622:pillowmint:c696f56, author = {Rodel Mendrez}, title = {{Pillowmint: FIN7’s Monkey Thief}}, date = {2020-06-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/}, language = {English}, urldate = {2020-06-24} } @online{mendrez:20210212:many:560778f, author = {Rodel Mendrez and Diana Lopera}, title = {{The Many Roads Leading To Agent Tesla}}, date = {2021-02-12}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/}, language = {English}, urldate = {2021-02-18} } @online{mendrez:20210707:diving:1c04c81, author = {Rodel Mendrez and Nikita Kazymirskyi}, title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}}, date = {2021-07-07}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/}, language = {English}, urldate = {2021-07-09} } @online{mendrez:20211015:blackbyte:22439d3, author = {Rodel Mendrez and Lloyd Macrohon}, title = {{BlackByte Ransomware – Pt 2. Code Obfuscation Analysis}}, date = {2021-10-15}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-2-code-obfuscation-analysis/}, language = {English}, urldate = {2021-11-03} } @online{mendrez:20211015:blackbyte:4dfd5aa, author = {Rodel Mendrez and Lloyd Macrohon}, title = {{BlackByte Ransomware – Pt. 1 In-depth Analysis}}, date = {2021-10-15}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/}, language = {English}, urldate = {2021-11-03} } @online{mendrez:20221208:trojanized:bd135b7, author = {Rodel Mendrez and Phil Hay and Diana Lopera}, title = {{Trojanized OneNote Document Leads to Formbook Malware}}, date = {2022-12-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/}, language = {English}, urldate = {2022-12-19} } @online{mendrez:20230810:gootloader:ec828a1, author = {Rodel Mendrez}, title = {{Gootloader: Why your Legal Document Search May End in Misery}}, date = {2023-08-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/}, language = {English}, urldate = {2023-08-11} } @techreport{menes:20200619:sodinokibi:7326035, author = {Jorge Barelles Menes and Pablo Cardós Marqués and Aaron Jornet Sales and Javier Muñoz Alcázar}, title = {{Sodinokibi Malware report}}, date = {2020-06-19}, institution = {Panda Security}, url = {https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf}, language = {English}, urldate = {2021-05-11} } @online{menn:20201218:exclusive:6d70b30, author = {Joseph Menn}, title = {{Exclusive: Microsoft breached in suspected Russian hack using SolarWinds - sources}}, date = {2020-12-18}, organization = {Reuters}, url = {https://www.reuters.com/article/uk-global-cyber-microsoft-exclusive-idUKKBN28R3BS}, language = {English}, urldate = {2020-12-18} } @online{menn:20210421:codecov:b1d07ab, author = {Joseph Menn and Raphael Satter}, title = {{Codecov hackers breached hundreds of restricted customer sites - sources}}, date = {2021-04-21}, organization = {Reuters}, url = {https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/}, language = {English}, urldate = {2021-04-28} } @online{menn:20211022:exclusive:f70f465, author = {Joseph Menn and Christopher Bing}, title = {{EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline}}, date = {2021-10-22}, organization = {Reuters}, url = {https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/}, language = {English}, urldate = {2021-10-26} } @online{mercado:20190822:asruex:9284e85, author = {Ian Mercado and Mhica Romero}, title = {{Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities}}, date = {2019-08-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/}, language = {English}, urldate = {2020-01-13} } @online{mercer:20170223:korean:3864abc, author = {Warren Mercer and Paul Rascagnères}, title = {{Korean MalDoc Drops Evil New Years Presents}}, date = {2017-02-23}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/02/korean-maldoc.html}, language = {English}, urldate = {2020-01-13} } @online{mercer:20170403:introducing:d17f359, author = {Warren Mercer and Paul Rascagnères and Matthew Molyett}, title = {{Introducing ROKRAT}}, date = {2017-04-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html}, language = {English}, urldate = {2020-01-09} } @online{mercer:20171022:cyber:b26ac86, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{“Cyber Conflict” Decoy Document Used In Real Cyber Conflict}}, date = {2017-10-22}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html}, language = {English}, urldate = {2020-01-07} } @online{mercer:20171128:rokrat:dec34fb, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{ROKRAT Reloaded}}, date = {2017-11-28}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html}, language = {English}, urldate = {2019-11-22} } @techreport{mercer:2017:introducing:04e2ff1, author = {Warren Mercer and Paul Rascagnères}, title = {{Introducing ROKRAT}}, date = {2017}, institution = {Cisco Talos}, url = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf}, language = {English}, urldate = {2019-12-20} } @online{mercer:20180116:korea:02f4c3c, author = {Warren Mercer and Paul Rascagnères}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-04-06} } @online{mercer:20180116:korea:f462331, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-01-06} } @online{mercer:20180212:olympic:f3f8f87, author = {Warren Mercer and Paul Rascagnères and Ben Baker and Matthew Molyett}, title = {{Olympic Destroyer Takes Aim At Winter Olympics}}, date = {2018-02-12}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2018/02/olympic-destroyer.html}, language = {English}, urldate = {2019-11-20} } @online{mercer:20180228:cannibalrat:ed06099, author = {Warren Mercer and Vitor Ventura}, title = {{CannibalRAT targets Brazil}}, date = {2018-02-28}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html}, language = {English}, urldate = {2020-01-06} } @online{mercer:20180402:fake:f803f5b, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura and Jungsoo An}, title = {{Fake AV Investigation Unearths KevDroid, New Android Malware}}, date = {2018-04-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html}, language = {English}, urldate = {2020-01-06} } @online{mercer:20180426:gravityrat:5e9a4bd, author = {Warren Mercer and Paul Rascagnères}, title = {{GravityRAT - The Two-Year Evolution Of An APT Targeting India}}, date = {2018-04-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html}, language = {English}, urldate = {2020-01-10} } @online{mercer:20180531:navrat:bf68765, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea}}, date = {2018-05-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/navrat.html?m=1}, language = {English}, urldate = {2020-01-08} } @online{mercer:20180620:my:9c08115, author = {Warren Mercer and Paul Rascagnères}, title = {{My Little FormBook}}, date = {2018-06-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/my-little-formbook.html}, language = {English}, urldate = {2020-01-06} } @online{mercer:20181127:dnspionage:7f0b0f3, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage Campaign Targets Middle East}}, date = {2018-11-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html}, language = {English}, urldate = {2020-05-18} } @online{mercer:20190204:exilerat:1f7c57c, author = {Warren Mercer and Paul Rascagnères and Jaeson Schultz}, title = {{ExileRAT shares C2 with LuckyCat, targets Tibet}}, date = {2019-02-04}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html}, language = {English}, urldate = {2020-01-07} } @online{mercer:20190313:glitchpos:a94f15c, author = {Warren Mercer and Paul Rascagnères and Ben Baker}, title = {{GlitchPOS: New PoS malware for sale}}, date = {2019-03-13}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html}, language = {English}, urldate = {2019-10-29} } @online{mercer:20190423:dnspionage:509e055, author = {Warren Mercer and Paul Rascagnères}, title = {{DNSpionage brings out the Karkoff}}, date = {2019-04-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html}, language = {English}, urldate = {2019-12-20} } @online{mercer:20190924:how:ac2b53e, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{How Tortoiseshell created a fake veteran hiring website to host malware}}, date = {2019-09-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html}, language = {English}, urldate = {2019-12-02} } @online{mercer:20191107:dns:cd6b2d9, author = {Warren Mercer and Paul Rascagnères}, title = {{DNS on FIre}}, date = {2019-11-07}, organization = {Virus Bulletin}, url = {https://www.youtube.com/watch?v=ws1k44ZhJ3g}, language = {English}, urldate = {2023-08-11} } @techreport{mercer:20191107:dns:fd516d8, author = {Warren Mercer and Paul Rascagnères}, title = {{DNS on Fire}}, date = {2019-11-07}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf}, language = {English}, urldate = {2023-08-11} } @online{mercer:20200116:jhonerat:b41f102, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura and Eric Kuhla}, title = {{JhoneRAT: Cloud based python RAT targeting Middle Eastern countries}}, date = {2020-01-16}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/01/jhonerat.html}, language = {English}, urldate = {2020-01-27} } @online{mercer:20200305:bisonal:7885944, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Bisonal: 10 years of play}}, date = {2020-03-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html}, language = {English}, urldate = {2020-03-05} } @online{mercer:20200416:poetrat:ab5659a, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors}}, date = {2020-04-16}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html}, language = {English}, urldate = {2020-05-05} } @online{mercer:20200519:wolf:8e65365, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{The wolf is back...}}, date = {2020-05-19}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html}, language = {English}, urldate = {2020-05-20} } @online{mercer:20200629:promethium:e80cd47, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PROMETHIUM extends global reach with StrongPity3 APT}}, date = {2020-06-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html}, language = {English}, urldate = {2020-06-30} } @online{mercer:20201006:poetrat:17f845e, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{PoetRAT: Malware targeting public and private sector in Azerbaijan evolves}}, date = {2020-10-06}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/10/poetrat-update.html}, language = {English}, urldate = {2020-10-07} } @online{mercer:20201029:donots:850f31b, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread}}, date = {2020-10-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/10/donot-firestarter.html}, language = {English}, urldate = {2023-07-24} } @online{mercer:20210209:kasablanka:63078fc, author = {Warren Mercer and Chris Neal and Vitor Ventura}, title = {{Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows}}, date = {2021-02-09}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html}, language = {English}, urldate = {2021-02-09} } @online{mercer:20210526:elizabethan:40a80e7, author = {Warren Mercer and Vitor Ventura}, title = {{Elizabethan England has nothing on modern-day Russia}}, date = {2021-05-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/privateer-groups.html}, language = {English}, urldate = {2021-06-16} } @techreport{mercs:20140127:cpl:3e3d5a8, author = {Fernando Mercês}, title = {{CPL Malware: Malicious Control Panel Items}}, date = {2014-01-27}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf}, language = {English}, urldate = {2021-11-19} } @online{mercs:20160905:pokmonthemed:6bf567c, author = {Fernando Mercês}, title = {{Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems}}, date = {2016-09-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/}, language = {English}, urldate = {2020-01-10} } @online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } @online{mercs:20200728:mirai:3538243, author = {Fernando Mercês}, title = {{Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902}}, date = {2020-07-28}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/}, language = {English}, urldate = {2020-07-30} } @online{mercs:20211015:ransomware:c944933, author = {Fernando Mercês}, title = {{Ransomware Operators Found Using New "Franchise" Business Model}}, date = {2021-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html}, language = {English}, urldate = {2021-10-24} } @online{mercs:20230713:detecting:41237c5, author = {Fernando Mercês}, title = {{Detecting BPFDoor Backdoor Variants Abusing BPF Filters}}, date = {2023-07-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html}, language = {English}, urldate = {2023-07-16} } @online{mercs:20241118:inside:fa49eb1, author = {Fernando Mercês and Feike Hacquebord}, title = {{Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices}}, date = {2024-11-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/pt_br/research/24/k/water-barghest.html}, language = {English}, urldate = {2024-11-25} } @online{mercs:20250414:bpfdoors:4375048, author = {Fernando Mercês}, title = {{BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets}}, date = {2025-04-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html}, language = {English}, urldate = {2025-04-14} } @online{merino:20200504:ragnarok:8c86924, author = {Borja Merino}, title = {{Ragnarok Stopper: development of a vaccine}}, date = {2020-05-04}, organization = {blackarrow}, url = {https://www.tarlogic.com/blog/ragnarok-malware-stopper-vaccine/}, language = {English}, urldate = {2023-10-09} } @online{merino:20201013:attackers:48848a5, author = {Borja Merino}, title = {{Attackers Abuse MobileIron’s RCE to deliver Kaiten}}, date = {2020-10-13}, organization = {blackarrow}, url = {https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/}, language = {English}, urldate = {2020-10-23} } @online{merino:20230918:hijackloader:e047216, author = {Borja Merino}, title = {{HijackLoader Targets Hotels: A Technical Analysis}}, date = {2023-09-18}, organization = {Alpine Security}, url = {https://alpine-sec.medium.com/hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3}, language = {English}, urldate = {2023-09-29} } @online{merriman:20191204:buer:6c413aa, author = {Kelsey Merriman and Dennis Schwarz and Kafeine and Axel F}, title = {{Buer, a new loader emerges in the underground marketplace}}, date = {2019-12-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace}, language = {English}, urldate = {2020-01-06} } @online{merriman:20210503:new:cd4d275, author = {Kelsey Merriman and Bryan Campbell and Selena Larson and Proofpoint Threat Research Team}, title = {{New Variant of Buer Loader Written in Rust}}, date = {2021-05-03}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust}, language = {English}, urldate = {2021-05-03} } @online{merriman:20220428:this:4b5ea2a, author = {Kelsey Merriman and Pim Trouerbach}, title = {{This isn't Optimus Prime's Bumblebee but it's Still Transforming}}, date = {2022-04-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming}, language = {English}, urldate = {2022-04-29} } @online{merriman:20230318:ta579:3af0e58, author = {Kelsey Merriman}, title = {{Tweet on TA579 distributing AresLoader via WeTransfer URLs}}, date = {2023-03-18}, organization = {Twitter (@k3dg3)}, url = {https://twitter.com/k3dg3/status/1636873721200746496}, language = {English}, urldate = {2023-04-14} } @online{merriman:20230731:out:7b1b646, author = {Kelsey Merriman and Pim Trouerbach}, title = {{Out of the Sandbox: WikiLoader Digs Sophisticated Evasion}}, date = {2023-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion}, language = {English}, urldate = {2023-08-08} } @online{merriman:20231212:security:31c3e35, author = {Kelsey Merriman and Selena Larson and Xavier Chambrier}, title = {{Security Brief: TA4557 Targets Recruiters Directly via Email}}, date = {2023-12-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email}, language = {English}, urldate = {2025-01-14} } @online{merritt:20141218:alina:5e41e7c, author = {Eric Merritt}, title = {{Alina POS malware 'sparks' off a new variant}}, date = {2014-12-18}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/}, language = {English}, urldate = {2020-01-09} } @online{merritt:20150415:new:ed6921d, author = {Eric Merritt}, title = {{New POS Malware Emerges - Punkey}}, date = {2015-04-15}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/}, language = {English}, urldate = {2020-01-08} } @online{merritt:20151116:shining:5fb21ce, author = {Eric Merritt}, title = {{Shining the Spotlight on Cherry Picker PoS Malware}}, date = {2015-11-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/}, language = {English}, urldate = {2020-01-08} } @online{merritt:20151117:new:c3bb63a, author = {Eric Merritt}, title = {{New Memory Scraping Technique in Cherry Picker PoS Malware}}, date = {2015-11-17}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/}, language = {English}, urldate = {2020-01-13} } @online{mertens:20170708:vbscript:e2baa5d, author = {Xavier Mertens}, title = {{A VBScript with Obfuscated Base64 Data}}, date = {2017-07-08}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/22590}, language = {English}, urldate = {2020-01-13} } @online{mertens:20180519:malicious:85c0a91, author = {Xavier Mertens}, title = {{Malicious Powershell Targeting UK Bank Customers}}, date = {2018-05-19}, url = {https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/}, language = {English}, urldate = {2020-01-13} } @online{mertens:20200523:agenttesla:eba0b0c, author = {Xavier Mertens}, title = {{AgentTesla Delivered via a Malicious PowerPoint Add-In}}, date = {2020-05-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/}, language = {English}, urldate = {2020-05-27} } @online{mertens:20200714:simple:13f2a87, author = {Xavier Mertens}, title = {{Simple DGA Spotted in a Malicious PowerShell}}, date = {2020-07-14}, organization = {blog.rootshell.be}, url = {https://blog.rootshell.be/2020/07/14/simple-dga-spotted-in-a-malicious-powershell/}, language = {English}, urldate = {2025-06-05} } @online{mertens:20201119:powershell:72b44bf, author = {Xavier Mertens}, title = {{PowerShell Dropper Delivering Formbook}}, date = {2020-11-19}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/diary/26806}, language = {English}, urldate = {2020-11-19} } @online{mertens:20201224:malicious:df6eb1a, author = {Xavier Mertens}, title = {{Malicious Word Document Delivering an Octopus Backdoor}}, date = {2020-12-24}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26918}, language = {English}, urldate = {2021-01-04} } @online{mertens:20210121:powershell:904be1b, author = {Xavier Mertens}, title = {{Powershell Dropping a REvil Ransomware}}, date = {2021-01-21}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27012}, language = {English}, urldate = {2021-01-21} } @online{mertens:20210122:another:340e841, author = {Xavier Mertens}, title = {{Another File Extension to Block in your MTA: .jnlp}}, date = {2021-01-22}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Another+File+Extension+to+Block+in+your+MTA+jnlp/27018/}, language = {English}, urldate = {2021-01-25} } @online{mertens:20210212:agenttesla:228400f, author = {Xavier Mertens}, title = {{AgentTesla Dropped Through Automatic Click in Microsoft Help File}}, date = {2021-02-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27092}, language = {English}, urldate = {2021-02-18} } @online{mertens:20210329:jumping:1da0c41, author = {Xavier Mertens}, title = {{Jumping into Shellcode}}, date = {2021-03-29}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Jumping+into+Shellcode/27256/}, language = {English}, urldate = {2021-03-31} } @online{mertens:20210331:quick:56fcc20, author = {Xavier Mertens}, title = {{Quick Analysis of a Modular InfoStealer}}, date = {2021-03-31}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27264}, language = {English}, urldate = {2021-03-31} } @online{mertens:20210724:agenttesla:2876aef, author = {Xavier Mertens}, title = {{Agent.Tesla Dropped via a .daa Image and Talking to Telegram}}, date = {2021-07-24}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27666}, language = {English}, urldate = {2021-07-26} } @online{mertens:20220120:redline:87c27db, author = {Xavier Mertens}, title = {{RedLine Stealer Delivered Through FTP}}, date = {2022-01-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/}, language = {English}, urldate = {2022-01-24} } @online{mertens:20220120:sans:bc9b319, author = {Xavier Mertens}, title = {{[SANS ISC] RedLine Stealer Delivered Through FTP}}, date = {2022-01-20}, organization = {blog.rootshell.be}, url = {https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/}, language = {English}, urldate = {2022-02-01} } @online{mertens:20220211:sans:7273063, author = {Xavier Mertens}, title = {{[SANS ISC] CinaRAT Delivered Through HTML ID Attributes}}, date = {2022-02-11}, organization = {blog.rootshell.be}, url = {https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/}, language = {English}, urldate = {2022-02-14} } @online{mertens:20220218:remcos:c302a64, author = {Xavier Mertens}, title = {{Remcos RAT Delivered Through Double Compressed Archive}}, date = {2022-02-18}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/}, language = {English}, urldate = {2022-02-18} } @online{mertens:20220325:xlsb:21fdeaf, author = {Xavier Mertens}, title = {{XLSB Files: Because Binary is Stealthier Than XML}}, date = {2022-03-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/}, language = {English}, urldate = {2022-03-25} } @online{mertens:20220425:simple:cf5a852, author = {Xavier Mertens}, title = {{Simple PDF Linking to Malicious Content}}, date = {2022-04-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Simple+PDF+Linking+to+Malicious+Content/28582/}, language = {English}, urldate = {2022-04-25} } @online{mertens:20220509:octopus:e3787d9, author = {Xavier Mertens}, title = {{Octopus Backdoor is Back with a New Embedded Obfuscated Bat File}}, date = {2022-05-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28628}, language = {English}, urldate = {2022-05-17} } @online{mertens:20220520:zip:eb3e2f6, author = {Xavier Mertens}, title = {{A 'Zip Bomb' to Bypass Security Controls & Sandboxes}}, date = {2022-05-20}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/}, language = {English}, urldate = {2022-05-25} } @online{mertens:20220616:houdini:1d61640, author = {Xavier Mertens}, title = {{Houdini is Back Delivered Through a JavaScript Dropper}}, date = {2022-06-16}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/}, language = {English}, urldate = {2022-06-17} } @online{mertens:20221007:powershell:9c2a18b, author = {Xavier Mertens}, title = {{Powershell Backdoor with DGA Capability}}, date = {2022-10-07}, organization = {ISC}, url = {https://isc.sans.edu/diary/Powershell+Backdoor+with+DGA+Capability/29122}, language = {English}, urldate = {2025-06-05} } @online{mertens:20231101:malware:c5ceeb2, author = {Xavier Mertens}, title = {{Malware Dropped Through a ZPAQ Archive}}, date = {2023-11-01}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Malware+Dropped+Through+a+ZPAQ+Archive/30366/}, language = {English}, urldate = {2023-11-13} } @online{mertens:20250103:swaetrat:3733954, author = {Xavier Mertens}, title = {{SwaetRAT Delivery Through Python}}, date = {2025-01-03}, organization = {SANS ISC}, url = {https://dshield.org/diary/SwaetRAT+Delivery+Through+Python/31554/}, language = {English}, urldate = {2025-01-07} } @online{mesa:20160510:setting:2b54ce3, author = {Matthew Mesa and Darien Huss}, title = {{Setting Sights On Retail: AbaddonPOS Now Targeting Specific POS Software}}, date = {2016-05-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software}, language = {English}, urldate = {2019-12-20} } @online{mesa:20170601:microsoft:77dd3ab, author = {Matthew Mesa and Axel F and Pierre T and Travis Green}, title = {{Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions}}, date = {2017-06-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target}, language = {English}, urldate = {2019-12-20} } @online{mesa:20170731:fin7carbanak:2eef6f2, author = {Matthew Mesa and Darien Huss}, title = {{FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor}}, date = {2017-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor}, language = {English}, urldate = {2019-12-20} } @online{mesa:20180830:psix:18563f6, author = {Matthew Mesa}, title = {{Tweet on PsiX}}, date = {2018-08-30}, organization = {Twitter (@mesa_matt)}, url = {https://twitter.com/mesa_matt/status/1035211747957923840}, language = {English}, urldate = {2019-12-06} } @online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} } @online{meskauskas:20201029:egregor:786d487, author = {Tomas Meskauskas}, title = {{Egregor: Sekhmet’s Cousin}}, date = {2020-10-29}, organization = {Security Boulevard}, url = {https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/}, language = {English}, urldate = {2020-10-29} } @online{meskauskas:20210810:pcrisk:839582a, author = {Tomas Meskauskas}, title = {{PCRisk description for Shurk Steal}}, date = {2021-08-10}, organization = {PCrisk}, url = {https://www.pcrisk.com/removal-guides/21513-shurk-steal-malware}, language = {English}, urldate = {2024-04-03} } @online{meskauskas:20210916:harma:9d6fa81, author = {Tomas Meskauskas}, title = {{.harma (Ouroboros) ransomware from the operating system}}, date = {2021-09-16}, organization = {PCrisk}, url = {https://www.pcrisk.com/removal-guides/16844-harma-ouroboros-ransomware}, language = {English}, urldate = {2023-05-10} } @online{meskauskas:20240205:how:5bd83fd, author = {Tomas Meskauskas}, title = {{How to remove CrackedCantil from the operating system}}, date = {2024-02-05}, organization = {PCrisk}, url = {https://www.pcrisk.com/removal-guides/28989-crackedcantil-malware}, language = {English}, urldate = {2024-02-05} } @online{meskauskas:20240318:force:66b8269, author = {Tomas Meskauskas}, title = {{FORCE (.FORCE) ransomware virus – removal and decryption options}}, date = {2024-03-18}, organization = {PCrisk}, url = {https://www.pcrisk.com/removal-guides/29391-force-ransomware}, language = {English}, urldate = {2024-03-25} } @techreport{meslay:20240605:reverse:16c975b, author = {Charles Meslay}, title = {{The reverse engineering of malicious code in the ITC - Analysis of the evolution of a chain of infection (Slides)}}, date = {2024-06-05}, institution = {Sekoia}, url = {https://www.sstic.org/media/SSTIC2024/SSTIC-actes/la_retro-ingnierie_de_code_malveillant_dans_la_cti/SSTIC2024-Slides-la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection-meslay.pdf}, language = {French}, urldate = {2024-06-24} } @online{meslay:20240605:reverse:d073031, author = {Charles Meslay}, title = {{Reverse engineering of malicious code in CTI - Analysis of the evolution of an infection chain (Video)}}, date = {2024-06-05}, organization = {SSTIC}, url = {https://static.sstic.org/videos2024/1080p/la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection.mp4}, language = {French}, urldate = {2024-06-24} } @techreport{meslay:20240605:reverse:d6b0229, author = {Charles Meslay}, title = {{Reverse engineering of malicious code in CTI - Analysis of the evolution of an infection chain (Paper)}}, date = {2024-06-05}, institution = {Sekoia}, url = {https://www.sstic.org/media/SSTIC2024/SSTIC-actes/la_retro-ingnierie_de_code_malveillant_dans_la_cti/SSTIC2024-Article-la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection-meslay.pdf}, language = {French}, urldate = {2024-06-24} } @online{messer:20240313:leslieloader:98dd9e2, author = {Marc Messer}, title = {{LESLIELOADER – Undocumented Loader Observed}}, date = {2024-03-13}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/leslieloader-undocumented-loader-observed}, language = {Endlish}, urldate = {2025-01-23} } @techreport{meta:20211101:october:a25f241, author = {META}, title = {{October 2021 Coordinated Inauthentic Behavior Report}}, date = {2021-11-01}, institution = {META}, url = {https://about.fb.com/wp-content/uploads/2021/11/October-2021-CIB-Report.pdf}, language = {English}, urldate = {2021-11-03} } @online{meta:20220226:metas:b01fa9a, author = {META}, title = {{Meta’s Ongoing Efforts Regarding Russia’s Invasion of Ukraine}}, date = {2022-02-26}, organization = {META}, url = {https://about.fb.com/news/2022/02/metas-ongoing-efforts-regarding-russias-invasion-of-ukraine/}, language = {English}, urldate = {2022-03-02} } @techreport{meta:202204:adversarial:92d4268, author = {META}, title = {{Adversarial Threat Report}}, date = {2022-04}, institution = {}, url = {https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf}, language = {English}, urldate = {2022-04-12} } @online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2022-03-02} } @online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2022-03-02} } @online{metaswan:20200304:kimsuky:86badd0, author = {MetaSwan}, title = {{Kimsuky group's resume impersonation malware}}, date = {2020-03-04}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware}, language = {English}, urldate = {2020-03-06} } @online{metzger:20170523:ocean:55fb4cf, author = {Max Metzger}, title = {{Ocean Lotus Group/APT 32 identified as Vietnamese APT group}}, date = {2017-05-23}, organization = {SC Magazine UK}, url = {https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/}, language = {English}, urldate = {2019-12-18} } @online{meurer:20180815:necurs:cfffc46, author = {Jason Meurer and Darrel Rendell}, title = {{Necurs Targeting Banks with PUB File that Drops FlawedAmmyy}}, date = {2018-08-15}, organization = {Cofense}, url = {https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/}, language = {English}, urldate = {2020-01-08} } @online{meurer:20200611:all:cc2e167, author = {Jason Meurer}, title = {{All You Need Is Text: Second Wave}}, date = {2020-06-11}, organization = {Cofense}, url = {https://cofenselabs.com/all-you-need-is-text-second-wave/}, language = {English}, urldate = {2020-06-12} } @online{meyers:20130322:who:2309c24, author = {Adam Meyers}, title = {{Who is Anchor Panda}}, date = {2013-03-22}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/whois-anchor-panda/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20130329:whois:2abbd69, author = {Adam Meyers}, title = {{Whois Numbered Panda}}, date = {2013-03-29}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/whois-numbered-panda/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20130404:who:f1b0932, author = {Adam Meyers}, title = {{Who is Clever Kitten}}, date = {2013-04-04}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/whois-clever-kitten/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20130412:who:920beea, author = {Adam Meyers}, title = {{Who is Samurai Panda}}, date = {2013-04-12}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/whois-samurai-panda/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20131016:crowdcasts:e7d1620, author = {Adam Meyers}, title = {{CrowdCasts Monthly: You Have an Adversary Problem}}, date = {2013-10-16}, organization = {CrowdStrike}, url = {http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem}, language = {English}, urldate = {2020-01-09} } @online{meyers:20131106:viceroy:9e41682, author = {Adam Meyers}, title = {{VICEROY TIGER Delivers New Zero-Day Exploit}}, date = {2013-11-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/viceroy-tiger-delivers-new-zero-day-exploit/index.html}, language = {English}, urldate = {2022-03-16} } @online{meyers:20160801:crowdstrikes:9926803, author = {Adam Meyers}, title = {{CrowdStrike’s New Methodology for Tracking eCrime}}, date = {2016-08-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ecrime-ecosystem/}, language = {English}, urldate = {2021-05-31} } @online{meyers:20180208:meet:39f25b3, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER}}, date = {2018-02-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20180518:meet:79af163, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for May: MYTHIC LEOPARD}}, date = {2018-05-18}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20180615:meet:475521f, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA}}, date = {2018-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20180726:meet:af48096, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for July: WICKED SPIDER}}, date = {2018-07-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20180829:meet:ceb250f, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for August: GOBLIN PANDA}}, date = {2018-08-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20180928:meet:3f0bdcc, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for September: COBALT SPIDER}}, date = {2018-09-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20181026:meet:e967dbc, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for October: DUNGEON SPIDER}}, date = {2018-10-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-october-dungeon-spider/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20181127:meet:d6b13f0, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN}}, date = {2018-11-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/}, language = {English}, urldate = {2019-12-20} } @online{meyers:20210706:evolution:7d985ff, author = {Adam Meyers}, title = {{The Evolution of PINCHY SPIDER from GandCrab to REvil}}, date = {2021-07-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/}, language = {English}, urldate = {2021-07-19} } @online{mez0:20201201:cobalt:38336ed, author = {mez0}, title = {{Cobalt Strike PowerShell Execution}}, date = {2020-12-01}, organization = {mez0.cc}, url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/}, language = {English}, urldate = {2020-12-14} } @online{mezo:20230526:moneybird:04fd991, author = {Mezo}, title = {{Moneybird Ransomware}}, date = {2023-05-26}, organization = {enigmasoft}, url = {https://www.enigmasoftware.com/moneybirdransomware-removal/}, language = {English}, urldate = {2024-02-08} } @online{mezo:20240415:cve20243400:d7e442c, author = {Mezo}, title = {{CVE-2024-3400 Vulnerability}}, date = {2024-04-15}, organization = {enigmasoft}, url = {https://www.enigmasoftware.com/cve20243400vulnerability-removal/}, language = {English}, urldate = {2025-05-02} } @online{mezo:20240416:fuxnet:49b482f, author = {Mezo}, title = {{Fuxnet ICS Malware}}, date = {2024-04-16}, organization = {enigmasoft}, url = {https://www.enigmasoftware.com/fuxneticsmalware-removal/}, language = {English}, urldate = {2025-05-02} } @online{mh:20250605:analysis:74609db, author = {mh}, title = {{Analysis of Spyware That Helped to Compromise a Syrian Army from Within}}, date = {2025-06-05}, organization = {Mobile-Hacker}, url = {https://www.mobile-hacker.com/2025/06/05/analysis-of-spyware-that-helped-to-compromise-a-syrian-army-from-within/#google_vignette}, language = {English}, urldate = {2025-06-05} } @online{mhr:20141112:strela:4645786, author = {Golo Mühr and Joe Fasulo and Charlotte Hammond}, title = {{Strela Stealer: Today’s invoice is tomorrow’s phish}}, date = {2014-11-12}, organization = {IBM X-Force}, url = {https://www.ibm.com/think/x-force/strela-stealer-todays-invoice-tomorrows-phish}, language = {English}, urldate = {2025-05-21} } @online{mhr:20231106:gootbot:e37a082, author = {Golo Mühr and Ole Villadsen}, title = {{GootBot – Gootloader’s new approach to post-exploitation}}, date = {2023-11-06}, organization = {Security Intelligence}, url = {https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/}, language = {English}, urldate = {2023-11-27} } @online{mhr:20231208:itg05:696ef5b, author = {Golo Mühr and Claire Zaboeva and Joe Fasulo}, title = {{ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware}}, date = {2023-12-08}, organization = {Security Intelligence}, url = {https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/}, language = {English}, urldate = {2023-12-12} } @online{mhr:20240516:grandoreiro:1dbb7e6, author = {Golo Mühr and Melissa Frydrych}, title = {{Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns}}, date = {2024-05-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/}, language = {English}, urldate = {2024-06-04} } @online{mhr:20240726:hive0137:8ada9f8, author = {Golo Mühr and Joe Fasulo}, title = {{Hive0137 and AI-supplemented malware distribution}}, date = {2024-07-26}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/x-force/hive0137-on-ai-journey/}, language = {English}, urldate = {2024-08-29} } @online{mhr:20250325:ibm:34e2f72, author = {Golo Mühr}, title = {{IBM X-Force discovers new Sheriff Backdoor used to target Ukraine}}, date = {2025-03-25}, organization = {IBM X-Force}, url = {https://www.ibm.com/think/news/x-force-discovers-new-sheriff-backdoor-target-ukraine}, language = {English}, urldate = {2025-04-10} } @online{mi:20140402:tofsee:ad7e66f, author = {Ryan Mi}, title = {{Tofsee botnet}}, date = {2014-04-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet}, language = {English}, urldate = {2023-02-27} } @online{michael:20200506:039:49d4744, author = {Melissa Michael and Artturi Lehtiö}, title = {{039| Deconstructing the Dukes: A Researcher’s Retrospective of APT29}}, date = {2020-05-06}, organization = {F-Secure Labs}, url = {https://blog.f-secure.com/podcast-dukes-apt29/}, language = {English}, urldate = {2020-07-06} } @online{michel:20180328:dissecting:ee6a118, author = {Robert Michel}, title = {{Dissecting Olympic Destroyer – a walk-through}}, date = {2018-03-28}, url = {https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/}, language = {English}, urldate = {2019-12-06} } @techreport{michel:20220328:forging:9860016, author = {Georges-Bastien Michel}, title = {{Forging golden hammer against Android software protection tools - A deep dive inside anti-reverse & universal bypass with Frida}}, date = {2022-03-28}, institution = {InsomniHack 2022}, url = {https://raw.githubusercontent.com/FrenchYeti/unrasp/main/Slides/Forging_golden_hammer_against_android_app_protections_INSO22_FINAL.pdf}, language = {English}, urldate = {2022-09-20} } @online{micro:20121013:wormemudbotjp:d857ae4, author = {Trend Micro}, title = {{WORM_EMUDBOT.JP}}, date = {2012-10-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp}, language = {English}, urldate = {2020-08-13} } @online{micro:20121129:whats:f711a5b, author = {Trend Micro}, title = {{What’s the Fuss with WORM_VOBFUS?}}, date = {2012-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/}, language = {English}, urldate = {2020-01-09} } @online{micro:20141208:hack:6a3ba20, author = {Trend Micro}, title = {{The Hack of Sony Pictures: What We Know and What You Need to Know}}, date = {2014-12-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know}, language = {English}, urldate = {2020-01-08} } @online{micro:20141211:evolution:3236919, author = {Trend Micro}, title = {{The Evolution of Point-of-Sale (PoS) Malware}}, date = {2014-12-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware}, language = {English}, urldate = {2020-01-06} } @online{micro:20150319:rocket:3046dd1, author = {Trend Micro}, title = {{Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign}}, date = {2015-03-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing}, language = {English}, urldate = {2020-01-06} } @online{micro:20150412:simda:162eaad, author = {Trend Micro}, title = {{SIMDA: A Botnet Takedown}}, date = {2015-04-12}, organization = {Trend Micro}, url = {https://web.archive.org/web/20150619155915/https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/}, language = {English}, urldate = {2025-02-10} } @online{micro:20160615:unsupported:bb47ff7, author = {Trend Micro}, title = {{Unsupported TeamViewer Versions Exploited For Backdoors, Keylogging}}, date = {2016-06-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging}, language = {English}, urldate = {2020-07-15} } @techreport{micro:20161004:fastpos:0542130, author = {Trend Micro}, title = {{FastPOS Updates in Time for the Retail Sale Season (Appendix)}}, date = {2016-10-04}, institution = {Trend Micro}, url = {http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf}, language = {English}, urldate = {2020-01-09} } @online{micro:20170110:ransomware:795b337, author = {Trend Micro}, title = {{Ransomware Recap: Dec. 19 - Dec. 31, 2016}}, date = {2017-01-10}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016}, language = {English}, urldate = {2020-01-06} } @online{micro:20170202:ransomware:00fe853, author = {Trend Micro}, title = {{Ransomware Recap: January 14 - 29, 2017}}, date = {2017-02-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017}, language = {English}, urldate = {2022-11-18} } @online{micro:20170817:hbo:dc8cfa0, author = {Trend Micro}, title = {{HBO Twitter and Facebook Accounts Hacked by OurMine}}, date = {2017-08-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hbo-twitter-and-facebook-accounts-hacked-by-ourmine}, language = {English}, urldate = {2019-10-23} } @online{micro:20170821:cyberespionage:db82222, author = {Trend Micro}, title = {{Cyberespionage Group Turla Deploys Backdoor Ahead of G20 Task Force Summit}}, date = {2017-08-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit}, language = {English}, urldate = {2019-11-29} } @online{micro:20170920:red:40a3bad, author = {Trend Micro}, title = {{Red Alert 2.0 Android Trojan Spreads Via Third Party App Stores}}, date = {2017-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores}, language = {English}, urldate = {2020-01-08} } @online{micro:20180208:shurl0ckr:d7067fc, author = {Trend Micro}, title = {{ShurL0ckr Ransomware as a Service Peddled on Dark Web, can Reportedly Bypass Cloud Applications}}, date = {2018-02-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications}, language = {English}, urldate = {2020-01-13} } @online{micro:20180420:xloader:e46474f, author = {Trend Micro}, title = {{XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing}}, date = {2018-04-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html}, language = {English}, urldate = {2021-07-07} } @online{micro:20181116:exploring:be1e153, author = {Trend Micro}, title = {{Exploring Emotet: Examining Emotet’s Activities, Infrastructure}}, date = {2018-11-16}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/}, language = {English}, urldate = {2020-01-12} } @online{micro:20190118:spotted:94d5c03, author = {Trend Micro}, title = {{Spotted: JobCrypter Ransomware Variant With New Encryption Routines, Captures Desktop Screenshots}}, date = {2019-01-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots}, language = {English}, urldate = {2021-06-16} } @online{micro:20190212:trickbot:73576ba, author = {Trend Micro}, title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}}, date = {2019-02-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/}, language = {English}, urldate = {2020-01-12} } @techreport{micro:20190704:latest:dd6099a, author = {Trend Micro}, title = {{Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi}}, date = {2019-07-04}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf}, language = {English}, urldate = {2020-01-13} } @online{micro:20200323:nefilim:aaca451, author = {Trend Micro}, title = {{Nefilim Ransomware Threatens to Expose Stolen Data}}, date = {2020-03-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data}, language = {English}, urldate = {2020-06-22} } @online{micro:20200427:behind:da9ae72, author = {Trend Micro}, title = {{Group Behind TrickBot Spreads Fileless BazarBackdoor}}, date = {2020-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor}, language = {English}, urldate = {2020-05-02} } @online{micro:20200708:new:ee4cbf8, author = {Trend Micro}, title = {{New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173}}, date = {2020-07-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/}, language = {English}, urldate = {2020-07-13} } @online{micro:20200813:lemon:d025023, author = {Trend Micro}, title = {{Lemon Duck Cryptocurrency-mining Malware Information}}, date = {2020-08-13}, url = {https://success.trendmicro.com/solution/000261916}, language = {English}, urldate = {2022-02-14} } @online{micro:20200918:us:7900e6a, author = {Trend Micro}, title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}}, date = {2020-09-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html}, language = {English}, urldate = {2020-09-23} } @online{micro:20201215:overview:70fc66a, author = {Trend Micro}, title = {{Overview of Recent Sunburst Targeted Attacks}}, date = {2020-12-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html}, language = {English}, urldate = {2020-12-16} } @online{micro:20210129:chopper:6dfb7c6, author = {Trend Micro}, title = {{Chopper ASPX web shell used in targeted attack}}, date = {2021-01-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html}, language = {English}, urldate = {2021-02-02} } @online{micro:20210326:alleged:ce2115c, author = {Trend Micro}, title = {{Alleged Members of Egregor Ransomware Cartel Arrested}}, date = {2021-03-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html}, language = {English}, urldate = {2021-04-28} } @online{micro:20210420:carbanak:87a72d6, author = {Trend Micro}, title = {{Carbanak and FIN7 Attack Techniques}}, date = {2021-04-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/carbanak-and-fin7-attack-techniques.html}, language = {English}, urldate = {2021-04-28} } @online{micro:20210628:nefilim:1a904b2, author = {Trend Micro}, title = {{Nefilim Ransomware Attack Through a MITRE Att&ck Lens}}, date = {2021-06-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html}, language = {English}, urldate = {2021-07-05} } @online{micro:20210909:remote:17382af, author = {Trend Micro}, title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}}, date = {2021-09-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html}, language = {English}, urldate = {2023-04-06} } @online{micro:20210929:zloader:606c2c8, author = {Trend Micro}, title = {{Zloader Campaigns at a Glance (IOCs)}}, date = {2021-09-29}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt}, language = {English}, urldate = {2021-10-20} } @online{micro:20210929:zloader:fb242b9, author = {Trend Micro}, title = {{Zloader Campaigns at a Glance}}, date = {2021-09-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance}, language = {English}, urldate = {2021-10-19} } @online{micro:20211116:global:5b996d3, author = {Trend Micro}, title = {{Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels}}, date = {2021-11-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html}, language = {English}, urldate = {2021-11-18} } @online{micro:20211201:ransomware:8af82b0, author = {Trend Micro}, title = {{Ransomware Spotlight: Conti}}, date = {2021-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti}, language = {English}, urldate = {2022-03-02} } @online{micro:20220124:investigating:5e9386a, author = {Trend Micro}, title = {{Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal}}, date = {2022-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html}, language = {English}, urldate = {2022-01-25} } @techreport{micro:20220124:investigating:7727327, author = {Trend Micro}, title = {{Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal}}, date = {2022-01-24}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf}, language = {English}, urldate = {2022-01-25} } @online{micro:20220124:investigating:a7e6049, author = {Trend Micro}, title = {{Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal (IOCs)}}, date = {2022-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf}, language = {English}, urldate = {2022-01-25} } @online{micro:20220125:tianyspy:344c003, author = {Trend Micro}, title = {{TianySpy Malware Uses Smishing Disguised as Message From Telco}}, date = {2022-01-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html}, language = {English}, urldate = {2022-01-28} } @online{micro:20220606:closing:7414aab, author = {Trend Micro}, title = {{Closing the Door: DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme}}, date = {2022-06-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html}, language = {English}, urldate = {2022-06-09} } @online{micro:20220824:looking:d8aa41d, author = {Trend Micro}, title = {{Looking into the Void - Targeting Bulletproof Hosts to Block Attacks Early in the Kill Chain}}, date = {2022-08-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/no/security/news/cybercrime-and-digital-threats/looking-into-the-void-probing-a-top-bulletproof-hosting-service}, language = {English}, urldate = {2022-08-30} } @online{micro:20220901:ransomware:8eda6e4, author = {Trend Micro}, title = {{Ransomware Spotlight Black Basta}}, date = {2022-09-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta}, language = {English}, urldate = {2022-09-19} } @online{micro:20230203:tgtoxic:a238924, author = {Trend Micro}, title = {{TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users}}, date = {2023-02-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html}, language = {English}, urldate = {2025-02-28} } @online{micro:20230531:investigating:77b7e51, author = {Trend Micro and Katherine Casona and Ivan Nicole Chavez and Ieriz Nicolle Gonzalez and Jeffrey Francis Bonaobra}, title = {{Investigating BlackSuit Ransomware’s Similarities to Royal}}, date = {2023-05-31}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html}, language = {English}, urldate = {2023-06-05} } @online{micro:20241119:spot:f6846fa, author = {Trend Micro}, title = {{Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella}}, date = {2024-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html}, language = {English}, urldate = {2025-02-19} } @online{microsoft:20110308:wormwin32yimfocaa:d2c4ecc, author = {Microsoft}, title = {{Worm:Win32/Yimfoca.A}}, date = {2011-03-08}, organization = {Microsoft Security Intelligence}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A}, language = {English}, urldate = {2019-12-17} } @techreport{microsoft:20151120:microsoft:d41c5ad, author = {Microsoft}, title = {{Microsoft Security Intelligence Report Volume 19}}, date = {2015-11-20}, institution = {Microsoft}, url = {http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf}, language = {English}, urldate = {2020-01-13} } @online{microsoft:20170915:trojanspywin32usteal:a2a860e, author = {Microsoft}, title = {{TrojanSpy:Win32/Usteal}}, date = {2017-09-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal}, language = {English}, urldate = {2020-01-08} } @online{microsoft:20170915:trojanwin32enviserva:6ea9ea7, author = {Microsoft}, title = {{Trojan:Win32/Enviserv.A}}, date = {2017-09-15}, organization = {Microsoft Security Intelligence}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Enviserv.A}, language = {English}, urldate = {2020-07-03} } @online{microsoft:20170915:trojanwin32spyeye:c1c6062, author = {Microsoft}, title = {{Trojan:Win32/Spyeye}}, date = {2017-09-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye}, language = {English}, urldate = {2019-11-24} } @online{microsoft:20190121:hacktoolwin32remoteadmin:b0c34fd, author = {Microsoft}, title = {{HackTool:Win32/RemoteAdmin}}, date = {2019-01-21}, organization = {Microsoft Security Intelligence}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=hacktool:win32/remoteadmin&ThreatID=2147731874}, language = {English}, urldate = {2020-05-18} } @online{microsoft:20190410:analysis:b4bc793, author = {Microsoft}, title = {{Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability}}, date = {2019-04-10}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/}, language = {English}, urldate = {2023-09-12} } @techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } @techreport{microsoft:20201221:case:eb6d265, author = {Microsoft and Google and Cisco and Github and LinkedIn and VMWare and Internet Association and WhatsApp}, title = {{Case: 20-16408: WhatsApp et al. vs NSO Group}}, date = {2020-12-21}, institution = {US Court of Appeals for the Ninth Court}, url = {https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2020/12/NSO-v.-WhatsApp-Amicus-Brief-Microsoft-et-al.-as-filed.pdf}, language = {English}, urldate = {2020-12-23} } @online{microsoft:20210128:microsoft:9c8f303, author = {Microsoft}, title = {{Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender}}, date = {2021-01-28}, organization = {YouTube (Microsoft Security Community)}, url = {https://www.youtube.com/watch?v=-Vsgmw2G4Wo}, language = {English}, urldate = {2021-03-19} } @techreport{microsoft:20210209:3:b3e5b24, author = {Microsoft}, title = {{3 Ways to Mitigate Risk When Using Private Package Feeds}}, date = {2021-02-09}, institution = {Microsoft}, url = {https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf}, language = {English}, urldate = {2021-02-10} } @online{microsoft:20210225:codeql:a43a525, author = {Microsoft}, title = {{CodeQL queries to hunt for Solorigate activity}}, date = {2021-02-25}, organization = {Microsoft}, url = {https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign}, language = {English}, urldate = {2021-02-25} } @online{microsoft:20210301:detect:330c71c, author = {Microsoft}, title = {{Detect and defend against the recent nation-state cyber attack}}, date = {2021-03-01}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance}, language = {English}, urldate = {2021-03-04} } @online{microsoft:20210302:microsoft365defenderhuntingqueries:dcc8507, author = {Microsoft}, title = {{Microsoft-365-Defender-Hunting-Queries for hunting Gootkit malware delivery and C2}}, date = {2021-03-02}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md}, language = {English}, urldate = {2021-03-04} } @online{microsoft:20210306:security:7dca242, author = {Microsoft}, title = {{Security scripts}}, date = {2021-03-06}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/CSS-Exchange/tree/main/Security}, language = {English}, urldate = {2021-03-10} } @online{microsoft:20210318:how:2acd7e5, author = {Microsoft}, title = {{How to protect against Microsoft Exchange Server}}, date = {2021-03-18}, organization = {YouTube (Microsoft Security)}, url = {https://www.youtube.com/playlist?list=PL3ZTgFEc7Lytavbz30fR2J8qQYVGW83me}, language = {English}, urldate = {2021-03-19} } @online{microsoft:20210507:human:7ec8b2e, author = {Microsoft}, title = {{Human operated ransomware}}, date = {2021-05-07}, organization = {Microsoft}, url = {https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware}, language = {English}, urldate = {2021-06-01} } @online{microsoft:20210512:incident:deaeb30, author = {Microsoft}, title = {{Incident response playbooks}}, date = {2021-05-12}, organization = {Microsoft}, url = {https://docs.microsoft.com/en-us/security/compass/incident-response-playbooks}, language = {English}, urldate = {2021-05-25} } @online{microsoft:20210520:microsoft:41112d3, author = {Microsoft}, title = {{Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares}}, date = {2021-05-20}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries}, language = {English}, urldate = {2021-05-25} } @online{microsoft:20211007:microsoft:793e473, author = {Microsoft}, title = {{Microsoft Digital Defense Report - October 2021}}, date = {2021-10-07}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi}, language = {English}, urldate = {2021-10-11} } @online{microsoft:202110:microsoft:a6643ed, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2021-10}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi?id=101738}, language = {English}, urldate = {2023-08-11} } @online{microsoft:20211206:complaint:035d577, author = {Microsoft}, title = {{Complaint filed by Microsoft against NICKEL/APT15}}, date = {2021-12-06}, organization = {Notice of Pleadings}, url = {https://noticeofpleadings.com/nickel/#}, language = {English}, urldate = {2021-12-08} } @online{microsoft:20220115:destructive:77ac2f5, author = {Microsoft and Microsoft Security Intelligence and Microsoft Digital Security Unit (DSU) and Microsoft Detection and Response Team (DART) and Microsoft 365 Defender Threat Intelligence Team}, title = {{Destructive malware targeting Ukrainian organizations (DEV-0586)}}, date = {2022-01-15}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-01-18} } @techreport{microsoft:20220131:identity:07b7e16, author = {Microsoft}, title = {{Identity is the New Battelground}}, date = {2022-01-31}, institution = {Microsoft}, url = {https://news.microsoft.com/wp-content/uploads/prod/sites/626/2022/02/Cyber-Signals-E-1.pdf}, language = {English}, urldate = {2022-02-04} } @online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} } @online{microsoft:20230202:iran:867a633, author = {Microsoft}, title = {{Iran responsible for Charlie Hebdo attacks}}, date = {2023-02-02}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/}, language = {English}, urldate = {2024-02-08} } @techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } @online{microsoft:20230711:storm0978:98ba63b, author = {Microsoft}, title = {{Storm-0978 attacks reveal financial and espionage motives}}, date = {2023-07-11}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/}, language = {English}, urldate = {2023-07-13} } @online{microsoft:2023:microsoft:4469acf, author = {Microsoft}, title = {{Microsoft Digital Defense Report 2023}}, date = {2023}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023}, language = {English}, urldate = {2023-12-04} } @online{microsoft:20240221:exploitpythoncve20241709adha:7b268a1, author = {Microsoft}, title = {{Exploit:Python/CVE-2024-1709.A!dha}}, date = {2024-02-21}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Python/CVE-2024-1709.A!dha&ThreatID=2147903327}, language = {English}, urldate = {2025-03-05} } @online{microsoft:20240918:about:f84435b, author = {Microsoft}, title = {{Tweet about threat actor Vanilla Tempest}}, date = {2024-09-18}, organization = {Twitter (@MsftSecIntel)}, url = {https://x.com/MsftSecIntel/status/1836456406276342215}, language = {English}, urldate = {2024-10-18} } @online{microsoft:20241024:about:e1b780b, author = {Microsoft}, title = {{Tweet about Storm-0506 and Black Basta}}, date = {2024-10-24}, organization = {Microsoft}, url = {https://x.com/MsftSecIntel/status/1849518751080644921}, language = {English}, urldate = {2025-03-05} } @online{microsoftroot9b:201706:shelltea:a318e75, author = {Microsoftroot9b}, title = {{SHELLTEA + POSLURP MALWARE: MEMORY-RESIDENT POINT-OF-SALE MALWARE ATTACKS INDUSTRY}}, date = {2017-06}, organization = {root9b}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv}, language = {English}, urldate = {2020-01-08} } @online{mieghem:20220418:blueprint:c4009ef, author = {Vincent Van Mieghem}, title = {{A blueprint for evading industry leading endpoint protection in 2022}}, date = {2022-04-18}, organization = {vanmieghem}, url = {https://vanmieghem.io/blueprint-for-evading-edr-in-2022/}, language = {English}, urldate = {2022-04-20} } @online{mieres:20100219:spyeye:244807f, author = {Jorge Mieres}, title = {{SpyEye Bot (Part two). Conversations with the creator of crimeware}}, date = {2010-02-19}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html}, language = {English}, urldate = {2020-01-13} } @online{mieres:20100220:facebook:13a2eb5, author = {Jorge Mieres}, title = {{Facebook & VISA phishing campaign proposed by ZeuS}}, date = {2010-02-20}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html}, language = {English}, urldate = {2020-01-06} } @online{mieres:20100419:zeus:5a230a6, author = {Jorge Mieres}, title = {{ZeuS on IRS Scam remains actively exploited}}, date = {2010-04-19}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html}, language = {English}, urldate = {2019-11-27} } @online{mieres:20110824:ice:2dd7e13, author = {Jorge Mieres}, title = {{Ice IX, the first crimeware based on the leaked ZeuS sources}}, date = {2011-08-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/}, language = {English}, urldate = {2020-03-02} } @online{migawariiv:20221124:recent:98d1c2e, author = {MigawariIV}, title = {{Tweet on recent Bifrose activity}}, date = {2022-11-24}, organization = {Twitter (@strinsert1Na)}, url = {https://twitter.com/strinsert1Na/status/1595553530579890176}, language = {English}, urldate = {2022-11-25} } @online{migdal:20220208:brbbot:5172f60, author = {Itay Migdal}, title = {{Brbbot Analysis}}, date = {2022-02-08}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md}, language = {English}, urldate = {2022-02-09} } @online{migdal:20220208:conficker:fab2a1c, author = {Itay Migdal}, title = {{Conficker Analysis}}, date = {2022-02-08}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md}, language = {English}, urldate = {2022-02-09} } @online{migdal:20220208:hawkeye:81b1bb6, author = {Itay Migdal}, title = {{HawkEye Analysis}}, date = {2022-02-08}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md}, language = {English}, urldate = {2022-02-09} } @online{migdal:20220208:remcos:e52c6ec, author = {Itay Migdal}, title = {{Remcos Analysis}}, date = {2022-02-08}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md}, language = {English}, urldate = {2022-02-09} } @online{migdal:20220208:revengerat:c55bec4, author = {Itay Migdal}, title = {{RevengeRAT Analysis}}, date = {2022-02-08}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md}, language = {English}, urldate = {2022-02-09} } @online{migdal:20220213:kovter:baab57a, author = {Itay Migdal}, title = {{Kovter Analysis}}, date = {2022-02-13}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md}, language = {English}, urldate = {2022-02-14} } @online{migdal:20221008:nimboc2:f266f13, author = {Itay Migdal}, title = {{Nimbo-C2 - A new C2 Framework}}, date = {2022-10-08}, organization = {Github (itaymigdal)}, url = {https://github.com/itaymigdal/Nimbo-C2}, language = {English}, urldate = {2022-10-10} } @online{migdal:20230420:pichichih0ll0wer:5416669, author = {Itay Migdal}, title = {{PichichiH0ll0wer - New Process hollowing loader}}, date = {2023-04-20}, url = {https://github.com/itaymigdal/PichichiH0ll0wer}, language = {English}, urldate = {2023-04-22} } @online{migdal:20230630:formbook:9f7bd1b, author = {Itay Migdal}, title = {{Formbook unpacking}}, date = {2023-06-30}, organization = {Github (itaymigdal)}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md}, language = {English}, urldate = {2023-07-05} } @online{migdal:20240909:poshito:bda13f7, author = {Itay Migdal}, title = {{Poshito - New Telegram C2}}, date = {2024-09-09}, organization = {Github (itaymigdal)}, url = {https://github.com/itaymigdal/Poshito}, language = {English}, urldate = {2024-11-15} } @online{mik:20210610:revil:ea22471, author = {Krijn de Mik}, title = {{REvil: the usage of legitimate remote admin tooling}}, date = {2021-06-10}, organization = {HUNT & HACKETT}, url = {https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling}, language = {English}, urldate = {2021-06-16} } @online{mik:20211022:advanced:e22d6f6, author = {Krijn de Mik}, title = {{Advanced IP Scanner: the preferred scanner in the A(P)T toolbox}}, date = {2021-10-22}, organization = {HUNT & HACKETT}, url = {https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox}, language = {English}, urldate = {2021-11-02} } @online{miker:20211216:spiderrat:e0c4858, author = {MikeR}, title = {{Tweet on SPIDERRAT malware used by CIRCUIT PANDA}}, date = {2021-12-16}, organization = {Twitter (@nahamike01)}, url = {https://twitter.com/nahamike01/status/1471496800582664193?s=20}, language = {English}, urldate = {2022-01-17} } @online{miker:20220330:detecting:99079cc, author = {MikeR}, title = {{Detecting COM Object Tasks by DarkHotel}}, date = {2022-03-30}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/03/30/detecting-com-object-tasks-by-darkhotel/}, language = {English}, urldate = {2022-04-05} } @online{mikhailov:20231128:risepro:9e5dc7e, author = {Maksim Mikhailov}, title = {{RisePro Malware Analysis: Exploring C2 Communication of a New Version}}, date = {2023-11-28}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/}, language = {English}, urldate = {2023-11-30} } @online{mikko:20111008:possible:a0424c6, author = {Mikko}, title = {{Possible Governmental Backdoor Found ("Case R2D2")}}, date = {2011-10-08}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002249.html}, language = {English}, urldate = {2020-01-05} } @online{mikkola:20220508:bzz:ee88973, author = {Jouni Mikkola}, title = {{Bzz.. Bzz.. Bumblebee loader}}, date = {2022-05-08}, organization = {Threat hunting with hints of incident response}, url = {https://threathunt.blog/bzz-bzz-bumblebee-loader}, language = {English}, urldate = {2023-04-06} } @online{mikrotik:20210915:mris:16880f6, author = {MikroTik}, title = {{Mēris botnet}}, date = {2021-09-15}, organization = {MikroTik}, url = {https://blog.mikrotik.com/security/meris-botnet.html}, language = {English}, urldate = {2021-09-19} } @online{milenkoski:20210922:threat:cba08ae, author = {Aleksandar Milenkoski and Eli Salem}, title = {{Threat Analysis Report: PrintNightmare and Magniber Ransomware}}, date = {2021-09-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware}, language = {English}, urldate = {2021-09-28} } @online{milenkoski:20210927:threat:843919b, author = {Aleksandar Milenkoski}, title = {{Threat Analysis Report: Inside the Destructive PYSA Ransomware}}, date = {2021-09-27}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware}, language = {English}, urldate = {2021-09-28} } @online{milenkoski:20211028:threat:8d45698, author = {Aleksandar Milenkoski and Brian Janower}, title = {{THREAT ANALYSIS REPORT: Snake Infostealer Malware}}, date = {2021-10-28}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware}, language = {English}, urldate = {2021-11-03} } @online{milenkoski:20211109:threat:9f898c9, author = {Aleksandar Milenkoski and Eli Salem}, title = {{THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware}}, date = {2021-11-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware}, language = {English}, urldate = {2022-02-09} } @online{milenkoski:20211216:inside:40c2e51, author = {Aleksandar Milenkoski and Kotaro Ogino}, title = {{Inside the LockBit Arsenal - The StealBit Exfiltration Tool}}, date = {2021-12-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool}, language = {English}, urldate = {2022-02-04} } @online{milenkoski:20220425:threat:14aee4f, author = {Aleksandar Milenkoski and Loïc Castel and Yonatan Gidnian}, title = {{THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems}}, date = {2022-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems}, language = {English}, urldate = {2022-04-29} } @online{milenkoski:20220908:crimeware:9c7be9a, author = {Aleksandar Milenkoski and Jim Walter}, title = {{Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection}}, date = {2022-09-08}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/}, language = {English}, urldate = {2022-09-10} } @techreport{milenkoski:20220922:mystery:bd4bb11, author = {Aleksandar Milenkoski and Juan Andrés Guerrero-Saade and Amitai Ben and Shushan Ehrlich}, title = {{The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities}}, date = {2022-09-22}, institution = {SentinelOne}, url = {https://www.sentinelone.com/wp-content/uploads/2022/09/S1_-SentinelLabs_Metador.pdf}, language = {English}, urldate = {2022-09-30} } @online{milenkoski:20221107:socgholish:63649b2, author = {Aleksandar Milenkoski}, title = {{SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders}}, date = {2022-11-07}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/}, language = {English}, urldate = {2022-12-01} } @online{milenkoski:20221201:mystery:01fd910, author = {Aleksandar Milenkoski}, title = {{The Mystery of Metador | Unpicking Mafalda’s Anti-Analysis Techniques}}, date = {2022-12-01}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques/}, language = {English}, urldate = {2023-12-04} } @online{milenkoski:20230124:dragonspark:828f0d3, author = {Aleksandar Milenkoski}, title = {{DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation}}, date = {2023-01-24}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/}, language = {English}, urldate = {2023-01-25} } @online{milenkoski:20230216:wip26:637cfde, author = {Aleksandar Milenkoski and Collin Farr and Joey Chen and QGroup}, title = {{WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks}}, date = {2023-02-16}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/}, language = {English}, urldate = {2023-05-24} } @online{milenkoski:20230323:operation:2263a72, author = {Aleksandar Milenkoski and Juan Andrés Guerrero-Saade and Joey Chen and QGroup}, title = {{Operation Tainted Love | Chinese APTs Target Telcos in New Attacks}}, date = {2023-03-23}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/}, language = {English}, urldate = {2023-03-27} } @online{milenkoski:20230523:kimsuky:dd0cbc4, author = {Aleksandar Milenkoski}, title = {{Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit}}, date = {2023-05-23}, url = {https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/}, language = {English}, urldate = {2023-05-30} } @online{milenkoski:20230606:kimsuky:67b5083, author = {Aleksandar Milenkoski}, title = {{Kimsuky Strikes Again: New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence}}, date = {2023-06-06}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/}, language = {English}, urldate = {2023-06-09} } @online{milenkoski:20230817:chinese:75e4289, author = {Aleksandar Milenkoski and Tom Hegel}, title = {{Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector}}, date = {2023-08-17}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/}, language = {English}, urldate = {2023-08-22} } @online{milenkoski:20230921:sandman:4735b8d, author = {Aleksandar Milenkoski and QGroup}, title = {{Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit}}, date = {2023-09-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/}, language = {English}, urldate = {2023-09-28} } @online{milenkoski:20231211:sandman:7de9c39, author = {Aleksandar Milenkoski and Bendik Hagen}, title = {{Sandman APT | China-Based Adversaries Embrace Lua}}, date = {2023-12-11}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/}, language = {English}, urldate = {2023-12-12} } @online{milenkoski:20231214:gaza:24a4d02, author = {Aleksandar Milenkoski}, title = {{Gaza Cybergang | Unified Front Targeting Hamas Opposition}}, date = {2023-12-14}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/}, language = {English}, urldate = {2024-11-04} } @online{milenkoski:20240122:scarcruft:16381f9, author = {Aleksandar Milenkoski and Tom Hegel}, title = {{ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals}}, date = {2024-01-22}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/}, language = {English}, urldate = {2024-01-22} } @online{milenkoski:20240222:doppelgnger:20b8aa3, author = {Aleksandar Milenkoski}, title = {{Doppelgänger | Russia-Aligned Influence Operation Targets Germany}}, date = {2024-02-22}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/}, language = {English}, urldate = {2024-02-23} } @online{milenkoski:20240626:chamelgang:f572e84, author = {Aleksandar Milenkoski and Julian-Ferdinand Vögele}, title = {{ChamelGang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware}}, date = {2024-06-26}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/}, language = {English}, urldate = {2024-09-04} } @online{miles:20140221:cve:fec48e2, author = {Ed Miles}, title = {{CVE 2014-0322 Malware - Sakurel (Feb 21, 2014)}}, date = {2014-02-21}, organization = {SonicWall}, url = {https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654}, language = {English}, urldate = {2022-06-02} } @online{miles:20161201:cnacom:392e12a, author = {Ed Miles}, title = {{CNACOM - Open Source Exploitation via Strategic Web Compromise}}, date = {2016-12-01}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise}, language = {English}, urldate = {2019-10-12} } @online{mili:20190910:mirai:906e0a9, author = {Josip Milić}, title = {{Mirai Botnet Continues to Plague IoT Space}}, date = {2019-09-10}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space}, language = {English}, urldate = {2020-01-13} } @online{milisic:20230111:t95h616malware:df3991e, author = {Daniel Milisic}, title = {{T95-H616-Malware}}, date = {2023-01-11}, organization = {Github (DesktopECHO)}, url = {https://github.com/DesktopECHO/T95-H616-Malware}, language = {English}, urldate = {2024-12-20} } @online{milkream:20200608:first:5a359a9, author = {milkream}, title = {{First public tweet on cyber incident that Honda & Enelint was hit by Snake/Ekans ransomware}}, date = {2020-06-08}, organization = {Twitter (@milkr3am)}, url = {https://twitter.com/milkr3am/status/1270019326976786432}, language = {English}, urldate = {2020-06-11} } @online{milkream:20210127:all:e3c3773, author = {milkream}, title = {{Tweet on all Emotet epoch pushing payload to self remove emotet malware on 2021-04-25}}, date = {2021-01-27}, organization = {Twitter (@milkr3am)}, url = {https://twitter.com/milkr3am/status/1354459859912192002}, language = {English}, urldate = {2021-01-29} } @online{miller:20150624:stealthy:9bceed3, author = {Chris Miller}, title = {{Stealthy Cyberespionage Campaign Attacks With Social Engineering}}, date = {2015-06-24}, organization = {Spiceworks}, url = {https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering}, language = {English}, urldate = {2019-12-10} } @online{miller:20160112:magnificent:2aeb339, author = {John Miller and Barry Vengerik}, title = {{The Magnificent FIN7: Revealing a Cybercriminal Threat Group}}, date = {2016-01-12}, organization = {FireEye}, url = {https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000}, language = {English}, urldate = {2019-11-21} } @online{miller:20191021:shikata:4cc9011, author = {Steve Miller and Evan Reese and Nick Carr}, title = {{Shikata Ga Nai Encoder Still Going Strong}}, date = {2019-10-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html}, language = {English}, urldate = {2020-11-04} } @online{miller:20200515:sogu:cc5a1fc, author = {Steve Miller}, title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}}, date = {2020-05-15}, organization = {Twitter (@stvemillertime)}, url = {https://twitter.com/stvemillertime/status/1261263000960450562}, language = {English}, urldate = {2020-05-18} } @online{miller:20200528:tclient:cc952e5, author = {Steve Miller}, title = {{Tweet on TClient / FIRESHADOW used by Tropic Trooper}}, date = {2020-05-28}, organization = {Twitter (@stvemillertime)}, url = {https://twitter.com/stvemillertime/status/1266050369370677249}, language = {English}, urldate = {2020-06-05} } @online{miller:20201112:splunking:26a0bd8, author = {Dusty Miller}, title = {{Splunking with Sysmon Part 4: Detecting Trickbot}}, date = {2020-11-12}, organization = {Hurricane Labs}, url = {https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/}, language = {English}, urldate = {2021-01-18} } @online{miller:20210330:badblood:3cab448, author = {Joshua Miller and Proofpoint Threat Research Team}, title = {{BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns}}, date = {2021-03-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential}, language = {English}, urldate = {2021-03-31} } @online{miller:20210712:operation:c819876, author = {Joshua Miller and Crista Giering and Threat Research Team}, title = {{Operation SpoofedScholars: A Conversation with TA453}}, date = {2021-07-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453}, language = {English}, urldate = {2021-07-20} } @online{miller:20210728:i:23e9aad, author = {Joshua Miller and Michael Raggi and Crista Giering}, title = {{I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona}}, date = {2021-07-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media}, language = {English}, urldate = {2021-07-29} } @online{miller:20220228:quick:fd1e487, author = {Steve Miller}, title = {{Quick n’ dirty detection research: Building a labeled malware corpus for YARA testing}}, date = {2022-02-28}, organization = {Stairwell}, url = {https://stairwell.com/news/threat-research-detection-research-labeled-malware-corpus-yara-testing}, language = {English}, urldate = {2022-03-02} } @online{miller:20220407:ta455:32fe370, author = {Joshua Miller}, title = {{Tweet on TA455 (Iranian threat actor) IoCs}}, date = {2022-04-07}, organization = {Twitter (@ChicagoCyber)}, url = {https://twitter.com/ChicagoCyber/status/1512071759712817156}, language = {English}, urldate = {2022-04-12} } @techreport{miller:20220427:origin:1fbc10e, author = {Steve Miller and Silas Cutler}, title = {{The origin story of APT32 macros: The StrikeSuit Gi}}, date = {2022-04-27}, institution = {Stairwell}, url = {https://assets.stairwell.com/hubfs/Marketing-Assets/Stairwell-threat-report-The-origin-of-APT32-macros.pdf}, language = {English}, urldate = {2023-09-11} } @techreport{miller:20220427:origin:2e68a5f, author = {Steve Miller and Silas Cutler}, title = {{The origin story of APT32 macros: The StrikeSuit Gift that keeps giving}}, date = {2022-04-27}, institution = {Stairwell}, url = {https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-origin-of-APT32-macros.pdf}, language = {English}, urldate = {2022-05-04} } @online{miller:20220913:look:781be66, author = {Joshua Miller and Kyle Eaton and Alexander Rausch}, title = {{Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO}}, date = {2022-09-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo}, language = {English}, urldate = {2022-09-19} } @online{miller:20230111:increasing:b0201c6, author = {Eoin Miller}, title = {{Increasing The Sting of HIVE Ransomware}}, date = {2023-01-11}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/}, language = {English}, urldate = {2023-01-13} } @online{miller:20231114:ta402:268c67c, author = {Joshua Miller}, title = {{TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities}}, date = {2023-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government}, language = {English}, urldate = {2023-11-14} } @online{millerosborn:20140919:recent:40ee862, author = {Jen Miller-Osborn and Ryan Olson}, title = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}}, date = {2014-09-19}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/}, language = {English}, urldate = {2019-12-20} } @online{millerosborn:20140919:recent:edf1ed3, author = {Jen Miller-Osborn and Ryan Olson}, title = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}}, date = {2014-09-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/}, language = {English}, urldate = {2019-12-20} } @online{millerosborn:20141003:new:44982b6, author = {Jen Miller-Osborn}, title = {{New Indicators of Compromise for APT Group Nitro Uncovered}}, date = {2014-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/}, language = {English}, urldate = {2020-01-08} } @online{millerosborn:20150414:unit:201dee9, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets}}, date = {2015-04-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/}, language = {English}, urldate = {2019-12-20} } @online{millerosborn:20150414:unit:571f368, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets}}, date = {2015-04-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/}, language = {English}, urldate = {2020-01-06} } @online{millerosborn:20170216:menupass:4aebb40, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations}}, date = {2017-02-16}, url = {https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/}, language = {English}, urldate = {2019-11-21} } @online{millerosborn:20170216:menupass:a829340, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations}}, date = {2017-02-16}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/}, language = {English}, urldate = {2019-12-20} } @online{millerosborn:20170330:trochilus:6c1c703, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations}}, date = {2017-03-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/}, language = {English}, urldate = {2019-12-10} } @online{millerosborn:20170330:trochilus:bface4b, author = {Jen Miller-Osborn and Josh Grunzweig}, title = {{Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations}}, date = {2017-03-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/}, language = {English}, urldate = {2019-12-20} } @online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } @online{mills:20211223:hacker:e84b55b, author = {Paul Mills}, title = {{Hacker gains access to Hewlett-Packard 9000 EPYC server hardware to mine the cryptocurrency Raptoreum using Java exploit}}, date = {2021-12-23}, organization = {newswires}, url = {https://www.einnews.com/pr_news/558959060/hacker-gains-access-to-hewlett-packard-9000-epyc-server-hardware-to-mine-the-cryptocurrency-raptoreum-using-java-exploit}, language = {English}, urldate = {2021-12-31} } @techreport{mimecast:20210203:ta551shathak:4bd9a01, author = {Mimecast and Nettitude}, title = {{TA551/Shathak Threat Research}}, date = {2021-02-03}, institution = {}, url = {https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf}, language = {English}, urldate = {2021-05-26} } @online{mimecast:20210316:incident:2c3e79a, author = {Mimecast}, title = {{Incident Report}}, date = {2021-03-16}, organization = {Mimecast}, url = {https://www.mimecast.com/incident-report/}, language = {English}, urldate = {2021-03-22} } @online{mimoso:20140819:gang:ddbcb8b, author = {Michael Mimoso}, title = {{APT Gang Branches Out to Medical Espionage in Community Health Breach}}, date = {2014-08-19}, url = {https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828}, language = {English}, urldate = {2019-11-25} } @online{mimoso:20141209:linux:67f8948, author = {Michael Mimoso}, title = {{Linux Modules Connected to Turla APT Discovered}}, date = {2014-12-09}, organization = {Threatpost}, url = {https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/}, language = {English}, urldate = {2019-11-26} } @online{mimoso:20151006:targeted:4259814, author = {Michael Mimoso}, title = {{Targeted Attack Exposes OWA Weakness}}, date = {2015-10-06}, organization = {Threatpost}, url = {https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/}, language = {English}, urldate = {2019-10-13} } @online{mimoso:20160224:operation:811ccca, author = {Michael Mimoso}, title = {{Operation Blockbuster Coalition Ties Destructive Attacks to Lazarus Group}}, date = {2016-02-24}, organization = {Threatpost}, url = {https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/}, language = {English}, urldate = {2020-01-06} } @online{mimoso:20160617:scarcruft:4b357f7, author = {Michael Mimoso}, title = {{ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks}}, date = {2016-06-17}, organization = {Threatpost}, url = {https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/}, language = {English}, urldate = {2019-10-28} } @online{mimoso:20170316:fileless:5e773a6, author = {Michael Mimoso}, title = {{Fileless Malware Campaigns Tied to Same Attacker}}, date = {2017-03-16}, organization = {Threatpost}, url = {https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/}, language = {English}, urldate = {2020-01-06} } @online{mimoso:20170403:lazarus:c824fd6, author = {Michael Mimoso}, title = {{Lazarus APT Spinoff Linked to Banking Hacks}}, date = {2017-04-03}, organization = {Threatpost}, url = {https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/}, language = {English}, urldate = {2020-01-10} } @online{mimoso:20170410:shadowbrokers:99e90bc, author = {Michael Mimoso}, title = {{ShadowBrokers Dump More Equation Group Hacks, Auction File Password}}, date = {2017-04-10}, organization = {Threatpost}, url = {https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/}, language = {English}, urldate = {2020-01-10} } @online{mimoso:20170508:handbrake:4e1bbea, author = {Michael Mimoso}, title = {{HandBrake for Mac Compromised with Proton Spyware}}, date = {2017-05-08}, url = {https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/}, language = {English}, urldate = {2019-11-29} } @techreport{minakawa:20230125:fighting:676ecb9, author = {Ryo Minakawa and Daisuke Saika and Hiroki Kubokawa}, title = {{Fighting to LODEINFO Investigation for Continuous Cyberespionage Based on Open Source}}, date = {2023-01-25}, institution = {N.F.Laboratories Inc.}, url = {https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_6_minakawa-saika-kubokawa_en.pdf}, language = {English}, urldate = {2024-07-24} } @techreport{minakawa:20240125:operation:b43ccc5, author = {Ryo Minakawa and Kaichi Sameshima and Atsushi Kanda}, title = {{Operation So-seki: You Are a Threat Actor. As Yet You Have No Name}}, date = {2024-01-25}, institution = {JSAC 2024}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_4_minakawa_kanda_sameshima_en.pdf}, language = {English}, urldate = {2024-01-31} } @techreport{minervalabs:20151123:copykittens:0405a55, author = {MinervaLabs and ClearSky}, title = {{CopyKittens Attack Group}}, date = {2015-11-23}, institution = {MinervaLabs}, url = {https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf}, language = {English}, urldate = {2020-01-07} } @online{minervalabs:20210112:slamming:89461b1, author = {MinervaLabs}, title = {{Slamming The Backdoor On BazarLoader}}, date = {2021-01-12}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader}, language = {English}, urldate = {2021-01-21} } @online{minks:20211005:rebol:53830a0, author = {Oscar Minks}, title = {{The REBOL Yell: A New Novel REBOL Exploit}}, date = {2021-10-05}, organization = {FRSecure}, url = {https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/}, language = {English}, urldate = {2021-10-14} } @online{minkwon:20230124:urgent:71e54e3, author = {Gil Min-kwon}, title = {{[Urgent] A Chinese hacker organization that declared hacking war on Korea..."KISA will hack" notice}}, date = {2023-01-24}, organization = {DailySecU}, url = {https://www.dailysecu.com/news/articleView.html?idxno=143020}, language = {English}, urldate = {2023-01-24} } @online{minseok:20180221:dprk:5de56c6, author = {CHA Minseok}, title = {{Tweet on DPRK APT groups}}, date = {2018-02-21}, organization = {Twitter (@mstoned7)}, url = {https://twitter.com/mstoned7/status/966126706107953152}, language = {English}, urldate = {2020-01-09} } @online{minseok:20200407:operation:8f59223, author = {CHA Minseok}, title = {{Tweet on Operation Shadow Force}}, date = {2020-04-07}, organization = {AhnLab}, url = {https://mobile.twitter.com/mstoned7/status/1247361687570673664}, language = {English}, urldate = {2020-05-18} } @online{minton:20201222:leftover:656cc14, author = {Jai Minton}, title = {{Leftover Lunch: Finding, Hunting and Eradicating Spicy Hot Pot, a Persistent Browser Hijacking Rootkit}}, date = {2020-12-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/}, language = {English}, urldate = {2020-12-23} } @online{minton:20210321:twitter:8e65e84, author = {Jai Minton}, title = {{Twitter Thread with analysis of .NET China Chopper}}, date = {2021-03-21}, organization = {Twitter (@CyberRaiju)}, url = {https://twitter.com/CyberRaiju/status/1373582619707867136}, language = {English}, urldate = {2023-09-11} } @online{minton:20211004:strrat:ce3bc16, author = {Jai Minton}, title = {{STRRAT Analysis}}, date = {2021-10-04}, organization = {JPMinty}, url = {https://www.jaiminton.com/reverse-engineering/strrat}, language = {English}, urldate = {2021-10-05} } @online{minton:20211009:reverse:b389130, author = {Jai Minton}, title = {{Reverse Engineering Analysis Lab - STRRAT}}, date = {2021-10-09}, organization = {JPMinty}, url = {https://www.jaiminton.com/reverse-engineering/strrat#}, language = {English}, urldate = {2021-12-09} } @online{minton:20230516:remcos:55b425b, author = {Jai Minton}, title = {{Remcos RAT - Malware Analysis Lab}}, date = {2023-05-16}, organization = {CyberRaiju}, url = {https://www.jaiminton.com/reverse-engineering/remcos#}, language = {English}, urldate = {2023-05-21} } @online{minton:20240808:x:c9434e6, author = {Jai Minton}, title = {{X}}, date = {2024-08-08}, organization = {Huntress Labs}, url = {https://x.com/CyberRaiju/status/1893450184224362946}, language = {English}, urldate = {2025-03-21} } @online{mirkasymov:20180529:cobalt:b344169, author = {Rustam Mirkasymov}, title = {{Cobalt Renaissance: new attacks and joint operations}}, date = {2018-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/renaissance}, language = {English}, urldate = {2019-10-22} } @online{mirkasymov:20200923:big:c5c62a3, author = {Rustam Mirkasymov and Oleg Skulkin}, title = {{Big Game Hunting: Now in Russia}}, date = {2020-09-23}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/oldgremlin}, language = {English}, urldate = {2020-09-24} } @online{mirkasymov:20221103:financially:cd6ff5b, author = {Rustam Mirkasymov}, title = {{Financially motivated, dangerously activated: OPERA1ER APT in Africa}}, date = {2022-11-03}, organization = {Group-IB}, url = {https://blog.group-ib.com/opera1er-apt}, language = {English}, urldate = {2023-01-19} } @online{misgav:20191226:introducing:1c33aa5, author = {Omri Misgav}, title = {{Introducing BIOLOAD: FIN7 BOOSTWRITE’s Lost Twin}}, date = {2019-12-26}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html}, language = {English}, urldate = {2021-01-25} } @online{misgav:20220812:swan:8691537, author = {Omri Misgav}, title = {{The Swan Song for Driver Signature Enforcement Tampering}}, date = {2022-08-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/driver-signature-enforcement-tampering}, language = {English}, urldate = {2022-08-28} } @online{misraa:20220729:raccoon:6937d2e, author = {Sarthak Misraa}, title = {{Raccoon Stealer v2: The Latest Generation of the Raccoon Family}}, date = {2022-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family}, language = {English}, urldate = {2022-08-02} } @online{misraa:20240410:xz:57d0fa8, author = {Sarthak Misraa and Antonio Pirozzi}, title = {{XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities}}, date = {2024-04-10}, organization = {2024-04-10}, url = {https://www.sentinelone.com/blog/xz-utils-backdoor-threat-actor-planned-to-inject-further-vulnerabilities/}, language = {English}, urldate = {2024-04-15} } @online{mitchell:20220506:attempted:cd11636, author = {Aiden Mitchell}, title = {{Attempted AsyncRAT via .vbs}}, date = {2022-05-06}, organization = {Mitchell's Musings}, url = {https://aidenmitchell.ca/asyncrat-via-vbs/}, language = {English}, urldate = {2022-05-11} } @online{mitre:2015:mitre:90e0feb, author = {MITRE}, title = {{MITRE ATT&CK}}, date = {2015}, organization = {MITRE}, url = {https://attack.mitre.org}, language = {English}, urldate = {2020-01-07} } @online{mitre:20170531:apt18:deb24dc, author = {MITRE}, title = {{APT18}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0026}, language = {English}, urldate = {2022-07-05} } @online{mitre:20181017:software:84822e8, author = {MITRE}, title = {{Software Description: More_eggs}}, date = {2018-10-17}, organization = {MITRE ATT&CK}, url = {https://attack.mitre.org/software/S0284/}, language = {English}, urldate = {2020-01-10} } @online{mitre:20190322:apt30:83830f2, author = {MITRE}, title = {{APT30}}, date = {2019-03-22}, organization = {MITRE}, url = {https://attack.mitre.org/wiki/Group/G0013}, language = {English}, urldate = {2020-01-09} } @online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} } @online{mitre:20191011:credential:8272dc5, author = {MITRE}, title = {{Credential Dumping}}, date = {2019-10-11}, organization = {MITRE}, url = {https://attack.mitre.org/wiki/Technique/T1003}, language = {English}, urldate = {2020-01-13} } @techreport{mitre:20211103:threatinformed:b1206af, author = {MITRE}, title = {{Threat-Informed Defense Adoption Handbook: September 2021 Edition, Volume 1}}, date = {2021-11-03}, institution = {MITRE}, url = {https://info.mitre-engenuity.org/hubfs/CTID/Threat_Informed_Defense_Adoption_Handbook_Sept2021.pdf}, language = {English}, urldate = {2021-11-08} } @online{mitre:2021:groups:35abb07, author = {MITRE}, title = {{Groups Overview of MITRE}}, date = {2021}, url = {https://attack.mitre.org/wiki/Groups}, language = {English}, urldate = {2021-07-26} } @online{mitre:20220609:mitre:c7f5700, author = {MITRE}, title = {{MITRE actor profile for Ember Bear}}, date = {2022-06-09}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G1003/}, language = {English}, urldate = {2025-02-18} } @online{mittal:20140604:introducing:48a5fec, author = {Nikhil Mittal}, title = {{Introducing Antak - A webshell which utilizes powershell}}, date = {2014-06-04}, organization = {Lab of a Penetration Tester}, url = {http://www.labofapenetrationtester.com/2014/06/introducing-antak.html}, language = {English}, urldate = {2020-01-08} } @online{mittal:20150819:antak:6b613d2, author = {Nikil Mittal}, title = {{Antak WebShell}}, date = {2015-08-19}, organization = {Github (samratashok)}, url = {https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx}, language = {English}, urldate = {2019-12-18} } @online{mittleman:20250311:cato:09ebd5b, author = {Matan Mittleman and Ofek Vardi}, title = {{Cato CTRL Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers}}, date = {2025-03-11}, organization = {Cato Networks}, url = {https://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/}, language = {English}, urldate = {2025-03-26} } @techreport{mivd:20240206:ministry:4293dee, author = {MIVD and AIVD}, title = {{Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT}}, date = {2024-02-06}, institution = {NCSC NL}, url = {https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf}, language = {English}, urldate = {2024-02-07} } @online{mizrahi:20250508:multilayered:33654a1, author = {Ran Mizrahi}, title = {{Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware}}, date = {2025-05-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware}, language = {English}, urldate = {2025-05-20} } @online{ml10:20200115:aptc36:2ece45d, author = {ml10}, title = {{APT-C-36 recent activity analysis}}, date = {2020-01-15}, organization = {Lab52}, url = {https://lab52.io/blog/apt-c-36-recent-activity-analysis/}, language = {English}, urldate = {2020-01-20} } @online{ml10:20220110:tokyox:ac76bdb, author = {ml10}, title = {{TokyoX: DLL side-loading an unknown artifact}}, date = {2022-01-10}, organization = {Lab52}, url = {https://lab52.io/blog/tokyox-dll-side-loading-an-unknown-artifact/}, language = {English}, urldate = {2022-01-18} } @online{mladenov:20190312:nymaim:c35a90d, author = {Georgi Mladenov}, title = {{Nymaim config decoded}}, date = {2019-03-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded}, language = {English}, urldate = {2019-12-20} } @online{mller:20150911:csi:56aa614, author = {Markus Möller}, title = {{CSI MacMark: Janicab}}, date = {2015-09-11}, organization = {MacMark}, url = {https://www.macmark.de/blog/osx_blog_2013-08-a.php}, language = {German}, urldate = {2020-05-19} } @techreport{mlveill:20120920:osxflashback:8029369, author = {Marc-Etienne M.Léveillé}, title = {{OSX/Flashback: The First Malware to Infect Hundreds of Thousands of Apple Mac}}, date = {2012-09-20}, institution = {ESET Research}, url = {https://web-assets.esetstatic.com/wls/200x/white-papers/osx_flashback.pdf}, language = {English}, urldate = {2024-06-12} } @online{mlveill:20140221:indepth:3ee584f, author = {Marc-Etienne M.Léveillé}, title = {{An In‑depth Analysis of Linux/Ebury}}, date = {2014-02-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/}, language = {English}, urldate = {2019-11-14} } @online{mlveill:20150309:cryptofortress:8ff6323, author = {Marc-Etienne M.Léveillé}, title = {{CryptoFortress mimics TorrentLocker but is a different ransomware}}, date = {2015-03-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/}, language = {English}, urldate = {2019-11-14} } @techreport{mlveill:20150428:unboxing:647ba0d, author = {Marc-Etienne M.Léveillé}, title = {{Unboxing Linux/Mumblehard: Muttering spam from your servers}}, date = {2015-04-28}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf}, language = {English}, urldate = {2022-05-11} } @online{mlveill:20160706:new:f0cfc2c, author = {Marc-Etienne M.Léveillé}, title = {{New OSX/Keydnap malware is hungry for credentials}}, date = {2016-07-06}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/}, language = {English}, urldate = {2019-12-20} } @online{mlveill:20170222:new:effd5eb, author = {Marc-Etienne M.Léveillé}, title = {{New crypto‑ransomware hits macOS}}, date = {2017-02-22}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/}, language = {English}, urldate = {2019-12-20} } @online{mlveill:20170824:bad:78b7a5e, author = {Marc-Etienne M.Léveillé}, title = {{Bad Rabbit: Not‑Petya is back with improved ransomware}}, date = {2017-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back}, language = {English}, urldate = {2022-08-25} } @online{mlveill:20171024:bad:5653a57, author = {Marc-Etienne M.Léveillé}, title = {{Bad Rabbit: Not‑Petya is back with improved ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/}, language = {English}, urldate = {2019-07-11} } @online{mlveill:20181205:dark:ac089e8, author = {Marc-Etienne M.Léveillé}, title = {{The Dark Side of the ForSSHe}}, date = {2018-12-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/}, language = {English}, urldate = {2019-11-14} } @online{mlveill:20190311:gaming:8449e78, author = {Marc-Etienne M.Léveillé}, title = {{Gaming industry still in the scope of attackers in Asia}}, date = {2019-03-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/}, language = {English}, urldate = {2020-01-13} } @techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{mlveill:20200202:tlp:39ce93c, author = {Marc-Etienne M.Léveillé and Ignacio Sanmillan}, title = {{TLP: WHITE A WILD KOBALOS APPEARSTricksy Linux malware goes after HPCs}}, date = {2020-02-02}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf}, language = {English}, urldate = {2021-02-04} } @online{mlveill:20200716:mac:405cc1d, author = {Marc-Etienne M.Léveillé}, title = {{Mac cryptocurrency trading application rebranded, bundled with malware}}, date = {2020-07-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/}, language = {English}, urldate = {2020-07-16} } @online{mlveill:20210202:kobalos:5bb5548, author = {Marc-Etienne M.Léveillé and Ignacio Sanmillan}, title = {{Kobalos – A complex Linux threat to high performance computing infrastructure}}, date = {2021-02-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/}, language = {English}, urldate = {2021-02-02} } @online{mlveill:20220125:watering:e1afb71, author = {Marc-Etienne M.Léveillé and Anton Cherepanov}, title = {{Watering hole deploys new macOS malware, DazzleSpy, in Asia}}, date = {2022-01-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/}, language = {English}, urldate = {2022-01-25} } @online{mlveill:20220719:i:d9dc1d5, author = {Marc-Etienne M.Léveillé}, title = {{I see what you did there: A look at the CloudMensis macOS spyware}}, date = {2022-07-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/}, language = {English}, urldate = {2022-07-20} } @techreport{mlveill:20240513:ebury:ca7dc05, author = {Marc-Etienne M.Léveillé}, title = {{Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain}}, date = {2024-05-13}, institution = {ESET Research}, url = {https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf}, language = {English}, urldate = {2024-05-17} } @online{mlveill:20240514:ebury:59c1ae8, author = {Marc-Etienne M.Léveillé}, title = {{Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain}}, date = {2024-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/}, language = {English}, urldate = {2024-05-17} } @online{mlwrdssctng:20180808:export:88ba897, author = {MLWRDSSCTNG}, title = {{Export JRAT/Adwind Config with x32dbg}}, date = {2018-08-08}, organization = {Dissecting Malware}, url = {https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html}, language = {English}, urldate = {2019-12-19} } @online{mmd0xff:20200311:rhombus:ba8d25f, author = {mmd0xff}, title = {{RHOMBUS an ELF bot installer/dropper}}, date = {2020-03-11}, organization = {MalwareMustDie}, url = {https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/}, language = {English}, urldate = {2020-03-25} } @online{modderkolk:20170204:russen:2dcb3d1, author = {Huib Modderkolk}, title = {{Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries}}, date = {2017-02-04}, organization = {de Volkskrant}, url = {https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/}, language = {Dutch}, urldate = {2019-12-19} } @online{modderkolk:20210306:russian:fbfe2fb, author = {Huib Modderkolk}, title = {{Russian and Chinese hackers gained access to EMA}}, date = {2021-03-06}, organization = {de Volkskrant}, url = {https://www.volkskrant.nl/nieuws-achtergrond/russian-and-chinese-hackers-gained-access-to-ema~bdc61ba59}, language = {English}, urldate = {2021-03-06} } @online{moench:20190624:backdoorpowerton:0fef32a, author = {Benjamin Moench}, title = {{Backdoor.Powerton}}, date = {2019-06-24}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2019-062513-4935-99}, language = {English}, urldate = {2020-01-12} } @online{moffitt:20160829:fantom:c2ca17c, author = {Tyler Moffitt}, title = {{Fantom ransomware impersonates Windows update}}, date = {2016-08-29}, organization = {Webroot}, url = {https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/}, language = {English}, urldate = {2020-01-09} } @online{mogilin:20210312:good:b3d6b00, author = {Ilya Mogilin}, title = {{Good old malware for the new Apple Silicon platform}}, date = {2021-03-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/}, language = {English}, urldate = {2021-03-19} } @online{mogilin:20210318:convuster:10a3a52, author = {Ilya Mogilin and Mikhail Kuzin}, title = {{Convuster: macOS adware now in Rust}}, date = {2021-03-18}, url = {https://securelist.com/convuster-macos-adware-in-rust/101258/}, language = {English}, urldate = {2021-04-16} } @online{mohammed:20200326:discover:9d1869f, author = {Hersh Mohammed}, title = {{Discover Malware Android}}, date = {2020-03-26}, organization = {Telegraph}, url = {https://telegra.ph/Discover-Malware-Android-03-26}, language = {Kurdish}, urldate = {2022-04-15} } @online{mohankumar:20170424:fin7:6aec2b4, author = {Saravanan Mohankumar and Nick Carr and Yogesh Londhe and Barry Vengerik and Dominik Weber}, title = {{FIN7 Evolution and the Phishing LNK}}, date = {2017-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html}, language = {English}, urldate = {2019-12-20} } @online{mohanta:20201229:revenge:7c79587, author = {Abhijit Mohanta}, title = {{Revenge RAT targeting users in South America}}, date = {2020-12-29}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america}, language = {English}, urldate = {2021-01-25} } @online{mohanta:20210112:confucius:865bcc8, author = {Abhijit Mohanta and Ashwin Vamshi}, title = {{Confucius APT deploys Warzone RAT}}, date = {2021-01-12}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat}, language = {English}, urldate = {2021-01-13} } @online{mokbel:20170718:linux:e43d04b, author = {Mohamad Mokbel and Tim Yeh and Brian Cayanan}, title = {{Linux Users Urged to Update as a New Threat Exploits SambaCry}}, date = {2017-07-18}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry}, language = {English}, urldate = {2020-01-09} } @techreport{mokbel:20181213:tildeb:99fb939, author = {Mohamad Mokbel}, title = {{Tildeb: An Implant from the Shadow Brokers’ Leak}}, date = {2018-12-13}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf}, language = {English}, urldate = {2021-09-19} } @online{mokbel:20190422:cc:23b1202, author = {Mohamad Mokbel}, title = {{C/C++ Runtime Library Code Tampering in Supply Chain}}, date = {2019-04-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html}, language = {English}, urldate = {2021-09-19} } @online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } @techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } @online{moldovan:20240627:analyzing:0df489c, author = {Andrei Moldovan}, title = {{Analyzing the Shift in Ransomware Dynamics: The Impact of Law Enforcement and Future Outlooks}}, date = {2024-06-27}, organization = {QuoIntelligence}, url = {https://quointelligence.eu/2024/06/analyzing-shift-in-ransomware-dynamics/}, language = {English}, urldate = {2024-11-15} } @online{molige:20250313:new:c445758, author = {Sai Molige and Forescout Research}, title = {{New Ransomware Operator Exploits Fortinet Vulnerability Duo}}, date = {2025-03-13}, organization = {Forescout}, url = {https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/}, language = {English}, urldate = {2025-03-21} } @online{molige:20250508:threat:7741265, author = {Sai Molige and Luca Barba}, title = {{Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat Actor}}, date = {2025-05-08}, organization = {Forescout}, url = {https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/}, language = {English}, urldate = {2025-05-20} } @online{molina:20230905:multiplatform:5d2f2a3, author = {Joel Gámez Molina}, title = {{MultiPlatform HTTP Reverse Shell}}, date = {2023-09-05}, organization = {Github (JoelGMSec)}, url = {https://github.com/JoelGMSec/HTTP-Shell}, language = {English}, urldate = {2024-02-22} } @online{molyett:20170803:taking:b5c69af, author = {Matthew Molyett}, title = {{Taking the FIRST look at Crypt0l0cker}}, date = {2017-08-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html}, language = {English}, urldate = {2019-11-26} } @online{molyett:20170905:graftor:d4dda71, author = {Matthew Molyett and Holger Unterbrink}, title = {{Graftor - But I Never Asked for This…}}, date = {2017-09-05}, organization = {Talos Intelligence}, url = {https://malware.news/t/graftor-but-i-never-asked-for-this/14857}, language = {English}, urldate = {2023-09-28} } @techreport{monitor:20090328:tracking:dffad13, author = {Information Warfare Monitor}, title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}}, date = {2009-03-28}, institution = {Infinitum Labs}, url = {http://www.nartv.org/mirror/ghostnet.pdf}, language = {English}, urldate = {2022-09-30} } @online{monnier:20210205:kobalos:e8f562f, author = {David Monnier}, title = {{Kobalos Malware Mapping Potentially Impacted Networks and IP Address Mapping}}, date = {2021-02-05}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/}, language = {English}, urldate = {2021-02-06} } @online{montalbano:20201119:exploits:f40feb2, author = {Elizabeth Montalbano}, title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}}, date = {2020-11-19}, organization = {Threatpost}, url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/}, language = {English}, urldate = {2020-11-23} } @online{montalbano:20210730:novel:03970b0, author = {Elizabeth Montalbano}, title = {{Novel Meteor Wiper Used in Attack that Crippled Iranian Train System}}, date = {2021-07-30}, organization = {Threatpost}, url = {https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/}, language = {English}, urldate = {2021-08-03} } @online{montalbano:20210806:angry:5c2b1ff, author = {Elizabeth Montalbano}, title = {{Angry Affiliate Leaks Conti Ransomware Gang Playbook}}, date = {2021-08-06}, organization = {Threat Post}, url = {https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/}, language = {English}, urldate = {2022-02-14} } @online{montalbano:20220215:ta2541:7e201a7, author = {Elizabeth Montalbano}, title = {{TA2541: APT Has Been Shooting RATs at Aviation for Years}}, date = {2022-02-15}, organization = {Threat Post}, url = {https://threatpost.com/ta2541-apt-rats-aviation/178422/}, language = {English}, urldate = {2022-02-17} } @online{montalbano:20220216:emotet:a1297ac, author = {Elizabeth Montalbano}, title = {{Emotet Now Spreading Through Malicious Excel Files}}, date = {2022-02-16}, organization = {Threat Post}, url = {https://threatpost.com/emotet-spreading-malicious-excel-files/178444/}, language = {English}, urldate = {2022-02-18} } @online{montalbano:20220329:exchange:ff88f41, author = {Elizabeth Montalbano}, title = {{Exchange Servers Speared in IcedID Phishing Campaign}}, date = {2022-03-29}, organization = {Threat Post}, url = {https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/}, language = {English}, urldate = {2022-03-31} } @online{montalbano:20220817:lazarus:cbcaf72, author = {Elizabeth Montalbano}, title = {{APT Lazarus Targets Engineers with macOS Malware}}, date = {2022-08-17}, organization = {Threatpost}, url = {https://threatpost.com/apt-lazarus-macos-malware/180426/}, language = {English}, urldate = {2022-08-28} } @online{montalbano:20240522:novel:3cf988c, author = {Elizabeth Montalbano}, title = {{Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth}}, date = {2024-05-22}, organization = {DARKReading}, url = {https://www.darkreading.com/cyberattacks-data-breaches/novel-edr-killing-ghostengine-malware-stealth}, language = {English}, urldate = {2024-06-05} } @online{montalbano:20240620:vortax:b246499, author = {Elizabeth Montalbano}, title = {{'Vortax' Meeting Software Builds Elaborate Branding, Spreads Infostealers}}, date = {2024-06-20}, organization = {DARKReading}, url = {https://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers}, language = {English}, urldate = {2024-12-09} } @online{montenegro:20191112:weeding:acdd228, author = {Collin Montenegro and Mark Robinson}, title = {{Weeding out WannaMine v4.0: Analyzing and Remediating This Mineware Nightmare}}, date = {2019-11-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/}, language = {English}, urldate = {2020-11-25} } @online{montesino:20190508:get:ed8ceb4, author = {Francis Montesino}, title = {{Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0}}, date = {2019-05-08}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/smart-memory-dumping/}, language = {English}, urldate = {2020-01-13} } @online{montonen:20201218:combining:13fef73, author = {Camilla Montonen and Justin Ibarra}, title = {{Combining supervised and unsupervised machine learning for DGA detection}}, date = {2020-12-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection}, language = {English}, urldate = {2020-12-18} } @online{montysecurity:20240508:from:96707f3, author = {montysecurity}, title = {{From OSINT to Disk: Wave Stealer Analysis}}, date = {2024-05-08}, organization = {Medium (montysecurity)}, url = {https://montysecurity.medium.com/from-osint-to-disk-wave-stealer-analysis-2010d2e340f0}, language = {English}, urldate = {2024-06-28} } @online{moon:20180801:arrests:6c6b4d2, author = {Paul Moon}, title = {{Arrests Put New Focus on CARBON SPIDER Adversary Group}}, date = {2018-08-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/}, language = {English}, urldate = {2019-12-20} } @online{moon:20250618:masslogger:f7ff779, author = {Prashil Moon}, title = {{Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry}}, date = {2025-06-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/masslogger-fileless-vbe-registry-malware/}, language = {English}, urldate = {2025-06-25} } @online{moonlock:20250213:cybercrooks:1b53ece, author = {Moonlock}, title = {{Cybercrooks Are Using Fake Job Listings to Steal Crypto}}, date = {2025-02-13}, organization = {Moonlock}, url = {https://hackernoon.com/cybercrooks-are-using-fake-job-listings-to-steal-crypto}, language = {English}, urldate = {2025-05-21} } @online{moore:20200430:anomali:a12ce9e, author = {Sara Moore and Joakim Kennedy and Parthiban R and Rory Gould}, title = {{Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center}}, date = {2020-04-30}, organization = {Anomali}, url = {https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center}, language = {English}, urldate = {2020-05-04} } @online{moore:20201102:live:1632e2d, author = {Justin Moore and Wojciech Ledzion and Luis Rocha and Adrian Pisarczyk and Daniel Caban and Sara Rincon and Daniel Susin and Antonio Monaca}, title = {{Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945}}, date = {2020-11-02}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html}, language = {English}, urldate = {2020-11-06} } @online{moore:20201112:living:a1593bb, author = {Justin Moore and Jacob Thompson}, title = {{Living Off The Land on a Private Island: An Overview of UNC1945}}, date = {2020-11-12}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/451508}, language = {English}, urldate = {2020-12-15} } @online{moore:20210222:cyber:a641e26, author = {Andrew Moore and Genevieve Stark and Isif Ibrahima and Van Ta and Kimberly Goody}, title = {{Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion}}, date = {2021-02-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html}, language = {English}, urldate = {2021-02-25} } @online{moore:20230915:weaponising:debcaf2, author = {Phill Moore and Zach Stanford and Suyash Tripathi and Yogesh Khatri}, title = {{Weaponising VMs to bypass EDR – Akira ransomware}}, date = {2023-09-15}, organization = {CyberCX}, url = {https://cybercx.com.au/blog/akira-ransomware/}, language = {English}, urldate = {2023-09-15} } @online{morag:20200825:deep:7e5782d, author = {Assaf Morag}, title = {{Deep Analysis of TeamTNT Techniques Using Container Images to Attack}}, date = {2020-08-25}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/container-security-tnt-container-attack/}, language = {English}, urldate = {2024-10-21} } @online{morag:20200930:threat:bbffcaf, author = {Assaf Morag}, title = {{Threat Alert: TeamTNT is Back and Attacking Vulnerable Redis Servers}}, date = {2020-09-30}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/container-attacks-on-redis-servers/}, language = {English}, urldate = {2024-10-21} } @online{morag:20201202:threat:38ea6ef, author = {Assaf Morag and Idan Revivo}, title = {{Threat Alert: Fileless Malware Executing in Containers}}, date = {2020-12-02}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/fileless-malware-container-security/}, language = {English}, urldate = {2024-10-21} } @online{morag:20210217:threat:b99a6f4, author = {Assaf Morag}, title = {{Threat Alert: TeamTNT Pwn Campaign Against Docker and K8s Environments}}, date = {2021-02-17}, organization = {Aquasec}, url = {https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment}, language = {English}, urldate = {2021-02-20} } @online{morag:20211222:stopping:891ec3c, author = {Assaf Morag}, title = {{Stopping a DreamBus Botnet Attack with Aqua’s CNDR}}, date = {2021-12-22}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/aqua-cndr-stop-dreambus-botnet-attack/}, language = {English}, urldate = {2024-10-21} } @online{morag:20220329:threat:e86f441, author = {Assaf Morag}, title = {{Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks}}, date = {2022-03-29}, organization = {Aquasec}, url = {https://blog.aquasec.com/python-ransomware-jupyter-notebook}, language = {English}, urldate = {2022-04-05} } @online{morag:20220915:threat:b35ec09, author = {Assaf Morag and Asaf Eitani}, title = {{Threat Alert: New Malware in the Cloud By TeamTNT}}, date = {2022-09-15}, organization = {Aquasec}, url = {https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt}, language = {English}, urldate = {2022-09-19} } @online{morag:20230705:threat:ce7eb04, author = {Assaf Morag and Ofek Itach}, title = {{Threat Alert: Anatomy of Silentbob’s Cloud Attack}}, date = {2023-07-05}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/}, language = {English}, urldate = {2024-10-21} } @online{morag:20230713:teamtnt:3f538be, author = {Assaf Morag and Ofek Itach}, title = {{TeamTNT Reemerged with New Aggressive Cloud Campaign}}, date = {2023-07-13}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/}, language = {English}, urldate = {2024-10-21} } @online{morag:20230829:kinsing:88bf3f3, author = {Assaf Morag and Nitzan Yaakov}, title = {{Kinsing Malware Exploits Novel Openfire Vulnerability}}, date = {2023-08-29}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/}, language = {English}, urldate = {2024-10-21} } @online{morag:20231103:looney:cb605c4, author = {Assaf Morag}, title = {{Looney Tunables Vulnerability Exploited by Kinsing}}, date = {2023-11-03}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/}, language = {English}, urldate = {2024-10-21} } @online{morag:20240802:panamorfi:beab9e7, author = {Assaf Morag}, title = {{Panamorfi: A New Discord DDoS Campaign}}, date = {2024-08-02}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/}, language = {English}, urldate = {2024-10-21} } @online{morag:20240814:gafgyt:74f8a33, author = {Assaf Morag}, title = {{Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments}}, date = {2024-08-14}, organization = {Aquasec}, url = {https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/}, language = {English}, urldate = {2024-09-11} } @online{morag:20240819:pgmem:a316876, author = {Assaf Morag}, title = {{PG_MEM: A Malware Hidden in the Postgres Processes}}, date = {2024-08-19}, organization = {Aquasec}, url = {https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/}, language = {English}, urldate = {2024-09-13} } @online{morag:20240913:hadooken:fd897f0, author = {Assaf Morag}, title = {{Hadooken Malware Targets Weblogic Applications}}, date = {2024-09-13}, organization = {Aqua Nautilus}, url = {https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/}, language = {English}, urldate = {2024-10-21} } @online{morag:20241003:perfctl:20e43f5, author = {Assaf Morag and Idan Revivo}, title = {{perfctl: A Stealthy Malware Targeting Millions of Linux Servers}}, date = {2024-10-03}, organization = {Aqua}, url = {https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/}, language = {English}, urldate = {2024-10-17} } @online{morales:20220706:brandnew:3a02441, author = {Nathaniel Morales and Monte de Jesus and Ivan Nicole Chavez and Bren Matthew Ebriega and Joshua Paul Ignacio}, title = {{Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server}}, date = {2022-07-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html}, language = {English}, urldate = {2022-07-12} } @online{morales:20220802:solidbit:a4f9af7, author = {Nathaniel Morales and Ivan Nicole Chavez and Monte de Jesus and Lala Manly and Nathaniel Gregory Ragasa}, title = {{SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant}}, date = {2022-08-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html}, language = {English}, urldate = {2022-08-08} } @online{morales:20221216:agenda:7d354dd, author = {Nathaniel Morales and Ivan Nicole Chavez and Nathaniel Gregory Ragasa and Don Ovid Ladores and Jeffrey Francis Bonaobra and Monte de Jesus}, title = {{Agenda Ransomware Uses Rust to Target More Vital Industries}}, date = {2022-12-16}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html}, language = {English}, urldate = {2022-12-20} } @online{morales:20230126:new:c7aa03b, author = {Nathaniel Morales and Earle Maui Earnshaw and Don Ovid Ladores and Nick Dai and Nathaniel Gregory Ragasa}, title = {{New Mimic Ransomware Abuses Everything APIs for its Encryption Process}}, date = {2023-01-26}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html}, language = {English}, urldate = {2023-01-31} } @online{morales:20230220:royal:36bcea3, author = {Nathaniel Morales and Ivan Nicole Chavez and Byron Gelera}, title = {{Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers}}, date = {2023-02-20}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html}, language = {English}, urldate = {2023-03-04} } @online{morales:20230509:managed:63d09f1, author = {Khristian Joseph Morales and Gilbert Sison}, title = {{Managed XDR Investigation of Ducktail in Trend Micro Vision One}}, date = {2023-05-09}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html}, language = {English}, urldate = {2023-05-11} } @online{morales:20230814:monti:0b3d5e7, author = {Nathaniel Morales and Joshua Paul Ignacio}, title = {{Monti Ransomware Unleashes a New Encryptor for Linux}}, date = {2023-08-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html}, language = {English}, urldate = {2023-08-16} } @online{morales:20240205:philippines:bc3af2a, author = {Neil Jerome Morales and Michael Perry}, title = {{Philippines wards off cyber attacks from China-based hackers}}, date = {2024-02-05}, organization = {Reuters}, url = {https://www.reuters.com/world/asia-pacific/philippines-wards-off-cyber-attacks-china-based-hackers-2024-02-05/}, language = {English}, urldate = {2024-02-06} } @online{morales:20240421:fog:56808af, author = {Nathaniel Morales and Sarah Pearl Camiling}, title = {{FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE}}, date = {2024-04-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_be/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html}, language = {English}, urldate = {2025-05-02} } @online{moran:20130520:ready:6a59df8, author = {Ned Moran}, title = {{Ready for Summer: The Sunshop Campaign}}, date = {2013-05-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{moran:20130921:operation:0289318, author = {Ned Moran and Nart Villeneuve}, title = {{Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets}}, date = {2013-09-21}, organization = {FireEye}, url = {https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html}, language = {English}, urldate = {2020-06-08} } @online{moran:20140312:detailed:79efe09, author = {Ned Moran and Mike Oppenheim}, title = {{A Detailed Examination of the Siesta Campaign}}, date = {2014-03-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{moran:20140903:darwins:1b05935, author = {Ned Moran and Mike Oppenheim}, title = {{Darwin’s Favorite APT Group}}, date = {2014-09-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html}, language = {English}, urldate = {2019-12-20} } @online{moran:20141121:operation:18b04d9, author = {Ned Moran and Mike Scott and Mike Oppenheim and Joshua Homan}, title = {{Operation Double Tap}}, date = {2014-11-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html}, language = {English}, urldate = {2019-12-20} } @techreport{moran:20150810:italian:26b33c4, author = {Ned Moran and Ben Koehl}, title = {{The Italian Connection: An analysis of exploit supply chains and digital quartermasters}}, date = {2015-08-10}, institution = {shadowserver}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf}, language = {English}, urldate = {2020-01-07} } @online{moran:20200506:side:eeb6cac, author = {Ned Moran}, title = {{Tweet on side effects of Doxing in the context OilRig}}, date = {2020-05-06}, organization = {Twitter (@moranned)}, url = {https://twitter.com/moranned/status/1258040513883766784}, language = {English}, urldate = {2020-05-07} } @online{mordekoviz:20210630:smb:93a9547, author = {Liad Mordekoviz and Ophir Harpaz}, title = {{SMB Worm “Indexsinas” Uses Lateral Movement to Infect Whole Networks}}, date = {2021-06-30}, organization = {Guardicore}, url = {https://www.guardicore.com/labs/smb-worm-indexsinas/}, language = {English}, urldate = {2021-07-02} } @online{more:20211118:conti:f09071f, author = {Ghanshyam More}, title = {{Conti Ransomware}}, date = {2021-11-18}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware}, language = {English}, urldate = {2022-03-02} } @online{more:20220202:catching:aca19c0, author = {Ghanshyam More}, title = {{Catching the RAT called Agent Tesla}}, date = {2022-02-02}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla}, language = {English}, urldate = {2022-02-04} } @online{more:20220306:avoslocker:6a51fd8, author = {Ghanshyam More}, title = {{AvosLocker Ransomware Behavior Examined on Windows & Linux}}, date = {2022-03-06}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux}, language = {English}, urldate = {2022-03-10} } @online{morgan:20231018:governmentbacked:c2d85f5, author = {Kate Morgan}, title = {{Government-backed actors exploiting WinRAR vulnerability}}, date = {2023-10-18}, organization = {Google}, url = {https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/}, language = {English}, urldate = {2023-12-04} } @online{morimolymoly:20230802:hui:99bb65d, author = {morimolymoly}, title = {{HUI Loader — Malware Analysis Note}}, date = {2023-08-02}, organization = {Medium (@morimolymoly)}, url = {https://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3}, language = {English}, urldate = {2023-08-25} } @online{morley:20130208:bit9:edaa56d, author = {Patrick Morley}, title = {{Bit9 and Our Customers’ Security}}, date = {2013-02-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/}, language = {English}, urldate = {2020-05-18} } @techreport{morphisec:20210211:analysis:97c0b96, author = {Morphisec}, title = {{An Analysis of the Egregor Ransomware}}, date = {2021-02-11}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf}, language = {English}, urldate = {2021-02-18} } @online{morphisec:20210705:realtime:9a19062, author = {Morphisec}, title = {{Real-Time Prevention of the Kaseya VSA Supply Chain REvil Ransomware Attack}}, date = {2021-07-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack}, language = {English}, urldate = {2021-07-21} } @online{morris:20200528:sandworm:1268b2c, author = {Andrew Morris}, title = {{Tweet on Sandworm threat actor exploiting CVE-2019-10149}}, date = {2020-05-28}, organization = {Twitter (@Andrew___Morris)}, url = {https://twitter.com/Andrew___Morris/status/1266067003640512514?s=20}, language = {English}, urldate = {2020-05-29} } @online{morris:20210930:ransomexx:2ca1e51, author = {Brenton Morris}, title = {{RansomEXX, Fixing Corrupted Ransom}}, date = {2021-09-30}, organization = {Medium proferosec-osm}, url = {https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701}, language = {English}, urldate = {2021-10-20} } @online{morris:20220425:static:ae1f9c2, author = {Brenton Morris}, title = {{Static unpacker and decoder for Hello Kitty Packer}}, date = {2022-04-25}, organization = {Medium proferosec-osm}, url = {https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7}, language = {English}, urldate = {2022-04-29} } @online{morrison:20130119:cooperative:686af83, author = {Thomas Morrison}, title = {{Cooperative Efforts To Shut Down Virut Botnet}}, date = {2013-01-19}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet}, language = {English}, urldate = {2019-12-03} } @online{morrow:20210415:rise:73d9a21, author = {Dax Morrow and Ofer Caspi}, title = {{The rise of QakBot}}, date = {2021-04-15}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot}, language = {English}, urldate = {2021-04-16} } @online{morrow:20220719:prestashop:55554b0, author = {Matt Morrow}, title = {{PrestaShop Skimmer Concealed in One Page Checkout Module}}, date = {2022-07-19}, organization = {SUCURI}, url = {https://blog.sucuri.net/2022/07/prestashop-skimmer-concealed-in-one-page-checkout-module.html}, language = {English}, urldate = {2022-07-25} } @online{morsy:20210404:technical:197b7c7, author = {Mahmoud Morsy}, title = {{Technical report of AgentTesla}}, date = {2021-04-04}, organization = {menshaway blogspot}, url = {https://menshaway.blogspot.com/2021/04/agenttesla-malware.html}, language = {English}, urldate = {2021-04-06} } @online{morte:20091111:trojanwin32opachki:14a1a8d, author = {Malekal Morte}, title = {{Trojan:Win32/Opachki : redirections Google}}, date = {2009-11-11}, organization = {Malekal}, url = {https://forum.malekal.com/viewtopic.php?t=21806}, language = {English}, urldate = {2020-01-09} } @online{mosajjal:20220326:analysis:b94c029, author = {Ali Mosajjal}, title = {{Analysis of a Caddy Wiper Sample Targeting Ukraine}}, date = {2022-03-26}, organization = {n0p Blog}, url = {https://n0p.me/2022/03/2022-03-26-caddywiper/}, language = {English}, urldate = {2022-03-28} } @online{mosch:20210131:tale:ab5d7d7, author = {Fabian Mosch}, title = {{A tale of EDR bypass methods}}, date = {2021-01-31}, organization = {s3cur3th1ssh1t.github.io}, url = {https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/}, language = {English}, urldate = {2021-02-02} } @online{moses:20211117:ransomware:5d7431b, author = {Thomas Moses and Sarang Sonawane and Liviu Arsene}, title = {{Ransomware (R)evolution Plagues Organizations, But CrowdStrike Protection Never Wavers}}, date = {2021-11-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/}, language = {English}, urldate = {2021-11-19} } @online{moses:20241024:amazon:f6c63ef, author = {CJ Moses}, title = {{Amazon identified internet domains abused by APT29}}, date = {2024-10-24}, organization = {Amazon}, url = {https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/}, language = {English}, urldate = {2025-02-03} } @online{moshailov:20170313:moving:91556bc, author = {Roy Moshailov}, title = {{Moving Target Defense Blog}}, date = {2017-03-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/andromeda-tactics-analyzed}, language = {English}, urldate = {2020-01-13} } @online{mostwanted002:20221201:malware:c0d4dc7, author = {mostwanted002}, title = {{Malware Analysis and Triage Report : PirateStealer - Discord_beta.exe}}, date = {2022-12-01}, url = {https://mostwanted002.page/post/malware-analysis-and-triage-report-piratestealer}, language = {English}, urldate = {2023-10-09} } @online{motheram:20250530:tracking:a329a5d, author = {Himaja Motheram}, title = {{Tracking AyySSHush: a Newly Discovered ASUS Router Botnet Campaign}}, date = {2025-05-30}, organization = {Censys}, url = {https://censys.com/blog/tracking-ayysshush-a-newly-discovered-asus-router-botnet-campaign}, language = {English}, urldate = {2025-06-02} } @online{motoda:20250507:additional:97805fc, author = {Masaya Motoda and Rintaro Koike}, title = {{Additional Features of OtterCookie Malware Used by WaterPlum}}, date = {2025-05-07}, organization = {NTT Security}, url = {https://jp.security.ntt/tech_blog/en-waterplum-ottercookie}, language = {English}, urldate = {2025-05-12} } @online{mouse:20210729:ntlm:7f97289, author = {Rasta Mouse}, title = {{NTLM Relaying via Cobalt Strike}}, date = {2021-07-29}, organization = {Rasta Mouse}, url = {https://rastamouse.me/ntlm-relaying-via-cobalt-strike/}, language = {English}, urldate = {2021-07-29} } @online{mouton:20141114:regeorg:6befd0c, author = {Willem Mouton and Sam Hunter and Etienne Stalmans}, title = {{reGeorg}}, date = {2014-11-14}, organization = {Sensepost}, url = {https://sensepost.com/discover/tools/reGeorg/}, language = {English}, urldate = {2020-01-13} } @online{moutos:20240229:dissecting:836692b, author = {John Moutos}, title = {{Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service}}, date = {2024-02-29}, organization = {SANS ISC}, url = {https://dshield.org/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/}, language = {English}, urldate = {2024-03-01} } @online{moutos:20240404:slicing:0dd8198, author = {John Moutos}, title = {{Slicing up DoNex with Binary Ninja}}, date = {2024-04-04}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/30812}, language = {English}, urldate = {2024-04-15} } @online{moveax27:20230723:unpacking:ea6fb5f, author = {mov_eax_27}, title = {{Unpacking an Emotet Trojan}}, date = {2023-07-23}, organization = {Medium infoSec Write-ups}, url = {https://infosecwriteups.com/unpacking-emotet-trojan-dac7e6119a0a}, language = {English}, urldate = {2023-10-10} } @online{moyal:20180711:notcarbanak:b87716e, author = {Omri Segev Moyal}, title = {{NotCarbanak Mystery - Source Code Leak}}, date = {2018-07-11}, organization = {GelosSnake Blog}, url = {https://malware-research.org/carbanak-source-code-leaked/}, language = {English}, urldate = {2020-01-08} } @online{moyal:20211022:list:7934934, author = {Omri Segev Moyal}, title = {{Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money}}, date = {2021-10-22}, organization = {Twitter (@GelosSnake)}, url = {https://twitter.com/GelosSnake/status/1451465959894667275}, language = {English}, urldate = {2021-11-02} } @online{mozur:20210826:spies:3fe7b2b, author = {Paul Mozur and Chris Buckley}, title = {{Spies for Hire: China’s New Breed of Hackers Blends Espionage and Entrepreneurship}}, date = {2021-08-26}, organization = {The New York Times}, url = {https://www.nytimes.com/2021/08/26/technology/china-hackers.html}, language = {English}, urldate = {2021-09-12} } @online{mrfr05t:20191212:mrpeter:8ba7456, author = {mrfr05t}, title = {{Mr.Peter}}, date = {2019-12-12}, url = {https://github.com/mrfr05t/Mr.Peter}, language = {English}, urldate = {2020-03-13} } @online{mrun1k0d3r:20170912:thundershell:8d97ff3, author = {Mr-Un1k0d3r}, title = {{ThunderShell}}, date = {2017-09-12}, organization = {Github (Mr-Un1k0d3r)}, url = {https://github.com/Mr-Un1k0d3r/ThunderShell}, language = {English}, urldate = {2020-01-08} } @online{msec1203:20200620:analysis:3279dbd, author = {msec1203}, title = {{Analysis of LODEINFO Maldoc}}, date = {2020-06-20}, organization = {Cyber And Ramen blog}, url = {https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html}, language = {English}, urldate = {2020-06-21} } @online{msrc:20230906:results:7ed992f, author = {Microsoft Security Response Center (MSRC)}, title = {{Results of Major Technical Investigations for Storm-0558 Key Acquisition}}, date = {2023-09-06}, organization = {Microsoft}, url = {https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition}, language = {English}, urldate = {2023-09-11} } @online{mstic:20200910:strontium:eeaafcd, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{STRONTIUM: Detecting new patterns in credential harvesting}}, date = {2020-09-10}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/}, language = {English}, urldate = {2020-09-15} } @online{mstic:20210128:zinc:9c8aff4, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{ZINC attacks against security researchers}}, date = {2021-01-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/}, language = {English}, urldate = {2021-01-29} } @online{mstic:20210302:hafnium:58ec0a0, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}}, date = {2021-03-02}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/}, language = {English}, urldate = {2021-03-04} } @online{mstic:20210302:hafnium:c7d8588, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security}, title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}}, date = {2021-03-02}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers}, language = {English}, urldate = {2021-03-07} } @online{mstic:20210528:breaking:f55e372, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Breaking down NOBELIUM’s latest early-stage toolset}}, date = {2021-05-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/}, language = {English}, urldate = {2022-05-17} } @online{mstic:20210601:new:83aee4c, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{New sophisticated email-based attack from NOBELIUM}}, date = {2021-06-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/}, language = {English}, urldate = {2021-06-09} } @online{mstic:20210713:microsoft:5394367, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Microsoft discovers threat actor (DEV-0322) targeting SolarWinds Serv-U software with 0-day exploit}}, date = {2021-07-13}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/}, language = {English}, urldate = {2021-07-20} } @online{mstic:20210714:microsoft:6701699, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Microsoft delivers comprehensive solution to battle rise in consent phishing emails}}, date = {2021-07-14}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/}, language = {English}, urldate = {2021-07-20} } @online{mstic:20210715:protecting:8e27c6c, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware}}, date = {2021-07-15}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/}, language = {English}, urldate = {2021-07-20} } @online{mstic:20211011:iranlinked:0d8f98a, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors}}, date = {2021-10-11}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/}, language = {English}, urldate = {2021-10-26} } @online{mstic:20211025:nobelium:ce29e06, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{NOBELIUM targeting delegated administrative privileges to facilitate broader attacks}}, date = {2021-10-25}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/}, language = {English}, urldate = {2021-11-02} } @online{mstic:20211108:threat:0d18523, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus}}, date = {2021-11-08}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/}, language = {English}, urldate = {2021-11-09} } @online{mstic:20211116:evolving:9bd9d2e, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021}}, date = {2021-11-16}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/}, language = {English}, urldate = {2021-11-17} } @online{mstic:20211118:iranian:911ab04, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{Iranian targeting of IT sector on the rise}}, date = {2021-11-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/}, language = {English}, urldate = {2021-11-19} } @online{mstic:20211206:nickel:115c365, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{NICKEL targeting government organizations across Latin America and Europe}}, date = {2021-12-06}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/}, language = {English}, urldate = {2021-12-08} } @online{mstic:20220204:actinium:46543a2, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{ACTINIUM targets Ukrainian organizations}}, date = {2022-02-04}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations}, language = {English}, urldate = {2022-08-25} } @online{mstic:20220204:actinium:739151c, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{ACTINIUM targets Ukrainian organizations}}, date = {2022-02-04}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/}, language = {English}, urldate = {2022-02-07} } @online{mstic:20220602:exposing:b85423c, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{Exposing POLONIUM activity and infrastructure targeting Israeli organizations}}, date = {2022-06-02}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/}, language = {English}, urldate = {2022-06-02} } @online{mstic:20220705:hive:840b6e9, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Hive ransomware gets upgrades in Rust}}, date = {2022-07-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/}, language = {English}, urldate = {2022-07-13} } @online{mstic:20220712:from:3d3a8e3, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team}, title = {{From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud}}, date = {2022-07-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/}, language = {English}, urldate = {2022-07-15} } @online{mstic:20220714:north:876e680, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{North Korean threat actor (H0lyGh0st /DEV-0530) targets small and midsize businesses with H0lyGh0st ransomware}}, date = {2022-07-14}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/}, language = {English}, urldate = {2022-07-15} } @online{mstic:20220727:untangling:27dd5d0, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) and RiskIQ}, title = {{Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits}}, date = {2022-07-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/}, language = {English}, urldate = {2022-08-15} } @online{mstic:20220815:disrupting:528a65e, author = {Microsoft Threat Intelligence Center (MSTIC) and Office 365 Threat Research Team and Digital Threat Analysis Center (DTAC)}, title = {{Disrupting SEABORGIUM’s ongoing phishing operations}}, date = {2022-08-15}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/}, language = {English}, urldate = {2022-08-17} } @online{mstic:20220815:disrupting:6429d3a, author = {Microsoft Threat Intelligence Center (MSTIC) and Office 365 Threat Research Team and Digital Threat Analysis Center (DTAC)}, title = {{Disrupting SEABORGIUM’s ongoing phishing operations}}, date = {2022-08-15}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations}, language = {English}, urldate = {2022-08-18} } @online{mstic:20220824:magicweb:1bb7204, author = {Microsoft Threat Intelligence Center (MSTIC) and Detection and Response Team (DART) and Microsoft 365 Defender Team}, title = {{MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone}}, date = {2022-08-24}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/}, language = {English}, urldate = {2022-08-28} } @online{mstic:20220825:mercury:a02a670, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team and Microsoft 365 Defender Threat Intelligence Team}, title = {{MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations}}, date = {2022-08-25}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations}, language = {English}, urldate = {2022-08-30} } @online{mstic:20221010:dev0832:07768a3, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns}}, date = {2022-10-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/47766fbd}, language = {English}, urldate = {2022-10-19} } @techreport{mtac:20230901:russias:76e3f04, author = {Microsoft Threat Analysis Center (MTAC)}, title = {{Russia’s influence networks in Sahel activated after coups}}, date = {2023-09-01}, institution = {Microsoft}, url = {https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2023/09/Sahel-Gabon-Coup-Playbook-PDF.pdf}, language = {English}, urldate = {2023-09-08} } @online{mtac:20230907:sophistication:0ef654f, author = {Microsoft Threat Analysis Center (MTAC)}, title = {{Sophistication, scope, and scale: Digital threats from East Asia increase in breadth and effectiveness}}, date = {2023-09-07}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW}, language = {English}, urldate = {2023-09-11} } @techreport{mtac:20240401:same:de2327b, author = {Microsoft Threat Analysis Center (MTAC)}, title = {{Same targets, new playbooks: East Asia threat actors employ unique methods}}, date = {2024-04-01}, institution = {Microsoft}, url = {https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/MTAC-East-Asia-Report.pdf}, language = {English}, urldate = {2024-04-29} } @techreport{mtac:20240417:nationstates:7d0adad, author = {Microsoft Threat Analysis Center (MTAC)}, title = {{Nation-states engage in US-focused influence operations ahead of US presidential election}}, date = {2024-04-17}, institution = {Microsoft}, url = {https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2024/04/MTAC-Report-Elections-Report-Nation-states-engage-in-US-focused-influence-operations-ahead-of-US-presidential-election-04172024.pdf}, language = {English}, urldate = {2024-04-23} } @online{mtr:20210305:hafnium:b186219, author = {SOPHOS MTR}, title = {{HAFNIUM: Advice about the new nation-state attack}}, date = {2021-03-05}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/}, language = {English}, urldate = {2021-03-12} } @online{mudge:20191205:cobalt:219044e, author = {Raphael Mudge}, title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}}, date = {2019-12-05}, url = {https://blog.cobaltstrike.com/}, language = {English}, urldate = {2019-12-06} } @online{mudge:20200304:cobalt:176b61e, author = {Raphael Mudge}, title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}}, date = {2020-03-04}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/}, language = {English}, urldate = {2020-03-04} } @online{mudge:20200619:beacon:bc8ae77, author = {Raphael Mudge}, title = {{Beacon Object Files - Luser Demo}}, date = {2020-06-19}, organization = {Youtube (Raphael Mudge)}, url = {https://www.youtube.com/watch?v=gfYswA_Ronw}, language = {English}, urldate = {2020-06-23} } @online{mudge:20201106:cobalt:05fe8fc, author = {Raphael Mudge}, title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}}, date = {2020-11-06}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/}, language = {English}, urldate = {2020-11-09} } @online{mudge:20201208:red:8ccdfcf, author = {Raphael Mudge}, title = {{A Red Teamer Plays with JARM}}, date = {2020-12-08}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/}, language = {English}, urldate = {2021-01-11} } @online{mudge:20210209:learn:c08b657, author = {Raphael Mudge}, title = {{Learn Pipe Fitting for all of your Offense Projects}}, date = {2021-02-09}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/}, language = {English}, urldate = {2021-02-10} } @online{muffin:20240429:analysis:6741cee, author = {Muffin}, title = {{Analysis of Sarwent loader: Old ways die hard}}, date = {2024-04-29}, organization = {Securite360.net}, url = {https://securite360.net/analysis-of-serwent-loadercaption-checking-if-common-security-tools-are-running-on-the-host-analysis-of-serwent-loader}, language = {English}, urldate = {2025-03-05} } @online{muffin:20240603:unveiling:1deeed2, author = {Muffin}, title = {{Unveiling Sharp Panda’s New Loader}}, date = {2024-06-03}, organization = {Securite360.net}, url = {https://securite360.net/unveiling-sharp-pandas-new-loader}, language = {English}, urldate = {2024-12-20} } @online{muffin:20241213:painful:fa6c889, author = {Muffin}, title = {{A Painful Quickheal}}, date = {2024-12-13}, organization = {Securite360.net}, url = {https://securite360.net/a-painful-quickheal}, language = {English}, urldate = {2024-12-16} } @online{muffin:20250227:how:d4bfcc0, author = {Muffin}, title = {{How Long Can a Vulnerable Server Stay Clean on the Internet? A Honeypot Tale}}, date = {2025-02-27}, organization = {Securite360.net}, url = {https://securite360.net/how-long-can-a-vulnerable-server-stay-clean-on-the-internet-a-honeypot-tale}, language = {English}, urldate = {2025-02-28} } @online{muhammad:20180514:deep:d434cb2, author = {Irshad Muhammad and Shahzad Ahmed and Hassan Faizan and Zain Gardezi}, title = {{A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan}}, date = {2018-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html}, language = {English}, urldate = {2019-12-20} } @online{muhammad:20201122:analyzing:d3915d0, author = {Irshad Muhammad}, title = {{Analyzing an Emotet Dropper and Writing a Python Script to Statically Unpack Payload.}}, date = {2020-11-22}, organization = {Irshad's Blog}, url = {https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/}, language = {English}, urldate = {2020-11-23} } @online{muhammad:20210106:deep:8fa3a1f, author = {Irshad Muhammad and Holger Unterbrink}, title = {{A Deep Dive into Lokibot Infection Chain}}, date = {2021-01-06}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html}, language = {English}, urldate = {2021-01-10} } @online{muhan:20230214:hangeul:7b909eb, author = {muhan}, title = {{Hangeul (HWP) malware using steganography: RedEyes (ScarCruft)}}, date = {2023-02-14}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/47622/}, language = {Korean}, urldate = {2023-02-21} } @online{muir:20211214:analysis:fb34f1a, author = {Matt Muir}, title = {{Analysis of Novel Khonsari Ransomware Deployed by the Log4Shell Vulnerability}}, date = {2021-12-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/}, language = {English}, urldate = {2022-01-18} } @online{muir:20211221:continued:61d7698, author = {Matt Muir}, title = {{The Continued Evolution of Abcbot}}, date = {2021-12-21}, organization = {Cado Security}, url = {https://www.cadosecurity.com/the-continued-evolution-of-abcbot/}, language = {English}, urldate = {2022-01-05} } @online{muir:20220110:abcbot:ace96ad, author = {Matt Muir}, title = {{Abcbot - An Evolution of Xanthe}}, date = {2022-01-10}, organization = {Cado Security}, url = {https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/}, language = {English}, urldate = {2022-01-17} } @online{muir:20220406:cado:8544515, author = {Matt Muir and Chris Doman and Al Carchrie and Paul Scott}, title = {{Cado Discovers Denonia: The First Malware Specifically Targeting Lambda}}, date = {2022-04-06}, organization = {Cado Security}, url = {https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/}, language = {English}, urldate = {2022-08-08} } @online{muir:20220518:linux:047bb4d, author = {Matt Muir}, title = {{Linux Attack Techniques: Dynamic Linker Hijacking with LD Preload}}, date = {2022-05-18}, organization = {Cado Security}, url = {https://www.cadosecurity.com/linux-attack-techniques-dynamic-linker-hijacking-with-ld-preload}, language = {English}, urldate = {2022-05-25} } @online{muir:20230920:cado:0769cd6, author = {Matt Muir}, title = {{Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic}}, date = {2023-09-20}, organization = {Cado Security}, url = {https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/}, language = {English}, urldate = {2023-12-12} } @online{muir:20231204:p2pinfect:9bec92b, author = {Matt Muir}, title = {{P2Pinfect - New Variant Targets MIPS Devices}}, date = {2023-12-04}, organization = {Cado Security}, url = {https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/}, language = {English}, urldate = {2023-12-05} } @online{mulliner:20190105:getting:664dba2, author = {Collin Mulliner}, title = {{Getting 'rid' of pre-installed Malware on my YellYouth Android Tablet}}, date = {2019-01-05}, url = {https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html}, language = {English}, urldate = {2019-11-28} } @online{mullins:20220207:trellix:07fa2d5, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Invasion of the Information Snatchers - Protecting against RedLine Infostealer}}, date = {2022-02-07}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html}, language = {English}, urldate = {2022-02-09} } @online{mullins:20220228:trellix:5428964, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html}, language = {English}, urldate = {2022-03-07} } @online{mullins:20220228:trellix:6ab8bac, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html}, language = {English}, urldate = {2022-03-07} } @online{mullins:20220228:trellix:de4afa3, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html}, language = {English}, urldate = {2022-04-07} } @online{mundalik:20231123:unveiling:f04694e, author = {Suraj Mundalik}, title = {{Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground}}, date = {2023-11-23}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground}, language = {English}, urldate = {2024-01-31} } @online{mundo:20190122:happy:da0a9e1, author = {Alexandre Mundo}, title = {{Happy New Year 2019! Anatova is here!}}, date = {2019-01-22}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/}, language = {English}, urldate = {2020-01-09} } @online{mundo:20190801:clop:fa3429f, author = {Alexandre Mundo and Marc Rivero López}, title = {{Clop Ransomware}}, date = {2019-08-01}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{mundo:20191105:buran:4c6f9f5, author = {Alexandre Mundo and Marc Rivero López}, title = {{Buran Ransomware; the Evolution of VegaLocker}}, date = {2019-11-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/}, language = {English}, urldate = {2020-08-30} } @online{mundo:20200326:ransomware:05f2b18, author = {Alexandre Mundo}, title = {{Ransomware Maze}}, date = {2020-03-26}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/}, language = {English}, urldate = {2020-03-26} } @online{mundo:20200402:nemty:96afa32, author = {Alexandre Mundo and Marc Rivero López}, title = {{Nemty Ransomware – Learning by Doing}}, date = {2020-04-02}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/}, language = {English}, urldate = {2020-04-08} } @online{mundo:20200609:ragnarlocker:1f58a4a, author = {Alexandre Mundo}, title = {{RagnarLocker Ransomware Threatens to Release Confidential Information}}, date = {2020-06-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information}, language = {English}, urldate = {2020-06-10} } @techreport{mundo:20210224:technical:4d09445, author = {Alexandre Mundo and Thibault Seret and Thomas Roccia and John Fokker}, title = {{Technical Analysis of Babuk Ransomware}}, date = {2021-02-24}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf}, language = {English}, urldate = {2021-02-25} } @online{mundo:20210922:blackmatter:75b98d9, author = {Alexandre Mundo and Marc Elias}, title = {{BlackMatter Ransomware Analysis; The Dark Side Returns}}, date = {2021-09-22}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/}, language = {English}, urldate = {2021-09-23} } @online{mundo:20230403:royal:43c339b, author = {Alexandre Mundo and Max Kersten}, title = {{A Royal Analysis of Royal Ransom}}, date = {2023-04-03}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html}, language = {English}, urldate = {2023-04-06} } @online{mundo:20231129:akira:043e663, author = {Alexandre Mundo and Max Kersten}, title = {{Akira Ransomware}}, date = {2023-11-29}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html}, language = {English}, urldate = {2024-02-08} } @online{mundo:20231129:akira:5965a88, author = {Alexandre Mundo and Max Kersten}, title = {{Akira Ransomware}}, date = {2023-11-29}, organization = {Trellix}, url = {https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/}, language = {English}, urldate = {2023-11-30} } @online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } @online{munshaw:20220503:conti:ae16fc1, author = {JON MUNSHAW}, title = {{Conti and Hive ransomware operations: What we learned from these groups' victim chats}}, date = {2022-05-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html}, language = {English}, urldate = {2022-05-04} } @online{munshaw:20230928:security:98925a0, author = {Jonathan Munshaw}, title = {{The security pitfalls of social media sites offering ID-based authentication}}, date = {2023-09-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/}, language = {English}, urldate = {2023-12-04} } @online{munson:20200622:quick:1045211, author = {Dave Munson}, title = {{Quick Wins with Network Flow Analysis}}, date = {2020-06-22}, organization = {Team Cymru}, url = {https://web.archive.org/web/20220128032410/https://team-cymru.com/blog/2020/06/22/quick-wins-with-network-flow-analysis/}, language = {English}, urldate = {2022-03-28} } @online{muoz:20200528:octopus:308272c, author = {Alvaro Muñoz}, title = {{The Octopus Scanner Malware: Attacking the open source supply chain}}, date = {2020-05-28}, organization = {Github Security Lab}, url = {https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain}, language = {English}, urldate = {2020-05-29} } @online{muoz:20200531:ransomware:3549ba1, author = {Facundo Muñoz}, title = {{Ransomware Avaddon: principales características}}, date = {2020-05-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/}, language = {Spanish}, urldate = {2021-06-09} } @online{muoz:20200928:emerald:07900c2, author = {Facundo Muñoz}, title = {{The Emerald Connection: EquationGroup collaboration with Stuxnet}}, date = {2020-09-28}, organization = {fmmresearch wordpress}, url = {https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/}, language = {English}, urldate = {2020-10-04} } @techreport{muoz:20200928:emerald:1e7fceb, author = {Facundo Muñoz}, title = {{The Emerald Connection: Equation Group collaboration with Stuxnet}}, date = {2020-09-28}, institution = {fmmresearch wordpress}, url = {https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf}, language = {English}, urldate = {2020-10-04} } @online{muoz:20210406:janeleiro:b85a738, author = {Facundo Muñoz and Matías Porolli}, title = {{Janeleiro, the time traveler: A new old banking trojan in Brazil}}, date = {2021-04-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/}, language = {English}, urldate = {2021-04-06} } @online{muoz:20220118:donot:724cf3f, author = {Facundo Muñoz and Matías Porolli}, title = {{DoNot Go! Do not respawn!}}, date = {2022-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/}, language = {English}, urldate = {2022-01-18} } @online{muoz:20230314:slow:328edad, author = {Facundo Muñoz}, title = {{The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia}}, date = {2023-03-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/}, language = {English}, urldate = {2023-03-20} } @online{muoz:20230426:evasive:ee1ca61, author = {Facundo Muñoz}, title = {{Evasive Panda APT group delivers malware via updates for popular Chinese software}}, date = {2023-04-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/}, language = {English}, urldate = {2023-04-27} } @techreport{muoz:20240125:nspx30:0292130, author = {Facundo Muñoz}, title = {{NSPX30: A sophisticated AitM-enabled implant evolving since 2005}}, date = {2024-01-25}, institution = {JSAC 2024}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_2_facundo_en.pdf}, language = {English}, urldate = {2024-02-02} } @online{muoz:20240125:nspx30:f3fe290, author = {Facundo Muñoz}, title = {{NSPX30: A sophisticated AitM-enabled implant evolving since 2005}}, date = {2024-01-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/}, language = {English}, urldate = {2024-02-02} } @online{muoz:20250122:plushdaemon:ec9ad61, author = {Facundo Muñoz}, title = {{PlushDaemon compromises supply chain of Korean VPN service}}, date = {2025-01-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/}, language = {English}, urldate = {2025-01-27} } @online{murchie:20240729:unc4393:8407cd6, author = {Josh Murchie and Ashley Pearson and Joseph Pisano and Jake Nicastro and Joshua Shilko and Raymond Leong}, title = {{UNC4393 Goes Gently into the SILENTNIGHT}}, date = {2024-07-29}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight}, language = {English}, urldate = {2024-08-29} } @online{murchu:20071031:trojanbayrob:fe79efb, author = {Liam O Murchu}, title = {{Trojan.Bayrob Strikes Again!}}, date = {2007-10-31}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1}, language = {English}, urldate = {2020-01-13} } @online{murillo:20231120:netsupport:772540b, author = {Alex Murillo and Alan Ngo and Abe Schneider and Fae Carlisle and Nikki Benoit}, title = {{NetSupport RAT: The RAT King Returns}}, date = {2023-11-20}, organization = {vmware}, url = {https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html}, language = {English}, urldate = {2023-11-22} } @online{muroni:20200805:emotet:0fe027e, author = {Francesco Muroni}, title = {{Emotet API+string deobfuscator (v0.1)}}, date = {2020-08-05}, organization = {Github (mauronz)}, url = {https://github.com/mauronz/binja-emotet}, language = {English}, urldate = {2020-08-18} } @online{murphy:20180515:ir:ac5b561, author = {Keven Murphy and Stefano Maccaglia}, title = {{IR in Heterogeneous Environment}}, date = {2018-05-15}, organization = {BSides Detroit}, url = {https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment}, language = {English}, urldate = {2020-07-20} } @online{murphy:20200525:elastic:a743893, author = {Brent Murphy and David French and Jamie Butler}, title = {{The Elastic Guide to Threat Hunting}}, date = {2020-05-25}, organization = {Elastic}, url = {https://www.elastic.co/pdf/elastic-guide-to-threat-hunting}, language = {English}, urldate = {2020-06-08} } @online{murphy:20210318:now:d4bd40e, author = {Brandon Murphy and Dennis Schwarz and Jack Mott and Proofpoint Threat Research Team}, title = {{Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft}}, date = {2021-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft}, language = {English}, urldate = {2021-03-19} } @online{mushtaq:20090304:bancos:7666ba2, author = {Atif Mushtaq}, title = {{‘Bancos’ - A Brazilian Crook}}, date = {2009-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html}, language = {English}, urldate = {2021-01-25} } @online{mushtaq:20101027:bredolab:a2bb79f, author = {Atif Mushtaq}, title = {{Bredolab - It's not the size of the dog in the fight..}}, date = {2010-10-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html}, language = {English}, urldate = {2019-12-20} } @online{mushtaq:20101214:leouncia:35e77c5, author = {Atif Mushtaq}, title = {{Leouncia - Yet Another Backdoor - Part 2}}, date = {2010-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html}, language = {English}, urldate = {2019-12-20} } @online{mushtaq:20101214:leouncia:f19bf03, author = {Atif Mushtaq}, title = {{Leouncia - Yet Another Backdoor}}, date = {2010-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{mushtaq:20110322:harnig:eaf602a, author = {Atif Mushtaq}, title = {{Harnig Botnet: a retreating army}}, date = {2011-03-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html}, language = {English}, urldate = {2019-10-15} } @online{mushtaq:20110809:harnig:7920bd4, author = {Atif Mushtaq}, title = {{Harnig is Back}}, date = {2011-08-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html}, language = {English}, urldate = {2019-12-20} } @online{muzi:20210702:skip:09c3cd8, author = {muzi}, title = {{Skip the Middleman: Dridex Document to Cobalt Strike}}, date = {2021-07-02}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cryptone-cobalt-strike/}, language = {English}, urldate = {2021-07-06} } @online{muzi:20210902:crossplatform:31ac1a5, author = {muzi}, title = {{Cross-Platform Java Dropper: Snake and XLoader (Mac Version)}}, date = {2021-09-02}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/}, language = {English}, urldate = {2022-03-25} } @online{muzi:20211206:agent:5a2c732, author = {muzi}, title = {{AGENT TESLAGGAH}}, date = {2021-12-06}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/agent-teslaggah/}, language = {English}, urldate = {2021-12-07} } @online{muzi:20220115:bazarloader:68ae068, author = {muzi}, title = {{BazarLoader - Back from Holiday Break}}, date = {2022-01-15}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/bazarloader-back-from-holiday-break/}, language = {English}, urldate = {2022-01-25} } @online{muzi:20220708:cruloader:ee30473, author = {muzi}, title = {{CRULOADER: ZERO2AUTO}}, date = {2022-07-08}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cruloader-zero2auto/}, language = {English}, urldate = {2023-08-07} } @online{muzi:20220722:trash:35e5803, author = {muzi}, title = {{THE TRASH PANDA REEMERGES FROM THE DUMPSTER: RACCOON STEALER V2}}, date = {2022-07-22}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/}, language = {English}, urldate = {2023-08-07} } @online{muzi:20220806:look:840677d, author = {muzi}, title = {{A LOOK BACK AT BAZARLOADER’S DGA}}, date = {2022-08-06}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/a-look-back-at-bazarloaders-dga/}, language = {English}, urldate = {2023-08-07} } @online{muzi:20230629:guloader:f6bfa8f, author = {muzi}, title = {{GuLoader: Navigating a Maze of Intricacy}}, date = {2023-06-29}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/guloader-navigating-a-maze-of-intricacy/}, language = {English}, urldate = {2023-07-05} } @online{mvaks:20250209:analysis:61a04f5, author = {mvaks}, title = {{Analysis of malicious mobile applications impersonating popular Polish apps — OLX, Allegro, IKO}}, date = {2025-02-09}, organization = {Medium (@mvaks)}, url = {https://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d}, language = {English}, urldate = {2025-06-11} } @online{mvaks:20250212:two:12a0087, author = {mvaks}, title = {{Two tales and one Antidot(e) — a new mobile malware campaign in Poland}}, date = {2025-02-12}, organization = {Medium (@mvaks)}, url = {https://medium.com/@mvaks/two-tales-and-one-antidot-e-a-new-mobile-malware-campaign-in-poland-de704997096f}, language = {English}, urldate = {2025-06-11} } @online{mvaks:20250528:bombardino:a438bdf, author = {mvaks}, title = {{Bombardino Crocodilo in Poland — analysis of IKO Lokaty mobile malware campaign}}, date = {2025-05-28}, organization = {Medium (@mvaks)}, url = {https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3}, language = {English}, urldate = {2025-06-11} } @online{mvaks:20250531:crocodilus:5b75795, author = {mvaks}, title = {{Crocodilus in the wild: Mapping the campaign in Poland}}, date = {2025-05-31}, organization = {Medium (@mvaks)}, url = {https://medium.com/@mvaks/crocodilus-in-the-wild-mapping-the-campaign-in-poland-15d3078eb954}, language = {English}, urldate = {2025-06-11} } @online{mvtproject:20210718:mobile:15d676b, author = {mvt-project}, title = {{Mobile Verification Toolkit}}, date = {2021-07-18}, organization = {Github (mvt-project)}, url = {https://github.com/mvt-project/mvt}, language = {English}, urldate = {2021-07-24} } @online{mycert:20200208:ma774022020:4b7fd13, author = {MyCERT}, title = {{MA-774.022020: MyCERT Advisory - Espionage Campaign Based On Technical Indicators}}, date = {2020-02-08}, organization = {MyCERT}, url = {https://www.mycert.org.my/portal/advisory?id=MA-774.022020}, language = {English}, urldate = {2020-08-17} } @online{myers:20120724:new:2dbd887, author = {Lysa Myers}, title = {{New Apple Mac Trojan Called OSX/Crisis Discovered}}, date = {2012-07-24}, organization = {The Mac Security Blog}, url = {https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?}, language = {English}, urldate = {2020-01-09} } @online{myers:20121012:new:33ecff1, author = {Lysa Myers}, title = {{New Multiplatform Backdoor Jacksbot Discovered}}, date = {2012-10-12}, organization = {The Mac Security Blog}, url = {https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered}, language = {English}, urldate = {2020-01-09} } @online{myers:20170509:carbon:63860ae, author = {Jared Myers}, title = {{Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading}}, date = {2017-05-09}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/}, language = {English}, urldate = {2020-03-11} } @online{myers:20170818:threat:6ee2607, author = {Jared Myers}, title = {{Threat Analysis: Carbon Black Threat Research Dissects PNG Dropper}}, date = {2017-08-18}, organization = {vmware}, url = {https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/}, language = {English}, urldate = {2020-01-09} } @online{myers:20180227:threat:11a58a0, author = {Jared Myers}, title = {{Threat Analysis: ROKRAT Malware}}, date = {2018-02-27}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/}, language = {English}, urldate = {2019-10-23} } @online{myers:20180710:carbon:cc54d00, author = {Jared Myers}, title = {{Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools}}, date = {2018-07-10}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/}, language = {English}, urldate = {2020-01-10} } @online{myers:20200521:tau:4f64594, author = {Jared Myers}, title = {{TAU Technical Report: New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data}}, date = {2020-05-21}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/}, language = {English}, urldate = {2020-05-23} } @online{myngerbayev:20200617:click:fe87ba2, author = {Michael Myngerbayev}, title = {{A Click from the Backyard | Analysis of CVE-2020-9332, a Vulnerable USB Redirection Software}}, date = {2020-06-17}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/click-from-the-backyard-cve-2020-9332/}, language = {English}, urldate = {2020-06-19} } @online{myonlinesecurity:20170820:return:cf54ed9, author = {MyOnlineSecurity}, title = {{return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload}}, date = {2017-08-20}, organization = {MyOnlineSecurity}, url = {http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/}, language = {English}, urldate = {2020-11-26} } @online{myonlinesecurity:20190313:fake:b89ed04, author = {MyOnlineSecurity}, title = {{Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware}}, date = {2019-03-13}, organization = {MyOnlineSecurity}, url = {https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/}, language = {English}, urldate = {2020-11-26} } @online{myonlinesecurity:20190625:more:a611b77, author = {MyOnlineSecurity}, title = {{More AgentTesla keylogger and Nanocore RAT in one bundle}}, date = {2019-06-25}, organization = {MyOnlineSecurity}, url = {https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/}, language = {English}, urldate = {2019-11-27} } @online{myre:20201221:how:a411419, author = {Greg Myre and Laurel Wamsley}, title = {{How A Cybersecurity Firm Uncovered The Massive Computer Hack}}, date = {2020-12-21}, organization = {npr}, url = {https://www.npr.org/2020/12/21/948843356/how-a-cybersecurity-firm-uncovered-the-massive-computer-hack}, language = {English}, urldate = {2020-12-23} } @online{mythicagents:20220516:apollo:c6fa8d1, author = {MythicAgents}, title = {{Apollo on Github}}, date = {2022-05-16}, organization = {Github (MythicAgents)}, url = {https://github.com/MythicAgents/Apollo}, language = {English}, urldate = {2022-11-05} } @online{mzorich:20220228:detecting:7fd9162, author = {mzorich}, title = {{Detecting malware kill chains with Defender and Microsoft Sentinel}}, date = {2022-02-28}, organization = {Microsoft Sentinel 101}, url = {https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/}, language = {English}, urldate = {2022-03-02} } @online{n1nj4sec:20190822:pupy:a822ccd, author = {n1nj4sec}, title = {{Pupy RAT}}, date = {2019-08-22}, organization = {Github (n1nj4sec)}, url = {https://github.com/n1nj4sec/pupy}, language = {English}, urldate = {2020-01-07} } @online{n:20220816:asyncrat:024d336, author = {Pawan Kumar N}, title = {{AsyncRAT C2 Framework: Overview, Technical Analysis & Detection}}, date = {2022-08-16}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection}, language = {English}, urldate = {2022-08-17} } @online{n:20250220:aptc28:e51640d, author = {Balaji N}, title = {{APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware}}, date = {2025-02-20}, organization = {Cyber Security News}, url = {https://cybersecuritynews.com/apt-c-28-group-launched-new-cyber-attack-with-fileless-rokrat-malware/}, language = {English}, urldate = {2025-02-21} } @online{nadji:20210728:telegram:c6c506a, author = {Yacin Nadji}, title = {{Telegram Zeek, you’re my main notice}}, date = {2021-07-28}, organization = {Corelight}, url = {https://corelight.blog/2021/07/28/telegram-zeek-youre-my-main-notice/}, language = {English}, urldate = {2021-08-02} } @online{nadler:20190227:ramnit:e00b14d, author = {Asaf Nadler}, title = {{Ramnit in the UK}}, date = {2019-02-27}, organization = {Akamai}, url = {https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html}, language = {English}, urldate = {2020-07-03} } @online{nafisi:20201226:active:6d96005, author = {Ramin Nafisi}, title = {{Tweet on active exploitation of 0day vulnerability in the SolarWinds Orion}}, date = {2020-12-26}, organization = {Twitter (@MalwareRE)}, url = {https://twitter.com/MalwareRE/status/1342888881373503488}, language = {English}, urldate = {2021-01-01} } @online{nafisi:20210304:goldmax:3fa3f68, author = {Ramin Nafisi and Andrea Lelli and Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence}}, date = {2021-03-04}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware}, language = {English}, urldate = {2021-03-06} } @online{nafisi:20210304:goldmax:f699172, author = {Ramin Nafisi and Andrea Lelli}, title = {{GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence}}, date = {2021-03-04}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/}, language = {English}, urldate = {2021-03-07} } @online{nafisi:20210927:foggyweb:3a85efc, author = {Ramin Nafisi and Microsoft Threat Intelligence Center (MSTIC)}, title = {{FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor}}, date = {2021-09-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/}, language = {English}, urldate = {2021-09-28} } @techreport{nagaraja:200903:snooping:97d62e1, author = {Shishir Nagaraja and Ross Anderson}, title = {{The snooping dragon:social-malware surveillanceof the Tibetan movement}}, date = {2009-03}, institution = {}, url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf}, language = {English}, urldate = {2019-11-08} } @techreport{nagy:201811:enter:55f745e, author = {Luca Nagy}, title = {{Enter the Matrix (Ransomware)}}, date = {2018-11}, institution = {Sophos}, url = {https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf}, language = {English}, urldate = {2019-12-20} } @techreport{nagy:20190129:matrix:1c5ce00, author = {Luca Nagy}, title = {{Matrix: A Low-key Targeted Ransomware}}, date = {2019-01-29}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf}, language = {English}, urldate = {2022-03-18} } @online{nagy:20190305:gandcrab:1ed654f, author = {Luca Nagy and Suriya Natarajan and Vikas Singh}, title = {{GandCrab 101: All about the most widely distributed ransomware of the moment}}, date = {2019-03-05}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/}, language = {English}, urldate = {2022-03-18} } @online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } @online{nagy:20221024:uncovering:803597f, author = {Luca Nagy and Google Threat Analysis Group}, title = {{Uncovering a broad criminal ecosystem powered by one of the largest botnets}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=5Gz6_I-wl0E}, language = {English}, urldate = {2024-04-15} } @techreport{nagy:202210:uncovering:713dd5b, author = {Luca Nagy and Google Threat Analysis Group}, title = {{Uncovering a broad criminal ecosystem powered by one of the largest botnets, Glupteba.}}, date = {2022-10}, institution = {Youtube (Virus Bulletin)}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Uncovering-a-broad-criminal-ecosystem-powered-by-one-of-the-largest-botnets-Glupteba.pdf}, language = {English}, urldate = {2024-04-15} } @techreport{nagy:202210:uncovering:ab28dc3, author = {Luca Nagy and Google Threat Analysis Group}, title = {{Uncovering a broad criminal ecosystem powered by one of the largest botnets, Glupteba. (slides)}}, date = {2022-10}, institution = {Youtube (Virus Bulletin)}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Uncovering-a-broad-criminal-ecosystem-Glupteba.pdf}, language = {English}, urldate = {2024-04-15} } @online{nahman:20201019:new:587d93c, author = {Chen Nahman and Ofir Ozer and Limor Kessem}, title = {{New Vizom Malware Discovered Targets Brazilian Bank Customers with Remote Overlay Attacks}}, date = {2020-10-19}, organization = {IBM Security}, url = {https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/}, language = {English}, urldate = {2020-10-23} } @online{naik:20240921:malware:0b3a73a, author = {Mandar Naik}, title = {{Malware Analysis - PXRECVOWEIWOEI}}, date = {2024-09-21}, url = {https://mandarnaik016.in/blog/2024-09-21-malware-analysis-pxrecvoweiwoei/}, language = {English}, urldate = {2024-10-14} } @online{naik:20241005:malware:dce0459, author = {Mandar Naik}, title = {{Malware Analysis - Lumma Stealer}}, date = {2024-10-05}, url = {https://mandarnaik016.in/blog/2024-10-05-malware-analysis-lumma-stealer/}, language = {English}, urldate = {2024-10-14} } @online{nair:20210312:spearphishing:6df60be, author = {Prajeet Nair}, title = {{Spear-Phishing Campaign Distributes Nim-Based Malware}}, date = {2021-03-12}, organization = {HealthcareInfoSecurity}, url = {https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176}, language = {English}, urldate = {2021-06-29} } @online{nair:20220225:muddywater:62fb30e, author = {Prajeet Nair}, title = {{MuddyWater Targets Critical Infrastructure in Asia, Europe}}, date = {2022-02-25}, organization = {infoRisk TODAY}, url = {https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611}, language = {English}, urldate = {2022-03-04} } @online{nair:20220312:iranian:86d630b, author = {Prajeet Nair}, title = {{Iranian APT: New Methods to Target Turkey, Arabian Peninsula}}, date = {2022-03-12}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706}, language = {English}, urldate = {2022-03-14} } @online{nair:20220402:cyber:6b4f95f, author = {Prajeet Nair}, title = {{Cyber Espionage Actor Deploying Malware Using Excel}}, date = {2022-04-02}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830}, language = {English}, urldate = {2022-04-06} } @online{nairuzabulhul:20170428:keyplexer:c7407b6, author = {nairuzabulhul}, title = {{KeyPlexer}}, date = {2017-04-28}, url = {https://github.com/nairuzabulhul/KeyPlexer}, language = {English}, urldate = {2020-03-13} } @techreport{nakajima:20210224:malware:0f5ff88, author = {Shota Nakajima and Hara Hiroaki}, title = {{Malware Analysis at Scale - Defeating Emotet by Ghidra}}, date = {2021-02-24}, institution = {Allsafe}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf}, language = {English}, urldate = {2021-02-26} } @online{nakamura:20170126:malware:273897c, author = {Yu Nakamura}, title = {{Malware ChChes interacts with C & C server using Cookie header}}, date = {2017-01-26}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/magazine/acreport-ChChes.html}, language = {Japanese}, urldate = {2019-07-09} } @online{nakamura:20170821:detecting:98daf4d, author = {Yu Nakamura}, title = {{Detecting Datper Malware from Proxy Logs}}, date = {2017-08-21}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html}, language = {English}, urldate = {2020-01-13} } @online{nakash:20241126:stealth:420b97e, author = {Gal Nakash}, title = {{Stealth in the Cloud: How APT36's ElizaRAT is Redefining Cyber Espionage}}, date = {2024-11-26}, organization = {Reco AI}, url = {https://www.reco.ai/blog/how-apt36-elizarat-redefines-cyber-espionage}, language = {English}, urldate = {2025-02-19} } @online{nakashima:20180113:russian:fce58a2, author = {Ellen Nakashima}, title = {{Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes}}, date = {2018-01-13}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html}, language = {English}, urldate = {2020-01-06} } @online{nakashima:20201010:cyber:9f29985, author = {Ellen Nakashima}, title = {{Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election}}, date = {2020-10-10}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html}, language = {English}, urldate = {2020-10-12} } @online{nakashima:20201117:fewer:fcd9b91, author = {Ellen Nakashima}, title = {{Fewer opportunities and a changed political environment in the U.S. may have curbed Moscow’s election interference this year, analysts say}}, date = {2020-11-17}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/national-security/russia-failed-to-mount-major-election-interference-operations-in-2020-analysts-say/2020/11/16/72c62b0c-1880-11eb-82db-60b15c874105_story.html}, language = {English}, urldate = {2020-11-19} } @online{nakashima:20201219:trump:c3cadbf, author = {Ellen Nakashima}, title = {{Trump, contradicting Pompeo, downplays gravity of massive cyberattack against U.S. government, as well as Russia’s role}}, date = {2020-12-19}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/national-security/russia-is-behind-the-broad-ongoing-cyber-spy-campaign-against-the-us-government-and-private-sector-pompeo-says/2020/12/19/8c850cf0-41b3-11eb-8bc0-ae155bee4aff_story.html}, language = {English}, urldate = {2020-12-19} } @online{nakashima:20201223:fbi:855ce0d, author = {Ellen Nakashima and Amy Gardner and Aaron C. Davis}, title = {{FBI links Iran to online hit list targeting top officials who’ve refuted Trump’s election fraud claims}}, date = {2020-12-23}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/national-security/iran-election-fraud-violence/2020/12/22/4a28e9ba-44a8-11eb-a277-49a6d1f9dff1_story.html}, language = {English}, urldate = {2020-12-23} } @online{nakashima:20201226:russian:bbba501, author = {Ellen Nakashima}, title = {{Russian hackers compromised Microsoft cloud customers through third party, putting emails and other data at risk}}, date = {2020-12-26}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/national-security/russia-hack-microsoft-cloud/2020/12/24/dbfaa9c6-4590-11eb-975c-d17b8815a66d_story.html}, language = {English}, urldate = {2021-01-01} } @online{nakashima:20210921:fbi:ce8f168, author = {Ellen Nakashima and Rachel Lerman}, title = {{FBI held back ransomware decryption key from businesses to run operation targeting hackers}}, date = {2021-09-21}, organization = {Washington Post}, url = {https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html}, language = {English}, urldate = {2021-10-05} } @online{nakashima:20231211:chinas:74f61ca, author = {Ellen Nakashima and Joseph Menn}, title = {{China’s cyber army is invading critical U.S. services}}, date = {2023-12-11}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2023/12/11/china-hacking-hawaii-pacific-taiwan-conflict/}, language = {English}, urldate = {2023-12-12} } @online{nakatsuru:20151119:decrypting:8be1808, author = {You Nakatsuru}, title = {{Decrypting Strings in Emdivi}}, date = {2015-11-19}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html}, language = {English}, urldate = {2019-11-28} } @techreport{nakatsuru:20190118:understanding:15cc8b9, author = {You Nakatsuru}, title = {{Understanding Command and Control - An Anatomy of xxmm Communication}}, date = {2019-01-18}, institution = {Dell Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf}, language = {English}, urldate = {2019-12-10} } @online{nalim:20210528:darkside:5eb7387, author = {Mina Nalim}, title = {{DarkSide on Linux: Virtual Machines Targeted}}, date = {2021-05-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html}, language = {English}, urldate = {2021-06-01} } @online{namestnikov:20141218:chthonic:74e24b9, author = {Yury Namestnikov and Vladimir Kuskov and Oleg Kupreev}, title = {{Chthonic: a new modification of ZeuS}}, date = {2014-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/chthonic-a-new-modification-of-zeus/68176/}, language = {English}, urldate = {2019-12-20} } @online{namestnikov:20190508:fin75:443b111, author = {Yury Namestnikov and Félix Aime}, title = {{FIN7.5: the infamous cybercrime rig “FIN7” continues its activities}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/}, language = {English}, urldate = {2019-12-20} } @online{nan:20230913:analysis:9aecc86, author = {Nan and XWS}, title = {{Analysis of the recent offensive operations conducted by North Korean APT groups}}, date = {2023-09-13}, organization = {Seebug Paper}, url = {https://paper.seebug.org/3031/}, language = {English}, urldate = {2024-02-08} } @online{nandanwar:20230301:onenote:07aefe0, author = {Meghraj Nandanwar and Shatak Jain}, title = {{OneNote: A Growing Threat for Malware Distribution}}, date = {2023-03-01}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution}, language = {English}, urldate = {2023-03-13} } @online{nandanwar:20230327:dbatloader:a8f205c, author = {Meghraj Nandanwar and Satyam Singh}, title = {{DBatLoader: Actively Distributing Malwares Targeting European Businesses}}, date = {2023-03-27}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses}, language = {English}, urldate = {2023-03-29} } @online{nandanwar:20230725:hibernating:7cf0533, author = {Meghraj Nandanwar and Satyam Singh and Pradeep Mahato}, title = {{Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis}}, date = {2023-07-25}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis}, language = {English}, urldate = {2023-07-31} } @online{naor:20190302:israeli:f2685e6, author = {Ido Naor}, title = {{An Israeli website nagish[.]co[.]il was compromised and one of its subdomains (embedded in dozens of websites (including gov and media) became temporary water holes for Israeli residents.}}, date = {2019-03-02}, url = {https://twitter.com/IdoNaor1/status/1101936940297924608}, language = {English}, urldate = {2019-10-17} } @online{naor:20220804:sockbot:c6eedb6, author = {Ido Naor and Felipe Duarte}, title = {{Sockbot In Goland - Linking APT Actors With Ransomware Gangs}}, date = {2022-08-04}, organization = {YouTube (Security Joes)}, url = {https://www.youtube.com/watch?v=CAMnuhg-Qos}, language = {English}, urldate = {2022-08-08} } @online{naosec:20180101:analyzing:0efde89, author = {nao_sec}, title = {{Analyzing Ramnit used in Seamless campaign}}, date = {2018-01-01}, organization = {nao_sec blog}, url = {http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html}, language = {English}, urldate = {2020-01-08} } @online{naosec:20190427:analyzing:27f1d35, author = {nao_sec}, title = {{Analyzing Amadey}}, date = {2019-04-27}, organization = {nao_sec}, url = {https://nao-sec.org/2019/04/Analyzing-amadey.html}, language = {English}, urldate = {2020-01-08} } @online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } @online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } @online{naosec:20210415:exploit:b5fe0b8, author = {nao_sec}, title = {{Exploit Kit still sharpens a sword}}, date = {2021-04-15}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html}, language = {English}, urldate = {2021-04-20} } @online{naosec:20241016:icepeony:ee09ccc, author = {nao_sec}, title = {{IcePeony with the '996' work culture}}, date = {2024-10-16}, organization = {nao_sec}, url = {https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html}, language = {English}, urldate = {2024-11-04} } @online{narang:20201012:cve20201472:ab699e9, author = {Satnam Narang}, title = {{CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities}}, date = {2020-10-12}, organization = {Tenable}, url = {https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain}, language = {English}, urldate = {2023-02-17} } @online{nash:20210510:rise:2ec5f2e, author = {A J Nash}, title = {{Rise of the Chief Intelligence Officer (CINO)}}, date = {2021-05-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/rise-of-the-chief-intelligence-officer-cino}, language = {English}, urldate = {2021-05-13} } @online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } @online{natan:20150515:rovnix:870b5a4, author = {Hanan Natan}, title = {{Rovnix Dropper Analysis (TrojanDropper:Win32/Rovnix.P)}}, date = {2015-05-15}, organization = {Malware Digger}, url = {http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html}, language = {English}, urldate = {2019-11-05} } @online{natan:20150626:rovnix:e6022ec, author = {Hanan Natan}, title = {{Rovnix Payload Analysis}}, date = {2015-06-26}, url = {http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html}, language = {English}, urldate = {2019-12-24} } @online{nataraj:20191001:lemonduck:9b1cce6, author = {Rajesh Nataraj and Vikas Singh and Michael Wood}, title = {{Lemon_Duck PowerShell malware cryptojacks enterprise networks}}, date = {2019-10-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/}, language = {English}, urldate = {2022-02-19} } @online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2022-02-16} } @online{natarajan:20220818:hardwarebased:3c88744, author = {Suriyaraj Natarajan and Andrea Lelli and Amitrajit Banerjee and Microsoft 365 Defender Research Team}, title = {{Hardware-based threat defense against increasingly complex cryptojackers}}, date = {2022-08-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/18/hardware-based-threat-defense-against-increasingly-complex-cryptojackers}, language = {English}, urldate = {2022-08-18} } @online{nation:20201220:transcript:42ee02c, author = {Face the Nation}, title = {{Transcript: Kevin Mandia on "Face the Nation," December 20, 2020}}, date = {2020-12-20}, organization = {CBS News}, url = {https://www.cbsnews.com/news/transcript-kevin-mandia-on-face-the-nation-december-20-2020/}, language = {English}, urldate = {2021-01-01} } @online{nato:20210415:north:823013b, author = {NATO}, title = {{North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia}}, date = {2021-04-15}, organization = {North Atlantic Treaty Organization}, url = {https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en}, language = {English}, urldate = {2021-04-16} } @techreport{natvig:20210421:run:6b843e0, author = {Kurt Natvig}, title = {{Run Your Malicious VBA Macros Anywhere!}}, date = {2021-04-21}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-run-your-malicious-vba-anywhere.pdf}, language = {English}, urldate = {2021-04-28} } @online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } @online{naumaan:20250417:around:bbc808a, author = {Saher Naumaan and Mark Kelly and Greg Lesnewich and Josh Miller}, title = {{Around the World in 90 Days: State-Sponsored Actors Try ClickFix}}, date = {2025-04-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix}, language = {English}, urldate = {2025-04-28} } @online{naumov:20230814:breaking:9fe9961, author = {Pavel Naumov and Artem Grischenko}, title = {{Breaking down Gigabud banking malware with Group-IB Fraud Matrix}}, date = {2023-08-14}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/gigabud-banking-malware/}, language = {English}, urldate = {2023-08-30} } @online{naumovax:20240901:suspected:adc9848, author = {X (@naumovax)}, title = {{Suspected PrivateLoader}}, date = {2024-09-01}, url = {https://x.com/naumovax/status/1841092516302504155}, language = {English}, urldate = {2024-11-25} } @techreport{nautilus:20210622:attacks:c19add6, author = {TEAM Nautilus}, title = {{Attacks in the Wild on the Container Supply Chain and Infrastructure}}, date = {2021-06-22}, institution = {Aqua}, url = {https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf}, language = {English}, urldate = {2021-06-23} } @techreport{nautilus:20240503:kinsing:54cb1f6, author = {Aqua Nautilus}, title = {{Kinsing Demystified: A Comprehensive Technical Guide}}, date = {2024-05-03}, institution = {Aqua Nautilus}, url = {https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Threat%20reports/AquaSecurity_Kinsing_Demystified_Technical_Guide.pdf}, language = {English}, urldate = {2024-05-13} } @online{navali:20220815:detecting:5abdd3d, author = {Vikram Navali}, title = {{Detecting a Rogue Domain Controller – DCShadow Attack}}, date = {2022-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/}, language = {English}, urldate = {2022-08-18} } @online{navarrete:20210308:attack:6238643, author = {Chris Navarrete and Yanhui Jia and Matthew Tennis and Durgesh Sangvikar and Rongbo Shao}, title = {{Attack Chain Overview: Emotet in December 2020 and January 2021}}, date = {2021-03-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/}, language = {English}, urldate = {2021-03-11} } @online{navarrete:20220316:cobalt:015f5df, author = {Chris Navarrete and Durgesh Sangvikar and Andrew Guan and Yu Fu and Yanhui Jia and Siddhart Shibiraj}, title = {{Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect}}, date = {2022-03-16}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/}, language = {English}, urldate = {2022-03-18} } @online{navarrete:20220506:cobalt:8248108, author = {Chris Navarrete and Durgesh Sangvikar and Yu Fu and Yanhui Jia and Siddhart Shibiraj}, title = {{Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding}}, date = {2022-05-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/}, language = {English}, urldate = {2022-05-09} } @online{navarrete:20220713:cobalt:dd907c3, author = {Chris Navarrete and Durgesh Sangvikar and Yu Fu and Yanhui Jia and Siddhart Shibiraj}, title = {{Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption}}, date = {2022-07-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/}, language = {English}, urldate = {2022-07-15} } @online{naveen:20220607:phishing:704f5f7, author = {Jyothi Naveen and Kiran Raj}, title = {{Phishing Campaigns featuring Ursnif Trojan on the Rise}}, date = {2022-06-07}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/}, language = {English}, urldate = {2022-06-15} } @online{naves:20210923:tanglebot:6c8a246, author = {Felipe Naves and Andrew Conway and W. Stuart Jones and Adam McNeil}, title = {{TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures}}, date = {2021-09-23}, organization = {Cloudmark}, url = {https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19}, language = {English}, urldate = {2021-09-28} } @online{naves:20211004:mobile:e0f89e7, author = {Felipe Naves and Adam McNeil and Andrew Conway}, title = {{Mobile Malware: TangleBot Untangled}}, date = {2021-10-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled}, language = {English}, urldate = {2021-10-24} } @online{nayyar:20100615:clash:8d2f45c, author = {Harshit Nayyar}, title = {{Clash of the Titans: ZeuS v SpyEye}}, date = {2010-06-15}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393}, language = {English}, urldate = {2020-01-09} } @techreport{nazario:200710:blackenergy:f414256, author = {Jose Nazario}, title = {{BlackEnergy DDoS Bot Analysis}}, date = {2007-10}, institution = {Arbor Networks}, url = {http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf}, language = {English}, urldate = {2022-04-25} } @online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } @techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } @techreport{nazarov:20231109:modern:5e2cdb2, author = {Nikita Nazarov and Kirill Mitrofanov and Alexander Kirichenko and Vladislav Burtsev and Natalya Shornikova and Vasily Berdnikov and Sergey Kireev}, title = {{Modern Asian APT Groups}}, date = {2023-11-09}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf}, language = {English}, urldate = {2023-12-15} } @online{nca:20240220:international:fc1102d, author = {National Crime Agency (NCA)}, title = {{International investigation disrupts the world’s most harmful cyber crime group}}, date = {2024-02-20}, organization = {National Crime Agency}, url = {https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group}, language = {English}, urldate = {2024-02-20} } @online{nccgroup:20210131:itw:c033bfc, author = {NCCGroup}, title = {{Tweet on ITW exploitation of 0-day in SonicWall SMA 100 series}}, date = {2021-01-31}, organization = {Twitter (@NCCGroupInfosec)}, url = {https://twitter.com/NCCGroupInfosec/status/1355850304596680705}, language = {English}, urldate = {2021-02-02} } @online{nccgroup:20210614:incremental:da01496, author = {NCCGroup and Fox-IT Data Science Team}, title = {{Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes}}, date = {2021-06-14}, organization = {nccgroup}, url = {https://research.nccgroup.com/2021/06/14/incremental-machine-leaning-by-example-detecting-suspicious-activity-with-zeek-data-streams-river-and-ja3-hashes/}, language = {English}, urldate = {2021-06-21} } @online{nccgroup:20211011:snapmc:d2395ab, author = {NCCGroup}, title = {{SnapMC skips ransomware, steals data}}, date = {2021-10-11}, organization = {NCC Group}, url = {https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/}, language = {English}, urldate = {2021-10-25} } @techreport{nccic:20171218:malware:42d9be2, author = {NCCIC}, title = {{Malware Analysis Report on Hatman}}, date = {2017-12-18}, institution = {NCCIC}, url = {https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{nccic:20180309:malware:191ad79, author = {NCCIC}, title = {{Malware Analysis Report Sharpknot}}, date = {2018-03-09}, institution = {NCCIC}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf}, language = {English}, urldate = {2019-11-25} } @techreport{nccic:20180410:mar1735201:b351b8c, author = {NCCIC}, title = {{MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A)}}, date = {2018-04-10}, institution = {NCCIC}, url = {https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF}, language = {English}, urldate = {2021-08-09} } @techreport{ncscuk:20230418:jaguar:421e6fb, author = {United Kingdom’s National Cyber Security Centre (NCSC-UK)}, title = {{Jaguar Tooth - Cisco IOS malware that collects device information and enables backdoor access}}, date = {2023-04-18}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf}, language = {English}, urldate = {2023-04-22} } @techreport{neagu:20210518:new:52eb07f, author = {Mihai Neagu and Bogdan Botezatu and George Mihali and Aron Radu and Ștefan Trifescu}, title = {{New WastedLoader Campaign Delivered Through RIG Exploit Kit}}, date = {2021-05-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf}, language = {English}, urldate = {2021-05-19} } @techreport{neagu:20220418:redline:9eb0a9a, author = {Mihai Neagu}, title = {{RedLine Stealer Analysis}}, date = {2022-04-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf}, language = {English}, urldate = {2022-04-29} } @techreport{neagu:20220427:redline:98fb07b, author = {Mihai Neagu}, title = {{RedLine Stealer Resurfaces in Fresh RIG Exploit Kit Campaign}}, date = {2022-04-27}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf}, language = {English}, urldate = {2022-06-02} } @online{neal:20200212:loda:3334939, author = {Chris Neal}, title = {{Loda RAT Grows Up}}, date = {2020-02-12}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html}, language = {English}, urldate = {2020-02-13} } @online{neal:20200331:trickbot:dcf5314, author = {Chris Neal}, title = {{Trickbot: A primer}}, date = {2020-03-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/03/trickbot-primer.html}, language = {English}, urldate = {2020-04-01} } @online{neal:20200929:lodarat:d1cf82f, author = {Chris Neal}, title = {{LodaRAT Update: Alive and Well}}, date = {2020-09-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html}, language = {English}, urldate = {2020-10-04} } @online{neal:20220310:wednesday:fc375b1, author = {Chris Neal}, title = {{WEDNESDAY, MARCH 9, 2022 Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools}}, date = {2022-03-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html}, language = {English}, urldate = {2022-03-14} } @online{neal:20221117:get:dc7734e, author = {Chris Neal}, title = {{Get a Loda This: LodaRAT meets new friends}}, date = {2022-11-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/get-a-loda-this/}, language = {English}, urldate = {2023-12-04} } @online{neduchal:20220613:linux:67027a5, author = {Jan Neduchal and David Álvarez}, title = {{Linux Threat Hunting: ‘Syslogk’ a kernel rootkit found under development in the wild}}, date = {2022-06-13}, organization = {Avast Decoded}, url = {https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/}, language = {English}, urldate = {2022-06-15} } @techreport{neemani:20200312:lost:80ccbd2, author = {Dor Neemani and Omer Fishel and Hod Gavriel}, title = {{Lost in the Maze}}, date = {2020-03-12}, institution = {Cyberbit}, url = {https://www.docdroid.net/dUpPY5s/maze.pdf}, language = {English}, urldate = {2020-03-22} } @online{neemani:20210701:diavol:d1ed746, author = {Dor Neemani and Asaf Rubinfeld}, title = {{Diavol - A New Ransomware Used By Wizard Spider?}}, date = {2021-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider}, language = {English}, urldate = {2021-12-15} } @online{neeraj:20211119:exmatter:c7d7d45, author = {neeraj}, title = {{Tweet on Exmatter, custom data exfiltration tool, used by Blackmatter ransomware group}}, date = {2021-11-19}, organization = {Twitter (@knight0x07)}, url = {https://twitter.com/knight0x07/status/1461787168037240834?s=20}, language = {English}, urldate = {2021-11-29} } @online{neeraj:20220118:thread:f5c7756, author = {neeraj}, title = {{Thread on yet another comprehensive analysis of WHISPERGATE}}, date = {2022-01-18}, organization = {Twitter (@knight0x07)}, url = {https://twitter.com/knight0x07/status/1483401072102502400}, language = {English}, urldate = {2022-01-31} } @online{neeraj:20250227:nailaoloader:669b9c4, author = {neeraj}, title = {{NailaoLoader: Hiding Execution Flow via Patching}}, date = {2025-02-27}, organization = {Github (knight0x07)}, url = {https://github.com/knight0x07/NailaoLoader-Hiding-Execution-Flow}, language = {English}, urldate = {2025-03-05} } @online{neff:20220224:threat:93f498c, author = {Mitch Neff}, title = {{Threat Advisory: Current executive guidance for ongoing cyberattacks in Ukraine}}, date = {2022-02-24}, organization = {Talos}, url = {https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html}, language = {English}, urldate = {2022-03-01} } @techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } @online{neis:20220912:chiseling:58925b9, author = {Markus Neis and Ross Phillips and Steven Campbell and Teresa Whitmore and Alex Ammons and Arctic Wolf Labs Team}, title = {{Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free}}, date = {2022-09-12}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/}, language = {English}, urldate = {2022-09-15} } @techreport{nejad:20220726:ducktail:04c6c82, author = {Mohammad Kazem Hassan Nejad}, title = {{DUCKTAIL: An infostealer malware targeting Facebook Business accounts}}, date = {2022-07-26}, institution = {WithSecure}, url = {https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf}, language = {English}, urldate = {2023-11-14} } @techreport{nejad:20240417:kapeka:4aa6f9d, author = {Mohammad Kazem Hassan Nejad}, title = {{KAPEKA A novel backdoor spotted in Eastern Europe}}, date = {2024-04-17}, institution = {WithSecure}, url = {https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf}, language = {English}, urldate = {2024-04-17} } @online{nelson:20160122:impact:3c6330e, author = {Nell Nelson}, title = {{The Impact of Dragonfly Malware on Industrial Control Systems}}, date = {2016-01-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672}, language = {English}, urldate = {2020-01-08} } @online{nelson:20171003:flusihoc:6240b1c, author = {TJ Nelson}, title = {{The Flusihoc Dynasty, A Long Standing DDoS Botnet}}, date = {2017-10-03}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/}, language = {English}, urldate = {2020-01-06} } @online{nelson:20171218:medusahttp:6bf896f, author = {TJ Nelson}, title = {{MedusaHTTP DDoS Slithers Back into the Spotlight}}, date = {2017-12-18}, organization = {Arbor Networks}, url = {https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/}, language = {English}, urldate = {2019-12-18} } @online{nelson:20220324:chinese:da166ef, author = {Nate Nelson}, title = {{Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection}}, date = {2022-03-24}, organization = {Threat Post}, url = {https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/}, language = {English}, urldate = {2022-03-25} } @online{nelson:20220324:microsoft:027f9d7, author = {Nate Nelson}, title = {{Microsoft Help Files Disguise Vidar Malware}}, date = {2022-03-24}, organization = {Threat Post}, url = {https://threatpost.com/microsoft-help-files-vidar-malware/179078/}, language = {English}, urldate = {2022-03-25} } @online{nelson:20230803:russian:fc161cb, author = {Nate Nelson}, title = {{Russian APT 'BlueCharlie' Swaps Infrastructure to Evade Detection}}, date = {2023-08-03}, organization = {DARKReading}, url = {https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection}, language = {English}, urldate = {2023-08-03} } @online{nelson:20240419:evil:abbd9f0, author = {Nate Nelson}, title = {{Evil XDR: Researcher Turns Palo Alto Software Into Perfect Malware}}, date = {2024-04-19}, organization = {DARKReading}, url = {https://www.darkreading.com/application-security/evil-xdr-researcher-turns-palo-alto-software-into-perfect-malware}, language = {English}, urldate = {2024-04-29} } @online{nemes:20171128:newly:b2b9018, author = {Sandor Nemes and Abhay Vaish}, title = {{Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection}}, date = {2017-11-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html}, language = {English}, urldate = {2019-12-20} } @online{nemes:20180318:spying:1484329, author = {Sandor Nemes}, title = {{Spying on botnets}}, date = {2018-03-18}, organization = {YouTube (BSidesBudapest - IT Security Conference)}, url = {https://www.youtube.com/watch?v=kifEqpRoZns}, language = {English}, urldate = {2024-11-25} } @online{nemes:20200109:saigon:d0a0c27, author = {Sandor Nemes and Zander Work}, title = {{SAIGON, the Mysterious Ursnif Fork}}, date = {2020-01-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html}, language = {English}, urldate = {2020-01-13} } @online{nemes:20221019:from:e7513af, author = {Sandor Nemes and Sulian Lebegue and Jesse Valdez}, title = {{From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind}}, date = {2022-10-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud}, language = {English}, urldate = {2023-01-13} } @online{neosoc:20201210:icedid:b05d899, author = {NeoSOC}, title = {{マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説}}, date = {2020-12-10}, organization = {NRI SECURE}, url = {https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid}, language = {Japanese}, urldate = {2020-12-11} } @online{netbytesec:20210228:deobfuscating:a975d4c, author = {NetbyteSEC}, title = {{Deobfuscating Emotet Macro Document and Powershell Command}}, date = {2021-02-28}, url = {https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html}, language = {English}, urldate = {2022-02-14} } @online{netenrich:20151006:cutting:6815c15, author = {Netenrich}, title = {{CUTTING KITTEN}}, date = {2015-10-06}, organization = {Netenrich}, url = {https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten}, language = {English}, urldate = {2022-07-29} } @online{netlab:20171205:warning:fbac66a, author = {360 Netlab}, title = {{Warning: Satori, a Mirai Branch Is Spreading in Worm Style on Port 37215 and 52869}}, date = {2017-12-05}, organization = {360 netlab}, url = {http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/}, language = {English}, urldate = {2020-01-09} } @online{netlab:20180718:botnet:f218bd8, author = {360 Netlab}, title = {{Tweet on Botnet}}, date = {2018-07-18}, organization = {Twitter (@360Netlab)}, url = {https://twitter.com/360Netlab/status/1019759516789821441}, language = {English}, urldate = {2020-01-13} } @online{netlab:20220419:public:0ce406b, author = {360 Netlab}, title = {{Public Cloud Cybersecurity Threat Intelligence (202203)}}, date = {2022-04-19}, organization = {360}, url = {https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/}, language = {English}, urldate = {2022-04-25} } @online{netlab:20220805:new:d4f6a02, author = {360 Netlab}, title = {{A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information}}, date = {2022-08-05}, organization = {360 netlab}, url = {https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/}, language = {English}, urldate = {2022-08-30} } @online{nettitude:20200101:repository:640d828, author = {Nettitude}, title = {{Repository for Python Server for PoshC2}}, date = {2020-01-01}, organization = {Github (nettitude)}, url = {https://github.com/nettitude/PoshC2_Python/}, language = {English}, urldate = {2020-01-08} } @techreport{networks:20160613:survey:c78b147, author = {Macnica Networks}, title = {{Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition}}, date = {2016-06-13}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/security_report_20160613.pdf}, language = {Japanese}, urldate = {2021-03-02} } @techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } @techreport{networks:20190401:trends:cf738dc, author = {Macnica Networks}, title = {{Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018}}, date = {2019-04-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf}, language = {Japanese}, urldate = {2021-03-02} } @techreport{networks:201904:oceanlotus:8ceeac3, author = {Macnica Networks}, title = {{OceanLotus Attack on Southeast Asian Automotive Industry}}, date = {2019-04}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpression_automobile.pdf}, language = {Japanese}, urldate = {2021-03-02} } @techreport{networks:20191001:trends:30fb713, author = {Macnica Networks}, title = {{Trends in Cyber ​​Espionage Targeting Japan 1st Half of 2019}}, date = {2019-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } @online{networks:20200128:tick:e511a29, author = {Macnica Networks}, title = {{Tick ​​Group Aiming at Japanese Manufacturing}}, date = {2020-01-28}, organization = {Macnica Networks}, url = {https://www.macnica.net/mpressioncss/feature_05.html/}, language = {Japanese}, urldate = {2021-01-01} } @techreport{networks:20240501:reality:7e01ce4, author = {Macnica Networks}, title = {{The Reality of Targeted Attacks and Countermeasures: Trends in Cyber Espionage (Targeted Attacks) Targeting Japan FY2023}}, date = {2024-05-01}, institution = {Macnica}, url = {https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2023.pdf}, language = {Japanese}, urldate = {2024-07-24} } @online{neuberger:20210217:update:f24ad1e, author = {Anne Neuberger}, title = {{Update on Investigaton on Solarwinds supply chain attack from the Deputy National Security Advisor}}, date = {2021-02-17}, organization = {YouTube (The White House)}, url = {https://youtu.be/Ta_vatZ24Cs?t=59}, language = {English}, urldate = {2021-02-18} } @online{neuberger:20210629:cyber:dbbba1d, author = {Anne Neuberger and Dmitri Alperovitch}, title = {{Cyber Strategy in the Biden Era: A Conversation with Anne Neuberger}}, date = {2021-06-29}, organization = {Silverado Policy Accelerator}, url = {https://www.youtube.com/watch?v=vm4p1_qDO2M}, language = {English}, urldate = {2021-06-29} } @online{neumann:20180208:udpos:57b42e3, author = {Robert Neumann and Luke Somerville}, title = {{UDPoS - exfiltrating credit card data via DNS}}, date = {2018-02-08}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns}, language = {English}, urldate = {2019-11-25} } @online{neumann:20181128:autocad:fd33ef6, author = {Robert Neumann}, title = {{AutoCAD Malware - Computer Aided Theft}}, date = {2018-11-28}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft}, language = {English}, urldate = {2020-01-10} } @techreport{neumann:20190430:tinypos:b8d391f, author = {Robert Neumann}, title = {{TinyPOS: An analysis of a Point-Of-Sale malware ecosystem}}, date = {2019-04-30}, institution = {Forcepoint}, url = {https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf}, language = {English}, urldate = {2019-12-19} } @online{neumann:20191226:finspydokumentation:6ec7c63, author = {Linus Neumann}, title = {{FinSpy-Dokumentation}}, date = {2019-12-26}, organization = {Github (Linuzifer)}, url = {https://github.com/linuzifer/FinSpy-Dokumentation}, language = {English}, urldate = {2020-01-08} } @online{neumann:20210305:advancements:674749e, author = {Robert Neumann and Kurt Natvig}, title = {{Advancements in Invoicing - A highly sophisticated way to distribute ZLoader}}, date = {2021-03-05}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader}, language = {English}, urldate = {2021-03-30} } @online{neupane:20200524:using:2f77c1c, author = {Ajaya Neupane and Stefan Achleitner}, title = {{Using AI to Detect Malicious C2 Traffic}}, date = {2020-05-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/c2-traffic/}, language = {English}, urldate = {2021-06-09} } @online{neville:20131004:zeroaccess:187bf5f, author = {Alan Neville and Ross Gibb}, title = {{ZeroAccess Indepth}}, date = {2013-10-04}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/zeroaccess-indepth-13-en}, language = {English}, urldate = {2025-06-20} } @online{newman:20170712:iranian:5dd7386, author = {Lily Hay Newman}, title = {{Iranian Hackers Have Been Infiltrating Critical Infrastructure Companies}}, date = {2017-07-12}, organization = {Wired}, url = {https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/}, language = {English}, urldate = {2020-01-08} } @online{newman:20180404:billiondollar:e03f005, author = {Lily Hay Newman}, title = {{The Billion-Dollar Hacking Group Behind a String of Big Breaches}}, date = {2018-04-04}, organization = {Wired}, url = {https://www.wired.com/story/fin7-carbanak-hacking-group-behind-a-string-of-big-breaches/}, language = {English}, urldate = {2025-01-26} } @online{newman:20181128:russian:811b704, author = {Lily Hay Newman}, title = {{Russian Hackers Haven't Stopped Probing the US Power Grid (Temp.Isotope)}}, date = {2018-11-28}, organization = {Wired}, url = {https://www.wired.com/story/russian-hackers-us-power-grid-attacks/}, language = {English}, urldate = {2020-10-23} } @online{newman:20210323:modpipe:cc931fb, author = {Niall Newman and Mark Shelhart}, title = {{ModPipe Malware has a new module that siphons Credit Card Data}}, date = {2021-03-23}, organization = {Foregenix}, url = {https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data}, language = {English}, urldate = {2021-03-25} } @online{newman:20211116:ghostwriter:970c096, author = {Lily Hay Newman}, title = {{‘Ghostwriter’ Looks Like a Purely Russian Op - Except It's Not}}, date = {2021-11-16}, organization = {Wired}, url = {https://www.wired.com/story/ghostwriter-hackers-belarus-russia-misinformationo/}, language = {English}, urldate = {2021-11-17} } @online{news:20150619:russian:7295c92, author = {Alliance News}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-09-15} } @online{news:20160804:iranian:5f8a693, author = {SecurityWeek News}, title = {{Iranian Actor "Group5" Targeting Syrian Opposition}}, date = {2016-08-04}, organization = {SecurityWeek}, url = {https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition}, language = {English}, urldate = {2019-12-17} } @online{news:20180821:microsoft:f0674db, author = {BBC News}, title = {{Microsoft claims win over 'Russian political hackers'}}, date = {2018-08-21}, organization = {BBC}, url = {https://www.bbc.co.uk/news/technology-45257081}, language = {English}, urldate = {2019-10-30} } @online{news:20181004:russian:92336c6, author = {MSN News}, title = {{Russian hackers accused of targeting UN chemical weapons watchdog, MH17 files}}, date = {2018-10-04}, organization = {Unknown}, url = {https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny}, language = {English}, urldate = {2020-04-06} } @online{news:20200626:russian:a1216ac, author = {BBC News}, title = {{Russian hacker group Evil Corp targets US workers at home}}, date = {2020-06-26}, organization = {BBC}, url = {https://www.bbc.com/news/world-us-canada-53195749}, language = {English}, urldate = {2020-11-02} } @online{news:20211110:playstation:be4ced5, author = {malware news}, title = {{Playstation 5 hacked—twice!}}, date = {2021-11-10}, organization = {Malware.News}, url = {https://malware.news/t/playstation-5-hacked-twice/54441/1}, language = {English}, urldate = {2024-09-27} } @online{news:20220406:ukraine:129d66a, author = {The Hacker News}, title = {{Ukraine Warns of Cyber attack Aiming to Hack Users' Telegram Messenger Accounts}}, date = {2022-04-06}, organization = {Vulners}, url = {https://vulners.com/thn/THN:4C1C2CD10F20E08DD74D465450DF3F17?utm_source=rss&utm_medium=rss&utm_campaign=rss}, language = {English}, urldate = {2023-11-27} } @online{news:20221102:missile:c05bfe5, author = {CySecurity News}, title = {{Missile Supplier MBDA Breach Disclosed by CloudSEK}}, date = {2022-11-02}, organization = {CySecurity News}, url = {https://www.cysecurity.news/2022/11/missile-supplier-mbda-breach-disclosed.html}, language = {English}, urldate = {2024-12-09} } @online{news:20230923:transunion:2b000f3, author = {CySecurity News}, title = {{TransUnion Refutes Data Breach Reports Amid Hacker's Claims}}, date = {2023-09-23}, organization = {CySecurity News}, url = {https://www.cysecurity.news/2023/09/transunion-refutes-data-breach-reports.html}, language = {English}, urldate = {2025-05-02} } @online{news:20240129:blackwood:8966d0e, author = {Security News}, title = {{Blackwood APT Group Has a New DLL Loader}}, date = {2024-01-29}, organization = {SonicWall}, url = {https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/}, language = {English}, urldate = {2024-02-08} } @online{news:20240427:cryptocurrency:a5760b9, author = {CySecurity News}, title = {{Cryptocurrency Chaos: El Salvador's Bitcoin Wallet Code Leaked, Privacy at Risk}}, date = {2024-04-27}, organization = {CySecurity News}, url = {https://www.cysecurity.news/2024/04/cryptocurrency-chaos-el-salvadors.html}, language = {English}, urldate = {2024-12-11} } @online{news:20240617:truist:27dd659, author = {CySecurity News}, title = {{Truist Bank Confirms Data Breach After Information Surfaces on Hacking Forum}}, date = {2024-06-17}, organization = {CySecurity News}, url = {https://www.cysecurity.news/2024/06/truist-bank-confirms-data-breach-after.html}, language = {English}, urldate = {2024-12-11} } @online{news:20240624:infamous:b14e112, author = {CySecurity News}, title = {{Infamous Hacker IntelBroker Breaches Apple's Security, Leaks Internal Tool Source Code}}, date = {2024-06-24}, organization = {CySecurity News}, url = {https://www.cysecurity.news/2024/06/infamous-hacker-intelbroker-breaches.html}, language = {English}, urldate = {2024-09-04} } @online{news:20240827:autoit:bf27792, author = {Security News}, title = {{AutoIT Bot Targets Gmail Accounts First}}, date = {2024-08-27}, organization = {SonicWall}, url = {https://blog.sonicwall.com/en-us/2024/08/autoit-bot-targets-gmail-accounts-first/}, language = {English}, urldate = {2024-09-13} } @online{newsroom:20231228:new:0f92431, author = {Newsroom}, title = {{New Rugmi Malware Loader Surges with Hundreds of Daily Detections}}, date = {2023-12-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2023/12/new-rugmi-malware-loader-surges-with.html}, language = {English}, urldate = {2024-01-02} } @online{newsroom:20240206:beware:2f5be34, author = {Newsroom}, title = {{Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials}}, date = {2024-02-06}, organization = {The Hacker News}, url = {https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1}, language = {English}, urldate = {2024-02-07} } @online{newsroom:20240318:apt28:0bb8481, author = {Newsroom}, title = {{APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme}}, date = {2024-03-18}, organization = {The Hacker News}, url = {https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1}, language = {English}, urldate = {2024-03-27} } @online{ng:20250310:prevent:de7daef, author = {Ken Ng}, title = {{Prevent, Detect, Contain: LevelBlue MDR’s Guide Against Black Basta Affiliates’ Attacks}}, date = {2025-03-10}, organization = {LevelBlue}, url = {https://cyber.levelblue.com/m/356d41d295da03cc/original/WP-LevelBlue-MDRs-Guide-Against-Black-Basta.docx}, language = {English}, urldate = {2025-03-25} } @online{ngn:20201219:re0172:c0a6b21, author = {Trương Quốc Ngân}, title = {{[RE017-2] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 2)}}, date = {2020-12-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html}, language = {English}, urldate = {2020-12-19} } @online{ngn:20201219:re0181:bd0904c, author = {Trương Quốc Ngân}, title = {{[RE018-1] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 1}}, date = {2020-12-19}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html}, language = {English}, urldate = {2020-12-23} } @online{ngn:20201225:re0182:4a2ca92, author = {Trương Quốc Ngân}, title = {{[RE018-2] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 2}}, date = {2020-12-25}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1}, language = {English}, urldate = {2020-12-26} } @online{ngn:20210217:re020:76db05d, author = {Trương Quốc Ngân}, title = {{[RE020] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT}}, date = {2021-02-17}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html}, language = {English}, urldate = {2021-02-20} } @online{ngn:20210703:re023:cc6ccb9, author = {Trương Quốc Ngân and Dang Dinh Phuong}, title = {{[RE023] Quick analysis and removal tool of a series of new malware variant of Panda group that has recently targeted to Vietnam VGCA}}, date = {2021-07-03}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/07/re023-quick-analysis-and-removal-tool-series-of-new-malware-variant-of-Panda-group-that-has-recently-targeted-to-Vietnam-VGCA.html}, language = {English}, urldate = {2021-07-05} } @online{nguyen:20190202:wordbased:89a23db, author = {Bach Nguyen}, title = {{Word-based Malware Attack}}, date = {2019-02-02}, organization = {CyStack}, url = {https://blog.cystack.net/word-based-malware-attack/}, language = {English}, urldate = {2019-12-20} } @online{nguyen:20211228:attack:3bd88b5, author = {Trung Nguyen and Son Nguyen and Chau Ha and Chau Nguyen and Khoi Vu and Duong Tran}, title = {{The attack on ONUS – A real-life case of the Log4Shell vulnerability}}, date = {2021-12-28}, organization = {CyStack}, url = {https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability}, language = {English}, urldate = {2022-01-05} } @online{nguyen:20220307:prophet:1acbba8, author = {Chris Nguyen and Eric Loui}, title = {{PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021-22941 to Deliver Webshell}}, date = {2022-03-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/}, language = {English}, urldate = {2022-03-08} } @online{nguyen:20240619:new:edcf29a, author = {Nguyen Nguyen and BartBlaze}, title = {{New North Korean based backdoor packs a punch}}, date = {2024-06-19}, url = {https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/}, language = {English}, urldate = {2024-06-24} } @online{niakanlahiji:20190309:analyzing:b88d299, author = {Amirreza Niakanlahiji}, title = {{Analyzing Sophisticated PowerShell Targeting Japan}}, date = {2019-03-09}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/}, language = {English}, urldate = {2019-12-24} } @online{nicchi:20231115:investigating:f9d3365, author = {Andrew Nicchi and John Simmons and Amey Gat and Mark Robson}, title = {{Investigating the New Rhysida Ransomware}}, date = {2023-11-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware}, language = {English}, urldate = {2023-11-22} } @online{nichols:20190410:lazarus:33958ca, author = {Shaun Nichols}, title = {{Lazarus Group rises again from the digital grave with Hoplight malware for all}}, date = {2019-04-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/}, language = {English}, urldate = {2019-12-24} } @online{nichols:20200117:friendly:ab2be11, author = {Shaun Nichols}, title = {{'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind}}, date = {2020-01-17}, organization = {The Register}, url = {https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/}, language = {English}, urldate = {2020-05-18} } @online{nick:20250106:hangro:e5108ae, author = {Nick}, title = {{Hangro: Investigating North Korean VPN Infrastructure Part 1}}, date = {2025-01-06}, organization = {North Korean Internet}, url = {https://nkinternet.wordpress.com/2025/01/06/hangro-north-korean-vpn-infrastructure/}, language = {English}, urldate = {2025-01-09} } @online{nickels:20201028:spooky:3bf0a0a, author = {Katie Nickels and Van Ta and Aaron Stephens}, title = {{Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast}}, date = {2020-10-28}, organization = {Youtube (SANS Institute)}, url = {https://www.youtube.com/watch?v=CgDtm05qApE}, language = {English}, urldate = {2020-11-04} } @online{nickels:20210223:cyber:974230c, author = {Katie Nickels}, title = {{A Cyber Threat Intelligence Self-Study Plan: Part 1}}, date = {2021-02-23}, organization = {Medium (Katie’s Five Cents)}, url = {https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a}, language = {English}, urldate = {2021-02-25} } @online{nickels:20210308:star:083eb29, author = {Katie Nickels and Adam Pennington and Jen Burns}, title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}}, date = {2021-03-08}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU}, language = {English}, urldate = {2021-03-11} } @online{nickels:20210727:sans:7432e9e, author = {Katie Nickels and John Hammond}, title = {{SANS Threat Analysis Rundown - Kaseya VSA attack}}, date = {2021-07-27}, organization = {Youtube (SANS Institute)}, url = {https://www.youtube.com/watch?v=tZVFMVm5GAk}, language = {English}, urldate = {2021-08-02} } @online{nickels:20220822:cyber:7fd8ac5, author = {Katie Nickels}, title = {{A Cyber Threat Intelligence Self-Study Plan: Part 2}}, date = {2022-08-22}, organization = {Medium (Katie’s Five Cents)}, url = {https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36}, language = {English}, urldate = {2022-08-28} } @online{nickle:20201216:lookout:089b35a, author = {Robert Nickle and Apurva Kumar and Justin Albrecht and Diane Wee}, title = {{Lookout Discovers New Spyware Used by Sextortionists to Blackmail iOS and Android Users}}, date = {2020-12-16}, organization = {Lookout}, url = {https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail}, language = {English}, urldate = {2020-12-17} } @online{nicolao:201901:inside:a4c68f3, author = {Gabriela Nicolao}, title = {{Inside Formbook infostealer}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/}, language = {English}, urldate = {2019-12-18} } @techreport{nicolao:2019:shinigamis:8397861, author = {Gabriela Nicolao and Luciano Martins}, title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf}, language = {English}, urldate = {2020-01-05} } @online{nicolo:20230411:security:f759e09, author = {Leeann Nicolo}, title = {{Security Alert: Royal Ransomware Targeting Firewalls}}, date = {2023-04-11}, organization = {Coalition}, url = {https://www.coalitioninc.com/blog/active-exploitation-firewalls}, language = {English}, urldate = {2023-04-26} } @online{nieto:20140418:troj64wowlikvt:a785d3a, author = {Alvin John Nieto}, title = {{TROJ64_WOWLIK.VT}}, date = {2014-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt}, language = {English}, urldate = {2020-01-13} } @online{nieuws:20210923:rtl:dae3de4, author = {RTL Nieuws}, title = {{RTL was victim ransomware attack, cyber criminals make 8500 euro loot}}, date = {2021-09-23}, organization = {rtlnieuws}, url = {https://www.rtlnieuws.nl/nieuws/nederland/artikel/5255983/rtl-nederland-ransomware-aanval-cybercriminelen-losgeld}, language = {Dutch}, urldate = {2021-09-29} } @online{nigam:20160121:android:e62019c, author = {Ruchna Nigam}, title = {{Android Spywaller: Firewall-Style Antivirus Blocking}}, date = {2016-01-21}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/android-spywaller-firewall-style-antivirus-blocking}, language = {English}, urldate = {2023-08-29} } @online{nigam:20160122:cve20154400:25cc9f4, author = {Ruchna Nigam}, title = {{CVE-2015-4400 : Backdoorbot, Network Configuration Leak on a Connected Doorbell}}, date = {2016-01-22}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/cve-2015-4400-backdoorbot-network-configuration-leak-on-a-connected-doorbell}, language = {English}, urldate = {2023-08-29} } @online{nigam:20160331:stored:a24df28, author = {Ruchna Nigam}, title = {{Stored XSS Vulnerabilites on Foscam}}, date = {2016-03-31}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/stored-xss-vulnerabilites-on-foscam-3}, language = {English}, urldate = {2023-08-29} } @online{nigam:20160405:scada:c3688b0, author = {Ruchna Nigam}, title = {{SCADA Security Report 2016}}, date = {2016-04-05}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/scada-security-report-2016}, language = {English}, urldate = {2023-08-29} } @online{nigam:20180320:telerat:b8d1aa5, author = {Ruchna Nigam and Kyle Wilhoit}, title = {{TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users}}, date = {2018-03-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/}, language = {English}, urldate = {2019-12-20} } @online{nigam:20180405:reaper:d4da0f8, author = {Ruchna Nigam}, title = {{Reaper Group’s Updated Mobile Arsenal}}, date = {2018-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/}, language = {English}, urldate = {2019-12-20} } @online{nigam:20180720:unit:e044686, author = {Ruchna Nigam}, title = {{Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns}}, date = {2018-07-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/}, language = {English}, urldate = {2019-12-20} } @online{nigam:20180909:multiexploit:c3960d3, author = {Ruchna Nigam}, title = {{Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall}}, date = {2018-09-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/}, language = {English}, urldate = {2023-08-28} } @online{nigam:20190318:new:fba8b9b, author = {Ruchna Nigam}, title = {{New Mirai Variant Targets Enterprise Wireless Presentation & Display Systems}}, date = {2019-03-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/}, language = {English}, urldate = {2023-08-28} } @online{nigam:20190408:mirai:b25b562, author = {Ruchna Nigam}, title = {{Mirai Compiled for New Processors Surfaces in the Wild}}, date = {2019-04-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/}, language = {English}, urldate = {2019-11-26} } @online{nigam:20190606:new:916134e, author = {Ruchna Nigam}, title = {{New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices}}, date = {2019-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/}, language = {English}, urldate = {2020-03-09} } @online{nigam:20190612:hide:fb1d18e, author = {Ruchna Nigam}, title = {{Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP}}, date = {2019-06-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/}, language = {English}, urldate = {2023-08-28} } @online{nigam:20191213:mirai:ac58c7e, author = {Ruchna Nigam}, title = {{Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities}}, date = {2019-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/}, language = {English}, urldate = {2023-08-28} } @online{nigam:20200514:mirai:65d9d83, author = {Ruchna Nigam}, title = {{Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways}}, date = {2020-05-14}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/}, language = {English}, urldate = {2020-05-18} } @online{nigam:20210810:new:ee88c46, author = {Ruchna Nigam and Haozhe Zhang and Zhibin Zhang}, title = {{New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices}}, date = {2021-08-10}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/}, language = {English}, urldate = {2021-08-20} } @online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } @online{nigam:20220520:threat:b0d781e, author = {Ruchna Nigam}, title = {{Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)}}, date = {2022-05-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/}, language = {English}, urldate = {2023-08-28} } @online{nigam:20240821:technical:6be1966, author = {Ruchna Nigam}, title = {{Technical Analysis of Copybara}}, date = {2024-08-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-copybara}, language = {English}, urldate = {2024-08-23} } @online{nightfallgt:20210412:nitro:03bef54, author = {NightfallGT}, title = {{Nitro Ransomware - Proof of Concept}}, date = {2021-04-12}, organization = {Github (NightfallGT)}, url = {https://github.com/nightfallgt/nitro-ransomware}, language = {English}, urldate = {2021-08-27} } @online{nightfallgt:20210604:mercurialgrabber:a189b04, author = {NightfallGT}, title = {{MercurialGrabber Github Repository}}, date = {2021-06-04}, organization = {Github (NightfallGT)}, url = {https://github.com/NightfallGT/Mercurial-Grabber}, language = {English}, urldate = {2021-12-22} } @techreport{nimmo:20200616:secondary:518280b, author = {Ben Nimmo and Camille François and C. Shawn Eib and Lea Ronzaud and Rodrigo Ferreira and Chris Hernon and Tim Kostelancik}, title = {{Secondary Infektion}}, date = {2020-06-16}, institution = {Graphika}, url = {https://secondaryinfektion.org/downloads/secondary-infektion-report.pdf}, language = {English}, urldate = {2020-06-17} } @techreport{nimmo:20200922:operation:cd29547, author = {Ben Nimmo and C. Shawn Eib and Lea Ronzaud}, title = {{Operation Naval Gazing: Facebook Takes Down Inauthentic Chinese Network}}, date = {2020-09-22}, institution = {Graphika}, url = {https://public-assets.graphika.com/reports/graphika_report_naval_gazing.pdf}, language = {English}, urldate = {2020-09-24} } @techreport{nimmo:20200924:gru:ec2f5db, author = {Ben Nimmo and Camille François and C. Shawn Eib and Lea Ronzaud and Joseph Carter}, title = {{GRU and the Minions: Further Exposures of Russian Military Assets Across Platforms, 2013-2020}}, date = {2020-09-24}, institution = {Graphika}, url = {https://public-assets.graphika.com/reports/graphika_report_gru_minions.pdf}, language = {English}, urldate = {2020-09-25} } @techreport{nimmo:20210204:spamouflage:6ebd5cb, author = {Ben Nimmo and Ira Hubert and Yang Cheng}, title = {{Spamouflage Breakout: Chinese Spam Network Finally Starts To Gain Some Traction}}, date = {2021-02-04}, institution = {Graphika}, url = {https://public-assets.graphika.com/reports/graphika_report_spamouflage_breakout.pdf}, language = {English}, urldate = {2021-02-04} } @techreport{nimmo:20220804:quarterly:012f23e, author = {Ben Nimmo and David Agranovich and Margarita Franklin and Mike Dvilyanski and Nathaniel Gleicher}, title = {{Quarterly Adversarial Threat Report AUGUST 2022}}, date = {2022-08-04}, institution = {META}, url = {https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf}, language = {English}, urldate = {2022-08-11} } @online{nimmo:20230503:metas:b21c75a, author = {Ben Nimmo and Nathaniel Gleicher}, title = {{Meta’s Adversarial Threat Report, First Quarter 2023}}, date = {2023-05-03}, organization = {META}, url = {https://about.fb.com/news/2023/05/metas-adversarial-threat-report-first-quarter-2023/}, language = {English}, urldate = {2023-05-04} } @online{ninja:20200202:reversing:872f4fb, author = {Ghidra Ninja}, title = {{Reversing WannaCry Part 2 - Diving into the malware with #Ghidra}}, date = {2020-02-02}, organization = {Youtube (Ghidra Ninja)}, url = {https://www.youtube.com/watch?v=Q90uZS3taG0}, language = {English}, urldate = {2020-02-09} } @online{ninja:20230126:hiding:3ea1a8c, author = {Paranoid Ninja}, title = {{Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing}}, date = {2023-01-26}, organization = {Dark Vortex}, url = {https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/}, language = {English}, urldate = {2023-02-21} } @online{ninja:20230129:hiding:1b59393, author = {Paranoid Ninja}, title = {{Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks}}, date = {2023-01-29}, organization = {Dark Vortex}, url = {https://0xdarkvortex.dev/hiding-in-plainsight/}, language = {English}, urldate = {2023-02-21} } @online{ninovic:20211206:attack:65a8a15, author = {Melanie Ninovic}, title = {{Attack Lifecycle Detection of an Operational Technology Breach}}, date = {2021-12-06}, organization = {PARAFLARE}, url = {https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/}, language = {English}, urldate = {2022-03-07} } @online{nisgaard:20220214:var:75495c9, author = {Allan Nisgaard and Marcel Mirzaei-Fard and Kenrik Moltke and Ingeborg Munk Toft}, title = {{Var tæt på at slukke tusindvis af vindmøller: Nu fortæller Vestas om cyberangreb}}, date = {2022-02-14}, organization = {DR.DK}, url = {https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb}, language = {Danish}, urldate = {2022-02-14} } @techreport{nisos:20220519:fronton:566aa02, author = {Nisos}, title = {{Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior}}, date = {2022-05-19}, institution = {Nisos}, url = {https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/fronton-report.pdf}, language = {English}, urldate = {2022-05-25} } @online{nisos:20230106:coldriver:6393e7e, author = {Nisos}, title = {{Coldriver Group Research Report}}, date = {2023-01-06}, organization = {Nisos}, url = {https://www.nisos.com/blog/coldriver-group-report/}, language = {English}, urldate = {2023-08-03} } @online{nisos:20250304:likely:6824f4b, author = {Nisos}, title = {{Likely DPRK Network Backstops on GitHub, Targets Companies Globally}}, date = {2025-03-04}, organization = {Nisos}, url = {https://nisos.com/research/dprk-github-employment-fraud/}, language = {English}, urldate = {2025-03-07} } @online{nitert:20220303:luci:3b608e9, author = {Bex Nitert}, title = {{Luci Spools The Fun With Phobos Ransomware}}, date = {2022-03-03}, organization = {PARAFLARE}, url = {https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/}, language = {English}, urldate = {2022-03-07} } @techreport{niwa:20210224:a41apt:d20a784, author = {Yusuke Niwa and Motohiko Sato and Hajime Yanagishita and Charles Li and Suguru Ishimaru}, title = {{A41APT case - Analysis of the Stealth APT Campaign Threatening Japan}}, date = {2021-02-24}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf}, language = {English}, urldate = {2021-02-26} } @techreport{niwa:20240823:pirates:7559d97, author = {Yusuke Niwa and Suguru Ishimaru}, title = {{Pirates of The Nang Hai: Follow the Artifacts No One Know}}, date = {2024-08-23}, institution = {ITOCHU}, url = {https://hitcon.org/2024/CMT/slides/Pirates_of_The_Nang_Hai_Follow_the_Artifacts_of_Tropic_Trooper,_No_One_Knows.pdf}, language = {English}, urldate = {2024-10-23} } @online{nizar:20210304:icedid:bfcc689, author = {Dor Nizar and Roy Moshailov}, title = {{IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims}}, date = {2021-03-04}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims}, language = {English}, urldate = {2021-03-06} } @online{nizar:20220113:flubots:3141376, author = {Dor Nizar and Roy Moshailov}, title = {{FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond}}, date = {2022-01-13}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond}, language = {English}, urldate = {2022-01-25} } @online{nizar:20220615:f5:6dbb3f2, author = {Dor Nizar and Malcolm Heath and Sander Vinberg and David Warburton}, title = {{F5 Labs Investigates MaliBot}}, date = {2022-06-15}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/f5-labs-investigates-malibot}, language = {English}, urldate = {2022-07-01} } @online{nizar:20240717:return:b939529, author = {Dor Nizar}, title = {{The Return of Ghost Emperor’s Demodex}}, date = {2024-07-17}, organization = {SYGNIA}, url = {https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/}, language = {English}, urldate = {2024-08-15} } @online{njccic:20160706:7ev3n:49aa061, author = {NJCCIC}, title = {{7ev3n}}, date = {2016-07-06}, organization = {NJCCIC}, url = {https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n}, language = {English}, urldate = {2020-01-13} } @online{njccic:20160825:njccic:f59c9b8, author = {NJCCIC}, title = {{NJCCIC Threat Profile: Spy-Agent}}, date = {2016-08-25}, organization = {NJCCIC}, url = {https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent}, language = {English}, urldate = {2020-07-15} } @online{njccic:20170316:majikpos:75a0a22, author = {NJCCIC}, title = {{MajikPOS}}, date = {2017-03-16}, organization = {NJCCIC}, url = {https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos}, language = {English}, urldate = {2020-01-10} } @online{nl:20191002:servers:08fffed, author = {Politie NL}, title = {{Servers botnet offline}}, date = {2019-10-02}, organization = {Politie NL}, url = {https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html}, language = {English}, urldate = {2020-01-08} } @online{nl:20210217:politie:a27a279, author = {Politie NL}, title = {{Politie bestrijdt cybercrime via Nederlandse infrastructuur}}, date = {2021-02-17}, organization = {Politie NL}, url = {https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html}, language = {Dutch}, urldate = {2021-02-20} } @online{nl:20210519:aanhouding:652b479, author = {Politie NL}, title = {{Aanhouding in onderzoek naar cybercrime}}, date = {2021-05-19}, organization = {Politie NL}, url = {https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html}, language = {Dutch}, urldate = {2021-05-20} } @online{nocturnus:20180918:vai:5118173, author = {Cybereason Nocturnus}, title = {{VAI MALANDRA: A LOOK INTO THE LIFECYCLE OF BRAZILIAN FINANCIAL MALWARE: PART ONE}}, date = {2018-09-18}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking}, language = {English}, urldate = {2019-11-28} } @online{nocturnus:20190425:threat:63e7d51, author = {Cybereason Nocturnus}, title = {{Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware}}, date = {2019-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware}, language = {English}, urldate = {2020-01-08} } @online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2022-07-01} } @online{nocturnus:20191024:hunting:79a2141, author = {Cybereason Nocturnus and Assaf Dahan and Lior Rochberger}, title = {{Hunting Raccoon: The new Masked Bandit on the Block}}, date = {2019-10-24}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block}, language = {English}, urldate = {2019-12-03} } @online{nocturnus:20200213:new:4006ede, author = {Cybereason Nocturnus}, title = {{New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor}}, date = {2020-02-13}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor}, language = {English}, urldate = {2020-02-13} } @online{nocturnus:20200213:new:ca8e240, author = {Cybereason Nocturnus}, title = {{New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign}}, date = {2020-02-13}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one}, language = {English}, urldate = {2020-02-13} } @online{nocturnus:20200922:outlaw:e50621a, author = {Cybereason Nocturnus}, title = {{Tweet on Outlaw Group using IRCBot, SSH bruteforce tool, port Scanner, and an XMRIG crypto miner for their hacking operation}}, date = {2020-09-22}, organization = {Twitter (@Nocturnus)}, url = {https://twitter.com/Nocturnus/status/1308430959512092673}, language = {English}, urldate = {2020-09-25} } @online{nocturnus:20201122:new:fe7e4a3, author = {Cybereason Nocturnus}, title = {{Tweet on new modular stealer that steals passwords, credit cards data, cryptocurrency wallets and downloads further plugins.}}, date = {2020-11-22}, organization = {Twitter (@Nocturnus)}, url = {https://twitter.com/Nocturnus/status/1330545589591879681}, language = {English}, urldate = {2020-11-23} } @online{nocturnus:20201209:new:ef00418, author = {Cybereason Nocturnus}, title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}}, date = {2020-12-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign}, language = {English}, urldate = {2020-12-10} } @online{nocturnus:20210401:cybereason:9e1c43e, author = {Cybereason Nocturnus}, title = {{Cybereason vs. DarkSide Ransomware}}, date = {2021-04-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware}, language = {English}, urldate = {2021-05-11} } @online{nocturnus:20210715:cybereason:06113e5, author = {Cybereason Nocturnus}, title = {{cybereason vs. prometheus ransomware}}, date = {2021-07-15}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware}, language = {English}, urldate = {2021-08-03} } @online{nocturnus:20220406:operation:5add58e, author = {Cybereason Nocturnus}, title = {{Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials}}, date = {2022-04-06}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials}, language = {English}, urldate = {2022-06-27} } @online{nocturnus:20220406:operation:f2775e3, author = {Cybereason Nocturnus}, title = {{Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials}}, date = {2022-04-06}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials#iocs}, language = {English}, urldate = {2022-06-09} } @online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } @online{noerenberg:20210719:remcos:fdf8bd6, author = {Erika Noerenberg}, title = {{Remcos RAT delivered via Visual Basic}}, date = {2021-07-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/}, language = {English}, urldate = {2021-07-26} } @online{nofix:20240210:krustyloader:09665dd, author = {Nofix}, title = {{KrustyLoader - About stripped Rust symbol recovery}}, date = {2024-02-10}, organization = {Nofix.re}, url = {https://nofix.re/posts/2024-11-02-rust-symbs/}, language = {English}, urldate = {2025-02-21} } @online{nofix:20240308:krustyloader:90f9aa8, author = {Nofix}, title = {{KrustyLoader - Leveraging rust compilation artifacts to obtain reliable compilation timestamps and pivoting}}, date = {2024-03-08}, organization = {Nofix.re}, url = {https://nofix.re/posts/2024-08-03-arti-rust/}, language = {English}, urldate = {2025-02-21} } @online{nohi:20240729:ransomware:0fd38cd, author = {Danielle Kuznets Nohi and Edan Zwick and Meitar Pinto and Charles-Edouard Bettan and Vaibhav Deshmukh}, title = {{Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption}}, date = {2024-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/}, language = {English}, urldate = {2024-08-29} } @online{none:20171026:reversinglabs:d3543db, author = {None}, title = {{ReversingLabs' YARA rule detects BadRabbit encryption routine specifics}}, date = {2017-10-26}, organization = {Reversing Labs}, url = {https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html}, language = {English}, urldate = {2019-10-17} } @online{nonepizza:20200520:pandabanker:da5cd3c, author = {nonepizza}, title = {{(PandaBanker Analysis) Fixing Corrupted PE Headers and Unmapping an Executable}}, date = {2020-05-20}, organization = {Youtube (nonepizza)}, url = {https://www.youtube.com/watch?v=J7VOfAJvxEY}, language = {English}, urldate = {2020-05-29} } @online{nordenlund:20230906:darkgate:cbe3f9b, author = {Jakob Nordenlund}, title = {{DarkGate Loader Malware Delivered via Microsoft Teams}}, date = {2023-09-06}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams}, language = {English}, urldate = {2023-09-08} } @online{norfolk:20190122:lazarus:74b5983, author = {Norfolk}, title = {{A Lazarus Keylogger- PSLogger}}, date = {2019-01-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/}, language = {English}, urldate = {2020-01-10} } @online{norfolk:20190410:osint:7dfb7d1, author = {Norfolk}, title = {{OSINT Reporting Regarding DPRK and TA505 Overlap}}, date = {2019-04-10}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/}, language = {English}, urldate = {2020-01-06} } @online{norfolk:20191223:pos:5862d6d, author = {Norfolk}, title = {{POS Malware Used at Fuel Pumps}}, date = {2019-12-23}, url = {https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/}, language = {English}, urldate = {2020-01-07} } @online{norfolk:20191231:fuel:37d7e73, author = {Norfolk}, title = {{Fuel Pumps II – PoSlurp.B}}, date = {2019-12-31}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/}, language = {English}, urldate = {2020-01-08} } @online{norfolk:20221003:some:115e620, author = {Norfolk}, title = {{Some Notes on VIRTUALGATE}}, date = {2022-10-03}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/some-notes-on-virtualgate/}, language = {English}, urldate = {2022-10-05} } @online{normandie:20191119:une:d09ec98, author = {Rédaction Normandie}, title = {{Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates}}, date = {2019-11-19}, organization = {ACTU}, url = {https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html}, language = {French}, urldate = {2019-12-05} } @online{northern:20220511:nerbian:bd26bbb, author = {Andrew Northern and Pim Trouerbach and Tony Robinson and Axel F}, title = {{Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques}}, date = {2022-05-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques}, language = {English}, urldate = {2022-05-11} } @online{northern:20230226:ta569:94f2453, author = {Andrew Northern}, title = {{TA569: SocGholish and Beyond}}, date = {2023-02-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond}, language = {English}, urldate = {2024-01-18} } @online{norton:20171219:novel:2a852a7, author = {Andy Norton}, title = {{Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot}}, date = {2017-12-19}, organization = {Lastline}, url = {https://www.lastline.com/blog/password-stealing-malware-loki-bot/}, language = {English}, urldate = {2020-01-13} } @online{noutsos:20200701:dll:00c6e85, author = {Lampros Noutsos and Oliver Fay}, title = {{DLL Search Order Hijacking}}, date = {2020-07-01}, organization = {Contextis}, url = {https://www.contextis.com/en/blog/dll-search-order-hijacking}, language = {English}, urldate = {2022-04-06} } @online{noutsos:20211020:persistence:9d0e41d, author = {Lampros Noutsos}, title = {{Persistence and Privilege Escalation on Windows via Print Processors}}, date = {2021-10-20}, organization = {Twitter (@lampnout)}, url = {https://stmxcsr.com/persistence/print-processor.html}, language = {English}, urldate = {2021-11-03} } @online{novak:20180420:researchers:6764b0e, author = {Jay Novak and Matthew Pennington}, title = {{Researchers Discover New variants of APT34 Malware}}, date = {2018-04-20}, organization = {Booz Allen Hamilton}, url = {https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2}, language = {English}, urldate = {2020-01-06} } @techreport{novetta:20141028:derusbi:aae275a, author = {Novetta}, title = {{Derusbi (Server Variant) Analysis}}, date = {2014-10-28}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{novetta:20141028:operation:439ddab, author = {Novetta}, title = {{Operation SMN: Axiom Threat Actor Group Report}}, date = {2014-10-28}, institution = {Novetta}, url = {https://web.archive.org/web/20150420064803/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf}, language = {English}, urldate = {2025-04-17} } @techreport{novetta:201411:zoxpng:91e81c6, author = {Novetta}, title = {{ZoxPNG Analysis}}, date = {2014-11}, institution = {Novetta}, url = {http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf}, language = {English}, urldate = {2020-05-07} } @techreport{novetta:20150406:winnti:acc4030, author = {Novetta}, title = {{WINNTI ANALYSIS}}, date = {2015-04-06}, institution = {Novetta}, url = {https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{novetta:201602:operation:c3cadae, author = {Novetta}, title = {{Operation Blockbuster}}, date = {2016-02}, institution = {Novetta}, url = {https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf}, language = {English}, urldate = {2020-01-13} } @online{novk:20220407:parrot:9c74f9b, author = {Pavel Novák and Jan Rubín}, title = {{Parrot TDS takes over web servers and threatens millions}}, date = {2022-04-07}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/}, language = {English}, urldate = {2022-04-08} } @online{novk:20220608:crypto:e07011c, author = {Pavel Novák}, title = {{Crypto stealing campaign spread via fake cracked software}}, date = {2022-06-08}, organization = {Avast}, url = {https://blog.avast.com/fakecrack-campaign}, language = {English}, urldate = {2022-06-17} } @online{nozominetworks:20190125:toolkit:c87f77f, author = {NozomiNetworks}, title = {{Toolkit collection developed to help malware analysts dissecting and detecting the packer used by GreyEnergy samples.}}, date = {2019-01-25}, organization = {Github (NozomiNetworks)}, url = {https://github.com/NozomiNetworks/greyenergy-unpacker}, language = {English}, urldate = {2020-01-09} } @online{nrw:20230306:schlag:5e5d84b, author = {Landeskriminalamt NRW}, title = {{Schlag gegen international agierendes Netzwerk von Cyber-Kriminellen}}, date = {2023-03-06}, organization = {Landeskriminalamt NRW}, url = {https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen}, language = {German}, urldate = {2023-03-23} } @online{nsa:20200813:nsa:7f5e901, author = {NSA}, title = {{NSA and FBI Expose Russian Previously Undisclosed Malware “Drovorub” in Cybersecurity Advisory}}, date = {2020-08-13}, organization = {NSA}, url = {https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/}, language = {English}, urldate = {2020-08-17} } @techreport{nsa:20200814:drovorub:ee701f6, author = {NSA}, title = {{Drovorub Malware: Fact Sheet & FAQs}}, date = {2020-08-14}, institution = {NSA}, url = {https://www.nsa.gov/portals/75/documents/resources/cybersecurity-professionals/DROVORUB-Fact%20sheet%20and%20FAQs.pdf}, language = {English}, urldate = {2023-03-27} } @techreport{nsa:20201207:russian:9dbda97, author = {NSA}, title = {{Russian State-Sponsored Actors Exploiting Vulnerability in VMware® Workspace ONE Access Using Compromised Credentials}}, date = {2020-12-07}, institution = {NSA}, url = {https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF}, language = {English}, urldate = {2020-12-08} } @techreport{nsa:20201217:detecting:2191982, author = {NSA}, title = {{Detecting Abuse of Authentication Mechanisms}}, date = {2020-12-17}, institution = {NSA}, url = {https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF}, language = {English}, urldate = {2020-12-18} } @online{nsa:20210105:joint:ba51a6d, author = {NSA and FBI and CISA and ODNI}, title = {{Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)}}, date = {2021-01-05}, url = {https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure}, language = {English}, urldate = {2022-10-17} } @techreport{nsa:20210415:russian:9c18f60, author = {NSA and CISA and FBI}, title = {{Russian SVR Targets U.S. and Allied Networks}}, date = {2021-04-15}, institution = {}, url = {https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF_US_ALLIES_UOO13234021.PDF}, language = {English}, urldate = {2021-04-16} } @techreport{nsa:20220303:network:c5b4b09, author = {NSA}, title = {{Network Infrastructure Security Guidance}}, date = {2022-03-03}, institution = {NSA}, url = {https://media.defense.gov/2022/Mar/01/2002947139/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDANCE_20220301.PDF}, language = {English}, urldate = {2022-03-07} } @techreport{nsa:20230209:stopransomware:87d3a94, author = {NSA and FBI and CISA and HHS and ROK and DSA}, title = {{#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities}}, date = {2023-02-09}, institution = {}, url = {https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF}, language = {English}, urldate = {2023-08-25} } @techreport{nsfocus:20181008:nuggetphantom:1a8f696, author = {NSFOCUS}, title = {{NuggetPhantom Analysis Report}}, date = {2018-10-08}, institution = {NSFOCUS}, url = {https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf}, language = {English}, urldate = {2021-09-20} } @online{nsfocus:20200605:githubjava:0a5197d, author = {NSFOCUS}, title = {{供应链攻击事件——针对Github中Java项目的定向攻击}}, date = {2020-06-05}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/github-ocs-0605/}, language = {Chinese}, urldate = {2020-06-08} } @online{nsfocus:20200908:groupdarkhotelrat:f6ecf8c, author = {NSFOCUS}, title = {{APT GROUP系列——DARKHOTEL之窃密与RAT篇}}, date = {2020-09-08}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/darkhotel-3-0908/}, language = {Chinese}, urldate = {2020-09-15} } @online{nsfocus:20210104:steganography:d039571, author = {NSFOCUS}, title = {{Steganography, Little Fire Dragon and AGENTVX: A Detailed Analysis of APT Organization EVILNUM's New Attack Activities}}, date = {2021-01-04}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/agentvxapt-evilnum/}, language = {Chinese}, urldate = {2022-01-25} } @online{nsfocus:20210805:lorec53:a834b09, author = {NSFOCUS}, title = {{LOREC53 Organizational Analysis Report - Attack Activity Part}}, date = {2021-08-05}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/lorec-53/}, language = {Chinese}, urldate = {2021-08-06} } @techreport{nsfocus:20211123:2021:a73b9aa, author = {NSFOCUS}, title = {{2021 Analysis Report on Lorec53 Group}}, date = {2021-11-23}, institution = {NSFOCUS}, url = {https://nsfocusglobal.com/wp-content/uploads/2021/11/Analysis-Report-on-Lorec53-Group.pdf}, language = {English}, urldate = {2024-12-11} } @online{nsfocus:20220530:operation:676690f, author = {NSFOCUS}, title = {{Operation DarkCasino: In-Depth Analysis of Recent Attacks by APT Group EVILNUM}}, date = {2022-05-30}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/darkcasino-apt-evilnum/}, language = {Chinese}, urldate = {2022-08-08} } @online{nsfocus:20220818:new:05df980, author = {NSFOCUS}, title = {{New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy}}, date = {2022-08-18}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/murenshark/}, language = {English}, urldate = {2022-08-28} } @online{nsfocus:20220818:new:223b88b, author = {NSFOCUS}, title = {{New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy}}, date = {2022-08-18}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/murenshark}, language = {Chinese}, urldate = {2022-08-22} } @online{nsfocus:20230830:apt34:0be5a70, author = {NSFOCUS}, title = {{APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan}}, date = {2023-08-30}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/}, language = {English}, urldate = {2023-09-07} } @online{nsfocus:20230925:warning:51a3324, author = {NSFOCUS}, title = {{Warning: Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack}}, date = {2023-09-25}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/}, language = {English}, urldate = {2023-10-16} } @online{nsfocus:20231110:new:f2ce1ec, author = {NSFOCUS}, title = {{The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits}}, date = {2023-11-10}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/}, language = {English}, urldate = {2023-11-17} } @online{nsfocus:20240808:new:a8ff395, author = {NSFOCUS}, title = {{New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel}}, date = {2024-08-08}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/}, language = {English}, urldate = {2024-10-21} } @online{ntop:20220518:how:b94772c, author = {ntop}, title = {{How ntopng monitors IEC 60870-5-104 traffic}}, date = {2022-05-18}, organization = {ntop}, url = {https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/}, language = {English}, urldate = {2022-05-25} } @online{ntopcode:20180116:anatomy:23e57c1, author = {ntopcode}, title = {{Anatomy of the thread suspension mechanism in Windows (Windows Internals)}}, date = {2018-01-16}, organization = {Opcode Security research}, url = {https://ntopcode.wordpress.com/2018/01/16/anatomy-of-the-thread-suspension-mechanism-in-windows-windows-internals/}, language = {English}, urldate = {2022-04-15} } @online{ntopcode:20180226:anatomy:38d732a, author = {ntopcode}, title = {{Anatomy of the Process Environment Block (PEB) (Windows Internals)}}, date = {2018-02-26}, organization = {Opcode Security research}, url = {https://ntopcode.wordpress.com/2018/02/26/anatomy-of-the-process-environment-block-peb-windows-internals/}, language = {English}, urldate = {2022-04-15} } @online{ntt:20211019:layered:92e34d1, author = {Threat Detection Team Security division of NTT}, title = {{The layered infrastructure operated by APT29}}, date = {2021-10-19}, organization = {NTT}, url = {https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29}, language = {English}, urldate = {2021-12-31} } @online{ntunmapviewofsection:20210506:short:1045831, author = {NtUnmapViewOfSection}, title = {{Tweet on short analysis of Nebulae Backdoor}}, date = {2021-05-06}, organization = {Twitter (@SyscallE)}, url = {https://twitter.com/SyscallE/status/1390339497804636166}, language = {English}, urldate = {2021-05-08} } @online{nuce:20170307:fin7:0e12ba2, author = {Jordan Nuce and Barry Vengerik and Steve Miller}, title = {{FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings}}, date = {2017-03-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html}, language = {English}, urldate = {2019-12-20} } @online{nuce:20210511:shining:2397158, author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Matt Williams and Brendan McKeague and Jared Wilson}, title = {{Shining a Light on DARKSIDE Ransomware Operations}}, date = {2021-05-11}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations}, language = {English}, urldate = {2025-02-19} } @online{nuce:20210511:shining:339d137, author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson}, title = {{Shining a Light on DARKSIDE Ransomware Operations}}, date = {2021-05-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html}, language = {English}, urldate = {2021-05-13} } @online{nugent:20230721:exploitation:ef4ffa7, author = {James Nugent and Foti Castelan and Doug Bienstock and Justin Moore and Josh Murchie}, title = {{Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519)}}, date = {2023-07-21}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/citrix-zero-day-espionage}, language = {English}, urldate = {2023-07-31} } @online{nullarray:20151015:archivist:6981443, author = {NullArray}, title = {{Archivist}}, date = {2015-10-15}, url = {https://github.com/NullArray/Archivist}, language = {English}, urldate = {2020-03-13} } @online{nullixx:20230830:phemedrone:42abca5, author = {nullixx}, title = {{Phemedrone Stealer - The best open source Stealer​}}, date = {2023-08-30}, url = {https://github.com/nullixx/Phemedrone-Stealer/blob/master/README.md}, language = {English}, urldate = {2024-01-09} } @online{nusenu:20190509:tracking:3b972bb, author = {nusenu}, title = {{Tracking One Year of Malicious Tor Exit Relay Activities (Part II)}}, date = {2019-05-09}, organization = {Medium nusenu}, url = {https://nusenu.medium.com/tracking-one-year-of-malicious-tor-exit-relay-activities-part-ii-85c80875c5df}, language = {English}, urldate = {2021-05-11} } @online{nusenu:20211130:is:99e6cf1, author = {nusenu}, title = {{Is "KAX17" performing de-anonymization Attacks against Tor Users?}}, date = {2021-11-30}, organization = {Medium nusenu}, url = {https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8}, language = {English}, urldate = {2021-12-06} } @online{nutland:20240828:blackbyte:2b168f1, author = {James Nutland and Craig Jackson and Terryn Valikodath}, title = {{BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks}}, date = {2024-08-28}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/}, language = {English}, urldate = {2024-08-29} } @online{nworah:20240926:how:eb35f77, author = {Benjamin Nworah}, title = {{How Wazuh detects and responds to Mint Stealer}}, date = {2024-09-26}, organization = {wazuh}, url = {https://wazuh.com/blog/how-wazuh-detects-and-responds-to-mint-stealer/}, language = {English}, urldate = {2025-03-05} } @online{nyanxcat:20180827:limeminer:1abaede, author = {NYAN-x-CAT}, title = {{Lime-Miner}}, date = {2018-08-27}, organization = {Github Repository}, url = {https://github.com/NYAN-x-CAT/Lime-Miner}, language = {English}, urldate = {2019-10-12} } @online{nyanxcat:20190119:asyncrat:8df5e7e, author = {NYAN-x-CAT}, title = {{AsyncRAT: Open-Source Remote Administration Tool For Windows C# (RAT)}}, date = {2019-01-19}, organization = {Github (NYAN-x-CAT)}, url = {https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/}, language = {English}, urldate = {2020-01-08} } @online{nyanxcat:20190512:lime:55bdb21, author = {NYAN-x-CAT}, title = {{Lime Downloader v4.2}}, date = {2019-05-12}, organization = {Github (NYAN-x-CAT)}, url = {https://github.com/NYAN-x-CAT/Lime-Downloader}, language = {English}, urldate = {2020-01-09} } @online{nyanxcat:20190624:limerat:2274c0c, author = {NYAN-x-CAT}, title = {{LimeRAT | Simple, yet powerful remote administration tool for Windows (RAT)}}, date = {2019-06-24}, organization = {Github (NYAN-x-CAT)}, url = {https://github.com/NYAN-x-CAT/Lime-RAT/}, language = {English}, urldate = {2020-01-07} } @online{nyx0:20150225:pony:17f5bd3, author = {nyx0}, title = {{Pony Sourcecode}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/Pony}, language = {English}, urldate = {2020-01-09} } @online{nz:20200907:emotet:e7965c2, author = {CERT NZ}, title = {{Emotet Malware being spread via email}}, date = {2020-09-07}, organization = {CERT NZ}, url = {https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/}, language = {English}, urldate = {2020-09-15} } @online{nz:20210419:microsoft:70f3a4e, author = {CERT NZ}, title = {{Microsoft 365 phishing using fake voicemail messages}}, date = {2021-04-19}, organization = {CERT NZ}, url = {https://www.cert.govt.nz/individuals/alerts/microsoft-365-phishing-using-fake-voicemail/}, language = {English}, urldate = {2021-04-20} } @online{nz:20210810:how:0ae7c1a, author = {CERT NZ}, title = {{How ransomware happens and how to stop it}}, date = {2021-08-10}, organization = {CERT NZ}, url = {https://www.cert.govt.nz/it-specialists/guides/how-ransomware-happens-and-how-to-stop-it/}, language = {English}, urldate = {2021-08-25} } @online{nz:20211001:text:7c16350, author = {CERT NZ}, title = {{Text message scam infecting Android phones with FluBot}}, date = {2021-10-01}, organization = {CERT NZ}, url = {https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/}, language = {English}, urldate = {2021-10-20} } @online{oalabs:20180620:unpacking:e4d59a4, author = {OALabs}, title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}}, date = {2018-06-20}, url = {https://www.youtube.com/watch?v=EdchPEHnohw}, language = {English}, urldate = {2019-12-24} } @online{oalabs:20210721:warzone:d391d61, author = {OALabs}, title = {{Warzone RAT Config Extraction With Python and IDA Pro}}, date = {2021-07-21}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=-G82xh9m4hc}, language = {English}, urldate = {2021-07-22} } @online{oalabs:20210810:leaked:4d4be75, author = {OALabs}, title = {{Leaked Conti Ransomware Playbook - Red Team Reacts}}, date = {2021-08-10}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hmaWy9QIC7c}, language = {English}, urldate = {2021-08-25} } @online{oalabs:20211004:reverse:470cd80, author = {OALabs}, title = {{Reverse engineered the Hancitor DLL and built a static config extractor}}, date = {2021-10-04}, organization = {Github (OALabs)}, url = {https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb}, language = {English}, urldate = {2021-12-02} } @online{oalabs:20220121:whispergate:e235152, author = {OALabs}, title = {{WhisperGate Malware}}, date = {2022-01-21}, organization = {Github (OALabs)}, url = {https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb}, language = {English}, urldate = {2022-01-25} } @online{oalabs:20220201:how:5af03e0, author = {OALabs}, title = {{How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]}}, date = {2022-02-01}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=Yzt_zOO8pDM}, language = {English}, urldate = {2022-02-02} } @online{oalabs:20231112:pikabot:c0db27d, author = {OALabs}, title = {{PikaBot Is Back With a Vengeance}}, date = {2023-11-12}, organization = {OALabs}, url = {https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html}, language = {English}, urldate = {2023-11-27} } @online{oalabs:20231119:pikabot:321bcd8, author = {OALabs}, title = {{PikaBot Is Back With a Vengeance - Part 2}}, date = {2023-11-19}, organization = {OALabs}, url = {https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html}, language = {English}, urldate = {2023-11-27} } @online{objectivesee:20170510:osxprotonb:31502a9, author = {Objective-See}, title = {{OSX/Proton.B}}, date = {2017-05-10}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x1F.html}, language = {English}, urldate = {2020-01-09} } @online{objectivesee:20191203:lazarus:028af2b, author = {Objective-See}, title = {{Lazarus Group Goes 'Fileless'}}, date = {2019-12-03}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x51.html}, language = {English}, urldate = {2020-01-13} } @techreport{obrien:20160216:dridex:7abdc31, author = {Dick O'Brien}, title = {{Dridex: Tidal waves of spam pushing dangerous financial Trojan}}, date = {2016-02-16}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf}, language = {English}, urldate = {2020-01-08} } @online{obst:20231221:bpf:acf97cc, author = {Valentin Obst and Martin Clauß}, title = {{BPF Memory Forensics with Volatility 3}}, date = {2023-12-21}, url = {https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/}, language = {English}, urldate = {2024-03-19} } @online{oconnor:20250314:socgholishs:8269aab, author = {Adam O'Connor and Ian Kenefick and Jack Walsh and Lucas Silva and Laura Medina}, title = {{SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware}}, date = {2025-03-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html}, language = {English}, urldate = {2025-03-14} } @online{odonnell:20180423:muhstik:668faf9, author = {Lindsey O'Donnell}, title = {{Muhstik Botnet Exploits Highly Critical Drupal Bug}}, date = {2018-04-23}, organization = {Threatpost}, url = {https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/}, language = {English}, urldate = {2020-01-05} } @online{odonnell:20191118:pipka:5fafde5, author = {Lindsey O'Donnell}, title = {{Pipka Card Skimmer Removes Itself After Infecting eCommerce Sites}}, date = {2019-11-18}, organization = {Threatpost}, url = {https://threatpost.com/pipka-card-skimmer-removes-itself-after-infecting-ecommerce-sites/150341/}, language = {English}, urldate = {2020-03-01} } @online{odonnellwelch:20240419:decade:8e7bc03, author = {Lindsey O’Donnell-Welch and Dan Black and Gabby Roncone}, title = {{A Decade of Sandworm: Digging into APT44’s Past and Future With Mandiant}}, date = {2024-04-19}, organization = {YouTube (Decipher)}, url = {https://www.youtube.com/watch?v=WlUa22LvM6U}, language = {English}, urldate = {2024-04-23} } @online{of0xcc:20210218:one:9a5f079, author = {of0x.cc}, title = {{One thousand and one ways to copy your shellcode to memory (VBA Macros)}}, date = {2021-02-18}, organization = {of0x.cc}, url = {https://adepts.of0x.cc/alternatives-copy-shellcode/}, language = {English}, urldate = {2021-02-20} } @online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } @online{office:20210415:russia:c3c6e21, author = {Foreign Commonwealth & Development Office}, title = {{Russia: UK exposes Russian involvement in SolarWinds cyber compromise}}, date = {2021-04-15}, organization = {GOV.UK}, url = {https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise}, language = {English}, urldate = {2021-04-16} } @online{office:20210416:highlevel:dc56276, author = {U.S. Attorney’s Office and Western District of Washington}, title = {{High-level organizer of notorious hacking group FIN7 sentenced to ten years in prison for scheme that compromised tens of millions of debit and credit cards}}, date = {2021-04-16}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-wdwa/pr/high-level-organizer-notorious-hacking-group-fin7-sentenced-ten-years-prison-scheme}, language = {English}, urldate = {2021-04-19} } @online{office:20230123:fbi:172d0d8, author = {FBI National Press Office}, title = {{FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft}}, date = {2023-01-23}, organization = {FBI}, url = {https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-apt38-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft}, language = {English}, urldate = {2023-01-25} } @online{office:20240905:gru:1958216, author = {Prosecutor's Office}, title = {{A GRU military unit launched cyberattacks against Estonian authorities}}, date = {2024-09-05}, organization = {Republic of Estonia}, url = {https://www.prokuratuur.ee/en/news/gru-military-unit-launched-cyberattacks-against-estonian-authorities}, language = {English}, urldate = {2025-02-03} } @techreport{ogawa:20200117:100:035a7dd, author = {Hiroaki Ogawa and Manabu Niseki}, title = {{100 more behind cockroaches?}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf}, language = {English}, urldate = {2020-01-17} } @online{ogino:20220908:threat:2ec8deb, author = {Kotaro Ogino and Yuki Shibuya and Aleksandar Milenkoski}, title = {{Threat Analysis Report: PlugX RAT Loader Evolution}}, date = {2022-09-08}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution}, language = {English}, urldate = {2022-09-13} } @online{ogino:20221205:threat:b2ffad4, author = {Kotaro Ogino and Ralph Villanueva and Robin Plumer}, title = {{Threat Analysis: MSI - Masquerading as a Software Installer}}, date = {2022-12-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer}, language = {English}, urldate = {2022-12-05} } @techreport{ogorman:20120906:elderwood:d45a02b, author = {Gavin O'Gorman and Geoff McDonald}, title = {{The Elderwood Project}}, date = {2012-09-06}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf}, language = {English}, urldate = {2019-11-29} } @techreport{ogorman:20120907:elderwood:4247c36, author = {Gavin O'Gorman and Geoff McDonald}, title = {{The Elderwood Project}}, date = {2012-09-07}, institution = {Symantec}, url = {https://www.infopoint-security.de/medien/the-elderwood-project.pdf}, language = {English}, urldate = {2020-07-11} } @online{ogorman:20150122:scarab:6f14aaf, author = {Gavin O'Gorman}, title = {{Scarab attackers took aim at select Russian targets since 2012}}, date = {2015-01-22}, organization = {Symantec}, url = {https://web.archive.org/web/20150124025612/http://www.symantec.com:80/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012}, language = {English}, urldate = {2022-03-29} } @online{oh:20160609:reverseengineering:e26dd54, author = {Jeong Wook Oh}, title = {{Reverse-engineering DUBNIUM}}, date = {2016-06-09}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/}, language = {English}, urldate = {2019-10-13} } @online{ohpe:20190114:juicy:d9ac671, author = {OHPE}, title = {{Juicy Potato (abusing the golden privileges)}}, date = {2019-01-14}, organization = {Github (ohpe)}, url = {https://github.com/ohpe/juicy-potato}, language = {English}, urldate = {2020-06-19} } @online{okamoto:20210722:analysis:486a6f2, author = {Katsuyuki Okamoto}, title = {{Analysis of "[Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics.exe"}}, date = {2021-07-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.co.jp/archives/28319}, language = {Japanese}, urldate = {2021-08-20} } @techreport{oklahoma:20250507:case:b42f660, author = {U.S. Attorney's Officea Northern District of Oklahoma}, title = {{Case 4:25-cr-00160-JDR: Indictment of Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin and Dmitriy Rubtsov}}, date = {2025-05-07}, institution = {US Department of Justice}, url = {https://s3.documentcloud.org/documents/25935130/anyproxy-and-5socks-indictment.pdf}, language = {English}, urldate = {2025-05-20} } @online{oklahoma:20250509:botnet:36daadf, author = {U.S. Attorney's Office, Northern District of Oklahoma}, title = {{Botnet Dismantled in International Operation, Russian and Kazakhstani Administrators Indicted}}, date = {2025-05-09}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators}, language = {English}, urldate = {2025-05-21} } @online{okorokov:20201207:massive:177c4eb, author = {Victor Okorokov}, title = {{Massive malicious campaign by FakeSecurity JS-sniffer}}, date = {2020-12-07}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/fakesecurity}, language = {English}, urldate = {2020-12-08} } @online{okorokov:20201223:new:b6c974d, author = {Viktor Okorokov}, title = {{New attacks by UltraRank group}}, date = {2020-12-23}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/ultrarank}, language = {English}, urldate = {2020-12-26} } @online{okorokov:20210315:javascript:ec4f3b6, author = {Victor Okorokov}, title = {{JavaScript sniffers' new tricks: Analysis of the E1RB JS sniffer family}}, date = {2021-03-15}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/e1rb}, language = {English}, urldate = {2021-03-18} } @online{okorokov:20210414:lazarus:6f74781, author = {Victor Okorokov}, title = {{Lazarus BTC Changer Back in action with JS sniffers redesigned to steal crypto}}, date = {2021-04-14}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/btc_changer}, language = {English}, urldate = {2021-06-16} } @online{okorokov:20210506:grelosgtm:7324b2c, author = {Viktor Okorokov}, title = {{GrelosGTM group abuses Google Tag Manager to attack e-commerce websites}}, date = {2021-05-06}, organization = {Group-IB}, url = {https://blog.group-ib.com/grelosgtm}, language = {English}, urldate = {2021-06-16} } @online{okorokov:20210805:prometheus:38ab6a6, author = {Viktor Okorokov and Nikita Rostovcev}, title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}}, date = {2021-08-05}, organization = {Group-IB}, url = {https://blog.group-ib.com/prometheus-tds}, language = {English}, urldate = {2021-08-06} } @online{okorokov:20220817:switching:1ffd85f, author = {Victor Okorokov}, title = {{Switching side jobs Links between ATMZOW JS-sniffer and Hancitor}}, date = {2022-08-17}, organization = {Group-IB}, url = {https://blog.group-ib.com/switching-side-jobs}, language = {English}, urldate = {2022-08-22} } @online{olak:20221218:netwire:b9000cb, author = {Enes Şakir Çolak}, title = {{NetWire Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view}, language = {English}, urldate = {2022-12-20} } @online{oleary:20170920:insights:27e8253, author = {Jacqueline O’Leary and Josiah Kimble and Kelli Vanderlee and Nalani Fraser}, title = {{Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware}}, date = {2017-09-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html}, language = {English}, urldate = {2019-12-20} } @techreport{oleary:20211116:finding:e8594dd, author = {T.J. O'Leary and Tom Bonner and Marta Janus and Dean Given and Eoin Wickens and Jim Simpson}, title = {{Finding Beacons in the dark}}, date = {2021-11-16}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf}, language = {English}, urldate = {2021-11-18} } @online{oleg:20240101:russian:fd4efd4, author = {Oleg}, title = {{Russian Language Cybercriminal Forums - An Excursion Into The Core Of The Underground Ecosystem.}}, date = {2024-01-01}, organization = {Cybercrime Diaries}, url = {https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-an-excursion-into-the-core-of-the-underground-ecosystem}, language = {English}, urldate = {2024-02-09} } @online{oleg:20240111:russian:242d0c1, author = {Oleg}, title = {{Russian Language Cybercriminal Forums - Steep Investments And Hefty Profits.}}, date = {2024-01-11}, organization = {Cybercrime Diaries}, url = {https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-steep-investments-and-hefty-profits}, language = {English}, urldate = {2024-02-09} } @online{oleg:20240208:russian:d189c30, author = {Oleg}, title = {{Russian Language Cybercriminal Forums – Analyzing The Most Active And Renowned Communities.}}, date = {2024-02-08}, organization = {Cybercrime Diaries}, url = {https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities}, language = {English}, urldate = {2024-02-09} } @online{olenick:20170808:hbo:dbb42ba, author = {Doug Olenick}, title = {{HBO breach accomplished with hard work by hacker, poor security practices by victim}}, date = {2017-08-08}, organization = {SC Magazine}, url = {https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/}, language = {English}, urldate = {2020-01-13} } @online{olenick:20190603:gandcrab:9ed3174, author = {Doug Olenick}, title = {{GandCrab ransomware operators put in retirement papers}}, date = {2019-06-03}, organization = {SC Magazine}, url = {https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/}, language = {English}, urldate = {2020-01-08} } @online{oliveau:20201119:purgalicious:08e1df3, author = {Andrew Oliveau and Alyssa Rahman and Brett Hawkins}, title = {{Purgalicious VBA: Macro Obfuscation With VBA Purging}}, date = {2020-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html}, language = {English}, urldate = {2020-11-23} } @online{oliveau:20230719:escalating:3ffa562, author = {Andrew Oliveau}, title = {{Escalating Privileges via Third-Party Windows Installers}}, date = {2023-07-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers}, language = {English}, urldate = {2023-07-31} } @online{oliveira:20210209:threat:79b5467, author = {Alfredo Oliveira and David Fiser}, title = {{Threat actors now target Docker via container escape features}}, date = {2021-02-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/threat-actors-now-target-docker-via-container-escape-features.html}, language = {English}, urldate = {2021-02-10} } @online{oliveira:20210727:threat:dd84d57, author = {Alfredo Oliveira and David Fiser}, title = {{Threat Actors Exploit Misconfigured Apache Hadoop YARN}}, date = {2021-07-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html}, language = {English}, urldate = {2021-08-31} } @online{oliveira:20211008:actors:329ccc0, author = {Alfredo Oliveira and David Fiser}, title = {{Actors Target Huawei Cloud Using Upgraded Linux Malware}}, date = {2021-10-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html}, language = {English}, urldate = {2021-10-24} } @online{oliveira:20220721:alibaba:bef01c3, author = {Alfredo Oliveira and David Fiser}, title = {{Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography}}, date = {2022-07-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-sc.html}, language = {English}, urldate = {2022-07-25} } @online{olney:20230418:statesponsored:9bf8908, author = {Matthew Olney}, title = {{State-sponsored campaigns target global network infrastructure}}, date = {2023-04-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/}, language = {English}, urldate = {2023-04-22} } @online{olshtein:20211103:mekotio:19a7e5a, author = {Arie Olshtein and Abedalla Hadra}, title = {{Mekotio Banker Returns with Improved Stealth and Ancient Encryption}}, date = {2021-11-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/}, language = {English}, urldate = {2021-11-03} } @online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} } @online{olson:20150810:whats:37ceef6, author = {Ryan Olson}, title = {{What’s Next in Malware After Kuluoz?}}, date = {2015-08-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/}, language = {English}, urldate = {2019-12-20} } @online{olson:20171215:introducing:5d2ce88, author = {Ryan Olson}, title = {{Introducing the Adversary Playbook: First up, OilRig}}, date = {2017-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/}, language = {English}, urldate = {2020-01-08} } @online{olsson:20210107:avoiding:e492089, author = {Sebastian Olsson}, title = {{Avoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST)}}, date = {2021-01-07}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst}, language = {English}, urldate = {2021-01-11} } @online{olsson:20211025:uaparserjs:4de6d3c, author = {Sebastian Olsson}, title = {{UAParser.js npm Package Supply Chain Attack: Impact and Response}}, date = {2021-10-25}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/uaparser-js-npm-package-supply-chain-attack-impact-and-response}, language = {English}, urldate = {2021-11-08} } @online{oluoch:20230817:scattered:4586155, author = {Phelix Oluoch}, title = {{Scattered Spider: The Modus Operandi}}, date = {2023-08-17}, organization = {Trellix}, url = {https://www.trellix.com/about/newsroom/stories/research/scattered-spider-the-modus-operandi/}, language = {English}, urldate = {2023-11-17} } @online{olyniychuk:20230222:new:7164a10, author = {Daryna Olyniychuk}, title = {{New Phishing Attack Detection Attributed to the UAC-0050 and UAC-0096 Groups Spreading Remcos Spyware}}, date = {2023-02-22}, organization = {SOC Prime}, url = {https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/}, language = {English}, urldate = {2023-12-28} } @online{olyniychuk:20231109:agonizing:c77eb65, author = {Daryna Olyniychuk}, title = {{Agonizing Serpens Attack Detection: Iran-Backed Hackers Target Israeli Tech Firms and Educational Institutions}}, date = {2023-11-09}, organization = {SOC Prime}, url = {https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/}, language = {English}, urldate = {2024-02-08} } @online{omeara:20190325:api:eca9d8e, author = {Kyle O'Meara}, title = {{API Hashing Tool, Imagine That}}, date = {2019-03-25}, organization = {Carnegie Mellon University}, url = {https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html}, language = {English}, urldate = {2019-08-05} } @online{omeara:20200323:snake:67fbc1b, author = {Kyle O'Meara}, title = {{Snake Ransomware Analysis Updates}}, date = {2020-03-23}, organization = {Carnegie Mellon University}, url = {https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html}, language = {English}, urldate = {2020-03-28} } @online{omernik:20191016:lnkr:5612e9a, author = {John Omernik}, title = {{LNKR: More than Just a Browser Extension}}, date = {2019-10-16}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/lnkr-browser-extension/}, language = {English}, urldate = {2020-03-04} } @online{one:20240530:disrupting:c684cda, author = {Cloudforce One}, title = {{Disrupting FlyingYeti's campaign targeting Ukraine}}, date = {2024-05-30}, organization = {Cloudflare}, url = {https://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/}, language = {English}, urldate = {2025-02-19} } @online{one:20240530:disrupting:f4572d3, author = {Cloudforce One}, title = {{Disrupting FlyingYeti's campaign targeting Ukraine}}, date = {2024-05-30}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine}, language = {English}, urldate = {2024-12-11} } @online{one:20240925:unraveling:831c746, author = {Cloudforce One}, title = {{Unraveling SloppyLemming’s Operations Across South Asia}}, date = {2024-09-25}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/unraveling-sloppylemming-operations/}, language = {English}, urldate = {2024-09-27} } @online{oneill:20170410:doj:d09e1f5, author = {Patrick Howell O'Neill}, title = {{DOJ moves to topple Kelihos, one of the world's largest botnets}}, date = {2017-04-10}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/}, language = {English}, urldate = {2020-01-09} } @online{oneill:20180824:cobalt:3285531, author = {Patrick Howell O'Neill}, title = {{Cobalt Dickens threat group looks to be similar to indicted hackers}}, date = {2018-08-24}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/cobalt-dickens-iran-mabna-institiute-dell-secureworks/}, language = {English}, urldate = {2020-01-08} } @online{oneill:20210326:googles:7524453, author = {Patrick Howell O'Neill}, title = {{Google’s top security teams unilaterally shut down a counterterrorism operation}}, date = {2021-03-26}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/}, language = {English}, urldate = {2021-03-30} } @online{oneill:20210415:1:ca03d75, author = {Patrick Howell O'Neill}, title = {{The $1 billion Russian cyber company that the US says hacks for Moscow}}, date = {2021-04-15}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/04/15/1022895/us-sanctions-russia-positive-hacking/}, language = {English}, urldate = {2021-04-16} } @online{oneill:20210506:how:880a61c, author = {Patrick Howell O'Neill}, title = {{How China turned a prize-winning iPhone hack against the Uyghurs}}, date = {2021-05-06}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/}, language = {English}, urldate = {2021-05-08} } @online{oneill:20210708:inside:bbfb1bf, author = {Patrick Howell O'Neill}, title = {{Inside the FBI, Russia, and Ukraine’s failed cybercrime investigation}}, date = {2021-07-08}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/07/08/1027999/fbi-russia-ukraine-cybercrime-investigation-ransomware/}, language = {English}, urldate = {2021-07-09} } @online{oneill:20210826:hackers:67d4d78, author = {Patrick Howell O'Neill}, title = {{Hackers are trying to topple Belarus’s dictator, with help from the inside}}, date = {2021-08-26}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/08/26/1033205/belarus-cyber-partisans-lukashenko-hack-opposition/}, language = {English}, urldate = {2021-09-14} } @online{oneill:20211108:grim:14b249a, author = {Patrick Howell O'Neill}, title = {{“A grim outlook”: How cyber surveillance is booming on a global scale}}, date = {2021-11-08}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/11/08/1039395/grim-outlook-cyber-boom-atlantic-council-report/}, language = {English}, urldate = {2021-11-17} } @online{oneill:20211228:hackerforhire:b07ecab, author = {Patrick Howell O'Neill}, title = {{The hacker-for-hire industry is now too big to fail}}, date = {2021-12-28}, organization = {MIT Technology Review}, url = {https://www.technologyreview.com/2021/12/28/1043029/the-hacker-for-hire-industry-is-now-too-big-to-fail/}, language = {English}, urldate = {2021-12-31} } @online{onek1lo:20200204:borr:bd9a635, author = {one_k1lo}, title = {{Borr Malware}}, date = {2020-02-04}, url = {https://telegra.ph/Borr-Malware-02-04}, language = {English}, urldate = {2020-02-13} } @online{onek1lo:20200204:borrstealer:aeba9af, author = {one_k1lo}, title = {{Borr-Stealer: Repository with decompiled code}}, date = {2020-02-04}, organization = {Github (onek1lo)}, url = {https://github.com/onek1lo/Borr-Stealer}, language = {English}, urldate = {2020-02-13} } @online{onion:20230921:quick:0827096, author = {Security Onion}, title = {{Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23}}, date = {2023-09-21}, organization = {Security Onion}, url = {https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html}, language = {English}, urldate = {2023-11-13} } @online{online:20120113:cyber:de2ee6e, author = {Middle East Online}, title = {{Cyber war: 'Gaza hackers' deface Israel fire service website}}, date = {2012-01-13}, organization = {Middle East Online}, url = {https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website}, language = {English}, urldate = {2019-10-12} } @online{online:20231111:unified:6b03621, author = {Precision PC Online}, title = {{A Unified Front Against Cyber Mercenaries}}, date = {2023-11-11}, organization = {Precision PC Online}, url = {https://precisionpconline.com/a-unified-front-against-cyber-mercenaries/}, language = {English}, urldate = {2024-02-08} } @online{onofri:20240207:hijackloader:06aa64a, author = {Donato Onofri and Emanuele Calvelli}, title = {{HijackLoader Expands Techniques to Improve Defense Evasion}}, date = {2024-02-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hijackloader-expands-techniques/}, language = {English}, urldate = {2024-02-08} } @online{onwa:20250107:turla:6fbf8c5, author = {Ameer Onwa}, title = {{Turla Cyber Campaign Targeting Pakistan’s Critical Infrastructure}}, date = {2025-01-07}, organization = {SOCRadar}, url = {https://socradar.io/turla-cyber-campaign-pakistans-critical-infrastructure/}, language = {English}, urldate = {2025-02-03} } @online{oosthoek:20200714:cyber:9064dc4, author = {Kris Oosthoek and Christian Doerr}, title = {{Cyber Threat Intelligence: A Product Without aProcess?}}, date = {2020-07-14}, organization = {International Journal of Intelligence and Counter Intelligence}, url = {https://www.tandfonline.com/doi/pdf/10.1080/08850607.2020.1780062?needAccess=true}, language = {English}, urldate = {2021-06-16} } @online{opa334:20210324:about:36ec57d, author = {opa334}, title = {{Tweet about hashes for Postlo}}, date = {2021-03-24}, organization = {Twitter (@opa334dev)}, url = {https://twitter.com/opa334dev/status/1374754519268098051}, language = {English}, urldate = {2021-06-21} } @online{opacki:20230627:piotr:beae455, author = {Michał Łopacki and Piotr Zarzycki}, title = {{Piotr Zarzycki, Michał Łopacki - Proxy dla przestępców na Twoim urządzeniu [OMH 2022]}}, date = {2023-06-27}, organization = {Youtube (PROIDEA Events)}, url = {https://www.youtube.com/watch?v=tXzcjO1QaHs}, language = {Polish}, urldate = {2025-05-20} } @online{openfacto:20201221:unit:da1fe07, author = {OpenFacto}, title = {{UNIT 68240 Meet Russia’s DARPA}}, date = {2020-12-21}, organization = {OpenFacto}, url = {https://drive.google.com/file/d/1X2r8GGQrVZsgSA6mekBqcRKz4o2zbNJ0/view}, language = {English}, urldate = {2021-02-09} } @online{openhuntingio:20231202:threat:2d4aed7, author = {openhunting.io}, title = {{Threat Hunting Malware Infrastructure}}, date = {2023-12-02}, organization = {openhunting.io}, url = {https://www.linkedin.com/feed/update/urn:li:activity:7137086303329783808/}, language = {English}, urldate = {2023-12-04} } @online{operations:20231109:imperial:8a2f4d0, author = {Counter Adversary Operations}, title = {{IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations}}, date = {2023-11-09}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/}, language = {English}, urldate = {2023-11-14} } @online{operations:20240725:hacktivist:7118991, author = {Counter Adversary Operations}, title = {{Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List}}, date = {2024-07-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/}, language = {English}, urldate = {2024-08-29} } @online{operations:20241119:unveiling:c331139, author = {Counter Adversary Operations}, title = {{Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector}}, date = {2024-11-19}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/}, language = {English}, urldate = {2025-01-15} } @online{operations:20250702:crowdstrike:9d99cb4, author = {Counter Adversary Operations}, title = {{CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries}}, date = {2025-07-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/}, language = {English}, urldate = {2025-07-07} } @online{operator:20210917:default:aaaa15c, author = {Intel Operator}, title = {{The default: 63 6f 62 61 6c 74 strike}}, date = {2021-09-17}, organization = {Medium inteloperator}, url = {https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7}, language = {English}, urldate = {2021-09-19} } @online{oppenheim:20170602:qakbot:ffff91a, author = {Mike Oppenheim and Kevin Zuk and Matan Meir and Limor Kessem}, title = {{QakBot Banking Trojan Causes Massive Active Directory Lockouts}}, date = {2017-06-02}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/}, language = {English}, urldate = {2020-01-10} } @online{ops:20221228:underground:d247ef5, author = {DARK OPS}, title = {{The Underground Economist: Volume 2, Issue 24}}, date = {2022-12-28}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/}, language = {English}, urldate = {2023-04-14} } @online{or10n:20200524:reverse:49c2ad8, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX Loader}}, date = {2020-05-24}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader}, language = {English}, urldate = {2021-06-24} } @online{or10n:20200705:reverse:60298dc, author = {oR10n}, title = {{Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config}}, date = {2020-07-05}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/}, language = {English}, urldate = {2021-06-24} } @online{or10n:20200720:reverse:bcb6023, author = {oR10n}, title = {{Reverse Engineering the New Mustang Panda PlugX Downloader}}, date = {2020-07-20}, organization = {or10nlabs}, url = {https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/}, language = {English}, urldate = {2021-06-24} } @online{or:20220713:uncovering:7e215ef, author = {Jonathan Bar Or and Microsoft 365 Defender Research Team}, title = {{Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706}}, date = {2022-07-13}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/}, language = {English}, urldate = {2022-08-18} } @online{or:20221001:analysismexico:2e2e2bc, author = {Diego Oré}, title = {{Analysis-Mexico data hack exposes government cybersecurity vulnerability}}, date = {2022-10-01}, organization = {Yahoo Finance}, url = {https://finance.yahoo.com/news/analysis-mexico-data-hack-exposes-003101651.html}, language = {English}, urldate = {2023-12-04} } @online{orbac:20250424:understanding:eb5944c, author = {Utku Çorbacı}, title = {{Understanding Alcatraz ~ Obfuscator Analysis [EN]}}, date = {2025-04-24}, organization = {0xreverse}, url = {https://0xreverse.com/understanding-alcatraz-obfuscator-analysis-en}, language = {English}, urldate = {2025-04-25} } @online{orchilles:20200611:threatthursday:b0ccbb8, author = {Jorge Orchilles}, title = {{#ThreatThursday - Buhtrap}}, date = {2020-06-11}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-buhtrap}, language = {English}, urldate = {2020-06-16} } @online{orchilles:20200618:threatthursday:e53136d, author = {Jorge Orchilles}, title = {{#ThreatThursday - APT33}}, date = {2020-06-18}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-apt33}, language = {English}, urldate = {2020-06-19} } @online{orchilles:20201105:threatthursday:a3297b9, author = {Jorge Orchilles and Sean Lyngaas}, title = {{#ThreatThursday - Ryuk}}, date = {2020-11-05}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-ryuk}, language = {English}, urldate = {2020-11-06} } @online{ordonez:20220502:avoslocker:3e0cddd, author = {Christoper Ordonez and Alvin Nieto}, title = {{AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell}}, date = {2022-05-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html}, language = {English}, urldate = {2022-05-04} } @techreport{oreilly:20130326:plugxpayload:d355f49, author = {Kevin O’Reilly}, title = {{PlugX–Payload Extraction}}, date = {2013-03-26}, institution = {Contextis}, url = {https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf}, language = {English}, urldate = {2023-01-19} } @online{oreilly:20190619:malware:a2f7812, author = {Kevin O’Reilly}, title = {{The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware}}, date = {2019-06-19}, organization = {YouTube (44CON Information Security Conference)}, url = {https://www.youtube.com/watch?v=qEwBGGgWgOM}, language = {English}, urldate = {2022-04-04} } @techreport{oreilly:20191207:endtoend:84340da, author = {Kevin O’Reilly and Keith Jarvis}, title = {{End-to-end Botnet Monitoring... Botconf 2019}}, date = {2019-12-07}, institution = {Secureworks}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf}, language = {English}, urldate = {2021-11-08} } @online{oreilly:20240412:doomedloader:247a0a3, author = {Kevin O’Reilly}, title = {{DoomedLoader YARA rule}}, date = {2024-04-12}, organization = {Github (kevoreilly)}, url = {https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/DoomedLoader.yar}, language = {English}, urldate = {2024-06-04} } @online{orini:20220803:reversing:2536312, author = {Gabriele Orini}, title = {{Reversing Golang Developed Ransomware: SNAKE}}, date = {2022-08-03}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/}, language = {English}, urldate = {2022-08-28} } @online{orionwl:20160923:seconddate:12ca0d9, author = {@orionwl}, title = {{SECONDDATE in action}}, date = {2016-09-23}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/23/seconddate-adventures.html}, language = {English}, urldate = {2019-10-18} } @online{orland:20211108:hacking:b0b7f74, author = {Kyle Orland}, title = {{Hacking group says it has found encryption keys needed to unlock the PS5 [Updated]}}, date = {2021-11-08}, organization = {Ars Technica}, url = {https://arstechnica.com/gaming/2021/11/uncovered-ps5-encryption-keys-are-the-first-step-to-unlocking-the-console/}, language = {English}, urldate = {2024-09-27} } @online{orlando:20220112:2021:d68b80f, author = {Guillaume Orlando}, title = {{2021 Gorgon Group APT Operation}}, date = {2022-01-12}, url = {https://guillaumeorlando.github.io/GorgonInfectionchain}, language = {English}, urldate = {2022-01-13} } @online{orlando:20220112:malware:520c370, author = {Guillaume Orlando}, title = {{Malware Analysis - AgentTesla v3}}, date = {2022-01-12}, url = {https://guillaumeorlando.github.io/AgentTesla}, language = {English}, urldate = {2024-04-04} } @online{orleans:20200831:who:9513ae1, author = {Alex Orleans}, title = {{Who Is PIONEER KITTEN?}}, date = {2020-08-31}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/who-is-pioneer-kitten}, language = {English}, urldate = {2020-09-18} } @online{orleans:20200901:who:12a9daa, author = {Alex Orleans}, title = {{Who Is PIONEER KITTEN?}}, date = {2020-09-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/who-is-pioneer-kitten/}, language = {English}, urldate = {2020-09-01} } @online{orleans:20201023:last:c05dd4d, author = {Alex Orleans}, title = {{A Last Clever Knot?}}, date = {2020-10-23}, organization = {Medium Horkos}, url = {https://horkos.medium.com/a-last-clever-knot-26fd26765e8d}, language = {English}, urldate = {2020-10-29} } @online{ortega:20180814:antihooking:b194a7c, author = {Alberto Ortega}, title = {{Anti-Hooking checks of SmokeLoader 2018}}, date = {2018-08-14}, organization = {Plug it, play it, burn it, rip it}, url = {https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/}, language = {English}, urldate = {2020-01-13} } @online{ortiz:20211222:establishing:41e5885, author = {Markel Picado Ortiz}, title = {{Establishing the TigerRAT and TigerDownloader Malware Families}}, date = {2021-12-22}, organization = {Threatray}, url = {https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families}, language = {English}, urldate = {2024-08-15} } @online{ortloff:20160129:from:d5b48fa, author = {Stefan Ortloff}, title = {{From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered}}, date = {2016-01-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/}, language = {English}, urldate = {2019-12-20} } @online{ortloff:20160907:missing:2e26376, author = {Stefan Ortloff}, title = {{The Missing Piece – Sophisticated OS X Backdoor Discovered}}, date = {2016-09-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/}, language = {English}, urldate = {2019-12-20} } @online{ortolani:20220629:lateral:2da51bb, author = {Stefano Ortolani and Giovanni Vigna}, title = {{Lateral Movement in the Real World: A Quantitative Analysis}}, date = {2022-06-29}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/06/lateral-movement-in-the-real-world-a-quantitative-analysis.html}, language = {English}, urldate = {2022-08-31} } @online{osakond:20240905:estonia:150a343, author = {avalike suhete osakond}, title = {{Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks}}, date = {2024-09-05}, organization = {Estonian Ministry of Foreign Affairs}, url = {https://vm.ee/en/news/estonia-names-russias-military-intelligence-first-ever-attribution-cyberattacks}, language = {English}, urldate = {2025-02-03} } @online{osborne:20201008:waterbear:9d810b3, author = {Charlie Osborne}, title = {{Waterbear malware used in attack wave against government agencies}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/}, language = {English}, urldate = {2021-04-20} } @online{osborne:20201105:capcom:3667890, author = {Charlie Osborne}, title = {{Capcom quietly discloses cyberattack impacting email, file servers}}, date = {2020-11-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/}, language = {English}, urldate = {2020-11-06} } @online{osborne:20210203:ursnif:936317a, author = {Charlie Osborne}, title = {{Ursnif Trojan has targeted over 100 Italian banks}}, date = {2021-02-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/}, language = {English}, urldate = {2021-06-29} } @online{osborne:20220330:this:2d04340, author = {Charlie Osborne}, title = {{This new ransomware targets data visualization tool Jupyter Notebook}}, date = {2022-03-30}, organization = {ZDNet}, url = {https://www.zdnet.com/article/this-new-ransomware-targets-data-visualization-tool-jupyter-notebook/}, language = {English}, urldate = {2022-03-31} } @online{osborne:20220331:meet:b772b8f, author = {Charlie Osborne}, title = {{Meet BlackGuard: a new infostealer peddled on Russian hacker forums}}, date = {2022-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/}, language = {English}, urldate = {2022-04-04} } @online{oshaughnessy:20230119:vidar:669a33d, author = {Isaac O'Shaughnessy}, title = {{Vidar Stealer Picks Up Steam!}}, date = {2023-01-19}, organization = {Emerging Threats}, url = {https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271}, language = {English}, urldate = {2023-04-25} } @online{osipov:20190513:look:7526002, author = {Arnold Osipov}, title = {{A Look At Hworm / Houdini aka Njrat}}, date = {2019-05-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/hworm-houdini-aka-njrat}, language = {English}, urldate = {2020-01-05} } @online{osipov:20200130:trickbot:da5c80d, author = {Arnold Osipov}, title = {{Trickbot Trojan Leveraging a New Windows 10 UAC Bypass}}, date = {2020-01-30}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass}, language = {English}, urldate = {2020-02-03} } @online{osipov:20200318:parallax:fa4b01d, author = {Arnold Osipov}, title = {{Parallax: The new RAT on the block}}, date = {2020-03-18}, organization = {Morphisec}, url = {https://blog.morphisec.com/parallax-rat-active-status}, language = {English}, urldate = {2020-03-25} } @online{osipov:20200402:guloader:af464fe, author = {Arnold Osipov}, title = {{GuLoader: The RAT Downloader}}, date = {2020-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/guloader-the-rat-downloader}, language = {English}, urldate = {2021-01-10} } @online{osipov:20200602:ursnifgozi:2e20c85, author = {Arnold Osipov}, title = {{Ursnif/Gozi Delivery - Excel Macro 4.0 Utilization Uptick & OCR Bypass}}, date = {2020-06-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass}, language = {English}, urldate = {2020-06-25} } @online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } @online{osipov:20200820:qakbot:a7e14ef, author = {Arnold Osipov}, title = {{QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal}}, date = {2020-08-20}, organization = {Morphisec}, url = {https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques}, language = {English}, urldate = {2020-08-25} } @online{osipov:20201112:threat:05d4acd, author = {Arnold Osipov}, title = {{Threat Profile: JUPYTER INFOSTEALER}}, date = {2020-11-12}, organization = {Morphisec}, url = {https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction}, language = {English}, urldate = {2021-12-17} } @techreport{osipov:20210104:threat:b875307, author = {Arnold Osipov}, title = {{Threat Profile the Evolution of the FIN7 JSSLoader}}, date = {2021-01-04}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf}, language = {English}, urldate = {2021-01-05} } @online{osipov:20210514:ahk:2da8d24, author = {Arnold Osipov}, title = {{AHK RAT Loader Used in Unique Delivery Campaigns}}, date = {2021-05-14}, organization = {Morphisec}, url = {https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns}, language = {English}, urldate = {2021-05-17} } @online{osipov:20211014:explosive:d6c6eb7, author = {Arnold Osipov}, title = {{Explosive New MirrorBlast Campaign Targets Financial Companies}}, date = {2021-10-14}, organization = {Morphisec}, url = {https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies}, language = {English}, urldate = {2021-10-24} } @online{osipov:20220329:exclusive:37a9d8b, author = {Arnold Osipov}, title = {{Exclusive Threat Research: Mars (Stealer) Attacks!}}, date = {2022-03-29}, organization = {Morphisec}, url = {https://blog.morphisec.com/threat-research-mars-stealer}, language = {English}, urldate = {2022-03-31} } @online{osipov:20230307:sys01:675aea6, author = {Arnold Osipov}, title = {{SYS01 Stealer}}, date = {2023-03-07}, organization = {Morphisec}, url = {https://blog.morphisec.com/sys01stealer-facebook-info-stealer}, language = {English}, urldate = {2023-03-13} } @online{osipov:20230418:what:516436d, author = {Arnold Osipov and Michael Dereviashkin}, title = {{What Makes Invalid Printer Loader So Stealthy?}}, date = {2023-04-18}, organization = {Morphisec}, url = {https://blog.morphisec.com/in2al5d-p3in4er}, language = {English}, urldate = {2023-04-22} } @online{osipov:20230629:guloader:bed6b31, author = {Arnold Osipov}, title = {{GuLoader Campaign Targets Law Firms in the US}}, date = {2023-06-29}, organization = {Morphisec}, url = {https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us}, language = {English}, urldate = {2024-04-04} } @online{osipov:20240118:chae:7b62bdb, author = {Arnold Osipov}, title = {{Chae$ Chronicles: Version 4.1 Dedicated to Morphisec Researchers}}, date = {2024-01-18}, organization = {Morphisec}, url = {https://blog.morphisec.com/chaes-chronicles}, language = {English}, urldate = {2024-02-02} } @techreport{osipov:20240118:chae:c2ebc7d, author = {Arnold Osipov}, title = {{Chae$ Chronicles: Version 4.1 Dedicated to Morphisec Researchers}}, date = {2024-01-18}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/Chae$_Chronicles_Chaes4.1.pdf}, language = {English}, urldate = {2024-02-02} } @online{osipov:20240606:howling:c1d5091, author = {Arnold Osipov}, title = {{Howling at the Inbox: Sticky Werewolf’s Latest Malicious Aviation Attacks}}, date = {2024-06-06}, organization = {Morphisec}, url = {https://www.morphisec.com/blog/sticky-werewolfs-aviation-attacks/}, language = {English}, urldate = {2025-03-07} } @online{osis:20180717:deep:56fcfcf, author = {Kaspars Osis}, title = {{A deep dive down the Vermin RAThole}}, date = {2018-07-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/}, language = {English}, urldate = {2019-11-14} } @online{ostrovsky:20170301:gootkit:ab4991e, author = {Gadi Ostrovsky and Limor Kessem}, title = {{GootKit Developers Dress It Up With Web Traffic Proxy}}, date = {2017-03-01}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/}, language = {English}, urldate = {2020-01-07} } @online{ostrovsky:20171108:overlay:ad4efd8, author = {Gadi Ostrovsky and Limor Kessem}, title = {{Overlay RAT Malware Uses AutoIt Scripting to Bypass Antivirus Detection}}, date = {2017-11-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/}, language = {English}, urldate = {2019-12-10} } @online{osxreverser:20140216:analysis:448d0df, author = {osxreverser}, title = {{Analysis of CoinThief/A "dropper"}}, date = {2014-02-16}, organization = {Put As blog}, url = {https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/}, language = {English}, urldate = {2020-01-06} } @online{osxreverser:20200926:finfisher:55d2223, author = {osxreverser}, title = {{The Finfisher Tales, Chapter 1: The dropper}}, date = {2020-09-26}, organization = {Reverse.Put.As}, url = {https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/}, language = {English}, urldate = {2020-10-05} } @online{otto:20210602:call:ad8156c, author = {Greg Otto}, title = {{Call for crimes? Russian-language forum runs contest for cryptocurrency hacks}}, date = {2021-06-02}, organization = {Intel 471}, url = {https://intel471.com/blog/call-for-crimes-russian-language-forum-runs-contest-for-cryptocurrency-hacks}, language = {English}, urldate = {2021-06-24} } @online{otto:20210623:cybercriminals:63b3308, author = {Greg Otto}, title = {{Cybercriminals shop around for schemes targeting retail}}, date = {2021-06-23}, organization = {Intel 471}, url = {https://intel471.com/blog/retail-cybercrime-threats-2021}, language = {English}, urldate = {2021-06-24} } @online{ouadia:20211026:detecting:2a3e2fa, author = {Hamza OUADIA}, title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1}}, date = {2021-10-26}, organization = {unh4ck}, url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1}, language = {English}, urldate = {2021-11-03} } @techreport{ouytsel:20220413:malware:f8279a1, author = {Charles-Henry Bertrand Van Ouytsel and Axel Legay}, title = {{Malware Analysis with Symbolic Execution and Graph Kernel}}, date = {2022-04-13}, institution = {Universit ́e Catholique de Louvain}, url = {https://arxiv.org/pdf/2204.05632.pdf}, language = {English}, urldate = {2022-04-15} } @online{ovadia:20220419:hive:51c5eb7, author = {Nadav Ovadia}, title = {{Hive Ransomware Analysis}}, date = {2022-04-19}, organization = {Varonis}, url = {https://www.varonis.com/blog/hive-ransomware-analysis}, language = {English}, urldate = {2022-04-25} } @online{ovi:20230925:rearchive:72332ff, author = {Ovi}, title = {{REArchive: Reverse engineering APT37’s GOLDBACKDOOR dropper}}, date = {2023-09-25}, organization = {0x0v1}, url = {https://www.0x0v1.com/rearchive-goldbackdoor/}, language = {English}, urldate = {2023-10-02} } @online{ovi:20240301:apt37s:c4f93e0, author = {Ovi}, title = {{APT37's ROKRAT HWP Object Linking and Embedding}}, date = {2024-03-01}, organization = {0x0v1}, url = {https://www.0x0v1.com/rearchive-rokrat-hwp/}, language = {English}, urldate = {2024-03-04} } @online{owaida:20200716:highprofile:9e5eb1d, author = {Amer Owaida}, title = {{High‑profile Twitter accounts hacked to promote Bitcoin scam}}, date = {2020-07-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/07/16/high-profile-twitter-accounts-hacked-bitcoin-scam/}, language = {English}, urldate = {2020-07-16} } @online{owaida:20210318:beware:2218ccd, author = {Amer Owaida}, title = {{Beware Android trojan posing as Clubhouse app}}, date = {2021-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/18/beware-android-trojan-posing-clubhouse-app/}, language = {English}, urldate = {2021-03-25} } @online{owen:20210504:detecting:8e2a985, author = {Owen}, title = {{Detecting Lateral Movement via WinRM Using KQL}}, date = {2021-05-04}, organization = {in.security}, url = {https://in.security/detecting-lateral-movement-via-winrm-using-kql/}, language = {English}, urldate = {2021-05-07} } @online{owens:20210427:macos:489e558, author = {Cedric Owens}, title = {{macOS Gatekeeper Bypass (2021 Edition)}}, date = {2021-04-27}, organization = {Medium Cedric Owens}, url = {https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508}, language = {English}, urldate = {2021-04-29} } @techreport{ozawa:20200819:operation:445be8c, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: Colorful Panda Footprint}}, date = {2020-08-19}, institution = {NTT Security}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2022-07-29} } @techreport{ozawa:20200828:operation:e0feab5, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation Lagtime IT: Colourful Panda Footprint}}, date = {2020-08-28}, institution = {NTT}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2022-07-25} } @techreport{ozawa:20200930:operation:04593f6, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-20.pdf}, language = {English}, urldate = {2021-02-06} } @techreport{ozawa:20200930:operation:1efe218, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf}, language = {English}, urldate = {2021-01-25} } @online{ozawa:20210108:operation:18eec5e, author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike}, title = {{Operation LagTime IT: colourful Panda footprint}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ}, language = {English}, urldate = {2021-02-06} } @online{p:20220408:cryptoclip:146cd1c, author = {Vigneshwaran P}, title = {{CryptoClip Hijacker}}, date = {2022-04-08}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/cryptoclip-hijacker/}, language = {English}, urldate = {2024-04-23} } @online{p:20220727:credential:8fa4754, author = {Vigneshwaran P}, title = {{Credential Stealer RedLine Reemerges}}, date = {2022-07-27}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/credential-stealer-redline-reemerges/}, language = {English}, urldate = {2024-04-18} } @online{p:20230202:ransomed:7d736c8, author = {Vigneshwaran P}, title = {{Ransomed by Warlock Dark Army “OFFICIALS”}}, date = {2023-02-02}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials/}, language = {English}, urldate = {2024-04-23} } @online{p:20230223:donot:3806844, author = {Vigneshwaran P}, title = {{The DoNot APT}}, date = {2023-02-23}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/the-donot-apt/}, language = {English}, urldate = {2023-07-24} } @online{p:20230725:akiras:71513eb, author = {Vigneshwaran P}, title = {{Akira’s Play with Linux}}, date = {2023-07-25}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/akiras-play-with-linux/}, language = {English}, urldate = {2023-08-21} } @online{p:20240102:open:da3401d, author = {Sekar P}, title = {{Open Source Stealers (OSS) – Python}}, date = {2024-01-02}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/open-source-stealers-oss-python/}, language = {English}, urldate = {2025-02-06} } @online{p:20240326:unknown:4c02a21, author = {Vigneshwaran P}, title = {{Unknown TTPs of Remcos RAT}}, date = {2024-03-26}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/unknown-ttps-of-remcos-rat/}, language = {English}, urldate = {2024-04-23} } @online{pacag:20170531:necurs:07ea4cc, author = {Homer Pacag}, title = {{Necurs Recurs}}, date = {2017-05-31}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/}, language = {English}, urldate = {2019-12-19} } @online{pacag:20200722:lockscreen:e3c212d, author = {Homer Pacag}, title = {{Lockscreen Ransomware Phishing Leads To Google Play Card Scam}}, date = {2020-07-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/}, language = {English}, urldate = {2020-07-30} } @online{pacag:20220316:attack:2206ea8, author = {Homer Pacag}, title = {{The Attack of the Chameleon Phishing Page}}, date = {2022-03-16}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-of-the-chameleon-phishing-page/}, language = {English}, urldate = {2022-03-17} } @techreport{paciorek:20230907:ransomedvc:e5cdabe, author = {Karol Paciorek}, title = {{RANSOMED[.]VC - forum, ransomware or hacktivists?}}, date = {2023-09-07}, institution = {KNF CSIRT}, url = {https://cebrf.knf.gov.pl/images/RANSOMEDVC_-_ANALYSIS_KP_en.pdf}, language = {English}, urldate = {2023-10-09} } @online{packt:20210420:what:e5cdffb, author = {Packt}, title = {{What Is Cyber Threat Intelligence?}}, date = {2021-04-20}, organization = {Medium Packt}, url = {https://packt.medium.com/what-is-cyber-threat-intelligence-7f369e5d773b}, language = {English}, urldate = {2021-06-16} } @online{packtsecurity:20220602:secpro:91d88bd, author = {packtsecurity}, title = {{A SecPro Super Issue: Understanding LockBit}}, date = {2022-06-02}, organization = {Packt}, url = {https://security.packt.com/understanding-lockbit/}, language = {English}, urldate = {2022-10-06} } @online{paf:20160607:story:f92c17c, author = {PAF and mirak}, title = {{The Story of yet another ransom-fail-ware}}, date = {2016-06-07}, organization = {Sogeti}, url = {http://web.archive.org/web/20191008053714/http://esec-lab.sogeti.com/posts/2016/06/07/the-story-of-yet-another-ransomfailware.html}, language = {English}, urldate = {2023-05-30} } @online{paganini:1900:hackers:a750343, author = {Pierluigi Paganini}, title = {{Hackers Broke Into the Celeb London Bridge Plastic Surgery Clinic}}, date = {1900}, organization = {Security Affairs}, url = {http://securityaffairs.co/wordpress/64782/data-breach/london-bridge-plastic-surgery-hack.html}, language = {English}, urldate = {2023-11-27} } @online{paganini:20150217:ali:b9323a0, author = {Pierluigi Paganini}, title = {{Ali Baba, the APT group from the Middle East}}, date = {2015-02-17}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html}, language = {English}, urldate = {2022-07-29} } @online{paganini:20150219:arid:c2612d7, author = {Pierluigi Paganini}, title = {{Arid Viper – Israel entities targeted by malware packaged with sex video}}, date = {2015-02-19}, organization = {Security Affairs}, url = {http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html}, language = {English}, urldate = {2020-01-06} } @online{paganini:20150708:animal:bd9d9dc, author = {Pierluigi Paganini}, title = {{Animal Farm APT and the Shadow of French Intelligence}}, date = {2015-07-08}, organization = {Infosec}, url = {https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/}, language = {English}, urldate = {2019-12-19} } @online{paganini:20150826:sphinx:dfbcee8, author = {Pierluigi Paganini}, title = {{Sphinx, a new variant of Zeus available for sale in the underground}}, date = {2015-08-26}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html}, language = {English}, urldate = {2020-01-08} } @online{paganini:20160707:new:7c765a2, author = {Pierluigi Paganini}, title = {{New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.}}, date = {2016-07-07}, url = {http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html}, language = {English}, urldate = {2019-11-22} } @online{paganini:20160731:china:ff06fa8, author = {Pierluigi Paganini}, title = {{China 1937CN Team Hackers Attack Airports in Vietnam}}, date = {2016-07-31}, organization = {Security Affairs}, url = {http://securityaffairs.co/wordpress/49876/hacking/china-1937cn-team-vietnam.html}, language = {English}, urldate = {2023-11-27} } @online{paganini:20170216:iranian:917f46c, author = {Pierluigi Paganini}, title = {{Iranian hackers behind the Magic Hound campaign linked to Shamoon}}, date = {2017-02-16}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html}, language = {English}, urldate = {2022-07-29} } @online{paganini:20170901:vxer:d2f951b, author = {Pierluigi Paganini}, title = {{Vxer is offering Cobian RAT in the underground, but it is backdoored}}, date = {2017-09-01}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html}, language = {English}, urldate = {2020-01-06} } @online{paganini:20170906:shadowbrokers:5909aa9, author = {Pierluigi Paganini}, title = {{ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month}}, date = {2017-09-06}, organization = {SecurityAffairs}, url = {http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html}, language = {English}, urldate = {2019-12-18} } @online{paganini:20180122:op:589613e, author = {Pierluigi Paganini}, title = {{Op EvilTraffic CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign}}, date = {2018-01-22}, organization = {Security Affairs}, url = {http://securityaffairs.co/wordpress/68059/cyber-crime/eviltraffic-malvertising-campaign.html}, language = {English}, urldate = {2020-01-08} } @online{paganini:20200229:sodinokibi:799a623, author = {Pierluigi Paganini}, title = {{Sodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm}}, date = {2020-02-29}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html}, language = {English}, urldate = {2020-03-11} } @online{paganini:20220202:experts:0eedd89, author = {Pierluigi Paganini}, title = {{Experts warn of a spike in APT35 activity and a possible link to Memento ransomware op}}, date = {2022-02-02}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/127526/apt/apt35-spike-memento-op.html}, language = {English}, urldate = {2022-02-04} } @online{paganini:20220207:avast:12bb4e5, author = {Pierluigi Paganini}, title = {{Avast released a free decryptor for TargetCompany ransomware}}, date = {2022-02-07}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html}, language = {English}, urldate = {2022-02-10} } @online{paganini:20220209:master:b0b64b8, author = {Pierluigi Paganini}, title = {{Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online}}, date = {2022-02-09}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html}, language = {English}, urldate = {2022-02-10} } @online{paganini:20220220:conti:a6d57b1, author = {Pierluigi Paganini}, title = {{The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.}}, date = {2022-02-20}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html}, language = {English}, urldate = {2022-02-26} } @online{paganini:20220221:flaw:0b723b0, author = {Pierluigi Paganini}, title = {{A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files}}, date = {2022-02-21}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } @online{paganini:20220313:hidden:c809849, author = {Pierluigi Paganini}, title = {{The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years}}, date = {2022-03-13}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html}, language = {English}, urldate = {2022-03-14} } @online{paganini:20220315:caddywiper:13b5403, author = {Pierluigi Paganini}, title = {{CaddyWiper, a new data wiper hits Ukraine}}, date = {2022-03-15}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html}, language = {English}, urldate = {2022-03-15} } @online{paganini:20220323:its:93ae664, author = {Pierluigi Paganini}, title = {{It’s official, Lapsus$ gang compromised a Microsoft employee’s account}}, date = {2022-03-23}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html}, language = {English}, urldate = {2022-03-25} } @online{paganini:20220711:anubis:f2a0277, author = {Pierluigi Paganini}, title = {{Anubis Networks is back with new C2 server}}, date = {2022-07-11}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html}, language = {English}, urldate = {2022-07-12} } @online{paganini:20220731:threat:899e6f4, author = {Pierluigi Paganini}, title = {{Threat actor claims to have hacked European manufacturer of missiles MBDA}}, date = {2022-07-31}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html}, language = {English}, urldate = {2024-12-09} } @online{paganini:20230201:new:4605a53, author = {Pierluigi Paganini}, title = {{New LockBit Green ransomware variant borrows code from Conti ransomware}}, date = {2023-02-01}, organization = {Security Affairs}, url = {https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html}, language = {English}, urldate = {2023-02-02} } @online{paganini:20230927:ransomedvc:d78d33e, author = {Pierluigi Paganini}, title = {{‘Ransomed.VC’ in the Spotlight – What is Known About the Ransomware Group Targeting Sony and NTT Docomo}}, date = {2023-09-27}, organization = {SecurityAffairs}, url = {https://securityaffairs.com/151550/data-breach/ransomed-vc-sony-ntt-alleged-attacks.html}, language = {English}, urldate = {2023-12-04} } @online{paganini:20240422:hackers:f168d4a, author = {Pierluigi Paganini}, title = {{Hackers threaten to leak a copy of the World-Check database used to assess potential risks associated with entities}}, date = {2024-04-22}, organization = {Security Affairs}, url = {https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html}, language = {English}, urldate = {2025-05-02} } @online{paganini:20240506:el:8d58173, author = {Pierluigi Paganini}, title = {{El Salvador suffered a massive leak of biometric data}}, date = {2024-05-06}, organization = {Security Affairs}, url = {https://securityaffairs.com/162790/data-breach/el-salvador-massive-leak-biometric-data.html}, language = {English}, urldate = {2024-12-11} } @online{paganini:20240607:pandabuy:cfcb506, author = {Pierluigi Paganini}, title = {{Pandabuy was extorted twice by the same Threat Actor}}, date = {2024-06-07}, organization = {Security Affairs}, url = {https://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html}, language = {English}, urldate = {2024-09-04} } @online{paganini:20241126:source:de579b3, author = {Pierluigi Paganini}, title = {{The source code of Banshee Stealer leaked online}}, date = {2024-11-26}, organization = {Security Affairs}, url = {https://securityaffairs.com/171423/malware/the-source-code-of-banshee-stealer-leaked-online.html}, language = {English}, urldate = {2024-11-26} } @online{paganoni:20150810:fobber:ac48fa7, author = {Sergio Paganoni}, title = {{Fobber Code Decryption}}, date = {2015-08-10}, organization = {Coding Stuffs}, url = {http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html}, language = {English}, urldate = {2020-01-10} } @online{page:20231020:authorities:27ebfa9, author = {Carly Page}, title = {{Authorities confirm RagnarLocker ransomware taken down during international sting}}, date = {2023-10-20}, organization = {TechCrunch}, url = {https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1}, language = {English}, urldate = {2024-03-18} } @online{pak:20190807:moqhao:9a44d6c, author = {Chanung Pak and Yukihiro Okutomi}, title = {{MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play}}, date = {2019-08-07}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/}, language = {English}, urldate = {2020-01-08} } @online{pak:20210903:phishing:2c9380d, author = {Chanung Pak}, title = {{Phishing Android Malware Targets Taxpayers in India}}, date = {2021-09-03}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-android-malware-targets-taxpayers-in-india/}, language = {English}, urldate = {2021-09-09} } @online{pal:20220331:how:c5195a9, author = {Debashis Pal}, title = {{How to: Detect and prevent common data exfiltration attacks}}, date = {2022-03-31}, organization = {APNIC}, url = {https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/}, language = {English}, urldate = {2022-05-05} } @online{palantir:20200708:restricting:07ad467, author = {Palantir}, title = {{Restricting SMB-based lateral movement in a Windows environment}}, date = {2020-07-08}, url = {https://medium.com/palantir/restricting-smb-based-lateral-movement-in-a-windows-environment-ed033b888721}, language = {English}, urldate = {2020-07-11} } @online{palazolo:20200918:reverse:689e4cb, author = {Gustavo Palazolo and Felipe Duarte}, title = {{Reverse Engineering Dridex and Automating IOC Extraction}}, date = {2020-09-18}, organization = {AppGate}, url = {https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction}, language = {English}, urldate = {2020-09-25} } @online{palazolo:20201115:ransomexx:86689d1, author = {Gustavo Palazolo}, title = {{RansomEXX — Análise do Ransomware Utilizado no Ataque ao STJ}}, date = {2020-11-15}, organization = {Medium GustavoPalazolo}, url = {https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195}, language = {Portuguese}, urldate = {2020-12-10} } @online{palazolo:20210707:netskope:5b5bd6c, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: REvil}}, date = {2021-07-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-revil}, language = {English}, urldate = {2021-07-19} } @online{palazolo:20210812:netskope:b320543, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: LockBit}}, date = {2021-08-12}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-lockbit}, language = {English}, urldate = {2021-09-02} } @online{palazolo:20210823:netskope:356b783, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: BlackMatter}}, date = {2021-08-23}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-blackmatter}, language = {English}, urldate = {2021-08-25} } @online{palazolo:20210910:hive:e875859, author = {Gustavo Palazolo}, title = {{Hive Ransomware: Actively Targeting Hospitals}}, date = {2021-09-10}, organization = {Netskope}, url = {https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals}, language = {English}, urldate = {2021-09-14} } @online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } @online{palazolo:20211021:dbatloader:7074875, author = {Gustavo Palazolo}, title = {{DBatLoader: Abusing Discord to Deliver Warzone RAT}}, date = {2021-10-21}, organization = {Netskope}, url = {https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat}, language = {English}, urldate = {2021-10-26} } @online{palazolo:20211118:netskope:39d2098, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{Netskope Threat Coverage: The Return of Emotet}}, date = {2021-11-18}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet}, language = {English}, urldate = {2021-11-25} } @online{palazolo:20220112:abusing:47afdc2, author = {Gustavo Palazolo}, title = {{Abusing Microsoft Office Using Malicious Web Archive Files}}, date = {2022-01-12}, organization = {Netskope}, url = {https://www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive-files}, language = {English}, urldate = {2022-01-18} } @online{palazolo:20220124:infected:65db665, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware}}, date = {2022-01-24}, organization = {Netskope}, url = {https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware}, language = {English}, urldate = {2022-01-28} } @online{palazolo:20220126:netskope:8a29793, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: WhisperGate}}, date = {2022-01-26}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-whispergate}, language = {English}, urldate = {2022-01-31} } @online{palazolo:20220311:new:68467fb, author = {Gustavo Palazolo}, title = {{New Formbook Campaign Delivered Through Phishing Emails}}, date = {2022-03-11}, organization = {Netskope}, url = {https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails}, language = {English}, urldate = {2022-03-14} } @online{palazolo:20220506:emotet:44a2595, author = {Gustavo Palazolo}, title = {{Emotet: New Delivery Mechanism to Bypass VBA Protection}}, date = {2022-05-06}, organization = {Netskope}, url = {https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection}, language = {English}, urldate = {2022-05-09} } @online{palazolo:20220512:redline:2a91da2, author = {Gustavo Palazolo}, title = {{RedLine Stealer Campaign Using Binance Mystery Box Videos to Spread GitHub-Hosted Payload}}, date = {2022-05-12}, organization = {Netskope}, url = {https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload}, language = {English}, urldate = {2022-05-17} } @online{palazolo:20220627:emotet:e01f0fb, author = {Gustavo Palazolo}, title = {{Emotet: Still Abusing Microsoft Office Macros}}, date = {2022-06-27}, organization = {Netskope}, url = {https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros}, language = {English}, urldate = {2022-06-30} } @online{palazolo:20220804:ousaban:270a6b9, author = {Gustavo Palazolo}, title = {{Ousaban: LATAM Banking Malware Abusing Cloud Services}}, date = {2022-08-04}, organization = {Netskope}, url = {https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services}, language = {English}, urldate = {2022-08-05} } @online{palazolo:20220829:asyncrat:62d95df, author = {Gustavo Palazolo}, title = {{AsyncRAT: Using Fully Undetected Downloader}}, date = {2022-08-29}, organization = {Netskope}, url = {https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader}, language = {English}, urldate = {2022-09-13} } @online{palazolo:20221109:blackcat:8205dee, author = {Gustavo Palazolo}, title = {{BlackCat Ransomware: Tactics and Techniques From a Targeted Attack}}, date = {2022-11-09}, organization = {Netskope}, url = {https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack}, language = {English}, urldate = {2022-11-18} } @online{palmer:20160422:ghost:dda6514, author = {Isaac Palmer}, title = {{The Ghost Dragon}}, date = {2016-04-22}, organization = {Cylance}, url = {https://blog.cylance.com/the-ghost-dragon}, language = {English}, urldate = {2020-01-08} } @online{palmer:20180122:this:cce88e0, author = {Danny Palmer}, title = {{This hacking gang just updated the malware it uses against UK targets}}, date = {2018-01-22}, organization = {ZDNet}, url = {https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/}, language = {English}, urldate = {2020-01-13} } @online{palmer:20210920:building:c0bbbbd, author = {Adam Palmer and Jesper Eneberg}, title = {{Building an Open Source IDS IPS service for Gateway Load Balancer}}, date = {2021-09-20}, organization = {Amazon}, url = {https://aws.amazon.com/blogs/networking-and-content-delivery/building-an-open-source-ids-ips-service-for-gateway-load-balancer/}, language = {English}, urldate = {2022-03-07} } @techreport{palmer:20211022:building:d955106, author = {Adam Palmer and Nick Coval}, title = {{Building an open source IDS/IPS service on AWS with Suricata}}, date = {2021-10-22}, institution = {Amazon}, url = {https://suricon.net/wp-content/uploads/2021/10/SURICON2021-CovalPalmer-Building-Open-Source-IDS-with-Suricata.pdf}, language = {English}, urldate = {2022-03-07} } @online{palmer:20220223:security:a2a6eeb, author = {Danny Palmer}, title = {{Security warning: Hackers are using this new malware to target firewall appliances}}, date = {2022-02-23}, organization = {ZDNet}, url = {https://www-zdnet-com.cdn.ampproject.org/c/s/www.zdnet.com/google-amp/article/security-warning-hackers-are-using-this-new-malware-to-target-firewall-appliances/}, language = {English}, urldate = {2022-03-01} } @online{palotay:201804:samsam:9ca3687, author = {Dorka Palotay and Peter Mackenzie}, title = {{SamSam Ransomware Chooses Its Targets Carefully}}, date = {2018-04}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx}, language = {English}, urldate = {2019-12-20} } @online{palotay:20210922:sysrv:7ac3438, author = {Dorka Palotay}, title = {{The Sysrv Botnet and How It Evolved}}, date = {2021-09-22}, organization = {CUJOAI}, url = {https://cujo.com/the-sysrv-botnet-and-how-it-evolved/}, language = {English}, urldate = {2021-09-29} } @online{pancak3lullz:20200430:first:1bc2560, author = {@pancak3lullz}, title = {{First public tweet on MASS Logger}}, date = {2020-04-30}, organization = {Twitter (@pancak3lullz)}, url = {https://twitter.com/pancak3lullz/status/1255893734241304576}, language = {English}, urldate = {2020-05-18} } @online{pankov:20170403:moonlight:6ce6041, author = {Nikolay Pankov}, title = {{Moonlight Maze: Lessons from history}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/}, language = {English}, urldate = {2020-01-09} } @online{panopio:20240123:kasseika:6a79d3e, author = {Emmanuel Panopio and Christian Jason Geollegue and Julius Keith Estrellado and Christian Alpuerto and Shawn Austin Santos and Emmanuel Roll and Rhio Manaog and Gerald Fernandez and Don Ovid Ladores and Raighen Sanchez and Raymart Yambot and Francesca Villasanta and Sophia Nilette Robles}, title = {{Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver}}, date = {2024-01-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html}, language = {English}, urldate = {2024-02-02} } @online{pantazopoulos:20170622:lokibot:cb24973, author = {Rob Pantazopoulos}, title = {{Loki-Bot: InformationStealer, Keylogger, &More!}}, date = {2017-06-22}, organization = {SANS Institute Information Security Reading Room}, url = {https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850}, language = {English}, urldate = {2019-07-11} } @online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2022-09-20} } @online{pantazopoulos:20180420:decoding:b4ca1d1, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-20}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2022-10-07} } @online{pantazopoulos:20180518:emissary:ed9583a, author = {Nikolaos Pantazopoulos and Thomas Henry}, title = {{Emissary Panda – A potential new malicious tool}}, date = {2018-05-18}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/}, language = {English}, urldate = {2021-03-22} } @online{pantazopoulos:20200602:indepth:bc09c9f, author = {Nikolaos Pantazopoulos and Stefano Antenucci}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } @online{pantazopoulos:20200602:indepth:f43e58f, author = {Nikolaos Pantazopoulos and Stefano Antenucci and NCC RIFT}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } @online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } @online{pantazopoulos:20211201:tracking:b67c8f7, author = {Nikolaos Pantazopoulos and Michael Sandee}, title = {{Tracking a P2P network related to TA505}}, date = {2021-12-01}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/}, language = {English}, urldate = {2021-12-01} } @online{pantazopoulos:20220331:continuation:b38514d, author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team}, title = {{Conti-nuation: methods and techniques observed in operations post the leaks}}, date = {2022-03-31}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/}, language = {English}, urldate = {2022-03-31} } @online{pantazopoulos:20230221:technical:f0dc423, author = {Nikolaos Pantazopoulos and Sarthak Misraa}, title = {{Technical Analysis of Rhadamanthys Obfuscation Techniques}}, date = {2023-02-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques}, language = {English}, urldate = {2023-08-16} } @online{pantazopoulos:20240212:devolution:1e3cab5, author = {Nikolaos Pantazopoulos}, title = {{The (D)Evolution of Pikabot}}, date = {2024-02-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/d-evolution-pikabot}, language = {English}, urldate = {2024-02-13} } @online{pantazopoulos:20240408:automating:454f93b, author = {Nikolaos Pantazopoulos}, title = {{Automating Pikabot’s String Deobfuscation}}, date = {2024-04-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation}, language = {English}, urldate = {2024-04-10} } @online{pantazopoulos:20241119:unraveling:54eba32, author = {Nikolaos Pantazopoulos}, title = {{Unraveling Raspberry Robin's Layers: Analyzing Obfuscation Techniques and Core Mechanisms}}, date = {2024-11-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/unraveling-raspberry-robin-s-layers-analyzing-obfuscation-techniques-and}, language = {English}, urldate = {2025-03-27} } @online{pantig:20121221:infostealer:775f6fa, author = {Jason Pantig}, title = {{Infostealer Dexter Targets Checkout Systems}}, date = {2012-12-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/}, language = {English}, urldate = {2020-01-08} } @online{paquetclouston:20161102:exposing:a60a684, author = {Masarah Paquet-Clouston}, title = {{Exposing the EGO MARKET: the cybercrime performed by the Linux/Moose botnet}}, date = {2016-11-02}, organization = {GoSecure}, url = {http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/}, language = {English}, urldate = {2019-11-22} } @techreport{paquetclouston:20181003:uncovering:1788496, author = {Masarah Paquet-Clouston and Olivier Bilodeau}, title = {{Uncovering the Wholesale Industry of Social Media Fraud: From Botnets to Bulk Reseller Panels}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf}, language = {English}, urldate = {2020-01-13} } @online{paquetclouston:20201202:deep:86e72b5, author = {Masarah Paquet-Clouston}, title = {{Deep Dive into an Obfuscation-as-a-Service for Android Malware}}, date = {2020-12-02}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/}, language = {English}, urldate = {2020-12-08} } @online{parata:20180226:analyzing:07c666d, author = {Antonio Parata}, title = {{Analyzing the nasty .NET protection of the Ploutus.D malware}}, date = {2018-02-26}, organization = {Secure coding and more blog}, url = {http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html}, language = {English}, urldate = {2020-01-06} } @online{parata:20211110:ploutus:7b4ca7b, author = {Antonio Parata}, title = {{Ploutus ATM Malware Case Study: Automated Deobfuscation of a Strongly Obfuscated .NET Binary}}, date = {2021-11-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study}, language = {English}, urldate = {2021-11-17} } @online{parata:20220121:analyzing:53d0a8a, author = {Antonio Parata}, title = {{Analyzing an IDA Pro anti-decompilation code}}, date = {2022-01-21}, organization = {Twitte (@s4tan)}, url = {https://antonioparata.blogspot.com/2022/01/analyzing-ida-pro-anti-decompilation.html}, language = {English}, urldate = {2022-01-25} } @online{parilli:20211215:no:b7a3405, author = {Alessandro Parilli and James Maclachlan}, title = {{No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages (UNC3379)}}, date = {2021-12-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/supply-chain-node-js}, language = {English}, urldate = {2021-12-31} } @online{parisi:20221202:not:7f9fee4, author = {Tim Parisi}, title = {{Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies}}, date = {2022-12-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/}, language = {English}, urldate = {2022-12-14} } @techreport{park:20200330:behind:7c5548e, author = {Seongsu Park}, title = {{Behind the Mask of ScarCruft}}, date = {2020-03-30}, institution = {Kaspersky SAS}, url = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf}, language = {English}, urldate = {2020-03-31} } @online{park:20201223:lazarus:a1413a8, author = {Seongsu Park}, title = {{Lazarus covets COVID-19-related intelligence}}, date = {2020-12-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/}, language = {English}, urldate = {2023-07-08} } @online{park:20210615:andariel:1e000a0, author = {Seongsu Park}, title = {{Andariel evolves to target South Korea with ransomware}}, date = {2021-06-15}, organization = {Kaspersky}, url = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/}, language = {English}, urldate = {2023-09-22} } @techreport{park:20211008:multiuniverse:87fc078, author = {Seongsu Park}, title = {{Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections}}, date = {2021-10-08}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2021-Park.pdf}, language = {English}, urldate = {2023-07-24} } @online{park:20220113:bluenoroff:a3ce5e4, author = {Seongsu Park and Vitaly Kamluk}, title = {{The BlueNoroff cryptocurrency hunt is still on}}, date = {2022-01-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/}, language = {English}, urldate = {2023-08-10} } @online{park:20220813:attribution:a689611, author = {Seongsu Park}, title = {{Attribution and Bias: My terrible mistakes in threat intelligence attribution}}, date = {2022-08-13}, organization = {YoutTube (Blue Team Village)}, url = {https://www.youtube.com/watch?v=rjA0Vf75cYk}, language = {English}, urldate = {2022-09-19} } @online{park:20220825:kimsukys:8ae4c1f, author = {Seongsu Park}, title = {{Kimsuky’s GoldDragon cluster and its C2 operations}}, date = {2022-08-25}, organization = {Kaspersky}, url = {https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/}, language = {English}, urldate = {2022-08-28} } @online{park:20221227:bluenoroff:383c86f, author = {Seongsu Park}, title = {{BlueNoroff introduces new methods bypassing MoTW}}, date = {2022-12-27}, organization = {Kaspersky}, url = {https://securelist.com/bluenoroff-methods-bypass-motw/108383/}, language = {English}, urldate = {2023-06-29} } @online{park:20230412:following:851b624, author = {Seongsu Park}, title = {{Following the Lazarus group by tracking DeathNote campaign}}, date = {2023-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-lazarus-group-deathnote-campaign/109490/}, language = {English}, urldate = {2023-11-27} } @online{park:20231027:cascade:444482f, author = {Seongsu Park}, title = {{A cascade of compromise: unveiling Lazarus’ new campaign}}, date = {2023-10-27}, organization = {Kaspersky}, url = {https://securelist.com/unveiling-lazarus-new-campaign/110888/}, language = {English}, urldate = {2023-11-13} } @online{parker:20250116:virus:781e28f, author = {Eric Parker}, title = {{The Virus That Draws "I Am Sorry !!!!!" Over All JPEG Files}}, date = {2025-01-16}, organization = {Youtube (Eric Parker)}, url = {https://www.youtube.com/watch?v=uyWDe7DTHLE}, language = {English}, urldate = {2025-04-07} } @online{parkour:20090531:confickera:06cef86, author = {Mila Parkour}, title = {{Conficker.A binaries}}, date = {2009-05-31}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2009/05/win32conficker.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20090602:win32updateexe:f82553c, author = {Mila Parkour}, title = {{win32update.exe MD5 eec80fd4c7fc5cf5522f0ca4eb2d9c6f}}, date = {2009-06-02}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2009/06/win32updateexe-md5-eec80fd4c7fc5cf5522f.html}, language = {English}, urldate = {2021-01-25} } @online{parkour:20091102:new:007f430, author = {Mila Parkour}, title = {{New banking trojan W32.Silon -msjet51.dll}}, date = {2009-11-02}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20091102:win32opachkia:22466d3, author = {Mila Parkour}, title = {{Win32/Opachki.A - Trojan that removes Zeus (but it is not benign)}}, date = {2009-11-02}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20100117:jan:6c0bb52, author = {Mila Parkour}, title = {{Jan 17 Trojan Darkmoon.B EXE Haiti relief from santi_nidas@yahoo.com 17 Jan 2010 13:15:02 -0800 PST}}, date = {2010-01-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20100208:list:95ec809, author = {Mila Parkour}, title = {{List of Aurora / Hydraq / Roarur files}}, date = {2010-02-08}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html}, language = {English}, urldate = {2019-11-17} } @online{parkour:20100307:march:94846ca, author = {Mila Parkour}, title = {{March 2010 Opachki Trojan update and sample}}, date = {2010-03-07}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20100528:cve20093129:6e71df9, author = {Mila Parkour}, title = {{CVE-2009-3129 XLS for office 2002-2007 with fud keylogger EIDHR from david@humanright-watch.org}}, date = {2010-05-28}, organization = {ContagioDump}, url = {https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html}, language = {English}, urldate = {2020-01-27} } @online{parkour:20100714:zeus:996ba0d, author = {Mila Parkour}, title = {{ZeuS Version scheme by the trojan author}}, date = {2010-07-14}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20100730:cve20102568:cd50e27, author = {Mila Parkour}, title = {{CVE-2010-2568 keylogger Win32/Chymine.A}}, date = {2010-07-30}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20100801:zeus:3a2cfe8, author = {Mila Parkour}, title = {{Zeus Trojan Research Links}}, date = {2010-08-01}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html}, language = {English}, urldate = {2019-12-04} } @online{parkour:20110109:jan:c77a27e, author = {Mila Parkour}, title = {{Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce}}, date = {2011-01-09}, organization = {Contagio Dump}, url = {https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html}, language = {English}, urldate = {2019-12-17} } @online{parkour:20110224:zeroaccess:4085fd4, author = {Mila Parkour}, title = {{ZeroAccess / Max++ / Smiscer Crimeware Rootkit sample for Step-by-Step Reverse Engineering by Giuseppe Bonfa - << (Update 2011 version available)}}, date = {2011-02-24}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20110525:w32qakbot:b814de0, author = {Mila Parkour}, title = {{W32.Qakbot aka W32/Pinkslipbot or infostealer worm}}, date = {2011-05-25}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/11/template.html}, language = {English}, urldate = {2019-11-21} } @online{parkour:20110707:rootkit:501fe3d, author = {Mila Parkour}, title = {{Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7}}, date = {2011-07-07}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html}, language = {English}, urldate = {2019-12-18} } @online{parkour:20110727:jul:7a63577, author = {Mila Parkour}, title = {{Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)}}, date = {2011-07-27}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20110829:aug:235ded1, author = {Mila Parkour}, title = {{Aug 28 Morto / Tsclient - RDP worm with DDoS features}}, date = {2011-08-29}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20110919:mebromi:687fbb9, author = {Mila Parkour}, title = {{Mebromi BIOS rootkit affecting Award BIOS (aka "BMW" virus)}}, date = {2011-09-19}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20110921:sept:726c3e3, author = {Mila Parkour}, title = {{Sept 21 Greedy Shylock - financial malware}}, date = {2011-09-21}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20111006:sep:df13936, author = {Mila Parkour}, title = {{Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI)}}, date = {2011-10-06}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20111007:rustock:d35b63c, author = {Mila Parkour}, title = {{Rustock samples and analysis links. Rustock.C, E, I, J and other variants}}, date = {2011-10-07}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120112:blackhole:c99cf1f, author = {Mila Parkour}, title = {{Blackhole Ramnit - samples and analysis}}, date = {2012-01-12}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120201:tdl4:e13618a, author = {Mila Parkour}, title = {{TDL4 - Purple Haze (Pihar) Variant - sample and analysis}}, date = {2012-02-01}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120410:osxflashbacko:d4b68cc, author = {Mila Parkour}, title = {{OSX/Flashback.O sample + some domains}}, date = {2012-04-10}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120412:osxflashbackk:66ad254, author = {Mila Parkour}, title = {{OSX/Flashback.K sample + Mac OS malware study set (30+ older samples)}}, date = {2012-04-12}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120418:darkmegi:5f1a7a7, author = {Mila Parkour}, title = {{DarkMegi rootkit - sample (distributed via Blackhole)}}, date = {2012-04-18}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120606:tinba:4159446, author = {Mila Parkour}, title = {{Tinba / Zusy - tiny banker trojan}}, date = {2012-06-06}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/amazon.html}, language = {English}, urldate = {2019-07-08} } @online{parkour:20120621:rat:2186087, author = {Mila Parkour}, title = {{RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army}}, date = {2012-06-21}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120624:medrea:8836ce2, author = {Mila Parkour}, title = {{Medre.A - AutoCAD worm samples}}, date = {2012-06-24}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120810:gauss:ebf09d7, author = {Mila Parkour}, title = {{Gauss samples - Nation-state cyber-surveillance + Banking trojan}}, date = {2012-08-10}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121114:photoszip:07d9915, author = {Mila Parkour}, title = {{Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012}}, date = {2012-11-14}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121205:osxdockstera:5963755, author = {Mila Parkour}, title = {{OSX/Dockster.A and Win32/Trojan.Agent.AXMO Samples, pcaps, OSX malware analysis tools}}, date = {2012-12-05}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121206:nov:248e69a, author = {Mila Parkour}, title = {{Nov 2012 - W32.Narilam Sample}}, date = {2012-12-06}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121207:aug:b10c5f6, author = {Mila Parkour}, title = {{Aug 2012 Backdoor.Wirenet - OSX and Linux}}, date = {2012-12-07}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121207:aug:d59b277, author = {Mila Parkour}, title = {{Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT}}, date = {2012-12-07}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121207:nov:0d14c03, author = {Mila Parkour}, title = {{Nov 2012 Worm Vobfus Samples}}, date = {2012-12-07}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121207:nov:c57f8ac, author = {Mila Parkour}, title = {{Nov 2012 - Backdoor.W32.Makadocs Sample}}, date = {2012-12-07}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121217:sample:11833fa, author = {Mila Parkour}, title = {{Sample for Sanny / Win32.Daws in CVE-2012-0158 "ACEAN Regional Security Forum" targeting Russian companies}}, date = {2012-12-17}, organization = {ContagioDump}, url = {https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html}, language = {English}, urldate = {2019-07-11} } @online{parkour:20121217:sample:41ced20, author = {Mila Parkour}, title = {{Sample for Sanny / Win32.Daws in CVE-2012-0158 "ACEAN Regional Security Forum" targeting Russian companies}}, date = {2012-12-17}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121223:dec:04b8065, author = {Mila Parkour}, title = {{Dec 2012 Dexter - POS Infostealer samples and information}}, date = {2012-12-23}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121224:dec:927ddb9, author = {Mila Parkour}, title = {{Dec 2012 Linux.Chapro - trojan Apache iframer}}, date = {2012-12-24}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121224:dec:c19ac14, author = {Mila Parkour}, title = {{Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan}}, date = {2012-12-24}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20121226:zeroaccess:bf8d569, author = {Mila Parkour}, title = {{ZeroAccess / Sirefef Rootkit - 5 fresh samples}}, date = {2012-12-26}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20130118:dec:099934d, author = {Mila Parkour}, title = {{Dec 2012 Batchwiper Samples}}, date = {2013-01-18}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20130216:jan:b49195c, author = {Mila Parkour}, title = {{Jan 2013 - Linux SSHDoor - sample}}, date = {2013-02-16}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20130812:taleret:3969585, author = {Mila Parkour}, title = {{Taleret strings - APT (1)}}, date = {2013-08-12}, organization = {ContagioExchange}, url = {http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html}, language = {English}, urldate = {2019-07-11} } @online{parkour:20141115:onionduke:6c548c4, author = {Mila Parkour}, title = {{OnionDuke samples}}, date = {2014-11-15}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2014/11/onionduke-samples.html}, language = {English}, urldate = {2019-12-20} } @online{parkour:20160703:android:b1026ec, author = {Mila Parkour and Tim Strazzere}, title = {{Android Triada modular trojan}}, date = {2016-07-03}, organization = {Contagio Dump}, url = {http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html}, language = {English}, urldate = {2020-01-06} } @online{parkour:20170220:part:c54b5de, author = {Mila Parkour}, title = {{Part I. Russian APT - APT28 collection of samples including OSX XAgent}}, date = {2017-02-20}, organization = {Contagio Dump}, url = {https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html}, language = {English}, urldate = {2019-11-26} } @online{parkour:20180320:rootkit:880ab10, author = {Mila Parkour}, title = {{Rootkit Umbreon / Umreon - x86, ARM samples}}, date = {2018-03-20}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html}, language = {English}, urldate = {2019-12-20} } @techreport{parliament:20200721:report:43a2e23, author = {The Intelligence and Security Committee of Parliament}, title = {{Report on Russian disinformation campaign by Intelligence and Security Committee of Parliament}}, date = {2020-07-21}, institution = {}, url = {https://b1cba9b3-a-5e6631fd-s-sites.googlegroups.com/a/independent.gov.uk/isc/files/20200721_HC632_CCS001_CCS1019402408-001_ISC_Russia_Report_Web_Accessible.pdf}, language = {English}, urldate = {2020-07-30} } @online{parsa:20210908:hook:4dff1b6, author = {Arash Parsa}, title = {{Hook Heaps and Live Free}}, date = {2021-09-08}, organization = {Arash's Blog}, url = {https://www.arashparsa.com/hook-heaps-and-live-free/}, language = {English}, urldate = {2021-09-10} } @online{parsa:20220131:analyzing:c496cc6, author = {Arash Parsa}, title = {{Analyzing Malware with Hooks, Stomps and Return-addresses}}, date = {2022-01-31}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2}, language = {English}, urldate = {2022-05-09} } @online{parsa:20220312:analyzing:5b0c5f2, author = {Arash Parsa}, title = {{Analyzing Malware with Hooks, Stomps, and Return-addresses}}, date = {2022-03-12}, organization = {Arash's Blog}, url = {https://www.arashparsa.com/catching-a-malware-with-no-name/}, language = {English}, urldate = {2022-03-28} } @online{parsons:20220413:what:0c08ace, author = {Adam Parsons}, title = {{What is going on with Lapsus$?}}, date = {2022-04-13}, organization = {Cyfirma}, url = {https://www.cyfirma.com/blogs/what-is-going-on-with-lapsus/}, language = {English}, urldate = {2022-04-15} } @online{parsons:20250125:sophos:a880d3a, author = {Mark Parsons and Colin Cowie and Daniel Souter and Hunter Neal and Anthony Bradshaw and Sean Gallagher and Sean Baird}, title = {{Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”}}, date = {2025-01-25}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/}, language = {English}, urldate = {2025-02-18} } @techreport{partners:20140528:newscaster:cc8ba66, author = {iSIGHT Partners}, title = {{NEWSCASTER: An Iranian Threat Within Social Networks}}, date = {2014-05-28}, institution = {iSIGHT Partners (FireEye)}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf}, language = {English}, urldate = {2019-10-15} } @online{partridge:20221214:50:7b9de0e, author = {Chris Partridge}, title = {{50 Domains Worth Blocking: The Evolution of ViperSoftX's Underreported DGA}}, date = {2022-12-14}, url = {https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga}, language = {English}, urldate = {2023-08-10} } @online{partridge:20250223:hackers:756a39c, author = {Joanna Partridge}, title = {{Hackers steal $1.5bn from crypto exchange in ‘biggest digital heist ever’}}, date = {2025-02-23}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2025/feb/23/crypto-exchange-seeks-bybit-ethereum-stolen-digital-wallet}, language = {English}, urldate = {2025-02-25} } @online{parys:20170526:trickbots:c1b84e1, author = {Bart Parys}, title = {{TrickBot’s bag of tricks}}, date = {2017-05-26}, organization = {PWC}, url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html}, language = {English}, urldate = {2020-06-18} } @online{parys:20171102:keyboys:b57094e, author = {Bart Parys}, title = {{The KeyBoys are back in town}}, date = {2017-11-02}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html}, language = {English}, urldate = {2020-06-18} } @techreport{parys:20180423:hogfish:4dc2531, author = {Bart Parys}, title = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}}, date = {2018-04-23}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-06-18} } @techreport{parys:20180423:hogfish:8cf32f8, author = {Bart Parys}, title = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}}, date = {2018-04-23}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-06-18} } @techreport{parys:2018:dragonfish:68a7bc2, author = {Bart Parys and Joshua Ray}, title = {{Dragonfish delivers New Form of Elise Malware targeting ASEAN Defence Ministers' Meeting and Associates}}, date = {2018}, institution = {Accenture}, url = {https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-06-18} } @online{parys:20220323:hunting:1610697, author = {Bart Parys}, title = {{Hunting Emotet campaigns with Kusto}}, date = {2022-03-23}, organization = {NVISO Labs}, url = {https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/}, language = {English}, urldate = {2022-03-24} } @techreport{pasca:20210810:detailed:40b9c7e, author = {Vlad Pasca}, title = {{A Detailed Analysis of The Last Version of Conti Ransomware}}, date = {2021-08-10}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf}, language = {English}, urldate = {2022-01-20} } @techreport{pasca:20210813:makop:3945430, author = {Vlad Pasca}, title = {{Makop Ransomware}}, date = {2021-08-13}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf}, language = {English}, urldate = {2022-01-20} } @techreport{pasca:20210902:vjw0rm:76a2d2e, author = {Vlad Pasca}, title = {{Vjw0rm Worm/RAT}}, date = {2021-09-02}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf}, language = {English}, urldate = {2022-01-20} } @techreport{pasca:20210907:detailed:2e29866, author = {Vlad Pasca}, title = {{A Detailed Analysis of Lazarus’ RAT Called FALLCHILL}}, date = {2021-09-07}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf}, language = {English}, urldate = {2022-01-20} } @techreport{pasca:20211230:deep:a307971, author = {Vlad Pasca}, title = {{A Deep Dive into The Grief Ransomware’s Capabilities}}, date = {2021-12-30}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf}, language = {English}, urldate = {2022-01-25} } @online{pasca:20220120:detailed:87c1f12, author = {Vlad Pasca}, title = {{A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations}}, date = {2022-01-20}, organization = {LIFARS}, url = {https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-01-24} } @online{pasca:20220131:detailed:262ea52, author = {Vlad Pasca}, title = {{A Detailed Analysis Of Lazarus APT Malware Disguised As Notepad++ Shell Extension}}, date = {2022-01-31}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/}, language = {English}, urldate = {2023-07-24} } @techreport{pasca:20220214:detailed:a0a0fde, author = {Vlad Pasca}, title = {{A Detailed Analysis of The LockBit Ransomware}}, date = {2022-02-14}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf}, language = {English}, urldate = {2022-03-01} } @online{pasca:20220224:how:77b74bc, author = {Vlad Pasca}, title = {{How to Decrypt the Files Encrypted by the Hive Ransomware}}, date = {2022-02-24}, organization = {LIFARS}, url = {https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-03-01} } @online{pasca:20220228:how:0e715ab, author = {Vlad Pasca}, title = {{How to Analyze Malicious Documents – Case Study of an Attack Targeting Ukrainian Organization}}, date = {2022-02-28}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/how-to-analyze-malicious-documents-case-study-of-an-attack-targeting-ukraine-organizations/}, language = {English}, urldate = {2022-03-07} } @online{pasca:20220328:stepbystep:7d92613, author = {Vlad Pasca}, title = {{A Step-by-Step Analysis of the Russian APT Turla Backdoor called TinyTurla}}, date = {2022-03-28}, organization = {Cyber Geeks (CyberMasterV)}, url = {https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/}, language = {English}, urldate = {2022-03-29} } @techreport{pasca:20220412:detailed:132144b, author = {Vlad Pasca}, title = {{A Detailed Analysis of The SunCrypt Ransomware}}, date = {2022-04-12}, institution = {LIFARS}, url = {https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf}, language = {English}, urldate = {2022-04-24} } @techreport{pasca:20220502:deep:e3a4dd8, author = {Vlad Pasca}, title = {{A Deep Dive into AvosLocker Ransomware}}, date = {2022-05-02}, institution = {LIFARS}, url = {https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf}, language = {English}, urldate = {2022-05-08} } @online{pasca:20220613:detailed:f49a7e1, author = {Vlad Pasca}, title = {{A Detailed Analysis Of The Last Version Of REvil Ransomware (Download PDF)}}, date = {2022-06-13}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware}, language = {English}, urldate = {2022-06-15} } @online{pasca:20220630:how:78e5c24, author = {Vlad Pasca}, title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}}, date = {2022-06-30}, organization = {Cyber Geeks (CyberMasterV)}, url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/}, language = {English}, urldate = {2022-07-05} } @online{pasca:20220718:deep:86577a8, author = {Vlad Pasca}, title = {{A Deep Dive Into ALPHV/BlackCat Ransomware}}, date = {2022-07-18}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware}, language = {English}, urldate = {2022-07-19} } @online{pasca:20220726:how:f891a3c, author = {Vlad Pasca}, title = {{How To Analyze Linux Malware – A Case Study Of Symbiote}}, date = {2022-07-26}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/}, language = {English}, urldate = {2022-07-28} } @online{pasca:20220801:detailed:769e20c, author = {Vlad Pasca}, title = {{A Detailed Analysis of the RedLine Stealer}}, date = {2022-08-01}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/detailed-analysis-redline-stealer}, language = {English}, urldate = {2022-08-02} } @online{pasca:20220801:detailed:d5d5235, author = {Vlad Pasca}, title = {{A Detailed Analysis of the RedLine Stealer}}, date = {2022-08-01}, organization = {SecurityScorecard}, url = {https://securityscorecard.pathfactory.com/all/a-detailed-analysis}, language = {English}, urldate = {2022-08-02} } @online{pasca:20220815:deep:5f7d67c, author = {Vlad Pasca}, title = {{A Deep Dive Into Black Basta Ransomware}}, date = {2022-08-15}, organization = {SecurityScorecard}, url = {https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla}, language = {English}, urldate = {2022-08-17} } @online{pasca:20220815:deep:f0ad4f2, author = {Vlad Pasca}, title = {{A Deep Dive Into Black Basta Ransomware}}, date = {2022-08-15}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware}, language = {English}, urldate = {2022-08-17} } @online{pasca:20220906:ttps:e1c70ed, author = {Vlad Pasca}, title = {{TTPs Associated With a New Version of the BlackCat Ransomware}}, date = {2022-09-06}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware}, language = {English}, urldate = {2022-09-10} } @online{pasca:20220914:detailed:f0a7a7f, author = {Vlad Pasca}, title = {{A Detailed Analysis of the Quantum Ransomware}}, date = {2022-09-14}, organization = {SecurityScorecard}, url = {https://securityscorecard.pathfactory.com/research/quantum-ransomware}, language = {English}, urldate = {2022-09-15} } @online{pasca:20220922:technical:96bb05e, author = {Vlad Pasca}, title = {{A Technical Analysis Of The Leaked LOCKBIT 3.0 Builder}}, date = {2022-09-22}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/}, language = {English}, urldate = {2022-09-26} } @online{pasca:20220927:deep:203b1f0, author = {Vlad Pasca}, title = {{A Deep Dive Into the APT28’s stealer called CredoMap}}, date = {2022-09-27}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/apt28s-stealer-called-credomap}, language = {English}, urldate = {2022-09-29} } @online{pasca:20220927:technical:3b1f571, author = {Vlad Pasca}, title = {{A technical analysis of Pegasus for Android – Part 2}}, date = {2022-09-27}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/}, language = {English}, urldate = {2022-09-29} } @techreport{pasca:20221017:detailed:49eab43, author = {Vlad Pasca}, title = {{A Detailed Analysis of the Gafgyt Malware Targeting IoT Devices}}, date = {2022-10-17}, institution = {SecurityScorecard}, url = {https://securityscorecard.com/wp-content/uploads/2024/01/Report-A-Detailed-Analysis-Of-The-Gafgyt-Malware-Targeting-IoT-Devices.pdf}, language = {English}, urldate = {2024-04-04} } @online{pasca:20221031:technical:d4f90e3, author = {Vlad Pasca}, title = {{A Technical Analysis of Pegasus for Android - Part 3}}, date = {2022-10-31}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/}, language = {English}, urldate = {2022-11-01} } @online{pasca:20221127:technical:c2326cf, author = {Vlad Pasca}, title = {{A Technical Analysis of Royal Ransomware}}, date = {2022-11-27}, organization = {SecurityScorecard}, url = {https://securityscorecard.pathfactory.com/research/the-royal-ransomware}, language = {English}, urldate = {2022-11-28} } @online{pasca:20230110:how:f3b9788, author = {Vlad Pasca}, title = {{How to Analyze JavaScript Malware – A Case Study of Vjw0rm}}, date = {2023-01-10}, organization = {SecurityScorecard}, url = {https://resources.securityscorecard.com/research/acasestudyofVjw0rm#page=1}, language = {English}, urldate = {2023-01-18} } @online{pasca:20230207:detailed:c563c16, author = {Vlad Pasca}, title = {{A Detailed Analysis of a New Stealer Called Stealerium}}, date = {2023-02-07}, organization = {SecurityScorecard}, url = {https://resources.securityscorecard.com/research/stealerium-detailed-analysis}, language = {English}, urldate = {2023-02-13} } @techreport{pasca:20230504:how:a820c7a, author = {Vlad Pasca}, title = {{How to Analyze Java Malware – A Case Study of STRRAT}}, date = {2023-05-04}, institution = {SecurityScorecard}, url = {https://securityscorecard.com/wp-content/uploads/2024/01/How-to-Analyze-Java-Malware-%E2%80%93-A-Case-Study-of-STRRAT.pdf}, language = {English}, urldate = {2025-07-17} } @online{pasca:20230717:technical:d344cce, author = {Vlad Pasca}, title = {{A technical analysis of the Quasar-forked RAT called VoidRAT}}, date = {2023-07-17}, organization = {SecurityScorecard}, url = {https://resources.securityscorecard.com/research/technical-analysis-of-the-quasar-forked-rat-called-void-rat}, language = {English}, urldate = {2023-07-20} } @online{pasca:20230913:detailed:e8e910b, author = {Vlad Pasca}, title = {{A detailed analysis of the Money Message Ransomware}}, date = {2023-09-13}, organization = {SecurityScorecard}, url = {https://resources.securityscorecard.com/research/analysis-money-message-ransomware}, language = {English}, urldate = {2023-09-20} } @online{pasca:20230927:deep:2958d5b, author = {Vlad Pasca}, title = {{A Deep Dive into Brute Ratel C4 payloads – Part 2}}, date = {2023-09-27}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/}, language = {English}, urldate = {2023-09-29} } @online{pascual:20190214:wormwin32pyfiledelaa:c49f8a0, author = {Carl Maverick Pascual}, title = {{Worm.Win32.PYFILEDEL.AA}}, date = {2019-02-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm.win32.pyfiledel.aa}, language = {English}, urldate = {2022-11-02} } @online{pascual:20190919:fileless:3c07209, author = {Maverick Pascual}, title = {{Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads}}, date = {2019-09-19}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/}, language = {English}, urldate = {2020-01-07} } @online{passilly:20210824:sidewalk:75d39db, author = {Thibaut Passilly and Mathieu Tartare}, title = {{The SideWalk may be as dangerous as the CROSSWALK}}, date = {2021-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/}, language = {English}, urldate = {2021-08-31} } @online{passilly:20220906:worok:0c106ac, author = {Thibaut Passilly}, title = {{Worok: The big picture}}, date = {2022-09-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/06/worok-big-picture/}, language = {English}, urldate = {2022-09-10} } @online{patel:20220408:cve202222965:53968ea, author = {Deep Patel and Nitesh Surana and Ashish Verma}, title = {{CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware}}, date = {2022-04-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html}, language = {English}, urldate = {2022-04-13} } @online{paterra:20201208:understanding:d16755c, author = {Tony Paterra}, title = {{Understanding BEC Scams: Supplier Invoicing Fraud}}, date = {2020-12-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/cybersecurity-essentials/understanding-bec-scams-supplier-invoicing-fraud}, language = {English}, urldate = {2020-12-10} } @online{paterson:20210505:flubot:c917ba6, author = {Jon Paterson}, title = {{Flubot vs. Zimperium}}, date = {2021-05-05}, organization = {zimperium}, url = {https://blog.zimperium.com/flubot-vs-zimperium/}, language = {English}, urldate = {2021-05-08} } @online{pathtofile:20201128:hunting:21f38be, author = {pat_h/to/file}, title = {{Hunting Koadic Pt. 2 - JARM Fingerprinting}}, date = {2020-11-28}, organization = {pat_h/to/file}, url = {https://blog.tofile.dev/2020/11/28/koadic_jarm.html}, language = {English}, urldate = {2020-12-08} } @online{patil:20180117:microsoft:f1f50e0, author = {Swapnil Patil and Yogesh Londhe}, title = {{Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign}}, date = {2018-01-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html}, language = {English}, urldate = {2019-12-20} } @online{patil:20180726:microsoft:f03d7c7, author = {Swapnil Patil}, title = {{Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign}}, date = {2018-07-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{patil:20190605:government:ad9e70d, author = {Swapnil Patil}, title = {{Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities}}, date = {2019-06-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{patil:20211021:multistaged:7dcd0d7, author = {Sameer Patil}, title = {{Multi-Staged JSOutProx RAT Targets Indian Co-operative Banks and Finance Companies}}, date = {2021-10-21}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/}, language = {English}, urldate = {2021-11-02} } @online{patil:20211102:hunting:ff5418b, author = {Ashwin Patil}, title = {{Hunting for potential network beaconing patterns using Apache Spark via Azure Synapse – Part 1}}, date = {2021-11-02}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-potential-network-beaconing-patterns-using-apache/ba-p/2916179}, language = {English}, urldate = {2021-11-19} } @online{patterson:202101:snake:630eaec, author = {Eric Patterson}, title = {{Snake Keylogger Slithers Through Malspam}}, date = {2021-01}, organization = {Infoblox}, url = {https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102}, language = {English}, urldate = {2021-05-26} } @online{pattni:20250414:slow:1a5068a, author = {Prashil Pattni}, title = {{Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware}}, date = {2025-04-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/}, language = {English}, urldate = {2025-04-15} } @online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } @online{paul:20200722:analysing:2de83d7, author = {Newton Paul}, title = {{Analysing Fileless Malware: Cobalt Strike Beacon}}, date = {2020-07-22}, organization = {On the Hunt}, url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/}, language = {English}, urldate = {2020-07-24} } @online{payet:20130528:south:97facdb, author = {Lionel Payet}, title = {{South Korean Financial Companies Targeted by Castov}}, date = {2013-05-28}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov}, language = {English}, urldate = {2020-01-06} } @online{payet:20130529:south:3242988, author = {Lionel Payet}, title = {{South Korean Financial Companies Targeted by Castov}}, date = {2013-05-29}, organization = {Symantec}, url = {https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov}, language = {English}, urldate = {2020-04-21} } @online{paz:20161021:bitter:5d8ac74, author = {Rolanda Dela Paz}, title = {{BITTER: a targeted attack against Pakistan}}, date = {2016-10-21}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan}, language = {English}, urldate = {2020-01-13} } @online{paz:20170329:trojanized:867a7ca, author = {Roland Dela Paz}, title = {{Trojanized Adobe installer used to install DragonOK’s new custom backdoor}}, date = {2017-03-29}, organization = {Forcepoint}, url = {https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor}, language = {English}, urldate = {2020-04-06} } @online{pearson:20240404:cutting:aa67bb2, author = {Ashley Pearson and Austin Larsen and Billy Wong and John Wolfram and Joseph Pisano and Josh Murchie and Lukasz Lamparski and Matt Lin and Ron Craft and Ryan Hall and Shawn Chew and Tyler McLellan}, title = {{Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies}}, date = {2024-04-04}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en}, language = {English}, urldate = {2024-10-29} } @online{pease:20250213:from:51764cc, author = {Andrew Pease and Seth Goodwin}, title = {{From South America to Southeast Asia: The Fragile Web of REF7707}}, date = {2025-02-13}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/fragile-web-ref7707}, language = {English}, urldate = {2025-04-25} } @online{peck:20231023:from:4784a88, author = {Jared Peck}, title = {{From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware}}, date = {2023-10-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware}, language = {English}, urldate = {2023-11-14} } @online{peck:20250213:analyzing:c31daf4, author = {Tim Peck and Den Iyzvyk}, title = {{Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks}}, date = {2025-02-13}, organization = {Securonix}, url = {https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/}, language = {English}, urldate = {2025-03-11} } @online{peck:20250313:analyzing:40be34c, author = {Tim Peck and Den Iyzvyk}, title = {{Analyzing OBSCURE#BAT Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits}}, date = {2025-03-13}, organization = {Securonix}, url = {https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits}, language = {English}, urldate = {2025-03-21} } @online{peko:20230324:bypassing:a6439f7, author = {peko}, title = {{Bypassing Qakbot Anti-Analysis}}, date = {2023-03-24}, organization = {Lab52}, url = {https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/}, language = {English}, urldate = {2023-03-27} } @techreport{pellegrino:20211117:deep:404458b, author = {Gaetano Pellegrino}, title = {{Deep Analysis of a Recent Lokibot Attack}}, date = {2021-11-17}, institution = {Infoblox}, url = {https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf}, language = {English}, urldate = {2022-01-03} } @online{pellegrino:20220410:qakbot:d46c1cc, author = {Gaetano Pellegrino}, title = {{Qakbot Series: String Obfuscation}}, date = {2022-04-10}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/}, language = {English}, urldate = {2022-05-29} } @online{pellegrino:20220413:qakbot:4bc5d74, author = {Gaetano Pellegrino}, title = {{Qakbot Series: Configuration Extraction}}, date = {2022-04-13}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/}, language = {English}, urldate = {2022-05-29} } @online{pellegrino:20220416:qakbot:0b60d1c, author = {Gaetano Pellegrino}, title = {{Qakbot Series: Process Injection}}, date = {2022-04-16}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-process-injection/}, language = {English}, urldate = {2022-05-31} } @online{pellegrino:20220417:qakbot:6af138c, author = {Gaetano Pellegrino}, title = {{Qakbot Series: API Hashing}}, date = {2022-04-17}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-api-hashing/}, language = {English}, urldate = {2022-05-29} } @online{pellegrino:20220524:janicab:c04ed61, author = {Gaetano Pellegrino}, title = {{Janicab Series: First Steps in the Infection Chain}}, date = {2022-05-24}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/}, language = {English}, urldate = {2022-05-29} } @online{pellegrino:20220526:janicab:92c671c, author = {Gaetano Pellegrino}, title = {{Janicab Series: Further Steps in the Infection Chain}}, date = {2022-05-26}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/}, language = {English}, urldate = {2022-05-29} } @online{pellegrino:20220527:janicab:f14d487, author = {Gaetano Pellegrino}, title = {{Janicab Series: The Core Artifact}}, date = {2022-05-27}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/}, language = {English}, urldate = {2022-05-29} } @online{pellegrino:20220531:janicab:f2b2798, author = {Gaetano Pellegrino}, title = {{Janicab Series: Attibution and IoCs}}, date = {2022-05-31}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/}, language = {English}, urldate = {2022-05-31} } @online{pellegrino:20230810:janelarat:e6f32e6, author = {Gaetano Pellegrino and Sudeep Singh}, title = {{JanelaRAT - Repurposed BX RAT variant targeting FinTech users in the LATAM region}}, date = {2023-08-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech}, language = {English}, urldate = {2023-08-11} } @online{pellegrino:20240905:blindeagle:8f36b31, author = {Gaetano Pellegrino}, title = {{BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar}}, date = {2024-09-05}, organization = {Zscaler}, url = {https://www.zscaler.com/it/blogs/security-research/blindeagle-targets-colombian-insurance-sector-blotchyquasar}, language = {English}, urldate = {2025-01-23} } @online{pellett:20210722:incident:f7b26d9, author = {Kyle Pellett and Ryan Gott and Tyler Fornes and Evan Reichard}, title = {{Incident report: Spotting SocGholish WordPress injection}}, date = {2021-07-22}, organization = {Expel}, url = {https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/}, language = {English}, urldate = {2022-03-08} } @online{pellett:20220825:moreeggs:f309813, author = {Kyle Pellett and Andrew Jerry}, title = {{MORE_EGGS and Some LinkedIn Resumé Spearphishing}}, date = {2022-08-25}, organization = {Expel}, url = {https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing}, language = {English}, urldate = {2022-08-31} } @online{pellitteri:20211102:malware:f179adb, author = {Alberto Pellitteri}, title = {{Malware analysis: Hands-On Shellbot malware}}, date = {2021-11-02}, organization = {sysdig}, url = {https://sysdig.com/blog/malware-analysis-shellbot-sysdig/}, language = {English}, urldate = {2021-11-08} } @online{pellitteri:20211207:threat:1b9039a, author = {Alberto Pellitteri}, title = {{Threat news: TeamTNT stealing credentials using EC2 Instance Metadata}}, date = {2021-12-07}, organization = {sysdig}, url = {https://sysdig.com/blog/teamtnt-aws-credentials/}, language = {English}, urldate = {2021-12-08} } @online{pellitteri:20230228:scarleteel:a6ce698, author = {Alberto Pellitteri}, title = {{SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft}}, date = {2023-02-28}, organization = {sysdig}, url = {https://sysdig.com/blog/cloud-breach-terraform-data-theft/}, language = {English}, urldate = {2023-11-17} } @online{pennino:20190819:game:b6ef5a0, author = {Alex Pennino and Matt Bromiley}, title = {{GAME OVER: Detecting and Stopping an APT41 Operation}}, date = {2019-08-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html}, language = {English}, urldate = {2020-01-06} } @online{penny:20231114:hostinghunter:7126ee3, author = {Joshua Penny}, title = {{HostingHunter Series: CHANG WAY TECHNOLOGIES CO. LIMITED}}, date = {2023-11-14}, organization = {Medium joshuapenny88}, url = {https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65}, language = {English}, urldate = {2024-02-28} } @online{penny:20231218:analysing:6341c6f, author = {Joshua Penny}, title = {{Analysing a Widespread Microsoft 365 Credential Harvesting Campaign}}, date = {2023-12-18}, organization = {Bridewell}, url = {https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign}, language = {English}, urldate = {2024-02-08} } @online{pereira:20180202:break:b0556dc, author = {Tiago Pereira}, title = {{Break Out Of The Tinynuke Malware}}, date = {2018-02-02}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet}, language = {English}, urldate = {2020-01-06} } @online{pereira:20210916:operation:133992d, author = {Tiago Pereira and Vitor Ventura}, title = {{Operation Layover: How we tracked an attack on the aviation industry to five years of compromise}}, date = {2021-09-16}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html}, language = {English}, urldate = {2021-09-19} } @online{pereira:20211004:threat:9f493e1, author = {Tiago Pereira}, title = {{Threat hunting in large datasets by clustering security events}}, date = {2021-10-04}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html}, language = {English}, urldate = {2021-10-20} } @online{pereira:20211202:magnat:15dcabb, author = {Tiago Pereira}, title = {{Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension}}, date = {2021-12-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html}, language = {English}, urldate = {2021-12-07} } @online{pereira:20220317:from:592c847, author = {Tiago Pereira and Caitlin Huey}, title = {{From BlackMatter to BlackCat: Analyzing two attacks from one affiliate}}, date = {2022-03-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html}, language = {English}, urldate = {2022-03-18} } @online{pereira:20221208:breaking:7f00030, author = {Tiago Pereira}, title = {{Breaking the silence - Recent Truebot activity}}, date = {2022-12-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/}, language = {English}, urldate = {2022-12-12} } @online{perekalin:20180309:cloning:0d5b18d, author = {Alex Perekalin}, title = {{Cloning chip-and-PIN cards: Brazilian job}}, date = {2018-03-09}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/chip-n-pin-cloning/21502}, language = {English}, urldate = {2019-12-05} } @online{peretz:20210305:earth:54153f7, author = {Adi Peretz and Erick Thek and Trend Micro Research}, title = {{Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East}}, date = {2021-03-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html}, language = {English}, urldate = {2023-06-19} } @online{perez:20161031:second:cd0db8c, author = {Roi Perez}, title = {{Second Shadow Brokers dump released}}, date = {2016-10-31}, organization = {SC Magazine UK}, url = {https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023}, language = {English}, urldate = {2020-01-08} } @online{perez:20181224:hashes:9a4fc8c, author = {Dan Perez}, title = {{Tweet on hashes for CROSSWALK}}, date = {2018-12-24}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1159459082534825986}, language = {English}, urldate = {2019-11-27} } @online{perez:20190219:apt40:f6c06bb, author = {Dan Perez}, title = {{APT40 dropper}}, date = {2019-02-19}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1097881406661902337}, language = {English}, urldate = {2019-10-23} } @online{perez:20190808:winnti:6c0b6b0, author = {Dan Perez}, title = {{Tweet on Winnti and HIGHNOON}}, date = {2019-08-08}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1159461995013378048}, language = {English}, urldate = {2020-01-13} } @online{perez:20200115:deep:7a467be, author = {Ori Perez}, title = {{Deep Dive into the Lyceum Danbot Malware}}, date = {2020-01-15}, organization = {CyberX}, url = {https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/}, language = {English}, urldate = {2020-02-02} } @online{perez:20210420:check:986d162, author = {Dan Perez and Sarah Jones and Greg Wood and Stephen Eckels and Stroz Friedberg and Joshua Villanueva and Regina Elwell and Jonathan Lepore and Dimiter Andonov and Josh Triplett and Jacob Thompson}, title = {{Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day}}, date = {2021-04-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html}, language = {English}, urldate = {2021-04-21} } @online{perez:20210506:unc302:86259b3, author = {Dan Perez}, title = {{Tweet on UNC302 / oro0lxy using ColdFusion}}, date = {2021-05-06}, organization = {Twitter (@MrDanPerez)}, url = {https://twitter.com/MrDanPerez/status/1390285821786394624}, language = {English}, urldate = {2022-07-25} } @online{perez:20210527:rechecking:cd4a304, author = {Dan Perez and Sarah Jones and Greg Wood and Stephen Eckels and Emiel Haeghebaert}, title = {{Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices}}, date = {2021-05-27}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html}, language = {English}, urldate = {2021-06-09} } @online{perez:20220519:interactive:52f215d, author = {Adrian Perez}, title = {{Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information}}, date = {2022-05-19}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-using-chatbot-like-web-applications-to-harvest-information}, language = {English}, urldate = {2022-08-17} } @online{pericin:20190327:forging:a9c71d8, author = {Tomislav Pericin}, title = {{Forging the ShadowHammer}}, date = {2019-03-27}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/forging-the-shadowhammer}, language = {English}, urldate = {2020-01-06} } @online{pericin:20190805:catching:4aeb984, author = {Tomislav Pericin}, title = {{Catching lateral movement in internal emails}}, date = {2019-08-05}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails}, language = {English}, urldate = {2020-07-15} } @online{pericin:20201216:sunburst:02a2fd8, author = {Tomislav Pericin}, title = {{SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience}}, date = {2020-12-16}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth}, language = {English}, urldate = {2020-12-17} } @online{perigaud:20140106:plugx:16410d7, author = {Fabien Perigaud}, title = {{PlugX: some uncovered points}}, date = {2014-01-06}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html}, language = {English}, urldate = {2020-01-08} } @online{perigaud:20151215:newcomers:73beb0c, author = {Fabien Perigaud}, title = {{Newcomers in the Derusbi family}}, date = {2015-12-15}, organization = {Airbus Defence & Space}, url = {https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family}, language = {English}, urldate = {2020-02-27} } @online{perlow:20190206:some:8835f31, author = {Kevin Perlow}, title = {{Some Notes on the Silence Proxy}}, date = {2019-02-06}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/some-notes-on-the-silence-proxy/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190211:how:05b5d9a, author = {Kevin Perlow}, title = {{How the Silence Downloader Has Evolved Over Time}}, date = {2019-02-11}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190225:how:d4a68d6, author = {Kevin Perlow}, title = {{How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group}}, date = {2019-02-25}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190324:jeshell:439ae8b, author = {Kevin Perlow}, title = {{JEShell: An OceanLotus (APT32) Backdoor}}, date = {2019-03-24}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190403:possible:0a08c3a, author = {Kevin Perlow}, title = {{Possible ShadowHammer Targeting (Low Confidence)}}, date = {2019-04-03}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190507:filesnfer:36164a2, author = {Kevin Perlow}, title = {{“Filesnfer” Tool (C#, Python)}}, date = {2019-05-07}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/filesnfer-tool-c-python/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190605:possible:47a6f30, author = {Kevin Perlow}, title = {{Possible Turla HTTP Listener}}, date = {2019-06-05}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/http-listener/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190721:emissary:dbd4bd3, author = {Kevin Perlow}, title = {{Emissary Panda DLL Backdoor}}, date = {2019-07-21}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/emissary-panda-dll-backdoor/}, language = {English}, urldate = {2021-04-16} } @online{perlow:20190722:apt33:3258e71, author = {Kevin Perlow}, title = {{APT33 PowerShell Malware}}, date = {2019-07-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/apt33-powershell-malware/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190722:lazarus:b7111b1, author = {Kevin Perlow}, title = {{The Lazarus Injector}}, date = {2019-07-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/the-lazarus-injector/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20190731:dprk:5a12842, author = {Kevin Perlow}, title = {{Tweet on DPRK malware}}, date = {2019-07-31}, organization = {Twitter (@KevinPerlow)}, url = {https://twitter.com/kevinperlow/status/1156406115472760835}, language = {English}, urldate = {2020-01-08} } @online{perlow:20190811:updated:b23bfc9, author = {Kevin Perlow}, title = {{Updated #Lazarus Keylogger (uploaded June)}}, date = {2019-08-11}, organization = {Twitter (@KevinPerlow)}, url = {https://twitter.com/KevinPerlow/status/1160766519615381504}, language = {English}, urldate = {2022-11-21} } @online{perlow:20191002:another:31638d8, author = {Kevin Perlow}, title = {{Another Lazarus Injector}}, date = {2019-10-02}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/another-lazarus-injector/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20200327:first:6b7c827, author = {Kevin Perlow}, title = {{The First Stage of ShadowHammer}}, date = {2020-03-27}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/the-first-stage-of-shadowhammer/}, language = {English}, urldate = {2020-05-19} } @online{perlow:20200330:new:a5c6c8b, author = {Kevin Perlow}, title = {{A New Look at Old Dragonfly Malware (Goodor)}}, date = {2020-03-30}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/}, language = {English}, urldate = {2020-03-30} } @online{perlow:20200518:looking:eaa7bde, author = {Kevin Perlow}, title = {{Looking Back at LiteDuke}}, date = {2020-05-18}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/looking-back-at-liteduke/}, language = {English}, urldate = {2020-05-18} } @techreport{perlow:20200805:fastcash:5e6b73a, author = {Kevin Perlow}, title = {{FASTCash and Associated Intrusion Techniques}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf}, language = {English}, urldate = {2020-08-14} } @techreport{perlow:20200805:fastcashand:301d8ce, author = {Kevin Perlow}, title = {{FASTCashand INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf}, language = {English}, urldate = {2020-08-14} } @online{perlow:20201102:tinypos:876ddb3, author = {Kevin Perlow}, title = {{TinyPOS and ProLocker: An Odd Relationship}}, date = {2020-11-02}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/}, language = {English}, urldate = {2020-11-09} } @online{perlow:20210126:dprk:04391b6, author = {Kevin Perlow}, title = {{DPRK Malware Targeting Security Researchers}}, date = {2021-01-26}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/}, language = {English}, urldate = {2021-01-27} } @online{perlow:20210201:dprk:e53f059, author = {Kevin Perlow}, title = {{DPRK Targeting Researchers II: .Sys Payload and Registry Hunting}}, date = {2021-02-01}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/}, language = {English}, urldate = {2021-02-02} } @online{perlow:20210226:fastcash:2daf61f, author = {Kevin Perlow}, title = {{FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2021-02-26}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=zGvQPtejX9w}, language = {English}, urldate = {2021-03-04} } @online{perlroth:20160611:chinese:5c3698f, author = {Nicole Perlroth}, title = {{The Chinese Hackers in the Back Office}}, date = {2016-06-11}, organization = {The New York Times}, url = {https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html}, language = {English}, urldate = {2020-01-13} } @techreport{pernet:20150319:operation:a0443b7, author = {Cedric Pernet and Kenney Lu}, title = {{Operation WOOLEN-GOLDFISH: When Kittens Go Phishing}}, date = {2015-03-19}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf}, language = {English}, urldate = {2022-04-29} } @techreport{pernet:20150324:operation:65e881c, author = {Cedric Pernet and Kenney Lu}, title = {{Operation Woolen-Goldfish: When Kittens Go Phishing}}, date = {2015-03-24}, institution = {Trend Micro}, url = {http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf}, language = {English}, urldate = {2019-07-09} } @online{pernet:20150330:fake:3b24447, author = {Cedric Pernet and Dark Luo}, title = {{Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority}}, date = {2015-03-30}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/}, language = {English}, urldate = {2020-01-10} } @techreport{pernet:20150901:spy:18a0fca, author = {Cedric Pernet and Eyal Sela}, title = {{The Spy Kittens Are Back:Rocket Kitten 2}}, date = {2015-09-01}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{pernet:20150901:spy:66fcfab, author = {Cedric Pernet and Eyal Sela}, title = {{The Spy Kittens Are Back: Rocket Kitten 2}}, date = {2015-09-01}, institution = {Trend Micro}, url = {https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf}, language = {English}, urldate = {2020-01-08} } @online{pernet:20170322:winnti:44f428b, author = {Cedric Pernet}, title = {{Winnti Abuses GitHub for C&C Communications}}, date = {2017-03-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/}, language = {English}, urldate = {2020-01-07} } @online{pernet:20170322:winnti:bfd35bc, author = {Cedric Pernet}, title = {{Winnti Abuses GitHub for C&C Communications}}, date = {2017-03-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/}, language = {English}, urldate = {2019-07-09} } @online{pernet:20190307:new:593e5b1, author = {Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph Chen}, title = {{New SLUB Backdoor Uses GitHub, Communicates via Slack}}, date = {2019-03-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/}, language = {English}, urldate = {2019-10-18} } @online{pernet:20201006:french:39018f2, author = {Cedric Pernet}, title = {{French companies Under Attack from Clever BEC Scam}}, date = {2020-10-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/french-companies-under-attack-from-clever-bec-scam.html}, language = {English}, urldate = {2020-10-07} } @online{pernet:20210430:how:2434ac6, author = {Cedric Pernet and Fyodor Yarochkin and Vladimir Kropotov}, title = {{How Cybercriminals Abuse OpenBullet for Credential Stuffing}}, date = {2021-04-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/how-cybercriminals-abuse-openbullet-for-credential-stuffing-.html}, language = {English}, urldate = {2021-05-03} } @online{pernet:20230316:ipfs:6f479ce, author = {Cedric Pernet and Jaromír Hořejší and Loseway Lu}, title = {{IPFS: A New Data Frontier or a New Cybercriminal Hideout?}}, date = {2023-03-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout}, language = {English}, urldate = {2023-03-20} } @online{pernet:20240904:earth:fb408a4, author = {Cedric Pernet and Jaromír Hořejší}, title = {{Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion}}, date = {2024-09-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html}, language = {English}, urldate = {2024-09-13} } @online{persianov:20190317:emotet:ee3ed0b, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 1}}, date = {2019-03-17}, organization = {Persianov on Security}, url = {https://persianov.net/emotet-malware-analysis-part-1}, language = {English}, urldate = {2019-12-17} } @online{persianov:20190407:emotet:0aeaa67, author = {Sveatoslav Persianov}, title = {{Emotet malware analysis. Part 2}}, date = {2019-04-07}, url = {https://persianov.net/emotet-malware-analysis-part-2}, language = {English}, urldate = {2020-01-05} } @online{persianov:20190824:windows:82a4a68, author = {Sveatoslav Persianov}, title = {{Windows worms. Forbix worm analysis}}, date = {2019-08-24}, organization = {Persianov on Security}, url = {https://persianov.net/windows-worms-forbix-worm-analysis}, language = {English}, urldate = {2020-01-07} } @online{peteroy:20200113:emotet:60abae1, author = {William Peteroy and Ed Miles}, title = {{Emotet: Not your Run-of-the-mill Malware}}, date = {2020-01-13}, organization = {Gigamon}, url = {https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/}, language = {English}, urldate = {2020-01-17} } @online{petrov:20200119:vk:ba7d8e7, author = {Andrey Petrov}, title = {{VK post on PIRAT RAT}}, date = {2020-01-19}, url = {https://vk.com/m228228?w=wall306895781_177}, language = {Russian}, urldate = {2020-03-09} } @online{petus:20240617:reverse:4d05f2d, author = {Andrew Petus}, title = {{Reverse Engineering Redosdru String Decryption}}, date = {2024-06-17}, organization = {medium Andrew Petus}, url = {https://medium.com/@andrew.petrus/reverse-engineering-redosdru-string-decryption-595599087dbb}, language = {English}, urldate = {2024-12-09} } @online{ph4ntonn:20210318:github:37ed28b, author = {ph4ntonn}, title = {{Github repository for STOWAWAY}}, date = {2021-03-18}, organization = {Github (ph4ntonn)}, url = {https://github.com/ph4ntonn/Stowaway}, language = {English}, urldate = {2022-12-20} } @online{phuc:20230307:qakbot:a1aef8e, author = {Pham Duy Phuc and Raghav Kapoor and John Fokker and Alejandro Houspanossian and Mathanraj Thangaraju}, title = {{Qakbot Evolves to OneNote Malware Distribution}}, date = {2023-03-07}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html}, language = {English}, urldate = {2023-03-13} } @online{phuong:20200305:re011:4496e8a, author = {Dang Dinh Phuong}, title = {{[RE011] Unpack crypter của malware Netwire bằng x64dbg}}, date = {2020-03-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html}, language = {Vietnamese}, urldate = {2020-03-11} } @online{physicaldrive0:20150304:pos:7a7e44f, author = {PhysicalDrive0}, title = {{Tweet on POS Malware}}, date = {2015-03-04}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/573109512145649664}, language = {English}, urldate = {2020-01-05} } @online{physicaldrive0:20151127:modpos:afe6082, author = {PhysicalDrive0}, title = {{Tweet on ModPOS}}, date = {2015-11-27}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/670258429202530306}, language = {English}, urldate = {2020-01-13} } @online{physicaldrive0:20161012:strongpity:86fba4e, author = {PhysicalDrive0}, title = {{Tweet on StrongPity}}, date = {2016-10-12}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/physicaldrive0/status/786293008278970368}, language = {English}, urldate = {2020-01-06} } @online{physicaldrive0:20161116:raxir:1ecf09c, author = {PhysicalDrive0}, title = {{Tweet on Raxir}}, date = {2016-11-16}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/statuses/798825019316916224}, language = {English}, urldate = {2020-01-08} } @online{physicaldrive0:20170207:with:3b33d7c, author = {PhysicalDrive0}, title = {{Tweet with Sample}}, date = {2017-02-07}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/828915536268492800}, language = {English}, urldate = {2020-01-13} } @online{physicaldrive0:20170210:mirai:51440a0, author = {@PhysicalDrive0}, title = {{Tweet on Mirai Windows Version}}, date = {2017-02-10}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/830070569202749440}, language = {English}, urldate = {2019-07-09} } @online{physicaldrive0:20170218:badencript:998b871, author = {PhysicalDrive0}, title = {{Tweet on BadEncript}}, date = {2017-02-18}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/833067081981710336}, language = {English}, urldate = {2020-01-10} } @online{physicaldrive0:20170317:hash:0dba50f, author = {PhysicalDrive0}, title = {{Tweet on hash for Nexus Keylogger}}, date = {2017-03-17}, organization = {Twitter (PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/842853292124360706}, language = {English}, urldate = {2019-12-17} } @online{physicaldrive0:20170323:xagent:74f4c95, author = {PhysicalDrive0}, title = {{Tweet on XAgent for macOS}}, date = {2017-03-23}, organization = {Twitter (PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/845009226388918273}, language = {English}, urldate = {2019-12-17} } @online{piazza:20200614:cti:4c27701, author = {Andy Piazza}, title = {{CTI is Better Served with Context: Getting better value from IOCs}}, date = {2020-06-14}, organization = {Medium (Andy Piazza)}, url = {https://klrgrz.medium.com/cti-is-better-served-with-context-getting-better-value-from-iocs-496343741f80}, language = {English}, urldate = {2021-11-02} } @online{picado:20191112:reversing:de8a8b6, author = {Markel Picado}, title = {{Reversing Qakbot}}, date = {2019-11-12}, organization = {Hatching.io}, url = {https://hatching.io/blog/reversing-qakbot}, language = {English}, urldate = {2020-01-07} } @online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } @online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } @techreport{picado:20210121:spear:3893769, author = {Markel Picado}, title = {{Spear Phishing Targeting ICS Supply Chain - Analysis}}, date = {2021-01-21}, institution = {DENEXUS}, url = {https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf}, language = {English}, urldate = {2021-03-05} } @online{picado:20220225:threat:0aca3d0, author = {Markel Picado and Carlos Rubio}, title = {{Threat updates – A new IcedID GZipLoader variant}}, date = {2022-02-25}, organization = {Threatray}, url = {https://threatray.com/blog/a-new-icedid-gziploader-variant/}, language = {English}, urldate = {2022-03-02} } @online{pichon:20240314:unveiling:76b9569, author = {Marine PICHON and Vincent HINDERER and Maël SARP and Ziad MASLAH and Livia Tibirna and Amaury G. and Grégoire Clermont}, title = {{Unveiling the depths of residential proxies providers}}, date = {2024-03-14}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/global/blog/research/residential-proxies}, language = {English}, urldate = {2024-03-28} } @online{pichon:20240814:emmenhtal:cb943a8, author = {Marine PICHON and Alexandre Matousek and Simon Vernin}, title = {{Emmenhtal: a little-known loader distributing commodity infostealers worldwide}}, date = {2024-08-14}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide}, language = {English}, urldate = {2024-08-23} } @online{pichon:20241024:mintsloader:0a62c5a, author = {Marine PICHON and Alexis Bonnefoi and Vincent HINDERER}, title = {{MintsLoader}}, date = {2024-10-24}, organization = {Orange Cyberdefense}, url = {https://github.com/cert-orangecyberdefense/mintsloader}, language = {English}, urldate = {2024-10-25} } @online{pichon:20241024:twitter:52bca17, author = {Marine PICHON and Alexis Bonnefoi and Vincent HINDERER}, title = {{Twitter Thread about MintsLoader}}, date = {2024-10-24}, organization = {Orange Cyberdefense}, url = {https://x.com/CERTCyberdef/status/1849392561024065779}, language = {English}, urldate = {2024-10-25} } @online{pichon:20241120:hidden:7400cae, author = {Marine PICHON and Piotr Malachiński}, title = {{The hidden network: How China unites state, corporate, and academic assets for cyber offensive campaigns}}, date = {2024-11-20}, organization = {Orange Cyberdefense}, url = {https://research.cert.orangecyberdefense.com/hidden-network/report.html}, language = {English}, urldate = {2024-12-02} } @online{pichon:20241205:edam:37cc5db, author = {Marine PICHON and Alexandre Matousek}, title = {{Edam Dropper}}, date = {2024-12-05}, organization = {Orange Cyberdefense}, url = {https://github.com/cert-orangecyberdefense/edam}, language = {English}, urldate = {2024-12-06} } @online{pichon:20250218:iocs:4ada8d3, author = {Marine PICHON and Alexis Bonnefoi}, title = {{IOCs Green Nailao campaign (NailaoLocker, ShadowPad)}}, date = {2025-02-18}, organization = {Orange Cyberdefense}, url = {https://github.com/cert-orangecyberdefense/cti/tree/main/green_nailao}, language = {English}, urldate = {2025-02-20} } @online{pichon:20250314:emmenhtal:d98d1ce, author = {Marine PICHON and Alexandre Matousek}, title = {{Tweet on Emmenhtal v3}}, date = {2025-03-14}, organization = {Twitter (@CERTCyberdef)}, url = {https://x.com/CERTCyberdef/status/1900460479778030013}, language = {English}, urldate = {2025-03-14} } @online{pichon:20250616:from:8db2ec8, author = {Marine PICHON and Alexis Bonnefoi}, title = {{From SambaSpy to Sorillus: Dancing through a multi-language phishing campaign in Europe}}, date = {2025-06-16}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe}, language = {English}, urldate = {2025-06-23} } @online{picolet:20210416:transparent:645e443, author = {Joshua Picolet}, title = {{Transparent Tribe APT Infrastructure Mapping Part 1: A High-Level Study of CrimsonRAT Infrastructure October 2020 – March 2021}}, date = {2021-04-16}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/}, language = {English}, urldate = {2021-04-19} } @online{picolet:20210702:transparent:329d046, author = {Joshua Picolet}, title = {{Transparent Tribe APT Infrastructure Mapping Part 2: A Deeper Dive into the Identification of CrimsonRAT Infrastructure}}, date = {2021-07-02}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/}, language = {English}, urldate = {2021-07-11} } @online{picolet:20220429:sliver:44c5312, author = {Joshua Picolet}, title = {{Sliver Case Study: Assessing Common Offensive Security Tools The Use of the Sliver C2 Framework for Malicious Purposes}}, date = {2022-04-29}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools}, language = {English}, urldate = {2022-11-02} } @online{piddannavar:20230603:technical:9cbdb89, author = {Mallikarjun Piddannavar}, title = {{Technical Analysis of Bandit Stealer}}, date = {2023-06-03}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer}, language = {English}, urldate = {2023-07-05} } @online{piddannavar:20230822:agniane:bb46275, author = {Mallikarjun Piddannavar}, title = {{Agniane Stealer: Dark Web’s Crypto Threat}}, date = {2023-08-22}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat}, language = {English}, urldate = {2023-08-25} } @online{pierre:20210112:multiple:5dc89a7, author = {Pierre}, title = {{Multiple vulnerabilities found in FiberHome HG6245D routers}}, date = {2021-01-12}, organization = {pierrekim blog}, url = {https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html}, language = {English}, urldate = {2021-01-21} } @online{pilkey:20200716:us:aae453e, author = {Adam Pilkey}, title = {{US, UK, and Canada’s COVID-19 research targeted by APT29}}, date = {2020-07-16}, organization = {F-Secure}, url = {https://blog.f-secure.com/covid-19-vaccines/}, language = {English}, urldate = {2020-07-17} } @online{pimental:20180112:sonja:114dec9, author = {Jacob Pimental}, title = {{Sonja Analysis}}, date = {2018-01-12}, organization = {Medium}, url = {https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9}, language = {English}, urldate = {2020-01-05} } @online{pimental:20190505:unpacking:3b96fc8, author = {Jacob Pimental}, title = {{Unpacking NanoCore Sample Using AutoIT}}, date = {2019-05-05}, organization = {GoggleHeadedHacker Blog}, url = {https://goggleheadedhacker.com/blog/post/11}, language = {English}, urldate = {2019-12-18} } @online{pimental:20190701:robbinhood:2e0e1fe, author = {Jacob Pimental}, title = {{Robbinhood Malware Analysis with Radare2}}, date = {2019-07-01}, organization = {GoggleHeadedHacker Blog}, url = {https://goggleheadedhacker.com/blog/post/12}, language = {English}, urldate = {2020-01-13} } @online{pimental:20191124:ta505:fb32d29, author = {Jacob Pimental}, title = {{TA505 Get2 Analysis}}, date = {2019-11-24}, url = {https://www.goggleheadedhacker.com/blog/post/13}, language = {English}, urldate = {2019-12-17} } @online{pimental:20200125:olympic:55cba30, author = {Jacob Pimental}, title = {{Olympic Ticket Reseller Magecart Infection}}, date = {2020-01-25}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/14}, language = {English}, urldate = {2020-01-27} } @online{pimental:20210317:automatic:04d3eda, author = {Jacob Pimental}, title = {{Automatic Gobfuscator Deobfuscation with EKANS Ransomware}}, date = {2021-03-17}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/22}, language = {English}, urldate = {2021-03-19} } @online{pimental:20210324:antianalysis:5f10bfa, author = {Jacob Pimental}, title = {{Anti-Analysis Techniques Used in Excel 4.0 Macros}}, date = {2021-03-24}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/23}, language = {English}, urldate = {2021-10-19} } @online{pimental:20210502:sodinokibi:8c1c93c, author = {Jacob Pimental}, title = {{Sodinokibi Ransomware Analysis}}, date = {2021-05-02}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis}, language = {English}, urldate = {2021-05-08} } @online{pimental:20210508:cyberchef:150e910, author = {Jacob Pimental}, title = {{Tweet on CyberChef recipe to extract Revil Ransomware configuration}}, date = {2021-05-08}, organization = {Twitter (@Jacob_Pimental)}, url = {https://twitter.com/Jacob_Pimental/status/1391055792774729728}, language = {English}, urldate = {2021-05-13} } @online{pimental:20210528:revil:62832fa, author = {Jacob Pimental}, title = {{Tweet on REvil ver 2.07}}, date = {2021-05-28}, organization = {Twitter (@Jacob_Pimental)}, url = {https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20}, language = {English}, urldate = {2021-06-21} } @online{pimental:20210825:reverse:1468827, author = {Jacob Pimental}, title = {{Reverse Engineering Crypto Functions: RC4 and Salsa20}}, date = {2021-08-25}, organization = {GoggleHeadedHacker Blog}, url = {https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions}, language = {English}, urldate = {2021-08-31} } @online{pingios:20210125:attribution:51aca51, author = {Anastasios Pingios}, title = {{On attribution: APT28, APT29…Turla: No, they are NOT the same}}, date = {2021-01-25}, organization = {xorl %eax}, url = {https://xorl.wordpress.com/2021/01/25/on-attribution-apt28-apt29-turla-no-they-are-not-the-same/}, language = {English}, urldate = {2021-01-27} } @online{pingios:20210416:russias:72a28f1, author = {Anastasios Pingios}, title = {{Russia’s Cyber Operations Groups}}, date = {2021-04-16}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/04/16/russias-cyber-operations-groups/}, language = {English}, urldate = {2021-04-19} } @online{pingios:20210418:us:489347a, author = {Anastasios Pingios}, title = {{US Cyber Operations Groups}}, date = {2021-04-18}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/04/18/us-cyber-operations-groups/}, language = {English}, urldate = {2021-04-20} } @online{pingios:20210420:chinese:043d6ed, author = {Anastasios Pingios}, title = {{Chinese Cyber Operations Groups}}, date = {2021-04-20}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/04/20/chinese-cyber-operations-groups/}, language = {English}, urldate = {2021-04-28} } @online{pingios:20210422:gentle:01201be, author = {Anastasios Pingios}, title = {{A gentle introduction to building a threat intelligence team}}, date = {2021-04-22}, organization = {xorl %eax, %eax}, url = {https://docs.google.com/presentation/d/1mrDttPZreFZg_q5RG9EGjtBzbd5cpyA1Y9CzhyQiDj0}, language = {English}, urldate = {2021-05-08} } @online{pingios:20210423:analysis:d263296, author = {Anastasios Pingios}, title = {{Analysis of the CardingMafia March 2021 data breach}}, date = {2021-04-23}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/04/23/analysis-of-the-cardingmafia-march-2021-data-breach/}, language = {English}, urldate = {2021-05-08} } @online{pingios:20210424:north:eee942a, author = {Anastasios Pingios}, title = {{North Korea (DPRK) Cyber Operations Groups}}, date = {2021-04-24}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/04/24/north-korea-dprk-cyber-operations-groups/}, language = {English}, urldate = {2021-05-08} } @online{pingios:20210428:eu:cb032ed, author = {Anastasios Pingios}, title = {{EU Cyber Operations Groups}}, date = {2021-04-28}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/04/28/eu-cyber-operations-groups/}, language = {English}, urldate = {2021-05-03} } @online{pingios:20210503:exploitation:b2c98a9, author = {Anastasios Pingios}, title = {{Exploitation of data breaches for executive protection}}, date = {2021-05-03}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/05/03/exploitation-of-data-breaches-for-executive-protection/}, language = {English}, urldate = {2021-05-08} } @online{pingios:20210506:iran:7acb8a7, author = {Anastasios Pingios}, title = {{Iran Cyber Operations Groups}}, date = {2021-05-06}, organization = {xorl %eax, %eax}, url = {https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/}, language = {English}, urldate = {2021-05-08} } @online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } @techreport{pinto:20180808:triton:7c9e25d, author = {Alessandro Di Pinto and Younes Dragoni and Andrea Carcano}, title = {{TRITON: The First ICS Cyber Attack on Safety Instrument Systems}}, date = {2018-08-08}, institution = {Nozomi Networks}, url = {https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf}, language = {English}, urldate = {2021-09-24} } @online{pinto:20190212:greyenergy:1acfcdf, author = {Alessandro Di Pinto}, title = {{GreyEnergy Malware Research Paper: Maldoc to Backdoor}}, date = {2019-02-12}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/}, language = {English}, urldate = {2020-01-10} } @online{pinto:20201013:overcoming:91cef54, author = {Alessandro Di Pinto}, title = {{Overcoming the Challenges of Detecting P2P Botnets on Your Network}}, date = {2020-10-13}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/}, language = {English}, urldate = {2021-09-28} } @online{pippi:20191024:ftdecryptor:d1b2fb5, author = {Gabriele Pippi}, title = {{FTdecryptor: a simple password-based FTCODE decryptor}}, date = {2019-10-24}, organization = {Certego}, url = {https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/}, language = {English}, urldate = {2019-11-23} } @techreport{pirozzi:20180122:operation:260c7d7, author = {Antonio Pirozzi and Antonio Farina and Luigi Martire}, title = {{Operation EvilTraffic}}, date = {2018-01-22}, institution = {Yoroi}, url = {https://cybaze.it/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf}, language = {English}, urldate = {2020-04-21} } @online{pirozzi:20200428:outlaw:e4da556, author = {Antonio Pirozzi and Luigi Martire and Pierluigi Paganini}, title = {{Outlaw is Back, a New Crypto-Botnet Targets European Organizations}}, date = {2020-04-28}, organization = {Yoroi}, url = {https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/}, language = {English}, urldate = {2021-06-16} } @online{pirozzi:20210616:gootloader:b2ba777, author = {Antonio Pirozzi}, title = {{Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets}}, date = {2021-06-16}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/}, language = {English}, urldate = {2021-06-21} } @online{pirozzi:20210913:hide:345ced5, author = {Antonio Pirozzi and Antonio Cocomazzi}, title = {{Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms}}, date = {2021-09-13}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/}, language = {English}, urldate = {2021-09-14} } @online{pirozzi:20220223:sanctions:aae1c98, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp}}, date = {2022-02-23}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/}, language = {English}, urldate = {2022-02-26} } @techreport{pirozzi:202202:sanctions:2213742, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp}}, date = {2022-02}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf}, language = {English}, urldate = {2022-05-17} } @online{pisarev:20200529:icedid:9627fda, author = {Ivan Pisarev}, title = {{IcedID: When ice burns through bank accounts}}, date = {2020-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/icedid}, language = {English}, urldate = {2020-06-02} } @online{pisarev:20211118:awakening:5bb7c5e, author = {Ivan Pisarev}, title = {{The awakening: Group-IB uncovers new corporate espionage attacks by RedCurl}}, date = {2021-11-18}, organization = {Group-IB}, url = {https://www.group-ib.com/media/red-curl-threat-report/}, language = {English}, urldate = {2021-11-19} } @online{pisarev:20220414:old:8265433, author = {Ivan Pisarev}, title = {{Old Gremlins, new methods}}, date = {2022-04-14}, organization = {Group-IB}, url = {https://blog.group-ib.com/oldgremlin_comeback}, language = {English}, urldate = {2022-04-15} } @online{pisarev:20220414:old:e440e88, author = {Ivan Pisarev}, title = {{Old Gremlins, new methods}}, date = {2022-04-14}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/oldgremlin-comeback/}, language = {English}, urldate = {2023-07-11} } @online{pistelli:20230328:reversing:6838d55, author = {Erik Pistelli}, title = {{Reversing Complex PowerShell Malware}}, date = {2023-03-28}, organization = {Cerbero}, url = {https://blog.cerbero.io/?p=2617}, language = {English}, urldate = {2023-04-03} } @online{piton:20210117:backdooring:fa3eabe, author = {Markus Piéton}, title = {{Backdooring MSBuild}}, date = {2021-01-17}, organization = {a12d404}, url = {https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html}, language = {English}, urldate = {2021-01-21} } @techreport{pittman:20231212:unraveling:7ba5598, author = {Rob Pittman}, title = {{Unraveling BatLoader and FakeBat}}, date = {2023-12-12}, institution = {eSentire}, url = {https://esentire-dot-com-assets.s3.amazonaws.com/assets/resourcefiles/eSentire-Unraveling_BatLoader_and_FakeBat.pdf}, language = {English}, urldate = {2024-06-05} } @online{placeholder:2022:malpedia:f4e5083, author = {Placeholder}, title = {{Malpedia Entry for PyAesLoader}}, date = {2022}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader}, language = {English}, urldate = {2023-03-23} } @online{plan:20190304:apt40:4f394e2, author = {Fred Plan and Nalani Fraser and Jacqueline O’Leary and Vincent Cannon and Ben Read}, title = {{APT40: Examining a China-Nexus Espionage Actor}}, date = {2019-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html}, language = {English}, urldate = {2019-12-20} } @online{plan:20230328:apt43:2cb37c1, author = {Fred Plan and Van Ta and Michael Barnhart and JEFF JOHNSON and Dan Perez and JOE DOBSON}, title = {{APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations}}, date = {2023-03-28}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report}, language = {English}, urldate = {2023-04-25} } @online{plan:20230328:apt43:878de2c, author = {Fred Plan and Van Ta and Michael Barnhart and Jeffery Johnson and Dan Perez and JOE DOBSON}, title = {{APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations}}, date = {2023-03-28}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage}, language = {English}, urldate = {2023-08-11} } @online{plankers:20210921:vmsa20210020:03f2366, author = {Bob Plankers}, title = {{VMSA-2021-0020: What You Need to Know (CVE-2021-22005)}}, date = {2021-09-21}, organization = {vmware}, url = {https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html}, language = {English}, urldate = {2021-09-28} } @online{platt:20190320:fin7:a7fe335, author = {Joshua Platt and Jason Reaves}, title = {{FIN7 Revisited: Inside Astra Panel and SQLRat Malware}}, date = {2019-03-20}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/}, language = {English}, urldate = {2020-01-10} } @online{platt:20190320:fin7:bac265f, author = {Joshua Platt and Jason Reaves}, title = {{FIN7 Revisited: Inside Astra Panel and SQLRat Malware}}, date = {2019-03-20}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/}, language = {English}, urldate = {2019-12-18} } @online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } @online{platt:20210301:investigation:a7851d5, author = {Joshua Platt and Jason Reaves}, title = {{Investigation into the state of Nim malware}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811}, language = {English}, urldate = {2021-03-04} } @online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } @online{platt:20210503:buerloader:2aa3e3f, author = {Joshua Platt and Jason Reaves}, title = {{BuerLoader Updates}}, date = {2021-05-03}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96}, language = {English}, urldate = {2021-05-04} } @online{platt:20210607:inside:6c363a7, author = {Joshua Platt and Jason Reaves}, title = {{Inside the SystemBC Malware-As-A-Service}}, date = {2021-06-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6}, language = {English}, urldate = {2021-06-08} } @online{platt:20220201:sugar:ba25cd3, author = {Joshua Platt and Jonathan Mccay and Jason Reaves}, title = {{Sugar Ransomware, a new RaaS}}, date = {2022-02-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb}, language = {English}, urldate = {2022-02-02} } @online{platt:20220804:icedid:546c931, author = {Joshua Platt and Jason Reaves}, title = {{IcedID leverages PrivateLoader}}, date = {2022-08-04}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f}, language = {English}, urldate = {2022-08-11} } @online{platt:20250228:agent:f44bb1d, author = {Joshua Platt}, title = {{Agent AI, Basta Parser Extraordinaire}}, date = {2025-02-28}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/agent-ai-basta-parser-extraordinaire-24edfc59992a}, language = {English}, urldate = {2025-03-26} } @online{playerv:20220402:emotet:712f2ab, author = {Player-V}, title = {{Emotet Analysis Part 1: Unpacking}}, date = {2022-04-02}, organization = {Github (pl-v)}, url = {https://pl-v.github.io/plv/posts/Emotet-unpacking/}, language = {English}, urldate = {2022-04-08} } @online{plc:20160714:technical:a0afcbd, author = {NCC Group PLC}, title = {{Technical Notes on Sakula}}, date = {2016-07-14}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula}, language = {English}, urldate = {2020-01-08} } @online{plc:20180316:royal:7ff57f8, author = {NCC Group PLC}, title = {{Royal APT - APT15 Repository}}, date = {2018-03-16}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Royal_APT}, language = {English}, urldate = {2020-01-09} } @online{plohmann:20141104:idapatchwork:db14073, author = {Daniel Plohmann}, title = {{IDApatchwork Repository}}, date = {2014-11-04}, organization = {BitBucket}, url = {https://bitbucket.org/daniel_plohmann/idapatchwork}, language = {English}, urldate = {2020-01-09} } @techreport{plohmann:2014:patchwork:4d0d260, author = {Daniel Plohmann}, title = {{Patchwork: Stitching against malware families with IDA Pro}}, date = {2014}, institution = {Fraunhofer FKIE}, url = {https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf}, language = {English}, urldate = {2020-01-09} } @online{plohmann:20150818:knowledge:78bb6cf, author = {Daniel Plohmann}, title = {{Knowledge Fragment: Unwrapping Fobber}}, date = {2015-08-18}, organization = {ByteAtlas}, url = {http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html}, language = {English}, urldate = {2020-01-10} } @online{plohmann:20200710:knowledge:358aef1, author = {Daniel Plohmann}, title = {{Knowledge Fragment: Casting Sandbox Necromancy on DADSTACHE}}, date = {2020-07-10}, organization = {ByteAtlas}, url = {https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html}, language = {English}, urldate = {2020-07-11} } @online{po:20200116:new:e2639f7, author = {Cang Po and Sang Duo}, title = {{New Outbreak of h2Miner Worms Exploiting Redis RCE Detected}}, date = {2020-01-16}, organization = {Alibaba}, url = {https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743}, language = {English}, urldate = {2020-05-18} } @online{podber:20220505:raspberry:ebc51e8, author = {Lauren Podber and Stef Rand}, title = {{Raspberry Robin gets the worm early}}, date = {2022-05-05}, organization = {Red Canary}, url = {https://redcanary.com/blog/raspberry-robin/}, language = {English}, urldate = {2022-05-06} } @online{podcast:20210418:1:9532c26, author = {BBC Podcast}, title = {{1. Hacking Hollywood}}, date = {2021-04-18}, organization = {BBC}, url = {https://www.bbc.co.uk/programmes/p09dx4p1}, language = {English}, urldate = {2021-08-02} } @online{podcast:20210425:2:aefbc2e, author = {BBC Podcast}, title = {{2. Disaster movie}}, date = {2021-04-25}, organization = {BBC}, url = {https://www.bbc.co.uk/programmes/p09fktyl}, language = {English}, urldate = {2021-08-02} } @online{podcast:20210502:3:87736fd, author = {BBC Podcast}, title = {{3. Superdollars}}, date = {2021-05-02}, organization = {BBC}, url = {https://www.bbc.co.uk/programmes/p09g8p4n}, language = {English}, urldate = {2021-08-02} } @online{podlosky:20210317:indrik:65d1f3f, author = {Adam Podlosky and Brendon Feeley}, title = {{INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions}}, date = {2021-03-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/}, language = {English}, urldate = {2021-03-19} } @techreport{point:20150330:volatile:35cc0a6, author = {Check Point}, title = {{Volatile Cedar}}, date = {2015-03-30}, institution = {Check Point}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf}, language = {English}, urldate = {2022-10-07} } @online{point:20150601:troldesh:19531cf, author = {Check Point}, title = {{“Troldesh” – New Ransomware from Russia}}, date = {2015-06-01}, organization = {Check Point}, url = {https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/}, language = {English}, urldate = {2019-11-25} } @online{point:20150609:new:73a136b, author = {Check Point}, title = {{New Data: Volatile Cedar Malware Campaign}}, date = {2015-06-09}, organization = {Check Point}, url = {https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/}, language = {English}, urldate = {2020-01-13} } @online{point:20151104:offline:c78ce9c, author = {Check Point}, title = {{“Offline” Ransomware Encrypts Your Data without C&C Communication}}, date = {2015-11-04}, organization = {Check Point}, url = {https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/}, language = {English}, urldate = {2020-09-15} } @techreport{point:201511:rocket:2e2b21c, author = {Check Point}, title = {{ROCKET KIT TEN: A CAMPAIGN WITH 9 LIVES}}, date = {2015-11}, institution = {Check Point}, url = {https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{point:201607:from:fc635c5, author = {Check Point}, title = {{From HummingBad to Worse}}, date = {2016-07}, institution = {Check Point}, url = {http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf}, language = {English}, urldate = {2020-01-06} } @online{point:20170124:charger:7ef6390, author = {Check Point}, title = {{Charger Malware Calls and Raises the Risk on Google Play}}, date = {2017-01-24}, organization = {Check Point}, url = {http://blog.checkpoint.com/2017/01/24/charger-malware/}, language = {English}, urldate = {2020-01-06} } @online{point:20170310:preinstalled:9cebe0f, author = {Check Point}, title = {{Preinstalled Malware Targeting Mobile Users}}, date = {2017-03-10}, organization = {Check Point}, url = {http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/}, language = {English}, urldate = {2019-12-18} } @online{point:20170510:diamondfox:018fbdb, author = {Check Point}, title = {{DiamondFox modular malware – a one-stop shop}}, date = {2017-05-10}, organization = {Check Point}, url = {http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/}, language = {English}, urldate = {2019-12-18} } @online{point:20170601:fireball:7689185, author = {Check Point}, title = {{FIREBALL – The Chinese Malware of 250 Million Computers Infected}}, date = {2017-06-01}, organization = {Check Point}, url = {http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/}, language = {English}, urldate = {2020-01-08} } @online{point:20171019:new:364e629, author = {Check Point}, title = {{A New IoT Botnet Storm is Coming}}, date = {2017-10-19}, organization = {Check Point}, url = {https://research.checkpoint.com/new-iot-botnet-storm-coming/}, language = {English}, urldate = {2019-12-10} } @online{point:20190219:north:2d1cfbe, author = {Check Point}, title = {{North Korea Turns Against New Targets?!}}, date = {2019-02-19}, organization = {Check Point Research}, url = {https://research.checkpoint.com/north-korea-turns-against-russian-targets/}, language = {English}, urldate = {2019-10-21} } @online{point:20190227:protecting:fd60a96, author = {Check Point}, title = {{Protecting Against WinRAR Vulnerabilities}}, date = {2019-02-27}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/}, language = {English}, urldate = {2020-01-07} } @online{point:20190422:finteam:142589a, author = {Check Point}, title = {{FINTEAM: Trojanized TeamViewer Against Government Targets}}, date = {2019-04-22}, organization = {Check Point}, url = {https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/}, language = {English}, urldate = {2023-07-24} } @techreport{point:20191230:threat:e0f0191, author = {Check Point}, title = {{THREAT INTELLIGENCE REPORT}}, date = {2019-12-30}, institution = {Check Point}, url = {https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf}, language = {English}, urldate = {2020-01-08} } @online{point:20200312:vicious:1d97e93, author = {Check Point}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign}, language = {English}, urldate = {2022-07-25} } @online{point:20220218:evilplayout:1ddf5e3, author = {Check Point}, title = {{EvilPlayout: Attack Against Iran’s State Broadcaster}}, date = {2022-02-18}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/}, language = {English}, urldate = {2022-03-02} } @online{point:20220307:lapsus:007ba79, author = {Check Point}, title = {{Lapsus$ Ransomware gang uses stolen source code to disguise malware files as trustworthy. Check Point customers remain protected}}, date = {2022-03-07}, organization = {Check Point Research}, url = {https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/}, language = {English}, urldate = {2022-03-25} } @online{point:20230106:opwnai:7510ff2, author = {Check Point}, title = {{OpwnAI: Cybercriminals Starting to use ChatGPT}}, date = {2023-01-06}, organization = {Check Point}, url = {https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/}, language = {English}, urldate = {2023-01-06} } @online{point:20230410:march:144c1ad, author = {Check Point}, title = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}}, date = {2023-04-10}, organization = {Check Point}, url = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/}, language = {English}, urldate = {2023-04-12} } @online{point:20231030:evolving:f4d29a7, author = {Check Point}, title = {{Evolving Cyber Dynamics Amidst the Israel-Hamas Conflict}}, date = {2023-10-30}, organization = {Check Point Research}, url = {https://blog.checkpoint.com/security/evolving-cyber-dynamics-amidst-the-israel-hamas-conflict/}, language = {English}, urldate = {2024-11-15} } @online{point:20231212:november:92064e9, author = {Check Point}, title = {{November 2023’s Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus}}, date = {2023-12-12}, organization = {Check Point Research}, url = {https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/}, language = {English}, urldate = {2023-12-13} } @online{point:20240331:malware:6bd750f, author = {Check Point}, title = {{Malware Spotlight: Linodas aka DinodasRAT for Linux}}, date = {2024-03-31}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2024/29676/}, language = {English}, urldate = {2024-04-11} } @online{point:20240523:chinese:f5b9da9, author = {Check Point}, title = {{Chinese Espionage Campaign Expands to Target Africa and The Caribbean}}, date = {2024-05-23}, organization = {Check Point}, url = {https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/}, language = {English}, urldate = {2024-06-05} } @online{point:20240904:hacktivists:8008abe, author = {Check Point}, title = {{Hacktivists Call for Release of Telegram Founder with #FreeDurov DDoS Campaign}}, date = {2024-09-04}, organization = {Check Point}, url = {https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/}, language = {English}, urldate = {2024-11-04} } @online{point:20250612:from:f7b490f, author = {Check Point}, title = {{From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery}}, date = {2025-06-12}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/}, language = {English}, urldate = {2025-06-25} } @online{pokharel:20190130:analysis:df83b7e, author = {Samip Pokharel}, title = {{Analysis of NetWiredRC trojan}}, date = {2019-01-30}, url = {https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/}, language = {English}, urldate = {2020-01-13} } @online{pokharel:20190206:analysis:56aa0a1, author = {Samip Pokharel}, title = {{Analysis of multiplatform Java Jacksbot Backdoor}}, date = {2019-02-06}, url = {https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/}, language = {English}, urldate = {2020-01-08} } @online{poland:20210415:statement:3a57d39, author = {Ministry of Foreign Affairs Republic of Poland}, title = {{Statement on Solar Winds Orion cyberattacks}}, date = {2021-04-15}, organization = {Ministry of Foreign Affairs Republic of Poland}, url = {https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks}, language = {English}, urldate = {2021-04-16} } @online{poland:20220719:development:a66f04f, author = {CERT Poland}, title = {{Development of UNC1151/Ghostwriter attack techniques}}, date = {2022-07-19}, organization = {CERT Poland}, url = {https://cert.pl/posts/2022/07/techniki-unc1151/}, language = {Polish}, urldate = {2022-07-25} } @online{poland:20221230:russian:e27c8ad, author = {Government Plenipotentiary for the Security of Information Space of the Republic of Poland}, title = {{Russian cyberattacks}}, date = {2022-12-30}, organization = {GOV.PL}, url = {https://www.gov.pl/web/special-services/russian-cyberattacks}, language = {English}, urldate = {2023-02-17} } @online{polat:20210803:trash:6611883, author = {Yusuf Arslan Polat and Sean Gallagher}, title = {{Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more}}, date = {2021-08-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/}, language = {English}, urldate = {2021-08-06} } @online{poliisi:20210318:eduskunnan:cb59032, author = {Poliisi}, title = {{Eduskunnan tietojärjestelmiin kohdistuneen tietomurron tutkinnassa selvitetään yhteyttä APT31-toimijaan}}, date = {2021-03-18}, organization = {Poliisi}, url = {https://poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan}, language = {Finnish}, urldate = {2021-07-22} } @online{politics:20200526:eus:d779e87, author = {Guest Blogger for Net Politics}, title = {{The EU’s Response to SolarWinds}}, date = {2020-05-26}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/blog/eus-response-solarwinds}, language = {English}, urldate = {2021-06-09} } @online{polityuk:20170118:ukraines:88cbe2f, author = {Pavel Polityuk and Oleg Vukmanovic and Stephen Jewkes}, title = {{Ukraine's power outage was a cyber attack: Ukrenergo}}, date = {2017-01-18}, organization = {Reuters}, url = {https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA}, language = {English}, urldate = {2020-01-07} } @online{poloboc:20220221:watch:e30f452, author = {Alexandru Poloboc}, title = {{Watch out, the Kraken botnet can easily bypass Defender and steal your crypto}}, date = {2022-02-21}, organization = {Windows Report}, url = {https://windowsreport.com/kraken-botnet/}, language = {English}, urldate = {2022-03-02} } @online{polovinkin:20230111:dark:abb723d, author = {Andrey Polovinkin}, title = {{Dark Pink - New APT hitting Asia-Pacific, Europe that goes deeper and darker}}, date = {2023-01-11}, organization = {Group-IB}, url = {https://blog.group-ib.com/dark-pink-apt}, language = {English}, urldate = {2023-01-12} } @online{polovinkin:20230531:dark:08e95be, author = {Andrey Polovinkin}, title = {{Dark Pink. Episode 2}}, date = {2023-05-31}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/dark-pink-episode-2/}, language = {English}, urldate = {2024-12-11} } @online{polozov:20201019:possible:699adf6, author = {Yury Polozov}, title = {{Possible Identity of a Kuwaiti Hacker NYANxCAT}}, date = {2020-10-19}, organization = {Red Sky Alliance}, url = {https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat}, language = {English}, urldate = {2022-05-17} } @online{polyswarm:20221006:nullmixer:180953c, author = {PolySwarm}, title = {{NullMixer Drops Multiple Malware Families}}, date = {2022-10-06}, url = {https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families}, language = {English}, urldate = {2022-11-12} } @online{pomerantsev:20191127::4345ace, author = {Ilya Pomerantsev}, title = {{Кейлоггер с сюрпризом: анализ клавиатурного шпиона и деанон его разработчика}}, date = {2019-11-27}, organization = {Group-IB}, url = {https://habr.com/ru/company/group-ib/blog/477198/}, language = {Russian}, urldate = {2020-03-23} } @online{pontiroli:20250520:from:18ae162, author = {Santiago Pontiroli and Jozsef Gegeny and Prakas Thevendaran}, title = {{From banks to battalions: SideWinder’s attacks on South Asia’s public sector}}, date = {2025-05-20}, organization = {Acronis}, url = {https://www.acronis.com/en-us/cyber-protection-center/posts/from-banks-to-battalions-sidewinders-attacks-on-south-asias-public-sector/}, language = {English}, urldate = {2025-05-21} } @online{pooler:20190611:cpu:1608551, author = {pooler}, title = {{CPU miner for Litecoin and Bitcoin}}, date = {2019-06-11}, organization = {Github (pooler)}, url = {https://github.com/pooler/cpuminer}, language = {English}, urldate = {2020-01-09} } @online{popa:20220401:bert:08bcb1b, author = {Cristian Popa}, title = {{BERT Embeddings: A Modern Machine-learning Approach for Detecting Malware from Command Lines (Part 2 of 2)}}, date = {2022-04-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bert-embeddings-new-approach-for-command-line-anomaly-detection-part-2/}, language = {English}, urldate = {2022-04-05} } @online{popovici:20240405:powerhosts:c11819c, author = {Madalina Popovici}, title = {{Powerhost’s ESXi Servers Encrypted with New SEXi Ransomware}}, date = {2024-04-05}, organization = {Heimdal Security}, url = {https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/}, language = {English}, urldate = {2024-12-11} } @techreport{porolli:201505:cpl:f373211, author = {Matías Porolli and Pablo Ramos}, title = {{CPL Malware in Brazil: Somewhere Between Banking Trojans and Malicious Emails}}, date = {2015-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf}, language = {English}, urldate = {2019-12-17} } @online{porolli:20200709:more:24d8b63, author = {Matías Porolli}, title = {{More evil: A deep look at Evilnum and its toolset}}, date = {2020-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/}, language = {English}, urldate = {2020-07-11} } @online{porolli:20200710:evilnumindicators:639ec06, author = {Matías Porolli}, title = {{Evilnum — Indicators of Compromise}}, date = {2020-07-10}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/evilnum}, language = {English}, urldate = {2020-07-11} } @online{porolli:20210111:operation:409662d, author = {Matías Porolli}, title = {{Operation Spalax: Targeted malware attacks in Colombia}}, date = {2021-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/}, language = {English}, urldate = {2021-01-18} } @online{porolli:20221011:polonium:1dbdd2d, author = {Matías Porolli}, title = {{POLONIUM targets Israel with Creepy malware}}, date = {2022-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/}, language = {English}, urldate = {2022-10-12} } @online{porras:20090308:conficker:e525ea4, author = {Phillip Porras and Hassen Saidi and Vinod Yegneswaran}, title = {{Conficker C Analysis}}, date = {2009-03-08}, organization = {SRI International}, url = {http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html}, language = {English}, urldate = {2020-01-06} } @online{porras:20190425:meet:75dbab7, author = {Edgar Felipe Duarte Porras}, title = {{Meet Lucifer: A New International Trojan}}, date = {2019-04-25}, organization = {AppGate}, url = {https://blog.easysol.net/meet-lucifer-international-trojan/}, language = {English}, urldate = {2020-01-07} } @online{porta:20200607:penquin:cde32fc, author = {Silvio La Porta and Antonio Villani}, title = {{The Penquin is in da house}}, date = {2020-06-07}, organization = {Youtube (OPCDE)}, url = {https://www.youtube.com/watch?v=JXsjRUxx47E}, language = {English}, urldate = {2020-06-10} } @techreport{portuguez:20100628:case:d50ed65, author = {Ace Portuguez}, title = {{The Case of Trojan DownLoader "TDL3"}}, date = {2010-06-28}, institution = {F-Secure Labs}, url = {https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf}, language = {English}, urldate = {2022-01-25} } @online{poslun:20180126:friedex:3c3f46b, author = {Michal Poslušný}, title = {{FriedEx: BitPaymer ransomware the work of Dridex authors}}, date = {2018-01-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/}, language = {English}, urldate = {2019-11-14} } @online{poslun:20180525:backswap:709ad89, author = {Michal Poslušný}, title = {{BackSwap malware finds innovative ways to empty bank accounts}}, date = {2018-05-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/}, language = {English}, urldate = {2019-11-14} } @online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } @online{poslun:20220111:signed:1c59d41, author = {Michal Poslušný}, title = {{Signed kernel drivers – Unguarded gateway to Windows’ core}}, date = {2022-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/}, language = {English}, urldate = {2022-01-18} } @online{potaczek:20220316:have:42cad90, author = {Mathew Potaczek and Takahiro Sugiyama and Logeswaran Nadarajan and Yu Nakamura and Joshua Homan and Martin Co and Sylvain Hirsch}, title = {{Have Your Cake and Eat it Too? An Overview of UNC2891}}, date = {2022-03-16}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2891-overview}, language = {English}, urldate = {2022-03-17} } @online{potts:20190102:analysis:19d4780, author = {Pepper Potts}, title = {{Analysis of Neutrino Bot Sample (dated 2018-08-27)}}, date = {2019-01-02}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html}, language = {English}, urldate = {2020-01-06} } @online{potts:20190305:quick:773aabc, author = {Pepper Potts}, title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}}, date = {2019-03-05}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html}, language = {English}, urldate = {2019-12-19} } @online{potts:20190318:analysis:69c984a, author = {Pepper Potts}, title = {{Analysis of .Net Stealer GrandSteal}}, date = {2019-03-18}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html}, language = {English}, urldate = {2020-01-08} } @online{potts:20190318:analysis:74d47aa, author = {Pepper Potts}, title = {{Analysis of BlackMoon (Banking Trojan)'s Evolution, And The Possibility of a Latest Version Under Development}}, date = {2019-03-18}, url = {https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html}, language = {English}, urldate = {2019-11-28} } @online{potts:20190603:apt34:d5442c2, author = {Pepper Potts}, title = {{Tweet on APT34}}, date = {2019-06-03}, organization = {Twitter (@P3pperP0tts)}, url = {https://twitter.com/P3pperP0tts/status/1135503765287657472}, language = {English}, urldate = {2020-01-13} } @online{potts:20191105:brief:d108a29, author = {Pepper Potts}, title = {{Brief analysis of Redaman Banking Malware (v0.6.0.2) Sample}}, date = {2019-11-05}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html}, language = {English}, urldate = {2020-01-08} } @online{poudel:20241022:latrodectus:7e037ac, author = {Swachchhanda Shrawan Poudel}, title = {{Latrodectus: The Wrath of Black Widow}}, date = {2024-10-22}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/latrodectus-the-wrath-of-black-widow/}, language = {English}, urldate = {2024-10-24} } @techreport{pourcelot:20220511:tricephalic:d8d6265, author = {Tristan Pourcelot}, title = {{Tricephalic Hellkeeper: a tale of a passive backdoor}}, date = {2022-05-11}, institution = {ExaTrack}, url = {https://exatrack.com/public/Tricephalic_Hellkeeper.pdf}, language = {English}, urldate = {2022-05-25} } @online{pradhan:20220208:lolzarus:8040174, author = {Akshat Pradhan}, title = {{LolZarus: Lazarus Group Incorporating Lolbins into Campaigns}}, date = {2022-02-08}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns}, language = {English}, urldate = {2022-02-09} } @techreport{pradhan:20220615:fake:f00033d, author = {Akshat Pradhan}, title = {{Fake Cracked Software Caught Peddling Redline Stealers}}, date = {2022-06-15}, institution = {Qualys}, url = {https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf}, language = {English}, urldate = {2022-06-17} } @online{pradhan:20230103:bitrat:60d704b, author = {Akshat Pradhan}, title = {{BitRAT Now Sharing Sensitive Bank Data as a Lure}}, date = {2023-01-03}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure}, language = {English}, urldate = {2023-01-04} } @techreport{prakash:2009:rootkit:83f212e, author = {Chandra Prakash}, title = {{Rootkit Installation and Obfuscation in Rustock}}, date = {2009}, institution = {Sunbelt Malware Research Labs}, url = {http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf}, language = {English}, urldate = {2019-07-09} } @online{prakash:20201112:hunting:08069d5, author = {Ajeet Prakash}, title = {{Hunting for Barium using Azure Sentinel}}, date = {2020-11-12}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-barium-using-azure-sentinel/ba-p/1875913}, language = {English}, urldate = {2020-11-18} } @online{prakash:20210401:wireshark:4778091, author = {Vijay Prakash and Brad Duncan}, title = {{Wireshark Tutorial: Decrypting RDP Traffic}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-rdp-traffic/}, language = {English}, urldate = {2021-04-09} } @online{prakki:20220810:indian:96b0a9e, author = {Sathwik Ram Prakki}, title = {{Indian Power Sector targeted with latest LockBit 3.0 variant}}, date = {2022-08-10}, organization = {Quick Heal}, url = {https://Page-Not-Found-404.com}, language = {English}, urldate = {2024-07-25} } @online{prakki:20230111:calling:9f18ed3, author = {Sathwik Ram Prakki}, title = {{Calling from the Underground: An alternative way to penetrate corporate networks}}, date = {2023-01-11}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/calling-from-the-underground-an-alternative-way-to-penetrate-corporate-networks}, language = {English}, urldate = {2023-06-09} } @online{prakki:20230201:uncovering:16a8f71, author = {Sathwik Ram Prakki}, title = {{Uncovering LockBit Black’s Attack Chain and Anti-forensic activity}}, date = {2023-02-01}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/}, language = {English}, urldate = {2023-03-13} } @online{prakki:20230315:sidecopy:627ecfc, author = {Sathwik Ram Prakki}, title = {{SideCopy Continues to Target Indian Defense Organization}}, date = {2023-03-15}, organization = {Seqrite}, url = {https://www.seqrite.com/resources/sidecopy-continues-to-target-indian-defense-organization}, language = {English}, urldate = {2023-06-09} } @online{prakki:20230502:transparent:4cb2266, author = {Sathwik Ram Prakki}, title = {{Transparent Tribe APT actively lures Indian Army amidst increased targeting of Educational Institutions}}, date = {2023-05-02}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions}, language = {English}, urldate = {2023-06-09} } @online{prakki:20230615:double:13ffdae, author = {Sathwik Ram Prakki}, title = {{Double Action, Triple Infection, and a New RAT: SideCopy’s Persistent Targeting of Indian Defence}}, date = {2023-06-15}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/double-action-triple-infection-and-a-new-rat-sidecopys-persistent-targeting-of-indian-defence}, language = {English}, urldate = {2023-06-19} } @online{prakki:20231106:sidecopys:03c64cf, author = {Sathwik Ram Prakki}, title = {{SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT}}, date = {2023-11-06}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/}, language = {English}, urldate = {2023-11-13} } @online{prakki:20231221:operation:dd408db, author = {Sathwik Ram Prakki}, title = {{Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration}}, date = {2023-12-21}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/}, language = {English}, urldate = {2023-12-27} } @online{prakki:20240424:pakistani:3934fb8, author = {Sathwik Ram Prakki}, title = {{Pakistani APTs Escalate Attacks on Indian Gov. Seqrite Labs Unveils Threats and Connections}}, date = {2024-04-24}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/}, language = {English}, urldate = {2024-05-13} } @online{prakki:20240725:umbrella:83882b9, author = {Sathwik Ram Prakki}, title = {{Umbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India}}, date = {2024-07-25}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/}, language = {English}, urldate = {2024-10-21} } @online{prakki:20250408:goodbye:b8123fc, author = {Sathwik Ram Prakki}, title = {{Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks}}, date = {2025-04-08}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/}, language = {English}, urldate = {2025-04-09} } @online{praszmo:20170929:ramnit:0ab2a9e, author = {Michał Praszmo}, title = {{Ramnit – in-depth analysis}}, date = {2017-09-29}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } @online{praszmo:20180718:dissecting:aa5eca1, author = {Michał Praszmo}, title = {{Dissecting Smoke Loader}}, date = {2018-07-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/dissecting-smoke-loader/}, language = {English}, urldate = {2020-01-13} } @online{praszmo:20190502:detricking:43a7dc1, author = {Michał Praszmo}, title = {{Detricking TrickBot Loader}}, date = {2019-05-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/}, language = {English}, urldate = {2020-01-08} } @online{praszmo:20200218:whats:2790998, author = {Michał Praszmo}, title = {{What’s up Emotet?}}, date = {2020-02-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/whats-up-emotet/}, language = {English}, urldate = {2020-02-18} } @online{praszmo:20210413:keeping:a524af7, author = {Michał Praszmo}, title = {{Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader}}, date = {2021-04-13}, organization = {CERT Polska / NASK}, url = {https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/}, language = {English}, urldate = {2021-04-14} } @online{prentice:20240920:cybersecurity:728f354, author = {Steve Prentice}, title = {{Cybersecurity News: INC targets healthcare, Providence schools cyberattack, Apple iPads bricked}}, date = {2024-09-20}, organization = {CISO Series}, url = {https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/}, language = {English}, urldate = {2024-10-18} } @online{prescott:20211208:chasing:3921a35, author = {Adam Prescott}, title = {{Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad}}, date = {2021-12-08}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html}, language = {English}, urldate = {2021-12-13} } @online{press:20210622:polish:9425a2a, author = {The Associated Press}, title = {{Polish intelligence agencies link cyberattack to Russia (UNC1151)}}, date = {2021-06-22}, organization = {ABC News}, url = {https://abcnews.go.com/International/wireStory/polish-intelligence-agencies-link-cyberattack-russia-78420183}, language = {English}, urldate = {2021-06-24} } @online{press:20250415:china:80893ad, author = {The Associated Press}, title = {{China Pursuing 3 Alleged US Operatives Over Cyberattacks During Asian Games}}, date = {2025-04-15}, organization = {SecurityWeek}, url = {https://www.securityweek.com/china-pursuing-3-alleged-us-operatives-over-cyberattacks-during-asian-games/}, language = {English}, urldate = {2025-04-16} } @online{presstv:20220727:iraqi:1d80844, author = {PressTV}, title = {{Iraqi hacker group 'ALtahrea Team' targets Israeli IT, e-commerce companies in major cyber attack: Reports}}, date = {2022-07-27}, organization = {PressTV}, url = {https://www.presstv.ir/Detail/2022/07/27/686324/Iraqi-hacker-group--ALtahrea-Team--targets-Israeli-IT,-e-commerce-companies-with-major-cyber-attack}, language = {English}, urldate = {2023-11-27} } @online{prevailion:20200319:curious:082e652, author = {Prevailion}, title = {{The Curious Case of the Criminal Curriculum Vitae}}, date = {2020-03-19}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html}, language = {English}, urldate = {2020-06-30} } @online{prevailion:20210728:cert:296a6ee, author = {Prevailion}, title = {{Cert Safari: Leveraging TLS Certificates to Hunt Evil}}, date = {2021-07-28}, organization = {Prevailion}, url = {https://www.prevailion.com/cert-safari-leveraging-tls-certificates-to-hunt-evil/}, language = {English}, urldate = {2021-08-02} } @online{prevailion:20210901:diving:a8fed12, author = {Prevailion}, title = {{Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond}}, date = {2021-09-01}, organization = {Prevailion}, url = {https://www.prevailion.com/diving-deep-into-unc1151s-infrastructure-ghostwriter-and-beyond/}, language = {English}, urldate = {2021-09-02} } @online{prevailion:20211109:who:f88228a, author = {Prevailion and Accenture Cyber Threat Intelligence}, title = {{Who are latest targets of cyber group Lyceum?}}, date = {2021-11-09}, organization = {Prevailion}, url = {https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/}, language = {English}, urldate = {2021-11-09} } @online{prevailion:20220330:wizard:6eb38a7, author = {Prevailion}, title = {{Wizard Spider continues to confound}}, date = {2022-03-30}, organization = {Prevailion}, url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903}, language = {English}, urldate = {2022-03-31} } @online{prevenity:20140811:mht:d828ead, author = {Prevenity}, title = {{mht, MS12-27 and * malware * .info}}, date = {2014-08-11}, url = {http://malware.prevenity.com/2014/08/malware-info.html}, language = {Polish}, urldate = {2019-11-28} } @online{prez:20220203:analysis:73b6f36, author = {David Álvarez Pérez and Jan Neduchal}, title = {{Analysis of Attack Against National Games of China Systems}}, date = {2022-02-03}, organization = {Avast}, url = {https://decoded.avast.io/janneduchal/analysis-of-attack-against-national-games-of-china-systems/}, language = {English}, urldate = {2022-02-04} } @techreport{prez:20220305:effectiveness:9106401, author = {Miguel Martín Pérez}, title = {{Effectiveness of Similarity Digest Algorithms for Binary Code Similarity in Memory Forensic Analysis}}, date = {2022-03-05}, institution = {University of Zaragoza}, url = {https://webdiis.unizar.es/~ricardo/files/PhDs/MMartinPerez-PhD-Thesis.pdf}, language = {English}, urldate = {2022-05-05} } @online{price:20241203:take:74d4987, author = {Adam Price}, title = {{Take Me Down to Funksec Town: Funksec Ransomware DLS Emergence}}, date = {2024-12-03}, organization = {cyjax}, url = {https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/}, language = {English}, urldate = {2025-02-19} } @techreport{pricewaterhousecoopers:201704:operation:cb50712, author = {PricewaterhouseCoopers}, title = {{Operation Cloud Hopper: Technical Annex}}, date = {2017-04}, institution = {PricewaterhouseCoopers}, url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf}, language = {English}, urldate = {2019-10-15} } @online{priego:20210702:brothers:74e06d3, author = {Albert Priego}, title = {{The Brothers Grim - The reversing tale of GrimAgent malware used by Ryuk}}, date = {2021-07-02}, organization = {Group-IB}, url = {https://blog.group-ib.com/grimagent}, language = {English}, urldate = {2021-07-05} } @online{priego:20220624:we:0ed77e2, author = {Albert Priego}, title = {{We see you, Gozi Hunting the latest TTPs used for delivering the Trojan}}, date = {2022-06-24}, organization = {Group-IB}, url = {https://blog.group-ib.com/gozi-latest-ttps}, language = {English}, urldate = {2022-08-17} } @online{priest:20210718:jamal:f7e1b52, author = {Dana Priest and Souad Mekhennet and Arthur Bouvart}, title = {{Jamal Khashoggi’s wife targeted with spyware before his death}}, date = {2021-07-18}, organization = {Washington Post}, url = {https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5}, language = {English}, urldate = {2021-07-21} } @online{priest:20210718:private:0c3f8ae, author = {Dana Priest and Craig Timberg and Souad Mekhennet}, title = {{Private spy software sold by NSO Group found on cellphones worldwide}}, date = {2021-07-18}, organization = {Washington Post}, url = {https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/}, language = {English}, urldate = {2021-07-21} } @online{prime:20180511:attackers:38ad511, author = {SOC Prime}, title = {{Attackers Exploit DLL Hijacking to Bypass SmartScreen}}, date = {2018-05-11}, organization = {SOC Prime}, url = {https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/}, language = {English}, urldate = {2019-12-03} } @online{pripoae:20201009:theres:c8329f4, author = {Silvia Pripoae and Silviu Stahie}, title = {{There’s a New a Golang-written RAT in Town}}, date = {2020-10-09}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/}, language = {English}, urldate = {2021-06-30} } @techreport{pripoae:20201015:looking:9414244, author = {Silvia Pripoae and Liviu Arsene}, title = {{Looking Into the Eye of the Interplanetary Storm}}, date = {2020-10-15}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf}, language = {English}, urldate = {2020-10-23} } @online{pripoae:20210324:golang:3b5156a, author = {Silvia Pripoae and Silviu Stahie}, title = {{Golang Bot Starts Targeting WordPress Websites}}, date = {2021-03-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/03/golang-bot-starts-targeting-wordpress-websites/}, language = {English}, urldate = {2021-03-25} } @online{prizmant:20210607:siloscape:b3b03a8, author = {Daniel Prizmant}, title = {{Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments}}, date = {2021-06-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/siloscape/}, language = {English}, urldate = {2021-06-09} } @techreport{pro:20230525:pikabot:460f4b0, author = {Hive Pro}, title = {{Pikabot A Stealthy Backdoor with Ingenious Evasion Tactics}}, date = {2023-05-25}, institution = {Hive Pro}, url = {https://www.hivepro.com/wp-content/uploads/2023/05/Pikabot-A-Stealthy-Backdoor-with-Ingenious-Evasion-Tactics_TA2023246.pdf}, language = {English}, urldate = {2023-11-13} } @online{prochzka:20250522:danabot:941dafe, author = {Tomáš Procházka}, title = {{Danabot: Analyzing a fallen empire}}, date = {2025-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/}, language = {English}, urldate = {2025-05-26} } @online{prodaft:20200731:opblueraven:9e58e0c, author = {PRODAFT}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2022-03-23} } @online{prodaft:20200901:opblueraven:ca6fb44, author = {PRODAFT}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks}}, date = {2020-09-01}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part2/}, language = {English}, urldate = {2022-03-23} } @techreport{prodaft:20201115:brunhilda:a15b197, author = {PRODAFT}, title = {{BRUNHILDA - DaaS Malware Analysis Report}}, date = {2020-11-15}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf}, language = {English}, urldate = {2022-03-22} } @techreport{prodaft:20210308:flubot:c691c53, author = {PRODAFT}, title = {{FluBot - Malware Analysis Report}}, date = {2021-03-08}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/FluBot_4.pdf}, language = {English}, urldate = {2022-03-23} } @techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } @techreport{prodaft:20210618:lockbit:783c679, author = {PRODAFT}, title = {{LockBit RaaS In-Depth Analysis}}, date = {2021-06-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf}, language = {English}, urldate = {2021-06-22} } @techreport{prodaft:20210716:toddler:5fd814e, author = {PRODAFT}, title = {{Toddler - Mobile Banking Botnet Analysis Report}}, date = {2021-07-16}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf}, language = {English}, urldate = {2022-03-22} } @techreport{prodaft:20211028:solarmarker:6c54c24, author = {PRODAFT}, title = {{Solarmarker In-Depth Analysis}}, date = {2021-10-28}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf}, language = {English}, urldate = {2021-11-03} } @techreport{prodaft:20211118:conti:d10b80f, author = {PRODAFT}, title = {{Conti Ransomware Group In-Depth Analysis}}, date = {2021-11-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf}, language = {English}, urldate = {2021-11-19} } @online{prodaft:20220413:pysa:c002315, author = {PRODAFT}, title = {{[PYSA] Ransomware Group In-Depth Analysis}}, date = {2022-04-13}, organization = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis}, language = {English}, urldate = {2022-04-15} } @techreport{prodaft:20220414:pysa:8b23b04, author = {PRODAFT}, title = {{PYSA (Mespinoza) In-Depth Analysis}}, date = {2022-04-14}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf}, language = {English}, urldate = {2022-04-15} } @techreport{prodaft:20220518:wizard:e7ee1c4, author = {PRODAFT}, title = {{Wizard Spider In-Depth Analysis}}, date = {2022-05-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf}, language = {English}, urldate = {2022-05-25} } @techreport{prodaft:20220905:ta505:2925f26, author = {PRODAFT}, title = {{TA505 Group’s TeslaGun In-Depth Analysis}}, date = {2022-09-05}, institution = {PRODAFT}, url = {https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf}, language = {English}, urldate = {2022-09-10} } @techreport{prodaft:20220906:ta505:ed4c7e9, author = {PRODAFT}, title = {{TA505 Group’s TeslaGun In-Depth Analysis}}, date = {2022-09-06}, institution = {PRODAFT}, url = {https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf}, language = {English}, urldate = {2022-12-20} } @techreport{prodaft:20221222:fin7:d005722, author = {PRODAFT}, title = {{Fin7 Unveiled: A deep dive into notorious cybercrime gang}}, date = {2022-12-22}, institution = {PRODAFT}, url = {https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf}, language = {English}, urldate = {2023-01-05} } @online{prodaft:20230104:unc1151:5df9af7, author = {PRODAFT}, title = {{UNC1151 Group Indicators of Compromise (IOC)}}, date = {2023-01-04}, organization = {PRODAFT}, url = {https://github.com/prodaft/malware-ioc/tree/master/UNC1151}, language = {English}, urldate = {2023-01-05} } @techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } @techreport{prodaft:20230427:nomadic:2c51de5, author = {PRODAFT}, title = {{Nomadic Octopus’ Paperbug Campaign}}, date = {2023-04-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf}, language = {English}, urldate = {2023-05-08} } @online{prodaft:202308:organic:4714845, author = {PRODAFT}, title = {{An organic relationship between the #Rhysida and #ViceSociety ransomware teams}}, date = {2023-08}, organization = {LinkedIn (PRODAFT)}, url = {https://www.linkedin.com/posts/prodaft_organic-relationship-between-rhysida-vice-activity-7091777236663427072-NQEs}, language = {English}, urldate = {2023-08-10} } @online{prodaft:20230907:pti257:051897c, author = {PRODAFT}, title = {{PTI-257 (ex-Wizard Spider) - IOCs}}, date = {2023-09-07}, organization = {PRODAFT}, url = {https://github.com/prodaft/malware-ioc/tree/master/PTI-257}, language = {English}, urldate = {2023-09-18} } @online{prodaft:20230922:darkgate:23e4b9e, author = {PRODAFT}, title = {{DarkGate IOCs}}, date = {2023-09-22}, organization = {PRODAFT}, url = {https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md}, language = {English}, urldate = {2023-10-11} } @online{prodaft:20231222:smoke:c070b8b, author = {PRODAFT}, title = {{Smoke and Mirrors: Understanding The Workings of Wazawaka}}, date = {2023-12-22}, organization = {PRODAFT}, url = {https://resources.prodaft.com/wazawaka-report}, language = {English}, urldate = {2023-12-27} } @online{prodaft:20250219:larva208:e3d66fe, author = {PRODAFT}, title = {{LARVA-208}}, date = {2025-02-19}, organization = {PRODAFT}, url = {https://catalyst.prodaft.com/public/report/larva-208/overview}, language = {English}, urldate = {2025-02-25} } @online{prodaft:20250304:ragnar:34e29b5, author = {PRODAFT}, title = {{Ragnar Loader Indicators of Compromise (IOC)}}, date = {2025-03-04}, organization = {Github (prodaft)}, url = {https://github.com/prodaft/malware-ioc/tree/master/RagnarLoader}, language = {English}, urldate = {2025-03-06} } @online{prodaft:20250311:iocs:b1cd799, author = {PRODAFT}, title = {{IOCs for Anubis Backdoor}}, date = {2025-03-11}, organization = {Github (prodaft)}, url = {https://github.com/prodaft/malware-ioc/blob/master/SavageLadybug/AnubisBackdoor.md}, language = {English}, urldate = {2025-03-13} } @online{prodaft:20250618:antidot:f158213, author = {PRODAFT}, title = {{AntiDot}}, date = {2025-06-18}, organization = {PRODAFT}, url = {https://catalyst.prodaft.com/public/report/antidot/overview}, language = {English}, urldate = {2025-06-20} } @online{prodi:20220429:using:731242b, author = {Paolo Di Prodi}, title = {{Using EPSS to Predict Threats and Secure Your Network}}, date = {2022-04-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predict-threats-and-secure-networks-with-epss}, language = {English}, urldate = {2022-05-09} } @online{prodromou:20230420:security:7224e80, author = {Agathocles Prodromou}, title = {{Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found}}, date = {2023-04-20}, organization = {3CX}, url = {https://www.3cx.com/blog/news/mandiant-security-update2/}, language = {English}, urldate = {2023-04-25} } @techreport{profero:20210104:apt27:a281786, author = {Profero and SecurityJoes}, title = {{APT27 Turns to Ransomware}}, date = {2021-01-04}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf}, language = {English}, urldate = {2021-01-10} } @techreport{profero:20210505:cuba:bc183e8, author = {Profero and SecurityJoes}, title = {{Cuba Ransomware Group on a Roll}}, date = {2021-05-05}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf}, language = {English}, urldate = {2021-05-07} } @techreport{profero:20210622:secrets:1781171, author = {Profero and SecurityJoes}, title = {{Secrets Behind Ever101 Ransomware}}, date = {2021-06-22}, institution = {Profero}, url = {https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf}, language = {English}, urldate = {2021-06-23} } @online{profetis:20180330:hajimehashes:2ffd471, author = {Ioannis Profetis}, title = {{hajime_hashes}}, date = {2018-03-30}, organization = {Github (Psychotropos)}, url = {https://github.com/Psychotropos/hajime_hashes}, language = {English}, urldate = {2020-01-09} } @online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } @online{proofpoint:20190314:daily:859e554, author = {Proofpoint}, title = {{Daily Ruleset Update Summary 2019/03/14}}, date = {2019-03-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314}, language = {English}, urldate = {2021-06-08} } @online{proofpoint:20191016:ta505:9bca8d0, author = {Proofpoint}, title = {{TA505 Timeline}}, date = {2019-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png}, language = {English}, urldate = {2020-01-08} } @online{proofpoint:20200902:chinese:823d99c, author = {Proofpoint}, title = {{Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe}}, date = {2020-09-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic}, language = {English}, urldate = {2020-09-02} } @online{proofpoint:20210924:daily:403b8bd, author = {Proofpoint}, title = {{Daily Ruleset Update Summary 2021/09/24}}, date = {2021-09-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924}, language = {English}, urldate = {2021-10-05} } @online{proofpoint:20220124:dtpacker:6d34c1b, author = {Proofpoint}, title = {{DTPacker – a .NET Packer with a Curious Password}}, date = {2022-01-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1}, language = {English}, urldate = {2022-01-25} } @online{proofpoint:20240617:from:3cbd348, author = {Proofpoint}, title = {{From Clipboard to Compromise: A PowerShell Self-Pwn}}, date = {2024-06-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn}, language = {English}, urldate = {2024-06-24} } @online{prosegur:20191127:incident:bd76c3f, author = {Prosegur}, title = {{Tweet on Incident of Information Security}}, date = {2019-11-27}, organization = {Twitter (@Prosegur)}, url = {https://twitter.com/Prosegur/status/1199732264386596864}, language = {English}, urldate = {2020-01-09} } @online{proska:20211027:portable:437b9c1, author = {Ken Proska and Corey Hildebrandt and Daniel Kapellmann Zafra and Nathan Brubaker}, title = {{Portable Executable File Infecting Malware Is Increasingly Found in OT Networks}}, date = {2021-10-27}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/pe-file-infecting-malware-ot}, language = {English}, urldate = {2021-11-08} } @online{proska:20230525:cosmicenergy:bb4b9a9, author = {Ken Proska and Daniel Kapellmann Zafra and Keith Lunden and Corey Hildebrandt and Rushikesh Nandedkar and Nathan Brubaker}, title = {{COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises}}, date = {2023-05-25}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response}, language = {English}, urldate = {2023-05-26} } @online{proska:20231109:sandworm:2079242, author = {Ken Proska and John Wolfram and Jared Wilson and Keith Lunden and Daniel Kapellmann Zafra and Nathan Brubaker and Tyler McLellan and Chris Sistrunk}, title = {{Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology}}, date = {2023-11-09}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology}, language = {English}, urldate = {2024-03-18} } @online{provecho:20230613:skuld:98784f9, author = {Ernesto Fernández Provecho}, title = {{Skuld: The Infostealer that Speaks Golang}}, date = {2023-06-13}, organization = {Trellix}, url = {https://www.trellix.com/blogs/research/skuld-the-infostealer-that-speaks-golang/}, language = {English}, urldate = {2025-06-25} } @online{provecho:20231121:continued:8a0bc28, author = {Ernesto Fernández Provecho and Pham Duy Phuc and Ciana Driscoll and Vinoo Thomas}, title = {{The Continued Evolution of the DarkGate Malware-as-a-Service}}, date = {2023-11-21}, organization = {Trellix}, url = {https://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/}, language = {English}, urldate = {2023-11-27} } @online{prsecurity:20191222:casual:4e2cfc3, author = {prsecurity}, title = {{Casual Analysis of Valak C2}}, date = {2019-12-22}, url = {https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7}, language = {English}, urldate = {2020-01-26} } @online{pst:20210617:investigation:79eb262, author = {Norwegian Police Security Service (PST)}, title = {{The investigation of the computer network operation (by APT31) against public administration offices is closed}}, date = {2021-06-17}, organization = {Norwegian Police Security Service (PST)}, url = {https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet/}, language = {Norwegian}, urldate = {2021-06-24} } @online{psychotropos:2015:hajime:c1e0d18, author = {Psychotropos}, title = {{Hajime: A follow-up}}, date = {2015}, url = {https://x86.re/blog/hajime-a-follow-up/}, language = {English}, urldate = {2019-11-27} } @online{ptsecurity:20191031:calypso:adaf761, author = {PTSecurity}, title = {{Calypso APT: new group attacking state institutions}}, date = {2019-10-31}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/}, language = {English}, urldate = {2020-01-12} } @online{ptsecurity:20200417:mlw:583a7fe, author = {PTSecurity}, title = {{Mlw #41: новый сложный загрузчик APT-группировки TA505}}, date = {2020-04-17}, organization = {Youtube (Positive Technologies)}, url = {https://www.youtube.com/watch?v=k3sM88o_maM}, language = {Russian}, urldate = {2020-10-08} } @techreport{ptsecurity:20200908:shadowpad:2903f45, author = {PTSecurity}, title = {{ShadowPad: new activity from the Winnti group}}, date = {2020-09-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf}, language = {English}, urldate = {2020-10-08} } @online{ptsecurity:20210114:higaisa:326f8ea, author = {PTSecurity}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2}, language = {English}, urldate = {2021-01-18} } @online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } @online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } @online{ptsecurity:20221209:cloud:8e95b60, author = {PTSecurity}, title = {{APT Cloud Atlas: Unbroken Threat}}, date = {2022-12-09}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/}, language = {English}, urldate = {2022-12-20} } @online{ptsecurity:20230718:space:762049d, author = {PTSecurity}, title = {{Space Pirates: a look into the group's unconventional techniques, new attack vectors, and tools}}, date = {2023-07-18}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/#id4}, language = {English}, urldate = {2023-07-19} } @online{ptsecurity:20231130:hellhounds:4eef1a0, author = {PTSecurity}, title = {{Hellhounds: operation Lahat}}, date = {2023-11-30}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat/}, language = {English}, urldate = {2024-04-15} } @online{pulsedive:20240122:pikabot:0a18441, author = {Pulsedive}, title = {{Pikabot distirbution methods and capabilities}}, date = {2024-01-22}, organization = {Pulsedive}, url = {https://blog.pulsedive.com/pikabot/}, language = {English}, urldate = {2024-01-26} } @online{pun1sh3r:20151012:keybase:38b6bd4, author = {PuN1sh_3r}, title = {{Keybase Logger/Clipboard/CredsStealer campaign}}, date = {2015-10-12}, organization = {th3l4b}, url = {https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html}, language = {English}, urldate = {2019-12-10} } @online{pun:20121101:tracking:1ca7e96, author = {Micky Pun}, title = {{Tracking the 2012 Sasfis campaign}}, date = {2012-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign}, language = {English}, urldate = {2020-01-09} } @online{pun:20150227:vb2014:66e07ea, author = {Micky Pun and Neo Tan}, title = {{VB2014 paper: The pluginer - Caphaw}}, date = {2015-02-27}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw}, language = {English}, urldate = {2019-12-18} } @techreport{pun:20151008:catching:368d81d, author = {Micky Pun and Eric Leung and Neo Tan}, title = {{Catching the silent whisper: Understanding the Derusbi family tree}}, date = {2015-10-08}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf}, language = {English}, urldate = {2020-02-27} } @online{puodzius:20180117:zumanek:785cd1c, author = {Cassius Puodzius}, title = {{Zumanek: novo malware tenta roubar credenciais de serviços das vítimas}}, date = {2018-01-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/}, language = {Portugese}, urldate = {2022-01-05} } @online{puri:20210701:warzone:becd74e, author = {Ayush Puri}, title = {{WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents}}, date = {2021-07-01}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/}, language = {English}, urldate = {2021-07-11} } @online{push:20210615:infratagging:b608334, author = {Silent Push}, title = {{Infra-Tagging -a new tool in Cyber Threat Intelligence}}, date = {2021-06-15}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/infra-tagging-a-new-tool-in-cyber-threat-intelligence}, language = {English}, urldate = {2022-07-13} } @online{push:20210716:attacks:3935d27, author = {Silent Push}, title = {{Attacks Are Tailored to You—Your Intelligence Should Be, Too.}}, date = {2021-07-16}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/targeted-attacks-and-generic-defense-dont-match}, language = {English}, urldate = {2022-07-13} } @online{push:20210729:using:6619e05, author = {Silent Push}, title = {{Using the Silent Push app and API to find punycode domains}}, date = {2021-07-29}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/using-the-silent-push-app-and-api-to-find-punycode-domains}, language = {English}, urldate = {2022-07-13} } @online{push:20210915:bad:1adfc97, author = {Silent Push}, title = {{Bad ASes}}, date = {2021-09-15}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/bad-ases}, language = {English}, urldate = {2022-07-13} } @online{push:20210929:evaluating:e4d134d, author = {Silent Push}, title = {{Evaluating the Value of Security Intelligence Feeds with Silent Push}}, date = {2021-09-29}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/evaluating-the-value-of-security-feeds-with-silent-push}, language = {English}, urldate = {2022-07-13} } @online{push:20220503:subdomain:fc6b1b2, author = {Silent Push}, title = {{Subdomain Takeovers and 1.1 million “dangling” risks}}, date = {2022-05-03}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/subdomain-takeovers-and-other-dangling-risks}, language = {English}, urldate = {2022-07-18} } @online{push:20220624:we:819afca, author = {Silent Push}, title = {{“We need to talk about subdomain takeovers…”}}, date = {2022-06-24}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/we-need-to-talk-about-subdomain-takeovers}, language = {English}, urldate = {2022-07-18} } @online{push:20220721:its:4b8af67, author = {Silent Push}, title = {{It’s time to close the door on open directories}}, date = {2022-07-21}, organization = {Silentpush}, url = {https://www.silentpush.com/blog/its-time-to-close-the-door-on-open-directories}, language = {English}, urldate = {2022-09-19} } @online{push:20220813:early:33c6a33, author = {Silent Push}, title = {{Early Analysis of the Twilio phishing attack-it is the tip of the iceberg}}, date = {2022-08-13}, organization = {Silentpush}, url = {https://www.silentpush.com/blog/analysis-of-the-twilio-phishing-attack}, language = {English}, urldate = {2022-09-19} } @online{push:2022:consequences:765e347, author = {Silent Push}, title = {{Consequences- The Conti Leaks and future problems}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems}, language = {English}, urldate = {2022-07-15} } @online{push:2022:credit:6e641e0, author = {Silent Push}, title = {{Credit card phishing using NHS Covid Pass as a lure}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/credit-card-phishing-using-nhs-covid-pass-as-a-lure}, language = {English}, urldate = {2022-07-15} } @online{push:2022:dangers:5050684, author = {Silent Push}, title = {{The Dangers of Spoofing}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/the-dangers-of-spoofing}, language = {English}, urldate = {2022-07-13} } @online{push:2022:explore:12205cf, author = {Silent Push}, title = {{Explore Historic DNS -search with risk scores}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/explore-historic-dns-search-with-risk-scores}, language = {English}, urldate = {2022-07-15} } @online{push:2022:log4shell:ddacb5b, author = {Silent Push}, title = {{Log4shell: a threat intelligence perspective}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/log4shell-a-threat-intelligence-perspective}, language = {English}, urldate = {2022-07-15} } @online{push:2022:manipulaters:ac71d95, author = {Silent Push}, title = {{The Manipulaters Team Blog Post}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/the-manipulaters-team-blog-post}, language = {English}, urldate = {2022-07-15} } @online{push:2022:phishing:54ea657, author = {Silent Push}, title = {{Phishing sites on bulletproof hosting infrastructure}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/phishing-sites-on-bulletproof-hosting-infrastructure}, language = {English}, urldate = {2022-07-15} } @online{push:2022:phishing:6d06bab, author = {Silent Push}, title = {{Phishing infrastructure used to target US government contractors}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/phishing-infrastructure-used-to-target-us-government-contractors}, language = {English}, urldate = {2022-07-15} } @online{push:2022:portuguese:d2c78e9, author = {Silent Push}, title = {{Portuguese Bank phishing (Portuguese version)}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/portuguese-bank-phishing-aajlw}, language = {Portuguese}, urldate = {2022-07-13} } @online{push:2022:privacy:921213d, author = {Silent Push}, title = {{Privacy tools (not) for you}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/privacy-tools-not-for-you}, language = {English}, urldate = {2022-07-18} } @online{push:2022:usps:44820f4, author = {Silent Push}, title = {{USPS phishing on a bulletproof hosting network}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/usps-phishing-on-a-bulletproof-hosting-network}, language = {English}, urldate = {2022-07-15} } @online{push:20230907:from:455edff, author = {Silent Push}, title = {{'From Russia with a 71': Uncovering Gamaredon's fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered}}, date = {2023-09-07}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/from-russia-with-a-71}, language = {English}, urldate = {2023-09-08} } @online{push:20241022:triad:2cba43a, author = {Silent Push}, title = {{Triad Nexus: Silent Push exposes FUNNULL CDN hosting DGA domains for suspect Chinese gambling sites, investment scams, a retail phishing campaign, and a polyfill.io supply chain attack impacting 110,000+ sites}}, date = {2024-10-22}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/triad-nexus-funnull/}, language = {English}, urldate = {2024-10-25} } @online{push:20241211:silent:08be8bd, author = {Silent Push}, title = {{Silent Push Unwraps the AIZ—Aggressive Inventory Zombies—Retail & Crypto Phishing Network Campaign}}, date = {2024-12-11}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/aiz-retail-crypto-phishing/}, language = {English}, urldate = {2025-02-19} } @online{push:20250220:tracking:3b836c9, author = {Silent Push}, title = {{Tweet on Tracking ValleyRAT Domains with ICP Licenses}}, date = {2025-02-20}, organization = {Silent Push}, url = {https://x.com/silentpush/status/1892458955189686553}, language = {English}, urldate = {2025-02-20} } @online{push:20250424:contagious:6ba1ba1, author = {Silent Push}, title = {{Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie}}, date = {2025-04-24}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/contagious-interview-front-companies/}, language = {English}, urldate = {2025-04-25} } @online{puzan:20231205:bluenoroff:96f4596, author = {Sergey Puzan}, title = {{BlueNoroff: new Trojan attacking macOS users}}, date = {2023-12-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/bluenoroff-new-macos-malware/111290/}, language = {English}, urldate = {2023-12-27} } @online{pwc:20221205:blue:65bf05b, author = {PWC}, title = {{Blue Callisto orbits around US Laboratories in 2022}}, date = {2022-12-05}, organization = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html}, language = {English}, urldate = {2022-12-06} } @techreport{pwc:20230320:cyber:cd7de4f, author = {PWC}, title = {{Cyber Threats 2022: A Year in Retrospect}}, date = {2023-03-20}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/pdf/2022-year-in-retrospect-report.pdf}, language = {English}, urldate = {2025-03-10} } @online{pwndefend:20220604:honeypot:2e64e87, author = {pwndefend}, title = {{Honeypot Payload Analysis Example}}, date = {2022-06-04}, organization = {pwndefend}, url = {https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/}, language = {English}, urldate = {2022-10-06} } @online{pylyf:20191207:networm:7273d0e, author = {pylyf}, title = {{NetWorm}}, date = {2019-12-07}, url = {https://github.com/pylyf/NetWorm}, language = {English}, urldate = {2020-03-13} } @online{pyorre:20210601:backdoors:577a28b, author = {Josh Pyorre}, title = {{Backdoors, RATs, Loaders evasion techniques}}, date = {2021-06-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques}, language = {English}, urldate = {2021-06-24} } @online{pyorre:20211118:blackmatter:e9e9bbf, author = {Josh Pyorre}, title = {{BlackMatter, LockBit, and THOR}}, date = {2021-11-18}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor}, language = {English}, urldate = {2022-03-28} } @online{pyzhov:20250615:team46:48b2243, author = {Stanislav Pyzhov and Vladislav Lunin}, title = {{Team46 and TaxOff: two sides of the same coin}}, date = {2025-06-15}, organization = {Positive Technologies}, url = {https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin}, language = {English}, urldate = {2025-06-20} } @online{qassamcyberfighters:20120918:qassamcyberfighterss:272bb82, author = {QassamCyberFighters}, title = {{QassamCyberFighters's Pastebin}}, date = {2012-09-18}, organization = {Pastebin}, url = {http://pastebin.com/u/QassamCyberFighters}, language = {English}, urldate = {2019-10-14} } @online{qin:20200605:new:7251449, author = {Ford Qin}, title = {{New Tekya Ad Fraud Found on Google Play}}, date = {2020-06-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-tekya-ad-fraud-found-on-google-play/}, language = {English}, urldate = {2020-06-10} } @online{qnap:20200608:ech0raix:e56ecba, author = {QNAP}, title = {{eCh0raix Ransomware}}, date = {2020-06-08}, organization = {QNAP}, url = {https://www.qnap.com/en/security-advisory/QSA-20-02}, language = {English}, urldate = {2020-06-12} } @online{qrator:20210909:mris:a8262ab, author = {Qrator}, title = {{Mēris botnet, climbing to the record}}, date = {2021-09-09}, organization = {Qrator Labs}, url = {https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/}, language = {English}, urldate = {2021-09-14} } @online{quangnh89:20171029:sality:c8a91cd, author = {quangnh89}, title = {{Sality Configuration Extractor (sality_extractor.py)}}, date = {2017-10-29}, url = {https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py}, language = {Python}, urldate = {2021-05-08} } @online{quigley:20250129:scatterbrain:3237376, author = {Conor Quigley and Luke Jenkins and Nino Isakovic}, title = {{ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator}}, date = {2025-01-29}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator}, language = {English}, urldate = {2025-01-29} } @online{quill:20250222:lazarus:d071ae1, author = {Vince Quill}, title = {{Lazarus Group moves funds to multiple wallets as Bybit offers bounty}}, date = {2025-02-22}, organization = {Cointelegraph}, url = {https://cointelegraph.com/news/lazarus-moves-funds-multiple-wallets-bybit-offers-bounty}, language = {English}, urldate = {2025-02-25} } @online{quinn:20191220:updated:2408ee7, author = {James Quinn}, title = {{An Updated ServHelper Tunnel Variant}}, date = {2019-12-20}, organization = {Binary Defense}, url = {https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/}, language = {English}, urldate = {2020-01-13} } @online{quinn:20200207:emotet:07de43a, author = {James Quinn}, title = {{Emotet Evolves With New Wi-Fi Spreader}}, date = {2020-02-07}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/}, language = {English}, urldate = {2020-02-09} } @online{quinn:20200306:emotet:e93ab0b, author = {James Quinn}, title = {{Emotet Wi-Fi Spreader Upgraded}}, date = {2020-03-06}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/}, language = {English}, urldate = {2020-03-09} } @online{quinn:20200814:emocrash:4f12855, author = {James Quinn}, title = {{EmoCrash: Exploiting a Vulnerability in Emotet Malware for Defense}}, date = {2020-08-14}, organization = {Binary Defense}, url = {https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/}, language = {English}, urldate = {2020-08-19} } @online{quinn:20210312:icedid:3e6db43, author = {James Quinn}, title = {{IcedID GZIPLOADER Analysis}}, date = {2021-03-12}, organization = {Binary Defense}, url = {https://www.binarydefense.com/icedid-gziploader-analysis/}, language = {English}, urldate = {2021-03-16} } @online{quinn:20220627:glowsand:deff96a, author = {Isabelle Quinn}, title = {{GlowSand}}, date = {2022-06-27}, organization = {InQuest}, url = {https://inquest.net/blog/2022/06/27/glowsand}, language = {English}, urldate = {2022-06-30} } @online{quintin:20150827:new:b79e5c0, author = {Cooper Quintin}, title = {{New Spear Phishing Campaign Pretends to be EFF}}, date = {2015-08-27}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff}, language = {English}, urldate = {2020-01-06} } @online{quintin:20201205:something:2bffa73, author = {Cooper Quintin and John Scott-Railton and Rebekah Brown}, title = {{Something to Remember Us By: Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware Installed}}, date = {2020-12-05}, organization = {CitizenLab}, url = {https://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/}, language = {English}, urldate = {2025-02-03} } @online{quintin:20201210:dark:8ea58ac, author = {Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: You Missed a Spot}}, date = {2020-12-10}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot}, language = {English}, urldate = {2020-12-11} } @online{quintin:20230210:uncle:8c22271, author = {Cooper Quintin}, title = {{Uncle Sow: Dark Caracal in Latin America}}, date = {2023-02-10}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america}, language = {English}, urldate = {2023-02-21} } @online{quist:20190323:reverse:8c71656, author = {Danny Quist}, title = {{Reverse Engineering Gootkit with Ghidra Part I}}, date = {2019-03-23}, organization = {Open Malware}, url = {https://dannyquist.github.io/gootkit-reversing-ghidra/}, language = {English}, urldate = {2020-11-23} } @online{quist:20201005:blackt:d09e278, author = {Nathaniel Quist}, title = {{Black-T: New Cryptojacking Variant from TeamTnT}}, date = {2020-10-05}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/}, language = {English}, urldate = {2020-10-08} } @online{quist:20210217:watchdog:1cd1353, author = {Nathaniel Quist}, title = {{WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years}}, date = {2021-02-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/watchdog-cryptojacking/}, language = {English}, urldate = {2021-02-20} } @online{quist:20210604:teamtnt:21e0fe5, author = {Nathaniel Quist}, title = {{TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations}}, date = {2021-06-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/}, language = {English}, urldate = {2021-06-09} } @online{quist:20210608:teamtnt:87da08d, author = {Nathaniel Quist}, title = {{TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint}}, date = {2021-06-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/}, language = {English}, urldate = {2021-06-09} } @online{quist:20240216:reverse:4c6f3d6, author = {Danny Quist}, title = {{Reverse Engineering Go Malware: A BianLian Story}}, date = {2024-02-16}, organization = {YouTube (CactusCon)}, url = {https://www.youtube.com/live/O2Wx7mQHR2I?si=uydJupvHK6sxxw3n}, language = {English}, urldate = {2024-02-21} } @online{quointelligence:20200420:winnti:6a4fb66, author = {QuoIntelligence}, title = {{WINNTI GROUP: Insights From the Past}}, date = {2020-04-20}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/}, language = {English}, urldate = {2020-04-21} } @online{quointelligence:20200720:golden:4a88a80, author = {QuoIntelligence}, title = {{Golden Chickens: Evolution Oof the MaaS}}, date = {2020-07-20}, url = {https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/}, language = {English}, urldate = {2020-07-23} } @online{quointelligence:20200807:blackwater:8bd9553, author = {QuoIntelligence}, title = {{BlackWater Malware Leveraging Beirut Tragedy in New Targeted Campaign}}, date = {2020-08-07}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/08/blackwater-malware-leveraging-beirut-tragedy-in-new-targeted-campaign/}, language = {English}, urldate = {2020-08-12} } @online{quointelligence:20200922:apt28:9bfda0c, author = {QuoIntelligence}, title = {{APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure}}, date = {2020-09-22}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/}, language = {English}, urldate = {2020-09-23} } @online{quointelligence:20210106:reconhellcat:eaa48f6, author = {QuoIntelligence}, title = {{ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware}}, date = {2021-01-06}, organization = {QuoIntelligence}, url = {https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/}, language = {English}, urldate = {2021-01-10} } @online{quointelligence:20210317:chinas:5bf32a4, author = {QuoIntelligence}, title = {{China’s Five-Year Plan: A Pursuit for GDP Growth & Technological Self-Sufficiency}}, date = {2021-03-17}, organization = {QuoIntelligence}, url = {https://quointelligence.eu/2021/03/chinas-five-year-plan/}, language = {English}, urldate = {2021-03-30} } @online{quoscient:20181129:golden:2cb32ee, author = {QuoScient}, title = {{Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using It}}, date = {2018-11-29}, organization = {QuoScient}, url = {https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648}, language = {English}, urldate = {2020-01-09} } @techreport{quoscient:20191118:intelligence:953ab5b, author = {QuoScient}, title = {{Intelligence Brief New ATMSpitter}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{quoscient:20191118:quoint:582f7b8, author = {QuoScient}, title = {{QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf}, language = {English}, urldate = {2020-01-13} } @online{quoscient:20200127:chicken:3252d47, author = {QuoScient}, title = {{The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors}}, date = {2020-01-27}, organization = {QuoScient}, url = {https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9}, language = {English}, urldate = {2020-01-28} } @online{qureshi:20160730:luminosity:705e740, author = {Faisal AM Qureshi}, title = {{Luminosity RAT - Re-purposed}}, date = {2016-07-30}, organization = {MalwareNailed}, url = {http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html}, language = {English}, urldate = {2020-01-13} } @online{qureshi:20200602:pebbledash:6ffad25, author = {Faisal Abdul Malik Qureshi}, title = {{PebbleDash - Lazarus / HiddenCobra RAT}}, date = {2020-06-02}, organization = {MalwareNailed}, url = {https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1}, language = {English}, urldate = {2020-06-03} } @online{qurium:20210311:myanmar:7bfc8ce, author = {Qurium}, title = {{Myanmar – Multi-stage malware attack targets elected lawmakers}}, date = {2021-03-11}, organization = {Qurium}, url = {https://www.qurium.org/alerts/targeted-malware-against-crph/}, language = {English}, urldate = {2021-06-21} } @online{qurium:20210622:attacks:7f7e39f, author = {Qurium}, title = {{Attacks against media in the Philippines continue}}, date = {2021-06-22}, organization = {Qurium}, url = {https://www.qurium.org/alerts/philippines/attacks-against-media-in-the-philippines-continue/}, language = {English}, urldate = {2021-07-11} } @online{r136a1:20121215:disclosure:c36a5a8, author = {R136a1}, title = {{Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)}}, date = {2012-12-15}, organization = {Malware Reversing Blog}, url = {http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html}, language = {English}, urldate = {2020-01-06} } @online{r136a1:20121215:disclosure:fdfe8f2, author = {R136a1}, title = {{Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2)}}, date = {2012-12-15}, url = {http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html}, language = {English}, urldate = {2019-12-31} } @online{r136a1:20130424:south:d6c223e, author = {R136a1}, title = {{South Korea Incident - New Malware samples}}, date = {2013-04-24}, url = {http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html}, language = {English}, urldate = {2020-01-13} } @online{r136a1:20160419:trojangodzillaloader:71eb7c9, author = {R136a1}, title = {{Trojan.GodzillaLoader (alias Godzilla Loader)}}, date = {2016-04-19}, organization = {Kernelmode.info Forums}, url = {https://www.kernelmode.info/forum/viewtopic0692.html?f=16&t=4349}, language = {English}, urldate = {2024-02-15} } @online{r136a1:20200124:project:668d490, author = {R136a1}, title = {{Project TajMahal IOCs and Registry Data Decrypter}}, date = {2020-01-24}, organization = {Github (TheEnergyStory)}, url = {https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal}, language = {English}, urldate = {2020-01-27} } @online{r3dbu7z:20210404:bot:51cb5d3, author = {@r3dbU7z}, title = {{Bot. One more. One verdict. Brand New?}}, date = {2021-04-04}, url = {https://twitter.com/r3dbU7z/status/1378564694462586880}, language = {English}, urldate = {2021-04-06} } @online{r3mrum:20170505:lokiparse:c8a2916, author = {R3MRUM}, title = {{loki-parse}}, date = {2017-05-05}, organization = {Github (R3MRUM)}, url = {https://github.com/R3MRUM/loki-parse}, language = {English}, urldate = {2019-11-29} } @online{r3mrum:20170507:lokibot:5a6975d, author = {R3MRUM}, title = {{Loki-Bot: Come out, come out, wherever you are!}}, date = {2017-05-07}, organization = {R3MRUM}, url = {https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/}, language = {English}, urldate = {2020-01-12} } @online{r3mrum:20210105:manual:0d15421, author = {R3MRUM}, title = {{Manual analysis of new PowerSplit maldocs delivering Emotet}}, date = {2021-01-05}, organization = {r3mrum blog}, url = {https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/}, language = {English}, urldate = {2021-01-10} } @online{r3mrum:20210705:twitter:ee6ea0f, author = {R3MRUM}, title = {{Twitter thread with additional context on C2 domains found in REvil configuration}}, date = {2021-07-05}, organization = {Twitter (@R3MRUM)}, url = {https://twitter.com/R3MRUM/status/1412064882623713283}, language = {English}, urldate = {2021-07-26} } @online{r3nzsec:20250127:cobalt:aab96fb, author = {r3nzsec and MyDFIR and MittenSec}, title = {{Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware}}, date = {2025-01-27}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/}, language = {English}, urldate = {2025-02-01} } @online{r:20201219:persistence:b9043d9, author = {Mike R}, title = {{Persistence Pays Off: A Brief Look at BlackTech’s 2020}}, date = {2020-12-19}, organization = {Cyber And Ramen blog}, url = {https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020}, language = {English}, urldate = {2021-01-01} } @online{r:20210128:osno:5919c31, author = {Revathi R}, title = {{Osno – A Stealer and a Miner in One}}, date = {2021-01-28}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21562}, language = {English}, urldate = {2021-03-31} } @online{r:20210211:blacktech:829b971, author = {Mike R}, title = {{BlackTech Updates Elf-Plead Backdoor}}, date = {2021-02-11}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/}, language = {English}, urldate = {2022-04-05} } @online{r:20210305:sarbloh:d8c2ae9, author = {Rajesh R and Arun Kumar S}, title = {{Sarbloh: The Ransomware With NO Demand}}, date = {2021-03-05}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21811}, language = {English}, urldate = {2021-03-31} } @online{r:20211212:more:9f9c952, author = {Mike R}, title = {{More Flagpro, More Problems}}, date = {2021-12-12}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/}, language = {English}, urldate = {2022-04-05} } @online{r:20220106:gulp:4ab908c, author = {Mike R}, title = {{A “GULP” of PlugX}}, date = {2022-01-06}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/}, language = {English}, urldate = {2022-04-05} } @online{r:20220112:analysis:2f570a4, author = {Mike R}, title = {{Analysis of njRAT PowerPoint Macros}}, date = {2022-01-12}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/}, language = {English}, urldate = {2022-04-05} } @online{r:20220218:tale:f0faee2, author = {Mike R}, title = {{A Tale of Two Shells}}, date = {2022-02-18}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/}, language = {English}, urldate = {2022-04-05} } @online{r:20220918:raccoon:9a4397c, author = {Rahul R}, title = {{Raccoon back with new claws!}}, date = {2022-09-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/}, language = {English}, urldate = {2022-09-19} } @online{r:20220924:so:439a62f, author = {Mike R}, title = {{So Long (Go)Daddy | Tracking BlackTech Infrastructure}}, date = {2022-09-24}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/09/24/so-long-godaddy-tracking-blacktech-infrastructure/}, language = {English}, urldate = {2022-09-30} } @online{r:20221202:koivm:2250d72, author = {Rahul R}, title = {{KoiVM Loader Resurfaces With a Bang}}, date = {2022-12-02}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/}, language = {English}, urldate = {2022-12-05} } @online{r:20230601:encrypted:29af43c, author = {Rahul R}, title = {{Encrypted Chaos: Analysis of Crytox Ransomware}}, date = {2023-06-01}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/}, language = {English}, urldate = {2023-06-05} } @online{r:20240209:tracking:956a4d8, author = {Michael R}, title = {{Tracking ShadowPad Infrastructure Via Non-Standard Certificates}}, date = {2024-02-09}, organization = {Hunt.io}, url = {https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates}, language = {English}, urldate = {2024-04-11} } @online{r:20240620:caught:a97dc52, author = {Michael R}, title = {{Caught in the Act: Uncovering SpyNote in Unexpected Places}}, date = {2024-06-20}, organization = {Hunt.io}, url = {https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places}, language = {English}, urldate = {2024-06-24} } @online{raab:20210415:russia:05ec813, author = {Dominic Raab and ForeignCommonwealth & Development Office}, title = {{Russia: UK and US expose global campaign of malign activity by Russian intelligence services}}, date = {2021-04-15}, organization = {GOV.UK}, url = {https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services}, language = {English}, urldate = {2021-04-16} } @online{racco42:20180529:vbs:98d7253, author = {Racco42}, title = {{Tweet on VBS Code Obfuscation}}, date = {2018-05-29}, organization = {Twitter (@Racco42)}, url = {https://twitter.com/Racco42/status/1001374490339790849}, language = {English}, urldate = {2020-01-08} } @online{radar:20060115:win32neshta:e4ec5b0, author = {Virus Radar}, title = {{Win32/Neshta}}, date = {2006-01-15}, organization = {ESET Research}, url = {https://web.archive.org/web/20220119114002/https:/www.virusradar.com/en/Win32_Neshta.A/description}, language = {English}, urldate = {2025-04-14} } @online{radio:20211101:hack:5f8b610, author = {BBC Radio}, title = {{The Hack that Changed the World}}, date = {2021-11-01}, organization = {BBC}, url = {https://www.bbc.co.uk/programmes/m00114h2}, language = {English}, urldate = {2021-11-08} } @online{radware:20170405:brickerbot:8967419, author = {Radware}, title = {{”BrickerBot” Results In PDoS Attack}}, date = {2017-04-05}, organization = {Radware}, url = {https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/}, language = {English}, urldate = {2020-01-13} } @online{radware:20170426:hajime:f6d08c7, author = {Radware}, title = {{Hajime – Friend or Foe?}}, date = {2017-04-26}, organization = {Radware}, url = {https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461}, language = {English}, urldate = {2019-10-13} } @online{radware:20180212:new:a73a365, author = {Radware}, title = {{New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers}}, date = {2018-02-12}, organization = {Radware}, url = {https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/}, language = {English}, urldate = {2020-01-10} } @online{radware:20180418:stresspaint:dd7a416, author = {Radware}, title = {{Stresspaint Malware Targeting Facebook Credentials}}, date = {2018-04-18}, organization = {Radware}, url = {https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/}, language = {English}, urldate = {2019-11-28} } @online{radware:20210824:darkiot:f2a414e, author = {Radware}, title = {{Dark.IoT Botnet Realtek AP-Router SDK Vulnerability CVE-2021-35395}}, date = {2021-08-24}, organization = {Radware}, url = {https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx}, language = {English}, urldate = {2021-08-30} } @online{radware:20210922:darkiot:8f85b59, author = {Radware}, title = {{Dark.IoT, OMIGOD & UDP Technology Update (CVE-2021-38647 & CVE-2021-33544)}}, date = {2021-09-22}, organization = {Radware}, url = {https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx}, language = {English}, urldate = {2021-09-24} } @online{radware:20240724:sixday:934928c, author = {Radware}, title = {{Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed to SN_BLACKMETA}}, date = {2024-07-24}, organization = {Radware}, url = {https://www.radware.com/security/threat-advisories-and-attack-reports/six-day-web-ddos-attack-campaign/}, language = {English}, urldate = {2024-11-04} } @online{rafati:20210916:runlir:c2e4204, author = {Reza Rafati and Ivan Lebedev}, title = {{RUNLIR - phishing campaign targeting Netherlands}}, date = {2021-09-16}, organization = {Group-IB}, url = {https://blog.group-ib.com/runlir}, language = {English}, urldate = {2021-11-02} } @online{rafati:20220729:fake:c31ccc4, author = {Reza Rafati and Yaroslav Kargalev}, title = {{Fake investment scams in Europe How we almost got rich}}, date = {2022-07-29}, organization = {Group-IB}, url = {https://blog.group-ib.com/investment-scams-europe}, language = {English}, urldate = {2022-08-17} } @online{rafati:20231001:shinyhunters:5604eff, author = {Reza Rafati}, title = {{ShinyHunters’ 22-Year-Old Member Pleads Guilty to Cyber Extortion, Causing $6 Million in Damage}}, date = {2023-10-01}, organization = {CYBERWARZONE}, url = {https://cyberwarzone.com/shinyhunters-22-year-old-member-pleads-guilty-to-cyber-extortion-causing-6-million-in-damage/}, language = {English}, urldate = {2023-11-27} } @online{rafati:20231006:hacking:0f0e944, author = {Reza Rafati}, title = {{Hacking Group ‘Cyber Av3ngers’ Claims Responsibility for Yavne Power Outages: What You Need to Know}}, date = {2023-10-06}, organization = {CYBERWARZONE}, url = {https://cyberwarzone.com/hacking-group-cyber-av3ngers-claims-responsibility-for-yavne-power-outages-what-you-need-to-know/}, language = {English}, urldate = {2023-12-04} } @online{raff:20180418:stresspaint:aab45ec, author = {Adi Raff}, title = {{Stresspaint Malware Campaign Targeting Facebook Credentials}}, date = {2018-04-18}, organization = {Radware}, url = {https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/}, language = {English}, urldate = {2019-10-23} } @online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2021-02-06} } @online{raggi:20190801:lookback:f258db4, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards}}, date = {2019-08-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks}, language = {English}, urldate = {2019-12-20} } @online{raggi:20190922:lookback:51454f7, author = {Michael Raggi and Proofpoint Threat Insight Team}, title = {{LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs}}, date = {2019-09-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals}, language = {English}, urldate = {2019-12-20} } @online{raggi:20200608:ta410:f838522, author = {Michael Raggi and Dennis Schwarz and Georgi Mladenov and Proofpoint Threat Research Team}, title = {{TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware}}, date = {2020-06-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new}, language = {English}, urldate = {2020-06-09} } @online{raggi:20210225:ta413:400254c, author = {Michael Raggi and Proofpoint Threat Research Team}, title = {{TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations}}, date = {2021-02-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global}, language = {English}, urldate = {2021-02-25} } @online{raggi:20211111:apt31:004f222, author = {Michael Raggi}, title = {{Tweet on APT31 using compromised PakEdge Rk1&RE2 router IPs as exit nodes in reconnaissance phishing campaigns}}, date = {2021-11-11}, organization = {Twitter (@aRtAGGI)}, url = {https://twitter.com/aRtAGGI/status/1458448999401365510}, language = {English}, urldate = {2021-11-17} } @online{raggi:20211201:injection:75b61f9, author = {Michael Raggi}, title = {{Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors}}, date = {2021-12-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread}, language = {English}, urldate = {2021-12-06} } @online{raggi:20220301:asylum:27cfa43, author = {Michael Raggi and Zydeca Cass and Proofpoint Threat Research Team}, title = {{Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement}}, date = {2022-03-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails}, language = {English}, urldate = {2022-03-10} } @online{raggi:20220307:good:4e4acd6, author = {Michael Raggi and Myrtus 0x0}, title = {{The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates}}, date = {2022-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european}, language = {English}, urldate = {2022-03-08} } @online{raggi:20220830:rising:650b12e, author = {Michael Raggi and Sveva Vittoria Scenarelli and PWC UK}, title = {{Rising Tide: Chasing the Currents of Espionage in the South China Sea}}, date = {2022-08-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea}, language = {English}, urldate = {2022-08-31} } @online{raggi:20230330:exploitation:68f9fd6, author = {Michael Raggi and Proofpoint Threat Insight Team}, title = {{Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe}}, date = {2023-03-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability}, language = {English}, urldate = {2023-03-30} } @online{raggi:20240522:ioc:fd4b6f2, author = {Michael Raggi}, title = {{IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders}}, date = {2024-05-22}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks}, language = {English}, urldate = {2024-10-24} } @online{raghuprasad:20211103:microsoft:2b6de43, author = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey}, title = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}}, date = {2021-11-03}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html}, language = {English}, urldate = {2021-11-03} } @online{raghuprasad:20211116:attackers:c31ad77, author = {Chetan Raghuprasad and Vanja Svajcer and Asheer Malhotra}, title = {{Attackers use domain fronting technique to target Myanmar with Cobalt Strike}}, date = {2021-11-16}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html}, language = {English}, urldate = {2021-11-17} } @online{raghuprasad:20220112:nanocore:938e93c, author = {Chetan Raghuprasad and Vanja Svajcer}, title = {{Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure}}, date = {2022-01-12}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html}, language = {English}, urldate = {2022-01-18} } @online{raghuprasad:20230214:new:555b60e, author = {Chetan Raghuprasad}, title = {{New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated}}, date = {2023-02-14}, organization = {Talos}, url = {https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/}, language = {English}, urldate = {2023-02-15} } @online{raghuprasad:20230807:new:0147488, author = {Chetan Raghuprasad}, title = {{New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware}}, date = {2023-08-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/}, language = {English}, urldate = {2023-08-09} } @online{raghuprasad:20240404:coralraider:85b18f8, author = {Chetan Raghuprasad and Joey Chen}, title = {{CoralRaider targets victims’ data and social media accounts}}, date = {2024-04-04}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/}, language = {English}, urldate = {2025-05-02} } @online{raghuprasad:20240621:sneakychef:238d60f, author = {Chetan Raghuprasad and Ashley Shen}, title = {{SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques}}, date = {2024-06-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/sneakychef-sugarghost-rat/}, language = {English}, urldate = {2024-12-09} } @online{raghuprasad:20241022:threat:16f80cb, author = {Chetan Raghuprasad}, title = {{Threat actor abuses Gophish to deliver new PowerRAT and DCRAT}}, date = {2024-10-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/gophish-powerrat-dcrat/}, language = {English}, urldate = {2024-10-23} } @online{ragnel:20230227:increasing:c59a7d2, author = {Tom Ragnel}, title = {{The increasing presence of pro-Russia hacktivists}}, date = {2023-02-27}, organization = {ChannelLife}, url = {https://channellife.com.au/story/the-increasing-presence-of-pro-russia-hacktivists}, language = {English}, urldate = {2023-11-17} } @online{rahman:20211012:defining:df3f43c, author = {Alyssa Rahman}, title = {{Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis}}, date = {2021-10-12}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/defining-cobalt-strike-components}, language = {English}, urldate = {2021-11-02} } @online{rahman:20211213:now:f5881cc, author = {Alyssa Rahman}, title = {{Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits}}, date = {2021-12-13}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/hunting-deserialization-exploits}, language = {English}, urldate = {2021-12-31} } @online{rain1:2017:wannacrywannadecrypt0r:53d1c73, author = {rain1 and Epivalent}, title = {{WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm}}, date = {2017}, organization = {Github (rain-1)}, url = {https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168}, language = {English}, urldate = {2019-11-29} } @online{raiu:20140829:sinkholing:c8fbbad, author = {Costin Raiu and Roel Schouwenberg and Ryan Naraine}, title = {{Sinkholing the Backoff POS Trojan}}, date = {2014-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/}, language = {English}, urldate = {2021-01-29} } @online{raiu:20150415:chronicles:49b4463, author = {Costin Raiu and Maxim Golovkin}, title = {{The Chronicles of the Hellsing APT: the Empire Strikes Back}}, date = {2015-04-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/}, language = {English}, urldate = {2019-12-20} } @online{raiu:20150415:chronicles:aa4af84, author = {Costin Raiu and Maxim Golovkin}, title = {{The Chronicles of the Hellsing APT: the Empire Strikes Back}}, date = {2015-04-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/}, language = {English}, urldate = {2021-02-06} } @online{raiu:20160614:cve20164171:6d0a7c9, author = {Costin Raiu}, title = {{CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks}}, date = {2016-06-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/}, language = {English}, urldate = {2019-12-20} } @online{raiu:20160617:operation:2dfcedd, author = {Costin Raiu and Anton Ivanov}, title = {{Operation Daybreak}}, date = {2016-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-daybreak/75100/}, language = {English}, urldate = {2019-12-20} } @techreport{raiu:20170403:moonlight:99d2089, author = {Costin Raiu and Daniel Moore and Juan Andrés Guerrero-Saade and Thomas Rid}, title = {{Moonlight Maze Technical Report (Appendix B)}}, date = {2017-04-03}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf}, language = {English}, urldate = {2019-11-29} } @online{raiu:20170919:shared:2d7f9a4, author = {Costin Raiu}, title = {{Tweet on Shared Code between CCleaner and APT17 Missl backdoor}}, date = {2017-09-19}, organization = {Twitter (@craiu)}, url = {https://twitter.com/craiu/status/910148928796061696}, language = {English}, urldate = {2020-01-13} } @online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } @online{raiu:20190520:operation:fc54347, author = {Costin Raiu and Vitaly Kamluk}, title = {{Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {Youtube (Kaspersky)}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2021-07-20} } @online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } @online{raiu:20201002:about:2637de0, author = {Costin Raiu}, title = {{Tweet about IAmTheKing / PowerPool actor naming}}, date = {2020-10-02}, organization = {Twitter (@craiu)}, url = {https://twitter.com/craiu/status/1311920398259367942}, language = {English}, urldate = {2020-10-12} } @online{raiu:20201218:from:4f8eb88, author = {Costin Raiu}, title = {{Tweet from Costin Raiu about confirmed TEARDROP sample}}, date = {2020-12-18}, url = {https://twitter.com/craiu/status/1339954817247158272}, language = {English}, urldate = {2020-12-19} } @online{raiu:20210216:twitter:97496ec, author = {Costin Raiu}, title = {{Twitter thread on Exaramel Linux backdoor used by Russian Group Sandworm}}, date = {2021-02-16}, organization = {Twitter (@craiu)}, url = {https://twitter.com/craiu/status/1361581668092493824}, language = {English}, urldate = {2021-02-20} } @online{raiu:20220310:brighttalk:a3d9072, author = {Costin Raiu and Marco Preuss and Kurt Baumgartner and Dan Demeter and Ivan Kwiatkowski}, title = {{BrightTALK: A look at current cyberattacks in Ukraine}}, date = {2022-03-10}, organization = {BrightTALK (Kaspersky GReAT)}, url = {https://www.brighttalk.com/webcast/15591/534324}, language = {English}, urldate = {2022-04-05} } @online{raiu:20220810:pegasus:7175abc, author = {Costin Raiu}, title = {{“Pegasus”, the spyware for smartphones. How does it work and how can you protect yourself?}}, date = {2022-08-10}, organization = {Cybersecurity Trends}, url = {https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/}, language = {Italian}, urldate = {2022-08-10} } @online{raj:20210708:zloader:01d74bc, author = {Kiran Raj and Kishan N.}, title = {{Zloader With a New Infection Technique}}, date = {2021-07-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/}, language = {English}, urldate = {2021-07-19} } @online{raj:20211110:newest:c1f7fd2, author = {Kiran Raj}, title = {{The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.}}, date = {2021-11-10}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/}, language = {English}, urldate = {2021-11-12} } @online{raja:20231229:microsoft:f4e790d, author = {Wajahat Raja}, title = {{Microsoft Storm-1152 Crackdown: Stopping Threat Actors}}, date = {2023-12-29}, organization = {Security Boulevard}, url = {https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/}, language = {English}, urldate = {2024-02-08} } @online{rajendran:20200625:unknown:33474d3, author = {Parthiban Rajendran and Gage Mele}, title = {{Unknown China-Based APT Targeting Myanmarese Entities}}, date = {2020-06-25}, organization = {Anomali}, url = {https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities}, language = {English}, urldate = {2020-06-29} } @online{ralfhacker:20250519:github:60cc509, author = {RalfHacker}, title = {{GitHub - Adaptix-Framework//AdaptixC2}}, date = {2025-05-19}, url = {https://github.com/Adaptix-Framework/AdaptixC2}, language = {English}, urldate = {2025-05-19} } @online{ramakrishna:20210111:new:296b621, author = {Sudhakar Ramakrishna}, title = {{New Findings From Our Investigation of SUNBURST}}, date = {2021-01-11}, organization = {SolarWinds}, url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/}, language = {English}, urldate = {2021-01-18} } @online{ramakrishna:20210203:findings:7b36d12, author = {Sudhakar Ramakrishna}, title = {{Findings From Our Ongoing Investigations}}, date = {2021-02-03}, organization = {SolarWinds}, url = {https://orangematter.solarwinds.com/2021/02/03/findings-from-our-ongoing-investigations/}, language = {English}, urldate = {2021-02-09} } @online{ramakrishnan:20241216:new:83b21c3, author = {Banu Ramakrishnan}, title = {{New I2PRAT communicates via anonymous peer-to-peer network}}, date = {2024-12-16}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2024/12/38093-ip2rat-malware}, language = {English}, urldate = {2025-03-05} } @online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } @online{ramesh:20250306:next:6143d64, author = {Reethika Ramesh and Janos Szurdi}, title = {{The Next Level: Typo DGAs Used in Malicious Redirection Chains}}, date = {2025-03-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/typo-domain-generation-algorithms/}, language = {English}, urldate = {2025-03-07} } @online{ramilli:20180820:interesting:14ea764, author = {Marco Ramilli}, title = {{Interesting hidden threat since years ?}}, date = {2018-08-20}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/}, language = {English}, urldate = {2019-12-23} } @online{ramilli:20180920:sustes:9dbba2d, author = {Marco Ramilli}, title = {{Sustes Malware: CPU for Monero}}, date = {2018-09-20}, url = {https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/}, language = {English}, urldate = {2020-01-13} } @online{ramilli:20190423:apt34:e1a7022, author = {Marco Ramilli}, title = {{APT34: webmask project}}, date = {2019-04-23}, url = {https://marcoramilli.com/2019/04/23/apt34-webmask-project/}, language = {English}, urldate = {2019-11-29} } @online{ramilli:20190502:apt34:06f5d53, author = {Marco Ramilli}, title = {{APT34: Glimpse project}}, date = {2019-05-02}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/05/02/apt34-glimpse-project/}, language = {English}, urldate = {2020-01-13} } @online{ramilli:20190606:apt34:e2dbe80, author = {Marco Ramilli}, title = {{APT34: Jason project}}, date = {2019-06-06}, url = {https://marcoramilli.com/2019/06/06/apt34-jason-project/}, language = {English}, urldate = {2020-01-07} } @online{ramilli:20190713:free:8352c2a, author = {Marco Ramilli}, title = {{Free Tool: LooCipher Decryptor}}, date = {2019-07-13}, url = {https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/}, language = {English}, urldate = {2023-09-11} } @online{ramilli:20191014:is:de28de6, author = {Marco Ramilli}, title = {{Is Emotet gang targeting companies with external SOC?}}, date = {2019-10-14}, url = {https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/}, language = {English}, urldate = {2019-12-20} } @online{ramilli:20191028:sweed:bce7adf, author = {Marco Ramilli}, title = {{SWEED Targeting Precision Engineering Companies in Italy}}, date = {2019-10-28}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/}, language = {English}, urldate = {2019-12-17} } @online{ramilli:20191104:is:79a8669, author = {Marco Ramilli}, title = {{Is Lazarus/APT38 Targeting Critical Infrastructures?}}, date = {2019-11-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/}, language = {English}, urldate = {2020-01-07} } @online{ramilli:20191205:apt28:aa3defd, author = {Marco Ramilli}, title = {{APT28 Attacks Evolution}}, date = {2019-12-05}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/}, language = {English}, urldate = {2019-12-17} } @online{ramilli:20200115:iranian:d37840a, author = {Marco Ramilli}, title = {{Iranian Threat Actors: Preliminary Analysis}}, date = {2020-01-15}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/}, language = {English}, urldate = {2020-01-17} } @online{ramilli:20200219:uncovering:4f04cd0, author = {Marco Ramilli}, title = {{Uncovering New Magecart Implant Attacking eCommerce}}, date = {2020-02-19}, organization = {Yoroi}, url = {https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/}, language = {English}, urldate = {2020-02-20} } @online{ramilli:20200319:is:bc75e96, author = {Marco Ramilli}, title = {{Is APT 27 Abusing COVID-19 To Attack People ?!}}, date = {2020-03-19}, organization = {Yoroi}, url = {https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/}, language = {English}, urldate = {2020-05-02} } @online{ramilli:20200624:is:3ee7fad, author = {Marco Ramilli}, title = {{Is upatre downloader coming back ?}}, date = {2020-06-24}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/}, language = {English}, urldate = {2020-06-24} } @online{ramilli:20201127:threat:212be73, author = {Marco Ramilli}, title = {{Threat Actor: Unkown}}, date = {2020-11-27}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2020/11/27/threat-actor-unkown/}, language = {English}, urldate = {2020-12-01} } @online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } @online{ramilli:20210501:muddywater:31657f7, author = {Marco Ramilli}, title = {{Muddywater: Binder Project}}, date = {2021-05-01}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/05/01/muddywater-binder-project-part-1/}, language = {English}, urldate = {2021-05-17} } @online{ramilli:20210507:muddywater:a09bd20, author = {Marco Ramilli}, title = {{MuddyWater: Binder Project (Part 2)}}, date = {2021-05-07}, url = {https://marcoramilli.com/2021/05/07/muddywater-binder-project-part-2/}, language = {English}, urldate = {2021-05-17} } @online{ramilli:20210614:allegedly:ad3d608, author = {Marco Ramilli}, title = {{The Allegedly Ryuk Ransomware builder: #RyukJoke}}, date = {2021-06-14}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/}, language = {English}, urldate = {2021-08-23} } @online{ramilli:20210704:babuk:3ba79a8, author = {Marco Ramilli}, title = {{Babuk Ransomware: The Builder}}, date = {2021-07-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/}, language = {English}, urldate = {2021-07-06} } @online{ramilli:20210823:paradise:2539869, author = {Marco Ramilli}, title = {{Paradise Ransomware: The Builder}}, date = {2021-08-23}, url = {https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/}, language = {English}, urldate = {2021-08-23} } @online{ramilli:20211107:conti:1f13ec3, author = {Marco Ramilli}, title = {{CONTI Ransomware: Cheat Sheet}}, date = {2021-11-07}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/}, language = {English}, urldate = {2021-11-08} } @online{ramilli:20220301:diskkillhermeticwiper:e543742, author = {Marco Ramilli}, title = {{DiskKill/HermeticWiper and NotPetya (Dis)similarities}}, date = {2022-03-01}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/}, language = {English}, urldate = {2022-03-02} } @online{ramilli:20220510:malware:915e04f, author = {Marco Ramilli}, title = {{A Malware Analysis in RU-AU conflict}}, date = {2022-05-10}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/}, language = {English}, urldate = {2022-11-22} } @online{ramilli:20221121:is:cfeafc3, author = {Marco Ramilli}, title = {{Is Hagga Threat Actor Abusing FSociety Framework ?}}, date = {2022-11-21}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2022/11/21/is-hagga-threat-actor-abusing-fsociety-framework/}, language = {English}, urldate = {2022-11-22} } @online{ramsey:20231205:cr2300447crb:8b8ca49, author = {Ismail J. Ramsey}, title = {{CR23-00447CRB: United States of America vs RUSLAN ALEKSANDROVICH PERETYATKO and ANDREY STANISLAVOVICH KORINETS}}, date = {2023-12-05}, organization = {US District Court Northern District of California San Francisco}, url = {https://www.justice.gov/opa/media/1327601/dl?inline}, language = {English}, urldate = {2024-11-25} } @online{rana:20220425:serpent:c60d8fd, author = {Darshan Rana}, title = {{Serpent – The Backdoor that Hides in Plain Sight}}, date = {2022-04-25}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html}, language = {English}, urldate = {2022-05-03} } @online{rand:20230728:drop:83cf516, author = {Stef Rand}, title = {{Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads}}, date = {2023-07-28}, organization = {Red Canary}, url = {https://sansorg.egnyte.com/dl/ALlvwK6fp0}, language = {English}, urldate = {2023-08-30} } @online{rand:20230728:drop:c252f96, author = {Stef Rand}, title = {{Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads}}, date = {2023-07-28}, organization = {YouTube (SANS Cyber Defense)}, url = {https://www.youtube.com/watch?v=gk7fCC5RiAQ}, language = {English}, urldate = {2023-08-30} } @online{rao:20221118:ai:33376a7, author = {Akshata Rao and Zong-Yu Wu and Wenjun Hu}, title = {{An AI Based Solution to Detecting the DoubleZero .NET Wiper}}, date = {2022-11-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/doublezero-net-wiper/}, language = {English}, urldate = {2022-11-25} } @online{rapid7:20230330:backdoored:9d84780, author = {Rapid7}, title = {{Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign}}, date = {2023-03-30}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/}, language = {English}, urldate = {2023-04-02} } @online{rapid7:20240617:malvertising:5770421, author = {Rapid7}, title = {{Malvertising Campaign Leads to Execution of Oyster Backdoor}}, date = {2024-06-17}, organization = {Rapid7}, url = {https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/}, language = {English}, urldate = {2024-06-24} } @online{rapid7:20240724:malware:3da746e, author = {Rapid7}, title = {{Malware Campaign Lures Users With Fake W2 Form}}, date = {2024-07-24}, organization = {Rapid7}, url = {https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/}, language = {English}, urldate = {2024-08-01} } @online{rapid7:20250703:scattered:7884386, author = {Rapid7}, title = {{Scattered Spider: Rapid7 Insights, Observations, and Recommendations}}, date = {2025-07-03}, organization = {Rapid7}, url = {https://www.rapid7.com/blog/post/scattered-spider-rapid7-insights-observations-and-recommendations/}, language = {English}, urldate = {2025-07-07} } @online{rapp:20250212:unpacking:8e8d188, author = {Leonard Rapp and Hendrik Eckardt}, title = {{Unpacking Pyarmor v8+ scripts}}, date = {2025-02-12}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/}, language = {English}, urldate = {2025-02-17} } @techreport{rascagnres:20130327:apt1:87b477e, author = {Paul Rascagnères}, title = {{APT1: technical backstage}}, date = {2013-03-27}, institution = {Malware.lu}, url = {https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{rascagnres:20161027:rootkit:2142773, author = {Paul Rascagnères}, title = {{Rootkit analysisUse case on HideDRV}}, date = {2016-10-27}, institution = {Sekoia}, url = {http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf}, language = {English}, urldate = {2020-01-09} } @online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } @online{rascagnres:20170619:delphi:97e7482, author = {Paul Rascagnères and Warren Mercer and Emmanuel Tacheau and Vanja Svajcer and Martin Lee}, title = {{Delphi Used To Score Against Palestine}}, date = {2017-06-19}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/06/palestine-delphi.html}, language = {English}, urldate = {2020-01-06} } @online{rascagnres:20170619:delphi:fdf6859, author = {Paul Rascagnères and Warren Mercer and Emmanuel Tacheau and Vanja Svajcer and Martin Lee}, title = {{Delphi Used To Score Against Palestine}}, date = {2017-06-19}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/06/palestine-delphi.html}, language = {English}, urldate = {2019-07-27} } @online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } @online{rascagnres:20180207:targeted:483b43a, author = {Paul Rascagnères and Martin Lee}, title = {{Targeted Attacks In The Middle East}}, date = {2018-02-07}, organization = {Talos}, url = {https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html}, language = {English}, urldate = {2019-12-17} } @online{rascagnres:20180226:who:095ce83, author = {Paul Rascagnères and Martin Lee}, title = {{Who Wasn’t Responsible for Olympic Destroyer?}}, date = {2018-02-26}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html}, language = {English}, urldate = {2020-01-06} } @online{rascagnres:20180924:adwind:9b737eb, author = {Paul Rascagnères and Vitor Ventura and Tomislav Pericin and Robert Perica}, title = {{Adwind Dodges AV via DDE}}, date = {2018-09-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html}, language = {English}, urldate = {2020-01-06} } @online{rascagnres:2018:vb2018:121b1de, author = {Paul Rascagnères and Warren Mercer}, title = {{VB2018 paper: Who wasn’t responsible for Olympic Destroyer}}, date = {2018}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/}, language = {English}, urldate = {2020-01-09} } @online{rascagnres:20190709:sea:508ca73, author = {Paul Rascagnères}, title = {{Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques}}, date = {2019-07-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming}, language = {English}, urldate = {2023-08-11} } @online{rascagnres:20190827:china:2d2bbb8, author = {Paul Rascagnères and Vanja Svajcer}, title = {{China Chopper still active 9 years later}}, date = {2019-08-27}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html}, language = {English}, urldate = {2019-10-14} } @online{rascagnres:20211214:owowa:4a26756, author = {Paul Rascagnères and Pierre Delcher}, title = {{Owowa: the add-on that turns your OWA into a credential stealer and remote access panel}}, date = {2021-12-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/owowa-credential-stealer-and-remote-access/105219/}, language = {English}, urldate = {2021-12-17} } @online{rascagnres:20230307:using:2e572ed, author = {Paul Rascagnères}, title = {{Using Memory Analysis to Detect EDR-Nullifying Malware}}, date = {2023-03-07}, organization = {Volexity}, url = {https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/}, language = {English}, urldate = {2023-03-20} } @online{rath:20231001:net:842aae4, author = {Sven Rath}, title = {{.NET Assembly Obfuscation for Memory Scanner Evasion}}, date = {2023-10-01}, organization = {r-tec}, url = {https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html}, language = {English}, urldate = {2023-10-05} } @online{ratty3697:20170502:hackspytrojanexploit:0967b19, author = {ratty3697}, title = {{HackSpy-Trojan-Exploit}}, date = {2017-05-02}, organization = {360 Core Security}, url = {https://github.com/ratty3697/HackSpy-Trojan-Exploit}, language = {English}, urldate = {2021-06-29} } @online{rausch:20210802:code:dee039d, author = {Alexander Rausch and Konstantin Klinger}, title = {{The CODE 2021: Workshop presentation and demonstration about CobaltStrike}}, date = {2021-08-02}, organization = {Youtube (Forschungsinstitut Cyber Defense)}, url = {https://www.youtube.com/watch?v=y65hmcLIWDY}, language = {English}, urldate = {2021-08-25} } @online{rausch:20221122:nighthawk:48f730c, author = {Alexander Rausch and Proofpoint Threat Research Team}, title = {{Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice}}, date = {2022-11-22}, organization = {Proofpoint}, url = {https://web.archive.org/web/20221124020920/https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice}, language = {English}, urldate = {2024-08-29} } @online{raut:20210323:zloader:ceed7cd, author = {Anjali Raut}, title = {{Zloader: Entailing Different Office Files}}, date = {2021-03-23}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/zloader-entailing-different-office-files/}, language = {English}, urldate = {2021-03-25} } @online{rawdata:20241001:bugsleep:8402813, author = {_raw_data_}, title = {{BugSleep network protocol reversing}}, date = {2024-10-01}, organization = {raw-data memdumps}, url = {https://raw-data.gitlab.io/post/bugsleep_netprotocol/}, language = {English}, urldate = {2024-12-16} } @online{rawnsley:20201019:hackers:5cf8ef6, author = {Adam Rawnsley}, title = {{Hackers Planted Trump Smears - and Pro-Iran Trolls Spread Them}}, date = {2020-10-19}, organization = {DAILY BEAST}, url = {https://www.thedailybeast.com/hackers-planted-trump-smearsand-pro-iran-trolls-spread-them}, language = {English}, urldate = {2020-10-23} } @online{ray:20160121:nettraveler:3ea96d3, author = {Vicky Ray and Robert Falcone}, title = {{NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan}}, date = {2016-01-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/}, language = {English}, urldate = {2019-11-29} } @online{ray:20160229:new:3df3c12, author = {Vicky Ray and Kaoru Hayashi}, title = {{New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan}}, date = {2016-02-29}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/}, language = {English}, urldate = {2019-12-20} } @online{ray:20160802:orcus:c86492b, author = {Vicky Ray}, title = {{Orcus – Birth of an unusual plugin builder RAT}}, date = {2016-08-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/}, language = {English}, urldate = {2019-12-20} } @online{ray:20161122:tropic:6be7f53, author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster}, title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}}, date = {2016-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/}, language = {English}, urldate = {2020-01-09} } @online{ray:20161122:tropic:7857947, author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster}, title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}}, date = {2016-11-22}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/}, language = {English}, urldate = {2019-12-20} } @online{ray:20161122:tropic:7f503e7, author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster}, title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}}, date = {2016-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/}, language = {English}, urldate = {2019-12-20} } @online{ray:20180207:compromised:01adde2, author = {Vicky Ray and Brad Duncan}, title = {{Compromised Servers & Fraud Accounts: Recent Hancitor Attacks}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/}, language = {English}, urldate = {2019-12-20} } @techreport{ray:2018:monero:262d898, author = {Joshua Ray and Alireza Salimi and Benjamin G. McCarthy}, title = {{Monero and WannaMine: The cyber-criminal cryptocurrency and miner malware of choice}}, date = {2018}, institution = {Accenture}, url = {https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf}, language = {English}, urldate = {2020-11-25} } @online{ray:20190201:tracking:479c2b7, author = {Vicky Ray and Kaoru Hayashi}, title = {{Tracking OceanLotus’ new Downloader, KerrDown}}, date = {2019-02-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/}, language = {English}, urldate = {2019-10-23} } @online{ray:20250220:wmi:fb7b62a, author = {Chris Ray}, title = {{WMI Malware: The Complete Forensics Guide}}, date = {2025-02-20}, organization = {Cyber Triage}, url = {https://www.cybertriage.com/blog/wmi-malware/}, language = {English}, urldate = {2025-02-25} } @online{rd:20250311:redpenguin:8ec0131, author = {Cybersecurity R&D}, title = {{The RedPenguin Malware Incident}}, date = {2025-03-11}, organization = {Juniper Networks}, url = {https://supportportal.juniper.net/sfc/servlet.shepherd/document/download/069Dp00000FzdmIIAR?operationContext=S1}, language = {English}, urldate = {2025-03-14} } @online{re4lity:20170825:schtasksbackdoor:356750f, author = {re4lity}, title = {{Schtasks-Backdoor}}, date = {2017-08-25}, organization = {Github (re4lity)}, url = {https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1}, language = {Chinese}, urldate = {2020-06-19} } @online{re:20230306:brute:ad7d790, author = {Boymoder RE}, title = {{Brute Ratel - Scandinavian Defence}}, date = {2023-03-06}, organization = {ProtectedMo.de}, url = {https://protectedmo.de/brute.html}, language = {English}, urldate = {2023-03-20} } @online{read:20170912:fireeye:60e2846, author = {Ben Read and Genwei Jiang and James T. Bennett}, title = {{FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY,FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY}}, date = {2017-09-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html}, language = {English}, urldate = {2019-12-20} } @online{read:20210112:unc2452:6e54c6c, author = {Ben Read and John Hultquist}, title = {{UNC2452: What We Know So Far}}, date = {2021-01-12}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/462719}, language = {English}, urldate = {2021-01-18} } @online{reading:20201203:deathstalker:3dd6f63, author = {Dark Reading}, title = {{DeathStalker Hits the Americas & Europe With New PowerPepper Malware}}, date = {2020-12-03}, organization = {DARKReading}, url = {https://www.darkreading.com/vulnerabilities---threats/-infamous-hacker-for-hire-group-deathstalker-hits-the-americas-and-europe-with-new-powerpepper-malware/d/d-id/1339604}, language = {English}, urldate = {2020-12-08} } @online{reading:20240117:nearly:230873e, author = {Dark Reading}, title = {{Nearly 7K WordPress Sites Compromised by Balada Injector}}, date = {2024-01-17}, organization = {dark read}, url = {https://www.darkreading.com/application-security/7k-wordpress-sites-compromised-balada-injector}, language = {English}, urldate = {2024-01-22} } @online{reaqta:20171108:short:aa183af, author = {Reaqta}, title = {{A short journey into DarkVNC attack chain}}, date = {2017-11-08}, organization = {Reaqta}, url = {https://reaqta.com/2017/11/short-journey-darkvnc/}, language = {English}, urldate = {2022-04-20} } @online{reaqta:20171122:dive:5c67031, author = {Reaqta}, title = {{A dive into MuddyWater APT targeting Middle-East}}, date = {2017-11-22}, organization = {Reaqta}, url = {https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{reaqta:20180302:spearphishing:3d933a4, author = {Reaqta}, title = {{Spear-phishing campaign leveraging on MSXSL}}, date = {2018-03-02}, organization = {Reaqta}, url = {https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/}, language = {English}, urldate = {2020-01-08} } @online{reaqta:20190124:silence:08baddd, author = {Reaqta}, title = {{Silence group targeting Russian Banks via Malicious CHM}}, date = {2019-01-24}, organization = {Reaqta}, url = {https://reaqta.com/2019/01/silence-group-targeting-russian-banks/}, language = {English}, urldate = {2019-11-28} } @online{reaqta:20190411:avemaria:d6cd904, author = {Reaqta}, title = {{Ave_Maria Malware: there's more than meets the eye}}, date = {2019-04-11}, organization = {Reaqta}, url = {https://reaqta.com/2019/04/ave_maria-malware-part1/}, language = {English}, urldate = {2020-01-07} } @online{reaqta:20200108:leonardo:af14272, author = {Reaqta}, title = {{Leonardo S.p.A. Data Breach Analysis}}, date = {2020-01-08}, organization = {Reaqta}, url = {https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa}, language = {English}, urldate = {2021-06-16} } @online{reaqta:20200619:dridex:54f4dd5, author = {Reaqta}, title = {{Dridex: the secret in a PostMessage()}}, date = {2020-06-19}, organization = {Reaqta}, url = {https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/}, language = {English}, urldate = {2020-06-22} } @online{reaves:20170504:blackmoon:2615659, author = {Jason Reaves}, title = {{Blackmoon Rising: Banking Trojan Back with New Framework}}, date = {2017-05-04}, organization = {Fidelis Cybersecurity}, url = {https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/}, language = {English}, urldate = {2023-04-25} } @online{reaves:20180512:ms:51a6134, author = {Jason Reaves}, title = {{MS Crypto Derive Functions}}, date = {2018-05-12}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/reverse-engineering/2018/05/12/MS-Derivation-functions.html}, language = {English}, urldate = {2022-01-25} } @online{reaves:20190313:dmsniff:47a2734, author = {Jason Reaves and Joshua Platt}, title = {{‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses}}, date = {2019-03-13}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/}, language = {English}, urldate = {2019-12-18} } @techreport{reaves:20200210:case:3f668be, author = {Jason Reaves}, title = {{A Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach}}, date = {2020-02-10}, institution = {viXra}, url = {https://vixra.org/pdf/2002.0183v1.pdf}, language = {English}, urldate = {2020-02-27} } @online{reaves:20200226:revealing:2c3fc63, author = {Jason Reaves}, title = {{Revealing the Trick | A Deep Dive into TrickLoader Obfuscation}}, date = {2020-02-26}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/}, language = {English}, urldate = {2020-02-27} } @online{reaves:20200304:breaking:8262e7e, author = {Jason Reaves}, title = {{Breaking TA505’s Crypter with an SMT Solver}}, date = {2020-03-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/}, language = {English}, urldate = {2020-03-04} } @online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} } @online{reaves:20200428:icedid:9b7de2f, author = {Jason Reaves}, title = {{IcedID PhotoLoader evolution}}, date = {2020-04-28}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html}, language = {English}, urldate = {2022-03-23} } @online{reaves:20200508:guloader:e8262e4, author = {Jason Reaves}, title = {{Tweet on GuLoader anti analysis techniques}}, date = {2020-05-08}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1258809373159305216}, language = {English}, urldate = {2021-01-05} } @online{reaves:20200514:deep:1ee83b6, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant}}, date = {2020-05-14}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/}, language = {English}, urldate = {2020-05-18} } @online{reaves:20200531:wastedloader:c37b988, author = {Jason Reaves and Joshua Platt}, title = {{WastedLoader or DridexLoader?}}, date = {2020-05-31}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77}, language = {English}, urldate = {2021-06-09} } @online{reaves:20200609:valak:ff6bc74, author = {Jason Reaves}, title = {{Valak Malware and the Connection to Gozi Loader ConfCrew}}, date = {2020-06-09}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/}, language = {English}, urldate = {2020-06-10} } @online{reaves:20200707:breaking:2a99a35, author = {Jason Reaves}, title = {{Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine}}, date = {2020-07-07}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/}, language = {English}, urldate = {2020-07-08} } @online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } @online{reaves:20210110:man1:54a4162, author = {Jason Reaves}, title = {{MAN1, Moskal, Hancitor and a side of Ransomware}}, date = {2021-01-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618}, language = {English}, urldate = {2021-01-11} } @online{reaves:20210112:deofuscating:8fec60d, author = {Jason Reaves}, title = {{De-ofuscating GoLang Functions}}, date = {2021-01-12}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/de-ofuscating-golang-functions-93f610f4fb76}, language = {English}, urldate = {2021-01-21} } @online{reaves:20210120:anchor:b1e153f, author = {Jason Reaves and Joshua Platt}, title = {{Anchor and Lazarus together again?}}, date = {2021-01-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607}, language = {English}, urldate = {2021-01-21} } @online{reaves:20210305:look:71fca27, author = {Jason Reaves}, title = {{A look at an Android bot from unpacking to DGA}}, date = {2021-03-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9}, language = {English}, urldate = {2021-03-11} } @online{reaves:20210405:trickbot:a6b0592, author = {Jason Reaves and Joshua Platt}, title = {{TrickBot Crews New CobaltStrike Loader}}, date = {2021-04-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c}, language = {English}, urldate = {2021-04-06} } @online{reaves:20210407:not:c28aeef, author = {Jason Reaves}, title = {{Not your same old adware anymore, PBOT updates}}, date = {2021-04-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/not-your-same-old-adware-anymore-pbot-updates-6d43b159ab35}, language = {English}, urldate = {2021-04-09} } @online{reaves:20210409:relook:ab87230, author = {Jason Reaves}, title = {{A Relook at the TerraLoader Dropper DLL}}, date = {2021-04-09}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244}, language = {English}, urldate = {2021-04-12} } @online{reaves:20210420:cobaltstrike:d18d4c4, author = {Jason Reaves}, title = {{CobaltStrike Stager Utilizing Floating Point Math}}, date = {2021-04-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718}, language = {English}, urldate = {2021-04-20} } @online{reaves:20210706:ta505:35e0dbc, author = {Jason Reaves and Joshua Platt}, title = {{TA505 adds GoLang crypter for delivering miners and ServHelper}}, date = {2021-07-06}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56}, language = {English}, urldate = {2021-07-11} } @online{reaves:20210708:amadey:0deeb3d, author = {Jason Reaves and Harold Ogden}, title = {{Amadey stealer plugin adds Mikrotik and Outlook harvesting}}, date = {2021-07-08}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4}, language = {English}, urldate = {2021-07-11} } @online{reaves:20210730:decrypting:0b08389, author = {Jason Reaves}, title = {{Decrypting BazarLoader strings with a Unicorn}}, date = {2021-07-30}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9}, language = {English}, urldate = {2021-08-02} } @online{reaves:20210803:python:3eef2f9, author = {Jason Reaves}, title = {{Tweet on python script to decode the blob from Blackmatter ransomware}}, date = {2021-08-03}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1422280887274639375}, language = {English}, urldate = {2021-08-06} } @online{reaves:20210819:looking:361ca2d, author = {Jason Reaves}, title = {{Looking at the new Krypton crypter and recent Data Exfiltrator Samples}}, date = {2021-08-19}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/looking-at-the-new-krypton-crypter-and-recent-data-exfiltrator-samples-4c484875cf70}, language = {English}, urldate = {2021-09-06} } @online{reaves:20210907:decoding:bb6bf8e, author = {Jason Reaves}, title = {{Decoding SmartAssembly strings, a Haron ransomware case study}}, date = {2021-09-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b}, language = {English}, urldate = {2021-09-09} } @online{reaves:20211014:investigation:29ef29c, author = {Jason Reaves}, title = {{Investigation into the state of NIM malware Part 2}}, date = {2021-10-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671}, language = {English}, urldate = {2021-12-15} } @online{reaves:20220111:signed:0f32583, author = {Jason Reaves and Joshua Platt}, title = {{Signed DLL campaigns as a service}}, date = {2022-01-11}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489}, language = {English}, urldate = {2023-01-31} } @online{reaves:20220214:privateloader:e7e062e, author = {Jason Reaves and Joshua Platt}, title = {{PrivateLoader to Anubis Loader}}, date = {2022-02-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e}, language = {English}, urldate = {2022-08-05} } @online{reaves:20220304:systembc:e808a92, author = {Jason Reaves and Joshua Platt}, title = {{SystemBC, PowerShell version}}, date = {2022-03-04}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c}, language = {English}, urldate = {2023-07-31} } @online{reaves:20220310:diavol:2a6514a, author = {Jason Reaves and Joshua Platt}, title = {{Diavol the Enigma of Ransomware}}, date = {2022-03-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648}, language = {English}, urldate = {2022-03-14} } @online{reaves:20220328:cobaltstrike:65362d3, author = {Jason Reaves}, title = {{CobaltStrike UUID stager}}, date = {2022-03-28}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64}, language = {English}, urldate = {2022-04-05} } @online{reaves:20220415:revisiting:94c149c, author = {Jason Reaves}, title = {{Revisiting BatLoader C2 structure}}, date = {2022-04-15}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a}, language = {English}, urldate = {2023-01-31} } @online{reaves:20220525:socgholish:f876e0e, author = {Jason Reaves and Joshua Platt}, title = {{SocGholish Campaigns and Initial Access Kit}}, date = {2022-05-25}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee}, language = {English}, urldate = {2022-06-02} } @online{reaves:20220602:tweets:b70da25, author = {Jason Reaves}, title = {{Tweets on UpdateAgent - GolangVersion}}, date = {2022-06-02}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1532442456343691273}, language = {English}, urldate = {2022-06-04} } @online{reaves:20220809:pivoting:7afbaea, author = {Jason Reaves and Joshua Platt}, title = {{Pivoting on a SharpExt to profile Kimusky panels for great good}}, date = {2022-08-09}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9}, language = {English}, urldate = {2023-02-06} } @online{reaves:20220811:state:ef0fd3c, author = {Jason Reaves}, title = {{State of the Remote Access Tools, Part 1}}, date = {2022-08-11}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/state-of-the-rat-part-1-cfec6c967e2f}, language = {English}, urldate = {2022-09-12} } @online{reaves:20220930:diavol:d72ab2a, author = {Jason Reaves and Jonathan Mccay}, title = {{Diavol resurfaces}}, date = {2022-09-30}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922}, language = {English}, urldate = {2022-10-05} } @online{reaves:20221025:brute:3e3f821, author = {Jason Reaves}, title = {{Brute Ratel Config Decoding update}}, date = {2022-10-25}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb}, language = {English}, urldate = {2023-01-31} } @online{reaves:20230224:qbot:771bf3d, author = {Jason Reaves and Joshua Platt and Jonathan Mccay and Kirk Sayre}, title = {{Qbot testing malvertising campaigns?}}, date = {2023-02-24}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a}, language = {English}, urldate = {2023-02-27} } @online{reaves:20230310:from:6bceb30, author = {Jason Reaves and Joshua Platt}, title = {{From Royal With Love}}, date = {2023-03-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65}, language = {English}, urldate = {2023-03-13} } @online{reaves:20230509:metastealer:11ef397, author = {Jason Reaves and Joshua Platt and Jonathan Mccay}, title = {{MetaStealer string decryption and DGA overview}}, date = {2023-05-09}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/metastealer-string-decryption-and-dga-overview-5f38f76830cd}, language = {English}, urldate = {2023-05-11} } @online{reaves:20230718:nemesisproject:daa35d0, author = {Jason Reaves and Jonathan Mccay and Joshua Platt}, title = {{NemesisProject}}, date = {2023-07-18}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5}, language = {English}, urldate = {2023-07-19} } @online{reaves:20230729:unknown:bb06275, author = {Jason Reaves and Joshua Platt}, title = {{Unknown powershell backdoor with ties to new Zloader}}, date = {2023-07-29}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850}, language = {English}, urldate = {2024-07-29} } @online{reaves:20230830:gazavat:1f8a081, author = {Jason Reaves}, title = {{Gazavat / Expiro DMSniff connection and DGA analysis}}, date = {2023-08-30}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d}, language = {English}, urldate = {2023-08-31} } @online{reaves:20231020:icedid:43212cd, author = {Jason Reaves and Joshua Platt}, title = {{IcedID gets Loaded}}, date = {2023-10-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39}, language = {English}, urldate = {2023-11-14} } @online{reaves:20240116:keyhole:1639ac7, author = {Jason Reaves and Joshua Platt and Jonathan Mccay}, title = {{Keyhole Analysis}}, date = {2024-01-16}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03}, language = {English}, urldate = {2024-01-17} } @online{reaves:20240305:unknown:bbdab94, author = {Jason Reaves and Joshua Platt}, title = {{Unknown Nim Loader using PSBypassCLM}}, date = {2024-03-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/unknown-nim-loader-using-psbypassclm-cafdf0e0f5cd}, language = {English}, urldate = {2024-03-06} } @online{reaves:20240313:newbot:69dc972, author = {Jason Reaves and Joshua Platt}, title = {{NewBot Loader}}, date = {2024-03-13}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/newbot-loader-81e2ba11c793}, language = {English}, urldate = {2024-03-18} } @online{reaves:20240619:spectre:7446c2e, author = {Jason Reaves and Joshua Platt}, title = {{Spectre (SPC) v9 Campaigns and Updates}}, date = {2024-06-19}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/spectre-spc-v9-campaigns-and-updates-546c2e65e247}, language = {English}, urldate = {2024-06-24} } @online{reaves:20241219:decoding:b1e06ab, author = {Jason Reaves}, title = {{Decoding RevC2 strings}}, date = {2024-12-19}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/decoding-revc2-strings-b3c72af07a55}, language = {English}, urldate = {2025-07-07} } @online{reaves:20250120:qbot:ce3a60c, author = {Jason Reaves and Jonathan Mccay and Joshua Platt}, title = {{Qbot is Back.Connect}}, date = {2025-01-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f}, language = {English}, urldate = {2025-01-24} } @online{reaves:20250312:golang:59735d3, author = {Jason Reaves}, title = {{Golang backdoor with a side of ChromeUpdateAlert App}}, date = {2025-03-12}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/golang-backdoor-with-a-side-of-chromeupdatealert-app-9e47d1063ead}, language = {English}, urldate = {2025-04-27} } @online{reaves:20250313:arechclient:ee86766, author = {Jason Reaves}, title = {{ArechClient; Decoding IOCs and finding the onboard browser extension}}, date = {2025-03-13}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/arechclient-decoding-iocs-and-finding-the-onboard-browser-extension-477f8796568d}, language = {English}, urldate = {2025-03-14} } @online{reaves:20250701:janela:00163be, author = {Jason Reaves}, title = {{Janela RAT and a stealer extension delivered together}}, date = {2025-07-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/janela-rat-and-a-stealer-extension-delivered-together-e274469a7df8}, language = {English}, urldate = {2025-07-07} } @online{rector:20210225:light:005aa58, author = {Andrew Rector and Matt Bromiley and Mandiant}, title = {{Light in the Dark: Hunting for SUNBURST}}, date = {2021-02-25}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/469525}, language = {English}, urldate = {2021-02-20} } @online{red5heep:20210422:emotet:44c2798, author = {@red5heep}, title = {{EMOTET: a State-Machine reversing exercise}}, date = {2021-04-22}, organization = {Github (@cecio)}, url = {https://github.com/cecio/EMOTET-2020-Reversing}, language = {English}, urldate = {2021-11-12} } @online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } @online{reddick:20250405:maryland:e38cd89, author = {James Reddick}, title = {{Maryland pharmacist used keyloggers to spy on coworkers for a decade, victim alleges}}, date = {2025-04-05}, organization = {The Record}, url = {https://therecord.media/maryland-pharmacist-keylogger-spying-lawsuit}, language = {English}, urldate = {2025-04-09} } @online{reddrip7:20201216:script:4476c58, author = {RedDrip7}, title = {{A script to decode SUNBURST DGA domain}}, date = {2020-12-16}, organization = {Github (RedDrip7)}, url = {https://github.com/RedDrip7/SunBurst_DGA_Decode}, language = {English}, urldate = {2020-12-17} } @online{reddrip7:20210609:in:74f9bac, author = {RedDrip7}, title = {{Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)}}, date = {2021-06-09}, organization = {Twitter (@RedDrip7)}, url = {https://twitter.com/RedDrip7/status/1402640362972147717?s=20}, language = {English}, urldate = {2021-06-21} } @techreport{reddrip7:20250704:exclusive:75d8ba8, author = {RedDrip7}, title = {{Exclusive disclosure of the attack activities of the APT group “NightEagle”}}, date = {2025-07-04}, institution = {Qianxin}, url = {https://github.com/RedDrip7/NightEagle_Disclose/blob/main/Exclusive%20disclosure%20of%20the%20attack%20activities%20of%20the%20APT%20group%20NightEagle.pdf}, language = {English}, urldate = {2025-07-07} } @online{reddy:20240209:phoenix:8bd9928, author = {Suresh Reddy}, title = {{The Phoenix Rises Again}}, date = {2024-02-09}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/the-phoenix-rises-again/}, language = {English}, urldate = {2024-02-09} } @online{reddy:2024:echoes:4a1e03d, author = {Suresh Reddy}, title = {{Echoes of Braodo Tales from the Cyber Underworld}}, date = {2024}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/echoes-of-braodo-tales-from-the-cyber-underworld/}, language = {English}, urldate = {2025-01-23} } @online{reddy:20250224:lcryx:ee55a45, author = {Suresh Reddy}, title = {{LCRYX Ransomware: How a VB Ransomware Locks Your System}}, date = {2025-02-24}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/lcryx-ransomware-how-a-vb-ransomware-locks-your-system/}, language = {English}, urldate = {2025-02-26} } @online{reddy:20250325:inside:328f63d, author = {Suresh Reddy}, title = {{Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads}}, date = {2025-03-25}, url = {https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/}, language = {English}, urldate = {2025-05-02} } @online{reddy:20250702:mentalpositives:857f41e, author = {Suresh Reddy}, title = {{@mentalpositive’s New macOS Stealer: AMOS Repackaged or a New Cyber Threat?}}, date = {2025-07-02}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat/}, language = {English}, urldate = {2025-07-07} } @online{reecdeep:20221128:hivev5:ddd645c, author = {reecdeep}, title = {{HiveV5 file decryptor PoC}}, date = {2022-11-28}, organization = {Github (reecdeep)}, url = {https://github.com/reecdeep/HiveV5_file_decryptor}, language = {English}, urldate = {2022-12-29} } @online{reed:20160927:komplex:0cd401d, author = {Thomas Reed}, title = {{Komplex Mac backdoor answers old questions}}, date = {2016-09-27}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/}, language = {English}, urldate = {2019-12-20} } @online{reed:20170118:new:e34009a, author = {Thomas Reed}, title = {{New Mac backdoor using antiquated code}}, date = {2017-01-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/}, language = {English}, urldate = {2019-12-20} } @online{reed:20170501:another:74546e3, author = {Thomas Reed}, title = {{Another OSX.Dok dropper found installing new backdoor}}, date = {2017-05-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{reed:20170505:snake:01961aa, author = {Thomas Reed}, title = {{Snake malware ported from Windows to Mac}}, date = {2017-05-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/}, language = {English}, urldate = {2019-12-20} } @online{reed:20171120:osxproton:828050c, author = {Thomas Reed}, title = {{OSX.Proton spreading through fake Symantec blog}}, date = {2017-11-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/}, language = {English}, urldate = {2019-12-20} } @online{reed:20171208:interesting:a8a206e, author = {Thomas Reed}, title = {{Interesting disguise employed by new Mac malware HiddenLotus}}, date = {2017-12-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/}, language = {English}, urldate = {2019-12-20} } @online{reed:20180202:new:b58d818, author = {Thomas Reed}, title = {{New Mac cryptominer distributed via a MacUpdate hack}}, date = {2018-02-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/}, language = {English}, urldate = {2019-12-20} } @online{reed:20180424:new:b461f4b, author = {Thomas Reed}, title = {{New Crossrider variant installs configuration profiles on Macs}}, date = {2018-04-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social}, language = {English}, urldate = {2019-12-20} } @online{reed:20181207:mac:1bba675, author = {Thomas Reed}, title = {{Mac malware combines EmPyre backdoor and XMRig miner}}, date = {2018-12-07}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/}, language = {English}, urldate = {2019-12-20} } @techreport{reed:20200312:case:7e22ee6, author = {Thomas Reed}, title = {{The case of the fly on the wall}}, date = {2020-03-12}, institution = {Obective See}, url = {https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf}, language = {English}, urldate = {2020-05-02} } @online{reed:20210726:osxxloader:b3818a3, author = {Thomas Reed}, title = {{OSX.XLoader hides little except its main purpose: What we learned in the installation process}}, date = {2021-07-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/}, language = {English}, urldate = {2021-08-02} } @online{reed:20221109:ransomwareasaservice:751e1a8, author = {Jonathan Reed}, title = {{Ransomware-as-a-Service Transforms Gangs Into Businesses}}, date = {2022-11-09}, organization = {Security Intelligence}, url = {https://securityintelligence.com/news/eternity-gang-ransomware-as-a-service-telegram/}, language = {English}, urldate = {2022-11-11} } @online{refaeli:20220111:threat:fd22089, author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro}, title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}}, date = {2022-01-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike}, language = {English}, urldate = {2022-01-18} } @online{reflectiz:20200520:gocgle:47c4bc7, author = {Reflectiz}, title = {{The Gocgle Malicious Campaign}}, date = {2020-05-20}, organization = {Reflectiz}, url = {https://www.reflectiz.com/the-gocgle-web-skimming-campaign/}, language = {English}, urldate = {2020-05-23} } @online{reflectiz:20201127:ico:a1bad28, author = {Reflectiz}, title = {{The ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned}}, date = {2020-11-27}, organization = {Reflectiz}, url = {https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/}, language = {English}, urldate = {2021-01-29} } @online{refox:20191231:allakore:22a8e0a, author = {_re_fox}, title = {{Tweet on AllaKore indicators}}, date = {2019-12-31}, organization = {Twitter (@_re_fox)}, url = {https://twitter.com/_re_fox/status/1212070711206064131}, language = {English}, urldate = {2020-01-06} } @online{regalado:20150911:suceful:0a8f9f0, author = {Daniel Regalado}, title = {{SUCEFUL: Next Generation ATM Malware}}, date = {2015-09-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html}, language = {English}, urldate = {2020-01-22} } @online{regalado:20151211:latentbot:76a6ff3, author = {Daniel Regalado and Taha Karim}, title = {{LATENTBOT: Trace Me If You Can}}, date = {2015-12-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html}, language = {English}, urldate = {2019-12-20} } @online{regalado:20160413:ghosts:5d2944f, author = {Daniel Regalado and Taha Karim and Varun Jian and Erye Hernandez}, title = {{Ghosts in the Endpoint}}, date = {2016-04-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html}, language = {English}, urldate = {2020-04-20} } @online{regalado:20170112:new:830f3a3, author = {Daniel Regalado}, title = {{New Variant of Ploutus ATM Malware Observed in the Wild in Latin America}}, date = {2017-01-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html}, language = {English}, urldate = {2019-12-20} } @online{regalado:20220309:bazarloader:09cc5d7, author = {Belem Regalado and Rachelle Chouinard}, title = {{BazarLoader Actors Initiate Contact via Website Contact Forms}}, date = {2022-03-09}, organization = {Abnormal}, url = {https://abnormalsecurity.com/blog/bazarloader-contact-form}, language = {English}, urldate = {2022-05-04} } @online{regciov:20220507:yara:abbe461, author = {Dominika Regéciová}, title = {{Yara: Down The Rabbit Hole Without Slowing Down}}, date = {2022-05-07}, organization = {YouTube (botconf eu)}, url = {https://www.youtube.com/watch?v=3G0xaJkIE3M}, language = {English}, urldate = {2022-05-09} } @online{regciov:20220609:yara:ae26e01, author = {Dominika Regéciová}, title = {{Yara: In Search Of Regular Expressions}}, date = {2022-06-09}, organization = {Avast}, url = {https://engineering.avast.io/yara-in-search-of-regular-expressions/}, language = {English}, urldate = {2022-06-09} } @online{regciov:20220719:yara:58f6c08, author = {Dominika Regéciová}, title = {{Yara vs. HyperScan: Alternative pattern-matching engines}}, date = {2022-07-19}, organization = {Avast}, url = {https://engineering.avast.io/yara-vs-hyperscan-alternative-pattern-matching-engines}, language = {English}, urldate = {2022-07-25} } @online{regev:20140922:tinba:088fca0, author = {Assaf Regev and Tal Darsan}, title = {{Tinba Malware Reloaded and Attacking Banks Around the World}}, date = {2014-09-22}, organization = {SecurityIntelligence}, url = {http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/}, language = {English}, urldate = {2020-01-09} } @online{rehman:20240705:hacker:1bdce0a, author = {Abdul Rehman}, title = {{Hacker Allegedly Leaks Data from Shopify Breach on BreachForums}}, date = {2024-07-05}, organization = {Cloudways}, url = {https://www.cloudways.com/blog/hacker-allegedly-leaks-data-from-shopify-breach-on-breachforums/}, language = {English}, urldate = {2024-08-29} } @online{reichel:20170106:2016:f928ad2, author = {Dominik Reichel}, title = {{2016 Updates to Shifu Banking Trojan}}, date = {2017-01-06}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/}, language = {English}, urldate = {2019-12-20} } @online{reichel:20170906:analysing:a5a6017, author = {Dominik Reichel}, title = {{Analysing a 10-Year-Old SNOWBALL}}, date = {2017-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/}, language = {English}, urldate = {2019-12-20} } @online{reichel:20180906:slicing:b6b847f, author = {Dominik Reichel and Esmid Idrizovic}, title = {{Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware}}, date = {2018-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/}, language = {English}, urldate = {2019-12-20} } @online{reichel:20200315:guloader:d3bc331, author = {Dominik Reichel}, title = {{GuLoader anti analysis/sandbox tricks}}, date = {2020-03-15}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1239110192060608513}, language = {English}, urldate = {2021-01-05} } @online{reichel:20200319:early:21fec54, author = {Dominik Reichel}, title = {{Tweet on early GuLoader samples dating back to October 2019}}, date = {2020-03-19}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1240608893610459138}, language = {English}, urldate = {2021-01-05} } @online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } @online{reichel:20201224:teardrop:8b014ba, author = {Dominik Reichel}, title = {{Tweet on TEARDROP sample}}, date = {2020-12-24}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1342041055563313152}, language = {English}, urldate = {2021-01-01} } @online{reichel:20210104:some:9e72d62, author = {Dominik Reichel}, title = {{Some small detail on compiler used for TEARDROP}}, date = {2021-01-04}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1346096298311741440}, language = {English}, urldate = {2021-01-11} } @online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } @online{reichel:20220522:introduction:47edade, author = {Dominik Reichel}, title = {{Introduction of a PE file extractor for various situations}}, date = {2022-05-22}, organization = {R136a1}, url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/}, language = {English}, urldate = {2022-06-02} } @online{reichel:20220618:using:791a20c, author = {Dominik Reichel}, title = {{Using dotnetfile to get a Sunburst timeline for intelligence gathering}}, date = {2022-06-18}, organization = {R136a1}, url = {https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/}, language = {English}, urldate = {2022-07-25} } @online{reichel:20220719:look:84e1e01, author = {Dominik Reichel}, title = {{A look into APT29's new early-stage Google Drive downloader}}, date = {2022-07-19}, organization = {R136a1}, url = {https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/}, language = {English}, urldate = {2022-10-19} } @online{reichel:20221202:blowing:0698d7a, author = {Dominik Reichel and Esmid Idrizovic and Bob Jung}, title = {{Blowing Cobalt Strike Out of the Water With Memory Analysis}}, date = {2022-12-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/}, language = {English}, urldate = {2022-12-05} } @online{reichel:20230922:more:7b1d0a4, author = {Dominik Reichel}, title = {{More on DreamLand}}, date = {2023-09-22}, organization = {R136a1}, url = {https://r136a1.dev/2023/09/22/more-on-dreamland/}, language = {English}, urldate = {2023-09-28} } @online{reichel:20240919:discovering:fdf7ca1, author = {Dominik Reichel}, title = {{Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool}}, date = {2024-09-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/}, language = {English}, urldate = {2025-01-15} } @online{reichel:20250617:exploring:9ba0c85, author = {Dominik Reichel}, title = {{Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation}}, date = {2025-06-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/}, language = {English}, urldate = {2025-06-20} } @online{reichert:20230203:agentvx:21829c8, author = {Zachary Reichert}, title = {{AgentVX And Taurus}}, date = {2023-02-03}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/}, language = {English}, urldate = {2023-05-02} } @online{reichert:20240819:unveiling:e7ba4eb, author = {Zachary Reichert and Daniel Stein and Joshua Pivirotto and Stroz Friedberg}, title = {{Unveiling "sedexp": A Stealthy Linux Malware Exploiting udev Rules}}, date = {2024-08-19}, organization = {Aon}, url = {https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp}, language = {English}, urldate = {2024-08-29} } @online{reid:20220722:old:6fb4943, author = {Krystle Reid}, title = {{Old cat, new tricks, bad habits An analysis of Charming Kitten’s new tools and OPSEC errors}}, date = {2022-07-22}, organization = {PWC UK}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html}, language = {English}, urldate = {2022-07-25} } @online{reind:20210915:original:6945d46, author = {Re-ind}, title = {{Original Tweet on this unidentified Android banking malware targeting South Korea}}, date = {2021-09-15}, organization = {Twitter (@ReBensk)}, url = {https://twitter.com/ReBensk/status/1438027183490940931}, language = {English}, urldate = {2021-09-24} } @online{reiner:20201229:golden:8601f2d, author = {Shaked Reiner}, title = {{Golden SAML Revisited: The Solorigate Connection}}, date = {2020-12-29}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection}, language = {English}, urldate = {2021-01-05} } @online{rek7:20191116:ddoor:8685551, author = {rek7}, title = {{ddoor}}, date = {2019-11-16}, url = {https://github.com/rek7/ddoor}, language = {English}, urldate = {2020-03-13} } @techreport{renals:2016:silverterrier:56ebc9b, author = {Peter Renals and Simon Conant}, title = {{SILVERTERRIER}}, date = {2016}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf}, language = {English}, urldate = {2020-01-08} } @online{renals:20211007:silverterrier:e682411, author = {Peter Renals}, title = {{SilverTerrier – Nigerian Business Email Compromise}}, date = {2021-10-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/silverterrier-nigerian-business-email-compromise/}, language = {English}, urldate = {2021-10-11} } @online{renato:20190507:vulnerable:2c38a5f, author = {Renato}, title = {{Vulnerable Apache Jenkins exploited in the wild}}, date = {2019-05-07}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916}, language = {English}, urldate = {2020-01-10} } @online{report:20200424:ursnif:e983798, author = {The DFIR Report}, title = {{Ursnif via LOLbins}}, date = {2020-04-24}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/}, language = {English}, urldate = {2021-03-16} } @online{report:20200611:honda:04a1b7c, author = {Bad Packets Report}, title = {{Tweet on Honda & Enel Critix(NetScaler) VPN server vulnerable to CVE-2019-19781, possibly targeted by SNAKE ransomware}}, date = {2020-06-11}, organization = {Twitter (@bad_packets)}, url = {https://twitter.com/bad_packets/status/1270957214300135426}, language = {English}, urldate = {2020-06-12} } @online{report:20200616:little:bc50ff0, author = {The DFIR Report}, title = {{The Little Ransomware That Couldn’t (Dharma)}}, date = {2020-06-16}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/}, language = {English}, urldate = {2020-06-16} } @online{report:20200621:snatch:6d2d641, author = {The DFIR Report}, title = {{Snatch Ransomware}}, date = {2020-06-21}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/21/snatch-ransomware/}, language = {English}, urldate = {2020-06-22} } @online{report:20200803:dridex:165cf39, author = {The DFIR Report}, title = {{Dridex – From Word to Domain Dominance}}, date = {2020-08-03}, url = {https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/}, language = {English}, urldate = {2020-08-05} } @online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } @online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } @online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } @online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } @online{report:20201112:cryptominers:b1b71b5, author = {The DFIR Report}, title = {{Cryptominers Exploiting WebLogic RCE CVE-2020-14882}}, date = {2020-11-12}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-cve-2020-14882/}, language = {English}, urldate = {2020-11-18} } @online{report:20201123:pysamespinoza:f0f2544, author = {The DFIR Report}, title = {{PYSA/Mespinoza Ransomware}}, date = {2020-11-23}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/}, language = {English}, urldate = {2021-01-21} } @online{report:20201213:defender:3c33570, author = {The DFIR Report}, title = {{Defender Control}}, date = {2020-12-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/12/13/defender-control/}, language = {English}, urldate = {2020-12-14} } @online{report:20210111:trickbot:d1011f9, author = {The DFIR Report}, title = {{Trickbot Still Alive and Well}}, date = {2021-01-11}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/}, language = {English}, urldate = {2021-01-11} } @online{report:20210118:all:daed9a4, author = {The DFIR Report}, title = {{All That for a Coinminer?}}, date = {2021-01-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/}, language = {English}, urldate = {2021-01-21} } @online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } @online{report:20210202:recent:5272ed0, author = {The DFIR Report}, title = {{Tweet on recent dridex post infection activity}}, date = {2021-02-02}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1356729371931860992}, language = {English}, urldate = {2021-02-04} } @online{report:20210211:hancitor:9fa527e, author = {The DFIR Report}, title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}}, date = {2021-02-11}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1359669513520873473}, language = {English}, urldate = {2021-02-18} } @online{report:20210215:qakbot:f692e9c, author = {The DFIR Report}, title = {{Tweet on Qakbot post infection discovery activity}}, date = {2021-02-15}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1361331598344478727}, language = {English}, urldate = {2021-02-18} } @online{report:20210228:laravel:d832ce6, author = {The DFIR Report}, title = {{Laravel Apps Leaking Secrets}}, date = {2021-02-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/}, language = {English}, urldate = {2021-03-04} } @online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } @online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } @online{report:20210502:trickbot:242b786, author = {The DFIR Report}, title = {{Trickbot Brief: Creds and Beacons}}, date = {2021-05-02}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/}, language = {English}, urldate = {2021-05-04} } @online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } @online{report:20210603:weblogic:a381570, author = {The DFIR Report}, title = {{WebLogic RCE Leads to XMRig}}, date = {2021-06-03}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/}, language = {English}, urldate = {2021-06-16} } @online{report:20210620:from:aadb7e8, author = {The DFIR Report}, title = {{From Word to Lateral Movement in 1 Hour}}, date = {2021-06-20}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/}, language = {English}, urldate = {2021-06-22} } @online{report:20210628:hancitor:b21cdd2, author = {The DFIR Report}, title = {{Hancitor Continues to Push Cobalt Strike}}, date = {2021-06-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/}, language = {English}, urldate = {2021-06-29} } @online{report:20210719:icedid:0365384, author = {The DFIR Report}, title = {{IcedID and Cobalt Strike vs Antivirus}}, date = {2021-07-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/}, language = {English}, urldate = {2021-07-20} } @online{report:20210801:bazarcall:bb6829b, author = {The DFIR Report}, title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}}, date = {2021-08-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } @online{report:20210829:cobalt:1e4595e, author = {The DFIR Report}, title = {{Cobalt Strike, a Defender’s Guide}}, date = {2021-08-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/}, language = {English}, urldate = {2021-08-31} } @online{report:20210913:bazarloader:5073703, author = {The DFIR Report}, title = {{BazarLoader to Conti Ransomware in 32 Hours}}, date = {2021-09-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/}, language = {English}, urldate = {2021-09-14} } @online{report:20211004:bazarloader:fe3adf3, author = {The DFIR Report}, title = {{BazarLoader and the Conti Leaks}}, date = {2021-10-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/}, language = {English}, urldate = {2021-10-11} } @online{report:20211018:icedid:0b574b0, author = {The DFIR Report}, title = {{IcedID to XingLocker Ransomware in 24 hours}}, date = {2021-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/}, language = {English}, urldate = {2021-10-22} } @online{report:20211129:continuing:646e622, author = {The DFIR Report}, title = {{CONTInuing the Bazar Ransomware Story}}, date = {2021-11-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/}, language = {English}, urldate = {2021-12-07} } @online{report:20211213:diavol:7b6e4e6, author = {The DFIR Report}, title = {{Diavol Ransomware}}, date = {2021-12-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/12/13/diavol-ransomware/}, language = {English}, urldate = {2021-12-22} } @online{report:20220124:cobalt:b0b48ee, author = {The DFIR Report}, title = {{Cobalt Strike, a Defender’s Guide – Part 2}}, date = {2022-01-24}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/}, language = {English}, urldate = {2022-01-25} } @online{report:20220207:qbot:35410a9, author = {The DFIR Report}, title = {{Qbot Likes to Move It, Move It}}, date = {2022-02-07}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/}, language = {English}, urldate = {2022-02-09} } @online{report:20220221:qbot:8b10b52, author = {The DFIR Report}, title = {{Qbot and Zerologon Lead To Full Domain Compromise}}, date = {2022-02-21}, url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/}, language = {English}, urldate = {2022-02-26} } @online{report:20220301:twitter:fbd496d, author = {The DFIR Report}, title = {{Twitter thread with highlights from conti leaks}}, date = {2022-03-01}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1498642512935800833}, language = {English}, urldate = {2022-03-02} } @online{report:20220307:2021:c2e2fbe, author = {The DFIR Report}, title = {{2021 Year In Review}}, date = {2022-03-07}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/03/07/2021-year-in-review/}, language = {English}, urldate = {2022-03-07} } @online{report:20220321:apt35:9f4291d, author = {The DFIR Report}, title = {{APT35 Automates Initial Access Using ProxyShell}}, date = {2022-03-21}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/}, language = {English}, urldate = {2022-03-22} } @online{report:20220425:quantum:128d2b3, author = {The DFIR Report}, title = {{Quantum Ransomware}}, date = {2022-04-25}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/}, language = {English}, urldate = {2022-04-25} } @online{report:20220509:seo:cc8b1c2, author = {The DFIR Report}, title = {{SEO Poisoning – A Gootloader Story}}, date = {2022-05-09}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/}, language = {English}, urldate = {2022-06-09} } @online{report:20220606:will:ad3aa0f, author = {The DFIR Report}, title = {{Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration}}, date = {2022-06-06}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/}, language = {English}, urldate = {2022-06-09} } @online{report:20220711:select:6de0c30, author = {The DFIR Report}, title = {{SELECT XMRig FROM SQLServer}}, date = {2022-07-11}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/}, language = {English}, urldate = {2022-07-12} } @online{report:20220808:bumblebee:74d81a8, author = {The DFIR Report}, title = {{BumbleBee Roasts Its Way to Domain Admin}}, date = {2022-08-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/}, language = {English}, urldate = {2022-08-09} } @online{report:20220912:dead:a6b31c3, author = {The DFIR Report}, title = {{Dead or Alive? An Emotet Story}}, date = {2022-09-12}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/}, language = {English}, urldate = {2022-09-12} } @online{report:20220926:bumblebee:bce1e92, author = {The DFIR Report}, title = {{BumbleBee: Round Two}}, date = {2022-09-26}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/09/26/bumblebee-round-two/}, language = {English}, urldate = {2022-10-04} } @online{report:20221128:emotet:53a5fed, author = {The DFIR Report}, title = {{Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware}}, date = {2022-11-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/}, language = {English}, urldate = {2022-11-28} } @online{report:20230109:unwrapping:d36b45f, author = {The DFIR Report}, title = {{Unwrapping Ursnifs Gifts}}, date = {2023-01-09}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/}, language = {English}, urldate = {2023-01-13} } @online{report:20230403:malicious:238465b, author = {The DFIR Report}, title = {{Malicious ISO File Leads to Domain Wide Ransomware}}, date = {2023-04-03}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/}, language = {English}, urldate = {2023-04-06} } @online{report:20230522:icedid:ecec658, author = {The DFIR Report}, title = {{IcedID Macro Ends in Nokoyawa Ransomware}}, date = {2023-05-22}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/}, language = {English}, urldate = {2023-08-10} } @online{report:20230610:icedid:4f45379, author = {The DFIR Report}, title = {{IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment}}, date = {2023-06-10}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/}, language = {English}, urldate = {2024-06-12} } @online{report:20230828:html:190a05e, author = {The DFIR Report}, title = {{HTML Smuggling Leads to Domain Wide Ransomware}}, date = {2023-08-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/}, language = {English}, urldate = {2023-08-28} } @online{report:20231204:sql:6f613e5, author = {The DFIR Report}, title = {{SQL Brute Force leads to Bluesky Ransomware}}, date = {2023-12-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/}, language = {English}, urldate = {2023-12-04} } @online{report:20240226:seo:5e9a118, author = {The DFIR Report}, title = {{SEO Poisoning to Domain Control: The Gootloader Saga Continues}}, date = {2024-02-26}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/}, language = {English}, urldate = {2024-08-29} } @online{report:20240401:from:18b410a, author = {The DFIR Report}, title = {{From OneNote to RansomNote: An Ice Cold Intrusion}}, date = {2024-04-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/}, language = {English}, urldate = {2024-04-03} } @online{report:20240429:from:1a33752, author = {The DFIR Report}, title = {{From IcedID to Dagon Locker Ransomware in 29 Days}}, date = {2024-04-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/}, language = {English}, urldate = {2024-04-29} } @online{report:20240826:blacksuit:32a27a8, author = {The DFIR Report}, title = {{BlackSuit Ransomware}}, date = {2024-08-26}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2024/08/26/blacksuit-ransomware/}, language = {English}, urldate = {2024-08-29} } @online{report:20240930:nitrogen:7d9aca8, author = {The DFIR Report}, title = {{Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware}}, date = {2024-09-30}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/}, language = {English}, urldate = {2024-10-14} } @online{reports:20220828:revealing:a35cbfb, author = {Lighthouse Reports}, title = {{Revealing Europe's NSO}}, date = {2022-08-28}, organization = {Lighthouse Reports}, url = {https://www.lighthousereports.nl/investigation/revealing-europes-nso}, language = {English}, urldate = {2022-08-31} } @techreport{republic:20201130:annual:3f66ffc, author = {Intelligence Service of the Czech Republic}, title = {{Annual Report of the Security Information Service for 2019}}, date = {2020-11-30}, institution = {Intelligence Service of the Czech Republic}, url = {https://www.bis.cz/public/site/bis.cz/content/vvz-2019-web-en-k-publikaci.pdf}, language = {English}, urldate = {2021-02-20} } @online{resch:20220316:cve202223812:08da7b9, author = {Tyler Resch}, title = {{CVE-2022-23812: RIAEvangelist/node-ipc is malware / protestware}}, date = {2022-03-16}, organization = {Github (MidSpike)}, url = {https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c}, language = {English}, urldate = {2022-03-18} } @techreport{research:20131205:did:2e2631c, author = {ESET Research}, title = {{Did you sayAdvanced Persistent Threats?}}, date = {2013-12-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{research:201401:rsa:5fa5815, author = {RSA Research}, title = {{RSA Incident Response: Emerging Threat Profile Shell_Crew}}, date = {2014-01}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf}, language = {English}, urldate = {2021-01-29} } @online{research:20141222:virlock:100422a, author = {ESET Research}, title = {{Virlock: First Self‑Reproducing Ransomware is also a Shape Shifter}}, date = {2014-12-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/}, language = {English}, urldate = {2022-11-15} } @online{research:20150331:volatile:416807b, author = {Check Point Research}, title = {{Volatile Cedar - Analysis of a Global Cyber Espionage Campaign}}, date = {2015-03-31}, organization = {Check Point Research}, url = {https://blog.checkpoint.com/2015/03/31/volatilecedar/}, language = {English}, urldate = {2020-04-06} } @online{research:20150429:unboxing:44bea52, author = {ESET Research}, title = {{Unboxing Linux/Mumblehard: Muttering spam from your servers}}, date = {2015-04-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/}, language = {English}, urldate = {2022-05-11} } @online{research:20150710:sednit:5884509, author = {ESET Research}, title = {{Sednit APT Group Meets Hacking Team}}, date = {2015-07-10}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/}, language = {English}, urldate = {2019-12-20} } @online{research:20160830:osxkeydnap:7cbb906, author = {ESET Research}, title = {{OSX/Keydnap spreads via signed Transmission application}}, date = {2016-08-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/}, language = {English}, urldate = {2019-11-14} } @techreport{research:201608:en:0617083, author = {ESET Research}, title = {{En Route with Sednit - Part 1: Approaching the Target}}, date = {2016-08}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf}, language = {English}, urldate = {2019-12-10} } @techreport{research:20160911:en:28dbd06, author = {ESET Research}, title = {{En Route with Sednit - Part 3: A Mysterious Downloader}}, date = {2016-09-11}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf}, language = {English}, urldate = {2019-10-12} } @techreport{research:20161020:en:e2e6603, author = {ESET Research}, title = {{En Route with Sednit Part 2: Observing the Comings and Goings}}, date = {2016-10-20}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf}, language = {English}, urldate = {2019-10-25} } @online{research:20161102:linuxmoose:443434c, author = {ESET Research}, title = {{Linux/Moose: Still breathing}}, date = {2016-11-02}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/}, language = {English}, urldate = {2019-10-18} } @techreport{research:20170213:kingslayer:98f4892, author = {RSA Research}, title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}}, date = {2017-02-13}, institution = {RSA}, url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf}, language = {English}, urldate = {2020-01-08} } @online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} } @online{research:20170406:sathurbot:53f5afb, author = {ESET Research}, title = {{Sathurbot: Distributed WordPress password attack}}, date = {2017-04-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/}, language = {English}, urldate = {2019-12-20} } @online{research:20170425:linux:9cd64b2, author = {ESET Research and Michal Malík}, title = {{Linux Shishiga malware using LUA scripts}}, date = {2017-04-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/}, language = {English}, urldate = {2019-11-14} } @online{research:20170509:sednit:dde92c1, author = {ESET Research}, title = {{Sednit adds two zero‑day exploits using ‘Trump’s attack on Syria’ as a decoy}}, date = {2017-05-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/}, language = {English}, urldate = {2019-12-20} } @online{research:20171013:doublelocker:31bd943, author = {ESET Research}, title = {{DoubleLocker: Innovative Android Ransomware}}, date = {2017-10-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/}, language = {English}, urldate = {2019-11-14} } @online{research:20171020:osxproton:9c3f253, author = {ESET Research}, title = {{OSX/Proton spreading again through supply‑chain attack}}, date = {2017-10-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/}, language = {English}, urldate = {2019-12-20} } @online{research:20171221:sednit:630ff7c, author = {ESET Research}, title = {{Sednit update: How Fancy Bear Spent the Year}}, date = {2017-12-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/}, language = {English}, urldate = {2019-11-14} } @techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } @online{research:20180424:sednit:ab398cd, author = {ESET Research}, title = {{Sednit update: Analysis of Zebrocy}}, date = {2018-04-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/}, language = {English}, urldate = {2019-11-14} } @online{research:20180522:turla:358ccf7, author = {ESET Research}, title = {{Turla Mosquito: A shift towards more generic tools}}, date = {2018-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/}, language = {English}, urldate = {2019-11-14} } @online{research:20180606:banking:97835c7, author = {Check Point Research}, title = {{Banking Trojans Under Development}}, date = {2018-06-06}, organization = {Check Point}, url = {https://research.checkpoint.com/banking-trojans-development/}, language = {English}, urldate = {2019-11-21} } @online{research:20180708:attack:bc66648, author = {Check Point Research}, title = {{APT Attack In the Middle East: The Big Bang}}, date = {2018-07-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/apt-attack-middle-east-big-bang/}, language = {English}, urldate = {2020-01-08} } @online{research:20180711:hawkeye:c74affb, author = {Office 365 Threat Research}, title = {{Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis}}, date = {2018-07-11}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/}, language = {English}, urldate = {2019-11-27} } @online{research:20180921:danabot:a939e5f, author = {ESET Research}, title = {{DanaBot shifts its targeting to Europe, adds new features}}, date = {2018-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/}, language = {English}, urldate = {2019-11-14} } @online{research:20180927:lojax:5351e6c, author = {ESET Research}, title = {{LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group}}, date = {2018-09-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/}, language = {English}, urldate = {2020-01-10} } @techreport{research:201809:lojax:747e1e3, author = {ESET Research}, title = {{LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group}}, date = {2018-09}, institution = {}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf}, language = {English}, urldate = {2019-12-17} } @online{research:20181109:emotet:b12ec91, author = {ESET Research}, title = {{Emotet launches major new spam campaign}}, date = {2018-11-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/}, language = {English}, urldate = {2019-11-14} } @online{research:20181120:sednit:caedbdb, author = {ESET Research}, title = {{Sednit: What’s going on with Zebrocy?}}, date = {2018-11-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/}, language = {English}, urldate = {2019-11-14} } @online{research:20181202:ransomware:193f7d3, author = {Check Point Research}, title = {{The Ransomware Doctor Without A Cure}}, date = {2018-12-02}, organization = {Check Point}, url = {https://research.checkpoint.com/2018/the-ransomware-doctor-without-a-cure/}, language = {English}, urldate = {2023-06-01} } @online{research:20181206:danabot:dd22bc3, author = {ESET Research}, title = {{DanaBot evolves beyond banking Trojan with new spam‑sending capability}}, date = {2018-12-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/}, language = {English}, urldate = {2019-11-14} } @online{research:20190129:osxkeydnap:84165a7, author = {ESET Research}, title = {{OSX/Keydnap IoCs}}, date = {2019-01-29}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/keydnap}, language = {English}, urldate = {2020-01-10} } @online{research:20190207:danabot:6346e2b, author = {ESET Research}, title = {{DanaBot updated with new C&C communication}}, date = {2019-02-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/}, language = {English}, urldate = {2019-11-14} } @online{research:20190402:report:83c188f, author = {Cylance Research and Intelligence Team}, title = {{Report: OceanLotus APT Group Leveraging Steganography}}, date = {2019-04-02}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html}, language = {English}, urldate = {2019-10-22} } @online{research:20190409:collection:5c86878, author = {ESET Research}, title = {{Collection of helper scripts for OceanLotus}}, date = {2019-04-09}, organization = {Github (eset)}, url = {https://github.com/eset/malware-research/tree/master/oceanlotus}, language = {English}, urldate = {2020-01-07} } @online{research:20190410:muddy:b75ef4a, author = {Check Point Research}, title = {{The Muddy Waters of APT Attacks}}, date = {2019-04-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/}, language = {English}, urldate = {2023-07-10} } @online{research:20190430:buhtrap:ebdeba3, author = {ESET Research}, title = {{Buhtrap backdoor and Buran ransomware distributed via major advertising platform}}, date = {2019-04-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/}, language = {English}, urldate = {2019-11-14} } @online{research:20190514:reaver:1c6651d, author = {Cylance Research and Intelligence Team}, title = {{Reaver: Mapping Connections Between Disparate Chinese APT Groups}}, date = {2019-05-14}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html}, language = {English}, urldate = {2019-12-24} } @online{research:20190522:journey:0627ad7, author = {ESET Research}, title = {{A journey to Zebrocy land}}, date = {2019-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/}, language = {English}, urldate = {2019-11-14} } @online{research:20190611:interplanetary:8cdea99, author = {Anomali Threat Research}, title = {{The InterPlanetary Storm: New Malware in Wild Using InterPlanetary File System’s (IPFS) p2p network}}, date = {2019-06-11}, organization = {Anomali}, url = {https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network}, language = {English}, urldate = {2020-10-05} } @online{research:20190710:agent:2cb01b6, author = {Checkpoint Research}, title = {{Agent Smith: A New Species of Mobile Malware}}, date = {2019-07-10}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/}, language = {English}, urldate = {2023-06-06} } @online{research:20190715:threat:27dd51b, author = {Blackberry Research}, title = {{Threat Spotlight: Virlock Polymorphic Ransomware}}, date = {2019-07-15}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2019/07/threat-spotlight-virlock-polymorphic-ransomware}, language = {English}, urldate = {2022-11-18} } @online{research:20190726:turla:d2b71c9, author = {ESET Research}, title = {{Turla Indicators of Compromise}}, date = {2019-07-26}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/turla}, language = {English}, urldate = {2020-01-08} } @online{research:20190805:sharpening:878343f, author = {ESET Research}, title = {{Sharpening the Machete}}, date = {2019-08-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/}, language = {English}, urldate = {2019-11-14} } @online{research:20190808:varenyky:6066a48, author = {ESET Research}, title = {{Varenyky: Spambot à la Française}}, date = {2019-08-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/}, language = {English}, urldate = {2019-11-14} } @online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } @online{research:20190924:no:a84b64a, author = {ESET Research}, title = {{No summer vacations for Zebrocy}}, date = {2019-09-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/}, language = {English}, urldate = {2019-11-14} } @online{research:20191003:casbaneiro:156ccd3, author = {ESET Research}, title = {{Casbaneiro: Dangerous cooking with a secret ingredient}}, date = {2019-10-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerou}, language = {English}, urldate = {2023-09-05} } @online{research:20191017:operation:812f836, author = {ESET Research}, title = {{Operation Ghost: The Dukes aren’t back – they never left}}, date = {2019-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/}, language = {English}, urldate = {2020-01-09} } @techreport{research:20191023:mobile:b5cb828, author = {Blackberry Research}, title = {{Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform}}, date = {2019-10-23}, institution = {Cylance}, url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf}, language = {English}, urldate = {2020-08-10} } @online{research:20191119:mispadu:5048163, author = {ESET Research}, title = {{Mispadu: Advertisement for a discounted Unhappy Meal}}, date = {2019-11-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/}, language = {English}, urldate = {2020-08-18} } @online{research:20191121:registers:1d8dd12, author = {ESET Research}, title = {{Registers as "Default Print Monitor", but is a malicious downloader. Meet DePriMon}}, date = {2019-11-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader}, language = {English}, urldate = {2020-04-06} } @online{research:20191121:registers:d6f0362, author = {ESET Research}, title = {{Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon}}, date = {2019-11-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/}, language = {English}, urldate = {2021-02-25} } @online{research:20191203:afrodita:8c3d9fc, author = {Check Point Research}, title = {{Tweet on Afrodita Ransomware}}, date = {2019-12-03}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1201957880909484033}, language = {English}, urldate = {2020-01-07} } @online{research:20191224:gozi:6cca2ca, author = {SophosLabs Threat Research}, title = {{Gozi V3: tracked by their own stealth}}, date = {2019-12-24}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/}, language = {English}, urldate = {2020-01-13} } @online{research:20200127:phorpiex:90211ec, author = {Checkpoint Research}, title = {{Phorpiex Arsenal: Part I}}, date = {2020-01-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/}, language = {English}, urldate = {2023-11-13} } @online{research:20200216:hamas:c7c85d6, author = {Check Point Research}, title = {{Hamas Android Malware On IDF Soldiers-This is How it Happened}}, date = {2020-02-16}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/}, language = {English}, urldate = {2020-02-25} } @online{research:20200305:guildma:a339bd6, author = {ESET Research}, title = {{Guildma: The Devil drives electric}}, date = {2020-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/}, language = {English}, urldate = {2020-03-09} } @online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } @online{research:20200322:covid19:bffc95c, author = {Anomali Threat Research}, title = {{COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication}}, date = {2020-03-22}, organization = {Anomali}, url = {https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication}, language = {English}, urldate = {2023-12-19} } @online{research:20200331:storm:b491e72, author = {Volexity Threat Research}, title = {{Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign}}, date = {2020-03-31}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/}, language = {English}, urldate = {2020-04-07} } @techreport{research:20200407:decade:6441e18, author = {Blackberry Research}, title = {{Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android}}, date = {2020-04-07}, institution = {Blackberry}, url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf}, language = {English}, urldate = {2020-08-10} } @online{research:20200410:threat:cca3f85, author = {Check Point Research}, title = {{Threat Actors Migrating to the Cloud}}, date = {2020-04-10}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/}, language = {English}, urldate = {2020-04-13} } @online{research:20200428:grandoreiro:8d82542, author = {ESET Research}, title = {{Grandoreiro: How engorged can an EXE get?}}, date = {2020-04-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/}, language = {English}, urldate = {2020-05-05} } @online{research:20200505:nazar:a4d2c7c, author = {Check Point Research}, title = {{Nazar: Spirits of the Past}}, date = {2020-05-05}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/nazar-spirits-of-the-past/}, language = {English}, urldate = {2020-05-05} } @online{research:20200507:naikon:7449e41, author = {Check Point Research}, title = {{Naikon APT: Cyber Espionage Reloaded}}, date = {2020-05-07}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/}, language = {English}, urldate = {2020-05-07} } @online{research:20200507:peddlecheap:8a701e3, author = {ESET Research}, title = {{Tweet on PeddleCheap packed with Winnti packer}}, date = {2020-05-07}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1258353960781598721}, language = {English}, urldate = {2020-05-07} } @online{research:20200604:threat:a9bc9b3, author = {Blackberry Research}, title = {{Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors}}, date = {2020-06-04}, organization = {Raytheon Blackbird Technologies}, url = {https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors}, language = {English}, urldate = {2020-06-08} } @online{research:20200608:ginp:5379e4f, author = {ESET Research}, title = {{Tweet on Ginp android banking trojan targeting Government of Spain, Ministry of Health}}, date = {2020-06-08}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1269945115738542080}, language = {English}, urldate = {2020-06-11} } @online{research:20200608:guloader:1f5e7ae, author = {Check Point Research}, title = {{GuLoader? No, CloudEyE.}}, date = {2020-06-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/guloader-cloudeye/}, language = {English}, urldate = {2020-06-11} } @online{research:20200618:office:3fea28c, author = {Check Point Research}, title = {{Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers}}, date = {2020-06-18}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/phishing-campaign-exploits-samsung-adobe-and-oxford-servers/}, language = {English}, urldate = {2020-06-19} } @online{research:20200624:malicious:8ea3789, author = {ESET Research}, title = {{Tweet on malicious EFI bootloader which displays a ransom message and prevents the computer from booting}}, date = {2020-06-24}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1275770256389222400}, language = {English}, urldate = {2020-06-24} } @online{research:20200813:mekotio:4d7964c, author = {ESET Research}, title = {{Mekotio: These aren’t the security updates you’re looking for…}}, date = {2020-08-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for}, language = {English}, urldate = {2020-08-14} } @online{research:20200813:mekotio:c7c68ed, author = {ESET Research}, title = {{Mekotio: These aren’t the security updates you’re looking for…}}, date = {2020-08-13}, url = {https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/}, language = {English}, urldate = {2020-08-24} } @online{research:20200828:gozi:944c005, author = {Check Point Research}, title = {{Gozi: The Malware with a Thousand Faces}}, date = {2020-08-28}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/}, language = {English}, urldate = {2020-09-01} } @online{research:20200920:rampant:778d674, author = {Check Point Research}, title = {{Rampant Kitten – An Iranian Espionage Campaign}}, date = {2020-09-20}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/}, language = {English}, urldate = {2020-09-21} } @online{research:20201001:latam:6e349e9, author = {ESET Research}, title = {{LATAM financial cybercrime: Competitors‑in‑crime sharing TTPs}}, date = {2020-10-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/}, language = {English}, urldate = {2020-10-09} } @techreport{research:20201006:bahamut:2a6157f, author = {Blackberry Research}, title = {{BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps}}, date = {2020-10-06}, institution = {Blackberry}, url = {https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf}, language = {English}, urldate = {2020-10-08} } @techreport{research:20201028:threat:269f2d0, author = {ESET Research}, title = {{THREAT REPORT Q3 2020}}, date = {2020-10-28}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/10/ESET_Threat_Report_Q32020.pdf}, language = {English}, urldate = {2020-10-29} } @online{research:20201106:ransomware:a394f4b, author = {Check Point Research}, title = {{Ransomware Alert: Pay2Key}}, date = {2020-11-06}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/ransomware-alert-pay2key/}, language = {English}, urldate = {2020-11-06} } @online{research:20201126:bandook:7796023, author = {Check Point Research}, title = {{Bandook: Signed & Delivered}}, date = {2020-11-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/bandook-signed-delivered/}, language = {English}, urldate = {2020-12-01} } @online{research:20201126:bandook:c06ea4b, author = {Checkpoint Research}, title = {{Bandook: Signed & Delivered}}, date = {2020-11-26}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/bandook-signed-delivered}, language = {English}, urldate = {2022-07-13} } @online{research:20201202:icedid:d43e06d, author = {Cyberint Research}, title = {{IcedID Stealer Man-in-the-browser Banking Trojan}}, date = {2020-12-02}, organization = {CyberInt}, url = {https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan}, language = {English}, urldate = {2020-12-11} } @online{research:20201214:egregor:12d845c, author = {Trend Micro Research}, title = {{Egregor Ransomware Launches String of High-Profile Attacks to End 2020}}, date = {2020-12-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html}, language = {English}, urldate = {2020-12-16} } @online{research:20201221:how:42cc330, author = {SophosLabs Threat Research}, title = {{How SunBurst malware does defense evasion}}, date = {2020-12-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/}, language = {English}, urldate = {2020-12-23} } @online{research:20201222:sunburst:f3cfd5f, author = {Check Point Research}, title = {{SUNBURST, TEARDROP and the NetSec New Normal}}, date = {2020-12-22}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/}, language = {English}, urldate = {2020-12-23} } @techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } @online{research:20210104:dridex:2741eba, author = {Check Point Research}, title = {{DRIDEX Stopping Serial Killer: Catching the Next Strike}}, date = {2021-01-04}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/}, language = {English}, urldate = {2021-01-05} } @online{research:20210105:earth:d7bb547, author = {Trend Micro Research}, title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}}, date = {2021-01-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html}, language = {English}, urldate = {2021-01-10} } @online{research:20210105:overview:1f90b7c, author = {Trend Micro Research}, title = {{An Overview of the DoppelPaymer Ransomware}}, date = {2021-01-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html}, language = {English}, urldate = {2021-01-11} } @online{research:20210121:vadokrist:5e5cf82, author = {ESET Research}, title = {{Vadokrist: A wolf in sheep’s clothing}}, date = {2021-01-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/}, language = {English}, urldate = {2021-01-25} } @online{research:20210126:examining:c893112, author = {Trend Micro Research}, title = {{Examining a Sodinokibi Attack}}, date = {2021-01-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html}, language = {English}, urldate = {2021-01-27} } @online{research:20210208:domestic:202aaca, author = {Check Point Research}, title = {{Domestic Kitten – An Inside Look at the Iranian Surveillance Operations}}, date = {2021-02-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/}, language = {English}, urldate = {2021-02-09} } @techreport{research:20210208:threat:fc2b885, author = {ESET Research}, title = {{THREAT REPORT Q4 2020}}, date = {2021-02-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf}, language = {English}, urldate = {2021-02-09} } @online{research:20210212:twitter:8703272, author = {ESET Research}, title = {{A twitter thread on discussing updated attack chain of EVILNUM group and their use PYVIL malware}}, date = {2021-02-12}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1360178593968623617}, language = {English}, urldate = {2021-02-18} } @online{research:20210216:apomacrosploit:91549e1, author = {Check Point Research}, title = {{ApoMacroSploit: Apocalyptical FUD race}}, date = {2021-02-16}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/}, language = {English}, urldate = {2021-02-20} } @online{research:20210302:exchange:4473faa, author = {ESET Research}, title = {{Tweet on Exchange RCE}}, date = {2021-03-02}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1366862946488451088}, language = {English}, urldate = {2021-03-10} } @online{research:20210308:renewed:e3a9842, author = {DeepEnd Research}, title = {{Renewed SideWinder Activity in South Asia}}, date = {2021-03-08}, organization = {DeepEnd REsearch}, url = {http://www.deependresearch.org/2021/03/renewed-sidewinder-activity-in-south.html}, language = {English}, urldate = {2021-03-11} } @techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } @online{research:20210325:iosspypostloa:bf0bfac, author = {ESET Research}, title = {{Tweet on iOS/Spy.Postlo.A malware}}, date = {2021-03-25}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1374889630399619080}, language = {English}, urldate = {2021-06-16} } @online{research:20210408:irans:127f349, author = {Check Point Research}, title = {{Iran’s APT34 Returns with an Updated Arsenal}}, date = {2021-04-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/}, language = {English}, urldate = {2021-04-09} } @online{research:20210413:tscookie:affc5a0, author = {ESET Research}, title = {{Tweet on TSCookie for FreeBSD platform}}, date = {2021-04-13}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1382054011264700416}, language = {English}, urldate = {2021-04-14} } @online{research:20210504:n3tw0rm:626085f, author = {Trend Micro Research}, title = {{Tweet on N3tw0rm ransomware, that has started affecting users in Israel.}}, date = {2021-05-04}, organization = {Twitter (@TrendMicroRSRCH)}, url = {https://twitter.com/TrendMicroRSRCH/status/1389422784808378370}, language = {English}, urldate = {2021-05-04} } @online{research:20210505:ousaban:655e747, author = {ESET Research}, title = {{Ousaban: Private photo collection hidden in a CABinet}}, date = {2021-05-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/}, language = {English}, urldate = {2021-05-08} } @online{research:20210512:what:cf1638f, author = {Trend Micro Research}, title = {{What We Know About Darkside Ransomware and the US Pipeline Attack}}, date = {2021-05-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html}, language = {English}, urldate = {2021-05-13} } @online{research:20210527:uyghurs:ee8be99, author = {Check Point Research}, title = {{Uyghurs, a Turkic ethnic minority in China, targeted via fake foundations - Check Point Research}}, date = {2021-05-27}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/uyghurs-a-turkic-ethnic-minority-in-china-targeted-via-fake-foundations/}, language = {English}, urldate = {2021-06-16} } @online{research:20210602:sharppanda:5a21952, author = {Check Point Research}, title = {{SharpPanda: Chinese APT Group Targets Southeast Asian Government With Previously Unknown Backdoor}}, date = {2021-06-02}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/}, language = {English}, urldate = {2021-06-04} } @online{research:20210701:indigozebra:b9e8c55, author = {Check Point Research}, title = {{IndigoZebra APT continues to attack Central Asia with evolving tools}}, date = {2021-07-01}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/}, language = {English}, urldate = {2021-08-03} } @online{research:20210715:freebsd:eda7f95, author = {ESET Research}, title = {{Tweet on FreeBSD targeted with Golang backdoor}}, date = {2021-07-15}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1415542456360263682}, language = {English}, urldate = {2021-07-20} } @online{research:20210721:top:9329aad, author = {Check Point Research}, title = {{Top prevalent malware with a thousand campaigns migrates to macOS}}, date = {2021-07-21}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/}, language = {English}, urldate = {2021-07-26} } @online{research:20210814:indra:aa5bbe8, author = {Checkpoint Research}, title = {{Indra — Hackers Behind Recent Attacks on Iran}}, date = {2021-08-14}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/}, language = {English}, urldate = {2021-08-16} } @online{research:20210903:twitter:1e08c95, author = {ESET Research}, title = {{Twitter thread on SPARKLOG, a launcher component for PRIVATELOG along with STASHLOG}}, date = {2021-09-03}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1433819369784610828}, language = {English}, urldate = {2021-09-14} } @online{research:20210917:numando:a7866e5, author = {ESET Research}, title = {{Numando: Count once, code twice}}, date = {2021-09-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/}, language = {English}, urldate = {2021-09-19} } @online{research:20210920:darkiot:0693e33, author = {ESET Research}, title = {{Tweet on Dark.IoT Botnet exploiting critical Azure vulnerability CVE-2021-38647 #OMIGOD}}, date = {2021-09-20}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1440052837820428298?s=20}, language = {English}, urldate = {2021-09-22} } @online{research:20210923:c:02fc0f8, author = {ESET Research}, title = {{Tweet on C# variant of the nccTrojan}}, date = {2021-09-23}, organization = {ESET Research}, url = {https://twitter.com/ESETresearch/status/1441139057682104325?s=20}, language = {English}, urldate = {2021-09-29} } @online{research:20210924:flash:3cef291, author = {ZeroFox Research}, title = {{Flash Report: Colossus Ransomware}}, date = {2021-09-24}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/flash-report-colossus-ransomware/}, language = {English}, urldate = {2021-09-28} } @online{research:20211006:ermac:62d2cc4, author = {ESET Research}, title = {{Tweet on ERMAC android malware}}, date = {2021-10-06}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1445618031464357888}, language = {English}, urldate = {2021-10-20} } @techreport{research:20211006:finding:50936df, author = {Blackberry Research}, title = {{Finding Beacons in the Dark}}, date = {2021-10-06}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf}, language = {English}, urldate = {2021-11-08} } @online{research:20211012:of:80a5962, author = {Check Point Research}, title = {{Tweet of re-emergence phorpiex with a new "Twizt" module}}, date = {2021-10-12}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1447852018794643457}, language = {English}, urldate = {2021-11-08} } @online{research:20211015:malicious:04da9c1, author = {ESET Research}, title = {{Tweet on a malicious campaign targeting governmental and education entities in Colombia using multiple stages to drop AsyncRAT or njRAT Keylogger on their victims}}, date = {2021-10-15}, organization = {ESET Research}, url = {https://twitter.com/ESETresearch/status/1449132020613922828}, language = {English}, urldate = {2021-11-08} } @online{research:20211029:freebsd:f994b0c, author = {ESET Research}, title = {{Tweet on FreeBSD and LInux version of Hive ransomware}}, date = {2021-10-29}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1454100591261667329}, language = {English}, urldate = {2021-11-03} } @online{research:20211109:compromised:47958cb, author = {Trend Micro Research}, title = {{Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT}}, date = {2021-11-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html}, language = {English}, urldate = {2021-11-25} } @online{research:20211110:discovery:c5ef2c6, author = {ESET Research}, title = {{Tweet on a discovery of a trojanized IDA Pro installer, distributed by the LABYRINTH CHOLLIMA group.}}, date = {2021-11-10}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1458438155149922312}, language = {English}, urldate = {2021-12-01} } @techreport{research:20211110:void:e3ef7db, author = {Trend Micro Research}, title = {{Void Balaur and the Rise of the Cybermercenary Industry}}, date = {2021-11-10}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf}, language = {English}, urldate = {2021-11-17} } @online{research:20211110:void:f925ba5, author = {Trend Micro Research}, title = {{Void Balaur and the Rise of the Cybermercenary Industry (IOCs)}}, date = {2021-11-10}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/txt/IOCs-void-balaur-tracking-a-cybermercenary-activities.txt}, language = {English}, urldate = {2021-11-17} } @online{research:20211115:uncovering:b8d5b9b, author = {Check Point Research}, title = {{Uncovering MosesStaff techniques: Ideology over Money}}, date = {2021-11-15}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/}, language = {English}, urldate = {2021-11-17} } @online{research:20211116:32bit:f9aff89, author = {Check Point Research}, title = {{Tweet on 32bit version of CVE-2021-1732 exploited by BITTER group}}, date = {2021-11-16}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1460643735952318474}, language = {English}, urldate = {2021-11-19} } @online{research:20211116:how:d7fdaf8, author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski}, title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}}, date = {2021-11-16}, organization = {IronNet}, url = {https://www.ironnet.com/blog/ransomware-graphic-blog}, language = {English}, urldate = {2021-11-25} } @online{research:20211123:mummy:8cffd4e, author = {Anomali Threat Research}, title = {{Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return}}, date = {2021-11-23}, organization = {Anomali}, url = {https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return}, language = {English}, urldate = {2021-11-26} } @online{research:20211201:analyzing:18167cf, author = {Trend Micro Research}, title = {{Analyzing How TeamTNT Used Compromised Docker Hub Accounts}}, date = {2021-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html}, language = {English}, urldate = {2021-12-07} } @online{research:20211207:xe:a5da34b, author = {Volexity Threat Research}, title = {{XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit}}, date = {2021-12-07}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/12/06/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/}, language = {English}, urldate = {2021-12-08} } @online{research:20211215:dirty:fd771eb, author = {ESET Research}, title = {{The dirty dozen of Latin America: From Amavaldo to Zumanek}}, date = {2021-12-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/}, language = {English}, urldate = {2022-01-05} } @online{research:20211220:ransomware:d613fb1, author = {Trend Micro Research}, title = {{Ransomware Spotlight: REvil}}, date = {2021-12-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil}, language = {English}, urldate = {2022-01-05} } @online{research:20211227:deep:c94d67d, author = {Checkpoint Research}, title = {{A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard}}, date = {2021-12-27}, url = {https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/}, language = {English}, urldate = {2022-01-05} } @online{research:20220111:apt35:c5e9ff3, author = {Check Point Research}, title = {{APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit}}, date = {2022-01-11}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/}, language = {English}, urldate = {2022-01-18} } @online{research:20220115:donot:42f890e, author = {ESET Research}, title = {{Donot Team — Indicators of Compromise}}, date = {2022-01-15}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/donot}, language = {English}, urldate = {2022-02-17} } @online{research:20220118:eset:f6e99fd, author = {ESET Research}, title = {{ESET Research investigates Donot Team: Cyberespionage targeting military & governments in South Asia}}, date = {2022-01-18}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-investigates-donot-team-cyberespionage-targeting-military-governments-in-south-asia/}, language = {English}, urldate = {2022-02-17} } @online{research:20220121:whitelambert:e5581c9, author = {Check Point Research}, title = {{Tweet on WhiteLambert malware}}, date = {2022-01-21}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1484502090068242433}, language = {English}, urldate = {2022-01-25} } @online{research:20220208:ransomware:df64c5f, author = {Trend Micro Research}, title = {{Ransomware Spotlight: LockBit}}, date = {2022-02-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit}, language = {English}, urldate = {2022-02-09} } @techreport{research:20220209:threat:507947f, author = {ESET Research}, title = {{THREAT REPORT T3 2021}}, date = {2022-02-09}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf}, language = {English}, urldate = {2022-02-10} } @online{research:20220222:ransomware:677506b, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Clop}}, date = {2022-02-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop}, language = {English}, urldate = {2022-02-26} } @online{research:20220301:isaacwiper:a2ff019, author = {ESET Research}, title = {{IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine}}, date = {2022-03-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/}, language = {English}, urldate = {2022-03-02} } @online{research:20220303:cloud:979361d, author = {Proofpoint Cloud Security Research}, title = {{Cloud Credential Compromise Campaign Originating from Russian-Affiliated Infrastructure}}, date = {2022-03-03}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/cloud-security/cloud-credential-compromise-campaign-originating-russian-affiliated}, language = {English}, urldate = {2022-03-07} } @online{research:20220303:cyberattacks:d961eb0, author = {Trend Micro Research}, title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}}, date = {2022-03-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html}, language = {English}, urldate = {2022-03-04} } @techreport{research:20220303:ioc:216aad3, author = {Trend Micro Research}, title = {{IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks}}, date = {2022-03-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf}, language = {English}, urldate = {2022-03-04} } @online{research:20220310:leaks:4880b6a, author = {Check Point Research}, title = {{Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of}}, date = {2022-03-10}, url = {https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/}, language = {English}, urldate = {2022-03-14} } @online{research:20220314:caddywiper:ac25105, author = {ESET Research}, title = {{Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine}}, date = {2022-03-14}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1503436420886712321}, language = {English}, urldate = {2022-03-14} } @online{research:20220315:caddywiper:0edb827, author = {ESET Research}, title = {{CaddyWiper: New wiper malware discovered in Ukraine}}, date = {2022-03-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/}, language = {English}, urldate = {2022-03-15} } @techreport{research:20220317:navigating:5ad631e, author = {Trend Micro Research}, title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}}, date = {2022-03-17}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf}, language = {English}, urldate = {2022-03-22} } @online{research:20220318:ransomware:db77bd2, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Hive}}, date = {2022-03-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive}, language = {English}, urldate = {2022-03-28} } @online{research:20220321:python:7dbe8dd, author = {Trend Micro Research}, title = {{Python script to check a Cyclops Blink C&C}}, date = {2022-03-21}, organization = {Github (trendmicro)}, url = {https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py}, language = {English}, urldate = {2022-03-28} } @online{research:20220324:pipemon:351014e, author = {ESET Research}, title = {{Tweet on PipeMon variants by Winnti Group}}, date = {2022-03-24}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1506904404225630210}, language = {English}, urldate = {2022-03-30} } @online{research:20220331:statesponsored:d8ce198, author = {Check Point Research}, title = {{State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage}}, date = {2022-03-31}, url = {https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/}, language = {English}, urldate = {2022-04-05} } @online{research:20220404:ransomware:3ed5da4, author = {Trend Micro Research}, title = {{Ransomware Spotlight: AvosLocker}}, date = {2022-04-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker}, language = {English}, urldate = {2022-04-07} } @online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } @online{research:20220412:march:2c56dc6, author = {Check Point Research}, title = {{March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance}}, date = {2022-04-12}, organization = {Check Point}, url = {https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/}, language = {English}, urldate = {2022-04-20} } @online{research:20220414:bluehornet:033b362, author = {Cyberint Research}, title = {{BlueHornet – One APT to Terrorize Them All}}, date = {2022-04-14}, organization = {CyberInt}, url = {https://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/}, language = {English}, urldate = {2024-12-09} } @online{research:20220505:sticky:4c2e9ed, author = {DomainTools Research}, title = {{A Sticky Situation Part 1: The Pervasive Nature of Credit Card Skimmers}}, date = {2022-05-05}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/a-sticky-situation-part-1-the-pervasive-nature-of-credit-card-skimmers}, language = {English}, urldate = {2022-08-26} } @online{research:20220512:kuraystealer:18931e5, author = {Uptycs Threat Research}, title = {{KurayStealer: A Bandit Using Discord Webhooks}}, date = {2022-05-12}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks}, language = {English}, urldate = {2022-05-17} } @online{research:20220517:ransomware:7b86339, author = {Trend Micro Research}, title = {{Ransomware Spotlight: RansomEXX}}, date = {2022-05-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx}, language = {English}, urldate = {2022-05-25} } @online{research:20220519:twisted:646cd84, author = {Check Point Research}, title = {{Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes}}, date = {2022-05-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/}, language = {English}, urldate = {2022-05-25} } @techreport{research:20220523:lockbit:6eb72ce, author = {Trend Micro Research}, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf}, language = {English}, urldate = {2022-05-29} } @online{research:20220628:malware:896fb41, author = {Check Point Research}, title = {{Tweet on malware used against Steel Industry in Iran}}, date = {2022-06-28}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_cpresearch_/status/1541753913732366338}, language = {English}, urldate = {2022-07-25} } @online{research:20220705:ransomware:01bdccf, author = {Trend Micro Research}, title = {{Ransomware Spotlight: BlackByte}}, date = {2022-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte}, language = {English}, urldate = {2022-07-12} } @online{research:20220713:hit:79199ac, author = {Check Point Research}, title = {{A Hit is made: Suspected India-based Sidewinder APT successfully cyber attacks Pakistan military focused targets}}, date = {2022-07-13}, organization = {Check Point}, url = {https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinder-apt-successfully-cyber-attacks-pakistan-military-focused-targets/}, language = {English}, urldate = {2022-07-15} } @online{research:20220726:robin:cb73c4d, author = {IronNet Threat Research}, title = {{Robin Banks might be robbing your bank}}, date = {2022-07-26}, organization = {IronNet}, url = {https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform}, language = {English}, urldate = {2024-03-18} } @online{research:20220818:sticky:a76a384, author = {DomainTools Research}, title = {{A Sticky Situation Part 2}}, date = {2022-08-18}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/a-sticky-situation-part-2}, language = {English}, urldate = {2022-08-26} } @online{research:20220906:dangeroussavanna:5bec8b7, author = {Check Point Research}, title = {{DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa}}, date = {2022-09-06}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/}, language = {English}, urldate = {2022-09-07} } @online{research:20220922:7:f4a6cdb, author = {Check Point Research}, title = {{7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs}}, date = {2022-09-22}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/}, language = {English}, urldate = {2022-09-26} } @online{research:20220928:twitter:e0277dd, author = {ESET Research}, title = {{Twitter Thread linking CloudMensis to RokRAT / ScarCruft}}, date = {2022-09-28}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1575103839115804672}, language = {English}, urldate = {2023-03-24} } @online{research:20221003:3rd:17c73f3, author = {Check Point Research}, title = {{3rd October – Threat Intelligence Report}}, date = {2022-10-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2022/3rd-october-threat-intelligence-report/}, language = {English}, urldate = {2023-12-04} } @online{research:20221006:bumblebee:bd949dd, author = {ESET Research}, title = {{Tweet on Bumblebee being modularized like trickbot}}, date = {2022-10-06}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1577963080096555008}, language = {English}, urldate = {2022-10-10} } @online{research:20221102:azov:9f43496, author = {Checkpoint Research}, title = {{Tweet on Azov Wiper}}, date = {2022-11-02}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1587837524604465153}, language = {English}, urldate = {2022-11-09} } @online{research:20221102:romcom:73ba97d, author = {Blackberry Research}, title = {{RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom}}, date = {2022-11-02}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass}, language = {English}, urldate = {2023-01-03} } @online{research:20221103:robin:f678ded, author = {IronNet Threat Research}, title = {{Robin Banks still might be robbing your bank (part 2)}}, date = {2022-11-03}, organization = {IronNet}, url = {https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2}, language = {English}, urldate = {2024-03-18} } @online{research:20221122:tweets:518c665, author = {ESET Research}, title = {{Tweets on SysUpdate / Soldier / HyperSSL}}, date = {2022-11-22}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1594937054303236096}, language = {English}, urldate = {2022-11-25} } @online{research:20221125:twitter:22e36a6, author = {ESET Research}, title = {{Twitter thread about RansomBoggs campaign against Ukraine}}, date = {2022-11-25}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1596181925663760386}, language = {English}, urldate = {2022-12-29} } @online{research:20221215:mobile:b80bb77, author = {Check Point Research}, title = {{Mobile #AlienBot malware starts utilizing an incorporated DGA module}}, date = {2022-12-15}, organization = {Check Point Research}, url = {https://twitter.com/_CPResearch_/status/1603375823448317953}, language = {English}, urldate = {2023-01-05} } @online{research:20230127:swiftslicer:0877e07, author = {ESET Research}, title = {{SwiftSlicer: New destructive wiper malware strikes Ukraine}}, date = {2023-01-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/}, language = {English}, urldate = {2023-02-03} } @online{research:20230127:tweets:ac3dd59, author = {ESET Research}, title = {{Tweets on SwiftSlicer}}, date = {2023-01-27}, organization = {ESET Research}, url = {https://twitter.com/ESETresearch/status/1618960022150729728}, language = {English}, urldate = {2023-02-03} } @techreport{research:20230130:activity:38410c4, author = {ESET Research}, title = {{APT Activity Report T3 2022: Sandworm Deploying its Enhanced Wiper Arsenal}}, date = {2023-01-30}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf}, language = {English}, urldate = {2023-02-21} } @techreport{research:20230201:threat:4fee32c, author = {ESET Research}, title = {{Threat Report T3 2022}}, date = {2023-02-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2023/02/eset_threat_report_t32022.pdf}, language = {English}, urldate = {2023-03-13} } @online{research:20230224:year:59ba363, author = {ESET Research}, title = {{A year of wiper attacks in Ukraine}}, date = {2023-02-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/02/24/year-wiper-attacks-ukraine/}, language = {English}, urldate = {2023-11-30} } @online{research:20230228:cryptocurrency:11d4475, author = {Uptycs Threat Research}, title = {{Cryptocurrency Entities at Risk: Threat Actor Uses Parallax RAT for Infiltration}}, date = {2023-02-28}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration}, language = {English}, urldate = {2023-03-04} } @online{research:20230307:pandas:2e3c757, author = {Check Point Research}, title = {{Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities}}, date = {2023-03-07}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/}, language = {English}, urldate = {2023-07-24} } @online{research:20230327:rhadamanthys:813d37c, author = {Checkpoint Research}, title = {{Rhadamanthys: The “Everything Bagel” Infostealer}}, date = {2023-03-27}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/}, language = {English}, urldate = {2023-04-22} } @online{research:20230330:developing:2895b8a, author = {Trend Micro Research}, title = {{Developing Story: Information on Attacks Involving 3CX Desktop App}}, date = {2023-03-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html}, language = {English}, urldate = {2023-04-02} } @online{research:20230426:rtm:48d9f37, author = {Uptycs Threat Research}, title = {{RTM Locker Ransomware as a Service (RaaS) Now Suits Up for Linux Architecture}}, date = {2023-04-26}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux}, language = {English}, urldate = {2023-11-13} } @online{research:20230501:chain:855e7fa, author = {Check Point Research}, title = {{Chain Reaction: RokRAT's Missing Link}}, date = {2023-05-01}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/}, language = {English}, urldate = {2023-05-02} } @online{research:20230608:stealth:5aba5ab, author = {Checkpoint Research}, title = {{Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa}}, date = {2023-06-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/}, language = {English}, urldate = {2023-06-09} } @online{research:20230703:chinese:b18e8f3, author = {Checkpoint Research}, title = {{Chinese Threat Actors Targeting Europe in SmugX Campaign}}, date = {2023-07-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/}, language = {English}, urldate = {2024-07-17} } @online{research:20230721:ransomware:3c5345e, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Play}}, date = {2023-07-21}, organization = {Trendmicro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play}, language = {English}, urldate = {2023-07-24} } @online{research:20230808:rhysida:d28daad, author = {Checkpoint Research}, title = {{THE RHYSIDA RANSOMWARE: ACTIVITY ANALYSIS AND TIES TO VICE SOCIETY}}, date = {2023-08-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/}, language = {English}, urldate = {2023-08-10} } @online{research:20230809:overview:973753a, author = {Trend Micro Research}, title = {{An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector}}, date = {2023-08-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html}, language = {English}, urldate = {2023-08-10} } @online{research:20230920:behind:b3bd2a2, author = {Checkpoint Research}, title = {{Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components}}, date = {2023-09-20}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/}, language = {English}, urldate = {2023-09-25} } @online{research:20231012:darkgate:10d712d, author = {Trend Micro Research}, title = {{DarkGate Opens Organizations for Attack via Skype, Teams}}, date = {2023-10-12}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html}, language = {English}, urldate = {2023-10-18} } @techreport{research:20231026:eset:bbe2090, author = {ESET Research}, title = {{ESET APT Activity Report Q2–Q3 2023}}, date = {2023-10-26}, institution = {ESET Research}, url = {https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf}, language = {English}, urldate = {2024-07-24} } @online{research:20231030:30th:8400dfb, author = {Checkpoint Research}, title = {{30TH OCTOBER – THREAT INTELLIGENCE REPORT}}, date = {2023-10-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/30th-october-threat-intelligence-report/}, language = {English}, urldate = {2023-11-17} } @online{research:20231031:from:57b2530, author = {Check Point Research}, title = {{From Albania to the Middle East: The Scarred Manticore is Listening}}, date = {2023-10-31}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/}, language = {English}, urldate = {2023-12-04} } @online{research:20231117:malware:39cbdec, author = {Check Point Research}, title = {{Malware Spotlight – Into the Trash: Analyzing LitterDrifter}}, date = {2023-11-17}, organization = {Check Point Software Technologies Ltd}, url = {https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/}, language = {English}, urldate = {2023-12-04} } @online{research:20231123:israelhamas:238a85f, author = {Check Point Research}, title = {{Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker}}, date = {2023-11-23}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/}, language = {English}, urldate = {2024-01-05} } @online{research:20240201:eset:d827c64, author = {ESET Research}, title = {{ESET takes part in global operation to disrupt the Grandoreiro banking trojan}}, date = {2024-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/}, language = {English}, urldate = {2024-02-28} } @online{research:20240207:raspberry:2e25a25, author = {Check Point Research}, title = {{Raspberry Robin Keeps Riding the Wave of Endless 1-Days}}, date = {2024-02-07}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/}, language = {English}, urldate = {2024-02-14} } @online{research:20240222:8220:9691e7d, author = {Uptycs Threat Research}, title = {{8220 Gang Cryptomining Campaign Targets Linux & Windows Platforms}}, date = {2024-02-22}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat}, language = {English}, urldate = {2024-09-04} } @online{research:20240412:zeroday:04ff0d2, author = {Volexity Threat Research}, title = {{Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)}}, date = {2024-04-12}, organization = {Volexity}, url = {https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/}, language = {English}, urldate = {2024-04-15} } @online{research:20240511:russian:0b9c749, author = {Purple Team Security Research}, title = {{Russian APT deploys new 'Kapeka' backdoor in Eastern European attacks}}, date = {2024-05-11}, url = {https://www.ctfiot.com/183017.html}, language = {English}, urldate = {2024-09-13} } @online{research:20240523:sharp:0d1b8b3, author = {Checkpoint Research}, title = {{Sharp dragon expands towards africa and the caribbean}}, date = {2024-05-23}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/}, language = {English}, urldate = {2024-05-24} } @online{research:20240524:bad:0cb1daa, author = {Check Point Research}, title = {{Bad Karma, No Justice: Void Manticore Destructive Activities in Israel}}, date = {2024-05-24}, organization = {Check Point Software Technologies Ltd}, url = {https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel}, language = {English}, urldate = {2024-12-09} } @online{research:20240613:disgomoji:e81921f, author = {Volexity Threat Research}, title = {{DISGOMOJI Malware Used to Target Indian Government}}, date = {2024-06-13}, organization = {Volexity}, url = {https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/}, language = {English}, urldate = {2024-06-24} } @online{research:20240715:new:14121b5, author = {Checkpoint Research}, title = {{New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns}}, date = {2024-07-15}, organization = {Check Point}, url = {https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/}, language = {English}, urldate = {2024-09-23} } @online{research:20240828:eset:c7e24ed, author = {ESET Research}, title = {{ESET Research: Spy group exploits WPS Office zero day; analysis uncovers a second vulnerability}}, date = {2024-08-28}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/}, language = {English}, urldate = {2024-12-16} } @online{research:20240911:targeted:4225839, author = {Checkpoint Research}, title = {{Targeted Iranian Attacks Against Iraqi Government Infrastructure}}, date = {2024-09-11}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/}, language = {English}, urldate = {2024-10-15} } @online{research:20241106:copyrhightadamantys:3e0e518, author = {Check Point Research}, title = {{CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits}}, date = {2024-11-06}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/}, language = {English}, urldate = {2024-11-07} } @techreport{research:20241107:activity:3037cd0, author = {ESET Research}, title = {{APT Activity Report: Abusing Cloud Services and VPN Platforms in the Pursuit of New Prey}}, date = {2024-11-07}, institution = {ESET Research}, url = {https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2024-q3-2024.pdf}, language = {English}, urldate = {2024-11-15} } @online{research:20241203:inside:52fd2b3, author = {Check Point Research}, title = {{Inside Akira Ransomware’s Rust Experiment}}, date = {2024-12-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/}, language = {English}, urldate = {2024-12-06} } @online{research:20250110:funksec:a1ba414, author = {Check Point Research}, title = {{FunkSec – Alleged Top Ransomware Group Powered by AI}}, date = {2025-01-10}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/}, language = {English}, urldate = {2025-01-14} } @online{research:20250220:deceptivedevelopment:4668b46, author = {ESET Research}, title = {{DeceptiveDevelopment targets freelance developers}}, date = {2025-02-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/}, language = {English}, urldate = {2025-02-21} } @online{research:20250310:blind:2767fea, author = {Check Point Research}, title = {{Blind Eagle: …And Justice for All}}, date = {2025-03-10}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/}, language = {English}, urldate = {2025-03-12} } @online{research:20250311:twitter:47d2a56, author = {ESET Research}, title = {{Twitter Thread about PipeMagic}}, date = {2025-03-11}, organization = {Twitter (@ESETresearch)}, url = {https://x.com/ESETresearch/status/1899508656258875756}, language = {English}, urldate = {2025-04-25} } @online{research:20250415:renewed:967c260, author = {Checkpoint Research}, title = {{Renewed APT29 Phishing Campaign Against European Diplomats}}, date = {2025-04-15}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2025/apt29-phishing-campaign/}, language = {English}, urldate = {2025-04-16} } @online{research:20250425:north:2af51d2, author = {TEAM CYMRU S2 THREAT RESEARCH}, title = {{Tweet on North Korean Cyber Ops Leveraging Russian Infrastructure}}, date = {2025-04-25}, organization = {Twitter (@teamcymru_S2)}, url = {https://x.com/teamcymru_S2/status/1915827990774063179}, language = {English}, urldate = {2025-04-28} } @techreport{research:20250512:eset:d03c498, author = {ESET Research}, title = {{ESET APT Activity Report Q4 2024–Q1 2025}}, date = {2025-05-12}, institution = {ESET Research}, url = {https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf}, language = {English}, urldate = {2025-05-20} } @online{research:20250528:greynoise:b5ec034, author = {GreyNoise Research}, title = {{GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers}}, date = {2025-05-28}, organization = {Greynoise}, url = {https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers}, language = {English}, urldate = {2025-06-02} } @online{research:20250605:bladedfeline:56bf807, author = {ESET Research}, title = {{BladedFeline: Whispering in the dark}}, date = {2025-06-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/}, language = {English}, urldate = {2025-06-16} } @online{research:20250610:cve202533053:7c13cc8, author = {Check Point Research}, title = {{CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage}}, date = {2025-06-10}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2025/stealth-falcon-zero-day/}, language = {English}, urldate = {2025-06-13} } @online{research:20250625:in:8b3dd8a, author = {Check Point Research}, title = {{In the Wild: Malware Prototype with Embedded Prompt Injection}}, date = {2025-06-25}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2025/ai-evasion-prompt-injection/}, language = {English}, urldate = {2025-06-26} } @techreport{researchers:20180822:turla:d444ef7, author = {ESET researchers}, title = {{Turla Outlook Backdoor}}, date = {2018-08-22}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf}, language = {English}, urldate = {2019-10-18} } @online{researchteam:20140214:analysis:0417082, author = {Counter Threat Unit ResearchTeam}, title = {{Analysis of DHS NCCIC Indicators}}, date = {2014-02-14}, organization = {Secureworks}, url = {https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators}, language = {English}, urldate = {2020-05-26} } @online{researchteam:20160330:ransomware:d1b6fe3, author = {Counter Threat Unit ResearchTeam}, title = {{Ransomware Deployed by Adversary with Established Foothold}}, date = {2016-03-30}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ransomware-deployed-by-adversary}, language = {English}, urldate = {2021-05-28} } @online{researchteam:20170515:evolution:d0e74ea, author = {Counter Threat Unit ResearchTeam}, title = {{Evolution of the GOLD EVERGREEN Threat Group}}, date = {2017-05-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group}, language = {English}, urldate = {2021-05-28} } @online{researchteam:20180215:samsam:bd6d65d, author = {Counter Threat Unit ResearchTeam}, title = {{SamSam Ransomware Campaigns}}, date = {2018-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/samsam-ransomware-campaigns}, language = {English}, urldate = {2021-05-28} } @online{researchteam:20180215:samsam:cb3f804, author = {Counter Threat Unit ResearchTeam}, title = {{SamSam: Converting Opportunity into Profit}}, date = {2018-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit}, language = {English}, urldate = {2021-05-28} } @online{researchteam:20180418:gold:c342756, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry}}, date = {2018-04-18}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry}, language = {English}, urldate = {2021-06-01} } @online{researchteam:20180927:cybercriminals:a7f1c24, author = {Counter Threat Unit ResearchTeam}, title = {{Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish}}, date = {2018-09-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish}, language = {English}, urldate = {2020-01-08} } @online{researchteam:20200226:business:22f0dba, author = {Counter Threat Unit ResearchTeam}, title = {{Business as Usual For Iranian Operations Despite Increased Tensions}}, date = {2020-02-26}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/business-as-usual-for-iranian-operations-despite-increased-tensions}, language = {English}, urldate = {2020-11-19} } @online{researchteam:20200408:how:192d583, author = {Counter Threat Unit ResearchTeam}, title = {{How Cyber Adversaries are Adapting to Exploit the Global Pandemic}}, date = {2020-04-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic}, language = {English}, urldate = {2021-05-28} } @online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } @online{researchteam:20200624:bronze:a4d2ead, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain}}, date = {2020-06-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain}, language = {English}, urldate = {2020-06-26} } @online{researchteam:20200624:dropboxaes:0d0c7be, author = {Counter Threat Unit ResearchTeam}, title = {{DropboxAES Remote Access Trojan}}, date = {2020-06-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dropboxaes-remote-access-trojan}, language = {English}, urldate = {2020-08-18} } @online{researchteam:20210308:supernova:c12f8f7, author = {Counter Threat Unit ResearchTeam}, title = {{SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group}}, date = {2021-03-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group}, language = {English}, urldate = {2021-03-10} } @online{researchteam:20210513:ransomware:1c6898a, author = {Counter Threat Unit ResearchTeam}, title = {{Ransomware Groups Use Tor-Based Backdoor for Persistent Access}}, date = {2021-05-13}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access}, language = {English}, urldate = {2021-05-26} } @online{researchteam:20210615:hades:e1734d8, author = {Counter Threat Unit ResearchTeam}, title = {{Hades Ransomware Operators Use Distinctive Tactics and Infrastructure}}, date = {2021-06-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure}, language = {English}, urldate = {2021-06-21} } @online{researchteam:20210622:lv:a58b99f, author = {Counter Threat Unit ResearchTeam}, title = {{LV Ransomware}}, date = {2021-06-22}, organization = {Secureworks}, url = {https://www.secureworks.com/research/lv-ransomware}, language = {English}, urldate = {2021-06-23} } @online{researchteam:20210720:ongoing:1e6dbd0, author = {Counter Threat Unit ResearchTeam}, title = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}}, date = {2021-07-20}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran}, language = {English}, urldate = {2021-07-26} } @online{researchteam:20210804:detecting:b379acb, author = {Counter Threat Unit ResearchTeam}, title = {{Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)}}, date = {2021-08-04}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks}, language = {English}, urldate = {2021-08-06} } @online{researchteam:20210805:detecting:235fe13, author = {Counter Threat Unit ResearchTeam}, title = {{Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)}}, date = {2021-08-05}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups}, language = {English}, urldate = {2021-08-06} } @online{researchteam:20210922:revil:5b97baf, author = {Counter Threat Unit ResearchTeam}, title = {{REvil Ransomware Reemerges After Shutdown; Universal Decryptor Released}}, date = {2021-09-22}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released}, language = {English}, urldate = {2021-09-28} } @online{researchteam:20211217:nopac:2dd9d15, author = {Counter Threat Unit ResearchTeam and Secureworks Incident Response Team}, title = {{noPac: A Tale of Two Vulnerabilities That Could End in Ransomware}}, date = {2021-12-17}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/nopac-a-tale-of-two-vulnerabilities-that-could-end-in-ransomware}, language = {English}, urldate = {2022-01-25} } @online{researchteam:20220121:disruptive:fff238c, author = {Counter Threat Unit ResearchTeam}, title = {{Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions}}, date = {2022-01-21}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions}, language = {English}, urldate = {2022-01-25} } @online{researchteam:20220121:whispergate:bcdbf9d, author = {Counter Threat Unit ResearchTeam}, title = {{WhisperGate: Not NotPetya}}, date = {2022-01-21}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/whispergate-not-notpetya}, language = {English}, urldate = {2022-01-25} } @online{researchteam:20220125:ransoms:5ec60a6, author = {Counter Threat Unit ResearchTeam}, title = {{Ransoms Demanded for Hijacked Instagram Accounts}}, date = {2022-01-25}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ransoms-demanded-for-hijacked-instagram-accounts}, language = {English}, urldate = {2022-01-28} } @online{researchteam:20220215:shadowpad:cd3fa10, author = {Counter Threat Unit ResearchTeam}, title = {{ShadowPad Malware Analysis}}, date = {2022-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/shadowpad-malware-analysis}, language = {English}, urldate = {2022-02-17} } @online{researchteam:20220225:disruptive:d6c7b5d, author = {Counter Threat Unit ResearchTeam}, title = {{Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations}}, date = {2022-02-25}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations}, language = {English}, urldate = {2022-03-01} } @online{researchteam:20220302:domains:ae50314, author = {Counter Threat Unit ResearchTeam}, title = {{Domains Linked to Phishing Attacks Targeting Ukraine}}, date = {2022-03-02}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/domains-linked-to-phishing-attacks-targeting-ukraine}, language = {English}, urldate = {2022-03-22} } @online{researchteam:20220308:excel:0f4e5c9, author = {Counter Threat Unit ResearchTeam}, title = {{Excel Add-ins Deliver JSSLoader Malware}}, date = {2022-03-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware}, language = {English}, urldate = {2022-03-22} } @online{researchteam:20220323:gold:0f3da90, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships}, language = {English}, urldate = {2022-03-25} } @online{researchteam:20220323:threat:84ad46c, author = {Counter Threat Unit ResearchTeam}, title = {{Threat Intelligence Executive Report Volume 2022, Number 2}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx}, language = {English}, urldate = {2022-03-25} } @online{researchteam:20220405:azure:818fbe9, author = {Counter Threat Unit ResearchTeam}, title = {{Azure Active Directory Exposes Internal Information}}, date = {2022-04-05}, organization = {Secureworks}, url = {https://www.secureworks.com/research/azure-active-directory-exposes-internal-information}, language = {English}, urldate = {2022-04-07} } @online{researchteam:20220421:gold:5d6ad6d, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Continues Conti Operations Despite Public Disclosures}}, date = {2022-04-21}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures}, language = {English}, urldate = {2022-04-29} } @online{researchteam:20220427:bronze:34ac36a, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX}}, date = {2022-04-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx}, language = {English}, urldate = {2024-07-24} } @online{researchteam:20220509:revil:53c819e, author = {Counter Threat Unit ResearchTeam}, title = {{REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence}}, date = {2022-05-09}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801}, language = {English}, urldate = {2022-05-11} } @online{researchteam:20220512:cobalt:6d50163, author = {Counter Threat Unit ResearchTeam}, title = {{COBALT MIRAGE Conducts Ransomware Operations in U.S.}}, date = {2022-05-12}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us}, language = {English}, urldate = {2022-05-13} } @online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} } @online{researchteam:20220817:darktortilla:9a00612, author = {Counter Threat Unit ResearchTeam}, title = {{DarkTortilla Malware Analysis}}, date = {2022-08-17}, organization = {Secureworks}, url = {https://www.secureworks.com/research/darktortilla-malware-analysis}, language = {English}, urldate = {2023-01-05} } @online{researchteam:20220908:bronze:1975ebf, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE PRESIDENT Targets Government Officials}}, date = {2022-09-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/bronze-president-targets-government-officials}, language = {English}, urldate = {2022-09-13} } @online{researchteam:20220914:opsec:b493562, author = {Counter Threat Unit ResearchTeam}, title = {{Opsec Mistakes Reveal COBALT MIRAGE Threat Actors}}, date = {2022-09-14}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors}, language = {English}, urldate = {2022-09-19} } @online{researchteam:20230420:bumblebee:c69430d, author = {Counter Threat Unit ResearchTeam}, title = {{Bumblebee Malware Distributed Via Trojanized Installer Downloads}}, date = {2023-04-20}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads}, language = {English}, urldate = {2023-04-22} } @online{researchteam:20230516:growing:c703021, author = {Counter Threat Unit ResearchTeam}, title = {{The Growing Threat from Infostealers}}, date = {2023-05-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/the-growing-threat-from-infostealers}, language = {English}, urldate = {2023-07-31} } @online{researchteam:20230524:chinese:2075fee, author = {Counter Threat Unit ResearchTeam}, title = {{Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations}}, date = {2023-05-24}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations}, language = {English}, urldate = {2023-05-26} } @online{researchteam:20230829:law:6b1fa22, author = {Counter Threat Unit ResearchTeam}, title = {{Law Enforcement Takes Down QakBot}}, date = {2023-08-29}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot}, language = {English}, urldate = {2023-08-30} } @online{resecurity:20210707:revil:fb53320, author = {Resecurity}, title = {{Tweet REvil attack chain used against Kaseya}}, date = {2021-07-07}, organization = {Twitter (@resecurity_com)}, url = {https://twitter.com/resecurity_com/status/1412662343796813827}, language = {English}, urldate = {2021-07-24} } @online{resecurity:20220717:shortcutbased:6cd77fb, author = {Resecurity}, title = {{Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise}}, date = {2022-07-17}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise}, language = {English}, urldate = {2022-07-28} } @online{resecurity:20220807:logokit:4c57000, author = {Resecurity}, title = {{LogoKit Update – The Phishing Kit Leveraging Open Redirect Vulnerabilities}}, date = {2022-08-07}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/logokit-update-the-phishing-kit-leveraging-open-redirect-vulnerabilities}, language = {English}, urldate = {2022-08-28} } @online{resecurity:20220807:vulnerabilities:d9d2c7f, author = {Resecurity}, title = {{Vulnerabilities In E-Commerce Solutions - Hunting On Big Apples}}, date = {2022-08-07}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/vulnerabilities-in-e-commerce-solutions-hunting-on-big-apples}, language = {English}, urldate = {2022-08-28} } @online{resecurity:20220819:cybercriminals:945407f, author = {Resecurity}, title = {{Cybercriminals Are Targeting Law Enforcement Agencies Worldwide}}, date = {2022-08-19}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/cybercriminals-are-targeting-law-enforcement-agencies-worldwide}, language = {English}, urldate = {2022-08-28} } @online{resecurity:20220821:escanor:df2d766, author = {Resecurity}, title = {{Escanor Malware Delivered In Weaponized Microsoft Office Documents}}, date = {2022-08-21}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/escanor-malware-delivered-in-weaponized-microsoft-office-documents}, language = {English}, urldate = {2022-08-28} } @online{resecurity:20220825:covid19:81a9207, author = {Resecurity}, title = {{COVID-19 Data Put For Sale In Dark Web}}, date = {2022-08-25}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/covid-19-data-put-for-sale-in-dark-web}, language = {English}, urldate = {2022-09-19} } @online{resecurity:20220905:evilproxy:2c76d6b, author = {Resecurity}, title = {{EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web}}, date = {2022-09-05}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web}, language = {English}, urldate = {2022-09-19} } @online{resecurity:20221125:in:8e040c2, author = {Resecurity}, title = {{"In The Box" - Mobile Malware Webinjects Marketplace}}, date = {2022-11-25}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace}, language = {English}, urldate = {2022-12-07} } @online{resecurity:20240122:cybercriminals:1d8e1ed, author = {Resecurity}, title = {{Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web}}, date = {2024-01-22}, organization = {Resecurity}, url = {https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web}, language = {English}, urldate = {2025-05-02} } @online{resecurity:20240403:new:7c56b50, author = {Resecurity}, title = {{The New Version Of JsOutProx Is Attacking Financial Institutions In APAC And MENA Via GitLab Abuse}}, date = {2024-04-03}, organization = {Resecurity}, url = {https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse}, language = {English}, urldate = {2024-04-08} } @online{resecurity:20250409:cybercriminals:142c0b5, author = {Resecurity}, title = {{Cybercriminals Attacked National Social Security Fund of Morocco - Millions of Digital Identities at Risk of Data Breach}}, date = {2025-04-09}, organization = {Resecurity}, url = {https://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach}, language = {English}, urldate = {2025-04-25} } @online{resolver:20190223:dlink:99a2895, author = {RESolver}, title = {{D-Link DNS-320 NAS Cr1ptT0r Ransomware ARM Dynamic Analysis - QEMU and Raspberry PI VM}}, date = {2019-02-23}, organization = {RE Solver}, url = {https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html}, language = {English}, urldate = {2020-01-13} } @online{response:20120531:flamer:48c1d70, author = {Security Response}, title = {{Flamer: A Recipe for Bluetoothache}}, date = {2012-05-31}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache}, language = {English}, urldate = {2020-01-13} } @online{response:20120717:madi:e5495bd, author = {Symantec Security Response}, title = {{The Madi Attacks: Series of Social Engineering Campaigns}}, date = {2012-07-17}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns}, language = {English}, urldate = {2019-12-18} } @online{response:20120718:madi:7d27c61, author = {Security Response}, title = {{The Madi Attacks: Series of Social Engineering Campaigns}}, date = {2012-07-18}, organization = {Symantec}, url = {https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns}, language = {English}, urldate = {2020-04-21} } @online{response:20120816:shamoon:7eedf8f, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-01-13} } @online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } @online{response:20121122:w32narilam:3d2d3c1, author = {Security Response}, title = {{W32.Narilam – Business Database Sabotage}}, date = {2012-11-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage}, language = {English}, urldate = {2020-01-10} } @online{response:20130219:apt1:08c1ae6, author = {Symantec Security Response}, title = {{APT1: Q&A on Attacks by the Comment Crew}}, date = {2013-02-19}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew}, language = {English}, urldate = {2019-12-18} } @online{response:20130626:four:abdfea2, author = {Security Response}, title = {{Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War}}, date = {2013-06-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war}, language = {English}, urldate = {2020-01-10} } @online{response:20130626:four:cd9ccb5, author = {Symantec Security Response}, title = {{Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War}}, date = {2013-06-26}, organization = {Symantec}, url = {https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war}, language = {English}, urldate = {2020-04-21} } @online{response:20130917:hidden:be03466, author = {Security Response}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire}, language = {English}, urldate = {2020-01-10} } @online{response:20130917:hidden:e91b6bb, author = {Symantec Security Response}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, organization = {Symantec}, url = {https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire}, language = {English}, urldate = {2020-04-21} } @techreport{response:20140707:dragonfly:72d3430, author = {Security Response}, title = {{Dragonfly: Cyberespionage Attacks Against Energy Suppliers}}, date = {2014-07-07}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf}, language = {English}, urldate = {2020-04-21} } @techreport{response:20140707:dragonfly:9cd61f0, author = {Symantec Security Response}, title = {{Dragonfly: Cyberespionage Attacks Against Energy Suppliers}}, date = {2014-07-07}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf}, language = {English}, urldate = {2020-01-08} } @online{response:20141014:sandworm:3f6e951, author = {Symantec Security Response}, title = {{Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks}, language = {English}, urldate = {2020-04-21} } @online{response:20141014:sandworm:c129395, author = {Symantec Security Response}, title = {{Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks}}, date = {2014-10-14}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks}, language = {English}, urldate = {2020-01-08} } @online{response:20141014:security:81c5ea5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-04-21} } @online{response:20141014:security:9bb4cd5, author = {Symantec Security Response}, title = {{Security vendors take action against Hidden Lynx malware}}, date = {2014-10-14}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware}, language = {English}, urldate = {2020-01-07} } @techreport{response:20150224:w32ramnit:3a2fed3, author = {Symantec Security Response}, title = {{W32.Ramnit analysis}}, date = {2015-02-24}, institution = {Symantec}, url = {https://informationsecurity.report/Resources/Whitepapers/b201d876-c5df-486d-975e-2dc08eb85f02_W32.Ramnit%20analysis.pdf}, language = {English}, urldate = {2023-10-30} } @online{response:20150708:butterfly:6bf6652, author = {Symantec Security Response}, title = {{Butterfly: Profiting from high-level corporate attacks}}, date = {2015-07-08}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks}, language = {English}, urldate = {2020-01-08} } @techreport{response:20150827:regin:5a5257b, author = {Symantec Security Response}, title = {{Regin: Top-tier espionage tool enables stealthy surveillance}}, date = {2015-08-27}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf}, language = {English}, urldate = {2020-01-20} } @online{response:20150924:kovter:9602c6b, author = {Symantec Security Response}, title = {{Kovter malware learns from Poweliks with persistent fileless registry update}}, date = {2015-09-24}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update}, language = {English}, urldate = {2020-01-13} } @online{response:20151026:duuzer:49ffa2d, author = {Symantec Security Response}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers}, language = {English}, urldate = {2020-01-09} } @online{response:20151203:colombians:04e7e8a, author = {Symantec Security Response}, title = {{Colombians major target of email campaigns delivering Xtreme RAT}}, date = {2015-12-03}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat}, language = {English}, urldate = {2020-01-08} } @online{response:20151207:iranbased:24872ed, author = {Symantec Security Response}, title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}}, date = {2015-12-07}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets}, language = {English}, urldate = {2020-01-09} } @online{response:20151207:iranbased:5e7136f, author = {Security Response}, title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}}, date = {2015-12-07}, organization = {Symantec}, url = {https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets}, language = {English}, urldate = {2020-04-21} } @techreport{response:20160114:waterbug:51a4dbd, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf}, language = {English}, urldate = {2020-01-09} } @online{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/waterbug-attack-group}, language = {English}, urldate = {2022-04-25} } @online{response:20160222:russian:c8f9d1a, author = {Symantec Security Response}, title = {{Russian bank employees received fake job offers in targeted email attack}}, date = {2016-02-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack}, language = {English}, urldate = {2019-11-28} } @online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } @online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2023-08-21} } @online{response:20160807:strider:1602e25, author = {Symantec Security Response}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-07}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets}, language = {English}, urldate = {2020-01-07} } @techreport{response:20160906:buckeye:0b92474, author = {Symantec Security Response}, title = {{Buckeye cyberespionage group shifts gaze from US to Hong Kong}}, date = {2016-09-06}, institution = {Symantec}, url = {https://vx-underground.org/archive/APTs/2016/2016.09.06/Buckeye.pdf}, language = {English}, urldate = {2021-02-04} } @online{response:20160906:buckeye:5934e6f, author = {Security Response}, title = {{Buckeye cyberespionage group shifts gaze from US to Hong Kong}}, date = {2016-09-06}, organization = {Symantec}, url = {https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong}, language = {English}, urldate = {2020-04-21} } @online{response:20160906:buckeye:9f3e86a, author = {Symantec Security Response}, title = {{Buckeye cyberespionage group shifts gaze from US to Hong Kong}}, date = {2016-09-06}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong}, language = {English}, urldate = {2020-01-09} } @online{response:20160906:buckeye:ffc6501, author = {Symantec Security Response}, title = {{Buckeye cyberespionage group shifts gaze from US to Hong Kong}}, date = {2016-09-06}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong}, language = {English}, urldate = {2019-12-24} } @online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } @online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} } @online{response:20161130:shamoon:23a43b0, author = {Symantec Security Response}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever}, language = {English}, urldate = {2020-01-13} } @online{response:20161216:bayrob:cba1ee1, author = {Symantec Security Response}, title = {{Bayrob: Three suspects extradited to face charges in US}}, date = {2016-12-16}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us}, language = {English}, urldate = {2020-01-13} } @online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } @online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } @online{response:20170227:shamoon:62798a3, author = {Symantec Security Response}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets}, language = {English}, urldate = {2019-10-12} } @online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } @online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } @online{response:20170525:lazarus:4d00eab, author = {Security Response}, title = {{Lazarus: History of mysterious group behind infamous cyber attacks}}, date = {2017-05-25}, organization = {Symantec}, url = {https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c}, language = {English}, urldate = {2020-01-08} } @online{response:20171107:sowbug:7f0d6eb, author = {Symantec Security Response}, title = {{Sowbug: Cyber espionage group targets South American and Southeast Asian governments}}, date = {2017-11-07}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments}, language = {English}, urldate = {2019-12-17} } @techreport{response:202006:sodinokibi:06e3a79, author = {Arete Incident Response}, title = {{Sodinokibi / REvil Ransomware attacks against the Education Sector}}, date = {2020-06}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf}, language = {English}, urldate = {2020-07-30} } @techreport{response:202007:wastedlocker:f08d83b, author = {Arete Incident Response}, title = {{WastedLocker Ransomware Insights}}, date = {2020-07}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf}, language = {English}, urldate = {2020-07-30} } @techreport{response:20200818:is:72e08da, author = {Arete Incident Response}, title = {{Is Conti the New Ryuk?}}, date = {2020-08-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf}, language = {English}, urldate = {2020-08-25} } @techreport{response:2021:cobalt:f4412fa, author = {Talos Incident Response}, title = {{Cobalt Strikes Out}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf}, language = {English}, urldate = {2021-05-26} } @techreport{response:2021:evicting:c795470, author = {Talos Incident Response}, title = {{Evicting Maze}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf}, language = {English}, urldate = {2021-05-26} } @online{response:20220309:set:5298d9e, author = {Invictus Incident Response}, title = {{Set up Splunk for Incident Response in GCP in 15 minutes..}}, date = {2022-03-09}, organization = {Medium Invictus Incident Response}, url = {https://invictus-ir.medium.com/set-up-splunk-for-incident-response-in-gcp-in-15-minutes-52eebc7e5a91}, language = {English}, urldate = {2022-03-28} } @online{response:20220322:dev0537:eb7e47c, author = {Microsoft Incident Response and Microsoft Threat Intelligence}, title = {{DEV-0537 criminal actor targeting organizations for data exfiltration and destruction}}, date = {2022-03-22}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/}, language = {English}, urldate = {2025-02-04} } @online{response:20230324:guidance:d0916ab, author = {Microsoft Incident Response}, title = {{Guidance for investigating attacks using CVE-2023-23397}}, date = {2023-03-24}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/}, language = {English}, urldate = {2023-04-18} } @online{response:20230411:guidance:ddf000c, author = {Microsoft Incident Response}, title = {{Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign}}, date = {2023-04-11}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/}, language = {English}, urldate = {2023-04-18} } @online{response:20230413:ransomware:d516cc9, author = {Invictus Incident Response}, title = {{Ransomware in the cloud}}, date = {2023-04-13}, organization = {Medium Invictus Incident Response}, url = {https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82}, language = {English}, urldate = {2023-04-22} } @online{response:20230706:fiveday:629ca44, author = {Microsoft Incident Response}, title = {{The five-day job: A BlackByte ransomware intrusion case study}}, date = {2023-07-06}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/}, language = {English}, urldate = {2023-08-25} } @online{reuveni:20200510:duties:b07dce3, author = {Noy Reuveni}, title = {{The Duties Beyond Assisting the Public: Darknet Threats Against Canadian Health & Support Organizations}}, date = {2020-05-10}, organization = {KELA}, url = {https://ke-la.com/duties-beyond-assisting-the-public/}, language = {English}, urldate = {2021-05-07} } @online{revay:20220407:looking:d148b0f, author = {Gergely Revay and Shunichi Imano}, title = {{Looking Inside Pandora’s Box}}, date = {2022-04-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box}, language = {English}, urldate = {2022-04-08} } @online{revay:20220419:using:51d31d5, author = {Gergely Revay}, title = {{Using Emulation Against Anti-Reverse Engineering Techniques}}, date = {2022-04-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques}, language = {English}, urldate = {2022-04-25} } @online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } @online{revay:20220503:unpacking:954f1d2, author = {Gergely Revay}, title = {{Unpacking Python Executables on Windows and Linux}}, date = {2022-05-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/unpacking-python-executables-windows-linux}, language = {English}, urldate = {2022-05-09} } @online{revay:20220517:chaos:9ff6ed3, author = {Gergely Revay and Shunichi Imano}, title = {{Chaos Ransomware Variant Sides with Russia}}, date = {2022-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia}, language = {English}, urldate = {2022-05-25} } @online{revay:20230124:year:00a1450, author = {Geri Revay}, title = {{The Year of the Wiper}}, date = {2023-01-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper}, language = {English}, urldate = {2023-01-25} } @online{revcode:20200204:revcode:bb6d2b3, author = {RevCode}, title = {{RevCode RAT}}, date = {2020-02-04}, url = {https://revcode.se/product/webmonitor/}, language = {English}, urldate = {2020-02-07} } @online{revelli:20240724:apt45:edb1cf6, author = {Alice Revelli and Fred Plan and JEFF JOHNSON and Michael Barnhart and Taylor Long}, title = {{APT45: North Korea’s Digital Military Machine}}, date = {2024-07-24}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine}, language = {English}, urldate = {2024-07-26} } @online{revengai:20240624:latrodectus:7d47f12, author = {RevEng.AI}, title = {{Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame}}, date = {2024-06-24}, organization = {RevEng.AI}, url = {https://blog.reveng.ai/latrodectus-distribution-via-brc4/}, language = {English}, urldate = {2024-06-28} } @online{revengai:20250130:one:d89fda5, author = {RevEng.AI}, title = {{One ClickFix and LummaStealer reCAPTCHA’s Our Attention - Part 1}}, date = {2025-01-30}, organization = {RevEng.AI}, url = {https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/}, language = {English}, urldate = {2025-01-31} } @online{revert:20190828:other:abc18fa, author = {Rafael Revert}, title = {{Other day other malware in the way (died.exe)}}, date = {2019-08-28}, organization = {Cyttek Group}, url = {https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/}, language = {English}, urldate = {2020-01-08} } @online{revivo:20201202:threat:7bb189a, author = {Idan Revivo and Assaf Morag}, title = {{Threat Alert: Fileless Malware Executing in Containers}}, date = {2020-12-02}, organization = {Aqua}, url = {https://blog.aquasec.com/fileless-malware-container-security}, language = {English}, urldate = {2020-12-08} } @online{reynaert:20220720:analysis:7a5093f, author = {Sasja Reynaert}, title = {{Analysis of a trojanized jQuery script: GootLoader unleashed}}, date = {2022-07-20}, organization = {NVISO Labs}, url = {https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/}, language = {English}, urldate = {2022-07-25} } @online{reynolds:20160913:h1n1:0c4cb42, author = {Josh Reynolds}, title = {{H1N1: Technical analysis reveals new capabilities}}, date = {2016-09-13}, organization = {Cisco}, url = {https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities}, language = {English}, urldate = {2020-01-09} } @online{reynolds:20240123:analyzing:de8dcbd, author = {Josh Reynolds}, title = {{Analyzing and Unpacking Qakbot using Binary Ninja Automation}}, date = {2024-01-23}, organization = {YouTube (Invoke RE)}, url = {https://www.youtube.com/watch?v=0WNPjG8HjOw}, language = {English}, urldate = {2024-01-30} } @online{reynolds:20240209:analyzing:608ac04, author = {Josh Reynolds}, title = {{Analyzing and Unpacking Qakbot Using Binary Ninja Automation Part 2}}, date = {2024-02-09}, organization = {YouTube (Invoke RE)}, url = {https://www.youtube.com/watch?v=utqaGgnb5yM}, language = {English}, urldate = {2024-02-21} } @online{reynolds:20240221:analyzing:8b3283a, author = {Josh Reynolds}, title = {{Analyzing Qakbot Using Binary Ninja Automation Part 3}}, date = {2024-02-21}, organization = {YouTube (Invoke RE)}, url = {https://www.youtube.com/watch?v=1gExOpNqXYo}, language = {English}, urldate = {2024-02-21} } @online{reynolds:20240221:automating:281d3bf, author = {Josh Reynolds}, title = {{Automating Qakbot Malware Analysis with Binary Ninja}}, date = {2024-02-21}, organization = {Invoke RE}, url = {https://invokere.com/posts/2024/02/automating-qakbot-malware-analysis-with-binary-ninja/}, language = {English}, urldate = {2024-03-04} } @online{reynolds:20240611:parser:b48110a, author = {Josh Reynolds}, title = {{Parser Script for Havoc Config}}, date = {2024-06-11}, organization = {Invoke RE}, url = {https://github.com/Invoke-RE/stream-notes/blob/main/red-team/scripts/parse_havoc_generic.py}, language = {English}, urldate = {2024-12-16} } @online{rhyolite:20180706:bid:15346e4, author = {Rhyolite}, title = {{BI_D Ransomware}}, date = {2018-07-06}, url = {http://zirconic.net/2018/07/bi_d-ransomware/}, language = {English}, urldate = {2019-12-06} } @online{rhyolite:20190310:bid:58e515a, author = {Rhyolite}, title = {{BI_D Ransomware Redux (Now With 100% More Ghidra)}}, date = {2019-03-10}, url = {http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/}, language = {English}, urldate = {2019-12-06} } @online{richabadas:20220928:threat:0e98b73, author = {Tushar Richabadas}, title = {{Threat Spotlight: Continuing attacks on Atlassian Confluence zero day}}, date = {2022-09-28}, organization = {Barracuda}, url = {https://blog.barracuda.com/2022/09/28/threat-spotlight-continuing-attacks-on-atlassian-confluence-zero-day/}, language = {English}, urldate = {2022-09-30} } @online{richard:20200331:viasat:9038227, author = {Isaiah Richard}, title = {{Viasat Hit with Russia’s Wiper Malware called ‘AcidRain,’ Affecting European Services}}, date = {2020-03-31}, organization = {Tech Times}, url = {https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm}, language = {English}, urldate = {2022-04-05} } @online{richard:20210504:unc2529:4213d1c, author = {Nick Richard and Dimiter Andonov}, title = {{The UNC2529 Triple Double: A Trifecta Phishing Campaign}}, date = {2021-05-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html}, language = {English}, urldate = {2021-05-19} } @online{richard:20210718:pegasus:c13678f, author = {Laurent Richard and Sandrine Rigaud}, title = {{The Pegasus Project: A Worldwide Collaboration to Counter a Global Crime}}, date = {2021-07-18}, organization = {forbidden stories}, url = {https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/}, language = {English}, urldate = {2021-07-24} } @online{richard:20211029:opencti:4edb701, author = {Julien Richard}, title = {{OpenCTI data sharing}}, date = {2021-10-29}, organization = {Medium Luatix}, url = {https://medium.com/luatix/opencti-data-sharing-6da7dc045d14}, language = {English}, urldate = {2021-11-25} } @online{rico:20231114:russian:e22cda5, author = {U.S. Attorney's Office District of Puerto Rico}, title = {{Russian and Moldovan National Pleads Guilty to Operating Illegal Botnet Proxy Service that Infected Tens of Thousands of Internet-Connected Devices Around the World}}, date = {2023-11-14}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-pr/pr/russian-and-moldovan-national-pleads-guilty-operating-illegal-botnet-proxy-service}, language = {English}, urldate = {2023-11-14} } @techreport{riehle:20220418:russian:baaf138, author = {Kevin P. Riehle}, title = {{Russian Intelligence: A Case-based Study of Russian Services and Missions Past and Present}}, date = {2022-04-18}, institution = {National Intelligence University}, url = {https://ni-u.edu/wp/wp-content/uploads/2022/05/Riehle_Russian-Intelligence.pdf}, language = {English}, urldate = {2022-05-11} } @online{riemarchive:20220506:ransomware:0a466dc, author = {Valéry Rieß-Marchive}, title = {{Ransomware: LockBit 3.0 Starts Using in Cyberattacks}}, date = {2022-05-06}, organization = {LeMagIT}, url = {https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques}, language = {French}, urldate = {2022-05-08} } @online{riemarchive:20250301:ransomware:3138ce8, author = {Valéry Rieß-Marchive}, title = {{Ransomware : de REvil à Black Basta, que sait-on de Tramp ?}}, date = {2025-03-01}, organization = {LeMagIT}, url = {https://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp}, language = {French}, urldate = {2025-03-25} } @online{rieunier:201811:analyse:7b29c7d, author = {Christophe Rieunier and Thomas Dubier}, title = {{Analyse du malware bancaire Gootkit et de ses mécanismes de protection}}, date = {2018-11}, organization = {CERT La Poste}, url = {https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection}, language = {French}, urldate = {2020-09-24} } @online{rieunier:20221031:qakbot:e82f924, author = {Christophe Rieunier}, title = {{QakBot CCs prioritization and new record types}}, date = {2022-10-31}, organization = {Security homework}, url = {https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php}, language = {English}, urldate = {2022-10-31} } @online{rift:20200705:rift:8b05486, author = {NCC RIFT}, title = {{RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence}}, date = {2020-07-05}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/}, language = {English}, urldate = {2020-07-08} } @online{rift:20210123:rift:deea717, author = {NCC RIFT}, title = {{RIFT: Analysing a Lazarus Shellcode Execution Method}}, date = {2021-01-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/}, language = {English}, urldate = {2021-01-25} } @online{rift:20210615:handy:b76df78, author = {NCC RIFT and Michael Matthews and William Backhouse}, title = {{Handy guide to a new Fivehands ransomware variant}}, date = {2021-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/}, language = {English}, urldate = {2021-06-16} } @online{rijnders:20201008:shining:f05b53d, author = {Gijs Rijnders}, title = {{Shining a light on SunCrypt’s curious file encryption mechanism}}, date = {2020-10-08}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/}, language = {English}, urldate = {2022-04-07} } @online{rijnders:20210517:analysis:26c4c03, author = {Gijs Rijnders}, title = {{Analysis of NoCry: A variant of the Judge ransomware}}, date = {2021-05-17}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/analysis-of-nocry-a-variant-of-the-judge-ransomware/}, language = {English}, urldate = {2021-05-19} } @online{rijnders:20210625:lorenz:78cf649, author = {Gijs Rijnders}, title = {{Lorenz ransomware: analysis and a free decryptor}}, date = {2021-06-25}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/}, language = {English}, urldate = {2021-06-29} } @online{rijnders:20210805:analysis:6a836dd, author = {Gijs Rijnders}, title = {{Analysis of the BlackMatter ransomware}}, date = {2021-08-05}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/}, language = {English}, urldate = {2021-08-24} } @online{rijnders:20220321:lorenz:56cc970, author = {Gijs Rijnders}, title = {{Lorenz ransomware rebound: corruption and irrecoverable files}}, date = {2022-03-21}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/}, language = {English}, urldate = {2022-04-05} } @techreport{riley:20171204:shadows:ae9e436, author = {Jack Wesley Riley}, title = {{The Shadows of Ghosts Inside the response of a unique Carbanak intrusion}}, date = {2017-12-04}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf}, language = {English}, urldate = {2021-09-02} } @online{riley:20201215:strategic:653455d, author = {Aaron Riley}, title = {{Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities}}, date = {2020-12-15}, organization = {Cofense}, url = {https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/}, language = {English}, urldate = {2020-12-17} } @online{riley:20201216:supernova:a000ff5, author = {Wes Riley}, title = {{SUPERNOVA SolarWinds .NET Webshell Analysis}}, date = {2020-12-16}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/}, language = {English}, urldate = {2020-12-17} } @online{riley:20240820:toyota:b3b21d2, author = {Duncan Riley}, title = {{Toyota alleges stolen customer data published on hacking site came from outside supplier}}, date = {2024-08-20}, organization = {SiliconAngle}, url = {https://siliconangle.com/2024/08/20/toyota-alleges-stolen-customer-data-published-hacking-site-came-outside-supplier/}, language = {English}, urldate = {2024-10-21} } @online{ring1:20210616:evilnum:013580d, author = {Ring-1}, title = {{Evilnum organizes recent attacks against European financial companies}}, date = {2021-06-16}, organization = {Microstep Online Research Response Center}, url = {https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A}, language = {Chinese}, urldate = {2021-06-21} } @online{ring4sky:20200429:more:4e5b758, author = {Ring4sky}, title = {{More IOCs related to PhantomLance}}, date = {2020-04-29}, organization = {Twitter (@h4ckak)}, url = {https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view}, language = {English}, urldate = {2020-05-19} } @online{riper:20211130:proxyshell:060517d, author = {Harrison van Riper}, title = {{ProxyShell exploitation leads to BlackByte ransomware}}, date = {2021-11-30}, organization = {Red Canary}, url = {https://redcanary.com/blog/blackbyte-ransomware/}, language = {English}, urldate = {2021-12-06} } @online{rippey:20220118:infostealing:fb485dc, author = {Michael Rippey}, title = {{Info-Stealing Tool Posing As Naver OTP}}, date = {2022-01-18}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/01/18/info-stealing-tool-posing-as-naver-otp/}, language = {English}, urldate = {2022-06-27} } @online{rippey:20220123:analysis:262c499, author = {Michael Rippey}, title = {{Analysis of a DLL Downloader}}, date = {2022-01-23}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/01/23/analysis-of-a-dll-downloader/}, language = {English}, urldate = {2022-06-27} } @online{rippey:20220204:shortcut:5580abf, author = {Michael Rippey}, title = {{Shortcut to Windows Update}}, date = {2022-02-04}, organization = {Cyber And Ramen blog}, url = {https://cyberandramen.net/2022/02/04/shortcut-to-windows-update/}, language = {English}, urldate = {2022-06-27} } @online{riskiq:20201029:ryuk:0643968, author = {RiskIQ}, title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}}, date = {2020-10-29}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0bcefe76}, language = {English}, urldate = {2020-11-02} } @online{riskiq:20201202:shadow:b331bd4, author = {Team RiskIQ}, title = {{‘Shadow Academy’ Targets 20 Universities Worldwide}}, date = {2020-12-02}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/external-threat-management/shadow-academy/}, language = {English}, urldate = {2020-12-08} } @online{riskiq:20210114:new:29f2c96, author = {Team RiskIQ}, title = {{New Analysis Puts Magecart Interconnectivity into Focus}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-medialand/}, language = {English}, urldate = {2021-01-18} } @online{riskiq:20210407:yanbian:43530e8, author = {Team RiskIQ}, title = {{Yanbian Gang Malware Continues with Wide-Scale Distribution and C2}}, date = {2021-04-07}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/external-threat-management/yanbian-gang-malware-distribution/}, language = {English}, urldate = {2021-04-19} } @online{riskiq:20210422:solarwinds:83581ea, author = {RiskIQ}, title = {{SolarWinds: Advancing the Story}}, date = {2021-04-22}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/9a515637}, language = {English}, urldate = {2021-04-28} } @online{riskiq:20210604:sysrvhello:e99aa12, author = {Team RiskIQ}, title = {{The Sysrv-hello Cryptojacking Botnet: Here’s What’s New}}, date = {2021-06-04}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/}, language = {English}, urldate = {2022-01-05} } @online{riskiq:20210916:untangling:d1e0f1b, author = {RiskIQ}, title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}}, date = {2021-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/c88cf7e6}, language = {English}, urldate = {2021-09-19} } @online{riskiq:20220203:riskiq:2c2cdfe, author = {RiskIQ}, title = {{RiskIQ: Exposed QNAP Devices are Vulnerable to Compromise}}, date = {2022-02-03}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/1601124b}, language = {English}, urldate = {2022-02-04} } @online{riskiq:20220207:riskiq:43b167b, author = {RiskIQ}, title = {{RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates}}, date = {2022-02-07}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/ade260c6}, language = {English}, urldate = {2022-02-09} } @online{riskiq:20220224:riskiq:1c80c36, author = {RiskIQ}, title = {{RiskIQ: HermeticWiper Compromised Server Used in Attack Chain}}, date = {2022-02-24}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/9f59cb85}, language = {English}, urldate = {2022-03-02} } @online{riskiq:20220224:riskiq:c480135, author = {RiskIQ}, title = {{RiskIQ: WatchGuard Devices Targeted by Cyclops Blink Malware}}, date = {2022-02-24}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/9f863fcc}, language = {English}, urldate = {2022-03-02} } @online{riskiq:20220225:riskiq:07f3da6, author = {RiskIQ}, title = {{RiskIQ: UNC1151/GhostWriter Phishing Attacks Target Ukrainian Soldiers}}, date = {2022-02-25}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/e3a7ceea}, language = {English}, urldate = {2022-03-02} } @online{riskiq:20220315:riskiq:da0e578, author = {RiskIQ}, title = {{RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control}}, date = {2022-03-15}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/111d6005/description}, language = {English}, urldate = {2022-03-17} } @online{riskiq:20220510:riskiq:0de1fcf, author = {RiskIQ}, title = {{RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns}}, date = {2022-05-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/e4fb7245}, language = {English}, urldate = {2022-05-17} } @online{riskiq:20220516:riskiq:84b9ddd, author = {RiskIQ}, title = {{RiskIQ: Storm Clauds - New C2 Over DNS Mimics CloudFront}}, date = {2022-05-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/d8a78daf}, language = {English}, urldate = {2022-05-25} } @online{riskiq:20220701:toddycat:485d554, author = {RiskIQ}, title = {{ToddyCat: A Guided Journey through the Attacker's Infrastructure}}, date = {2022-07-01}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/d8b749f2}, language = {English}, urldate = {2022-07-15} } @online{ritter:20200713:become:3567997, author = {Heike Ritter}, title = {{Become a Microsoft Defender ATP Ninja}}, date = {2020-07-13}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647}, language = {English}, urldate = {2020-07-15} } @online{ritter:20230630:monthly:721045d, author = {Heike Ritter}, title = {{Monthly news - July 2023}}, date = {2023-06-30}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740}, language = {English}, urldate = {2024-02-08} } @online{ritter:20231102:monthly:2830788, author = {Heike Ritter}, title = {{Monthly news - November 2023}}, date = {2023-11-02}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796}, language = {English}, urldate = {2024-02-08} } @online{ritter:20231102:monthly:711119c, author = {Heike Ritter}, title = {{Monthly news - November 2023}}, date = {2023-11-02}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-november-2023/ba-p/3970796}, language = {English}, urldate = {2023-12-04} } @online{ritter:20231201:monthly:2d70054, author = {Heike Ritter}, title = {{Monthly news - December 2023}}, date = {2023-12-01}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431}, language = {English}, urldate = {2024-02-08} } @online{rivitna2:20230630:twitter:9e51899, author = {@rivitna2}, title = {{Twitter thread about relationship between 8Base and Phobos ransomware}}, date = {2023-06-30}, organization = {Twitter (@rivitna2)}, url = {https://twitter.com/rivitna2/status/1674718854549831681}, language = {English}, urldate = {2023-08-01} } @online{rivitna:20231020:first:6639d73, author = {rivitna}, title = {{Tweet on first ITW appearance of Hunters International Ransomware}}, date = {2023-10-20}, organization = {Twitter (@rivitna2)}, url = {https://x.com/rivitna2/status/1715345562034225621}, language = {English}, urldate = {2025-03-06} } @online{rizzo:20250415:unc5174s:eb88102, author = {Alessandra Rizzo}, title = {{UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell}}, date = {2025-04-15}, organization = {sysdig}, url = {https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/}, language = {English}, urldate = {2025-04-25} } @online{rjm:20210418:recover:9b9c0a8, author = {RJM}, title = {{Recover your files with StrongPity}}, date = {2021-04-18}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity}, language = {English}, urldate = {2021-05-25} } @online{rjm:20210524:tracking:3da0800, author = {RJM}, title = {{Tracking StrongPity with Yara}}, date = {2021-05-24}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara}, language = {English}, urldate = {2021-06-21} } @online{rjm:20210605:geopolitical:f6b13be, author = {RJM}, title = {{Geopolitical nation-state threat actor overview May 2021}}, date = {2021-06-05}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/geopolitical-nation-state-threat}, language = {English}, urldate = {2021-06-25} } @online{rjm:20210702:geopolitical:2aa927d, author = {RJM}, title = {{Geopolitical nation-state threat actor overview June 2021}}, date = {2021-07-02}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/geopolitical-nation-state-threat-794}, language = {English}, urldate = {2021-07-05} } @online{rjm:20211013:trouble:c988e46, author = {RJM}, title = {{Trouble in Asia and the Middle East. Tracking the TransparentTribe threat actor.}}, date = {2021-10-13}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east}, language = {English}, urldate = {2021-10-14} } @online{rjm:20240818:reversing:a1c57f4, author = {RJM}, title = {{Reversing DISGOMOJI with Malcat like a BOSS}}, date = {2024-08-18}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/reversing-disgomoji-with-malcat-like}, language = {English}, urldate = {2024-08-23} } @online{rkhunter:20110704:winntrovnix:8a594f6, author = {rkhunter}, title = {{WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)}}, date = {2011-07-04}, organization = {Kernelmode.info Forums}, url = {http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981}, language = {English}, urldate = {2019-07-11} } @online{rnz:20210720:government:92d39e8, author = {RNZ}, title = {{Government points finger at China over cyber attacks}}, date = {2021-07-20}, url = {https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks}, language = {English}, urldate = {2021-07-22} } @online{robb:20150824:sphinx:314a7b9, author = {Bev Robb}, title = {{Sphinx: New Zeus Variant for Sale on the Black Market}}, date = {2015-08-24}, organization = {DarkMatters}, url = {https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/}, language = {English}, urldate = {2020-01-13} } @online{robert:20240507:tweets:055af7b, author = {Baptiste Robert}, title = {{Tweets on LockBitSupp}}, date = {2024-05-07}, organization = {Twitter (@fs0c131y)}, url = {https://twitter.com/fs0c131y/status/1787852663595454807?t=xQbXF31IBgJ7c7tzTpTtlg}, language = {English}, urldate = {2024-05-21} } @online{roberts:20220408:conversinglabs:270c740, author = {Paul Roberts}, title = {{ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles}}, date = {2022-04-08}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles}, language = {English}, urldate = {2022-06-09} } @online{robertson:20160422:tater:11eab95, author = {Kevin Robertson}, title = {{Tater: A PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.}}, date = {2016-04-22}, organization = {Github (Kevin-Robertson)}, url = {https://github.com/Kevin-Robertson/Tater}, language = {English}, urldate = {2020-01-10} } @online{robertson:20210902:juniper:59e4e5f, author = {Jordan Robertson}, title = {{Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role (APT5)}}, date = {2021-09-02}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers}, language = {English}, urldate = {2021-09-14} } @online{robinson:20210514:elliptic:0c14d0e, author = {Dr. Tom Robinson}, title = {{Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims}}, date = {2021-05-14}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims}, language = {English}, urldate = {2021-05-17} } @online{robinson:20210518:darkside:c1451b1, author = {Tom Robinson}, title = {{DarkSide Ransomware has Netted Over $90 million in Bitcoin}}, date = {2021-05-18}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin}, language = {English}, urldate = {2021-05-19} } @online{robinson:20210617:klingon:ed4d44f, author = {Ryan Robinson}, title = {{Klingon RAT Holding on for Dear Life}}, date = {2021-06-17}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/}, language = {English}, urldate = {2021-06-21} } @online{robinson:20210707:global:ffc5f8e, author = {Ryan Robinson and Nicole Fishbein}, title = {{Global Phishing Campaign Targets Energy Sector and its Suppliers}}, date = {2021-07-07}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/}, language = {English}, urldate = {2021-07-09} } @online{robinson:20210818:cobalt:965e1a9, author = {Ryan Robinson}, title = {{Cobalt Strike: Detect this Persistent Threat}}, date = {2021-08-18}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/}, language = {English}, urldate = {2021-08-25} } @online{robinson:20220311:isaacwiper:1c63641, author = {Teri Robinson}, title = {{IsaacWiper Followed HermeticWiper Attack on Ukraine Orgs}}, date = {2022-03-11}, organization = {Security Boulevard}, url = {https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/}, language = {English}, urldate = {2022-03-14} } @online{robinson:20220721:lightning:738865f, author = {Ryan Robinson}, title = {{Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware}}, date = {2022-07-21}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/}, language = {English}, urldate = {2022-07-25} } @online{robinson:20230518:how:3acd352, author = {Ryan Robinson}, title = {{How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems}}, date = {2023-05-18}, organization = {Intezer}, url = {https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/}, language = {English}, urldate = {2023-05-25} } @online{robinson:20240910:theres:037b4a0, author = {Ryan Robinson and Joakim Kennedy}, title = {{There's Something About CryptBot: Yet Another Silly Stealer (YASS)}}, date = {2024-09-10}, organization = {Intezer}, url = {https://intezer.com/blog/research/cryptbot-yet-another-silly-stealer-yass/}, language = {English}, urldate = {2024-12-13} } @online{robinson:20241117:babble:3069ce6, author = {Ryan Robinson}, title = {{Babble Babble Babble Babble Babble Babble BabbleLoader}}, date = {2024-11-17}, organization = {Intezer}, url = {https://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/}, language = {English}, urldate = {2025-04-14} } @techreport{robson:20250307:investigating:de9405b, author = {Mark Robson and John Simmons and Faisal Abdul Malik Qureshi and Said Wali and Xiaopeng Zhang and Fred Gutierrez and Hossein Jazi}, title = {{Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure}}, date = {2025-03-07}, institution = {Fortinet}, url = {https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf}, language = {English}, urldate = {2025-05-20} } @online{robson:20250501:fortiguard:ddee436, author = {Mark Robson and John Simmons and Faisal Abdul Malik Qureshi and Said Wali and Xiaopeng Zhang and Fred Gutierrez and Hossein Jazi}, title = {{FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure}}, date = {2025-05-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/fortiguard-incident-response-team-detects-intrusion-into-middle-east-critical-national-infrastructure}, language = {English}, urldate = {2025-05-20} } @online{roccia:20181219:shamoon:8ffbc81, author = {Thomas Roccia and Jessica Saavedra-Morales and Christiaan Beek}, title = {{Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems}}, date = {2018-12-19}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems}, language = {English}, urldate = {2020-02-01} } @online{roccia:20181219:shamoon:a69d9d2, author = {Thomas Roccia and Jessica Saavedra-Morales and Christiaan Beek}, title = {{Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems}}, date = {2018-12-19}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/}, language = {English}, urldate = {2019-11-08} } @online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } @online{roccia:20200724:fifty:3778c61, author = {Thomas Roccia}, title = {{Fifty Shades of Malware Strings}}, date = {2020-07-24}, organization = {Medium tom_rock}, url = {https://medium.com/@tom_rock/fifty-shades-of-malware-strings-d33b0c7bee99}, language = {English}, urldate = {2020-08-18} } @online{roccia:20210406:mcafee:1ad60c9, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware}}, date = {2021-04-06}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware}, language = {English}, urldate = {2021-05-13} } @techreport{roccia:20210406:technical:3adb4cc, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{Technical Analysis of Cuba Ransomware}}, date = {2021-04-06}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf}, language = {English}, urldate = {2021-04-09} } @online{roccia:20220225:tweets:68e5727, author = {Thomas Roccia}, title = {{Tweets with an overview of HermeticWiper}}, date = {2022-02-25}, organization = {Twitter (@fr0gger)}, url = {https://twitter.com/fr0gger_/status/1497121876870832128}, language = {English}, urldate = {2022-03-01} } @online{roccia:20221121:xray:da154d3, author = {Thomas Roccia}, title = {{X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure?}}, date = {2022-11-21}, organization = {BSides Sydney}, url = {https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure}, language = {English}, urldate = {2022-12-29} } @online{roccia:20240331:with:298ca23, author = {Thomas Roccia}, title = {{Tweet with visual summary of the execution flow}}, date = {2024-03-31}, organization = {Twitter (@fr0gger)}, url = {https://twitter.com/fr0gger_/status/1774342248437813525}, language = {English}, urldate = {2024-04-02} } @online{rocha:20180204:malware:ea0aede, author = {Luis Rocha}, title = {{MALWARE ANALYSIS – PLUGX}}, date = {2018-02-04}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/}, language = {English}, urldate = {2020-01-07} } @online{rocha:20180509:malware:3ee8ecf, author = {Luis Rocha}, title = {{Malware Analysis - PlugX - Part 2}}, date = {2018-05-09}, organization = {COUNT UPON SECURITY}, url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/}, language = {English}, urldate = {2020-01-05} } @online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } @online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } @online{rochberger:20210112:cybereason:5707e14, author = {Lior Rochberger}, title = {{Cybereason vs. Conti Ransomware}}, date = {2021-01-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware}, language = {English}, urldate = {2021-01-18} } @online{rochberger:20210422:prometei:c7eb590, author = {Lior Rochberger}, title = {{Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities}}, date = {2021-04-22}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities}, language = {English}, urldate = {2021-04-28} } @online{rochberger:20220208:cybereason:42a7ee9, author = {Lior Rochberger}, title = {{Cybereason vs. Lorenz Ransomware}}, date = {2022-02-08}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware}, language = {English}, urldate = {2022-02-10} } @online{rochberger:20220509:cybereason:9178f63, author = {Lior Rochberger}, title = {{Cybereason vs. Quantum Locker Ransomware}}, date = {2022-05-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware}, language = {English}, urldate = {2022-05-11} } @online{rochberger:20230616:through:5ef09b8, author = {Lior Rochberger}, title = {{Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa}}, date = {2023-06-16}, organization = {Palo Alto Networks: Cortex Threat Research}, url = {https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/}, language = {English}, urldate = {2023-06-22} } @online{rochberger:20230720:threat:eaf1994, author = {Lior Rochberger and Shimi Cohen}, title = {{Threat Group Assessment: Mallox Ransomware}}, date = {2023-07-20}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/mallox-ransomware/}, language = {English}, urldate = {2023-07-24} } @online{rochberger:20230801:nodestealer:6c972d8, author = {Lior Rochberger}, title = {{NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts}}, date = {2023-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/}, language = {English}, urldate = {2023-08-21} } @online{rochberger:20230922:cyberespionage:ef8b9f6, author = {Lior Rochberger and Tom Fakterman and Robert Falcone}, title = {{Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda}}, date = {2023-09-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/}, language = {English}, urldate = {2024-04-11} } @online{rochberger:20230922:persistent:ba2b09e, author = {Lior Rochberger and Tom Fakterman and Robert Falcone}, title = {{Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus}}, date = {2023-09-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/}, language = {English}, urldate = {2024-03-18} } @online{rochberger:20250227:squidoor:4bd0187, author = {Lior Rochberger and Tom Fakterman}, title = {{Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations}}, date = {2025-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/}, language = {English}, urldate = {2025-02-28} } @online{rochford:20201105:hunting:c53aca3, author = {Oliver Rochford}, title = {{Hunting Emotet with Brim and Zeek}}, date = {2020-11-05}, organization = {Brim Security}, url = {https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff}, language = {English}, urldate = {2020-11-09} } @online{rod:20231027:guide:7f109e6, author = {Brendon Rod}, title = {{A Guide to Scattered Spider Data Breaches}}, date = {2023-10-27}, organization = {acsense}, url = {https://acsense.com/blog/a-guide-to-scattered-spider-data-breaches/}, language = {English}, urldate = {2023-11-17} } @online{roddie:20191118:new:0489a1e, author = {Megan Roddie}, title = {{New Ransomware Available for Targeted Attacks}}, date = {2019-11-18}, organization = {IBM}, url = {https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e}, language = {English}, urldate = {2019-11-26} } @online{roddie:20210909:lockbit:8b80ed5, author = {Megan Roddie}, title = {{LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment}}, date = {2021-09-09}, organization = {IBM}, url = {https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/}, language = {English}, urldate = {2021-09-10} } @techreport{rodionov:201409:bootkits:d55d6a7, author = {Eugene Rodionov and Alexander Matrosov and David Harley}, title = {{BOOTKITS: PAST, PRESENT & FUTURE}}, date = {2014-09}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf}, language = {English}, urldate = {2020-01-08} } @online{rodriguez:20180613:trickbot:e004ae8, author = {Jorge Rodriguez}, title = {{TrickBot config files}}, date = {2018-06-13}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot}, language = {English}, urldate = {2019-07-11} } @online{roesler:20160515:what:36c2071, author = {Martin Roesler}, title = {{What We Can Learn From the Bangladesh Central Bank Cyber Heist}}, date = {2016-05-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/}, language = {English}, urldate = {2020-01-13} } @online{rogan:20210419:inside:4ef6ddb, author = {Tom Rogan}, title = {{Inside the CIA and NSA disagreement over Russian bounties story}}, date = {2021-04-19}, organization = {Washington Examiner}, url = {https://www.washingtonexaminer.com/opinion/inside-the-cia-and-nsa-disagreement-over-russian-bounties-story}, language = {English}, urldate = {2021-04-20} } @online{rojas:20201216:hiding:b5c41f6, author = {David Rojas and Mark Robinson}, title = {{Hiding in Plain Sight: Remediating “Hidden” Malware with Real Time Response}}, date = {2020-12-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/}, language = {English}, urldate = {2021-01-04} } @techreport{rojas:20240415:tale:1809616, author = {Alonso Rojas and Alvaro A. Cardenas and Bing Huang and Emmanuele Zambon and Juan Lozano and Keerthi Koneru and Luis Salazar and Marina Krotofil and Ross Baldick and Sebastian R. Castro}, title = {{A Tale of Two Industroyers: It was the Season of Darkness}}, date = {2024-04-15}, institution = {UC Santa Cruz}, url = {https://zambo99.github.io/publication/sp2024/s&p2024.pdf}, language = {English}, urldate = {2025-04-25} } @online{rolles:20180123:walkthrough:afbbb08, author = {Rolf Rolles}, title = {{A Walk-Through Tutorial, with Code, on Statically Unpacking the FinSpy VM: Part One, x86 Deobfuscation}}, date = {2018-01-23}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation}, language = {English}, urldate = {2020-01-08} } @online{rolles:20180221:finspy:1af9ae6, author = {Rolf Rolles}, title = {{FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #3: Fixing The Function-Related Issues}}, date = {2018-02-21}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues}, language = {English}, urldate = {2022-02-04} } @online{rolles:20180221:finspy:21e33d3, author = {Rolf Rolles}, title = {{FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #1: Deobfuscating FinSpy VM Bytecode Programs}}, date = {2018-02-21}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye}, language = {English}, urldate = {2022-02-04} } @online{rolles:20180221:finspy:2fb22e0, author = {Rolf Rolles}, title = {{FinSpy VM Unpacking Tutorial Part 3: Devirtualization}}, date = {2018-02-21}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization}, language = {English}, urldate = {2022-02-01} } @online{rolles:20180221:finspy:52ff2fd, author = {Rolf Rolles}, title = {{FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #2: First Attempt At Devirtualization}}, date = {2018-02-21}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization}, language = {English}, urldate = {2022-02-04} } @online{rolles:20180221:finspy:bc28bff, author = {Rolf Rolles}, title = {{FinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #4: Second Attempt At Devirtualization}}, date = {2018-02-21}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization}, language = {English}, urldate = {2022-02-04} } @online{rolles:20180221:finspyvm:446202c, author = {Rolf Rolles}, title = {{FinSpyVM (Static Unpacker for FinSpyVM)}}, date = {2018-02-21}, organization = {GitHub (RolfRolles)}, url = {https://github.com/RolfRolles/FinSpyVM}, language = {English}, urldate = {2022-02-02} } @online{rolles:20180902:weekend:2f137ab, author = {Rolf Rolles}, title = {{Weekend Project: A Custom IDA Loader Module For The Hidden Bee Malware Family}}, date = {2018-09-02}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family}, language = {English}, urldate = {2022-02-01} } @online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } @online{rolles:20190114:quick:42a2552, author = {Rolf Rolles}, title = {{A Quick Solution to an Ugly Reverse Engineering Problem}}, date = {2019-01-14}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem}, language = {English}, urldate = {2020-01-13} } @online{rolles:20200901:exhaustivelyanalyzed:0a5410d, author = {Rolf Rolles}, title = {{An Exhaustively-Analyzed IDB for ComRAT v4}}, date = {2020-09-01}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4}, language = {English}, urldate = {2020-09-01} } @online{rolles:20210302:exhaustivelyanalyzed:ea1e91f, author = {Rolf Rolles}, title = {{An Exhaustively-Analyzed IDB for FlawedGrace}}, date = {2021-03-02}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace}, language = {English}, urldate = {2021-03-04} } @online{rolles:20210601:hexrays:d1f9216, author = {Rolf Rolles}, title = {{Hex-Rays, GetProcAddress, and Malware Analysis}}, date = {2021-06-01}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2021/6/1/hex-rays-getprocaddress-and-malware-analysis}, language = {English}, urldate = {2021-06-09} } @online{rolles:20220125:exhaustively:bbe8a55, author = {Rolf Rolles}, title = {{An Exhaustively Analyzed IDB for ComLook}}, date = {2022-01-25}, organization = {Möbius Strip Reverse Engineering}, url = {https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook}, language = {English}, urldate = {2022-01-28} } @online{romang:20121229:attack:2826780, author = {Eric Romang}, title = {{Attack and IE 0day Informations Used Against Council on Foreign Relations}}, date = {2012-12-29}, organization = {Eric Romang Blog}, url = {https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/}, language = {English}, urldate = {2020-01-08} } @online{romang:20130102:capstone:468051d, author = {Eric Romang}, title = {{Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack And More}}, date = {2013-01-02}, url = {https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/}, language = {English}, urldate = {2020-01-08} } @online{romang:20130324:osxpintsized:4692824, author = {Eric Romang}, title = {{OSX/Pintsized Backdoor Additional Details}}, date = {2013-03-24}, url = {https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/}, language = {English}, urldate = {2020-01-05} } @online{romang:20130402:dark:20ae252, author = {Eric Romang}, title = {{Dark South Korea Total War Review}}, date = {2013-04-02}, url = {https://eromang.zataz.com/tag/agentbase-exe/}, language = {English}, urldate = {2019-11-21} } @online{romano:20211027:threat:f8b736b, author = {Gal Romano and Rotem Rostami and Aleksandar Milenkoski}, title = {{THREAT ALERT: Malicious Code Implant in the UAParser.js Library}}, date = {2021-10-27}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-alert-malicious-code-implant-in-the-uaparser.js-library}, language = {English}, urldate = {2021-11-03} } @online{romano:20220331:cloudy:15ac5c7, author = {Christopher Romano and Vaishnav Murthy}, title = {{Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365}}, date = {2022-03-31}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-services-identifies-logging-inconsistencies-in-microsoft-365/}, language = {English}, urldate = {2022-04-05} } @online{romero:20210629:combating:a454121, author = {Jessica Romero}, title = {{Combating E-Commerce Scams and Account Takeover Attacks}}, date = {2021-06-29}, organization = {Facebook}, url = {https://about.fb.com/news/2021/06/combating-e-commerce-scams-and-account-takeover-attacks/}, language = {English}, urldate = {2021-07-02} } @online{rommelj:20240427:finding:b70a5a4, author = {Rommel-J}, title = {{Finding Malware: Detecting SOGU with Google Security Operations.}}, date = {2024-04-27}, organization = {Google}, url = {https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-SOGU-with-Google-Security-Operations/ba-p/758777}, language = {English}, urldate = {2024-08-01} } @online{roncone:20211116:unc1151:a2da6dc, author = {Gabriella Roncone and Alden Wahlstrom and Alice Revelli and David Mainor and Sam Riddell and Ben Read and Mandiant Research Team}, title = {{UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests}}, date = {2021-11-16}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc1151-linked-to-belarus-government}, language = {English}, urldate = {2021-11-17} } @techreport{roncone:20240416:apt44:acbe432, author = {Gabby Roncone and Dan Black and John Wolfram and Tyler McLellan and Nick Simonian and Ryan Hall and Anton Prokopenkov and Dan Perez and Lexie Aytes and Alden Wahlstrom}, title = {{APT44: Unearthing Sandworm}}, date = {2024-04-16}, institution = {Mandiant}, url = {https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf}, language = {English}, urldate = {2024-04-23} } @online{roncone:20240417:unearthing:f3eaa3a, author = {Gabby Roncone and Dan Black and John Wolfram and Tyler McLellan and Nick Simonian and Ryan Hall and Anton Prokopenkov and Luke Jenkins and Dan Perez and Lexie Aytes and Alden Wahlstrom}, title = {{Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm}}, date = {2024-04-17}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235}, language = {English}, urldate = {2025-05-02} } @online{ronnie:20220709:analyzing:b124529, author = {Ronnie}, title = {{Analyzing a Brute Ratel Badger}}, date = {2022-07-09}, organization = {spookysec}, url = {https://blog.spookysec.net/analyzing-brc4-badgers/}, language = {English}, urldate = {2022-10-06} } @online{room:20210415:executive:d1d51e2, author = {Briefing Room}, title = {{Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation}}, date = {2021-04-15}, organization = {THE WHITE HOUSE}, url = {https://www.whitehouse.gov/briefing-room/presidential-actions/2021/04/15/executive-order-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/}, language = {English}, urldate = {2021-04-16} } @online{room:20210415:fact:e896f86, author = {Briefing Room}, title = {{FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government}}, date = {2021-04-15}, organization = {THE WHITE HOUSE}, url = {https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/}, language = {English}, urldate = {2021-04-16} } @online{room:20210415:letter:23d1cc3, author = {Briefing Room}, title = {{A Letter on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation}}, date = {2021-04-15}, organization = {THE WHITE HOUSE}, url = {https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/a-letter-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/}, language = {English}, urldate = {2021-04-16} } @techreport{root9b:20150510:apt28:1aab571, author = {root9b}, title = {{APT28 Targets Financial Markets}}, date = {2015-05-10}, institution = {root9b}, url = {https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{root9b:201508:technical:fff6a0b, author = {root9b}, title = {{TECHNICAL FOLLOW UP - APT28}}, date = {2015-08}, institution = {root9b}, url = {https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{root9b:20170619:shelltea:13b1ebd, author = {root9b}, title = {{SHELLTEA + POSLURP Malware Memory-resident Point-of-Sale Malware Attacks Industry}}, date = {2017-06-19}, institution = {root9b}, url = {https://raw.githubusercontent.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf}, language = {English}, urldate = {2021-03-22} } @techreport{root9b:20170619:shelltea:223ad32, author = {root9b}, title = {{SHELLTEA + POSLURP Malware Memory-resident Point-of-Sale Malware Attacks Industry}}, date = {2017-06-19}, institution = {root9b}, url = {https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf}, language = {English}, urldate = {2021-03-24} } @online{root:20180112:malware:7f1793a, author = {Elena Root and Bogdan Melnykov}, title = {{Malware Displaying Porn Ads Discovered in Game Apps on Google Play}}, date = {2018-01-12}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/}, language = {English}, urldate = {2020-01-13} } @online{rootdaemon:20220310:iranian:6b53790, author = {Rootdaemon}, title = {{Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign}}, date = {2022-03-10}, organization = {Rootdemon}, url = {https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/}, language = {English}, urldate = {2022-03-17} } @online{rootkiter:20170920:is:34b25ad, author = {RootKiter}, title = {{Is Hajime botnet dead?}}, date = {2017-09-20}, organization = {360 netlab}, url = {http://blog.netlab.360.com/hajime-status-report-en/}, language = {English}, urldate = {2020-01-07} } @online{rootkiter:20180117:art:cc593ae, author = {RootKiter}, title = {{Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address}}, date = {2018-01-17}, organization = {360 netlab}, url = {http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/}, language = {English}, urldate = {2019-09-22} } @online{rootkiter:20180706:hns:d96f016, author = {RootKiter and yegenshen}, title = {{HNS Botnet Recent Activities}}, date = {2018-07-06}, organization = {360 netlab}, url = {https://blog.netlab.360.com/hns-botnet-recent-activities-en/}, language = {English}, urldate = {2020-01-08} } @online{rose:20161001:shadow:49e8aeb, author = {Janus Rose}, title = {{‘Shadow Brokers’ Whine That Nobody Is Buying Their Hacked NSA Files}}, date = {2016-10-01}, organization = {Vice Motherboard}, url = {https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files}, language = {English}, urldate = {2020-01-13} } @online{rosen:20200210:hypervisor:8116206, author = {Michael Rosen}, title = {{Hypervisor Introspection Thwarts Web Memory Corruption Attack in the Wild}}, date = {2020-02-10}, organization = {Bitdefender}, url = {https://businessinsights.bitdefender.com/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild}, language = {English}, urldate = {2022-02-01} } @online{rosenberg:20170920:evidence:4767c7a, author = {Jay Rosenberg}, title = {{Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner}}, date = {2017-09-20}, organization = {Intezer}, url = {http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/}, language = {English}, urldate = {2019-07-10} } @online{rosenberg:20171002:evidence:187dfce, author = {Jay Rosenberg}, title = {{Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers}}, date = {2017-10-02}, organization = {Intezer}, url = {http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/}, language = {English}, urldate = {2019-12-18} } @online{rosenberg:20171024:notpetya:7146657, author = {Jay Rosenberg}, title = {{NotPetya Returns as Bad Rabbit}}, date = {2017-10-24}, organization = {Intezer}, url = {http://www.intezer.com/notpetya-returns-bad-rabbit/}, language = {English}, urldate = {2020-01-05} } @online{rosenberg:20171101:silence:087cfb3, author = {Jay Rosenberg}, title = {{Silence of the Moles}}, date = {2017-11-01}, organization = {Intezer}, url = {http://www.intezer.com/silenceofthemoles/}, language = {English}, urldate = {2019-11-27} } @online{rosenberg:20171113:icedid:8dd9da4, author = {Jay Rosenberg}, title = {{IcedID Banking Trojan Shares Code with Pony 2.0 Trojan}}, date = {2017-11-13}, organization = {Intezer}, url = {http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/}, language = {English}, urldate = {2019-12-02} } @online{rosenberg:20180328:lazarus:307e39e, author = {Jay Rosenberg}, title = {{Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies}}, date = {2018-03-28}, organization = {Intezer}, url = {http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/}, language = {English}, urldate = {2019-11-27} } @online{rosenberg:20180817:prince:d4d3b9c, author = {Jay Rosenberg}, title = {{Prince of Persia: The Sands of Foudre}}, date = {2018-08-17}, organization = {Intezer}, url = {https://www.intezer.com/prince-of-persia-the-sands-of-foudre/}, language = {English}, urldate = {2020-01-13} } @online{rosenberg:20181003:apt37:93a9100, author = {Jay Rosenberg}, title = {{APT37: Final1stspy Reaping the FreeMilk}}, date = {2018-10-03}, organization = {Intezer}, url = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/}, language = {English}, urldate = {2020-01-09} } @online{rosenberg:20191016:apt15:d226ae8, author = {Jay Rosenberg}, title = {{APT15}}, date = {2019-10-16}, url = {https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/}, language = {English}, urldate = {2019-10-16} } @online{rosenmund:20200926:ironcat:5aed27a, author = {Aaron Rosenmund}, title = {{Ironcat Ransomware}}, date = {2020-09-26}, url = {https://aaronrosenmund.com/blog/2020/09/26/ironcat-ransmoware/}, language = {English}, urldate = {2020-10-05} } @online{roses:20161027:mirai:01bd756, author = {Simon Roses}, title = {{Mirai DDoS Botnet: Source Code & Binary Analysis}}, date = {2016-10-27}, organization = {Simon Roses Femerling Blog}, url = {http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/}, language = {English}, urldate = {2020-01-07} } @online{ross:20181212:trickbot:7a0e2a6, author = {Wicus Ross}, title = {{The TrickBot and MikroTik connection}}, date = {2018-12-12}, organization = {SecureData}, url = {https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/}, language = {English}, urldate = {2020-05-18} } @online{ross:20240513:sigs:2f89452, author = {Kevin Ross}, title = {{SIGS: W32/Badspace.Backdoor}}, date = {2024-05-13}, organization = {Emerging Threats}, url = {https://community.emergingthreats.net/t/sigs-w32-badspace-backdoor/1630}, language = {English}, urldate = {2024-06-05} } @online{rossi:20240605:qbindiff:9b81ef5, author = {Fabrice Rossi and Florian Yger and Riccardo Mori and Robin David and Roxane Cohen}, title = {{QBinDiff: A modular differ to enhance binary diffing and graph alignment (Video)}}, date = {2024-06-05}, organization = {QuarksLab}, url = {https://static.sstic.org/videos2024/1080p/qbindiff_a_modular_differ.mp4}, language = {French}, urldate = {2024-06-28} } @techreport{rossi:20240605:qbindiff:f8c0fc9, author = {Fabrice Rossi and Florian Yger and Riccardo Mori and Robin David and Roxane Cohen}, title = {{QBinDiff: A modular differ to enhance binary diffing and graph alignment (Slides)}}, date = {2024-06-05}, institution = {Qurakslab}, url = {https://www.sstic.org/media/SSTIC2024/SSTIC-actes/qbindiff_a_modular_differ/SSTIC2024-Slides-qbindiff_a_modular_differ-rossi_yger_mori_david_cohen.pdf}, language = {English}, urldate = {2024-06-28} } @online{rosso:20200415:nationstate:b48eee1, author = {Kristin Del Rosso}, title = {{Nation-state Mobile Malware Targets Syrians with COVID-19 Lures}}, date = {2020-04-15}, organization = {Lookout}, url = {https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures}, language = {English}, urldate = {2020-04-20} } @online{rostelecomsolar:20210920:how:cfe97c4, author = {Rostelecom-Solar}, title = {{How we searched for a connection between Mēris and Glupteba, and gained control over 45 thousand MikroTik devices}}, date = {2021-09-20}, organization = {Rostelecom-Solar}, url = {https://habr.com/ru/company/solarsecurity/blog/578900/}, language = {Russian}, urldate = {2021-09-22} } @online{rostovcev:20201207:footprints:c2a90df, author = {Nikita Rostovcev}, title = {{The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer}}, date = {2020-12-07}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/fakesecurity_raccoon}, language = {English}, urldate = {2020-12-08} } @online{rostovcev:20210610:big:4d0a5f2, author = {Nikita Rostovcev}, title = {{Big airline heist APT41 likely behind massive supply chain attack}}, date = {2021-06-10}, organization = {Group-IB}, url = {https://blog.group-ib.com/colunmtk_apt41}, language = {English}, urldate = {2021-06-16} } @online{rostovcev:20220601:sidewinderantibotscript:62cb932, author = {Nikita Rostovcev and Alexander Badaev}, title = {{SideWinder.AntiBot.Script Analysis of SideWinder's new infrastructure and tool that narrows their reach to Pakistan}}, date = {2022-06-01}, organization = {Group-IB}, url = {https://blog.group-ib.com/sidewinder-antibot}, language = {English}, urldate = {2022-06-02} } @online{rostovtsev:20210603:fontpack:79d9762, author = {Nikita Rostovtsev}, title = {{FontPack: A dangerous update Attribution secrets: Who is behind stealing credentials and bank card data by asking to install fake Flash Player, browser or font updates?}}, date = {2021-06-03}, organization = {Group-IB}, url = {https://blog.group-ib.com/fontpack}, language = {English}, urldate = {2021-06-16} } @online{rostovtsev:20220818:apt41:57ffddb, author = {Nikita Rostovtsev}, title = {{APT41 World Tour 2021 on a tight schedule}}, date = {2022-08-18}, organization = {Group-IB}, url = {https://blog.group-ib.com/apt41-world-tour-2021}, language = {English}, urldate = {2022-08-18} } @online{rostovtsev:20230517:distinctive:c4bc5d4, author = {Nikita Rostovtsev and Joshua Penny and Yashraj Solanki}, title = {{The distinctive rattle of APT SideWinder}}, date = {2023-05-17}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/hunting-sidewinder/}, language = {English}, urldate = {2023-05-17} } @online{roter:20201207:egregor:2d3dced, author = {Tom Roter}, title = {{Egregor Ransomware - An In-Depth Analysis}}, date = {2020-12-07}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis}, language = {English}, urldate = {2020-12-09} } @online{roter:20210315:taurus:c3ab709, author = {Tom Roter}, title = {{Taurus Stealer's Evolution}}, date = {2021-03-15}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/taurus-stealers-evolution}, language = {English}, urldate = {2021-03-31} } @online{roter:20210527:trapping:76b0b81, author = {Tom Roter}, title = {{Trapping A Fat Quasar RAT}}, date = {2021-05-27}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/trapping-quasar-rat}, language = {English}, urldate = {2021-06-01} } @online{roth:20151017:how:d7c4f42, author = {Florian Roth}, title = {{How to Write Simple but Sound Yara Rules – Part 2}}, date = {2015-10-17}, organization = {BSK Consulting}, url = {https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/}, language = {English}, urldate = {2019-07-11} } @online{roth:20190228:yara:d1c9185, author = {Florian Roth}, title = {{Tweet on YARA and DispenserXFS}}, date = {2019-02-28}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1101138784933085191}, language = {English}, urldate = {2020-01-10} } @online{roth:20190518:yara:b6d66a4, author = {Florian Roth}, title = {{Tweet on YARA and APT28}}, date = {2019-05-18}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1129653190444703744}, language = {English}, urldate = {2020-01-10} } @online{roth:20191128:signature:1d30657, author = {Florian Roth}, title = {{Tweet on Signature Writing for DADJOKE}}, date = {2019-11-28}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1199978327697694720}, language = {English}, urldate = {2020-01-09} } @online{roth:20220508:source:86add3e, author = {Florian Roth}, title = {{Tweet on source code for BPFDoor found on VT}}, date = {2022-05-08}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1523227511551033349}, language = {English}, urldate = {2022-05-09} } @online{roussi:20240221:brussels:36d3a6b, author = {Antoaneta Roussi}, title = {{Brussels spyware bombshell: Surveillance software found on officials’ phones}}, date = {2024-02-21}, organization = {POLITICO}, url = {https://www.politico.eu/article/parliament-defense-subcommittee-phones-checked-for-spyware/}, language = {English}, urldate = {2024-02-22} } @online{roussi:20250226:chinese:4256ec4, author = {Antoaneta Roussi}, title = {{Chinese hackers siphoned off Belgian state security emails, report says}}, date = {2025-02-26}, organization = {POLITICO}, url = {https://www.politico.eu/article/chinese-hackers-siphoned-off-belgian-state-security-emails-report/}, language = {English}, urldate = {2025-02-28} } @online{roviello:20240910:new:b616048, author = {Michele Roviello and Alessandro Strino}, title = {{A new TrickMo saga: from Banking Trojan to Victim's Data Leak}}, date = {2024-09-10}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak}, language = {English}, urldate = {2024-09-23} } @online{roviello:20241104:toxicpanda:317ee00, author = {Michele Roviello and Alessandro Strino and Federico Valentini}, title = {{ToxicPanda: a new banking trojan from Asia hit Europe and LATAM}}, date = {2024-11-04}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam}, language = {English}, urldate = {2024-11-07} } @online{rowland:20220508:twitter:bf58ca0, author = {Craig Rowland}, title = {{Twitter Thread with description of functionality for BPFDoor}}, date = {2022-05-08}, organization = {Twitter (@CraigHRowland)}, url = {https://twitter.com/CraigHRowland/status/1523266585133457408}, language = {English}, urldate = {2022-06-09} } @online{roxan:20210510:prelude:1bb57bb, author = {Callum Roxan and Sami Ruohonen}, title = {{Prelude to Ransomware: SystemBC}}, date = {2021-05-10}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/}, language = {English}, urldate = {2021-05-11} } @online{roxan:20241115:brazenbamboo:91314bc, author = {Callum Roxan and Charlie Gardner and Paul Rascagnères}, title = {{BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA}}, date = {2024-11-15}, organization = {Volexity}, url = {https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/}, language = {English}, urldate = {2024-11-25} } @online{roy:20201007:break:4731b31, author = {Chris Le Roy}, title = {{Break out the Box (BOtB)}}, date = {2020-10-07}, organization = {Github (brompwnie)}, url = {https://github.com/brompwnie/botb}, language = {English}, urldate = {2021-01-21} } @online{roy:20220208:blackcat:d336ae8, author = {Arnab Roy}, title = {{BlackCat Ransomware as a Service - The Cat is certainly out of the bag!}}, date = {2022-02-08}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html}, language = {English}, urldate = {2022-02-09} } @online{rozhnov:20220328:groupib:53f3790, author = {Ilia Rozhnov}, title = {{Group-IB unveils three groups of fraudsters behind delivery scams in Singapore}}, date = {2022-03-28}, organization = {Group-IB}, url = {https://blog.group-ib.com/fake-delivery-scams-singapore}, language = {English}, urldate = {2022-05-05} } @online{rozmann:20240227:when:7a2395f, author = {Ofir Rozmann and Chen Evgi and Jonathan Leathery}, title = {{When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors}}, date = {2024-02-27}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east}, language = {English}, urldate = {2024-04-29} } @online{rozmann:20240501:uncharmed:aa10722, author = {Ofir Rozmann and Asli Koksal and Adrian Hernandez and Sarah Bock and Jonathan Leathery}, title = {{Uncharmed: Untangling Iran's APT42 Operations}}, date = {2024-05-01}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations}, language = {English}, urldate = {2025-02-25} } @online{rsa:20151125:detecting:84c8eed, author = {RSA}, title = {{Detecting GlassRAT using Security Analytics and ECAT}}, date = {2015-11-25}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat}, language = {English}, urldate = {2020-01-06} } @online{rsprooten:20221028:emotet:ffabd03, author = {@rsprooten and Elastic Security Intelligence & Analytics Team}, title = {{EMOTET dynamic config extraction}}, date = {2022-10-28}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction}, language = {English}, urldate = {2022-10-30} } @online{rubin:20210827:cobalt:a44e08a, author = {Noah Rubin and Aon’s Cyber Labs}, title = {{Cobalt Strike Configuration Extractor and Parser}}, date = {2021-08-27}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/}, language = {English}, urldate = {2022-05-04} } @online{rubio:20200805:playing:5b11606, author = {Carlos Rubio and Blueliv Labs Team}, title = {{Playing with GuLoader Anti-VM techniques}}, date = {2020-08-05}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/}, language = {English}, urldate = {2021-01-10} } @online{rubio:20200930:rooty:91be64b, author = {Carlos Rubio and Jose Miguel Esparza and Blueliv Labs Team}, title = {{Rooty Dolphin uses Mekotio to target bank clients in South America and Europe}}, date = {2020-09-30}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/}, language = {English}, urldate = {2020-10-07} } @online{rubn:20190806:clipsa:81eb577, author = {Jan Rubín}, title = {{Clipsa – Multipurpose password stealer}}, date = {2019-08-06}, organization = {Avast}, url = {https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/}, language = {English}, urldate = {2020-01-13} } @online{rubn:20200402:coviper:f06be6d, author = {Jan Rubín}, title = {{CoViper locking down computers during lockdown}}, date = {2020-04-02}, organization = {Avast}, url = {https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/}, language = {English}, urldate = {2020-04-07} } @online{rubn:20200917:complex:e1b3abc, author = {Jan Rubín}, title = {{Complex obfuscation? Meh… (1/2)}}, date = {2020-09-17}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/complex-obfuscation-meh/}, language = {English}, urldate = {2023-08-07} } @online{rubn:20201112:password:fe2e566, author = {Jan Rubín}, title = {{Password stealer in Delphi? Meh… (2/2)}}, date = {2020-11-12}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/meh-2-2/}, language = {English}, urldate = {2023-08-07} } @online{rubn:20211012:king:068a3d8, author = {Jan Rubín and Jakub Kaloč}, title = {{The King is Dead, Long Live MyKings! (Part 1 of 2)}}, date = {2021-10-12}, organization = {Avast}, url = {https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/}, language = {English}, urldate = {2021-10-25} } @online{rubn:20211201:toss:0b5f12e, author = {Jan Rubín and Jakub Kaloč}, title = {{Toss a Coin to your Helper (Part 2 of 2)}}, date = {2021-12-01}, organization = {Avast}, url = {https://decoded.avast.io/janrubin/toss-a-coin-to-your-helper}, language = {English}, urldate = {2021-12-07} } @online{rubn:20221121:vipersoftx:339e815, author = {Jan Rubín}, title = {{ViperSoftX: Hiding in System Logs and Spreading VenomSoftX}}, date = {2022-11-21}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/}, language = {English}, urldate = {2022-11-25} } @online{rudis:20180719:huawai:2d111c0, author = {boB Rudis}, title = {{Tweet on Huawai Router Botnet}}, date = {2018-07-19}, organization = {Twitter (@hrbrmstr)}, url = {https://twitter.com/hrbrmstr/status/1019922651203227653}, language = {English}, urldate = {2020-01-13} } @online{rueckert:20210718:pegasus:d350485, author = {Phineas Rueckert}, title = {{Pegasus: The new global weapon for silencing journalists}}, date = {2021-07-18}, organization = {forbidden stories}, url = {https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/}, language = {English}, urldate = {2021-07-24} } @online{ruiz:20180601:satan:f427b73, author = {Javier Ruiz}, title = {{Satan Ransomware Spawns New Methods to Spread}}, date = {2018-06-01}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread}, language = {English}, urldate = {2019-11-26} } @online{ruiz:20191217:ta505:1c1204e, author = {Adrián Ruiz and Jose Miguel Esparza and Blueliv Labs Team}, title = {{TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking}}, date = {2019-12-17}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/}, language = {English}, urldate = {2020-01-09} } @online{ruiz:20210913:android:40762d2, author = {Fernando Ruiz}, title = {{Android malware distributed in Mexico uses Covid-19 to steal financial credentials}}, date = {2021-09-13}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-distributed-in-mexico-uses-covid-19-to-steal-financial-credentials/}, language = {English}, urldate = {2021-09-14} } @techreport{ruohonen:20230202:no:2a5fce3, author = {Sami Ruohonen and Stephen Robinson}, title = {{No Pineapple! –DPRK Targeting of Medical Research and Technology Sector}}, date = {2023-02-02}, institution = {WithSecure}, url = {https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf}, language = {English}, urldate = {2023-08-25} } @techreport{rusakoff:2008:win32ntldrbot:f1cd6dd, author = {Vyacheslav Rusakoff}, title = {{Win32.Ntldrbot (aka Rustock.C) no longer a myth, no longer a threat}}, date = {2008}, institution = {Dr.Web}, url = {http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf}, language = {English}, urldate = {2019-12-24} } @online{rusakov:20100805:tdss:358d5d6, author = {Vyacheslav Rusakov and Sergey Golovanov}, title = {{TDSS}}, date = {2010-08-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/tdss/36314/}, language = {English}, urldate = {2024-04-23} } @online{rusakov:20170919:modern:346e07e, author = {Vyacheslav Rusakov and Vladislav Pintiysky}, title = {{A Modern Hypervisor as a Basis for a Sandbox}}, date = {2017-09-19}, organization = {Kaspersky}, url = {https://securelist.com/a-modern-hypervisor-as-a-basis-for-a-sandbox/81902/}, language = {English}, urldate = {2022-04-12} } @online{rusnk:20240926:cyberespionage:a306de0, author = {Zoltán Rusnák}, title = {{Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023}}, date = {2024-09-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/cyberespionage-gamaredon-way-analysis-toolset-used-spy-ukraine-2022-2023/}, language = {English}, urldate = {2024-10-21} } @online{russell:20220525:chromeloader:4877f32, author = {Aedan Russell}, title = {{ChromeLoader: a pushy malvertiser}}, date = {2022-05-25}, organization = {Red Canary}, url = {https://redcanary.com/blog/chromeloader/}, language = {English}, urldate = {2022-05-29} } @online{russianpanda:20230509:esentire:3eaa138, author = {RussianPanda}, title = {{eSentire Threat Intelligence Malware Analysis: Vidar Stealer}}, date = {2023-05-09}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer}, language = {English}, urldate = {2023-05-25} } @online{russianpanda:20230615:esentire:68fb84e, author = {RussianPanda}, title = {{eSentire Threat Intelligence Malware Analysis: Aurora Stealer}}, date = {2023-06-15}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer}, language = {English}, urldate = {2023-07-11} } @online{russianpanda:20230615:esentire:7cd1ea3, author = {RussianPanda}, title = {{eSentire Threat Intelligence Malware Analysis: Resident Campaign}}, date = {2023-06-15}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign}, language = {English}, urldate = {2024-11-11} } @online{russianpanda:20230628:meduza:77fdddb, author = {RussianPanda}, title = {{Meduza Stealer or The Return of The Infamous Aurora Stealer}}, date = {2023-06-28}, url = {https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/}, language = {English}, urldate = {2023-07-05} } @online{russianpanda:20230704:unleashing:ca12077, author = {RussianPanda}, title = {{Unleashing the Viper : A Technical Analysis of WhiteSnake Stealer}}, date = {2023-07-04}, organization = {Russian Panda Research Blog}, url = {https://russianpanda.com/2023/07/04/WhiteSnake-Stealer-Malware-Analysis/}, language = {English}, urldate = {2024-01-03} } @online{russianpanda:20231120:metastealer:a1cf5da, author = {RussianPanda}, title = {{MetaStealer - Redline's Doppelgänger}}, date = {2023-11-20}, organization = {Russian Panda Research Blog}, url = {https://russianpanda.com/2023/11/20/MetaStealer-Redline's-Doppelganger/}, language = {English}, urldate = {2024-01-03} } @online{russianpanda:20231226:pure:faea1fe, author = {RussianPanda}, title = {{Pure Logs Stealer Fails to Impress}}, date = {2023-12-26}, organization = {Russian Panda Research Blog}, url = {https://russianpanda.com/2023/12/26/Pure-Logs-Stealer-Malware-Analysis/}, language = {English}, urldate = {2024-01-03} } @online{russianpanda:20231228:metastealer:f97167e, author = {RussianPanda}, title = {{MetaStealer Part 2, Google Cookie Refresher Madness and Stealer Drama}}, date = {2023-12-28}, organization = {Russian Panda Research Blog}, url = {https://russianpanda.com/2023/12/28/MetaStealer-Part-2/}, language = {English}, urldate = {2024-01-03} } @online{russianpanda:20240115:from:914645b, author = {RussianPanda}, title = {{From Russia With Code: Disarming Atomic Stealer}}, date = {2024-01-15}, organization = {Russian Panda Research Blog}, url = {https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/}, language = {English}, urldate = {2024-01-18} } @online{russinovich:20240411:how:d928f67, author = {Mark Russinovich}, title = {{How Microsoft discovers and mitigates evolving attacks against AI guardrails}}, date = {2024-04-11}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2024/04/11/how-microsoft-discovers-and-mitigates-evolving-attacks-against-ai-guardrails/}, language = {English}, urldate = {2024-04-29} } @online{russo:20221121:threat:86205c7, author = {Kristopher Russo}, title = {{Threat Assessment: Luna Moth Callback Phishing Campaign}}, date = {2022-11-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/}, language = {English}, urldate = {2022-11-25} } @online{russo:20230915:threat:8dd4390, author = {Kristopher Russo and Austin Dever and Amer Elsad}, title = {{Threat Group Assessment: Muddled Libra}}, date = {2023-09-15}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/muddled-libra/}, language = {English}, urldate = {2023-10-10} } @online{rusten:20200320:analysis:f82a963, author = {Luke Rusten}, title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}}, date = {2020-03-20}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/}, language = {English}, urldate = {2020-06-22} } @online{rusu:20170718:inexsmar:65be001, author = {Alexandru Rusu and Cristina Vatamanu and Alexandru Maximciuc}, title = {{Inexsmar: An unusual DarkHotel campaign}}, date = {2017-07-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/}, language = {English}, urldate = {2020-04-06} } @online{rutayisire:20240605:european:3291ae7, author = {Alixia Clarisse Rutayisire}, title = {{European Election Security At Risk: A Detailed Analysis of State-Sponsored, eCrime, and Hacktivist Threats}}, date = {2024-06-05}, organization = {QuoIntelligence}, url = {https://quointelligence.eu/2024/06/european-election-at-risk-analysis/}, language = {English}, urldate = {2024-07-03} } @online{rxored:20220119:whispergate:39880e3, author = {rxored}, title = {{WhisperGate}}, date = {2022-01-19}, organization = {rxOred's blog}, url = {https://rxored.github.io/post/analysis/whispergate/whispergate/}, language = {English}, urldate = {2022-01-24} } @online{ryan:20220321:dynamics:29d9088, author = {Pierce Ryan and John Fokker and Sorcha Healy and Andreas Amann}, title = {{Dynamics of Targeted Ransomware Negotiation}}, date = {2022-03-21}, organization = {IEEE}, url = {https://ieeexplore.ieee.org/document/9738625}, language = {English}, urldate = {2022-04-05} } @online{rydzynski:20201221:solarwindssunburst:cabeea6, author = {Peter Rydzynski}, title = {{SolarWinds/SUNBURST: DGA or DNS Tunneling?}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling}, language = {English}, urldate = {2021-01-05} } @online{rydzynski:20211220:detecting:686a034, author = {Peter Rydzynski and Michael Leardi and Brent Eskridge}, title = {{Detecting anomalous network traffic resulting from a successful Log4j attack}}, date = {2021-12-20}, organization = {IronNet}, url = {https://www.ironnet.com/blog/detecting-anomalous-network-traffic-resulting-from-a-successful-log4j-attack}, language = {English}, urldate = {2022-03-08} } @techreport{ryonosuke:20240125:secret:ea588b9, author = {Kawakami Ryonosuke and Shota Nakajima and Hara Hiroaki}, title = {{The Secret Life of RATs: connecting the dots by dissecting multiple backdoors}}, date = {2024-01-25}, institution = {JSAC 2024}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_en.pdf}, language = {English}, urldate = {2024-02-02} } @online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} } @online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} } @online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } @online{ryu:20210528:deep:c5d221c, author = {Sojun Ryu}, title = {{Deep Analysis of Vidar Stealer}}, date = {2021-05-28}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed}, language = {English}, urldate = {2021-06-16} } @online{ryu:20210623:deep:b255667, author = {Sojun Ryu}, title = {{Deep analysis of REvil Ransomware}}, date = {2021-06-23}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317}, language = {Korean}, urldate = {2021-07-29} } @online{ryu:20210708:analysis:65a332a, author = {Sojun Ryu}, title = {{Analysis of Lazarus malware abusing Non-ActiveX Module in South Korea}}, date = {2021-07-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12}, language = {English}, urldate = {2023-04-14} } @online{s2w:20240822:analysis:815c16f, author = {S2W}, title = {{Analysis of the North Korea-backed puNK-003’s Lilith RAT ported to AutoIt Script}}, date = {2024-08-22}, organization = {S2W Inc.}, url = {https://s2w.inc/en/resource/detail/581}, language = {English}, urldate = {2025-04-25} } @online{s:20210505:joker:8337490, author = {Baran S}, title = {{Joker}}, date = {2021-05-05}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22199}, language = {English}, urldate = {2021-07-02} } @online{s:20210617:teabot:307d855, author = {Baran S}, title = {{Teabot : Android Banking Trojan Targets Banks in Europe}}, date = {2021-06-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22407}, language = {English}, urldate = {2021-06-21} } @online{s:20210712:pjobrat:ee86d6c, author = {Baran S}, title = {{PJobRAT}}, date = {2021-07-12}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22537}, language = {English}, urldate = {2021-07-20} } @online{s:20210917:joker:837b4d4, author = {Baran S}, title = {{Joker}}, date = {2021-09-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/}, language = {English}, urldate = {2021-09-19} } @online{s:20220127:facestealer:9219583, author = {Baran S}, title = {{Facestealer – The Rise of Facebook Credential Stealer Malware}}, date = {2022-01-27}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/}, language = {English}, urldate = {2022-02-01} } @online{s:20220303:teabot:6b49183, author = {Gurubaran S}, title = {{TeaBot Banking Trojan Posted as QR Code app in Google Play Store Targeting US Users}}, date = {2022-03-03}, organization = {GBHackers on Security}, url = {https://gbhackers.com/teabot-banking-trojan/}, language = {English}, urldate = {2022-03-03} } @online{s:20220513:teabot:6b0a0e1, author = {Baran S}, title = {{Teabot}}, date = {2022-05-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/}, language = {English}, urldate = {2022-05-17} } @online{s:20220524:twisted:486d7c7, author = {Gurubaran S}, title = {{Twisted Panda: Chinese APT Launch Spy Operation Against Russian Defence Institutes}}, date = {2022-05-24}, organization = {GBHackers on Security}, url = {https://gbhackers.com/twisted-panda-chinese-apt/}, language = {English}, urldate = {2022-05-25} } @online{s:20220628:black:e69f497, author = {Gurubaran S}, title = {{Black Basta Ransomware Emerging From Underground to Attack Corporate Networks}}, date = {2022-06-28}, organization = {GBHackers on Security}, url = {https://gbhackers.com/black-basta-ransomware/}, language = {English}, urldate = {2022-06-30} } @online{s:20220810:spynote:277e9ab, author = {Baran S}, title = {{spynote}}, date = {2022-08-10}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/spynote-an-android-snooper/}, language = {English}, urldate = {2022-08-17} } @online{s:20220911:github:9b4f40f, author = {Steve S}, title = {{Github Repository for Revenant}}, date = {2022-09-11}, organization = {Github (0xTriboulet)}, url = {https://github.com/0xTriboulet/Revenant}, language = {English}, urldate = {2023-04-03} } @online{s:20221017:i:74483ac, author = {Sean S.}, title = {{I Don’t Like Big Gateways (and I Cannot Lie) - How IP Reputation Gets Large Gateways Wrong}}, date = {2022-10-17}, organization = {SPUR}, url = {https://spur.us/i-dont-like-big-gateways-and-i-cannot-lie/}, language = {English}, urldate = {2024-03-28} } @online{s:20221220:lazarus:41a5f95, author = {Mellvin S}, title = {{Lazarus APT’s Operation Interception Uses Signed Binary}}, date = {2022-12-20}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/}, language = {English}, urldate = {2022-12-29} } @online{s:20230208:play:9995a29, author = {Baran S}, title = {{Play Store App Serves Coper Via GitHub}}, date = {2023-02-08}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/}, language = {English}, urldate = {2023-05-21} } @online{s:20230510:spynote:6170e66, author = {Baran S}, title = {{spynote}}, date = {2023-05-10}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/spynote-targets-irctc-users/}, language = {English}, urldate = {2023-05-21} } @online{s:20240222:cloudrouter:2b21b29, author = {Sean S.}, title = {{CloudRouter: 911 Proxy Resurrected}}, date = {2024-02-22}, organization = {SPUR}, url = {https://spur.us/cloudrouter-911-proxy-resurrected/}, language = {English}, urldate = {2024-03-18} } @online{s:20250304:tracking:420dd62, author = {Arun Kumar S and Dhanush}, title = {{Tracking Emmenhtal}}, date = {2025-03-04}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/tracking-emmenhtal/}, language = {English}, urldate = {2025-05-12} } @online{saad:20150217:desert:7bd7326, author = {Ghareeb Saad and Mohamad Amin Hasbini}, title = {{The Desert Falcons targeted attacks}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{saad:20200311:attribution:3efcc0a, author = {Ghareeb Saad and Michael Raggi}, title = {{Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers}}, date = {2020-03-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/}, language = {English}, urldate = {2020-03-13} } @online{saadi:20241004:inside:34d4c92, author = {Diyar Saadi}, title = {{Inside Cridex - Memory Analysis Case Study}}, date = {2024-10-04}, organization = {Memory Forensic}, url = {https://memoryforensic.com/inside-cridex-memory-analysis-case-study/}, language = {English}, urldate = {2025-07-14} } @online{saavedramorales:20191020:mcafee:237cd1b, author = {Jessica Saavedra-Morales and Ryan Sherstobitoff and Christiaan Beek}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo}}, date = {2019-10-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/}, language = {English}, urldate = {2020-01-09} } @online{sabato:20221013:qakbot:f971585, author = {Raffaele Sabato}, title = {{QAKBOT BB Configuration and C2 IPs List}}, date = {2022-10-13}, organization = {Syrion}, url = {https://syrion.me/qakbot-bb-extractor/}, language = {English}, urldate = {2024-10-21} } @online{sabato:20240419:gold:5d5c6bf, author = {Raffaele Sabato}, title = {{Gold Pickaxe iOS Technical Analysis: IPA Overview and C2 Communication Start up}}, date = {2024-04-19}, url = {https://syrion.me/goldpickaxe-technical-analysis-ipa-c2/}, language = {English}, urldate = {2024-07-22} } @online{sabel:20220908:what:3293d01, author = {Cameron Sabel and Kelli Vanderlee and Alice Revelli and Sam Riddell and Alden Wahlstrom and Jon Ford and Luke McNamara}, title = {{What to Expect When You’re Electing: Preparing for Cyber Threats to the 2022 U.S. Midterm Elections}}, date = {2022-09-08}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/2022-midterm-election-threats}, language = {English}, urldate = {2022-09-19} } @online{sabin:20250627:prolific:22225b4, author = {Sam Sabin}, title = {{Prolific cybercriminal group now targeting aviation, transportation companies}}, date = {2025-06-27}, organization = {axios}, url = {https://www.axios.com/2025/06/27/aviation-transportation-sector-cyberattacks-scattered-spider}, language = {English}, urldate = {2025-07-01} } @online{sabitov:20211020:russianspeaking:8847092, author = {Ruslan Sabitov}, title = {{Russian-speaking cybercrime evolution: What changed from 2016 to 2021}}, date = {2021-10-20}, organization = {Kaspersky}, url = {https://securelist.com/russian-speaking-cybercrime-evolution-2016-2021/104656/}, language = {English}, urldate = {2021-10-26} } @online{sabouri:20180208:review:258f981, author = {Bahare Sabouri and He Xu}, title = {{A review of the evolution of Andromeda over the years before we say goodbye}}, date = {2018-02-08}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/}, language = {English}, urldate = {2021-12-01} } @online{sachdeva:20190907:thousands:2f92d9f, author = {Anmol Sachdeva}, title = {{Thousands Of Linux Servers Infected By Lilu (Lilocked) Ransomware}}, date = {2019-09-07}, organization = {Fossbytes}, url = {https://fossbytes.com/lilocked-ransomware-infected-linux-servers/}, language = {English}, urldate = {2020-01-07} } @online{sadique:20190206:qealler:475acb2, author = {Mohd Sadique}, title = {{Qealler – a new JAR-based information stealer}}, date = {2019-02-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer}, language = {English}, urldate = {2020-01-13} } @online{sadique:20200702:cybergate:b091287, author = {Mohd Sadique}, title = {{CyberGate RAT and RedLine Stealer Delivered in Ongoing AutoIt Malware Campaigns}}, date = {2020-07-02}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns}, language = {English}, urldate = {2022-02-17} } @online{sadique:20200814:purplewave:2ef459c, author = {Mohd Sadique}, title = {{PurpleWave - A New Infostealer from Russia}}, date = {2020-08-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia}, language = {English}, urldate = {2020-08-19} } @online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } @online{sadique:20210108:ransomware:7e4aa27, author = {Mohd Sadique and Pradeep Kulkarni}, title = {{Ransomware Delivered Using RDP Brute-Force Attack}}, date = {2021-01-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack}, language = {English}, urldate = {2021-02-09} } @online{sadowski:20220304:responses:0b94dae, author = {James Sadowski and Ryan Hall}, title = {{Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation}}, date = {2022-03-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation}, language = {English}, urldate = {2022-03-07} } @online{sadowski:20230320:move:afc2397, author = {James Sadowski and CASEY CHARRIER}, title = {{Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace}}, date = {2023-03-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/zero-days-exploited-2022}, language = {English}, urldate = {2023-04-22} } @online{saengphaibul:20200615:global:5c4be18, author = {Val Saengphaibul and Fred Gutierrez}, title = {{Global Malicious Spam Campaign Using Black Lives Matter as a Lure}}, date = {2020-06-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure}, language = {English}, urldate = {2020-06-16} } @online{saengphaibul:20210719:signed:d9f809c, author = {Val Saengphaibul and Fred Gutierrez}, title = {{Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader}}, date = {2021-07-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader}, language = {English}, urldate = {2021-07-26} } @online{safety:20210223:disclosing:bdbc667, author = {Twitter Safety}, title = {{Disclosing networks of state-linked information operations}}, date = {2021-02-23}, organization = {Twitter}, url = {https://blog.twitter.com/en_us/topics/company/2021/disclosing-networks-of-state-linked-information-operations-.html}, language = {English}, urldate = {2021-02-25} } @online{sahin:201709:new:896c32d, author = {Cengiz Han Sahin and Wesley Gahr}, title = {{New Android trojan targeting over 60 banks and social apps}}, date = {2017-09}, organization = {ThreatFabric}, url = {https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html}, language = {English}, urldate = {2020-01-06} } @online{sahinuppstrmer:20240115:victim:4f4cb93, author = {Viktor Sahin-Uppströmer}, title = {{A Victim of Mallox Ransomware: How Truesec CSIRT Fought Back}}, date = {2024-01-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back}, language = {English}, urldate = {2024-01-17} } @online{saikumaravel:20220511:transparent:16cdf62, author = {Saikumaravel}, title = {{Transparent Tribe Targets Educational Institution}}, date = {2022-05-11}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/}, language = {English}, urldate = {2022-05-17} } @online{saikumaravel:20220805:say:94c0448, author = {Saikumaravel}, title = {{Say NO to Nopyfy!}}, date = {2022-08-05}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/say-no-to-nopyfy/}, language = {English}, urldate = {2023-08-21} } @online{saikumaravel:20230104:pupy:f6eacce, author = {Saikumaravel}, title = {{Pupy RAT hiding under WerFault’s cover}}, date = {2023-01-04}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/}, language = {English}, urldate = {2023-01-05} } @online{saikumaravel:20240104:qakbot:360ac3a, author = {Saikumaravel}, title = {{Qakbot Returns}}, date = {2024-01-04}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/qakbot-returns/}, language = {English}, urldate = {2024-02-02} } @online{saini:20220127:north:463e590, author = {Ankur Saini and Hossein Jazi}, title = {{North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign}}, date = {2022-01-27}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/}, language = {English}, urldate = {2022-04-07} } @online{saini:20220401:new:273cbe0, author = {Ankur Saini and Roberto Santos and Hossein Jazi}, title = {{New UAC-0056 activity: There’s a Go Elephant in the room}}, date = {2022-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/}, language = {English}, urldate = {2022-04-05} } @online{saini:20220405:colibri:ee97c2e, author = {Ankur Saini and Hossein Jazi and Jérôme Segura}, title = {{Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique}}, date = {2022-04-05}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/}, language = {English}, urldate = {2022-06-09} } @online{saini:20220803:woody:0b4bbb8, author = {Ankur Saini and Hossein Jazi}, title = {{Woody RAT: A new feature-rich malware spotted in the wild}}, date = {2022-08-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/}, language = {English}, urldate = {2022-08-05} } @online{saini:20230330:3cx:82b291e, author = {Ankur Saini and Callum Roxan and Charlie Gardner and Paul Rascagnères and Steven Adair and Thomas Lancaster}, title = {{3CX Supply Chain Compromise Leads to ICONIC Incident}}, date = {2023-03-30}, organization = {Volexity}, url = {https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/}, language = {English}, urldate = {2023-03-30} } @online{saini:20230628:charming:2528a43, author = {Ankur Saini and Charlie Gardner}, title = {{Charming Kitten Updates POWERSTAR with an InterPlanetary Twist}}, date = {2023-06-28}, organization = {Volexity}, url = {https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/}, language = {English}, urldate = {2023-07-10} } @online{saini:20240213:charmingcypress:5522dca, author = {Ankur Saini and Callum Roxan and Charlie Gardner and Damien Cash}, title = {{CharmingCypress: Innovating Persistence}}, date = {2024-02-13}, organization = {Volexity}, url = {https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/}, language = {English}, urldate = {2024-03-28} } @online{saini:20240802:stormbamboo:1c7cee6, author = {Ankur Saini and Paul Rascagnères and Steven Adair and Thomas Lancaster}, title = {{StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms}}, date = {2024-08-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/}, language = {English}, urldate = {2024-08-29} } @online{sajo:20191204:how:60225fe, author = {Ken Sajo}, title = {{How to Respond to Emotet Infection (FAQ)}}, date = {2019-12-04}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html}, language = {English}, urldate = {2020-01-13} } @techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } @online{sajo:20210225:emotet:f78fb4e, author = {Ken Sajo}, title = {{Emotet Disruption and Outreach to Affected Users}}, date = {2021-02-25}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html}, language = {English}, urldate = {2021-02-25} } @online{sakaguchi:20210516:japan:a8a3cd7, author = {Yuichi Sakaguchi}, title = {{Japan lashes out against alleged Chinese military cyberattacks}}, date = {2021-05-16}, organization = {Nikkei Asia}, url = {https://asia.nikkei.com/Business/Technology/Japan-lashes-out-against-alleged-Chinese-military-cyberattacks}, language = {English}, urldate = {2021-05-17} } @online{sakai:20231227:malicious:86a7cdb, author = {Sakai}, title = {{Malicious code impersonating the National Tax Service created by Konni}}, date = {2023-12-27}, organization = {Wezard4u}, url = {https://wezard4u.tistory.com/6693}, language = {Korean}, urldate = {2024-01-02} } @online{sakai:20240816:malicious:1f8aa40, author = {Sakai}, title = {{Malicious code disguised as an msc file created by Kimsuky - Skibidi Boilet Master.msc (2024.8.16)}}, date = {2024-08-16}, organization = {Wezard4u}, url = {https://wezard4u.tistory.com/429256}, language = {Korean}, urldate = {2024-08-23} } @online{salama:20201029:several:88d8127, author = {Vivian Salama and Alex Marquardt and Lauren Mascarenhas}, title = {{Several hospitals targeted in new wave of ransomware attacks}}, date = {2020-10-29}, organization = {CNN}, url = {https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html}, language = {English}, urldate = {2020-11-02} } @online{salem:20190103:lolbins:08f0a5f, author = {Eli Salem and Lior Rochberger and Niv Yona}, title = {{LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack}}, date = {2019-01-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan}, language = {English}, urldate = {2020-01-06} } @online{salem:20190213:astaroth:ed892f0, author = {Eli Salem}, title = {{Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data}}, date = {2019-02-13}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research}, language = {English}, urldate = {2020-01-09} } @online{salem:20200528:valak:bc76772, author = {Eli Salem and Assaf Dahan and Lior Rochberger}, title = {{Valak: More than Meets the Eye}}, date = {2020-05-28}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/valak-more-than-meets-the-eye}, language = {English}, urldate = {2020-06-02} } @techreport{salem:20201117:chaes:2e3b282, author = {Eli Salem}, title = {{CHAES: Novel Malware Targeting Latin American E-Commerce}}, date = {2020-11-17}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf}, language = {English}, urldate = {2024-02-02} } @online{salem:20210119:funtastic:42f9250, author = {Eli Salem}, title = {{Funtastic Packers And Where To Find Them}}, date = {2021-01-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7}, language = {English}, urldate = {2021-01-21} } @online{salem:20210412:tweets:7b7280e, author = {Eli Salem}, title = {{Tweets on QakBot}}, date = {2021-04-12}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1381859965875462144}, language = {English}, urldate = {2021-04-14} } @online{salem:20210419:dancing:7fbe743, author = {Eli Salem}, title = {{Dancing With Shellcodes: Cracking the latest version of Guloader}}, date = {2021-04-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4}, language = {English}, urldate = {2021-04-20} } @online{salem:20210504:analysis:e2677f0, author = {Eli Salem}, title = {{Tweet on analysis of N3tw0rm ransomware}}, date = {2021-05-04}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1389481237228699650?s=20}, language = {English}, urldate = {2021-05-08} } @online{salem:20210529:obfuscation:f1b68f3, author = {Eli Salem}, title = {{Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452}}, date = {2021-05-29}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1398566939656601606}, language = {English}, urldate = {2021-08-02} } @online{salem:20210621:dissecting:295cc4b, author = {Eli Salem}, title = {{Dissecting and automating Hancitor’s config extraction}}, date = {2021-06-21}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8}, language = {English}, urldate = {2021-06-22} } @online{salem:20210921:squirrel:1254a9d, author = {Eli Salem}, title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}}, date = {2021-09-21}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9}, language = {English}, urldate = {2021-09-22} } @online{salem:20220216:highway:c1726ea, author = {Eli Salem}, title = {{Highway to Conti: Analysis of Bazarloader}}, date = {2022-02-16}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d}, language = {English}, urldate = {2022-02-17} } @online{salem:20220427:chronicles:c55d826, author = {Eli Salem}, title = {{The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection}}, date = {2022-04-27}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056}, language = {English}, urldate = {2022-04-29} } @online{salem:20221214:royal:c5960bd, author = {Eli Salem and Alon Laufer and Mark Tsipershtein}, title = {{Royal Rumble: Analysis of Royal Ransomware}}, date = {2022-12-14}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/royal-ransomware-analysis}, language = {English}, urldate = {2022-12-15} } @online{salem:20230116:dancing:3a33ea6, author = {Eli Salem}, title = {{Dancing With Shellcodes: Analyzing Rhadamanthys Stealer}}, date = {2023-01-16}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88}, language = {English}, urldate = {2023-01-16} } @techreport{sales:20220629:machete:a0bb28d, author = {Aaron Jornet Sales}, title = {{Machete Weapons Lokibot - A Malware Report}}, date = {2022-06-29}, institution = {Github (vc0RExor)}, url = {https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf}, language = {English}, urldate = {2022-06-30} } @online{sales:20241113:hawkeye:548f430, author = {Aaron Jornet Sales and ANY.RUN}, title = {{HawkEye Malware: Technical Analysis}}, date = {2024-11-13}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/hawkeye-malware-technical-analysis/}, language = {English}, urldate = {2024-12-02} } @techreport{salinas:20170612:evolucin:9930231, author = {Marc Salinas and JoséMiguel Holguín}, title = {{Evolución de Trickbot}}, date = {2017-06-12}, institution = {Security Art Work}, url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf}, language = {Spanish}, urldate = {2020-01-10} } @online{saljooki:20230421:bluenoroff:68aef87, author = {Ferdous Saljooki and Jaron Bradley}, title = {{BlueNoroff APT group targets macOS with ‘RustBucket’ Malware}}, date = {2023-04-21}, organization = {Jamf Blog}, url = {https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/}, language = {English}, urldate = {2023-04-25} } @online{salunkhe:20210901:lolbins:10a5d13, author = {Pritam Salunkhe and Shilpesh Trivedi}, title = {{LOLBins Are No Laughing Matter: How Attackers Operate Quietly}}, date = {2021-09-01}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/lolbins-are-no-laughing-matter}, language = {English}, urldate = {2021-09-06} } @online{salunkhe:20220531:warzonerat:2f3eeae, author = {Pritam Salunkhe and Shilpesh Trivedi}, title = {{WarzoneRAT Can Now Evade Detection With Process Hollowing}}, date = {2022-05-31}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing}, language = {English}, urldate = {2022-06-08} } @online{salvador:20210304:new:d226c2a, author = {Junestherry Salvador and Don Ovid Ladores and Raphael Centeno}, title = {{New in Ransomware: AlumniLocker, Humble Feature Different Extortion Techniques}}, date = {2021-03-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/new-in-ransomware-alumnilocker-humble-feature-different-extortio.html}, language = {English}, urldate = {2021-03-10} } @online{salvio:20141119:rovnix:29bc1ca, author = {Joie Salvio}, title = {{ROVNIX Infects Systems with Password-Protected Macros}}, date = {2014-11-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/}, language = {English}, urldate = {2020-01-08} } @online{salvio:20190528:threat:1e65f3f, author = {Joie Salvio}, title = {{Threat Research: New Rocke Variant Ready to Box Any Mining Challengers}}, date = {2019-05-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html}, language = {English}, urldate = {2019-11-23} } @online{salvio:20190624:gandcrab:6120cb2, author = {Joie Salvio}, title = {{GandCrab Threat Actors Retire...Maybe}}, date = {2019-06-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html}, language = {English}, urldate = {2020-01-08} } @online{salvio:20190917:nemty:761b43e, author = {Joie Salvio}, title = {{Nemty Ransomware 1.0: A Threat in its Early Stage}}, date = {2019-09-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html}, language = {English}, urldate = {2020-01-13} } @online{salvio:20220401:fresh:1ba500a, author = {Joie Salvio and Roy Tay}, title = {{Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign}}, date = {2022-04-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign}, language = {English}, urldate = {2022-04-05} } @online{salvio:20220412:enemybot:a538c47, author = {Joie Salvio and Roy Tay}, title = {{Enemybot: A Look into Keksec's Latest DDoS Botnet}}, date = {2022-04-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet}, language = {English}, urldate = {2022-04-29} } @online{salvio:20220615:new:1ae7181, author = {Joie Salvio and Roy Tay}, title = {{New IceXLoader 3.0 – Developers Warm Up to Nim}}, date = {2022-06-15}, url = {https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim}, language = {English}, urldate = {2022-07-13} } @online{salvio:20220803:so:de64b7a, author = {Joie Salvio and Roy Tay}, title = {{So RapperBot, What Ya Bruting For?}}, date = {2022-08-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery}, language = {English}, urldate = {2022-08-08} } @online{salvio:20221115:new:b7c34bb, author = {Joie Salvio and Roy Tay}, title = {{New RapperBot Campaign – We Know What You Bruting for this Time}}, date = {2022-11-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks}, language = {English}, urldate = {2022-11-21} } @online{samala:20240513:gootloader:e801127, author = {Aaron Samala}, title = {{Gootloader Isn’t Broken}}, date = {2024-05-13}, organization = {Malsada Tech}, url = {https://malasada.tech/gootloader-isnt-broken/}, language = {English}, urldate = {2024-06-04} } @online{samala:20240702:landupdate808:b51a16f, author = {Aaron Samala and April Bucaneg and Casey Kuwada}, title = {{The LandUpdate808 Fake Update Variant}}, date = {2024-07-02}, organization = {Malsada Tech}, url = {https://malasada.tech/the-landupdate808-fake-update-variant/}, language = {English}, urldate = {2025-05-20} } @online{samani:20181017:operation:0b1d8ce, author = {Raj Samani and Ryan Sherstobitoff}, title = {{‘Operation Oceansalt’ Delivers Wave After Wave}}, date = {2018-10-17}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/}, language = {English}, urldate = {2019-10-17} } @online{samani:20210514:darkside:e0b6b8d, author = {Raj Samani and Christiaan Beek}, title = {{Darkside Ransomware Victims Sold Short}}, date = {2021-05-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/}, language = {English}, urldate = {2021-05-17} } @online{samani:20220120:update:43f230d, author = {Raj Samani and Mo Cashman and Taylor Mullins}, title = {{Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update}}, date = {2022-01-20}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html}, language = {English}, urldate = {2022-01-25} } @online{samaniego:20250616:clone:cfb5a3b, author = {Jovit Samaniego and Aira Marcelo and Mohamed Fahmy and Gabriel Nicoleta}, title = {{Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub}}, date = {2025-06-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/25/f/water-curse.html}, language = {English}, urldate = {2025-06-20} } @online{sambamoorthy:20201119:ok:0fa952d, author = {Arjun Sambamoorthy}, title = {{OK Google, Build Me a Phishing Campaign}}, date = {2020-11-19}, organization = {Armorblox}, url = {https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign/}, language = {English}, urldate = {2020-11-23} } @online{samuel:20220125:weaponization:3f900f4, author = {Yaron Samuel}, title = {{Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies}}, date = {2022-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/}, language = {English}, urldate = {2022-01-28} } @online{samuel:20240923:inside:25aa15a, author = {Yaron Samuel and Dominik Reichel}, title = {{Inside SnipBot: The Latest RomCom Malware Variant}}, date = {2024-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/}, language = {English}, urldate = {2024-10-29} } @online{sanchez:20141110:timeline:a762792, author = {William Gamazo Sanchez}, title = {{Timeline of Sandworm Attacks}}, date = {2014-11-10}, organization = {Trend Micro}, url = {https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/}, language = {English}, urldate = {2023-10-05} } @online{sanchez:20141110:timeline:fd77607, author = {William Gamazo Sanchez}, title = {{Timeline of Sandworm Attacks}}, date = {2014-11-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/}, language = {English}, urldate = {2020-01-09} } @online{sanchez:20170818:kovter:31e1e79, author = {John Sanchez}, title = {{KOVTER: An Evolving Malware Gone Fileless}}, date = {2017-08-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless}, language = {English}, urldate = {2020-01-08} } @techreport{sanchez:20201019:operation:e613dd2, author = {Nelson William Gamazo Sanchez and Aliakbar Zahravi and John Zhang and Eliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C. Chen}, title = {{Operation Earth Kitsune: Tracking SLUB’s Current Operations}}, date = {2020-10-19}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf}, language = {English}, urldate = {2020-10-21} } @online{sanchez:20201028:operation:7f4b906, author = {William Gamazo Sanchez and Aliakbar Zahravi and Elliot Cao and Cedric Pernet and Daniel Lunghi and Jaromír Hořejší and Joseph C Chen and John Zhang}, title = {{Operation Earth Kitsune: A Dance of Two New Backdoors}}, date = {2020-10-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html}, language = {English}, urldate = {2020-10-29} } @online{sanchez:20201215:who:c723930, author = {William Gamazo Sanchez}, title = {{Who is the Threat Actor Behind Operation Earth Kitsune?}}, date = {2020-12-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html}, language = {English}, urldate = {2020-12-16} } @online{sanchez:20201217:credential:8d0de6b, author = {William Gamazo Sanchez and Aliakbar Zahravi}, title = {{Credential Stealer Targets US, Canadian Bank Customers}}, date = {2020-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html}, language = {English}, urldate = {2020-12-18} } @online{sanchez:20210701:purplefox:fb8c3c4, author = {William Gamazo Sanchez}, title = {{PurpleFox Using WPAD to Target Indonesian Users}}, date = {2021-07-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html}, language = {English}, urldate = {2021-07-02} } @online{sanchez:20210825:new:f09ef7d, author = {William Gamazo Sanchez and Bin Lin}, title = {{New Campaign Sees LokiBot Delivered Via Multiple Methods}}, date = {2021-08-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html}, language = {English}, urldate = {2021-08-31} } @techreport{sancho:201603:operation:b3de3b2, author = {David Sancho and Feike Hacquebord}, title = {{Operation C-Major: Information Theft Campaign Targets Military Personnel in India}}, date = {2016-03}, institution = {Trend Micro}, url = {http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf}, language = {English}, urldate = {2020-01-07} } @online{sancho:20161220:alice:048e628, author = {David Sancho and Numaan Huq}, title = {{Alice: A Lightweight, Compact, No-Nonsense ATM Malware}}, date = {2016-12-20}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/}, language = {English}, urldate = {2020-01-09} } @online{sancho:20171214:dissecting:b2287cd, author = {David Sancho and Fernando Mercês}, title = {{Dissecting PRILEX and CUTLET MAKER ATM Malware Families}}, date = {2017-12-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/}, language = {English}, urldate = {2019-12-17} } @techreport{sancho:20180330:cashing:b325dd3, author = {David Sancho and Numaan Huq and Massimiliano Michenz}, title = {{Cashing in on ATM Malware: A Comprehensive Look at Various Attack Types}}, date = {2018-03-30}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf}, language = {English}, urldate = {2020-02-27} } @online{sandapolla:20220613:robin:038fcc7, author = {Tejaswini Sandapolla}, title = {{Robin Hood Ransomware ‘GOODWILL’ Forces Victim For Charity}}, date = {2022-06-13}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/}, language = {English}, urldate = {2022-06-15} } @techreport{sandee:20150805:gameover:fa47096, author = {Michael Sandee and Tillmann Werner and Elliott Peterson}, title = {{Gameover Zeus – Bad Guys and Backends}}, date = {2015-08-05}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf}, language = {English}, urldate = {2020-01-06} } @online{sander:20220301:china:a8c83ec, author = {Matthias Sander and Shenzhen}, title = {{China soll mit präzedenzlos ausgeklügelter Malware Regierungen ausspioniert haben}}, date = {2022-03-01}, organization = {NZZ}, url = {https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292}, language = {German}, urldate = {2022-03-14} } @online{sands:20240220:worlds:ceac42d, author = {Leo Sands}, title = {{‘World’s most harmful’ cybercriminal group disrupted in 11-nation operation}}, date = {2024-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/}, language = {English}, urldate = {2024-02-20} } @online{sandvik:20211001:made:832ee10, author = {Runa Sandvik}, title = {{Made In America: Green Lambert for OS X}}, date = {2021-10-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x68.html}, language = {English}, urldate = {2021-10-24} } @online{sanger:20210102:as:ff04411, author = {David E. Sanger and Nicole Perlroth and Julian E. Barnes}, title = {{As Understanding of Russian Hacking Grows, So Does Alarm}}, date = {2021-01-02}, organization = {The New York Times}, url = {https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html}, language = {English}, urldate = {2021-01-05} } @online{sangfor:20181126:new:c43d870, author = {Sangfor}, title = {{New Lucky Ransomware Targets Linux Servers}}, date = {2018-11-26}, organization = {Sangfor}, url = {https://www.sangfor.com/source/blog-network-security/1094.html}, language = {English}, urldate = {2020-01-13} } @online{sanghun:20130320:computer:bc0bf29, author = {Choe Sang-Hun}, title = {{Computer Networks in South Korea Are Paralyzed in Cyberattacks}}, date = {2013-03-20}, organization = {The New York Times}, url = {https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html}, language = {English}, urldate = {2020-01-13} } @online{sangvikar:20221103:cobalt:9a81f6f, author = {Durgesh Sangvikar and Chris Navarrete and Matthew Tennis and Yanhui Jia and Yu Fu and Siddhart Shibiraj}, title = {{Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild}}, date = {2022-11-03}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/cobalt-strike-team-server/}, language = {English}, urldate = {2022-11-03} } @online{sanico:20170915:trojandownloaderwin32banload:01d40c5, author = {Jireh Sanico}, title = {{TrojanDownloader:Win32/Banload}}, date = {2017-09-15}, organization = {Microsoft Security Intelligence}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload}, language = {English}, urldate = {2019-10-26} } @online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/chinaz-relations/}, language = {English}, urldate = {2022-09-20} } @online{sanmillan:20190228:technical:ebec2b6, author = {Ignacio Sanmillan}, title = {{Technical Analysis: Pacha Group Deploying Undetected Cryptojacking Campaigns on Linux Servers}}, date = {2019-02-28}, organization = {Intezer}, url = {https://www.intezer.com/blog-technical-analysis-pacha-group/}, language = {English}, urldate = {2019-11-28} } @online{sanmillan:20190509:technical:7bdfc33, author = {Ignacio Sanmillan}, title = {{Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud}}, date = {2019-05-09}, organization = {Intezer}, url = {https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/}, language = {English}, urldate = {2020-01-13} } @online{sanmillan:20190529:hiddenwasp:6ebd455, author = {Ignacio Sanmillan}, title = {{HiddenWasp Malware Stings Targeted Linux Systems}}, date = {2019-05-29}, organization = {Intezer}, url = {https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/}, language = {English}, urldate = {2019-11-22} } @online{sanmillan:20190710:how:e52e04c, author = {Ignacio Sanmillan}, title = {{How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers}}, date = {2019-07-10}, organization = {Intezer}, url = {https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/}, language = {English}, urldate = {2020-01-13} } @online{sanmillan:20200120:linux:2b0cfbb, author = {Ignacio Sanmillan}, title = {{Linux Rekoobe Operating with New, Undetected Malware Samples}}, date = {2020-01-20}, organization = {Intezer}, url = {https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/}, language = {English}, urldate = {2020-01-22} } @online{sanmillan:20200513:ramsay:8608f19, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks}}, date = {2020-05-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/}, language = {English}, urldate = {2020-05-14} } @online{sanmillan:20200922:ramsay:efa8b8c, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber-espionage toolkit tailored for air-gapped networks}}, date = {2020-09-22}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=SKIu4LqMrns}, language = {English}, urldate = {2020-11-19} } @online{sanmillan:20201217:operation:6822847, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia}}, date = {2020-12-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/}, language = {English}, urldate = {2020-12-18} } @online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } @online{sanseo:20221222:nitol:ad67d69, author = {Sanseo}, title = {{Nitol DDoS Malware Installing Amadey Bot}}, date = {2022-12-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/44504/}, language = {English}, urldate = {2023-03-20} } @online{sanseo:20230309:plugx:4683b0e, author = {Sanseo}, title = {{PlugX Malware Being Distributed via Vulnerability Exploitation}}, date = {2023-03-09}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/49097/}, language = {English}, urldate = {2023-03-17} } @online{sanseo:20230628:kimsuky:342e1c2, author = {Sanseo}, title = {{Kimsuky Attack Group Abusing Chrome Remote Desktop}}, date = {2023-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/54804/}, language = {Korean}, urldate = {2023-07-16} } @online{sanseo:20230822:analysis:2df9da0, author = {Sanseo}, title = {{Analysis of APT Attack Cases Targeting Web Services of Korean Corporations}}, date = {2023-08-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/56236/}, language = {English}, urldate = {2023-11-17} } @online{sanseo:20230831:analysis:c771be9, author = {Sanseo}, title = {{Analysis of Andariel’s New Attack Activities}}, date = {2023-08-31}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/56405/}, language = {English}, urldate = {2023-09-01} } @online{sanseo:20230904:chm:0194a5a, author = {Sanseo}, title = {{CHM Malware Using Fukushima Contaminated Water Discharge: RedEyes (ScarCruft)}}, date = {2023-09-04}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/56654/}, language = {English}, urldate = {2023-09-07} } @online{sanseo:20230905:blueshell:da706ff, author = {Sanseo}, title = {{BlueShell malware used in APT attacks targeting Korea and Thailand}}, date = {2023-09-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/56715/}, language = {Korean}, urldate = {2023-09-07} } @online{sanseo:20230911:blueshell:cb4c87d, author = {Sanseo}, title = {{BlueShell Used in APT Attacks Against Korean and Thai Targets}}, date = {2023-09-11}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/56941/}, language = {English}, urldate = {2023-11-17} } @online{sanseo:20231228:trend:cb647a8, author = {Sanseo}, title = {{Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed}}, date = {2023-12-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/60054/}, language = {English}, urldate = {2024-01-02} } @online{sanseo:20240130:trigona:5968844, author = {Sanseo}, title = {{Trigona Ransomware Threat Actor Uses Mimic Ransomware}}, date = {2024-01-30}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/61000/}, language = {English}, urldate = {2024-03-04} } @online{sant:20200812:retour:1243ccf, author = {CERT Santé}, title = {{Retour d’expérience suite à une attaque par rançongiciel contre une structure de santé}}, date = {2020-08-12}, organization = {CERT Santé}, url = {https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une}, language = {French}, urldate = {2021-08-03} } @online{santamarta:20220331:viasat:49e5dce, author = {Ruben Santamarta}, title = {{VIASAT incident: from speculation to technical details.}}, date = {2022-03-31}, organization = {reversemode}, url = {https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html}, language = {English}, urldate = {2022-04-05} } @online{santo:20241117:post:b59f41c, author = {Alessio Di Santo and Luca Di Domenico}, title = {{Post about Tsunami}}, date = {2024-11-17}, url = {https://www.linkedin.com/posts/alessio-di-santo-712348197_iocs-ttps-lazarusgroup-activity-7263976334807220224-N6Ue/}, language = {English}, urldate = {2025-02-10} } @online{santos:20160122:plugx:580fcff, author = {Norton Santos}, title = {{PlugX APT Malware}}, date = {2016-01-22}, organization = {RSA Link}, url = {https://community.rsa.com/thread/185439}, language = {English}, urldate = {2020-01-13} } @online{santos:20160122:sykipot:942f0f0, author = {Norton Santos}, title = {{Sykipot APT Malware}}, date = {2016-01-22}, organization = {RSA}, url = {https://community.rsa.com/thread/185437}, language = {English}, urldate = {2020-01-08} } @online{santos:20200310:joint:026a3be, author = {Valter Santos}, title = {{Joint Effort with Microsoft to Disrupt Massive Criminal Botnet Necurs}}, date = {2020-03-10}, organization = {BitSight}, url = {https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs}, language = {English}, urldate = {2023-10-18} } @online{santos:20200603:threat:0ae192e, author = {Doel Santos and Alex Hinchliffe}, title = {{Threat Assessment: Hangover Threat Group}}, date = {2020-06-03}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group}, language = {English}, urldate = {2020-06-08} } @online{santos:20200603:threat:37e881b, author = {Doel Santos and Alex Hinchliffe}, title = {{Threat Assessment: Hangover Threat Group}}, date = {2020-06-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/}, language = {English}, urldate = {2022-03-16} } @techreport{santos:20201012:winnti:597eacc, author = {Roberto Santos and Hossein Jazi and Jérôme Segura and Malwarebytes Threat Intelligence Team}, title = {{Winnti APT group docks in Sri Lanka for new campaign}}, date = {2020-10-12}, institution = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf}, language = {English}, urldate = {2022-11-18} } @online{santos:20201208:threat:033a653, author = {Doel Santos and Brittany Barbehenn and Robert Falcone}, title = {{Threat Assessment: Egregor Ransomware}}, date = {2020-12-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/}, language = {English}, urldate = {2020-12-09} } @online{santos:20210413:threat:7154f80, author = {Doel Santos}, title = {{Threat Assessment: Clop Ransomware}}, date = {2021-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/clop-ransomware/}, language = {English}, urldate = {2021-04-14} } @online{santos:20210609:prometheus:e4fdf9e, author = {Doel Santos}, title = {{Prometheus Ransomware Gang: A Group of REvil?}}, date = {2021-06-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prometheus-ransomware/}, language = {English}, urldate = {2021-06-09} } @online{santos:20220126:konni:589b447, author = {Roberto Santos}, title = {{KONNI evolves into stealthier RAT}}, date = {2022-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/}, language = {English}, urldate = {2022-01-31} } @online{santos:20220610:exposing:f66db25, author = {Doel Santos and Daniel Bunce}, title = {{Exposing HelloXD Ransomware and x4k}}, date = {2022-06-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/helloxd-ransomware}, language = {English}, urldate = {2022-06-11} } @online{santos:20220713:cobalt:5d47ba1, author = {Roberto Santos and Hossein Jazi}, title = {{Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign}}, date = {2022-07-13}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/}, language = {English}, urldate = {2022-07-14} } @online{santos:20230509:threat:c231c7f, author = {Doel Santos and Daniel Bunce and Anthony Galiette}, title = {{Threat Assessment: Royal Ransomware}}, date = {2023-05-09}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/royal-ransomware/}, language = {English}, urldate = {2023-05-10} } @online{santos:20230510:uncovering:9a14162, author = {Roberto Santos and Hossein Jazi}, title = {{Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020}}, date = {2023-05-10}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger}, language = {English}, urldate = {2023-07-17} } @online{santos:20241015:silent:2e39da6, author = {Jacob Santos and Cj Arsley Mateo and Sarah Pearl Camiling and Trend Micro Research}, title = {{Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions}}, date = {2024-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html}, language = {English}, urldate = {2024-11-07} } @online{sanz:20240912:crystal:33dd871, author = {Lidia López Sanz and KrakenLabs}, title = {{Crystal Rans0m: Emerging hybrid ransomware with stealer capabilities}}, date = {2024-09-12}, organization = {Outpost24}, url = {https://outpost24.com/blog/crystal-ransom-hybrid-ransomware/}, language = {English}, urldate = {2024-11-26} } @online{sapaden:20210126:phishing:9b3dbb3, author = {Bernard Sapaden and Mohammed Mohsin Dalla and Rahul Mohandas and Sachin Shukla and Srini Seethapathy and Sujnani Ravindra}, title = {{Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication}}, date = {2021-01-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff-obfuscation-telegram-communications.html}, language = {English}, urldate = {2021-01-29} } @online{sapir:20170130:downeks:07fcd1e, author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant}, title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}}, date = {2017-01-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{sapir:20170130:downeks:8ed6329, author = {Mashav Sapir and Tomer Bar and Netanel Rimer and Taras Malivanchuk and Yaron Samuel and Simon Conant}, title = {{Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments}}, date = {2017-01-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments}, language = {English}, urldate = {2019-12-20} } @online{sapphire:20201112:diving:6b388eb, author = {Sapphire}, title = {{Diving into the Sun — SunCrypt: A new neighbour in the ransomware mafia}}, date = {2020-11-12}, organization = {Medium Sapphirex00}, url = {https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83}, language = {English}, urldate = {2020-11-23} } @online{saraga:20220311:is:334581f, author = {Eric Saraga}, title = {{Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack}}, date = {2022-03-11}, organization = {Varonis}, url = {https://www.varonis.com/blog/synthetic-sid}, language = {English}, urldate = {2022-03-14} } @online{sarah:20160101:die:38fdb90, author = {Sarah}, title = {{Die erste Ransomware in JavaScript: Ransom32}}, date = {2016-01-01}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/}, language = {German}, urldate = {2020-03-06} } @online{sarah:20160629:apocalypse:b7b0a17, author = {Sarah}, title = {{Apocalypse: Ransomware which targets companies through insecure RDP}}, date = {2016-06-29}, organization = {Emsisoft}, url = {http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/}, language = {English}, urldate = {2019-10-14} } @techreport{sardinha:20250328:from:99ffb2e, author = {David Sardinha}, title = {{From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025}}, date = {2025-03-28}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2025/03/TLP-CLEAR-From-espionage-to-PsyOps-Tracking-operations-and-infrastructure-of-UACs-in-2025-EN-1.pdf}, language = {English}, urldate = {2025-04-01} } @techreport{sardinha:20250530:bthoster:22f9ec0, author = {David Sardinha}, title = {{BtHoster: Identifying noisy networks emitting malicious traffic through masscan servers}}, date = {2025-05-30}, institution = {Intrinsec}, url = {https://www.intrinsec.com/wp-content/uploads/2025/05/TLP-CLEAR-BtHoster-Identifying-noisy-networks-emitting-malicious-traffic-through-masscan-servers-1.pdf}, language = {English}, urldate = {2025-06-02} } @online{sardiwal:20180918:fallout:493e91c, author = {Manish Sardiwal and Muhammad Umair and Zain Gardezi}, title = {{Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware}}, date = {2018-09-18}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware}, language = {English}, urldate = {2024-01-31} } @online{sarviya:20230301:sectoprat:0d61ee0, author = {sarviya}, title = {{SecTopRAT: A Dangerous Remote Access Trojan Spreading Through Google Fake Ads}}, date = {2023-03-01}, organization = {Medium SarvivaMalwareAnalyst}, url = {https://medium.com/@sarviyamalwareanalyst/sectoprat-a-dangerous-remote-access-trojan-spreading-through-google-fake-ads-0c43a15c1cd8}, language = {English}, urldate = {2025-03-05} } @online{sarviya:20250221:process:92a895f, author = {sarviya}, title = {{Process Hollowing — Malware Reverse Engineering.}}, date = {2025-02-21}, organization = {Medium SarvivaMalwareAnalyst}, url = {https://medium.com/@sarviyamalwareanalyst/process-hollowing-malware-reverse-engineering-37d77a526fc4}, language = {English}, urldate = {2025-03-05} } @online{sarviya:20250306:xworm:0070740, author = {sarviya}, title = {{XWorm Attack Chain: Leveraging Steganography from Phishing Email to Keylogging via C2 Communication}}, date = {2025-03-06}, organization = {Medium SarvivaMalwareAnalyst}, url = {https://sarviyamalwareanalyst.medium.com/xworm-attack-chain-leveraging-steganography-from-phishing-email-to-keylogging-via-c2-communication-f3a4c91dfd06}, language = {English}, urldate = {2025-03-06} } @online{sasaki:20250120:actor:3d62185, author = {Hayato Sasaki}, title = {{APT actor classification “addiction” - Practical issues of attribution seen in Lazarus subgroup classification}}, date = {2025-01-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2025/01/grouping-lazarus-subgroups.html}, language = {Japanese}, urldate = {2025-01-26} } @online{sasaki:20250325:tempted:459f2bb, author = {Hayato Sasaki}, title = {{Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup}}, date = {2025-03-25}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html}, language = {English}, urldate = {2025-03-27} } @online{sasi:20210620:sorcery:029bf20, author = {Ashwathi Sasi}, title = {{The Sorcery of Malware Reverse Engineering}}, date = {2021-06-20}, url = {https://docs.google.com/presentation/d/1W3GbGnRGBqqvS4Cbz3I2CzH6eJO3JRujWW83tUdFHdE}, language = {English}, urldate = {2021-06-22} } @online{sason:20211102:blackmatter:f72b080, author = {Dvir Sason}, title = {{BlackMatter Ransomware: In-Depth Analysis & Recommendations}}, date = {2021-11-02}, organization = {Varonis}, url = {https://www.varonis.com/blog/blackmatter-ransomware/}, language = {English}, urldate = {2021-11-03} } @online{sasson:20200827:cetus:52c6ea8, author = {Aviv Sasson}, title = {{Cetus: Cryptojacking Worm Targeting Docker Daemons}}, date = {2020-08-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/}, language = {English}, urldate = {2020-08-31} } @online{sasson:20210128:proocean:1d9aa09, author = {Aviv Sasson}, title = {{Pro-Ocean: Rocke Group’s New Cryptojacking Malware}}, date = {2021-01-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/}, language = {English}, urldate = {2021-01-29} } @online{sasson:20210326:20:5d030d7, author = {Aviv Sasson}, title = {{20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub}}, date = {2021-03-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/}, language = {English}, urldate = {2021-03-31} } @online{sassoon:20170905:kingdom:a5af205, author = {Alessandro Marazzi Sassoon and Rinith Taing}, title = {{Kingdom targeted by new malware}}, date = {2017-09-05}, organization = {Phnom Penh Post}, url = {https://www.phnompenhpost.com/national/kingdom-targeted-new-malware}, language = {English}, urldate = {2019-12-19} } @online{satpathy:20210114:you:f7f99aa, author = {Ghanashyam Satpathy and Dagmawi Mulugeta}, title = {{You Can Run, But You Can’t Hide: Advanced Emotet Updates}}, date = {2021-01-14}, organization = {Netskope}, url = {https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates}, language = {English}, urldate = {2021-01-18} } @online{satpathy:20210629:not:9499b3d, author = {Ghanashyam Satpathy and Jenko Hwong}, title = {{Not Laughing: Malicious Office Documents using LoLBins}}, date = {2021-06-29}, organization = {Netskope}, url = {https://www.netskope.com/blog/not-laughing-malicious-office-documents-using-lolbins}, language = {English}, urldate = {2021-07-02} } @online{satter:20180508:russian:8731568, author = {Raphael Satter}, title = {{Russian hackers posed as IS to threaten military wives}}, date = {2018-05-08}, organization = {AP News}, url = {https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f}, language = {English}, urldate = {2020-01-07} } @online{satter:20200323:exclusive:69223ea, author = {Raphael Satter and Jack Stubbs and Christopher Bing}, title = {{Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike}}, date = {2020-03-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN}, language = {English}, urldate = {2020-03-26} } @online{satter:20201030:russian:4fdafef, author = {Raphael Satter and Christopher Bing and Joel Schectman}, title = {{Russian hackers targeted California, Indiana Democratic parties}}, date = {2020-10-30}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-election-cyber-russia-exclusive-idUSKBN27F1CP}, language = {English}, urldate = {2020-11-02} } @online{satter:20201216:exclusivesuspected:8607549, author = {Raphael Satter}, title = {{Exclusive-Suspected Chinese hackers stole camera footage from African Union - memo}}, date = {2020-12-16}, organization = {Reuters}, url = {https://www.reuters.com/article/us-ethiopia-african-union-cyber-exclusiv-idUSKBN28Q1DB}, language = {English}, urldate = {2020-12-17} } @online{satter:20220304:details:66f903a, author = {Raphael Satter}, title = {{Details of another big ransomware group 'Trickbot' leak online, experts say}}, date = {2022-03-04}, organization = {Reuters}, url = {https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/}, language = {English}, urldate = {2022-03-07} } @online{satter:20220525:russian:0d05639, author = {Raphael Satter and James Pearson and Christopher Bing}, title = {{Russian hackers are linked to new Brexit leak website, Google says}}, date = {2022-05-25}, organization = {Reuters}, url = {https://www.reuters.com/technology/exclusive-russian-hackers-are-linked-new-brexit-leak-website-google-says-2022-05-25/}, language = {English}, urldate = {2022-05-25} } @online{saudel:20180330:badflick:c531d01, author = {Florent Saudel}, title = {{BADFLICK is not so bad!}}, date = {2018-03-30}, organization = {AmosSys}, url = {https://blog.amossys.fr/badflick-is-not-so-bad.html}, language = {English}, urldate = {2020-01-08} } @online{saunders:20210128:emotet:19b0313, author = {Dan Saunders}, title = {{Emotet disruption - Europol counterattack}}, date = {2021-01-28}, organization = {NTT}, url = {https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack}, language = {English}, urldate = {2021-01-29} } @online{savage:20151221:backdoorelmost:3dac66f, author = {Kevin Savage}, title = {{Backdoor.Elmost}}, date = {2015-12-21}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2015-122210-5724-99}, language = {English}, urldate = {2019-07-09} } @online{savage:20151221:downloaderironhalo:028233f, author = {Kevin Savage}, title = {{Downloader.Ironhalo}}, date = {2015-12-21}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2015-122210-5128-99}, language = {English}, urldate = {2019-11-27} } @online{savage:20250114:more:34c1203, author = {Savage}, title = {{More Than Malware Families: Retooling Our Approach to Tracking Software}}, date = {2025-01-14}, organization = {Vertex}, url = {https://vertex.link/blogs/more-than-malware-families/}, language = {English}, urldate = {2025-01-27} } @online{savage:20250122:categorizing:2ece4ce, author = {Savage}, title = {{Categorizing Software with Code Families}}, date = {2025-01-22}, organization = {Vertex}, url = {https://vertex.link/blogs/categorizing-software-with-code-families/}, language = {English}, urldate = {2025-01-27} } @online{savelesky:20190723:abadbabe:061c7a8, author = {Kristina Savelesky and Ed Miles and Justin Warner}, title = {{ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling}}, date = {2019-07-23}, organization = {Gigamon}, url = {https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/}, language = {English}, urldate = {2020-02-09} } @online{savelesky:20190723:abadbabe:7d07c9b, author = {Kristina Savelesky and Ed Miles and Justin Warner}, title = {{ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling}}, date = {2019-07-23}, organization = {Gigamon}, url = {https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/}, language = {English}, urldate = {2023-08-31} } @online{sawhney:20220902:what:450da65, author = {Mehardeep Singh Sawhney}, title = {{What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis}}, date = {2022-09-02}, organization = {Cloudsek}, url = {https://cloudsek.com/what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis/}, language = {English}, urldate = {2022-10-25} } @online{saxena:20200618:maze:76ca64b, author = {Preksha Saxena}, title = {{Maze ransomware continues to be a threat to the consumers}}, date = {2020-06-18}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/}, language = {English}, urldate = {2020-07-02} } @online{scarfo:20170118:finding:d28d23c, author = {Andrea Scarfo}, title = {{Finding the RAT’s Nest}}, date = {2017-01-18}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/}, language = {English}, urldate = {2019-11-27} } @online{scelarityio:20211118:art:6d4757c, author = {scelarity.IO}, title = {{The Art of PerSwaysion Investigation of a Long-Lived Phishing Kit}}, date = {2021-11-18}, organization = {scelarityIO}, url = {https://www.seclarity.io/resources/blog/the-art-of-perswaysion-phishing-kit/}, language = {English}, urldate = {2021-11-19} } @techreport{scenarelli:20191122:need:00f7cef, author = {Sveva Vittoria Scenarelli and Rachel Mullan}, title = {{Need for PLEAD: BlackTech Pursuit}}, date = {2019-11-22}, institution = {SANS Cyber Security Summit}, url = {https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf}, language = {English}, urldate = {2021-01-25} } @techreport{scenarelli:20200904:to:f6dd57b, author = {Sveva Vittoria Scenarelli}, title = {{To catch a Banshee: How Kimsuky’s tradecraft betrays its complementary campaigns and mission}}, date = {2020-09-04}, institution = {VB Localhost}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf}, language = {English}, urldate = {2021-04-30} } @techreport{scenarelli:20211007:back:d7e0e71, author = {Sveva Vittoria Scenarelli and Adam Prescott}, title = {{Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits}}, date = {2021-10-07}, institution = {VB Localhost}, url = {https://vblocalhost.com/uploads/VB2021-50.pdf}, language = {English}, urldate = {2022-06-29} } @online{scenarelli:20220811:talent:faaba19, author = {Sveva Vittoria Scenarelli and Allison Wikoff}, title = {{Talent Need Not Apply. Tradecraft and Objectives of Job-themed APT Social Engineering}}, date = {2022-08-11}, organization = {PWC}, url = {https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjCk7uOzMP-AhXOYMAKHYtLCKkQFnoECBIQAQ&url=https%3A%2F%2Fi.blackhat.com%2FUSA-22%2FThursday%2FUS-22-Wikoff-Talent-Need-Not-Apply.pdf&usg=AOvVaw0deqd7ozZyRTfSBOBmlbiG}, language = {English}, urldate = {2023-04-25} } @online{scenarelli:20231120:king:0624a7c, author = {Sveva Vittoria Scenarelli}, title = {{King of Thieves: Black Alicanto and the Ecosystem of North Korea-Based Cyber Operations}}, date = {2023-11-20}, organization = {PWC}, url = {https://sansorg.egnyte.com/dl/3P3HxFiNgL}, language = {English}, urldate = {2023-12-11} } @online{schectman:20220218:how:5e6b66c, author = {Joel Schectman and Christopher Bing}, title = {{How a Saudi woman's iPhone revealed hacking around the world}}, date = {2022-02-18}, organization = {Reuters}, url = {https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/}, language = {English}, urldate = {2022-02-19} } @online{schectman:20220929:americas:b89f590, author = {Joel Schectman and Bozorgmehr Sharafedin}, title = {{America’s Throwaway Spies How the CIA failed Iranian informants in its secret war with Tehran}}, date = {2022-09-29}, organization = {Reuters}, url = {https://www.reuters.com/investigates/special-report/usa-spies-iran/}, language = {English}, urldate = {2022-09-30} } @online{scheuerman:201910:dont:11aa9dc, author = {Karl Scheuerman and Piotr Wojtyla}, title = {{Don't miss the forest for the trees gleaning hunting value from too much intrusion data}}, date = {2019-10}, organization = {CrowdStrike}, url = {https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html}, language = {English}, urldate = {2021-03-31} } @online{scheuerman:20191114:mitre:45c59cb, author = {Karl Scheuerman and Piotr Wojtyla}, title = {{MITRE ATT&CKcon 2.0: How a Threat Hunting Team Has Upgraded Its Use of ATT&CK}}, date = {2019-11-14}, organization = {Youtube (mitrecorp)}, url = {https://youtu.be/hAsKp43AZmM?t=1027}, language = {English}, urldate = {2020-04-28} } @online{schick:20151106:omnirat:9ac8a54, author = {Shane Schick}, title = {{OmniRAT Takes Over Android Devices Through Social Engineering Tricks}}, date = {2015-11-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/}, language = {English}, urldate = {2020-01-06} } @online{schierl:20110710:facts:fb33368, author = {Michael Schierl}, title = {{Facts and myths about antivirus evasion with Metasploit}}, date = {2011-07-10}, url = {http://schierlm.users.sourceforge.net/avevasion.html}, language = {English}, urldate = {2020-08-24} } @techreport{schipor:20210218:iranian:a6516fb, author = {Gheorghe Adrian Schipor and Rickey Gevers and Cristina Vatamanu}, title = {{Iranian APT Makes a Comeback with “Thunder and Lightning” Backdoor and Espionage Combo}}, date = {2021-02-18}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf}, language = {English}, urldate = {2021-02-20} } @online{schlpfer:20210119:dridex:a8b3da4, author = {Patrick Schläpfer}, title = {{Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs}}, date = {2021-01-19}, organization = {HP}, url = {https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/}, language = {English}, urldate = {2021-01-21} } @online{schlpfer:20210414:from:6649630, author = {Patrick Schläpfer}, title = {{From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411}}, date = {2021-04-14}, organization = {HP}, url = {https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/}, language = {English}, urldate = {2021-04-16} } @online{schlpfer:20210628:snake:bf10d9d, author = {Patrick Schläpfer}, title = {{Snake Keylogger’s Many Skins: Analysing Code Reuse Among Infostealers}}, date = {2021-06-28}, organization = {HP}, url = {https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/}, language = {English}, urldate = {2021-06-29} } @online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } @online{schlpfer:20210919:mirrorblast:a81e63c, author = {Patrick Schläpfer}, title = {{MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures}}, date = {2021-09-19}, organization = {HP}, url = {https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/}, language = {English}, urldate = {2021-10-24} } @online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } @online{schlpfer:20211209:emotets:aa090a7, author = {Patrick Schläpfer}, title = {{Emotet’s Return: What’s Different?}}, date = {2021-12-09}, organization = {HP}, url = {https://threatresearch.ext.hp.com/emotets-return-whats-different/}, language = {English}, urldate = {2022-01-18} } @online{schlpfer:20220114:how:0795917, author = {Patrick Schläpfer}, title = {{How Attackers Use XLL Malware to Infect Systems}}, date = {2022-01-14}, organization = {HP}, url = {https://threatresearch.ext.hp.com/how-attackers-use-xll-malware-to-infect-systems/}, language = {English}, urldate = {2022-01-18} } @online{schlpfer:20220208:attackers:1a91251, author = {Patrick Schläpfer}, title = {{Attackers Disguise RedLine Stealer as a Windows 11 Upgrade}}, date = {2022-02-08}, organization = {HP}, url = {https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/}, language = {English}, urldate = {2022-02-14} } @online{schlpfer:20220412:malware:5032799, author = {Patrick Schläpfer}, title = {{Malware Campaigns Targeting African Banking Sector}}, date = {2022-04-12}, organization = {HP}, url = {https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/}, language = {English}, urldate = {2022-04-15} } @online{schlpfer:20220504:tips:f12f7ba, author = {Patrick Schläpfer}, title = {{Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware}}, date = {2022-05-04}, organization = {HP}, url = {https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/}, language = {English}, urldate = {2022-05-05} } @online{schlpfer:20220520:pdf:34ac538, author = {Patrick Schläpfer}, title = {{PDF Malware Is Not Yet Dead}}, date = {2022-05-20}, organization = {HP}, url = {https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/}, language = {English}, urldate = {2022-05-24} } @online{schlpfer:20220606:svcready:c673858, author = {Patrick Schläpfer}, title = {{SVCReady: A New Loader Gets Ready}}, date = {2022-06-06}, organization = {HP}, url = {https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/}, language = {English}, urldate = {2022-06-08} } @online{schlpfer:20220715:stealthy:3163fd9, author = {Patrick Schläpfer}, title = {{Stealthy OpenDocument Malware Deployed Against Latin American Hotels}}, date = {2022-07-15}, organization = {HP}, url = {https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#}, language = {English}, urldate = {2022-10-24} } @online{schlpfer:20221013:magniber:8c9b6f4, author = {Patrick Schläpfer}, title = {{Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates}}, date = {2022-10-13}, organization = {HP}, url = {https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/}, language = {English}, urldate = {2022-10-24} } @online{schmidt:20140519:5:fcd4c7c, author = {Michael S. Schmidt and David E. Sanger}, title = {{5 in China Army Face U.S. Charges of Cyberattacks}}, date = {2014-05-19}, organization = {The New York Times}, url = {https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html}, language = {English}, urldate = {2020-01-13} } @online{schmidt:20250618:feeling:c7e7b7e, author = {Alden Schmidt and Stuart Ashenbrenner and Jonathan Semon}, title = {{Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion}}, date = {2025-06-18}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis}, language = {English}, urldate = {2025-06-20} } @online{schmitt:20200917:ransomwares:ca3dcee, author = {Drew Schmitt}, title = {{Ransomware’s New Trend: Exfiltration and Extortion}}, date = {2020-09-17}, organization = {CRYPSIS}, url = {https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion}, language = {English}, urldate = {2020-11-09} } @online{schmitt:20210330:yet:9855592, author = {Drew Schmitt}, title = {{Yet Another Cobalt Strike Stager: GUID Edition}}, date = {2021-03-30}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/}, language = {English}, urldate = {2021-04-06} } @online{schmitt:20210423:mount:ccc9271, author = {Drew Schmitt}, title = {{Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation}}, date = {2021-04-23}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/}, language = {English}, urldate = {2021-04-28} } @online{schmitt:20210514:from:944b5f1, author = {Drew Schmitt}, title = {{From ZLoader to DarkSide: A Ransomware Story}}, date = {2021-05-14}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/}, language = {English}, urldate = {2021-05-17} } @online{schmitt:20210921:ransomware:7c6144d, author = {Drew Schmitt}, title = {{A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike}}, date = {2021-09-21}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/}, language = {English}, urldate = {2021-09-22} } @online{schmitt:20220208:using:0b08b47, author = {Drew Schmitt}, title = {{Using Hindsight to Close a Cuba Cold Case}}, date = {2022-02-08}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/}, language = {English}, urldate = {2022-03-28} } @online{schmittle:20230427:lookout:3956976, author = {Kyle Schmittle and Alemdar Islamoglu and Paul Shunk and Justin Albrecht}, title = {{Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy}}, date = {2023-04-27}, organization = {Lookout}, url = {https://www.lookout.com/blog/iranian-spyware-bouldspy}, language = {English}, urldate = {2023-05-30} } @online{schmittle:20241211:lookout:5190e7b, author = {Kyle Schmittle and Paul Shunk}, title = {{Lookout Discovers Two Russian Android Spyware Families from Gamaredon APT}}, date = {2024-12-11}, organization = {Lookout}, url = {https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware}, language = {English}, urldate = {2024-12-13} } @online{schmutz:20240514:forensic:0265322, author = {Dominic Schmutz and Robin Rapp and Benjamin Fehrensen}, title = {{Forensic analysis of hook Android malware}}, date = {2024-05-14}, organization = {Bern University of Applied Science}, url = {https://www.sciencedirect.com/science/article/pii/S266628172400088X}, language = {English}, urldate = {2024-06-05} } @online{schneider:20220919:evolution:b793a9d, author = {Abe Schneider and Bethany Hardin and Lavine Oluoch}, title = {{The Evolution of the Chromeloader Malware}}, date = {2022-09-19}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html}, language = {English}, urldate = {2022-09-20} } @online{schoen:20220210:walk:086e9db, author = {Ryan Schoen}, title = {{A walk through Project Zero metrics}}, date = {2022-02-10}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html}, language = {English}, urldate = {2022-02-14} } @online{schoenfeld:20210504:transferring:ed44b55, author = {Justin Schoenfeld and Aaron Didier}, title = {{Transferring leverage in a ransomware attack}}, date = {2021-05-04}, organization = {Red Canary}, url = {https://redcanary.com/blog/rclone-mega-extortion/}, language = {English}, urldate = {2021-05-07} } @online{scholten:20230413:detecting:18cb661, author = {Sam Scholten}, title = {{Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction}}, date = {2023-04-13}, organization = {Sublime}, url = {https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction}, language = {English}, urldate = {2023-04-18} } @online{schondorfer:20220504:old:47943c4, author = {Brandan Schondorfer and Nader Zaveri and Tyler McLellan and Jennifer Brito}, title = {{Old Services, New Tricks: Cloud Metadata Abuse by UNC2903}}, date = {2022-05-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903}, language = {English}, urldate = {2022-05-05} } @online{schrmann:20241213:technical:2912687, author = {Louis Schürmann}, title = {{Technical Analysis: Magecart Skimmer}}, date = {2024-12-13}, organization = {Medium 0x_b0mb3r}, url = {https://medium.com/@0x_b0mb3r/technical-analysis-magecart-skimmer-da099d897e38}, language = {English}, urldate = {2024-12-20} } @online{schroeder:20180924:github:18ba3a2, author = {Will Schroeder}, title = {{Github Repo for Rubeus}}, date = {2018-09-24}, organization = {Github (GhostPack)}, url = {https://github.com/GhostPack/Rubeus}, language = {English}, urldate = {2025-01-15} } @online{schroeder:20200811:cookiejar:8fd0fd9, author = {Nick Schroeder and Harris Ansari and Brendan McKeague and Tim Martin and Alex Pennino}, title = {{COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module}}, date = {2020-08-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/08/cookiejar-tracking-adversaries-with-fireeye-endpoint-security-module.html}, language = {English}, urldate = {2020-08-14} } @online{schwartz:20130617:crowdstrike:c4fc672, author = {Mathew J. Schwartz}, title = {{CrowdStrike Falcon Traces Attacks Back To Hackers}}, date = {2013-06-17}, organization = {DARKReading}, url = {http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?}, language = {English}, urldate = {2020-01-07} } @online{schwartz:20160516:vietnamese:0730aab, author = {Mathew J. Schwartz}, title = {{Vietnamese Bank Blocks $1 Million SWIFT Heist}}, date = {2016-05-16}, organization = {Bankinfo Security}, url = {https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105}, language = {English}, urldate = {2020-01-08} } @online{schwartz:20201112:darkside:baeed17, author = {Mathew J. Schwartz}, title = {{Darkside Ransomware Gang Launches Affiliate Program}}, date = {2020-11-12}, organization = {databreachtoday}, url = {https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968}, language = {English}, urldate = {2020-11-18} } @online{schwartz:20211230:vice:70dac62, author = {Mathew J. Schwartz}, title = {{Vice Society: Ransomware Gang Disrupted Spar Stores}}, date = {2021-12-30}, organization = {GovInfo Security}, url = {https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225}, language = {English}, urldate = {2022-01-03} } @online{schwartz:20220222:cybercrime:ccc094e, author = {Matthew J. Schwartz}, title = {{Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware}}, date = {2022-02-22}, organization = {Bankinfo Security}, url = {https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573}, language = {English}, urldate = {2022-02-26} } @online{schwartz:20230727:are:9f673e9, author = {Mathew J. Schwartz}, title = {{Are Akira Ransomware's Crypto-Locking Malware Days Numbered?}}, date = {2023-07-27}, organization = {Bankinfo Security}, url = {https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480}, language = {English}, urldate = {2024-01-09} } @online{schwarz:20150421:bedeps:5608ce2, author = {Dennis Schwarz}, title = {{Bedep’s DGA: Trading Foreign Exchange for Malware Domains}}, date = {2015-04-21}, organization = {Arbor Networks}, url = {https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/}, language = {English}, urldate = {2023-03-23} } @online{schwarz:20161219:dismantling:b7af8dd, author = {Dennis Schwarz}, title = {{Dismantling a Nuclear Bot}}, date = {2016-12-19}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/}, language = {English}, urldate = {2020-01-09} } @online{schwarz:20170609:another:ea77337, author = {Dennis Schwarz}, title = {{Another Banker Enters the Matrix}}, date = {2017-06-09}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/}, language = {English}, urldate = {2020-01-08} } @online{schwarz:20170712:lockpos:c5394b5, author = {Dennis Schwarz}, title = {{LockPoS Joins the Flock}}, date = {2017-07-12}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/}, language = {English}, urldate = {2020-01-06} } @online{schwarz:20170920:formidable:654d8e3, author = {Dennis Schwarz}, title = {{The Formidable FormBook Form Grabber}}, date = {2017-09-20}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/}, language = {English}, urldate = {2019-07-09} } @online{schwarz:20171025:snatchloader:c3476ee, author = {Dennis Schwarz}, title = {{SnatchLoader Reloaded}}, date = {2017-10-25}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/}, language = {English}, urldate = {2020-01-07} } @online{schwarz:20180308:donot:39171ec, author = {Dennis Schwarz and Jill Sopko and Richard Hummel and Hardik Modi}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia}, language = {English}, urldate = {2019-10-16} } @online{schwarz:20180327:panda:7316fab, author = {Dennis Schwarz}, title = {{Panda Banker Zeros in on Japanese Targets}}, date = {2018-03-27}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/}, language = {English}, urldate = {2019-12-24} } @online{schwarz:20190109:servhelper:e20586c, author = {Dennis Schwarz and Proofpoint Staff}, title = {{ServHelper and FlawedGrace - New malware introduced by TA505}}, date = {2019-01-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505}, language = {English}, urldate = {2019-12-20} } @online{schwarz:20190313:danabot:a6b3c02, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{DanaBot control panel revealed}}, date = {2019-03-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed}, language = {English}, urldate = {2019-12-20} } @online{schwarz:20190509:new:19098c9, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials}}, date = {2019-05-09}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal}, language = {English}, urldate = {2019-12-20} } @online{schwarz:20191016:ta505:9d7155a, author = {Dennis Schwarz and Kafeine and Matthew Mesa and Axel F and Proofpoint Threat Insight Team}, title = {{TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader}}, date = {2019-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader}, language = {English}, urldate = {2020-01-10} } @online{schwarz:20191229:unnamed:ef5ce58, author = {Dennis Schwarz}, title = {{Unnamed 1}}, date = {2019-12-29}, organization = {Zeus Museum}, url = {https://zeusmuseum.com/unnamed%201/}, language = {English}, urldate = {2020-02-04} } @online{schwarz:20200112:zeus:ddfbccf, author = {Dennis Schwarz}, title = {{Zeus Museum Entry for Unnamed 2}}, date = {2020-01-12}, organization = {Zeus Museum}, url = {https://zeusmuseum.com/unnamed%202/}, language = {English}, urldate = {2020-01-17} } @online{schwarz:20200520:zloader:e3c523e, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{ZLoader Loads Again: New ZLoader Variant Returns}}, date = {2020-05-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns}, language = {English}, urldate = {2020-05-23} } @online{schwarz:20200610:flowcloud:c0b42c0, author = {Dennis Schwarz}, title = {{FlowCloud Version 4.1.3 Malware Analysis}}, date = {2020-06-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis}, language = {English}, urldate = {2020-06-12} } @online{schwarz:20210126:new:2eefe69, author = {Dennis Schwarz and Axel F. and Brandon Murphy}, title = {{New Year, New Version of DanaBot}}, date = {2021-01-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot}, language = {English}, urldate = {2021-01-27} } @online{schwarz:20210310:nimzaloader:f6960d4, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{NimzaLoader: TA800’s New Initial Access Malware}}, date = {2021-03-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware}, language = {English}, urldate = {2021-03-12} } @online{schwarz:20210624:jssloader:ab99f14, author = {Dennis Schwarz and Matthew Mesa and Crista Giering}, title = {{JSSLoader: Recoded and Reloaded}}, date = {2021-06-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded}, language = {English}, urldate = {2021-06-25} } @online{schwarz:20211105:spike:f47ffcd, author = {Dennis Schwarz}, title = {{Spike in DanaBot Malware Activity}}, date = {2021-11-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity}, language = {English}, urldate = {2021-11-08} } @online{schwarz:20211213:return:94bdbce, author = {Dennis Schwarz and Avinash Kumar}, title = {{Return of Emotet: Malware Analysis}}, date = {2021-12-13}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis}, language = {English}, urldate = {2021-12-20} } @online{schwarz:20220302:danabot:b734fd3, author = {Dennis Schwarz and Brett Stone-Gross}, title = {{DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense}}, date = {2022-03-02}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense}, language = {English}, urldate = {2022-03-04} } @online{schwarz:20220427:targeted:7d4de4a, author = {Dennis Schwarz and Brett Stone-Gross}, title = {{Targeted attack on Thailand Pass customers delivers AsyncRAT}}, date = {2022-04-27}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat}, language = {English}, urldate = {2022-05-03} } @online{schwarz:20220428:peeking:f8226bb, author = {Dennis Schwarz and Brett Stone-Gross}, title = {{Peeking into PrivateLoader}}, date = {2022-04-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/peeking-privateloader}, language = {English}, urldate = {2022-05-04} } @online{schwarz:20221206:technical:bfde08b, author = {Dennis Schwarz}, title = {{Technical Analysis of DanaBot Obfuscation Techniques}}, date = {2022-12-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques}, language = {English}, urldate = {2022-12-13} } @online{schwarz:20230823:historical:eca3b13, author = {Dennis Schwarz}, title = {{Historical Gameover Deep Dive}}, date = {2023-08-23}, organization = {Zeus Museum}, url = {https://nbviewer.org/github/tildedennis/zeusmuseum/blob/master/jupyter_notebooks/gameover/2014-05-28/Gameover%20version%202014-05-28.ipynb}, language = {English}, urldate = {2023-08-24} } @online{schworer:20150126:storm:a33ffb9, author = {Andy Schworer and Josh Liburdi}, title = {{Storm Chasing: Hunting Hurricane Panda}}, date = {2015-01-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/storm-chasing/}, language = {English}, urldate = {2020-06-03} } @online{scilabs:20211223:cyber:3b80e33, author = {SCILabs}, title = {{Cyber Threat Profile MALTEIRO}}, date = {2021-12-23}, organization = {SCILabs}, url = {https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/}, language = {English}, urldate = {2023-01-03} } @online{scilabs:20211223:cyber:7798457, author = {SCILabs}, title = {{Cyber Threat Profile MALTEIRO}}, date = {2021-12-23}, organization = {SCILabs}, url = {https://blog.scilabs.mx/cyber-threat-profile-malteiro/}, language = {Spanish}, urldate = {2023-01-03} } @online{scion:20250225:polaredge:467965f, author = {Jeremy Scion and Félix Aime and Sekoia TDR}, title = {{PolarEdge: Unveiling an uncovered ORB network}}, date = {2025-02-25}, url = {https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/}, language = {English}, urldate = {2025-02-28} } @online{scott:20140610:clandestine:6d515ab, author = {Mike Scott}, title = {{Clandestine Fox, Part Deux}}, date = {2014-06-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html}, language = {English}, urldate = {2019-12-20} } @online{scott:20140904:forced:c6ce09b, author = {Mike Scott and James T. Bennett}, title = {{Forced to Adapt: XSLCmd Backdoor Now on OS X}}, date = {2014-09-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html}, language = {English}, urldate = {2019-12-20} } @online{scott:20200625:zoom:9d23285, author = {Connor Scott}, title = {{Zoom In: Emulating 'Exploit Purchase' in Simulated Targeted Attacks}}, date = {2020-06-25}, organization = {Contextis}, url = {https://www.contextis.com/en/blog/zoom-in-simulated-targeted-attacks}, language = {English}, urldate = {2022-04-06} } @online{scottrailton:20150827:london:d3ff105, author = {John Scott-Railton and Katie Kleemola}, title = {{London Calling: Two-Factor Authentication Phishing From Iran}}, date = {2015-08-27}, organization = {CitizenLab}, url = {https://citizenlab.ca/2015/08/iran_two_factor_phishing/}, language = {English}, urldate = {2020-04-06} } @online{scottrailton:20151208:packrat:5f9bffa, author = {John Scott-Railton and Morgan Marquis-Boire and Claudio Guarnieri and Marion Marschalek}, title = {{Packrat: Seven Years of a South American Threat Actor}}, date = {2015-12-08}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2015/12/packrat-report/}, language = {English}, urldate = {2020-05-18} } @online{scottrailton:20200609:dark:d3bdddb, author = {John Scott-Railton and Adam Hulcoop and Bahr Abdul Razzak and Bill Marczak and Siena Anstis and Ron Deibert}, title = {{Dark Basin Uncovering a Massive Hack-For-Hire Operation}}, date = {2020-06-09}, organization = {CitizenLab}, url = {https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/}, language = {English}, urldate = {2020-06-10} } @online{scottrailton:20220418:catalangate:95aa638, author = {John Scott-Railton and Elies Campo and Bill Marczak and Bahr Abdul Razzak and Siena Anstis and Gözde Böcü and Salvatore Solimano and Ron Deibert}, title = {{CatalanGate Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru}}, date = {2022-04-18}, organization = {CitizenLab}, url = {https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/}, language = {English}, urldate = {2022-04-20} } @online{scottrailton:20240814:rivers:4fc744c, author = {John Scott-Railton and Rebekah Brown and Ksenia Ermoshina and Ron Deibert}, title = {{Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe}}, date = {2024-08-14}, organization = {CitizenLab}, url = {https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/}, language = {English}, urldate = {2024-11-25} } @online{scroxton:20191003:new:ce11edf, author = {Alex Scroxton}, title = {{New threat group behind Airbus cyber attacks, claim researchers}}, date = {2019-10-03}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers}, language = {English}, urldate = {2022-04-05} } @online{scroxton:20220922:alphvblackcat:2f581b9, author = {Alex Scroxton}, title = {{ALPHV/BlackCat ransomware family becoming more dangerous}}, date = {2022-09-22}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous}, language = {English}, urldate = {2023-01-05} } @online{scythe:20201105:ryuk:8d7c4de, author = {SCYTHE}, title = {{Ryuk Adversary Emulation Plan}}, date = {2020-11-05}, organization = {Github (scythe-io)}, url = {https://github.com/scythe-io/community-threats/tree/master/Ryuk}, language = {English}, urldate = {2020-11-11} } @online{sdeor:20220215:guard:196af7f, author = {Rotem Sde-Or}, title = {{Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span Several Months}}, date = {2022-02-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard}, language = {English}, urldate = {2022-03-02} } @online{sdeor:20220225:hunt:7022dcc, author = {Rotem Sde-Or}, title = {{The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware}}, date = {2022-02-25}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware}, language = {English}, urldate = {2022-03-02} } @online{sdeor:20220330:new:8eeff0d, author = {Rotem Sde-Or and Eliran Voronovitch}, title = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}}, date = {2022-03-30}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits}, language = {English}, urldate = {2022-03-31} } @online{seaccesscheck:20210702:revil:47a116e, author = {SeAccessCheck}, title = {{Tweet on Revil dropper used in Kaseya attack}}, date = {2021-07-02}, organization = {Twitter (@SyscallE)}, url = {https://twitter.com/SyscallE/status/1411074271875670022}, language = {English}, urldate = {2021-07-24} } @online{seador:20171012:beer:cd6d0ad, author = {Greg Seador}, title = {{The Beer Drinker’s Guide to SAML}}, date = {2017-10-12}, organization = {Duo}, url = {https://duo.com/blog/the-beer-drinkers-guide-to-saml}, language = {English}, urldate = {2020-12-23} } @online{seals:20180613:banco:4861a7b, author = {Tara Seals}, title = {{Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist}}, date = {2018-06-13}, organization = {Threatpost}, url = {https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/}, language = {English}, urldate = {2020-01-13} } @online{seals:20190111:ta505:48e9745, author = {Tara Seals}, title = {{TA505 Crime Gang Debuts Brand-New ServHelper Backdoor}}, date = {2019-01-11}, organization = {Threatpost}, url = {https://threatpost.com/ta505-servhelper-malware/140792/}, language = {English}, urldate = {2020-01-08} } @online{seals:20190311:researcher:bfc4f07, author = {Tara Seals}, title = {{Researcher Claims Iranian APT Behind 6TB Data Heist at Citrix}}, date = {2019-03-11}, organization = {Threatpost}, url = {https://threatpost.com/ranian-apt-6tb-data-citrix/142688/}, language = {English}, urldate = {2020-01-13} } @online{seals:20190805:megacortex:1cb0c38, author = {Tara Seals}, title = {{MegaCortex Ransomware Revamps for Mass Distribution}}, date = {2019-08-05}, organization = {Threatpost}, url = {https://threatpost.com/megacortex-ransomware-mass-distribution/146933/}, language = {English}, urldate = {2020-01-07} } @online{seals:20191010:sophisticated:131b6b8, author = {Tara Seals}, title = {{Sophisticated Spy Kit Targets Russians with Rare GSM Plugin}}, date = {2019-10-10}, organization = {Threatpost}, url = {https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/}, language = {English}, urldate = {2020-01-09} } @online{seals:20191213:elegant:f43d1ed, author = {Tara Seals}, title = {{Elegant sLoad Carries Out Spying, Payload Delivery in BITS}}, date = {2019-12-13}, organization = {Threatpost}, url = {https://threatpost.com/sload-spying-payload-delivery-bits/151120/}, language = {English}, urldate = {2020-01-06} } @online{seals:20200123:shlayer:b69a503, author = {Tara Seals}, title = {{Shlayer, No. 1 Threat for Mac, Targets YouTube, Wikipedia}}, date = {2020-01-23}, organization = {Threatpost}, url = {https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/}, language = {English}, urldate = {2020-01-26} } @online{seals:20200518:ransomware:265e1f4, author = {Tara Seals}, title = {{Ransomware Gang Arrested for Spreading Locky to Hospitals}}, date = {2020-05-18}, organization = {Threatpost}, url = {https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/}, language = {English}, urldate = {2020-07-06} } @online{seals:20200722:oilrig:a81ae8d, author = {Tara Seals}, title = {{OilRig APT Drills into Malware Innovation with Unique Backdoor}}, date = {2020-07-22}, organization = {Threatpost}, url = {https://threatpost.com/oilrig-apt-unique-backdoor/157646/}, language = {English}, urldate = {2020-07-23} } @online{seals:20210720:researchers:295ec63, author = {Tara Seals}, title = {{Researchers: NSO Group’s Pegasus Spyware Should Spark Bans, Apple Accountability}}, date = {2021-07-20}, organization = {Threatpost}, url = {https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/}, language = {English}, urldate = {2021-07-26} } @online{seals:20220216:trickbot:a1c11b3, author = {Tara Seals}, title = {{TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands}}, date = {2022-02-16}, organization = {Threat Post}, url = {https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/}, language = {English}, urldate = {2022-02-17} } @online{seals:20220321:facestealer:557d030, author = {Tara Seals}, title = {{Facestealer Trojan Hidden in Google Play Plunders Facebook Accounts}}, date = {2022-03-21}, organization = {Threat Post}, url = {https://threatpost.com/facestealer-trojan-google-play-facebook/179015/}, language = {English}, urldate = {2022-03-22} } @online{seals:20240405:ransomware:25632a1, author = {Tara Seals}, title = {{Ransomware Desires VMware Hypervisors in Ongoing Campaign}}, date = {2024-04-05}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors}, language = {English}, urldate = {2024-12-11} } @online{seaman:20220127:upnproxy:5a81a62, author = {Chad Seaman}, title = {{UPnProxy: Eternal Silence}}, date = {2022-01-27}, organization = {Akamai}, url = {https://www.akamai.com/blog/security/upnproxy-eternal-silence}, language = {English}, urldate = {2022-02-02} } @online{seaman:20230316:uncovering:8712a1d, author = {Chad Seaman and Larry Cashdollar and Allen West}, title = {{Uncovering HinataBot: A Deep Dive into a Go-Based Threat}}, date = {2023-03-16}, organization = {Akamai}, url = {https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet}, language = {English}, urldate = {2023-03-20} } @online{sean:20121203:new:b15ebb6, author = {Sean}, title = {{New Mac Malware Found on Dalai Lama Related Website}}, date = {2012-12-03}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002466.html}, language = {English}, urldate = {2020-01-10} } @online{sean:20130522:mac:2142ede, author = {Sean}, title = {{Mac Spyware: OSX/KitM (Kumar in the Mac)}}, date = {2013-05-22}, organization = {F-Secure Labs}, url = {https://www.f-secure.com/weblog/archives/00002558.html}, language = {English}, urldate = {2019-11-28} } @online{sebdraven:20210208:babuk:138756c, author = {sebdraven}, title = {{Babuk is distributed packed}}, date = {2021-02-08}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62}, language = {English}, urldate = {2021-02-09} } @online{sebdraven:20210324:net:113093c, author = {sebdraven}, title = {{A .NET rat targets Mongolia}}, date = {2021-03-24}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2}, language = {English}, urldate = {2021-03-25} } @online{sebin:20221024:unveil:8034279, author = {Lee Sebin and Shin Yeongjae}, title = {{Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware}}, date = {2022-10-24}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f}, language = {English}, urldate = {2022-12-20} } @online{secfreaks:20191203:in:f3d3fd0, author = {SecFreaks}, title = {{In depth analysis of an infostealer: Raccoon}}, date = {2019-12-03}, organization = {SecFreaks}, url = {https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html}, language = {English}, urldate = {2020-01-13} } @online{sechel:20210504:improving:ce4da6d, author = {Sergiu Sechel}, title = {{Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives}}, date = {2021-05-04}, organization = {Medium sergiusechel}, url = {https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468}, language = {English}, urldate = {2021-05-04} } @online{secjuice:20180826:remember:d5f1006, author = {SecJuice}, title = {{Remember Fancy Bear?}}, date = {2018-08-26}, organization = {SecJuice}, url = {https://www.secjuice.com/fancy-bear-review/}, language = {English}, urldate = {2020-01-06} } @online{secprentice:20210613:blue:49dbef0, author = {Secprentice}, title = {{Blue Team Detection: DarkSide Ransomware}}, date = {2021-06-13}, organization = {SecJuice}, url = {https://www.secjuice.com/blue-team-detection-darkside-ransomware/}, language = {English}, urldate = {2021-06-22} } @online{secrary:20170710:upatre:06db6f5, author = {Secrary}, title = {{Upatre - Trojan Downloader}}, date = {2017-07-10}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/Upatre/}, language = {English}, urldate = {2019-11-29} } @online{secrary:20170730:coinminer:2c3de72, author = {Secrary}, title = {{CoinMiner}}, date = {2017-07-30}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/CoinMiner/}, language = {English}, urldate = {2020-01-06} } @online{secrary:2018:reversing:3db1253, author = {Secrary}, title = {{Reversing Bandios/Colony Malware}}, date = {2018}, organization = {Secrary}, url = {https://secrary.com/ReversingMalware/Colony_Bandios/}, language = {English}, urldate = {2019-12-10} } @online{secuinfra:20220201:nw0rm:1a225eb, author = {SECUINFRA}, title = {{N-W0rm analysis (Part 1)}}, date = {2022-02-01}, organization = {SECUINFRA}, url = {https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/}, language = {English}, urldate = {2022-02-10} } @online{secuinfra:20220204:nw0rm:bc45acd, author = {SECUINFRA}, title = {{N-W0rm analysis (Part 2)}}, date = {2022-02-04}, organization = {SECUINFRA}, url = {https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/}, language = {English}, urldate = {2022-02-10} } @online{securecoding:20210106:all:105c1a5, author = {SecureCoding}, title = {{All About Doki Malware}}, date = {2021-01-06}, organization = {SecureCoding}, url = {https://www.securecoding.com/blog/all-about-doki-malware/}, language = {English}, urldate = {2021-01-29} } @online{securehat:20210209:extracting:0f4ae2f, author = {Securehat}, title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}}, date = {2021-02-09}, organization = {Securehat}, url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader}, language = {English}, urldate = {2021-02-10} } @online{securelist:202503:sidewinder:30f7ce6, author = {securelist}, title = {{SideWinder targets the maritime and nuclear sectors with an updated toolset}}, date = {2025-03}, organization = {securelist}, url = {https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/}, language = {English}, urldate = {2025-06-02} } @online{securesoftware:20210721:groundhog:687e149, author = {secure.software}, title = {{Groundhog day: NPM package caught stealing browser passwords}}, date = {2021-07-21}, organization = {secure.software}, url = {https://blog.secure.software/groundhog-day-npm-package-caught-stealing-browser-passwords}, language = {English}, urldate = {2021-07-22} } @online{secureworks:20170628:bronze:41e2c3b, author = {SecureWorks}, title = {{日本企業を狙う高度なサイバー攻撃の全貌 – BRONZE BUTLER}}, date = {2017-06-28}, organization = {Secureworks}, url = {https://www.secureworks.jp/resources/rp-bronze-butler}, language = {Japanese}, urldate = {2019-11-27} } @online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:0447134, author = {SecureWorks}, title = {{BRONZE WALKER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-walker}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:134ec2b, author = {SecureWorks}, title = {{BRONZE PALACE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-palace}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:3d292d3, author = {SecureWorks}, title = {{BRONZE HUNTLEY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-huntley}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:472aea8, author = {SecureWorks}, title = {{BRONZE OLIVE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-olive}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:47c382d, author = {SecureWorks}, title = {{BRONZE ELGIN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-elgin}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:65ecf8a, author = {SecureWorks}, title = {{BRONZE KEYSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:79d8dd2, author = {SecureWorks}, title = {{BRONZE OVERBROOK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:972c13a, author = {SecureWorks}, title = {{BRONZE FIRESTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:a654071, author = {SecureWorks}, title = {{BRONZE HOBART}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-hobart}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:b55f797, author = {SecureWorks}, title = {{BRONZE MAYFAIR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mayfair}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:d70008e, author = {SecureWorks}, title = {{BRONZE EXPORT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-export}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:ef493d6, author = {SecureWorks}, title = {{BRONZE BUTLER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-butler}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:f4862d1, author = {SecureWorks}, title = {{BRONZE GENEVA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-geneva}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:bronze:f61a7a6, author = {SecureWorks}, title = {{BRONZE VAPOR}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vapor}, language = {English}, urldate = {2022-07-25} } @online{secureworks:2020:bronze:fcb04ab, author = {SecureWorks}, title = {{BRONZE EXPRESS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-express}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:1a61198, author = {SecureWorks}, title = {{COBALT LYCEUM}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-lyceum}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:21b0d20, author = {SecureWorks}, title = {{COBALT JUNO}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-juno}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:4d136fa, author = {SecureWorks}, title = {{COBALT EDGEWATER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-edgewater}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:ce31320, author = {SecureWorks}, title = {{COBALT GYPSY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-gypsy}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:db17357, author = {SecureWorks}, title = {{COBALT DICKENS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-dickens}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} } @online{secureworks:2020:cobalt:e5fd70b, author = {SecureWorks}, title = {{COBALT KATANA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-katana}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:copper:e356116, author = {SecureWorks}, title = {{COPPER FIELDSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:00ad0eb, author = {SecureWorks}, title = {{GOLD LAGOON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:21c4d39, author = {SecureWorks}, title = {{GOLD BLACKBURN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } @online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:76e58fb, author = {SecureWorks}, title = {{GOLD RIVERVIEW}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-riverview}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:7ea3b30, author = {SecureWorks}, title = {{GOLD LOWELL}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-lowell}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:8eda7d7, author = {SecureWorks}, title = {{GOLD SKYLINE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-skyline}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:95fe871, author = {SecureWorks}, title = {{GOLD VILLAGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-village}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:9b89cea, author = {SecureWorks}, title = {{GOLD CRESTWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-crestwood}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:b12ae49, author = {SecureWorks}, title = {{GOLD HERON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:bc28839, author = {SecureWorks}, title = {{GOLD SOUTHFIELD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-southfield}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:c7d5baf, author = {SecureWorks}, title = {{GOLD GARDEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-garden}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:cbab642, author = {SecureWorks}, title = {{GOLD EVERGREEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:iron:48c68a0, author = {SecureWorks}, title = {{IRON TWILIGHT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-twilight}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:iron:fc4ff3c, author = {SecureWorks}, title = {{IRON LIBERTY}}, date = {2020}, organization = {SecurityWeek}, url = {https://www.secureworks.com/research/threat-profiles/iron-liberty}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:platinum:3145483, author = {SecureWorks}, title = {{PLATINUM TERMINAL}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/platinum-terminal}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:tungsten:f923f8b, author = {SecureWorks}, title = {{TUNGSTEN BRIDGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tungsten-bridge}, language = {English}, urldate = {2020-05-23} } @online{secureworks:2020:zinc:13667ec, author = {SecureWorks}, title = {{ZINC EMERSON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson}, language = {English}, urldate = {2020-05-23} } @online{secureworks:20211011:2021:42b780d, author = {SecureWorks}, title = {{2021 State of the Threat: A Year in Review}}, date = {2021-10-11}, organization = {Secureworks}, url = {https://content.secureworks.com/-/media/Files/US/Reports/Secureworks_SE_2021StateoftheThreatReport.ashx}, language = {English}, urldate = {2021-11-08} } @online{secureworks:2021:gold:b36de33, author = {SecureWorks}, title = {{GOLD PRELUDE}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-prelude}, language = {English}, urldate = {2023-01-03} } @online{secureworks:2021:threat:07bd94a, author = {SecureWorks}, title = {{Threat Profile: GOLD SYMPHONY}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-symphony}, language = {English}, urldate = {2021-05-28} } @online{secureworks:2021:threat:0808fb8, author = {SecureWorks}, title = {{Threat Profile: GOLD FLANDERS}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-flanders}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:197feaf, author = {SecureWorks}, title = {{Threat Profile: GOLD FAIRFAX}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-fairfax}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:1d0df39, author = {SecureWorks}, title = {{Threat Profile: GOLD GARDEN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-garden}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:45f61e0, author = {SecureWorks}, title = {{Threat Profile: GOLD WATERFALL}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-waterfall}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:4e7c443, author = {SecureWorks}, title = {{Threat Profile: GOLD BLACKBURN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2021-05-28} } @online{secureworks:2021:threat:5afd502, author = {SecureWorks}, title = {{Threat Profile: GOLD LAGOON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:6493b56, author = {SecureWorks}, title = {{Threat Profile: GOLD RIVERVIEW}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-riverview}, language = {English}, urldate = {2021-05-28} } @online{secureworks:2021:threat:7406344, author = {SecureWorks}, title = {{Threat Profile: GOLD NORTHFIELD}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-northfield}, language = {English}, urldate = {2021-06-01} } @online{secureworks:2021:threat:7e8aa73, author = {SecureWorks}, title = {{Threat Profile: GOLD VILLAGE}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-village}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:98f1049, author = {SecureWorks}, title = {{Threat Profile: GOLD HERON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:9cb31b0, author = {SecureWorks}, title = {{Threat Profile: GOLD GALLEON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2021-06-01} } @online{secureworks:2021:threat:a1bb8fc, author = {SecureWorks}, title = {{Threat Profile: GOLD SKYLINE}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-skyline}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:a35a451, author = {SecureWorks}, title = {{Threat Profile: GOLD CABIN}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-cabin}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:b0aa2ab, author = {SecureWorks}, title = {{Threat Profile: GOLD MANSARD}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-mansard}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:bce1d06, author = {SecureWorks}, title = {{Threat Profile: GOLD WINTER}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-winter}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:c0ba914, author = {SecureWorks}, title = {{Threat Profile: GOLD FRANKLIN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-franklin}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:c3f3903, author = {SecureWorks}, title = {{Threat Profile: GOLD SOUTHFIELD}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-southfield}, language = {English}, urldate = {2021-05-28} } @online{secureworks:2021:threat:c81b928, author = {SecureWorks}, title = {{Threat Profile: GOLD EVERGREEN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2021-05-28} } @online{secureworks:2021:threat:d17547d, author = {SecureWorks}, title = {{Threat Profile: GOLD BURLAP}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-burlap}, language = {English}, urldate = {2021-05-31} } @online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } @techreport{secureworks:20230309:learning:654479e, author = {SecureWorks}, title = {{Learning from Incident Response: 2022 Year in Review}}, date = {2023-03-09}, institution = {Secureworks}, url = {https://www.secureworks.com/-/media/files/us/reports/secureworks-learning-from-incident-response-2022.pdf}, language = {English}, urldate = {2025-03-05} } @techreport{secureworks:20230721:learning:d3bb081, author = {SecureWorks}, title = {{Learning from Incident Response: January - March 2023}}, date = {2023-07-21}, institution = {Secureworks}, url = {https://www.secureworks.com/-/media/files/us/reports/ir-quarterly-reports/secureworks-learning-from-ir-jan-mar-2023.pdf}, language = {English}, urldate = {2025-03-05} } @techreport{secureworks:20230929:2023:45645a5, author = {SecureWorks}, title = {{2023 State of the Threat}}, date = {2023-09-29}, institution = {Secureworks}, url = {https://www.secureworks.com/-/media/files/us/reports/state-of-the-threat/secureworks-se-2023-sott-report.pdf}, language = {English}, urldate = {2025-03-05} } @online{secureworks:20241002:2024:bf8b3c3, author = {SecureWorks}, title = {{2024 State of the Threat}}, date = {2024-10-02}, organization = {Secureworks}, url = {https://www.secureworks.com/-/media/Files/US/Reports/state%20of%20the%20threat/secureworks-state-of-the-threat-report-2024.ashx}, language = {English}, urldate = {2025-03-05} } @online{secureworks:20250304:gold:1aba874, author = {SecureWorks}, title = {{GOLD REBELLION}}, date = {2025-03-04}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-rebellion}, language = {English}, urldate = {2025-03-05} } @online{security0wnage:20230310:how:c15d634, author = {Security0wnage}, title = {{How Do You Like Dem Eggs? I like Mine Scrambled, Really Scrambled - A Look at Recent more_eggs Samples}}, date = {2023-03-10}, organization = {Security0wnage}, url = {https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1}, language = {English}, urldate = {2023-03-13} } @online{security:20160623:pos:ec5896a, author = {Panda Security}, title = {{POS and Credit Cards: In the Line of Fire with “PunkeyPOS”}}, date = {2016-06-23}, organization = {Panda Security}, url = {https://www.pandasecurity.com/mediacenter/malware/punkeypos/}, language = {English}, urldate = {2020-01-10} } @online{security:20160804:what:1df54a6, author = {Panda Security}, title = {{What is Multigrain? Learn what makes this PoS malware different}}, date = {2016-08-04}, organization = {Panda Security}, url = {https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/}, language = {English}, urldate = {2020-01-06} } @online{security:20160921:reversing:3305027, author = {RedNaga Security}, title = {{Reversing GO binaries like a pro}}, date = {2016-09-21}, url = {https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/}, language = {English}, urldate = {2019-11-22} } @online{security:20161229:grizzly:e07e4e0, author = {Department of Homeland Security}, title = {{GRIZZLY STEPPE – Russian Malicious Cyber Activity}}, date = {2016-12-29}, organization = {Department of Homeland Security}, url = {https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity}, language = {English}, urldate = {2019-11-21} } @techreport{security:20170313:behind:7488b43, author = {Core Security}, title = {{Behind a Malware Lifecycle and Infection Chain: Linking Asprox, Zemot, Rovix and Rerdom Malware Families}}, date = {2017-03-13}, institution = {Core Security}, url = {https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{security:20170427:intrusions:d535369, author = {Homeland Security}, title = {{INTRUSIONS AFFECTING MULTIPLE VICTIMS ACROSS MULTIPLE SECTO}}, date = {2017-04-27}, institution = {Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{security:20170801:malware:e92cd36, author = {Panda Security}, title = {{Malware Report: Dridex Version 4}}, date = {2017-08-01}, institution = {Panda Security}, url = {https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf}, language = {English}, urldate = {2020-04-14} } @online{security:20170818:your:60f6381, author = {My Online Security}, title = {{Your order no 8194788 has been processed malspam delivers malware}}, date = {2017-08-18}, organization = {My Online Security}, url = {https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/}, language = {English}, urldate = {2020-01-09} } @online{security:20171114:hidden:a45c30a, author = {Department of Homeland Security}, title = {{HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL}}, date = {2017-11-14}, organization = {Department of Homeland Security}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318A}, language = {English}, urldate = {2019-11-28} } @online{security:20180115:globeimposter:b5ca4e4, author = {Acronis Security}, title = {{GlobeImposter ransomware: A holiday gift from the Necurs botnet}}, date = {2018-01-15}, organization = {Acronis}, url = {https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet}, language = {English}, urldate = {2020-01-13} } @online{security:20180122:paradise:d7ef7d3, author = {Acronis Security}, title = {{Paradise Ransomware strikes again}}, date = {2018-01-22}, organization = {Acronis}, url = {https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again}, language = {English}, urldate = {2020-01-20} } @online{security:20180123:masuta:3bd95d1, author = {NewSky Security}, title = {{Masuta: Satori Creators' Second Botnet Weaponizes A New Router Exploit}}, date = {2018-01-23}, organization = {NewSky Security}, url = {https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7}, language = {English}, urldate = {2020-01-07} } @techreport{security:20180127:latest:b5760c8, author = {Accenture Security and Bart Parys}, title = {{LATEST CYBER ESPIONAGE MALWARE ATTACKS - DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES}}, date = {2018-01-27}, institution = {Accenture Security}, url = {https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf}, language = {English}, urldate = {2020-07-13} } @online{security:20180220:latest:37f0c70, author = {Joe Security}, title = {{Latest Elise APT comes packed with Sandbox Evasions}}, date = {2018-02-20}, organization = {Joe Security's Blog}, url = {https://www.joesecurity.org/blog/8409877569366580427}, language = {English}, urldate = {2020-01-13} } @online{security:20180301:fake:7f835ef, author = {My Online Security}, title = {{Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments}}, date = {2018-03-01}, organization = {My Online Security}, url = {https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/}, language = {English}, urldate = {2020-01-13} } @online{security:20180330:reflow:7e1ee15, author = {Kahu Security}, title = {{Reflow JavaScript Backdoor}}, date = {2018-03-30}, organization = {Kahu Security}, url = {http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html}, language = {English}, urldate = {2020-01-07} } @online{security:20180413:understanding:b1a6a2b, author = {NewSky Security}, title = {{Understanding the IoT Hacker — A Conversation With Owari/Sora IoT Botnet Author}}, date = {2018-04-13}, organization = {NewSky Security}, url = {https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863}, language = {English}, urldate = {2020-01-13} } @techreport{security:20180606:iranian:5347a63, author = {ClearSky Cyber Security}, title = {{Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal}}, date = {2018-06-06}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf}, language = {English}, urldate = {2023-06-19} } @techreport{security:201811:muddywater:d68be0b, author = {ClearSky Cyber Security}, title = {{MuddyWater Operations in Lebanon and Oman}}, date = {2018-11}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{security:2018:snakemackerel:fa2c552, author = {Accenture Security}, title = {{SNAKEMACKEREL - A BREXIT-themed lure document that delivers ZEKAPAB malware}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf}, language = {English}, urldate = {2019-10-15} } @techreport{security:20190213:snakemackerel:17add25, author = {Accenture Security}, title = {{SNAKEMACKEREL: Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets}}, date = {2019-02-13}, institution = {Accenture Security}, url = {https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf}, language = {English}, urldate = {2019-12-18} } @online{security:20190327:timelines:36e1fb0, author = {ClearSky Cyber Security}, title = {{Tweet on "Timelines - ECRL.docx"}}, date = {2019-03-27}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/1110941178231484417}, language = {English}, urldate = {2020-01-08} } @online{security:20190430:raw:327940f, author = {ClearSky Cyber Security}, title = {{Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis}}, date = {2019-04-30}, organization = {ClearSky}, url = {https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr}, language = {English}, urldate = {2019-10-23} } @online{security:20190514:return:9aeb96b, author = {Alibaba Cloud Security}, title = {{Return of Watchbog: Exploiting Jenkins CVE-2018-1000861}}, date = {2019-05-14}, organization = {Alibaba}, url = {https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798}, language = {English}, urldate = {2020-05-18} } @online{security:20190604:advisory:6a1c7d2, author = {CERN Computer Security}, title = {{Advisory: Windigo attacks}}, date = {2019-06-04}, organization = {CERN}, url = {https://security.web.cern.ch/security/advisories/windigo/windigo.shtml}, language = {English}, urldate = {2023-05-11} } @online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } @online{security:20190812:overview:0726c0a, author = {Kindred Security}, title = {{An Overview of Public Platform C2’s}}, date = {2019-08-12}, organization = {Kindred Security}, url = {https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/}, language = {English}, urldate = {2021-07-20} } @online{security:20190820:lazarus:6c71cd8, author = {EST Security}, title = {{Lazarus Continues 'Movie Coin' Campaign Disguised as Calling Document Request}}, date = {2019-08-20}, organization = {EST Security}, url = {https://www.estsecurity.com/enterprise/security-center/notice/view/2096?category-id=5}, language = {Korean}, urldate = {2020-01-07} } @techreport{security:201908:2019:716d69e, author = {ClearSky Cyber Security}, title = {{2019 H1 Cyber Events Summary Report}}, date = {2019-08}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf}, language = {English}, urldate = {2020-06-29} } @online{security:20190920:tflower:90d959d, author = {Canadian Centre for Cyber Security}, title = {{TFlower Ransomware Campaign}}, date = {2019-09-20}, organization = {Canadian Centre for Cyber Security}, url = {https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign}, language = {English}, urldate = {2020-01-10} } @online{security:20191018:trickbot:6e2f73f, author = {NTT Security}, title = {{TrickBot variant “Anchor_DNS” communicating over DNS}}, date = {2019-10-18}, organization = {NTT}, url = {https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns}, language = {English}, urldate = {2020-10-12} } @online{security:20191019:hildacrypt:7f1c090, author = {Acronis Security}, title = {{HILDACRYPT: A Ransomware Newcomer Hits Backup and Anti-virus Solutions}}, date = {2019-10-19}, organization = {Acronis}, url = {https://www.acronis.com/en-eu/blog/posts/hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions/}, language = {English}, urldate = {2023-10-10} } @online{security:20191101:hancitor:1e78408, author = {Dodge This Security}, title = {{Hancitor. Evasive new waves, and how COM objects can use Cached Credentials for Proxy Authentication}}, date = {2019-11-01}, organization = {Dodge This Security}, url = {https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/}, language = {English}, urldate = {2020-01-07} } @online{security:20191118:rewterz:29686ba, author = {Rewterz Information Security}, title = {{REWTERZ THREAT ALERT – IRANIAN APT USES JOB SCAMS TO LURE TARGETS}}, date = {2019-11-18}, organization = {Rewterz Information Security}, url = {http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets}, language = {English}, urldate = {2019-12-17} } @online{security:20191120:muddywater:5c4adfd, author = {ClearSky Cyber Security}, title = {{MuddyWater Uses New Attack Methods in a Recent Attack Wave}}, date = {2019-11-20}, organization = {ClearSky}, url = {https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca}, language = {English}, urldate = {2019-12-16} } @online{security:20191223:video:c52156f, author = {Kindred Security}, title = {{Video: Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)}}, date = {2019-12-23}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=h3KLKCdMUUY}, language = {English}, urldate = {2020-01-08} } @online{security:20200713:trickbots:a164ba5, author = {Joe Security}, title = {{TrickBot's new API-Hammering explained}}, date = {2020-07-13}, organization = {JoeSecurity}, url = {https://www.joesecurity.org/blog/498839998833561473}, language = {English}, urldate = {2020-07-15} } @online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } @online{security:202008:darkside:8913035, author = {Acronis Security}, title = {{DarkSide Ransomware Does Not Attack Hospitals, Schools and Governments}}, date = {2020-08}, organization = {Acronis}, url = {https://www.acronis.com/en-us/articles/darkside-ransomware/}, language = {English}, urldate = {2020-11-17} } @online{security:20200917:guloaders:fe9ed59, author = {Joe Security}, title = {{GuLoader's VM-Exit Instruction Hammering explained}}, date = {2020-09-17}, organization = {Joe Security's Blog}, url = {https://www.joesecurity.org/blog/3535317197858305930}, language = {English}, urldate = {2021-01-10} } @techreport{security:20201006:homeland:89eacb6, author = {Department of Homeland Security}, title = {{Homeland Threat Assessment October 2020}}, date = {2020-10-06}, institution = {Department of Homeland Security}, url = {https://www.dhs.gov/sites/default/files/publications/2020_10_06_homeland-threat-assessment.pdf}, language = {English}, urldate = {2020-10-12} } @techreport{security:202010:anatomy:1ea22f4, author = {Centre for Cyber Security}, title = {{The Anatomy of Targeted Ransomware Attacks}}, date = {2020-10}, institution = {Centre for Cyber Security}, url = {https://cfcs.dk/globalassets/cfcs/dokumenter/rapporter/en/cfcs-report--the-anatomy-of-targeted-ransomware-attacks.pdf}, language = {English}, urldate = {2021-04-28} } @online{security:20201119:rewterz:fe38c29, author = {Rewterz Information Security}, title = {{Rewterz Threat Alert – Common Raven – IOCs}}, date = {2020-11-19}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs}, language = {English}, urldate = {2021-10-05} } @online{security:20201121:multivector:dfb6b1f, author = {Toli Security}, title = {{Multi-Vector Miner+Tsunami Botnet with SSH Lateral Movement}}, date = {2020-11-21}, organization = {Toli Security}, url = {https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/}, language = {English}, urldate = {2022-04-15} } @online{security:202011:sshbackdoor:8422a81, author = {Toli Security}, title = {{SSH-backdoor Botnet With ‘Research’ Infection Technique}}, date = {2020-11}, organization = {Toli Security}, url = {https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/}, language = {English}, urldate = {2022-04-15} } @online{security:20201213:mitigate:7a003e3, author = {Department of Homeland Security}, title = {{Mitigate SolarWinds Orion Code Compromise}}, date = {2020-12-13}, organization = {Department of Homeland Security}, url = {https://cyber.dhs.gov/ed/21-01/}, language = {English}, urldate = {2020-12-14} } @online{security:20201214:supernova:3e8aca7, author = {GuidePoint Security}, title = {{SUPERNOVA SolarWinds .NET Webshell Analysis}}, date = {2020-12-14}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis}, language = {English}, urldate = {2022-07-25} } @techreport{security:20210320:dark:2f733d4, author = {NIGHT LION SECURITY}, title = {{The Dark Overlord - Cyber Investigation Report}}, date = {2021-03-20}, institution = {NIGHT LION SECURITY}, url = {https://www.nightlion.com/wp-content/uploads/2020/12/The-Dark-Overlord-Investigation-Report-Night-Lion_v1.01.pdf}, language = {English}, urldate = {2021-03-25} } @online{security:20210320:data:08ac449, author = {NIGHT LION SECURITY}, title = {{Data Viper Internal Incident Report}}, date = {2021-03-20}, organization = {NIGHT LION SECURITY}, url = {https://www.nightlion.com/download/data-viper-incident-report/?wpdmdl=21161&refresh=605c8f0eac8151616678670}, language = {English}, urldate = {2021-03-26} } @online{security:20210323:remrat:895cb4e, author = {360 Core Security}, title = {{RemRAT: Android spyware that has been lurking in the Middle East for many years}}, date = {2021-03-23}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/analysis-of-RemRAT.html}, language = {Chinese}, urldate = {2021-03-25} } @online{security:20210331:adamantium:524c265, author = {ClearSky Cyber Security}, title = {{Tweet on Adamantium stealer}}, date = {2021-03-31}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/1377176015189929989}, language = {English}, urldate = {2021-03-31} } @online{security:202103:threat:4d82ead, author = {Acronis Security}, title = {{Threat analysis: Dharma (CrySiS) ransomware}}, date = {2021-03}, organization = {Acronis}, url = {https://www.acronis.com/en-us/articles/Dharma-ransomware/}, language = {English}, urldate = {2021-10-14} } @online{security:20210503:rewterz:1d0b52a, author = {Rewterz Information Security}, title = {{Rewterz Threat Alert – Financially Motivated Aggressive Group Carrying Out Ransomware Campaigns – Active IOCs}}, date = {2021-05-03}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs}, language = {English}, urldate = {2023-12-28} } @online{security:20210629:hades:2d4c606, author = {Accenture Security}, title = {{HADES ransomware operators continue attacks}}, date = {2021-06-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades}, language = {English}, urldate = {2021-07-01} } @online{security:20210702:rewterz:9d3c3a4, author = {Rewterz Information Security}, title = {{Rewterz Threat Intel – IndigoZebra APT Group Targeting Central Asia – Active IOCs}}, date = {2021-07-02}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs}, language = {English}, urldate = {2023-12-04} } @online{security:20210730:isomorph:83956a0, author = {MENLO Security}, title = {{ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign}}, date = {2021-07-30}, organization = {Menlo Security}, url = {https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/}, language = {English}, urldate = {2021-08-02} } @online{security:20210914:teamtnt:bdb30cc, author = {Cado Security}, title = {{TeamTNT Script Employed to Grab AWS Credentials}}, date = {2021-09-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/}, language = {English}, urldate = {2021-09-19} } @online{security:20211023:links:f7c6f85, author = {Cado Security}, title = {{Links to Previous Attacks in UAParserJS Compromise}}, date = {2021-10-23}, organization = {Cado Security}, url = {https://www.cadosecurity.com/links-to-previous-attacks-in-uaparserjs-compromise/}, language = {English}, urldate = {2021-11-02} } @techreport{security:202110:threat:49f8fc2, author = {HP Wolf Security}, title = {{Threat Insights Report Q3 - 2021}}, date = {2021-10}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf}, language = {English}, urldate = {2021-10-25} } @techreport{security:20211130:ransomware:aceee64, author = {Canadian Centre for Cyber Security}, title = {{Ransomware playbook ITSM.00.099}}, date = {2021-11-30}, institution = {Canadian Centre for Cyber Security}, url = {https://cyber.gc.ca/sites/default/files/2021-12/itsm00099-ransomware-playbook-2021-final2-en.pdf}, language = {English}, urldate = {2021-12-07} } @online{security:20211213:analysis:6199122, author = {Cado Security}, title = {{Analysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228}}, date = {2021-12-13}, organization = {Cado Security}, url = {https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/}, language = {English}, urldate = {2022-01-18} } @online{security:2021:analysis:7927c04, author = {Acronis Security}, title = {{Analysis of Ragnar Locker Ransomware}}, date = {2021}, organization = {Acronis}, url = {https://www.acronis.com/en-sg/articles/ragnar-locker/}, language = {English}, urldate = {2021-11-25} } @online{security:2021:breaking:3bdfe99, author = {Awake Security}, title = {{Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)}}, date = {2021}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/}, language = {English}, urldate = {2022-06-09} } @online{security:20220117:resources:a47b0a6, author = {Cado Security}, title = {{Resources for DFIR Professionals Responding to WhisperGate Malware}}, date = {2022-01-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/}, language = {English}, urldate = {2022-01-18} } @online{security:20220120:fallout:0dc042a, author = {Cado Security}, title = {{Fallout from Log4Shell-related Vietnamese Cryptocurrency Exchange Attack: KYC Data for Sale on Dark Web}}, date = {2022-01-20}, organization = {Cado Security}, url = {https://www.cadosecurity.com/fallout-from-log4shell-related-vietnamese-cryptocurrency-exchange-attack-kyc-data-for-sale-on-dark-web}, language = {English}, urldate = {2022-01-25} } @online{security:20220202:coinstomp:f8b12e2, author = {Cado Security}, title = {{CoinStomp Malware Family Targets Asian Cloud Service Providers}}, date = {2022-02-02}, organization = {Cado Security}, url = {https://www.cadosecurity.com/coinstomp-malware-family-targets-asian-cloud-service-providers/}, language = {English}, urldate = {2022-02-04} } @online{security:20220220:technical:9232633, author = {Cado Security}, title = {{Technical Analysis of the DDoS Attacks against Ukrainian Websites}}, date = {2022-02-20}, organization = {Cado Security}, url = {https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/}, language = {English}, urldate = {2022-02-26} } @online{security:20220322:russianukrainian:ee46512, author = {Rewterz Information Security}, title = {{Russian-Ukrainian Cyber Warfare – Rewterz Threat Intelligence Rollup}}, date = {2022-03-22}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/articles/russian-ukrainian-cyber-warfare-rewterz-threat-intelligence-rollup}, language = {English}, urldate = {2023-12-04} } @online{security:20220330:recent:56ca1b3, author = {HP Wolf Security}, title = {{Tweet on recent Mekotio Banker campaign}}, date = {2022-03-30}, organization = {Twitter (@hpsecurity)}, url = {https://twitter.com/hpsecurity/status/1509185858146082816}, language = {English}, urldate = {2022-03-31} } @online{security:20220406:tax:c34a522, author = {Abnormal Security}, title = {{Tax Return Customer Campaign Attempts to Infect Victims with Sorillus RAT}}, date = {2022-04-06}, organization = {Abnormal}, url = {https://abnormalsecurity.com/blog/tax-customers-sorillus-rat}, language = {English}, urldate = {2022-08-02} } @online{security:20220411:leaked:4861c01, author = {Rewterz Information Security}, title = {{Leaked Conti Ransomware Used to Target Russia}}, date = {2022-04-11}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs}, language = {English}, urldate = {2023-12-04} } @techreport{security:20220511:threat:bd460f0, author = {HP Wolf Security}, title = {{Threat Insights Report Q1 - 2022}}, date = {2022-05-11}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf}, language = {English}, urldate = {2022-05-13} } @techreport{security:20220627:vv:c0b362d, author = {Information Department of Information Security}, title = {{V/v to review and prevent risks attack APT}}, date = {2022-06-27}, institution = {Socialist Republic of Vietnam}, url = {https://khonggianmang.vn/uploads/CB_941_Canhbao_APT_36c5a857fa.pdf}, language = {English}, urldate = {2023-04-22} } @online{security:20221004:rewterz:d2d5d40, author = {Rewterz Information Security}, title = {{Rewterz Threat Alert – KONNI APT Group – Active IOCs}}, date = {2022-10-04}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11}, language = {English}, urldate = {2024-02-08} } @online{security:20221004:witchetty:8b3ade2, author = {Rewterz Information Security}, title = {{Witchetty APT Group}}, date = {2022-10-04}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs}, language = {English}, urldate = {2023-12-04} } @online{security:2022:active:4c1170d, author = {Toli Security}, title = {{Active crypto-mining operation by TeamTNT}}, date = {2022}, organization = {Toli Security}, url = {https://tolisec.com/active-crypto-mining-operation-by-teamtnt/}, language = {English}, urldate = {2022-04-15} } @online{security:2022:iot:d62a5c2, author = {Toli Security}, title = {{IoT Botnet exploiting Log4J CVE-2021-44228}}, date = {2022}, organization = {Toli Security}, url = {https://tolisec.com/iot-botnet-exploiting-log4j-cve-2021-44228/}, language = {English}, urldate = {2022-04-15} } @online{security:20230125:technical:eb69781, author = {Quadrant Information Security}, title = {{Technical Analysis: Black Basta Malware Overview}}, date = {2023-01-25}, organization = {Quadrant Information Security}, url = {https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview}, language = {English}, urldate = {2023-02-21} } @online{security:20230202:north:0f0e8d6, author = {EST Security}, title = {{North Korea hacking organization, Fair Trade Commission impersonation phishing attack in progress}}, date = {2023-02-02}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/5065}, language = {Korean}, urldate = {2023-02-03} } @online{security:20230330:forensic:77e03e1, author = {Cado Security}, title = {{Forensic Triage of a Windows System running the Backdoored 3CX Desktop App}}, date = {2023-03-30}, organization = {Cado Security}, url = {https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/}, language = {English}, urldate = {2023-04-02} } @online{security:20230412:xmrig:75f7f56, author = {Gridinsoft Cyber Security}, title = {{XMRig is one of the most widespread malicious miners, that exploits hardware to mine Monero}}, date = {2023-04-12}, organization = {Gridinsoft}, url = {https://gridinsoft.com/xmrig}, language = {English}, urldate = {2023-05-10} } @online{security:20230615:tracking:eb0ce77, author = {Cado Security}, title = {{Tracking Diicot: an emerging Romanian threat actor}}, date = {2023-06-15}, organization = {Cado Security}, url = {https://www.cadosecurity.com/tracking-diicot-an-emerging-romanian-threat-actor/}, language = {English}, urldate = {2023-06-19} } @online{security:20230717:8base:e99c087, author = {Acronis Security}, title = {{8Base ransomware stays unseen for a year}}, date = {2023-07-17}, organization = {Acronis}, url = {https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/}, language = {English}, urldate = {2023-08-09} } @techreport{security:20230828:gamaredon:6365aee, author = {National Coordination Center for Cyber Security}, title = {{Gamaredon Activity amid Ukraine's Counteroffensive}}, date = {2023-08-28}, institution = {}, url = {https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf}, language = {English}, urldate = {2023-09-06} } @online{security:20231013:rewterz:abd9380, author = {Rewterz Information Security}, title = {{Rewterz Threat Alert – Power Supplier’s Network Infiltrated for 6 Months by “Redfly” Hackers – Active IOCs}}, date = {2023-10-13}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-power-suppliers-network-infiltrated-for-6-months-by-redfly-hackers-active-iocs/}, language = {English}, urldate = {2023-12-04} } @online{security:20231218:rewterz:3d1336a, author = {Rewterz Information Security}, title = {{Rewterz Threat Update – Microsoft Warns of Emerging Threat by Storm-0539 Behind Gift Card Frauds}}, date = {2023-12-18}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/}, language = {English}, urldate = {2024-02-08} } @online{security:20231230:rewterz:3bda963, author = {Rewterz Information Security}, title = {{Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs}}, date = {2023-12-30}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs}, language = {English}, urldate = {2024-08-29} } @online{security:20231230:rewterz:e069a54, author = {Rewterz Information Security}, title = {{Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs}}, date = {2023-12-30}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/}, language = {English}, urldate = {2024-02-08} } @online{security:20240111:rewterz:cd15b5a, author = {Rewterz Information Security}, title = {{Rewterz Threat Update – Pro-Ukraine Hacktivists Breach Russian ISP as Revenge for KyivStar Attack}}, date = {2024-01-11}, organization = {Rewterz Information Security}, url = {https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/}, language = {English}, urldate = {2025-05-02} } @online{security:20240213:what:8a63465, author = {Gridinsoft Cyber Security}, title = {{What is Lumma Stealer?}}, date = {2024-02-13}, organization = {Gridinsoft}, url = {https://gridinsoft.com/spyware/lumma-stealer}, language = {English}, urldate = {2024-02-16} } @online{security:20240229:novel:5c75e98, author = {Vipyr Security}, title = {{Novel ELF64 Remote Access Tool Embedded in Malicious PyPI Uploads}}, date = {2024-02-29}, organization = {Vipyr Security}, url = {https://vipyrsec.com/research/elf64-rat-malware/}, language = {English}, urldate = {2025-01-09} } @online{security:20240828:exploits:aba1070, author = {Help Net Security}, title = {{APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262)}}, date = {2024-08-28}, organization = {Help Net Security}, url = {https://www.helpnetsecurity.com/2024/08/28/cve-2024-7262-cve-2024-7263/}, language = {English}, urldate = {2024-09-13} } @techreport{security:20241021:cyber:92b16a9, author = {National Coordinator for Counterterrorism and Security}, title = {{Cyber Security Picture Netherlands 2024}}, date = {2024-10-21}, institution = {Ministry of Justice and Security}, url = {https://www.nctv.nl/binaries/nctv/documenten/publicaties/2024/10/28/cybersecuritybeeld-nederland-2024/CSBN+2024+A4+-+Webversie+DEF+-+kopie.pdf}, language = {English}, urldate = {2025-02-03} } @online{security:20241024:apt73:0899e76, author = {RedPacket Security}, title = {{[APT73] – Ransomware Victim: modplan[.]co[.]uk}}, date = {2024-10-24}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-modplan-co-uk/}, language = {English}, urldate = {2024-11-15} } @online{security:20241024:apt73:bcbd27a, author = {RedPacket Security}, title = {{[APT73] – Ransomware Victim: hpecds[.]com}}, date = {2024-10-24}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-hpecds-com/}, language = {English}, urldate = {2024-11-15} } @online{security:20241024:apt73:bd9d51e, author = {RedPacket Security}, title = {{[APT73] – Ransomware Victim: mgfsourcing[.]com}}, date = {2024-10-24}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-mgfsourcing-com/}, language = {English}, urldate = {2024-11-15} } @online{security:20241029:apt73:1c40989, author = {RedPacket Security}, title = {{[APT73] – Ransomware Victim: www[.]legilog[.]fr}}, date = {2024-10-29}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-www-legilog-fr/}, language = {English}, urldate = {2024-11-15} } @online{security:20241029:apt73:224e601, author = {RedPacket Security}, title = {{[APT73] – Ransomware Victim: www[.]trinitesolutions[.]com}}, date = {2024-10-29}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-www-trinitesolutions-com/}, language = {English}, urldate = {2024-11-15} } @online{security:20241029:apt73:f34c4cb, author = {RedPacket Security}, title = {{[APT73] – Ransomware Victim: www[.]scopeset[.]de}}, date = {2024-10-29}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-www-scopeset-de/}, language = {English}, urldate = {2024-11-15} } @online{security:20241029:httpswwwredpacketsecuritycomapt73ransomwarevictimsokkakreatifcom:95ae8f9, author = {RedPacket Security}, title = {{https://www.redpacketsecurity.com/apt73-ransomware-victim-sokkakreatif-com/}}, date = {2024-10-29}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-sokkakreatif-com/}, language = {English}, urldate = {2024-11-15} } @online{security:20241108:apt73:96dbd85, author = {RedPacket Security}, title = {{[APT73] – Ransomware Victim: www[.]baldinger-ag[.]ch}}, date = {2024-11-08}, organization = {RedPacket Security}, url = {https://www.redpacketsecurity.com/apt73-ransomware-victim-www-baldinger-ag-ch/}, language = {English}, urldate = {2024-11-15} } @online{security:20241211:xloader:76dd7bb, author = {Sublime Security}, title = {{Xloader deep dive: Link-based malware delivery via SharePoint impersonation}}, date = {2024-12-11}, organization = {Sublime}, url = {https://sublime.security/blog/xloader-deep-dive-link-based-malware-delivery-via-sharepoint-impersonation/}, language = {English}, urldate = {2024-12-13} } @online{security:20250108:tmpn:c28888e, author = {Acronis Security}, title = {{TMPN (Skuld) Stealer: The dark side of open source}}, date = {2025-01-08}, organization = {Acronis}, url = {https://www.acronis.com/en-sg/cyber-protection-center/posts/tmpn-skuld-stealer-the-dark-side-of-open-source}, language = {English}, urldate = {2025-06-25} } @online{security:20250115:facct:55a38aa, author = {F.A.C.C.T. Information security}, title = {{F.A.C.C.T. found new attacks of pro-Ukrainian cyber spies Sticky Werewolf}}, date = {2025-01-15}, organization = {Habr}, url = {https://habr.com/ru/companies/f_a_c_c_t/news/873762/}, language = {Russian}, urldate = {2025-02-03} } @online{security:20250406:how:d24d326, author = {Gridinsoft Cyber Security}, title = {{How to Remove Lilith RAT: Complete Removal Guide}}, date = {2025-04-06}, organization = {Gridinsoft}, url = {https://trojan-killer.net/how-to-remove-lilith-rat-complete-removal-guide/}, language = {English}, urldate = {2025-04-25} } @online{securityinbits:20200106:pyrogenic:371a5b1, author = {Security-in-Bits}, title = {{Pyrogenic Infostealer static analysis – Part 0x1}}, date = {2020-01-06}, organization = {Security-in-Bits}, url = {https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/}, language = {English}, urldate = {2020-05-18} } @online{securityinbits:20200117:unpacking:85da2a0, author = {Security-in-Bits}, title = {{Unpacking Pyrogenic/Qealler using Java agent -Part 0x2}}, date = {2020-01-17}, organization = {Security-in-Bits}, url = {https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/}, language = {English}, urldate = {2020-05-18} } @online{securityinbits:20200204:similarity:22de02c, author = {Security-in-Bits}, title = {{Similarity between Qealler/Pyrogenic variants -Part 0x3}}, date = {2020-02-04}, organization = {Security-in-Bits}, url = {https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/}, language = {English}, urldate = {2020-05-18} } @online{securityinbits:20200611:avaddon:b50486e, author = {Security-in-Bits}, title = {{Tweet on Avaddon ransomware with Python script for decrypting strings}}, date = {2020-06-11}, organization = {Twitter (@Securityinbits)}, url = {https://twitter.com/Securityinbits/status/1271065316903120902}, language = {English}, urldate = {2020-06-12} } @online{securityinbits:20200628:interesting:f625fa2, author = {Security-in-Bits}, title = {{Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI}}, date = {2020-06-28}, organization = {Security-in-Bits}, url = {https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/}, language = {English}, urldate = {2020-06-29} } @online{securityjoes:20210609:net:13f2b90, author = {SecurityJoes}, title = {{Tweet on .NET builder of a Ryuk imposter malware}}, date = {2021-06-09}, organization = {Twitter (@SecurityJoes)}, url = {https://twitter.com/SecurityJoes/status/1402603695578157057}, language = {English}, urldate = {2021-06-16} } @online{securityjoes:20230103:raspberry:c992c68, author = {SecurityJoes}, title = {{Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe}}, date = {2023-01-03}, organization = {Security Joes}, url = {https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe}, language = {English}, urldate = {2023-01-04} } @online{securityjoes:20231030:bibi:f67b0f7, author = {SecurityJoes}, title = {{BiBi Wiper}}, date = {2023-10-30}, organization = {Security Joes}, url = {https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group}, language = {English}, urldate = {2023-11-13} } @online{securityjoes:20231111:mission:21eb2b4, author = {SecurityJoes}, title = {{Mission "Data Destruction": A Large-scale Data-Wiping Campaign Targeting Israel}}, date = {2023-11-11}, organization = {Security Joes}, url = {https://www.securityjoes.com/post/mission-data-destruction-a-large-scale-data-wiping-campaign-targeting-israel}, language = {English}, urldate = {2024-12-09} } @online{securonix:20240324:analysis:2069cd6, author = {Securonix}, title = {{Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors}}, date = {2024-03-24}, organization = {Securonix}, url = {https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/}, language = {English}, urldate = {2024-08-01} } @online{securonix:20240731:research:fe11c9c, author = {Securonix}, title = {{Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering}}, date = {2024-07-31}, organization = {Securonix}, url = {https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/}, language = {English}, urldate = {2024-08-01} } @online{seeker:20250307:akira:f3a86af, author = {Seeker}, title = {{Akira Ransomware Expands to Linux: the attacking abilities and strategies}}, date = {2025-03-07}, organization = {MalwareAnalysisSpace}, url = {https://malwareanalysisspace.blogspot.com/2025/03/akira-ransomware-expands-to-linux.html}, language = {English}, urldate = {2025-03-11} } @techreport{seele:20190602:hypervisorbased:04c1731, author = {Felix Seele}, title = {{Hypervisor-based Analysis of macOS Malware}}, date = {2019-06-02}, institution = {VMRay}, url = {https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf}, language = {English}, urldate = {2020-01-07} } @online{segura:20121105:citadel:f1d7f7d, author = {Jérôme Segura}, title = {{Citadel: a cyber-criminal’s ultimate weapon?}}, date = {2012-11-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/}, language = {English}, urldate = {2019-12-20} } @online{segura:20140217:hiding:e231528, author = {Jérôme Segura}, title = {{Hiding in plain sight: a story about a sneaky banking Trojan}}, date = {2014-02-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/}, language = {English}, urldate = {2019-12-20} } @online{segura:20150108:major:064a2ab, author = {Jérôme Segura}, title = {{Major malvertising campaign spreads Kovter Ad Fraud malware}}, date = {2015-01-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/}, language = {English}, urldate = {2019-12-20} } @online{segura:20150528:unusual:693e9e5, author = {Jérôme Segura}, title = {{Unusual Exploit Kit Targets Chinese Users (Part 1)}}, date = {2015-05-28}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2015/05/unusual-exploit-kit-targets-chinese-users-part-1}, language = {English}, urldate = {2023-06-01} } @online{segura:20150612:unusual:68bd0f5, author = {Jérôme Segura}, title = {{Unusual Exploit Kit Targets Chinese Users (Part 2)}}, date = {2015-06-12}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2015/06/unusual-exploit-kit-targets-chinese-users-part-2}, language = {English}, urldate = {2023-06-01} } @online{segura:20150624:elusive:0df6ca6, author = {Jérôme Segura}, title = {{Elusive HanJuan EK Drops New Tinba Version (updated)}}, date = {2015-06-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/}, language = {English}, urldate = {2019-12-20} } @online{segura:20161017:newlooking:3e62740, author = {Jérôme Segura}, title = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}}, date = {2016-10-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/}, language = {English}, urldate = {2019-12-20} } @online{segura:20170111:postholiday:054ffb8, author = {Jérôme Segura and hasherezade}, title = {{Post-holiday spam campaign delivers Neutrino Bot}}, date = {2017-01-11}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/}, language = {English}, urldate = {2019-10-28} } @online{segura:20170420:binary:eaa706a, author = {Jérôme Segura}, title = {{Binary Options malvertising campaign drops ISFB banking Trojan}}, date = {2017-04-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/}, language = {English}, urldate = {2019-12-20} } @online{segura:20170921:fake:5f5963f, author = {Jérôme Segura}, title = {{Fake IRS notice delivers customized spying tool}}, date = {2017-09-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/}, language = {English}, urldate = {2019-12-20} } @online{segura:20180112:fake:c7bc448, author = {Jérôme Segura}, title = {{Fake Spectre and Meltdown patch pushes Smoke Loader malware}}, date = {2018-01-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/}, language = {English}, urldate = {2019-12-20} } @online{segura:20180410:fakeupdates:1a86e1d, author = {Jérôme Segura}, title = {{‘FakeUpdates’ campaign leverages multiple website platforms}}, date = {2018-04-10}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/}, language = {English}, urldate = {2022-05-04} } @online{segura:20190226:new:0a8db8d, author = {Jérôme Segura}, title = {{New Golang brute forcer discovered amid rise in e-commerce attacks}}, date = {2019-02-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/}, language = {English}, urldate = {2019-12-20} } @online{segura:20190426:github:ff4b558, author = {Jérôme Segura}, title = {{GitHub hosted Magecart skimmer used against hundreds of e-commerce sites}}, date = {2019-04-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/}, language = {English}, urldate = {2019-12-20} } @online{segura:20190604:magecart:7c1581d, author = {Jérôme Segura}, title = {{Magecart skimmers found on Amazon CloudFront CDN}}, date = {2019-06-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/}, language = {English}, urldate = {2019-12-20} } @online{segura:20200625:web:2b712b2, author = {Jérôme Segura}, title = {{Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files}}, date = {2020-06-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/}, language = {English}, urldate = {2020-06-29} } @online{segura:20200810:sba:afdfd32, author = {Jérôme Segura}, title = {{SBA phishing scams: from malware to advanced social engineering}}, date = {2020-08-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/}, language = {English}, urldate = {2020-08-12} } @online{segura:20200901:new:e31a075, author = {Jérôme Segura}, title = {{New web skimmer steals credit card data, sends to crooks via Telegram}}, date = {2020-09-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/web-threats/2020/09/web-skimmer-steals-credit-card-data-via-telegram/}, language = {English}, urldate = {2020-09-03} } @online{segura:20201028:fake:b7a76ac, author = {Jérôme Segura and Hossein Jazi and hasherezade and Marcelo Rivero}, title = {{Fake COVID-19 survey hides ransomware in Canadian university attack}}, date = {2020-10-28}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/}, language = {English}, urldate = {2020-10-29} } @online{segura:20210202:credit:e2ea3ca, author = {Jérôme Segura}, title = {{Credit card skimmer piggybacks on Magento 1 hacking spree}}, date = {2021-02-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2021/02/credit-card-skimmer-piggybacks-on-magento-1-hacking-spree/}, language = {English}, urldate = {2021-02-04} } @online{segura:20210421:flubot:2b590e4, author = {Alberto Segura}, title = {{Tweet on FluBot Version 4.0}}, date = {2021-04-21}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1384840011892285440}, language = {English}, urldate = {2021-04-28} } @online{segura:20210513:newly:396ce52, author = {Jérôme Segura}, title = {{Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity}}, date = {2021-05-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/}, language = {English}, urldate = {2021-05-17} } @online{segura:20210521:flubot:4fd3961, author = {Alberto Segura}, title = {{Tweet on Flubot version 4.2 (p.php variant) with new AES strings encryption}}, date = {2021-05-21}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1395675479194095618}, language = {English}, urldate = {2024-03-25} } @online{segura:20210531:flubot:8657f6d, author = {Alberto Segura}, title = {{Tweet on Flubot version 4.4}}, date = {2021-05-31}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1399249798063087621?s=20}, language = {English}, urldate = {2021-06-09} } @online{segura:20210603:decrypting:10a9e23, author = {Alberto Segura}, title = {{Tweet on decrypting FluBot strings}}, date = {2021-06-03}, organization = {Twitter (@alberto__segura)}, url = {https://mobile.twitter.com/alberto__segura/status/1400396365759500289}, language = {English}, urldate = {2021-06-29} } @online{segura:20210609:flubt:d365192, author = {Alberto Segura}, title = {{Tweet on Flubt version 4.5}}, date = {2021-06-09}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1402615237296148483}, language = {English}, urldate = {2021-06-21} } @online{segura:20210613:flubot:f2d4a14, author = {Alberto Segura}, title = {{Tweet on Flubot version 4.6}}, date = {2021-06-13}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1404098461440659459}, language = {English}, urldate = {2021-06-21} } @online{segura:20210628:lil:e675ba5, author = {Jérôme Segura}, title = {{Lil' skimmer, the Magecart impersonator - Malwarebytes Labs}}, date = {2021-06-28}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/}, language = {English}, urldate = {2021-07-09} } @online{segura:20210716:vidar:372aace, author = {Jérôme Segura}, title = {{Vidar and GandCrab: stealer and ransomware combo observed in the wild}}, date = {2021-07-16}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/}, language = {English}, urldate = {2022-04-12} } @online{segura:20210913:many:c651ab9, author = {Jérôme Segura}, title = {{The many tentacles of Magecart Group 8}}, date = {2021-09-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/}, language = {English}, urldate = {2021-09-19} } @online{segura:20211019:qlogger:4f23de5, author = {Jérôme Segura}, title = {{q-logger skimmer keeps Magecart attacks going}}, date = {2021-10-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/}, language = {English}, urldate = {2021-10-26} } @online{segura:20211103:credit:ab7b79f, author = {Jérôme Segura}, title = {{Credit card skimmer evades Virtual Machines}}, date = {2021-11-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/}, language = {English}, urldate = {2021-11-08} } @online{segura:20220303:sharkbot:58ba7e0, author = {Alberto Segura and Rolf Govers}, title = {{SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store}}, date = {2022-03-03}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/}, language = {English}, urldate = {2022-03-04} } @online{segura:20220629:flubot:274bd51, author = {Alberto Segura and Rolf Govers}, title = {{Flubot: the evolution of a notorious Android Banking Malware}}, date = {2022-06-29}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/}, language = {English}, urldate = {2022-07-05} } @online{segura:20220902:sharkbot:a9ce98d, author = {Alberto Segura and Mike Stokkel}, title = {{Sharkbot is back in Google Play}}, date = {2022-09-02}, organization = {nccgroup}, url = {https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/}, language = {English}, urldate = {2022-09-12} } @online{segura:20230906:mac:22907a4, author = {Jérôme Segura}, title = {{Mac users targeted in new malvertising campaign delivering Atomic Stealer}}, date = {2023-09-06}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising}, language = {English}, urldate = {2023-11-13} } @online{segura:20231215:pikabot:fb183ee, author = {Jérôme Segura}, title = {{PikaBot distributed via malicious search ads}}, date = {2023-12-15}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads}, language = {English}, urldate = {2023-12-19} } @online{segura:20240110:atomic:0ac546a, author = {Jérôme Segura}, title = {{Atomic Stealer rings in the new year with updated version}}, date = {2024-01-10}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version}, language = {English}, urldate = {2024-01-18} } @online{segura:20240624:poseidon:74f55a0, author = {Jérôme Segura}, title = {{‘Poseidon’ Mac stealer distributed via Google ads}}, date = {2024-06-24}, organization = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads}, language = {English}, urldate = {2024-07-03} } @online{segura:20241215:malicious:090b640, author = {Jérôme Segura}, title = {{Malicious ad distributes SocGholish malware to Kaiser Permanente employees}}, date = {2024-12-15}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees}, language = {English}, urldate = {2024-12-16} } @online{sekoia:20180322:falling:c04d81f, author = {sekoia}, title = {{Falling on MuddyWater}}, date = {2018-03-22}, organization = {Sekoia}, url = {https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/}, language = {English}, urldate = {2023-06-19} } @online{sekoia:20190613:hunting:201a07e, author = {sekoia}, title = {{Hunting and detecting Cobalt Strike}}, date = {2019-06-13}, organization = {Sekoia}, url = {https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } @techreport{sekoia:20210311:qnap:e8c82c4, author = {sekoia}, title = {{QNAP worm: who bene}}, date = {2021-03-11}, institution = {Sekoia}, url = {https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf}, language = {English}, urldate = {2022-05-08} } @techreport{sekoia:20210708:kaseya:029b682, author = {sekoia}, title = {{Kaseya: Another Massive Heist by REvil}}, date = {2021-07-08}, institution = {Sekoia}, url = {https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf}, language = {English}, urldate = {2021-09-20} } @online{sekoia:20210817:insider:3b427c7, author = {sekoia}, title = {{An insider insights into Conti operations – Part one}}, date = {2021-08-17}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one}, language = {English}, urldate = {2021-09-06} } @online{sekoia:20210819:insider:ceb84de, author = {sekoia}, title = {{An insider insights into Conti operations – Part two}}, date = {2021-08-19}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/}, language = {English}, urldate = {2021-09-06} } @online{sekoia:20220106:nobeliums:de631e8, author = {sekoia}, title = {{NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies}}, date = {2022-01-06}, organization = {Sekoia}, url = {https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/}, language = {English}, urldate = {2022-01-10} } @online{sekoia:20220217:story:4255cb2, author = {sekoia}, title = {{The story of a ransomware builder: from Thanos to Spook and beyond (Part 1)}}, date = {2022-02-17}, organization = {Sekoia}, url = {https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/}, language = {English}, urldate = {2022-03-02} } @techreport{sekoia:20220223:banana:7ca43ed, author = {sekoia}, title = {{Banana Sulfate infrastructure cluster exposed}}, date = {2022-02-23}, institution = {Sekoia}, url = {https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/%5BMarketing%5D%20-%20Ebook-analyse/FLINT%202022-011%20-%20Banana%20Sulfate%20infrastructure%20exposed_WHITE.pdf}, language = {English}, urldate = {2022-04-05} } @online{sekoia:20220708:vice:d66b5b2, author = {sekoia}, title = {{Vice Society: a discreet but steady double extortion ransomware group}}, date = {2022-07-08}, organization = {Sekoia}, url = {https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/}, language = {English}, urldate = {2023-02-03} } @online{sekoia:20220801:turlas:ec60a74, author = {sekoia}, title = {{Tweet on Turla's CyberAzov activity}}, date = {2022-08-01}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1554086468104196096}, language = {English}, urldate = {2022-08-02} } @online{sekoia:20220922:tweets:b2e9079, author = {sekoia}, title = {{Tweets on Lumma stealer}}, date = {2022-09-22}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1572889505497223169}, language = {English}, urldate = {2022-10-14} } @online{sekoia:20221004:tweets:49c9f1d, author = {sekoia}, title = {{Tweets detailing operation of Erbium stealer}}, date = {2022-10-04}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1577222282929311744}, language = {English}, urldate = {2022-12-05} } @online{sekoia:20221102:bluefox:142012b, author = {sekoia and Threat & Detection Research Team and Quentin Bourgue}, title = {{BlueFox Stealer: a newcomer designed for traffers teams}}, date = {2022-11-02}, organization = {Sekoia}, url = {https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/}, language = {English}, urldate = {2024-11-26} } @online{sekoia:20221205:calisto:cef50e0, author = {sekoia and Threat & Detection Research Team}, title = {{Calisto show interests into entities involved in Ukraine war support}}, date = {2022-12-05}, organization = {Sekoia}, url = {https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/}, language = {English}, urldate = {2022-12-06} } @online{sekoia:20230629:following:248a859, author = {sekoia}, title = {{Following NoName057(16) DDoSia Project’s Targets}}, date = {2023-06-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/}, language = {English}, urldate = {2023-07-05} } @online{sekoia:20240429:sekoiaios:b056874, author = {sekoia}, title = {{@sekoia_io's tweet about the (not so) new infostealer, named ACR Stealer}}, date = {2024-04-29}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1784943443157930449}, language = {English}, urldate = {2024-05-02} } @online{sektorcert:20231114:attacks:97782de, author = {SektorCERT}, title = {{The Attacks against the Danish Critical Infrastructure (translated)}}, date = {2023-11-14}, organization = {SektorCERT}, url = {https://www.documentcloud.org/documents/24165244-sektorcert-translated}, language = {English}, urldate = {2023-11-15} } @online{sektorcert:20231114:attacks:9d0198d, author = {SektorCERT}, title = {{The Attacks against the Danish Critical Infrastructure}}, date = {2023-11-14}, organization = {SektorCERT}, url = {https://www.documentcloud.org/documents/24165245-sektorcert-angrebet-mod-dansk-kritisk-infrastruktur-tlp-clear}, language = {Danish}, urldate = {2023-11-15} } @online{sekurak:20210429:udao:8043e83, author = {Sekurak}, title = {{Udało nam się zrealizować wywiad z grupą ransomware (Babuk), która zaszyfrowała policję metropolitarną w Waszyngtonie}}, date = {2021-04-29}, organization = {Sekurak.pl}, url = {https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/}, language = {Polish}, urldate = {2021-05-03} } @online{seligman:20210510:russian:f9e1098, author = {Lara Seligman and Andrew Desiderio}, title = {{Russian spy unit suspected of directed-energy attacks on U.S. personnel}}, date = {2021-05-10}, organization = {POLITICO}, url = {https://www.politico.com/news/2021/05/10/russia-gru-directed-energy-486640}, language = {English}, urldate = {2021-05-13} } @online{selvaraj:20100503:brief:d35dcb7, author = {Karthik Selvaraj}, title = {{A Brief Look at Zeus/Zbot 2.0}}, date = {2010-05-03}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20}, language = {English}, urldate = {2019-12-06} } @online{selvaraj:20170512:wannacrypt:9604786, author = {Karthik Selvaraj and Elia Florio and Andrea Lelli and Tanmay Ganacharya}, title = {{WannaCrypt ransomware worm targets out-of-date systems}}, date = {2017-05-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/}, language = {English}, urldate = {2020-03-06} } @online{sembera:20200305:geost:ee210a8, author = {Vit Sembera}, title = {{Geost: Anatomy of the Android Trojan Targeting Russia}}, date = {2020-03-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/c/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks.html}, language = {English}, urldate = {2025-04-25} } @online{semenchenko:20200102:deathransom:1d5c66d, author = {Artem Semenchenko and Evengeny Ananin}, title = {{DeathRansom Part II: Attribution}}, date = {2020-01-02}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html}, language = {English}, urldate = {2020-01-09} } @online{sen:20160123:github:3bf8ac7, author = {Utku Sen}, title = {{Github Repository of EDA2}}, date = {2016-01-23}, organization = {Github (utkusen)}, url = {https://github.com/utkusen/eda2}, language = {English}, urldate = {2023-11-22} } @online{sen:20170821:im:ccdcc50, author = {Utku Sen}, title = {{I'm Sorry For Hidden Tear and EDA2}}, date = {2017-08-21}, organization = {Utku Sen Blog}, url = {https://utkusen.com/blog/im-sorry-for-hidden-tear-eda2}, language = {English}, urldate = {2023-11-22} } @online{sensepost:20170216:regeorg:0e5ab94, author = {sensepost}, title = {{reGeorg}}, date = {2017-02-16}, organization = {Github (sensepost)}, url = {https://github.com/sensepost/reGeorg}, language = {English}, urldate = {2020-01-13} } @online{sensepost:20181023:godoh:6c33bce, author = {sensepost}, title = {{godoh: A DNS-over-HTTPS Command & Control Proof of Concept}}, date = {2018-10-23}, organization = {Github (sensepost)}, url = {https://github.com/sensepost/goDoH}, language = {English}, urldate = {2020-01-08} } @online{sentenac:20240402:early:ca92115, author = {Alexandra Sentenac and Trent Kessler and Victoria Baldie}, title = {{The Early Bird Catches the Worm: Darktrace’s Hunt for Raspberry Robin}}, date = {2024-04-02}, organization = {Darktrace}, url = {https://darktrace.com/blog/the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin}, language = {English}, urldate = {2024-04-08} } @online{sentinellabs:20200813:case:4560aed, author = {SentinelLabs}, title = {{Case Study: Catching a Human-Operated Maze Ransomware Attack In Action}}, date = {2020-08-13}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/}, language = {English}, urldate = {2020-08-14} } @online{sentinellabs:20210106:solarwindscountermeasures:c2aa91e, author = {SentinelLabs}, title = {{SolarWinds_Countermeasures}}, date = {2021-01-06}, organization = {Github (SentinelLabs)}, url = {https://github.com/SentineLabs/SolarWinds_Countermeasures}, language = {English}, urldate = {2021-01-11} } @techreport{sentinellabs:20210812:shadowpad:61c0a20, author = {SentinelLabs}, title = {{ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage}}, date = {2021-08-12}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf}, language = {English}, urldate = {2022-07-25} } @online{sentinellabs:20221103:black:0be02f3, author = {SentinelLabs}, title = {{Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor}}, date = {2022-11-03}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta}, language = {English}, urldate = {2022-11-03} } @online{sentinellabs:20230309:icefire:2b5d342, author = {SentinelLabs}, title = {{IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks}}, date = {2023-03-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/}, language = {English}, urldate = {2023-10-11} } @online{sentinelone:20190520:goznym:f994be3, author = {SentinelOne}, title = {{GozNym Banking Malware: Gang Busted, But Is That The End?}}, date = {2019-05-20}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/}, language = {English}, urldate = {2023-04-18} } @online{sentinelone:20210510:meet:e3c28b4, author = {SentinelOne}, title = {{Meet DarkSide and Their Ransomware – SentinelOne Customers Protected}}, date = {2021-05-10}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/}, language = {English}, urldate = {2021-05-13} } @online{sentinelone:20210621:darkradiation:03c7054, author = {SentinelOne}, title = {{DarkRadiation | Abusing Bash For Linux and Docker Container Ransomware}}, date = {2021-06-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/}, language = {English}, urldate = {2021-06-23} } @online{sentinelone:20210901:watchtower:65a4e3f, author = {SentinelOne}, title = {{WatchTower | August 2021 TLP: WHITE | Intelligence-Driven Threat Hunting}}, date = {2021-09-01}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/watchtower1-white/watchtower_aug2021_white_132a}, language = {English}, urldate = {2021-09-02} } @online{sentinelone:20221130:ransomexx:e7d7457, author = {SentinelOne}, title = {{RansomEXX Ransomware: In-Depth Analysis, Detection, and Mitigation}}, date = {2022-11-30}, organization = {SentinelOne}, url = {https://www.sentinelone.com/anthology/ransomexx/}, language = {English}, urldate = {2023-06-09} } @online{sentinelone:20231013:good:8cceefb, author = {SentinelOne}, title = {{The Good, the Bad and the Ugly in Cybersecurity – Week 41}}, date = {2023-10-13}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/}, language = {English}, urldate = {2023-12-04} } @online{sentinelone:20250422:what:0b323ec, author = {SentinelOne}, title = {{What Is Fog Ransomware?}}, date = {2025-04-22}, organization = {SentinelOne}, url = {https://www.sentinelone.com/anthology/fog/}, language = {English}, urldate = {2025-05-02} } @online{sentinelone:20250506:protection:d620f4b, author = {SentinelOne}, title = {{Protection Against Local Upgrade Technique Described in Aon Research}}, date = {2025-05-06}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/protection-against-local-upgrade-technique-described-in-aon-research/}, language = {English}, urldate = {2025-05-20} } @online{sentonas:20201223:crowdstrike:ee76d67, author = {Michael Sentonas}, title = {{CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory}}, date = {2020-12-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/}, language = {English}, urldate = {2021-01-01} } @online{sentsova:20210826:from:29830d8, author = {Anastasia Sentsova}, title = {{From Russia With… LockBit Ransomware: Inside Look & Preventive Solutions}}, date = {2021-08-26}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions}, language = {English}, urldate = {2021-08-31} } @online{sentsova:20240208:this:28de65b, author = {Anastasia Sentsova and Jon DiMaggio}, title = {{“This Forum is a Bunch of Communists and They Set Me Up”, LockBit Spills the Tea Regarding Their Recent Ban on Russian-Speaking Forums}}, date = {2024-02-08}, organization = {ANALYST1}, url = {https://analyst1.com/this-forum-is-a-bunch-of-communists-and-they-set-me-up-lockbit-spills-the-tea-regarding-their-recent-ban-on-russian-speaking-forums/}, language = {English}, urldate = {2024-02-09} } @online{sentsova:20240229:lockbit:eefbd0e, author = {Anastasia Sentsova and Jon DiMaggio}, title = {{LockBit Takedown & Operation Cronos: A Long-Awaited PsyOps Against Ransomware}}, date = {2024-02-29}, organization = {ANALYST1}, url = {https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/}, language = {English}, urldate = {2024-04-11} } @online{seonae:20190425:chinesebased:fa78904, author = {Kim Seon-ae}, title = {{Chinese-based hackers attack domestic energy institutions}}, date = {2019-04-25}, organization = {DATANET}, url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346}, language = {Korean}, urldate = {2021-02-09} } @online{sequretek:20230410:kutaki:9792924, author = {Sequretek}, title = {{Kutaki Stealer - Analysis}}, date = {2023-04-10}, organization = {Sequretek}, url = {https://sequretek.com/kutaki-stealer-analysis/}, language = {English}, urldate = {2024-05-21} } @online{serabian:20210908:proprc:f8e9644, author = {Ryan Serabian and Lee Foster}, title = {{Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.}}, date = {2021-09-08}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/09/pro-prc-influence-campaign-social-media-websites-forums.html}, language = {English}, urldate = {2021-09-10} } @online{serabian:20220804:proprc:2b0de36, author = {Ryan Serabian and Daniel Kapellmann Zafra}, title = {{Pro-PRC “HaiEnergy” Information Operations Campaign Leverages Infrastructure from Public Relations Firm to Disseminate Content on Inauthentic News Sites}}, date = {2022-08-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/pro-prc-information-operations-campaign-haienergy}, language = {English}, urldate = {2022-08-11} } @online{serabian:20230724:proprc:500b383, author = {Ryan Serabian and Daniel Kapellmann Zafra and Conor Quigley and David Mainor}, title = {{Pro-PRC HaiEnergy Campaign Exploits U.S. News Outlets via Newswire Services to Target U.S. Audiences; Evidence of Commissioned Protests in Washington, D.C.}}, date = {2023-07-24}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/pro-prc-haienergy-us-news}, language = {English}, urldate = {2023-07-31} } @techreport{seret:20210728:babuk:6d1325e, author = {Thibault Seret and Noël Keijzer}, title = {{Babuk: Moving to VM and *nix Systems Before Stepping Away}}, date = {2021-07-28}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf}, language = {English}, urldate = {2021-07-29} } @online{seret:20211018:is:b238cf8, author = {Thibault Seret}, title = {{Is There Really Such a Thing as a Low-Paid Ransomware Operator?}}, date = {2021-10-18}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/}, language = {English}, urldate = {2021-10-26} } @online{seret:20220317:suspected:f30741a, author = {Thibault Seret and John Fokker}, title = {{Suspected DarkHotel APT activity update}}, date = {2022-03-17}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html}, language = {English}, urldate = {2022-03-18} } @online{seret:20241004:octopus:b0fc4c8, author = {Thibault Seret}, title = {{Octopus Prime: it didn't turn into a truck, but a widely spread Android botnet}}, date = {2024-10-04}, organization = {VirusBulletin}, url = {https://www.virusbulletin.com/conference/vb2024/abstracts/octopus-prime-didnt-turn-truck-widely-spread-android-botnet/}, language = {English}, urldate = {2024-12-06} } @online{serino:20210208:recommendations:7c97b3f, author = {Gus Serino}, title = {{Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack}}, date = {2021-02-08}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/}, language = {English}, urldate = {2021-02-20} } @techreport{serper:20160406:osx:99415a1, author = {Amit Serper}, title = {{OSX Pirrit: What adware that 'just' displays ads means for Mac OS X security}}, date = {2016-04-06}, institution = {Cybereason}, url = {http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf}, language = {English}, urldate = {2019-11-23} } @online{serper:20170510:protonb:c490472, author = {Amit Serper}, title = {{Proton.B: What this Mac malware actually does}}, date = {2017-05-10}, organization = {Cybereason}, url = {https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does}, language = {English}, urldate = {2020-01-09} } @techreport{serper:2017:osx:f818c68, author = {Amit Serper}, title = {{OSX Pirrit: Part III}}, date = {2017}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf}, language = {English}, urldate = {2019-12-04} } @online{serper:20180914:wannamine:f438a36, author = {Amit Serper}, title = {{Wannamine cryptominer that uses EternalBlue still active}}, date = {2018-09-14}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry}, language = {English}, urldate = {2020-11-25} } @online{serper:20190613:new:34a6ab0, author = {Amit Serper and Mary Zhao}, title = {{New Pervasive Worm Exploiting Linux Exim Server Vulnerability}}, date = {2019-06-13}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability}, language = {English}, urldate = {2020-01-09} } @online{serper:20210324:purple:86ec5cf, author = {Amit Serper}, title = {{Purple Fox Rootkit Now Propagates as a Worm}}, date = {2021-03-24}, organization = {Guardicore}, url = {https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/}, language = {English}, urldate = {2021-03-25} } @online{service:20201124:russian:0e25038, author = {Congressional Research Service}, title = {{Russian Military Intelligence: Background and Issues for Congress}}, date = {2020-11-24}, organization = {Congressional Research Service}, url = {https://crsreports.congress.gov/product/pdf/R/R46616/6}, language = {English}, urldate = {2020-12-14} } @techreport{service:20210104:russian:b046f4f, author = {Congressional Research Service}, title = {{Russian Cyber Units}}, date = {2021-01-04}, institution = {Congressional Research Service}, url = {https://assets.documentcloud.org/documents/20441144/russian-cyber-units-jan-4-2021.pdf}, language = {English}, urldate = {2021-04-19} } @techreport{service:20210217:estonian:8145567, author = {Välisluureamet Estonian Foreign Intelligence Service}, title = {{Estonian Foreign Intelligence Service public report 2021}}, date = {2021-02-17}, institution = {Välisluureamet Estonian Foreign Intelligence Service}, url = {https://www.valisluureamet.ee/pdf/raport/2021-ENG.pdf}, language = {English}, urldate = {2021-02-20} } @online{service:20210318:supo:9dc5c66, author = {SUPO Finnish Security Intelligence Service}, title = {{Supo identified the cyber espionage operation against the parliament as APT31}}, date = {2021-03-18}, organization = {SUPO Finnish Security Intelligence Service}, url = {https://supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi}, language = {Finnish}, urldate = {2021-03-19} } @techreport{service:20220216:international:8454c46, author = {Välisluureamet Estonian Foreign Intelligence Service}, title = {{International Security and Estonia 2022}}, date = {2022-02-16}, institution = {Välisluureamet Estonian Foreign Intelligence Service}, url = {https://www.valisluureamet.ee/doc/raport/2022-en.pdf}, language = {English}, urldate = {2022-02-26} } @online{service:20230413:halfrig:787dcfb, author = {Military Counterintelligence Service and CERT.PL}, title = {{HALFRIG - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb}, language = {English}, urldate = {2023-06-01} } @online{service:20230413:quarterrig:0435e72, author = {Military Counterintelligence Service and CERT.PL}, title = {{QUARTERRIG - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77}, language = {English}, urldate = {2023-06-01} } @online{service:20230413:snowyamber:f5404f6, author = {Military Counterintelligence Service and CERT.PL}, title = {{SNOWYAMBER - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d}, language = {English}, urldate = {2023-06-01} } @techreport{services:20110210:global:c04a33d, author = {McAfee Foundstone Professional Services and McAfee Labs}, title = {{Global Energy Cyberattacks: “Night Dragon”}}, date = {2011-02-10}, institution = {McAfee}, url = {https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf}, language = {English}, urldate = {2019-12-19} } @online{services:20191025:deep:291f303, author = {AGDC Services}, title = {{The Deep Dive Malware Analysis Approach}}, date = {2019-10-25}, organization = {AGDC Services}, url = {https://agdcservices.com/blog/the-deep-dive-malware-analysis-approach/}, language = {English}, urldate = {2021-01-11} } @online{services:20210118:how:30d311c, author = {AGDC Services}, title = {{How To Reverse Engineer RC4 Crypto For Malware Analysis}}, date = {2021-01-18}, organization = {Youtube ( AGDC Services)}, url = {https://www.youtube.com/watch?v=-EQKiIbOLEc}, language = {English}, urldate = {2021-01-26} } @online{services:20210217:how:d492b9b, author = {AGDC Services}, title = {{How Malware Can Resolve APIs By Hash}}, date = {2021-02-17}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=q8of74upT_g}, language = {English}, urldate = {2021-02-24} } @online{services:20211113:automate:487e01f, author = {AGDC Services}, title = {{Automate Qbot Malware String Decryption With Ghidra Script}}, date = {2021-11-13}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=4I0LF8Vm7SI}, language = {English}, urldate = {2021-11-19} } @online{services:20211211:how:358bd74, author = {AGDC Services}, title = {{How To Extract & Decrypt Qbot Configs Across Variants}}, date = {2021-12-11}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=M22c1JgpG-U}, language = {English}, urldate = {2021-12-20} } @online{seshadri:20211214:neutralizing:ef415fd, author = {Nagraj Seshadri}, title = {{Neutralizing Apache Log4j Exploits with Identity-Based Segmentation}}, date = {2021-12-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/neutralizing-apache-log4j-exploits-identity-based-segmentation}, language = {English}, urldate = {2022-01-05} } @techreport{settle:20160808:monsoon:c4f71cc, author = {Andy Settle and Nicholas Griffin and Abel Toro}, title = {{MONSOON – ANALYSIS OF AN APT CAMPAIGN}}, date = {2016-08-08}, institution = {Forcepoint}, url = {https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{settle:2016:analysis:8117245, author = {Andy Settle and Bapadittya Dey and Nicholas Griffin and Abel Toro}, title = {{Analysis of a Botnet Campaign}}, date = {2016}, institution = {Forcepoint}, url = {https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf}, language = {English}, urldate = {2020-01-06} } @online{sevens:20220623:spyware:e4fb7dd, author = {Benoit Sevens and Clement Lecigne and Google Threat Analysis Group}, title = {{Spyware vendor targets users in Italy and Kazakhstan}}, date = {2022-06-23}, organization = {Google}, url = {https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/}, language = {English}, urldate = {2022-07-01} } @online{sevens:20230314:magniber:5f03fd7, author = {Benoit Sevens}, title = {{Magniber ransomware actors used a variant of Microsoft SmartScreen bypass}}, date = {2023-03-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/}, language = {English}, urldate = {2023-03-20} } @online{sevtsov:20171213:tyupkin:71f090d, author = {Alexander Sevtsov}, title = {{Tyupkin ATM Malware: Take The Money Now Or Never!}}, date = {2017-12-13}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/tyupkin-atm-malware/}, language = {English}, urldate = {2019-10-21} } @online{sevtsov:20180221:olympic:6584ecb, author = {Alexander Sevtsov and Stefano Ortolani}, title = {{Olympic Destroyer: A new Candidate in South Korea}}, date = {2018-02-21}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/olympic-destroyer-south-korea/}, language = {English}, urldate = {2019-10-23} } @online{sevya:20180321:graybirdcolony:9201181, author = {Sevya}, title = {{GrayBird/Colony}}, date = {2018-03-21}, organization = {Pastebin (Sevya)}, url = {https://pastebin.com/GtjBXDmz}, language = {English}, urldate = {2020-01-10} } @online{sewani:20241018:inside:ec82c0e, author = {Mayur Sewani}, title = {{Inside the Latrodectus Malware Campaign Old School Phishing Meets Innovative Payload Delivery}}, date = {2024-10-18}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign}, language = {English}, urldate = {2024-10-24} } @online{seymour:20210622:preventing:641f2fb, author = {rich seymour}, title = {{Preventing Exploitation of the ZIP File Format}}, date = {2021-06-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-prevent-zip-file-exploitation/}, language = {English}, urldate = {2021-06-24} } @online{sfakianakis:20200225:sea:7086264, author = {Andreas Sfakianakis}, title = {{On Sea Turtle campaign targeting Greek governmental organisations}}, date = {2020-02-25}, organization = {Tilting at Windmills}, url = {https://threatintel.eu/2020/02/25/on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline}, language = {English}, urldate = {2023-08-11} } @online{shaari:20210309:kinsing:bd68431, author = {Aluma Lavi Shaari}, title = {{Kinsing: The Malware with Two Faces}}, date = {2021-03-09}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces}, language = {English}, urldate = {2021-03-11} } @online{shabab:20170724:spring:c3d274f, author = {Noushin Shabab}, title = {{Spring Dragon – Updated Activity}}, date = {2017-07-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/spring-dragon-updated-activity/79067/}, language = {English}, urldate = {2019-12-20} } @online{shabab:20200923:looking:ec3ad8c, author = {Noushin Shabab}, title = {{Looking for sophisticated malware in IoT devices}}, date = {2020-09-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/looking-for-sophisticated-malware-in-iot-devices/98530/}, language = {English}, urldate = {2020-11-12} } @online{shabab:20201123:compromised:6dd1417, author = {Negar Shabab and Noushin Shabab}, title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}}, date = {2020-11-23}, organization = {Youtube (OWASP DevSlop)}, url = {https://www.youtube.com/watch?v=55kaaMGBARM}, language = {English}, urldate = {2020-11-23} } @online{shabarkin:20210916:pointer:828998f, author = {Pavel Shabarkin}, title = {{Pointer: Hunting Cobalt Strike globally}}, date = {2021-09-16}, organization = {Medium Shabarkin}, url = {https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a}, language = {English}, urldate = {2021-09-19} } @online{shadeteam:20200426:repository:25ac040, author = {shade-team}, title = {{Repository with Keys for Shade / Troldesh}}, date = {2020-04-26}, url = {https://github.com/shade-team/keys}, language = {English}, urldate = {2020-04-28} } @online{shadevx:20220427:detecting:ebc3f20, author = {shade_vx}, title = {{Detecting Ransomware’s Stealthy Boot Configuration Edits}}, date = {2022-04-27}, organization = {Binary Defense}, url = {https://www.binarydefense.com/detecting-ransomwares-stealthy-boot-configuration-edits/}, language = {English}, urldate = {2022-05-09} } @online{shadowstackre:20231213:rhysida:0bf4d33, author = {ShadowStackRE}, title = {{Rhysida Ransomware}}, date = {2023-12-13}, organization = {ShadowStackRE}, url = {https://www.shadowstackre.com/analysis/rhysida}, language = {English}, urldate = {2023-12-13} } @online{shadowstackre:20240122:cactus:e44d27f, author = {ShadowStackRE}, title = {{Cactus Ransomware}}, date = {2024-01-22}, organization = {ShadowStackRE}, url = {https://www.shadowstackre.com/analysis/cactus}, language = {English}, urldate = {2024-01-24} } @online{shadowstackre:20240312:donex:6992a98, author = {ShadowStackRE}, title = {{Donex ransomware}}, date = {2024-03-12}, organization = {ShadowStackRE}, url = {https://www.shadowstackre.com/analysis/donex}, language = {English}, urldate = {2024-03-14} } @online{shah:20240711:clickfix:7fdcc61, author = {Yashvi Shah and Vignesh Dhatchanamoorthy}, title = {{ClickFix Deception: A Social Engineering Tactic to Deploy Malware}}, date = {2024-07-11}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/}, language = {English}, urldate = {2024-07-17} } @online{shah:20240920:behind:b60af0e, author = {Yashvi Shah and Aayush Tyagi}, title = {{Behind the CAPTCHA: A Clever Gateway of Malware}}, date = {2024-09-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/}, language = {English}, urldate = {2024-09-26} } @online{shaikh:20240814:new:c625579, author = {Salman Shaikh}, title = {{Tweet on a new malware family - Dust RAT}}, date = {2024-08-14}, organization = {Twitter (@salmanvsf)}, url = {https://x.com/salmanvsf/status/1823587814015164567}, language = {English}, urldate = {2024-08-19} } @online{shaikh:20250221:about:2b48a35, author = {Salman Shaikh}, title = {{Tweet about VXPCrypter}}, date = {2025-02-21}, organization = {Twitter (@salmanvsf)}, url = {https://x.com/salmanvsf/status/1892796042284060793}, language = {English}, urldate = {2025-02-21} } @online{shala:20210617:etterforskningen:cdef568, author = {Dafina Shala}, title = {{Etterforskningen av datanettverksoperasjonen mot statsforvalterembeter henlegges}}, date = {2021-06-17}, organization = {Norwegian Police Security Service (PST)}, url = {https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet}, language = {Norwegian}, urldate = {2021-07-22} } @online{shalev:20220926:hunting:3489fdb, author = {Daniela Shalev and Itay Gamliel}, title = {{Hunting for Unsigned DLLs to Find APTs}}, date = {2022-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unsigned-dlls/}, language = {English}, urldate = {2022-09-30} } @online{shamir:20210617:shadow:e4983c5, author = {Elad Shamir}, title = {{Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover}}, date = {2021-06-17}, organization = {SpecterOps}, url = {https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab}, language = {English}, urldate = {2021-06-22} } @online{shamshur:20220407:google:fbc0f89, author = {Alex Shamshur and Raman Ladutska}, title = {{Google is on guard: sharks shall not pass!}}, date = {2022-04-07}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/}, language = {English}, urldate = {2022-04-08} } @online{shamshur:20230504:eastern:30d81b9, author = {Alex Shamshur and Sam Handelman and Raman Ladutska}, title = {{Eastern Asian Android Assault - FluHorse}}, date = {2023-05-04}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/}, language = {English}, urldate = {2023-05-10} } @techreport{shank:20200930:pandamic:f210107, author = {James Shank and Jacomo Piccolini}, title = {{Pandamic: Emissary Pandas in the Middle East}}, date = {2020-09-30}, institution = {Team Cymru}, url = {https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf}, language = {English}, urldate = {2021-04-16} } @online{shank:20210127:taking:fa40609, author = {James Shank}, title = {{Taking Down Emotet How Team Cymru Leveraged Visibility and Relationships to Coordinate Community Efforts}}, date = {2021-01-27}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/01/27/taking-down-emotet/}, language = {English}, urldate = {2021-01-29} } @online{shank:20211021:how:1be324d, author = {James Shank}, title = {{How to: Threat hunting and threat intelligence}}, date = {2021-10-21}, organization = {APNIC}, url = {https://blog.apnic.net/2021/10/21/how-to-threat-hunting-and-threat-intelligence/}, language = {English}, urldate = {2021-12-22} } @online{shank:20220308:record:89bbecc, author = {James Shank}, title = {{Record breaking DDoS Potential Discovered: CVE-2022-26143}}, date = {2022-03-08}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/03/08/record-breaking-ddos-potential-discovered-cve-2022-26143/}, language = {English}, urldate = {2022-03-28} } @online{shank:20250617:operation:f57fe08, author = {James Shank}, title = {{Operation Endgame: Do Takedowns and Arrests Matter?}}, date = {2025-06-17}, organization = {DARKReading}, url = {https://www.darkreading.com/vulnerabilities-threats/operation-endgame-takedowns-arrests-matter}, language = {English}, urldate = {2025-06-18} } @online{shantha:20210718:digital:26bb5d7, author = {Sukanya Shantha}, title = {{Digital Forensics Show S.A.R. Geelani’s Phone Was Hacked, Likely With Zero-Click Exploit}}, date = {2021-07-18}, organization = {The Wire}, url = {https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages}, language = {English}, urldate = {2021-07-24} } @online{shapira:20180208:darksky:c1ee695, author = {Yuval Shapira}, title = {{DarkSky Botnet}}, date = {2018-02-08}, organization = {Radware}, url = {https://blog.radware.com/security/2018/02/darksky-botnet/}, language = {English}, urldate = {2019-10-23} } @online{shark:20220118:perswaysion:df80644, author = {Scarlet Shark}, title = {{PerSwaysion Threat Actor Updates Their Techniques and Infrastructure}}, date = {2022-01-18}, organization = {Medium (Scarlet Shark)}, url = {https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653}, language = {English}, urldate = {2022-01-24} } @online{sharma:20200528:microsoft:b02ddb1, author = {Ax Sharma}, title = {{Microsoft IIS servers hacked by Blue Mockingbird to mine Monero}}, date = {2020-05-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-iis-servers-hacked-by-blue-mockingbird-to-mine-monero/}, language = {English}, urldate = {2020-06-02} } @online{sharma:20200902:inside:68cc1bd, author = {Akshay 'Ax' Sharma}, title = {{Inside the “fallguys” malware that steals your browsing data and gaming IMs; Continued attack on open source software}}, date = {2020-09-02}, organization = {sonatype}, url = {https://blog.sonatype.com/inside-the-fallguys-malware}, language = {English}, urldate = {2020-09-03} } @online{sharma:20200922:russian:c3158b2, author = {Ax Sharma}, title = {{Russian hackers use fake NATO training docs to breach govt networks}}, date = {2020-09-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/}, language = {English}, urldate = {2020-09-24} } @online{sharma:20201116:massive:6d8678b, author = {Ax Sharma}, title = {{Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware}}, date = {2020-11-16}, organization = {sonatype}, url = {https://blog.sonatype.com/npm-malware-xpc.js?&web_view=true}, language = {English}, urldate = {2020-11-19} } @online{sharma:20201201:theres:9e5f87e, author = {Ax Sharma}, title = {{There’s a RAT in my code: new npm malware with Bladabindi trojan spotted}}, date = {2020-12-01}, organization = {sonatype}, url = {https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware}, language = {English}, urldate = {2020-12-08} } @online{sharma:20210301:newly:eb852ff, author = {Ax Sharma}, title = {{Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties}}, date = {2021-03-01}, organization = {sonatype}, url = {https://blog.sonatype.com/malicious-dependency-confusion-copycats-exfiltrate-bash-history-and-etc-shadow-files}, language = {English}, urldate = {2021-03-04} } @online{sharma:20210415:mirai:9db8c55, author = {Siddharth Sharma}, title = {{Mirai code re-use in Gafgyt}}, date = {2021-04-15}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt}, language = {English}, urldate = {2021-04-19} } @online{sharma:20210424:hashicorp:f6a9990, author = {Ax Sharma}, title = {{HashiCorp is the latest victim of Codecov supply-chain attack}}, date = {2021-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hashicorp-is-the-latest-victim-of-codecov-supply-chain-attack/}, language = {English}, urldate = {2021-04-29} } @online{sharma:20210517:discovery:1cd5315, author = {Siddartha Sharma and Ashwin Vamshi}, title = {{Discovery of Simps Botnet Leads To Ties to Keksec Group}}, date = {2021-05-17}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group}, language = {English}, urldate = {2021-05-25} } @online{sharma:20210621:sonatype:4a46fd1, author = {Ax Sharma}, title = {{Sonatype Catches New PyPI Cryptomining Malware}}, date = {2021-06-21}, organization = {sonatype}, url = {https://blog.sonatype.com/sonatype-catches-new-pypi-cryptomining-malware-via-automated-detection}, language = {English}, urldate = {2021-06-22} } @online{sharma:20210805:cryptominer:6cbb416, author = {Siddharth Sharma}, title = {{Cryptominer ELFs Using MSR to Boost Mining Process}}, date = {2021-08-05}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/cryptominer-elfs-using-msr-to-boost-mining-process}, language = {English}, urldate = {2021-08-06} } @online{sharma:20211007:team:50e3c4d, author = {Siddharth Sharma}, title = {{Team TNT Deploys Malicious Docker Image On Docker Hub}}, date = {2021-10-07}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools}, language = {English}, urldate = {2021-10-11} } @online{sharma:20220204:news:7f856da, author = {Ax Sharma}, title = {{News Corp discloses hack from "persistent" nation state cyber attacks}}, date = {2022-02-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/news-corp-discloses-hack-from-persistent-nation-state-cyber-attacks/}, language = {English}, urldate = {2022-02-07} } @online{sharma:20220317:big:6a2bf4c, author = {Ax Sharma}, title = {{BIG sabotage: Famous npm package deletes files to protest Ukraine war}}, date = {2022-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/}, language = {English}, urldate = {2022-03-18} } @online{sharma:20220520:new:15b8bf7, author = {Ax Sharma}, title = {{New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux}}, date = {2022-05-20}, organization = {sonatype}, url = {https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux}, language = {English}, urldate = {2022-05-24} } @online{sharma:20220811:pypi:eadd23a, author = {Ax Sharma}, title = {{PyPI Package 'secretslib' Drops Fileless Linux Malware to Mine Monero}}, date = {2022-08-11}, organization = {sonatype}, url = {https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero}, language = {English}, urldate = {2022-08-17} } @online{sharma:20220819:is:59a2562, author = {Siddharth Sharma and Nischay Hedge}, title = {{Is Tox The New C&C Method For Coinminers?}}, date = {2022-08-19}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers}, language = {English}, urldate = {2022-08-26} } @online{sharma:20230808:statc:fc8f8db, author = {SHIVAM SHARMA and Amandeep Kumar}, title = {{Statc Stealer: Decoding the Elusive Malware Threat}}, date = {2023-08-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat}, language = {English}, urldate = {2025-05-23} } @online{sharma:20250106:eagerbee:0b17809, author = {Saurabh Sharma and Vasily Berdnikov}, title = {{EAGERBEE, with updated and novel components, targets the Middle East}}, date = {2025-01-06}, organization = {Kaspersky}, url = {https://securelist.com/eagerbee-backdoor/115175/}, language = {English}, urldate = {2025-01-07} } @online{sharoglazov:20200723:attacking:f5a1ee2, author = {Arseniy Sharoglazov}, title = {{Attacking MS Exchange Web Interfaces}}, date = {2020-07-23}, organization = {PTSecurity}, url = {https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/}, language = {English}, urldate = {2020-07-30} } @online{sharoglazov:20200819:performing:fafb049, author = {Arseniy Sharoglazov}, title = {{Performing Kerberoasting without SPNs}}, date = {2020-08-19}, organization = {PT SWARM}, url = {https://swarm.ptsecurity.com/kerberoasting-without-spns/}, language = {English}, urldate = {2020-08-25} } @online{sharshar:20211019:purplefox:06308c3, author = {Abdelrhman Sharshar and Jay Yaneza and Sherif Magdy}, title = {{PurpleFox Adds New Backdoor That Uses WebSockets}}, date = {2021-10-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html}, language = {English}, urldate = {2021-10-24} } @online{shatilin:20181022:mobile:edd16ec, author = {Ilja Shatilin}, title = {{Mobile beasts and where to find them — part four}}, date = {2018-10-22}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/mobile-malware-part-4/24290/}, language = {English}, urldate = {2019-12-24} } @online{shaw:20200121:herpaderping:9726186, author = {Johnny Shaw}, title = {{Herpaderping: Security Risk or Unintended Behavior?}}, date = {2020-01-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/herpaderping-security-risk-or-unintended-behavior/}, language = {English}, urldate = {2021-01-25} } @online{shcherbakova:20180829:loki:c239728, author = {Tatyana Shcherbakova}, title = {{Loki Bot: On a hunt for corporate passwords}}, date = {2018-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/loki-bot-stealing-corporate-passwords/87595/}, language = {English}, urldate = {2019-12-20} } @online{shekar:20220722:how:284bd51, author = {Sneha Shekar}, title = {{How Push Notifications are Abused to Deliver Fraudulent Links}}, date = {2022-07-22}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/07/how-push-notifications-are-abused-to-deliver-fraudulent-links.html}, language = {English}, urldate = {2022-08-31} } @online{shelldot:20240202:tuoni:22a93a9, author = {shell-dot}, title = {{Tuoni}}, date = {2024-02-02}, organization = {Github (shell-dot)}, url = {https://github.com/shell-dot/tuoni}, language = {English}, urldate = {2024-05-14} } @online{shelmire:20160414:targeted:62c52fb, author = {Aaron Shelmire}, title = {{Targeted Ransomware Activity}}, date = {2016-04-14}, organization = {Anomali}, url = {https://www.anomali.com/blog/targeted-ransomware-activity}, language = {English}, urldate = {2019-12-06} } @online{shelmire:20160527:evidence:963d016, author = {Aaron Shelmire}, title = {{Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks}}, date = {2016-05-27}, organization = {Anomali}, url = {https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks}, language = {English}, urldate = {2023-08-21} } @online{shen:20190603:into:d40fee9, author = {Chi-en Shen}, title = {{Into the Fog - The Return of ICEFOG APT}}, date = {2019-06-03}, organization = {FireEye}, url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt}, language = {English}, urldate = {2020-06-30} } @online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } @online{shen:20201213:from:ce39bbc, author = {Chi-en Shen and Steve Su}, title = {{From ThreatHunting to Campaign Tracking}}, date = {2020-12-13}, organization = {SlideShare (ChiEnAshleyShen)}, url = {https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1}, language = {English}, urldate = {2020-12-18} } @online{shen:20211020:phishing:b0fa074, author = {Ashley Shen and Google Threat Analysis Group}, title = {{Phishing campaign targets YouTube creators with cookie theft malware}}, date = {2021-10-20}, organization = {Google}, url = {https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware/}, language = {English}, urldate = {2021-10-26} } @online{shende:20211012:malspam:41220f1, author = {Avinash Shende}, title = {{Malspam Campaign Delivers Dark Crystal RAT (dcRAT)}}, date = {2021-10-12}, organization = {Infoblox}, url = {https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/}, language = {English}, urldate = {2021-10-22} } @online{sherman:20221118:gru:afc977c, author = {Justin Sherman}, title = {{GRU 26165: The Russian cyber unit that hacks targets on-site}}, date = {2022-11-18}, organization = {Atlantic Council}, url = {https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/}, language = {English}, urldate = {2022-12-20} } @online{sherman:20221213:analyzing:a56b53e, author = {Justin Sherman}, title = {{Analyzing Russian SDK Pushwoosh and Russian Code Contributions}}, date = {2022-12-13}, organization = {Margin Research}, url = {https://margin.re/2022/12/analyzing-russian-sdk-pushwoosh-and-russian-code-contributions/}, language = {English}, urldate = {2022-12-15} } @techreport{sherstobitoff:2013:dissecting:74f9183, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2013}, institution = {McAfee}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{sherstobitoff:20180101:dissecting:73712a7, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2018-01-01}, institution = {McAfee}, url = {http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf}, language = {English}, urldate = {2019-10-15} } @online{sherstobitoff:20180202:gold:8fc5b52, author = {Ryan Sherstobitoff}, title = {{Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems}}, date = {2018-02-02}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/}, language = {English}, urldate = {2023-01-05} } @online{sherstobitoff:20180212:lazarus:0c034e1, author = {Ryan Sherstobitoff and Asheer Malhotra and Jessica Saavedra-Morales and Thomas Roccia}, title = {{Lazarus Resurfaces, Targets Global Banks and Bitcoin Users}}, date = {2018-02-12}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/}, language = {English}, urldate = {2020-10-28} } @online{sherstobitoff:20180302:mcafee:979740e, author = {Ryan Sherstobitoff and Jessica Saavedra-Morales and Thomas Roccia and Asheer Malhotra}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-07-09} } @online{sherstobitoff:20180302:mcafee:fd9192f, author = {Ryan Sherstobitoff}, title = {{McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups}}, date = {2018-03-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/}, language = {English}, urldate = {2019-12-04} } @online{sherstobitoff:20180308:hidden:c1459ef, author = {Ryan Sherstobitoff and Asheer Malhotra and Charles Crawford and Jessica Saavedra-Morales}, title = {{Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant}}, date = {2018-03-08}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/}, language = {English}, urldate = {2019-10-14} } @online{sherstobitoff:20180424:analyzing:4383088, author = {Ryan Sherstobitoff}, title = {{Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide}}, date = {2018-04-24}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/}, language = {English}, urldate = {2023-02-27} } @online{sherstobitoff:20180424:analyzing:9aac21f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide}}, date = {2018-04-24}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/}, language = {English}, urldate = {2020-01-10} } @techreport{sherstobitoff:20180503:dissecting:13102f0, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2018-05-03}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{sherstobitoff:20181018:operation:f7a178c, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group}}, date = {2018-10-18}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf}, language = {English}, urldate = {2020-01-07} } @online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } @techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } @online{sherstobitoff:20210512:new:06b17ad, author = {Ryan Sherstobitoff}, title = {{New Evidence Supports Assessment that DarkSide Likely Responsible for Colonial Pipeline Ransomware Attack; Others Targeted}}, date = {2021-05-12}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted}, language = {English}, urldate = {2021-05-17} } @online{sherstobitoff:20210618:securityscorecard:0000641, author = {Ryan Sherstobitoff}, title = {{SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought}}, date = {2021-06-18}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought}, language = {English}, urldate = {2021-06-22} } @online{sherstobitoff:20241112:botnet:0df7328, author = {Ryan Sherstobitoff}, title = {{The Botnet is Back: SSC STRIKE Team Uncovers a Renewed Cyber Threat}}, date = {2024-11-12}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/botnet-is-back-ssc-strike-team-uncovers-a-renewed-cyber-threat/}, language = {English}, urldate = {2024-11-17} } @online{shestakov:20211209:inside:2dc8bd6, author = {Dmitry Shestakov and Andrey Zhdanov}, title = {{Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples}}, date = {2021-12-09}, organization = {Group-IB}, url = {https://blog.group-ib.com/hive}, language = {English}, urldate = {2022-01-24} } @online{shevchenko:20080518:rustockc:503b03d, author = {Sergei Shevchenko}, title = {{Rustock.C – Unpacking a Nested Doll}}, date = {2008-05-18}, organization = {ThreatExpert}, url = {http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html}, language = {English}, urldate = {2020-01-12} } @online{shevchenko:20081130:agentbtz:8c68643, author = {Sergei Shevchenko}, title = {{Agent.btz - A Threat That Hit Pentagon}}, date = {2008-11-30}, organization = {ThreatExpert}, url = {http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html}, language = {English}, urldate = {2020-01-08} } @online{shevchenko:20160513:cyber:321743e, author = {Sergei Shevchenko and Adrian Nish}, title = {{CYBER HEIST ATTRIBUTION}}, date = {2016-05-13}, organization = {BAE Systems}, url = {http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html}, language = {English}, urldate = {2023-08-15} } @online{shevchenko:20170220:lazarus:c608fd5, author = {Sergei Shevchenko}, title = {{Lazarus’ False Flag Malware}}, date = {2017-02-20}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html}, language = {English}, urldate = {2023-08-15} } @online{shevchenko:20170516:wannacryptor:8bc9235, author = {Sergei Shevchenko and Adrian Nish}, title = {{Wannacryptor Ransomworm}}, date = {2017-05-16}, url = {https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html}, language = {English}, urldate = {2020-01-07} } @online{shevchenko:20171016:taiwan:081b125, author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong}, title = {{Taiwan Heist: Lazarus Tools and Ransomware}}, date = {2017-10-16}, url = {http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html}, language = {English}, urldate = {2020-01-07} } @online{shevchenko:20171016:taiwan:cb91378, author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong}, title = {{Taiwan Heist: Lazarus Tools and Ransomware}}, date = {2017-10-16}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html}, language = {English}, urldate = {2020-01-06} } @online{shevchenko:201805:vpnfilter:d6268ae, author = {Sergei Shevchenko}, title = {{VPNFilter Botnet - a SophosLabs Analysis}}, date = {2018-05}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en}, language = {English}, urldate = {2019-07-09} } @techreport{shevchenko:20200224:cloud:eea1f10, author = {Sergei Shevchenko}, title = {{Cloud Snooper attack bypasses firewall security measures}}, date = {2020-02-24}, institution = {Sophos Labs}, url = {https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf}, language = {English}, urldate = {2020-02-27} } @techreport{shevchenko:20200305:cloud:e83e58c, author = {Sergei Shevchenko}, title = {{Cloud Snooper Attack Bypasses AWS Security Measures}}, date = {2020-03-05}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf}, language = {English}, urldate = {2022-01-28} } @online{shevchenko:20201215:sunburst:7f6b5db, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware (Broken link)}}, date = {2020-12-15}, organization = {Prevasio}, url = {https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware}, language = {English}, urldate = {2022-08-19} } @online{shevchenko:20201217:sunburst:9b615cf, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor, Part II: DGA & The List of Victims}}, date = {2020-12-17}, organization = {Prevasio}, url = {https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims}, language = {English}, urldate = {2022-08-19} } @online{shevchenko:20201222:sunburst:9670fa6, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor, Part III: DGA & Security Software (Broken Link)}}, date = {2020-12-22}, organization = {Prevasio}, url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html}, language = {English}, urldate = {2021-08-03} } @techreport{shevchenko:20201223:dns:0f3f013, author = {Sergei Shevchenko}, title = {{DNS Tunneling In The SolarWinds Supply Chain Attack}}, date = {2020-12-23}, institution = {Prevasio}, url = {https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf}, language = {English}, urldate = {2021-01-01} } @online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } @online{shields:20240118:russian:117face, author = {Wesley Shields}, title = {{Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware}}, date = {2024-01-18}, organization = {Google}, url = {https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware}, language = {English}, urldate = {2024-11-25} } @online{shields:20240118:russian:6e526ff, author = {Wesley Shields and Google Threat Analysis Group}, title = {{Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware}}, date = {2024-01-18}, organization = {Google}, url = {https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/}, language = {English}, urldate = {2024-01-22} } @online{shields:20250507:coldriver:e2949e5, author = {Wesley Shields}, title = {{COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs}}, date = {2025-05-07}, organization = {Google}, url = {https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos}, language = {English}, urldate = {2025-05-20} } @techreport{shieldus:20220825:ghost:54a167c, author = {SK Shieldus}, title = {{Ghost Ransomware Response and Attack Analysis Report}}, date = {2022-08-25}, institution = {SK Shieldus}, url = {https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf}, language = {Korean}, urldate = {2022-09-06} } @online{shier:20210518:active:f313ac5, author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie}, title = {{The Active Adversary Playbook 2021}}, date = {2021-05-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153}, language = {English}, urldate = {2021-05-25} } @techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } @online{shilko:20180313:new:e7af165, author = {Joshua Shilko}, title = {{New Variant of BankBot Banking Trojan Ups Ante, Cashes Out on Android Users}}, date = {2018-03-13}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis}, language = {English}, urldate = {2020-01-06} } @online{shilko:20211007:fin12:43d89f5, author = {Joshua Shilko and Zach Riddle and Jennifer Brooks and Genevieve Stark and Adam Brunner and Kimberly Goody and Jeremy Kennelly}, title = {{FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets}}, date = {2021-10-07}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets}, language = {English}, urldate = {2021-10-08} } @online{shimol:20210318:return:a27bb0b, author = {Snir Ben Shimol}, title = {{Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign}}, date = {2021-03-18}, organization = {Varonis}, url = {https://www.varonis.com/blog/darkside-ransomware/}, language = {English}, urldate = {2021-03-19} } @online{shin:20220728:new:950bc90, author = {Dexter Shin}, title = {{New HiddenAds malware affects 1M+ users and hides on the Google Play Store}}, date = {2022-07-28}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/}, language = {English}, urldate = {2022-08-02} } @online{shinde:20201118:thanos:4a211b9, author = {Priyanka Shinde}, title = {{Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic}}, date = {2020-11-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/}, language = {English}, urldate = {2021-01-01} } @online{shingo:20220523:lockbit:8d0fff2, author = {Matsugaya Shingo}, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022}}, date = {2022-05-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022}, language = {English}, urldate = {2022-05-24} } @online{shipulin:20190821:finding:b0c4a09, author = {Kirill Shipulin}, title = {{Finding Neutrino}}, date = {2019-08-21}, organization = {Positive Technologies}, url = {https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html}, language = {English}, urldate = {2021-09-22} } @online{shishkova:20180828:rise:892fcae, author = {Tatyana Shishkova}, title = {{The rise of mobile banker Asacub}}, date = {2018-08-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-rise-of-mobile-banker-asacub/87591/}, language = {English}, urldate = {2019-12-20} } @online{shishkova:20190625:riltok:14308bf, author = {Tatyana Shishkova}, title = {{Riltok mobile Trojan: A banker with global reach}}, date = {2019-06-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/mobile-banker-riltok/91374/}, language = {English}, urldate = {2019-12-20} } @online{shishkova:20201019:gravityrat:40ff02d, author = {Tatyana Shishkova}, title = {{GravityRAT: The spy returns}}, date = {2020-10-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/gravityrat-the-spy-returns/99097/}, language = {English}, urldate = {2024-11-26} } @online{shivtarkar:20220609:lyceum:20cd217, author = {Niraj Shivtarkar and Avinash Kumar}, title = {{Lyceum .NET DNS Backdoor}}, date = {2022-06-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor}, language = {English}, urldate = {2022-06-10} } @online{shivtarkar:20220818:grandoreiro:3c1b198, author = {Niraj Shivtarkar}, title = {{Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals}}, date = {2022-08-18}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals}, language = {English}, urldate = {2022-08-19} } @online{shivtarkar:20221021:warhawk:2b25f9f, author = {Niraj Shivtarkar and Avinash Kumar}, title = {{WarHawk: the New Backdoor in the Arsenal of the SideWinder APT Group}}, date = {2022-10-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group}, language = {English}, urldate = {2024-08-29} } @online{shivtarkar:20230224:snip3:8bab444, author = {Niraj Shivtarkar and Avinash Kumar}, title = {{Snip3 Crypter Reveals New TTPs Over Time}}, date = {2023-02-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time}, language = {English}, urldate = {2023-03-13} } @online{shivtarkar:20230707:toitoin:4999f2a, author = {Niraj Shivtarkar and Preet Kamal}, title = {{The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region}}, date = {2023-07-07}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/toitoin-trojan-analyzing-new-multi-stage-attack-targeting-latam-region}, language = {English}, urldate = {2023-07-31} } @online{shivtarkar:20230906:stealit:f5d0054, author = {Niraj Shivtarkar and Avinash Kumar}, title = {{Steal-It Campaign}}, date = {2023-09-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/steal-it-campaign}, language = {English}, urldate = {2023-10-09} } @online{shlomo:20210310:azure:abf5f9a, author = {Eli Shlomo}, title = {{Azure Sentinel and Sysmon 4 B!ue T3amer$}}, date = {2021-03-10}, organization = {Eli Shlomo Blog}, url = {https://www.eshlomo.us/azure-sentinel-and-sysm0n-4-blue-teamers/}, language = {English}, urldate = {2021-03-22} } @online{shoshin:20190220:cybercrime:3fc9944, author = {Pavel Shoshin}, title = {{Cybercrime is focusing on accountants}}, date = {2019-02-20}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/financial-trojans-2019/25690/}, language = {English}, urldate = {2019-12-05} } @online{showalter:20160503:universal:e111d7d, author = {William Showalter}, title = {{A Universal Windows Bootkit}}, date = {2016-05-03}, url = {http://williamshowalter.com/a-universal-windows-bootkit/}, language = {English}, urldate = {2020-01-07} } @techreport{shui:20210127:luoyu:32b7965, author = {Shui and Leon}, title = {{LuoYu: The eavesdropper sneaking in multiple platforms}}, date = {2021-01-27}, institution = {TEAMT5}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf}, language = {English}, urldate = {2021-11-03} } @online{shukla:20130825:compromised:2881854, author = {Parth Shukla}, title = {{The Compromised Devices of the Carna Botnet}}, date = {2013-08-25}, organization = {AusCERT}, url = {https://docs.google.com/file/d/0BxMgdZPXsSLBN1ZuTUVDM1ZZV0k/edit}, language = {English}, urldate = {2020-08-18} } @online{shulman:20240919:unc1860:51db93e, author = {Stav Shulman and Matan Mimran and Sarah Bock and Mark Lechtik}, title = {{UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks}}, date = {2024-09-19}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en}, language = {English}, urldate = {2024-10-25} } @online{shulman:20240919:unc1860:e1bb377, author = {Stav Shulman and Matan Mimran and Sarah Bock and Mark Lechtik}, title = {{UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks}}, date = {2024-09-19}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks}, language = {English}, urldate = {2024-10-18} } @online{shulmin:20150409:banking:165b265, author = {Alexey Shulmin}, title = {{The Banking Trojan Emotet: Detailed Analysis}}, date = {2015-04-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/}, language = {English}, urldate = {2019-12-20} } @online{shulmin:20161027:inside:50f43ed, author = {Alexey Shulmin and Sergey Yunakovsky}, title = {{Inside the Gootkit C&C server}}, date = {2016-10-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/}, language = {English}, urldate = {2019-12-20} } @online{shulmin:20170428:use:585320c, author = {Alexey Shulmin and Sergey Yunakovsky}, title = {{Use of DNS Tunneling for C&C Communications}}, date = {2017-04-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/}, language = {English}, urldate = {2019-12-20} } @techreport{shulmin:20180309:slingshot:3885e37, author = {Alexey Shulmin and Sergey Yunakovsky and Vasily Berdnikov and Andrey Dolgushev}, title = {{The Slingshot APT}}, date = {2018-03-09}, institution = {Kaspersky Labs}, url = {https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf}, language = {English}, urldate = {2020-01-10} } @online{shulmin:20180309:slingshot:7417374, author = {Alexey Shulmin and Sergey Yunakovsky and Vasily Berdnikov and Andrey Dolgushev}, title = {{The Slingshot APT FAQ}}, date = {2018-03-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-slingshot/84312/}, language = {English}, urldate = {2019-12-20} } @online{shushan:20210303:lazarus:60339a7, author = {Amitai Ben Shushan and Noam Lifshitz and Amnon Kushnir and Martin Korman and Boaz Wasserman}, title = {{Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware}}, date = {2021-03-03}, organization = {SYGNIA}, url = {https://www.sygnia.co/mata-framework}, language = {English}, urldate = {2021-03-04} } @online{shwarts:20200511:zeus:81e8585, author = {Nir Shwarts and Limor Kessem}, title = {{Zeus Sphinx Back in Business: Some Core Modifications Arise}}, date = {2020-05-11}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/}, language = {English}, urldate = {2022-09-21} } @online{shwarts:20210126:trickbots:a200e92, author = {Nir Shwarts}, title = {{TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?}}, date = {2021-01-26}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/}, language = {English}, urldate = {2021-01-27} } @online{sicert:20250207:sicert:151ad95, author = {SI-CERT}, title = {{SI-CERT TZ016 / BeaverTail & InvisibleFerret}}, date = {2025-02-07}, organization = {SI-CERT}, url = {https://www.cert.si/tz016/}, language = {Slovenian}, urldate = {2025-03-12} } @online{siddiqui:20210721:formbook:e6e3f64, author = {Rumana Siddiqui}, title = {{FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data}}, date = {2021-07-21}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/}, language = {English}, urldate = {2021-07-26} } @online{siddiqui:20231218:decoding:193f920, author = {Rumana Siddiqui}, title = {{Decoding BATLOADER 2.X: Unmasking the Threat of Stealthy Malware Tactics}}, date = {2023-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/}, language = {English}, urldate = {2023-12-27} } @online{sierra:20180424:metamorfo:aa4b1fe, author = {Edson Sierra and Gerardo Iglesias}, title = {{Metamorfo Campaigns Targeting Brazilian Users}}, date = {2018-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html}, language = {English}, urldate = {2019-12-20} } @online{siewierski:20140923:android:d2d9240, author = {Łukasz Siewierski}, title = {{Android malware based on SMS encryption and with KitKat support}}, date = {2014-09-23}, organization = {maldr0id blog}, url = {http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html}, language = {English}, urldate = {2019-08-07} } @online{siewierski:20150307:slave:fa94a3f, author = {Łukasz Siewierski}, title = {{Slave, Banatrix and ransomware}}, date = {2015-03-07}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/}, language = {English}, urldate = {2019-11-23} } @online{siewierski:20190111:pha:55dace7, author = {Łukasz Siewierski}, title = {{PHA Family Highlights: Zen and its cousins}}, date = {2019-01-11}, organization = {Google Security Blog}, url = {https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html}, language = {English}, urldate = {2019-10-14} } @online{siewierski:20190606:pha:6feedbd, author = {Łukasz Siewierski and Android Security & Privacy Team}, title = {{PHA Family Highlights: Triada}}, date = {2019-06-06}, organization = {Google}, url = {https://security.googleblog.com/2019/06/pha-family-highlights-triada.html}, language = {English}, urldate = {2020-01-06} } @online{siewierski:20200725:zen:f84761d, author = {Łukasz Siewierski}, title = {{Zen: A Complex Campaign of Harmful Android Apps}}, date = {2020-07-25}, organization = {HITBSecConf}, url = {https://conference.hitb.org/hitb-lockdown002/sessions/zen-a-complex-campaign-of-harmful-android-apps/}, language = {English}, urldate = {2020-08-18} } @techreport{siewierski:20200930:fall:b80a850, author = {Łukasz Siewierski and Sebastian Porst}, title = {{The fall of Domino – a preinstalled hostile downloader}}, date = {2020-09-30}, institution = {Google}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-Siewierski-Porst.pdf}, language = {English}, urldate = {2022-06-10} } @online{silentpush:20220523:fake:772c7f5, author = {Silentpush}, title = {{Fake Trading Apps}}, date = {2022-05-23}, organization = {Silentpush}, url = {https://www.silentpush.com/blog/fake-trading-apps}, language = {English}, urldate = {2022-05-29} } @online{sillam:20211013:ad:d4cd045, author = {Yohann Sillam and Ron Masas}, title = {{The ad blocker that injects ads}}, date = {2021-10-13}, organization = {Imperva}, url = {https://www.imperva.com/blog/the-ad-blocker-that-injects-ads/}, language = {English}, urldate = {2021-10-25} } @online{silva:20140804:new:826d436, author = {Phil Da Silva and Rob Downs and Ryan Olson}, title = {{New Release: Decrypting NetWire C2 Traffic}}, date = {2014-08-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/}, language = {English}, urldate = {2019-12-20} } @online{silva:20220418:investigation:a2d3046, author = {Lucas Silva and Leandro Froes}, title = {{An Investigation of the BlackCat Ransomware via Trend Micro Vision One}}, date = {2022-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html}, language = {English}, urldate = {2022-04-20} } @online{silverio:20220519:bruised:f5c6775, author = {Adolph Christian Silverio and Jeric Miguel Abordo and Khristian Joseph Morales and Maria Emreen Viray}, title = {{Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware}}, date = {2022-05-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html}, language = {English}, urldate = {2022-05-25} } @online{silverman:20220311:infamous:1242fa7, author = {Craig Silverman and Jeff Kao}, title = {{Infamous Russian Troll Farm Appears to Be Source of Anti-Ukraine Propaganda}}, date = {2022-03-11}, organization = {propublica}, url = {https://www.propublica.org/article/infamous-russian-troll-farm-appears-to-be-source-of-anti-ukraine-propaganda#1276418}, language = {English}, urldate = {2022-03-14} } @online{simmons:20200124:hunting:f99f1f9, author = {Robert Simmons}, title = {{Hunting for Ransomware}}, date = {2020-01-24}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware}, language = {English}, urldate = {2020-01-29} } @online{simmons:20200131:rats:d8a4021, author = {Robert Simmons}, title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}}, date = {2020-01-31}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/rats-in-the-library}, language = {English}, urldate = {2020-02-03} } @online{simmons:20200605:retread:86b93a6, author = {Robert Simmons}, title = {{Retread Ransomware: Identifying Satana to Understand "CoronaVirus"}}, date = {2020-06-05}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/retread-ransomware}, language = {English}, urldate = {2020-06-11} } @online{simmons:20201116:poorweb:ef09841, author = {Robert Simmons}, title = {{PoorWeb - Hitching a Ride on Hangul}}, date = {2020-11-16}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats}, language = {English}, urldate = {2020-11-18} } @online{simmons:20210312:dotnet:0d3ffca, author = {Robert Simmons}, title = {{DotNET Loaders}}, date = {2021-03-12}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/dotnet-loaders}, language = {English}, urldate = {2021-03-16} } @online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} } @online{simmons:20210715:data:8286b8f, author = {Robert Simmons}, title = {{Data Exfiltrator - A New Tactic for Ransomware Adversaries}}, date = {2021-07-15}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/data-exfiltrator}, language = {English}, urldate = {2021-07-20} } @online{simmons:20210914:more:f8ade2c, author = {John Simmons}, title = {{More ProxyShell? Web Shells Lead to ZeroLogon and Application Impersonation Attacks}}, date = {2021-09-14}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/more-proxyshell-web-shells-lead-to-zerologon-and-application-impersonation-attacks}, language = {English}, urldate = {2021-09-19} } @online{simmons:20221119:malicious:13718e6, author = {Robert Simmons}, title = {{Malicious Packer pkr_ce1a}}, date = {2022-11-19}, organization = {Malwarology}, url = {https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd}, language = {English}, urldate = {2022-11-25} } @online{simon:20210923:raccoon:3c654c1, author = {Stephan Simon}, title = {{Raccoon Stealer Pivots Towards Self-Protection}}, date = {2021-09-23}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/}, language = {English}, urldate = {2021-10-11} } @online{simon:20211001:babuk:9bce12b, author = {Stephan Simon}, title = {{Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked}}, date = {2021-10-01}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/}, language = {English}, urldate = {2021-10-11} } @online{simon:20220216:meet:2a05254, author = {Stephan Simon}, title = {{Meet Kraken: A New Golang Botnet in Development}}, date = {2022-02-16}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/}, language = {English}, urldate = {2022-03-07} } @online{simon:20220222:quick:900a4cd, author = {Stephan Simon}, title = {{Quick Update: Kraken Completes Its Rebrand to Anubis}}, date = {2022-02-22}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/}, language = {English}, urldate = {2022-03-07} } @online{simon:20220630:brief:4a98257, author = {Stephan Simon}, title = {{BRIEF: Raccoon Stealer Version 2.0}}, date = {2022-06-30}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/}, language = {English}, urldate = {2022-07-25} } @online{simon:20240317:carving:6017507, author = {Simon}, title = {{Carving the IcedId - Part 3}}, date = {2024-03-17}, organization = {Technical Evolution}, url = {https://blog.techevo.uk/analysis/binary/2024/03/17/carving-the-icedid-part-3.html}, language = {English}, urldate = {2024-03-19} } @online{simpson:20210208:blocking:c4fb4be, author = {Tom Simpson and Tom Henry and Seb Walla}, title = {{Blocking SolarMarker Backdoor}}, date = {2021-02-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/}, language = {English}, urldate = {2021-02-09} } @online{simpson:20220127:threat:5484b37, author = {Jack Simpson}, title = {{Threat actor of in-Tur-est}}, date = {2022-01-27}, organization = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html}, language = {English}, urldate = {2022-02-01} } @online{sinegubko:20200605:evasion:86c8265, author = {Denis Sinegubko}, title = {{Evasion Tactics in Hybrid Credit Card Skimmers}}, date = {2020-06-05}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html}, language = {English}, urldate = {2020-06-10} } @online{sinegubko:20200722:skimmers:abd9eb9, author = {Denis Sinegubko}, title = {{Skimmers in Images & GitHub Repos}}, date = {2020-07-22}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html}, language = {English}, urldate = {2020-07-30} } @online{sinegubko:20201102:cssjs:e800099, author = {Denis Sinegubko}, title = {{CSS-JS Steganography in Fake Flash Player Update Malware}}, date = {2020-11-02}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html}, language = {English}, urldate = {2020-11-04} } @online{sinegubko:20210202:whitespace:a93d242, author = {Denis Sinegubko}, title = {{Whitespace Steganography Conceals Web Shell in PHP Malware}}, date = {2021-02-02}, organization = {SUCURI}, url = {https://blog.sucuri.net/2021/02/whitespace-steganography-conceals-web-shell-in-php-malware.html}, language = {English}, urldate = {2021-02-04} } @online{sinegubko:20220517:xcart:c6d5fb6, author = {Denis Sinegubko}, title = {{X-Cart Skimmer with DOM-based Obfuscation}}, date = {2022-05-17}, organization = {SUCURI}, url = {https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html}, language = {English}, urldate = {2022-05-20} } @online{sinegubko:20220816:socgholish:2e4f75e, author = {Denis Sinegubko}, title = {{SocGholish: 5+ Years of Massive Website Infections}}, date = {2022-08-16}, organization = {SUCURI}, url = {https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html}, language = {English}, urldate = {2022-08-19} } @online{sinegubko:20240304:40:ee4d9fd, author = {Denis Sinegubko}, title = {{40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager}}, date = {2024-03-04}, organization = {Securi}, url = {https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html}, language = {English}, urldate = {2025-02-18} } @online{sinegubko:20250317:dollyway:203bd8f, author = {Denis Sinegubko}, title = {{DollyWay World Domination: Eight Years of Evolving Website Malware Campaigns}}, date = {2025-03-17}, organization = {GoDaddy}, url = {https://www.godaddy.com/resources/news/dollyway-world-domination}, language = {English}, urldate = {2025-06-20} } @online{sinegubko:20250325:inside:3f58fd4, author = {Denis Sinegubko}, title = {{Inside DollyWay’s C2 Infrastructure: Traffic Direction Systems and the LosPollos Connection}}, date = {2025-03-25}, organization = {GoDaddy}, url = {https://www.godaddy.com/resources/news/dollyway-malware-c2-tds}, language = {English}, urldate = {2025-06-20} } @online{singer:20200403:kinsing:e67c720, author = {Gal Singer}, title = {{Kinsing Malware Attacks Targeting Container Environments}}, date = {2020-04-03}, organization = {Aqua}, url = {https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability}, language = {English}, urldate = {2020-04-13} } @online{singh:20140516:campaign:109ccf9, author = {Param Singh}, title = {{APT Campaign Leverages the Cueisfry Trojan and Microsoft Word Vulnerability CVE-2014-1761}}, date = {2014-05-16}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761}, language = {English}, urldate = {2019-12-17} } @online{singh:20150707:dyre:07242f2, author = {Sudeep Singh and Yu Wang}, title = {{Dyre Banking Trojan Exploits CVE-2015-0057}}, date = {2015-07-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html}, language = {English}, urldate = {2020-06-08} } @online{singh:20160129:malicious:5a930db, author = {Nirmal Singh}, title = {{Malicious Office Files Dropping Kasidet And Dridex}}, date = {2016-01-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex}, language = {English}, urldate = {2020-01-12} } @online{singh:20160522:targeted:5baf70d, author = {Sudeep Singh and Yin Hong Chang}, title = {{Targeted Attacks against Banks in the Middle East}}, date = {2016-05-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html}, language = {English}, urldate = {2019-12-20} } @online{singh:20160916:ispy:c3689fd, author = {Atinderpal Singh}, title = {{iSpy Keylogger}}, date = {2016-09-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/ispy-keylogger}, language = {English}, urldate = {2019-10-23} } @online{singh:20180313:iranian:3542dc9, author = {Sudeep Singh and Dileep Kumar Jallepalli and Yogesh Londhe and Ben Read}, title = {{Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign}}, date = {2018-03-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{singh:20180323:sanny:fa60075, author = {Sudeep Singh and Yijie Sui}, title = {{Sanny malware delivery method updated in recently observed attacks.}}, date = {2018-03-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html}, language = {English}, urldate = {2020-06-08} } @online{singh:20191030:emotet:61821fe, author = {Atinderpal Singh and Abhay Yadav}, title = {{Emotet is back in action after a short break}}, date = {2019-10-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break}, language = {English}, urldate = {2020-07-01} } @online{singh:20200409:trickbot:9db52c2, author = {Atinderpal Singh and Abhay Yadav}, title = {{TrickBot Emerges with a Few New Tricks}}, date = {2020-04-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks}, language = {English}, urldate = {2020-07-01} } @online{singh:20200415:multistage:c0330fa, author = {Sudeep Singh}, title = {{Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult}}, date = {2020-04-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat}, language = {English}, urldate = {2020-06-08} } @online{singh:20200429:compromised:79b3a7d, author = {Sudeep Singh}, title = {{Compromised Wordpress sites used to distribute Adwind RAT}}, date = {2020-04-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat}, language = {English}, urldate = {2020-06-08} } @online{singh:20200511:targeted:9ea90fd, author = {Sudeep Singh}, title = {{Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT}}, date = {2020-05-11}, url = {https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat}, language = {English}, urldate = {2021-06-01} } @online{singh:20200511:targeted:cf94e5a, author = {Sudeep Singh}, title = {{Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT}}, date = {2020-05-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat}, language = {English}, urldate = {2020-05-23} } @online{singh:20200529:shellreset:e80d2c8, author = {Sudeep Singh}, title = {{ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass}}, date = {2020-05-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass}, language = {English}, urldate = {2020-06-05} } @online{singh:20200611:return:3a58e44, author = {Sudeep Singh and Atinderpal Singh}, title = {{The Return of the Higaisa APT}}, date = {2020-06-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/return-higaisa-apt}, language = {English}, urldate = {2020-06-12} } @online{singh:20200619:targeted:05d8d31, author = {Atinderpal Singh and Nirmal Singh and Sahil Antil}, title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}}, date = {2020-06-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims}, language = {English}, urldate = {2020-06-21} } @online{singh:20200717:new:2f385f2, author = {Sudeep Singh and Kaivalya Khursale}, title = {{New Voicemail-Themed Phishing Attacks Use Evasion Techniques and Steal Credentials}}, date = {2020-07-17}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-voicemail-themed-phishing-attacks-use-evasion-techniques-and-steal-credentials}, language = {English}, urldate = {2022-07-01} } @online{singh:20200929:targeted:136d828, author = {Sudeep Singh and Sahil Antil}, title = {{Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east}, language = {English}, urldate = {2020-10-04} } @online{singh:20201027:apt31:6a72298, author = {Sudeep Singh and Sahil Antil}, title = {{APT-31 leverages COVID-19 vaccine theme and abuses legitimate online services}}, date = {2020-10-27}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online-services}, language = {English}, urldate = {2020-10-28} } @online{singh:20210223:return:fed533a, author = {Sudeep Singh and Sahil Antil}, title = {{Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures}}, date = {2021-02-23}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures}, language = {English}, urldate = {2021-02-25} } @online{singh:20210323:lowvolume:8162a16, author = {Sudeep Singh and Sahil Antil}, title = {{Low-volume multi-stage attack leveraging AzureEdge and Shopify CDNs}}, date = {2021-03-23}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/low-volume-multi-stage-attack-leveraging-azureedge-and-shopify-cdns}, language = {English}, urldate = {2021-03-30} } @online{singh:20210423:doppel:1bfd6da, author = {Vikas Singh}, title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}}, date = {2021-04-23}, organization = {Twitter (@vikas891)}, url = {https://twitter.com/vikas891/status/1385306823662587905}, language = {English}, urldate = {2021-05-25} } @online{singh:20210624:demystifying:e2c5464, author = {Sudeep Singh and Sahil Antil}, title = {{Demystifying the full attack chain of MineBridge RAT}}, date = {2021-06-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat}, language = {English}, urldate = {2021-06-29} } @online{singh:20210909:cloudfall:ee21616, author = {Sudeep Singh and Sahil Antil}, title = {{CloudFall Targets Researchers and Scientists Invited to International Military Conferences in Central Asia and Eastern Europe}}, date = {2021-09-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/cloudfall-targets-researchers-and-scientists-invited-international-military}, language = {English}, urldate = {2021-09-12} } @online{singh:20220411:process:fdcdd47, author = {Gurkirat Singh}, title = {{Process Injection using CreateRemoteThread API}}, date = {2022-04-11}, organization = {tbhaxor}, url = {https://tbhaxor.com/createremotethread-process-injection/}, language = {English}, urldate = {2022-04-29} } @online{singh:20220426:naverending:3f4449c, author = {Sudeep Singh and Sahil Antil}, title = {{A "Naver"-ending game of Lazarus APT}}, date = {2022-04-26}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/naver-ending-game-lazarus-apt}, language = {English}, urldate = {2022-07-01} } @online{singh:20220519:vidar:1c68f0e, author = {Sudeep Singh and Santiago Vicente and Brett Stone-Gross}, title = {{Vidar distributed through backdoored Windows 11 downloads and abusing Telegram}}, date = {2022-05-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing}, language = {English}, urldate = {2022-05-25} } @online{singh:20220617:resurgence:736636f, author = {Sudeep Singh and Kaivalya Khursale}, title = {{Resurgence of Voicemail-themed phishing attacks targeting key industry verticals in the US}}, date = {2022-06-17}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/resurgence-voicemail-themed-phishing-attacks-targeting-key-industry}, language = {English}, urldate = {2022-07-01} } @online{singh:20220627:return:a09268a, author = {Sudeep Singh and Sahil Antil}, title = {{Return of the Evilnum APT with updated TTPs and new targets}}, date = {2022-06-27}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets}, language = {English}, urldate = {2022-06-29} } @online{singh:20220801:technical:ab3b0b8, author = {Atinderpal Singh}, title = {{Technical Analysis of Industrial Spy Ransomware}}, date = {2022-08-01}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware}, language = {English}, urldate = {2022-08-02} } @online{singh:20220802:largescale:ae7725e, author = {Sudeep Singh and Jagadeeswar Ramanukolanu}, title = {{Large-Scale AiTM Attack targeting enterprise users of Microsoft email services}}, date = {2022-08-02}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/large-scale-aitm-attack-targeting-enterprise-users-microsoft-email-services}, language = {English}, urldate = {2022-08-08} } @online{singh:20220809:aitm:4092645, author = {Sudeep Singh and Jagadeeswar Ramanukolanu}, title = {{AiTM phishing attack targeting enterprise users of Gmail}}, date = {2022-08-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/aitm-phishing-attack-targeting-enterprise-users-gmail}, language = {English}, urldate = {2022-08-10} } @online{singh:20220901:no:82c1b51, author = {Atinderpal Singh and Brett Stone-Gross}, title = {{No Honor Among Thieves - Prynt Stealer’s Backdoor Exposed}}, date = {2022-09-01}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed}, language = {English}, urldate = {2022-09-07} } @online{singh:20221103:apt36:33403b8, author = {Sudeep Singh}, title = {{APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations}}, date = {2022-11-03}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations}, language = {English}, urldate = {2022-11-12} } @online{singh:20221121:black:9712dce, author = {Sudeep Singh}, title = {{Black Friday Alert: 4 Emerging Skimming Attacks to Watch for This Holiday Season}}, date = {2022-11-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season}, language = {English}, urldate = {2022-11-23} } @online{singh:20230321:unintentional:9d7f138, author = {Sudeep Singh and Naveen Selvan}, title = {{The Unintentional Leak: A glimpse into the attack vectors of APT37}}, date = {2023-03-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37}, language = {English}, urldate = {2023-09-18} } @online{singh:20230830:look:53e0f61, author = {Sudeep Singh and Naveen Selvan}, title = {{A Look Into DuckTail}}, date = {2023-08-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/look-ducktail}, language = {English}, urldate = {2023-11-28} } @online{singh:20230912:peek:6769a87, author = {Sudeep Singh}, title = {{A peek into APT36’s updated arsenal}}, date = {2023-09-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal}, language = {English}, urldate = {2023-09-18} } @online{singh:20230923:bunnyloader:860337a, author = {Satyam Singh and Niraj Shivtarkar}, title = {{BunnyLoader, the newest Malware-as-a-Service}}, date = {2023-09-23}, organization = {Zscaler}, url = {https://www.zscaler.de/blogs/security-research/bunnyloader-newest-malware-service}, language = {English}, urldate = {2024-02-21} } @online{singh:20240227:european:5166e39, author = {Sudeep Singh and Roy Tay}, title = {{European diplomats targeted by SPIKEDWINE with WINELOADER}}, date = {2024-02-27}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader}, language = {English}, urldate = {2024-02-28} } @online{singh:20240302:wineloader:33117d4, author = {Sudeep Singh}, title = {{Tweet on WINELOADER targeting with German embassy themed lure}}, date = {2024-03-02}, organization = {Twitter (@SinghSoodeep)}, url = {https://twitter.com/SinghSoodeep/status/1763808104221737156}, language = {English}, urldate = {2024-03-04} } @online{singh:20240710:dodgebox:73bfc9d, author = {Sudeep Singh and Yin Hong Chang}, title = {{DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1}}, date = {2024-07-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1}, language = {English}, urldate = {2024-09-27} } @online{singh:20240711:moonwalk:b54c3a9, author = {Sudeep Singh and Yin Hong Chang}, title = {{MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2}}, date = {2024-07-11}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2}, language = {English}, urldate = {2024-07-24} } @online{singha:20241024:operation:cacab50, author = {Subhajeet Singha}, title = {{Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan}}, date = {2024-10-24}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/}, language = {English}, urldate = {2024-11-11} } @online{singha:20250121:silent:462763c, author = {Subhajeet Singha}, title = {{Silent Lynx APT Targets Various Entities Across Kyrgyzstan & Neighbouring Nations}}, date = {2025-01-21}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/}, language = {English}, urldate = {2025-02-10} } @online{singha:20250512:unveiling:110a8f8, author = {Subhajeet Singha}, title = {{Unveiling Swan Vector APT Targeting Taiwan and Japan with varied DLL Implants}}, date = {2025-05-12}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/}, language = {English}, urldate = {2025-05-22} } @online{singha:20250606:operation:66a8bde, author = {Subhajeet Singha and Sathwik Ram Prakki}, title = {{Operation DRAGONCLONE: Chinese Telecommunication industry targeted via VELETRIX & VShell malware.}}, date = {2025-06-06}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/}, language = {English}, urldate = {2025-06-13} } @online{singhal:20210315:new:d276fac, author = {Vaibhav Singhal and Ruchna Nigam and Zhibin Zhang and Asher Davila}, title = {{New Mirai Variant Targeting New IoT Vulnerabilities, Including in Network Security Devices}}, date = {2021-03-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/}, language = {English}, urldate = {2021-03-22} } @online{singleton:20210903:dissecting:4d56786, author = {Camille Singleton and Andrew Gorecki and John Dwyer}, title = {{Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight}}, date = {2021-09-03}, organization = {IBM}, url = {https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/}, language = {English}, urldate = {2021-09-09} } @online{sinitsyn:20150714:teslacrypt:9ad5fb1, author = {Fedor Sinitsyn}, title = {{TeslaCrypt 2.0 disguised as CryptoWall}}, date = {2015-07-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/}, language = {English}, urldate = {2019-12-20} } @online{sinitsyn:20160504:petya:4831db9, author = {Fedor Sinitsyn}, title = {{Petya: the two-in-one trojan}}, date = {2016-05-04}, organization = {Kaspersky}, url = {https://securelist.com/petya-the-two-in-one-trojan/74609/}, language = {English}, urldate = {2023-07-26} } @online{sinitsyn:201907:cryptoransomware:02f591e, author = {Fyodor Sinitsyn}, title = {{Crypto-Ransomware: Russian Style. Large-scale Research on Russian Ransomware}}, date = {2019-07}, organization = {HackMag}, url = {https://hackmag.com/security/ransomware-russian-style/}, language = {English}, urldate = {2020-01-08} } @online{sinitsyn:20200731:wastedlocker:2eebe51, author = {Fedor Sinitsyn}, title = {{WastedLocker: technical analysis}}, date = {2020-07-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/wastedlocker-technical-analysis/97944/}, language = {English}, urldate = {2020-08-05} } @online{sinitsyn:20201021:life:5906110, author = {Fedor Sinitsyn and Nikita Galimov and Vladimir Kuskov}, title = {{Life of Maze ransomware}}, date = {2020-10-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/maze-ransomware/99137/}, language = {English}, urldate = {2020-10-23} } @online{sinitsyn:20201106:ransomexx:3ca495c, author = {Fedor Sinitsyn and Vladimir Kuskov}, title = {{RansomEXX Trojan attacks Linux systems}}, date = {2020-11-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/}, language = {English}, urldate = {2020-11-09} } @online{sinitsyn:20210525:evolution:d76aea7, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Evolution of JSWorm ransomware}}, date = {2021-05-25}, organization = {Kaspersky}, url = {https://securelist.com/evolution-of-jsworm-ransomware/102428/}, language = {English}, urldate = {2021-06-16} } @online{sinitsyn:20211007:ransomware:b5e74a3, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Ransomware in the CIS}}, date = {2021-10-07}, organization = {Kaspersky}, url = {https://securelist.com/cis-ransomware/104452/}, language = {English}, urldate = {2021-10-11} } @online{sinitsyn:20221201:crywiper:a9785ec, author = {Fyodor Sinitsyn and Yanis Zinchenko}, title = {{Новый троянец CryWiper прикидывается шифровальщиком}}, date = {2022-12-01}, organization = {Kaspersky}, url = {https://securelist.ru/novyj-troyanec-crywiper/106114/}, language = {Russian}, urldate = {2022-12-06} } @online{sinjari:20230126:welcome:3e0ada1, author = {Govand Sinjari and Andy Morales}, title = {{Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations}}, date = {2023-01-26}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations}, language = {English}, urldate = {2023-01-31} } @online{sioting:20131014:pemofksysa:c97e2f4, author = {Sabrina Lei Sioting}, title = {{PE_MOFKSYS.A}}, date = {2013-10-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/}, language = {English}, urldate = {2021-06-16} } @online{siriurz:20190430:nightmare:bb79862, author = {Twitter (@siri_urz)}, title = {{Nightmare Spam Bot Strings Snapshot}}, date = {2019-04-30}, url = {https://twitter.com/siri_urz/status/1123212324385513472}, language = {English}, urldate = {2019-10-30} } @online{siriurz:20200109:ako:da2a708, author = {Twitter (@siri_urz)}, title = {{Tweet on AKO Ransomware}}, date = {2020-01-09}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1215194488714346496?s=20}, language = {English}, urldate = {2020-05-18} } @online{sisoma2:20210629:vidar:b63dd63, author = {sisoma2}, title = {{Tweet on vidar stealer using Tumblr to obtain dynamic config}}, date = {2021-06-29}, organization = {Twitter (@sisoma2)}, url = {https://twitter.com/sisoma2/status/1409816282065743872}, language = {English}, urldate = {2021-07-02} } @online{sisoma2:20210803:python:1bb11e4, author = {sisoma2}, title = {{Python script for recovering the hashes hardcoded in different samples of the BlackMatter ransomware}}, date = {2021-08-03}, organization = {Twitter (@sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/blackmatter}, language = {English}, urldate = {2021-08-06} } @online{sisoma2:20211221:blackcat:683fa5a, author = {sisoma2}, title = {{BlackCat Ransomware Linux variant}}, date = {2021-12-21}, organization = {Twitter (@sisoma2)}, url = {https://twitter.com/sisoma2/status/1473243875158499330}, language = {English}, urldate = {2022-02-02} } @online{sison:20170328:cerber:cfb6c77, author = {Gilbert Sison}, title = {{Cerber Starts Evading Machine Learning}}, date = {2017-03-28}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/}, language = {English}, urldate = {2019-12-19} } @online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2023-03-27} } @online{sison:20190415:account:6783792, author = {Gilbert Sison and Ryan Maglaque}, title = {{Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec}}, date = {2019-04-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec}, language = {English}, urldate = {2020-01-08} } @online{sison:20210120:xdr:8ea19cc, author = {Gilbert Sison and Abraham Camba and Ryan Maglaque}, title = {{XDR investigation uncovers PlugX, unique technique in APT attack}}, date = {2021-01-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html}, language = {English}, urldate = {2021-01-27} } @techreport{sistemas:20210302:campaa:7faa602, author = {Hispasec Sistemas}, title = {{Campaña Fedex Banker}}, date = {2021-03-02}, institution = {Hispasec}, url = {https://hispasec.com/resources/FedexBanker.pdf}, language = {Spanish}, urldate = {2021-06-29} } @online{sistrunk:20211118:introducing:5f08e41, author = {Chris Sistrunk and Ken Proska and Glen Chason and Daniel Kapellmann}, title = {{Introducing Mandiant's Digital Forensics and Incident Response Framework for Embedded OT Systems}}, date = {2021-11-18}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mandiant-dfir-framework-ot}, language = {English}, urldate = {2021-11-19} } @techreport{sixgill:20170207:proton:ed3b6f0, author = {Sixgill}, title = {{PROTON - A New MAC OS RAT}}, date = {2017-02-07}, institution = {Sixgill}, url = {https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf}, language = {English}, urldate = {2019-12-16} } @online{sjouwerman:20221207:russian:0c12175, author = {Stu Sjouwerman}, title = {{Russian Threat Actor Impersonates Aerospace and Defense Companies}}, date = {2022-12-07}, organization = {KnowBe4}, url = {https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies}, language = {English}, urldate = {2023-01-03} } @online{skelton:20220209:dragos:89d2a68, author = {Anna Skelton}, title = {{Dragos ICS/OT Ransomware Analysis: Q4 2021}}, date = {2022-02-09}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/}, language = {English}, urldate = {2022-02-14} } @online{skii:20230109:huskloader:0ca3742, author = {SKII}, title = {{Tweet on HuskLoader}}, date = {2023-01-09}, organization = {Twitter (@SethKingHi)}, url = {https://twitter.com/SethKingHi/status/1612377098777133057}, language = {English}, urldate = {2023-04-28} } @online{skille:20210617:for:6450508, author = {Øyvind Bye Skille and Tormod Strand and Espen Kjendlie}, title = {{For the first time, PST says that China (APT31) is behind a computer attack}}, date = {2021-06-17}, organization = {nrk}, url = {https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601}, language = {Norwegian}, urldate = {2021-06-24} } @online{skulkin:20200514:attcking:6b770ce, author = {Oleg Skulkin}, title = {{ATT&CKing ProLock Ransomware}}, date = {2020-05-14}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock}, language = {English}, urldate = {2020-05-18} } @online{skulkin:20200824:cybercriminal:f1959f3, author = {Oleg Skulkin}, title = {{Cybercriminal greeners from Iran attack companies worldwide for financial gain}}, date = {2020-08-24}, organization = {Group-IB}, url = {https://www.group-ib.com/media/iran-cybercriminals/}, language = {English}, urldate = {2020-08-25} } @online{skulkin:20200910:lock:a6f630a, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting}}, date = {2020-09-10}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock_evolution}, language = {English}, urldate = {2020-09-15} } @online{skulkin:20201120:locking:cdb06cf, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{The Locking Egregor}}, date = {2020-11-20}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/egregor}, language = {English}, urldate = {2020-11-23} } @techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } @online{skulkin:20210507:connecting:49c0b13, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Connecting the Bots Hancitor fuels Cuba Ransomware Operations}}, date = {2021-05-07}, organization = {Group-IB}, url = {https://blog.group-ib.com/hancitor-cuba-ransomware}, language = {English}, urldate = {2021-05-08} } @online{skulkin:20210630:revil:63bb524, author = {Oleg Skulkin}, title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}}, date = {2021-06-30}, organization = {Group-IB}, url = {https://blog.group-ib.com/REvil_RaaS}, language = {English}, urldate = {2021-07-02} } @online{skulkin:20230613:core:99453f6, author = {Oleg Skulkin}, title = {{Core Werewolf targets the defense industry and critical infrastructure}}, date = {2023-06-13}, organization = {Medium BI.ZONE}, url = {https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/}, language = {English}, urldate = {2024-10-17} } @online{skulkin:20230628:red:8e17932, author = {Oleg Skulkin}, title = {{Red Wolf is back to spy on commercial firms Red Wolf is back to spy on commercial firms}}, date = {2023-06-28}, organization = {BI. ZONE Cyber Threats Research Team}, url = {https://bi.zone/eng/expertise/blog/red-wolf-vnov-shpionit-za-kommercheskimi-organizatsiyami/}, language = {English}, urldate = {2023-10-17} } @techreport{skuratovich:20150515:matsnu:850c41f, author = {Stanislav Skuratovich}, title = {{MATSNU}}, date = {2015-05-15}, institution = {Check Point}, url = {https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf}, language = {English}, urldate = {2020-01-05} } @techreport{skuratovich:201510:digging:7c4fa84, author = {Stanislav Skuratovich and Aliaksandr Trafimchuk}, title = {{Digging for Groundhogs: Holes in your Linux server}}, date = {2015-10}, institution = {Check Point}, url = {https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{skuratovich:201605:looking:0c23f31, author = {Stanislav Skuratovich}, title = {{Looking into Teslacrypt}}, date = {2016-05}, institution = {Check Point}, url = {https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf}, language = {English}, urldate = {2019-12-06} } @online{skuratovich:201712:nine:f4ecc23, author = {Stanislav Skuratovich and Neomi Rona}, title = {{Nine circles of Cerber}}, date = {2017-12}, organization = {Check Point}, url = {https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/}, language = {English}, urldate = {2019-11-26} } @online{sl4id3r:201606:form:53a7823, author = {SL4ID3R}, title = {{Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world}}, date = {2016-06}, organization = {Safety First Blog}, url = {http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html}, language = {English}, urldate = {2019-11-26} } @online{slaney:20220310:securityscorecard:0c7f973, author = {Ryan Slaney}, title = {{SecurityScorecard Discovers new botnet, ‘Zhadnost,’ responsible for Ukraine DDoS attacks}}, date = {2022-03-10}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/securityscorecard-discovers-new-botnet-zhadnost-responsible-for-ukraine-ddos-attacks}, language = {English}, urldate = {2022-03-14} } @online{slaney:20220413:zhadnost:b343e44, author = {Ryan Slaney}, title = {{Zhadnost strikes again… this time in Finland.}}, date = {2022-04-13}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/zhadnost-strikes-again-this-time-in-finland}, language = {English}, urldate = {2022-09-19} } @online{slaney:20220831:analysis:f23a3ce, author = {Ryan Slaney and Robert Ames and Alex Heid}, title = {{Analysis of APT35 Infrastructure Reveals Interest in Egyptian Shipping Companies}}, date = {2022-08-31}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/analysis-of-apt35-infrastructure-reveals-interest-in-egyptian-shipping-companies}, language = {English}, urldate = {2022-09-04} } @online{slater:20210719:spyware:b4481e9, author = {Joanna Slater and Niha Masih}, title = {{The spyware is sold to governments to fight terrorism. In India, it was used to hack journalists and others.}}, date = {2021-07-19}, organization = {Washington Post}, url = {https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/}, language = {English}, urldate = {2021-07-21} } @online{slaughter:20220120:new:7cef736, author = {James Slaughter}, title = {{New STRRAT RAT Phishing Campaign}}, date = {2022-01-20}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign}, language = {English}, urldate = {2022-11-21} } @online{slaughter:20220307:fake:8999835, author = {James Slaughter and Fred Gutierrez and Val Saengphaibul}, title = {{Fake Purchase Order Used to Deliver Agent Tesla}}, date = {2022-03-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla}, language = {English}, urldate = {2022-03-08} } @online{slaughter:20220328:spoofed:0cd6f0e, author = {James Slaughter and Val Saengphaibul and Fred Gutierrez}, title = {{Spoofed Invoice Used to Drop IcedID}}, date = {2022-03-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id}, language = {English}, urldate = {2022-03-31} } @online{slaughter:20220712:spoofed:5c3ce2f, author = {James Slaughter}, title = {{Spoofed Saudi Purchase Order Drops GuLoader – Part 2}}, date = {2022-07-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two}, language = {English}, urldate = {2022-07-15} } @online{slaughter:20220808:life:5db63b6, author = {James Slaughter}, title = {{Life After Death - SmokeLoader Continues to Haunt Using Old Vulnerabilities}}, date = {2022-08-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities}, language = {English}, urldate = {2023-09-18} } @online{slepogin:20170525:dridex:90a70d9, author = {Nikita Slepogin}, title = {{Dridex: A History of Evolution}}, date = {2017-05-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/}, language = {English}, urldate = {2022-08-31} } @techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } @techreport{slowik:202003:spyware:412ef8a, author = {Joe Slowik}, title = {{Spyware Stealer Locker Wiper Locker Goga Revisited}}, date = {2020-03}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf}, language = {English}, urldate = {2020-03-18} } @online{slowik:20200528:silos:3527589, author = {Joe Slowik}, title = {{Silos of Excellence}}, date = {2020-05-28}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2020/05/28/silos-of-excellence/}, language = {English}, urldate = {2020-05-29} } @online{slowik:20200618:ekans:e768da1, author = {Joe Slowik}, title = {{EKANS Ransomware Misconceptions and Misunderstandings}}, date = {2020-06-18}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/}, language = {English}, urldate = {2020-06-19} } @online{slowik:20200923:understanding:47cffee, author = {Joe Slowik}, title = {{Understanding Uncertainty while Undermining Democracy}}, date = {2020-09-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2020/09/23/understanding-uncertainty-while-undermining-democracy/}, language = {English}, urldate = {2020-09-24} } @online{slowik:20201104:enigmatic:c2d7b4e, author = {Joe Slowik}, title = {{The Enigmatic Energetic Bear}}, date = {2020-11-04}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/}, language = {English}, urldate = {2020-11-06} } @online{slowik:20201111:extrapolating:8998b55, author = {Joe Slowik}, title = {{Extrapolating Adversary Intent Through Infrastructure}}, date = {2020-11-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/extrapolating-adversary-intent-through-infrastructure}, language = {English}, urldate = {2020-11-19} } @online{slowik:20201118:analyzing:abccd43, author = {Joe Slowik}, title = {{Analyzing Network Infrastructure as Composite Objects}}, date = {2020-11-18}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects}, language = {English}, urldate = {2020-11-19} } @online{slowik:20201120:current:f9956c6, author = {Joe Slowik and Black Lotus Labs and Lumen}, title = {{Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity}}, date = {2020-11-20}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify}, language = {English}, urldate = {2020-11-23} } @online{slowik:20201202:identifying:8ac64c3, author = {Joe Slowik}, title = {{Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign}}, date = {2020-12-02}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign}, language = {English}, urldate = {2020-12-08} } @online{slowik:20201208:identifying:0182ebe, author = {Joe Slowik}, title = {{Identifying Critical Infrastructure Targeting through Network Creation}}, date = {2020-12-08}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/identifying-critical-infrastructure-targeting-through-network-creation}, language = {English}, urldate = {2020-12-10} } @online{slowik:20201210:terrorism:2f0bd74, author = {Joe Slowik}, title = {{Terrorism or Information Operation?}}, date = {2020-12-10}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2020/12/10/terrorism-or-information-operation/}, language = {English}, urldate = {2020-12-23} } @online{slowik:20201214:unraveling:d212099, author = {Joe Slowik}, title = {{Unraveling Network Infrastructure Linked to the SolarWinds Hack}}, date = {2020-12-14}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack}, language = {English}, urldate = {2020-12-15} } @online{slowik:20201218:continuous:71ffa78, author = {Joe Slowik}, title = {{Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident}}, date = {2020-12-18}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident}, language = {English}, urldate = {2020-12-18} } @online{slowik:20201223:mindmap:3aad3e1, author = {Joe Slowik}, title = {{Mindmap on Russia-linked threat groups}}, date = {2020-12-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/wp-content/uploads/2020/12/wp-1608784569812.jpg}, language = {English}, urldate = {2020-12-26} } @online{slowik:20210106:holiday:6ef0c9d, author = {Joe Slowik}, title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}}, date = {2021-01-06}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident}, language = {English}, urldate = {2021-01-10} } @online{slowik:20210114:devils:ce9d4c8, author = {Joe Slowik}, title = {{The Devil’s in the Details: SUNBURST Attribution}}, date = {2021-01-14}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution}, language = {English}, urldate = {2021-01-18} } @online{slowik:20210122:change:ed52aef, author = {Joe Slowik}, title = {{Change in Perspective on the Utility of SUNBURST-related Network Indicators}}, date = {2021-01-22}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#}, language = {English}, urldate = {2021-01-25} } @online{slowik:20210209:water:3c0d3e2, author = {Joe Slowik}, title = {{Water, Water Everywhere – But Nary a Hacker to Blame}}, date = {2021-02-09}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2021/02/09/water-water-everywhere-but-nary-a-hacker-to-blame/}, language = {English}, urldate = {2021-02-20} } @online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } @online{slowik:20210225:continuous:34f997e, author = {Joe Slowik}, title = {{The Continuous Conundrum of Cloud Atlas}}, date = {2021-02-25}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas}, language = {English}, urldate = {2021-02-25} } @online{slowik:20210303:centreon:f590f6e, author = {Joe Slowik}, title = {{Centreon to Exim and Back: On the Trail of Sandworm}}, date = {2021-03-03}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm}, language = {English}, urldate = {2021-03-06} } @online{slowik:20210310:examining:e3eee78, author = {Joe Slowik}, title = {{Examining Exchange Exploitation and its Lessons for Defenders}}, date = {2021-03-10}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders}, language = {English}, urldate = {2021-03-12} } @online{slowik:20210401:covid19:6a96e45, author = {Joe Slowik}, title = {{COVID-19 Phishing With a Side of Cobalt Strike}}, date = {2021-04-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#}, language = {English}, urldate = {2021-04-06} } @online{slowik:20210422:undersea:b41a1d6, author = {Joe Slowik}, title = {{An Undersea Royal Road: Exploring Malicious Documents and Associated Malware}}, date = {2021-04-22}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/an-undersea-royal-road-exploring-malicious-documents-and-associated-malware}, language = {English}, urldate = {2021-04-28} } @online{slowik:20210429:leaping:b1c6f2f, author = {Joe Slowik}, title = {{Leaping Down a Rabbit Hole of Fraud and Misdirection}}, date = {2021-04-29}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/leaping-down-a-rabbit-hole-of-fraud-and-misdirection}, language = {English}, urldate = {2021-05-03} } @online{slowik:20210513:mind:66194c8, author = {Joe Slowik}, title = {{Mind the (Air) Gap}}, date = {2021-05-13}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2021/05/13/mind-the-air-gap/}, language = {English}, urldate = {2021-05-17} } @online{slowik:20210517:tracking:060c759, author = {Joe Slowik}, title = {{Tracking DarkSide and Ransomware: The Network View}}, date = {2021-05-17}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/}, language = {English}, urldate = {2021-05-17} } @online{slowik:20210617:hold:dc6ce6d, author = {Joe Slowik}, title = {{Hold the Door: Examining Exfiltration Activity and Applying Countermeasures}}, date = {2021-06-17}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/06/17/hold-the-door-examining-exfiltration-activity-and-applying-countermeasures}, language = {English}, urldate = {2021-06-22} } @techreport{slowik:20210624:baffling:d37b293, author = {Joe Slowik}, title = {{The Baffling Berserk Bear: A Decade's Activity targeting Critical Infrastructure}}, date = {2021-06-24}, institution = {Gigamon}, url = {https://vblocalhost.com/uploads/VB2021-Slowik.pdf}, language = {English}, urldate = {2021-10-26} } @online{slowik:20210708:observations:21f913b, author = {Joe Slowik}, title = {{Observations and Recommendations from the Ongoing REvil-Kaseya Incident}}, date = {2021-07-08}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/}, language = {English}, urldate = {2021-07-12} } @online{slowik:20210727:ghosts:af3dc18, author = {Joe Slowik}, title = {{Ghosts on the Wire: Expanding Conceptions of Network Anomalies}}, date = {2021-07-27}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/}, language = {English}, urldate = {2021-08-02} } @online{slowik:20210909:spectrum:0b31314, author = {Joe Slowik}, title = {{A Spectrum of State Ransomware Responsibility}}, date = {2021-09-09}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2021/09/09/a-spectrum-of-state-ransomware-responsibility/}, language = {English}, urldate = {2021-09-28} } @online{slowik:20210910:rendering:59082b0, author = {Joe Slowik}, title = {{Rendering Threats: A Network Perspective}}, date = {2021-09-10}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/}, language = {English}, urldate = {2023-04-06} } @online{slowik:20211025:bear:ea7ac23, author = {Joe Slowik}, title = {{Bear in the Net: A Network-Focused Perspective on Berserk Bear}}, date = {2021-10-25}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/10/25/bear-in-the-net-a-network-focused-perspective-on-berserk-bear/}, language = {English}, urldate = {2022-02-10} } @online{slowik:20211214:network:0d17ac7, author = {Joe Slowik}, title = {{Network Security Monitoring Opportunities and Best Practices for Log4j Defense}}, date = {2021-12-14}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/12/14/network-security-monitoring-opportunities-and-best-practices-for-log4j-defense/}, language = {English}, urldate = {2022-02-10} } @online{slowik:20211221:log:c950f86, author = {Joe Slowik}, title = {{The Log Keeps Rolling On: Evaluating Log4j Developments and Defensive Requirements}}, date = {2021-12-21}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/12/21/the-log-keeps-rolling-on-evaluating-log4j-developments-and-defensive-requirements/}, language = {English}, urldate = {2022-02-10} } @online{slowik:20211230:lights:65d52c9, author = {Joe Slowik}, title = {{Lights Out in Isfahan}}, date = {2021-12-30}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2021/12/30/lights-out-in-isfahan/}, language = {English}, urldate = {2022-01-25} } @techreport{slowik:2021:conceptualizing:3cdf067, author = {Joe Slowik}, title = {{Conceptualizing a Continuum of Cyber Threat Attribution}}, date = {2021}, institution = {DomainTools}, url = {https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf}, language = {English}, urldate = {2021-11-02} } @online{slowik:20220127:focusing:5b47208, author = {Joe Slowik}, title = {{Focusing on “Left of Boom”}}, date = {2022-01-27}, organization = {Gigamon}, url = {https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/}, language = {English}, urldate = {2022-02-02} } @online{slowik:20220423:industroyer2:c8064df, author = {Joe Slowik}, title = {{Industroyer2 in Perspective}}, date = {2022-04-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2022/04/23/industroyer2-in-perspective/}, language = {English}, urldate = {2022-04-25} } @online{slowik:20221123:detailing:3a1ddea, author = {Joe Slowik}, title = {{Detailing Daily Domain Hunting}}, date = {2022-11-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2022/11/23/detailing-daily-domain-hunting/}, language = {English}, urldate = {2022-11-25} } @online{slowik:20230208:investigating:4b8fbaf, author = {Joe Slowik and Matt Anderson}, title = {{Investigating Intrusions From Intriguing Exploits}}, date = {2023-02-08}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits}, language = {English}, urldate = {2023-04-06} } @online{slowmist:20250224:cryptocurrency:df63b73, author = {SlowMist}, title = {{Cryptocurrency APT Intelligence: Unveiling Lazarus Group’s Intrusion Techniques}}, date = {2025-02-24}, organization = {Medium SlowMist}, url = {https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34}, language = {English}, urldate = {2025-02-25} } @online{small:20221130:identifying:ed7c4b3, author = {Scott Small}, title = {{Identifying and Defending Against QakBot's Evolving TTPs}}, date = {2022-11-30}, organization = {Tidal Cyber Inc.}, url = {https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps}, language = {English}, urldate = {2022-12-02} } @online{smalley:20220307:ransomware:bfdda67, author = {Suzanne Smalley}, title = {{Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say}}, date = {2022-03-07}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/}, language = {English}, urldate = {2022-03-10} } @online{smallridge:20180310:apt15:e5e7ef0, author = {Rob Smallridge}, title = {{APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS}}, date = {2018-03-10}, organization = {NCC Group}, url = {https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/}, language = {English}, urldate = {2021-04-29} } @online{smb01:20161028:zxshell:e4d3a5e, author = {smb01}, title = {{zxshell repository}}, date = {2016-10-28}, organization = {Github (smb01)}, url = {https://github.com/smb01/zxshell}, language = {English}, urldate = {2020-01-07} } @online{smeets:20210310:publicly:8fbdf71, author = {Max Smeets and Florian J. Egloff}, title = {{Publicly attributing cyber attacks: a framework}}, date = {2021-03-10}, organization = {Center for Security Studies (CSS)}, url = {https://www.tandfonline.com/doi/pdf/10.1080/01402390.2021.1895117}, language = {English}, urldate = {2021-03-22} } @online{smiley:20200324:exploring:3a3c04b, author = {Wes Smiley}, title = {{Exploring Agent Tesla Infrastructure}}, date = {2020-03-24}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/6337984e}, language = {English}, urldate = {2021-04-09} } @online{smilyanets:20201117:ukraines:dad21ba, author = {Dmitry Smilyanets}, title = {{Ukraine’s Top Cyber Cop on Defending Against Disinformation and Russian Hackers}}, date = {2020-11-17}, organization = {The Record}, url = {https://therecord.media/ukraines-top-cyber-cop-on-defending-against-disinformation-and-russian-hackers/}, language = {English}, urldate = {2020-11-19} } @online{smilyanets:20210105:i:a54474f, author = {Dmitry Smilyanets}, title = {{‘I Was Running Two Parallel Lives’: An Ex-Secret Service Agent Opens Up About Going Undercover To Catch Cybercriminals}}, date = {2021-01-05}, organization = {The Record}, url = {https://therecord.media/i-was-running-two-parallel-lives-an-ex-secret-service-agent-opens-up-about-going-undercover-to-catch-cybercriminals/}, language = {English}, urldate = {2021-05-17} } @online{smilyanets:20210316:i:cf06d4f, author = {Dmitry Smilyanets}, title = {{‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown}}, date = {2021-03-16}, organization = {The Record}, url = {https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/}, language = {English}, urldate = {2021-03-19} } @online{smilyanets:20210427:how:257b366, author = {Dmitry Smilyanets}, title = {{How law enforcement can stay a step ahead of hackers}}, date = {2021-04-27}, organization = {The Record}, url = {https://therecord.media/how-law-enforcement-can-stay-a-step-ahead-of-hackers/}, language = {English}, urldate = {2021-05-03} } @online{smilyanets:20210802:interview:b42389c, author = {Dmitry Smilyanets}, title = {{An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil}}, date = {2021-08-02}, organization = {The Record}, url = {https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/}, language = {English}, urldate = {2021-08-03} } @online{smith:20170811:apt28:a39510a, author = {Lindsay Smith and Ben Read}, title = {{APT28 Targets Hospitality Sector, Presents Threat to Travelers}}, date = {2017-08-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html}, language = {English}, urldate = {2019-12-20} } @online{smith:20180820:we:2a387d2, author = {Brad Smith}, title = {{We are taking new steps against broadening threats to democracy}}, date = {2018-08-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/}, language = {English}, urldate = {2020-01-06} } @online{smith:20190206:threat:4f138dc, author = {Peyton Smith and Tim Parisi}, title = {{Threat Actor "Magecart": Coming to an eCommerce Store Near You}}, date = {2019-02-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/}, language = {English}, urldate = {2019-12-20} } @online{smith:20190627:tracking:747ae87, author = {Casey Smith and Michael Haag}, title = {{Tracking driver inventory to unearth rootkits}}, date = {2019-06-27}, organization = {Red Canary}, url = {https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/}, language = {English}, urldate = {2021-09-20} } @online{smith:20190826:memory:c4cea9b, author = {Josiah Smith}, title = {{Memory Analysis of TrickBot}}, date = {2019-08-26}, organization = {InQuest}, url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis}, language = {English}, urldate = {2020-01-10} } @online{smith:20201217:moment:cd1089e, author = {Brad Smith}, title = {{A moment of reckoning: the need for a strong and global cybersecurity response}}, date = {2020-12-17}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/}, language = {English}, urldate = {2020-12-18} } @online{smith:20210304:new:53f1d8d, author = {Lindsay Smith and Jonathan Leathery and Ben Read}, title = {{New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452}}, date = {2021-03-04}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html}, language = {English}, urldate = {2021-03-06} } @online{smith:20210608:another:8ed0192, author = {Heather Smith and Hanno Heinrichs}, title = {{Another Brick in the Wall: eCrime Groups Leverage SonicWall VPN Vulnerability}}, date = {2021-06-08}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/}, language = {English}, urldate = {2021-06-09} } @online{smith:20220210:380glowspark:6e3a6c6, author = {Josiah Smith}, title = {{+380-GlowSpark}}, date = {2022-02-10}, organization = {InQuest}, url = {https://inquest.net/blog/2022/02/10/380-glowspark}, language = {English}, urldate = {2022-02-17} } @online{smith:20221212:north:cceded4, author = {Josh Smith}, title = {{North Korean cyber spies deploy new tactic: tricking foreign experts into writing research for them}}, date = {2022-12-12}, organization = {Reuters}, url = {https://www.reuters.com/world/asia-pacific/north-korean-cyber-spies-deploy-new-tactic-tricking-foreign-experts-into-writing-2022-12-12/}, language = {English}, urldate = {2022-12-13} } @online{smolr:20201112:hungry:f376679, author = {Martin Smolár}, title = {{Hungry for data, ModPipe backdoor hits POS software used in hospitality sector}}, date = {2020-11-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/}, language = {English}, urldate = {2020-11-18} } @online{smolr:20211005:uefi:eacd169, author = {Martin Smolár and Anton Cherepanov}, title = {{UEFI threats moving to the ESP: Introducing ESPecter bootkit}}, date = {2021-10-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/}, language = {English}, urldate = {2021-10-24} } @online{smolr:20230301:blacklotus:5ce99dc, author = {Martin Smolár}, title = {{BlackLotus UEFI bootkit: Myth confirmed}}, date = {2023-03-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/}, language = {English}, urldate = {2023-03-04} } @online{smolr:20241127:bootkitty:29e3a7e, author = {Martin Smolár and Peter Strýček}, title = {{Bootkitty: Analyzing the first UEFI bootkit for Linux}}, date = {2024-11-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/}, language = {English}, urldate = {2024-12-09} } @online{smx:20240330:gist:69fbcc5, author = {smx}, title = {{Gist with XZ Backdoor analysis}}, date = {2024-03-30}, organization = {Github (smx-smx)}, url = {https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504}, language = {English}, urldate = {2024-04-02} } @online{snape:20210417:inside:2c3ae5c, author = {Joel Snape and Nettitude}, title = {{Inside IcedID: Anatomy Of An Infostealer}}, date = {2021-04-17}, organization = {YouTube (Worcester DEFCON Group)}, url = {https://www.youtube.com/watch?v=YEqLIR6hfOM}, language = {English}, urldate = {2021-04-20} } @online{sneakymonkey:20191029:trickbot:bd7249c, author = {SneakyMonkey}, title = {{TRICKBOT - Analysis Part II}}, date = {2019-10-29}, organization = {SneakyMonkey Blog}, url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/}, language = {English}, urldate = {2019-12-17} } @online{snegirev:20220627:attacks:100c151, author = {Artem Snegirev and Kirill Kruglov}, title = {{Attacks on industrial control systems using ShadowPad}}, date = {2022-06-27}, organization = {Kaspersky ICS CERT}, url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/}, language = {English}, urldate = {2022-06-29} } @online{snijders:2022:investigating:780a051, author = {Brecht Snijders}, title = {{Investigating a Monero Coin Miner}}, date = {2022}, organization = {Triskele Labs}, url = {https://www.triskelelabs.com/investigating-monero-coin-miner}, language = {English}, urldate = {2022-08-31} } @online{snort:20140923:malwarecnc:62903a0, author = {Snort}, title = {{MALWARE-CNC Win.Trojan.Aytoke variant outbound connection}}, date = {2014-09-23}, organization = {Snort}, url = {https://snort.org/rule_docs/1-34217}, language = {English}, urldate = {2021-09-19} } @online{snort:2019:sid:6918cac, author = {Snort}, title = {{Sid 1-26941 (PipCreat RAT)}}, date = {2019}, organization = {Snort}, url = {https://www.snort.org/rule_docs/1-26941}, language = {English}, urldate = {2020-01-07} } @online{snow:20170922:nransom:28b3829, author = {John Snow}, title = {{NRansom: Ransomware that demands your nudes}}, date = {2017-09-22}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/}, language = {English}, urldate = {2019-12-02} } @online{snyder:20230628:8base:6caf8b6, author = {Deborah Snyder and Fae Carlisle and Dana Behling and Bria Beathley}, title = {{8Base Ransomware: A Heavy Hitting Player}}, date = {2023-06-28}, organization = {vmware}, url = {https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html}, language = {English}, urldate = {2023-08-03} } @online{so:20140828:bifrose:e63b72a, author = {Christopher Daniel So}, title = {{BIFROSE Now More Evasive Through Tor, Used for Targeted Attack}}, date = {2014-08-28}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/}, language = {English}, urldate = {2021-01-27} } @online{so:20221220:raspberry:3d29aad, author = {Christopher Daniel So}, title = {{Raspberry Robin Malware Targets Telecom, Governments}}, date = {2022-12-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html}, language = {English}, urldate = {2023-03-13} } @online{so:20240402:earth:99bb1f7, author = {Christopher So}, title = {{Earth Freybug Uses UNAPIMON for Unhooking Critical APIs}}, date = {2024-04-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html}, language = {English}, urldate = {2024-04-04} } @online{soares:20220720:analyzing:8753d99, author = {Joelson Soares and Buddy Tancio and Erika Mendoza and Jessie Prevost and Nusrath Iqra}, title = {{Analyzing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data}}, date = {2022-07-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/analyzing-penetration-testing-tools-that-threat-actors-use-to-br.html}, language = {English}, urldate = {2022-07-25} } @online{sobczak:20190307:inside:9bae24e, author = {Blake Sobczak}, title = {{The inside story of the world's most dangerous malware}}, date = {2019-03-07}, organization = {E&E News}, url = {https://www.eenews.net/stories/1060123327/}, language = {English}, urldate = {2020-04-07} } @online{socfortress:20220220:detecting:5d28c28, author = {SOCFortress}, title = {{Detecting Cobalt Strike Beacons}}, date = {2022-02-20}, organization = {Medium SOCFortress}, url = {https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654}, language = {English}, urldate = {2022-02-26} } @online{socket:20250404:lazarus:8a0802e, author = {Socket}, title = {{Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads}}, date = {2025-04-04}, organization = {Socket}, url = {https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket}, language = {English}, urldate = {2025-04-09} } @online{socket:20250624:another:4bbff92, author = {Socket}, title = {{Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages}}, date = {2025-06-24}, organization = {Socket}, url = {https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages}, language = {English}, urldate = {2025-06-27} } @online{socradar:20220225:what:4bcc0aa, author = {SOCRadar}, title = {{What You Need to Know About Russian Cyber Escalation in Ukraine}}, date = {2022-02-25}, organization = {SOCRadar}, url = {https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/}, language = {English}, urldate = {2022-03-01} } @online{socradar:20220406:lockbit:1908458, author = {SOCRadar}, title = {{Lockbit 3.0: Another Upgrade to World’s Most Active Ransomware}}, date = {2022-04-06}, organization = {SOCRadar}, url = {https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/}, language = {English}, urldate = {2022-10-06} } @online{socradar:20220707:brute:fd80023, author = {SOCRadar}, title = {{Brute Ratel Utilized By Threat Actors In New Ransomware Operations}}, date = {2022-07-07}, organization = {SOCRadar}, url = {https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/}, language = {English}, urldate = {2022-10-19} } @online{socradar:20220728:threats:c05fb69, author = {SOCRadar}, title = {{Threats of Commercialized Malware: Knotweed}}, date = {2022-07-28}, organization = {SOCRadar}, url = {https://socradar.io/threats-of-commercialized-malware-knotweed/}, language = {English}, urldate = {2024-02-08} } @online{socradar:20220808:linux:8dc561a, author = {SOCRadar}, title = {{Linux Malware RapperBot Brute Forcing SSH Servers}}, date = {2022-08-08}, organization = {SOCRadar}, url = {https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/}, language = {English}, urldate = {2023-01-19} } @online{socradar:20221006:new:70756cc, author = {SOCRadar}, title = {{New Spyware RatMilad Targets Middle Eastern Mobile Devices}}, date = {2022-10-06}, organization = {SOCRadar}, url = {https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices}, language = {English}, urldate = {2022-11-09} } @online{socradar:20221212:dark:1292f76, author = {SOCRadar}, title = {{Dark Web Profile: APT42 – Iranian Cyber Espionage Group}}, date = {2022-12-12}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/}, language = {English}, urldate = {2023-11-17} } @online{socradar:20221216:dark:46fffc4, author = {SOCRadar}, title = {{Dark Web Profile: Killnet – Russian Hacktivist Group}}, date = {2022-12-16}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/}, language = {English}, urldate = {2023-11-17} } @online{socradar:20230109:dark:c166fac, author = {SOCRadar}, title = {{Dark Web Profile: Royal Ransomware}}, date = {2023-01-09}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-royal-ransomware/}, language = {English}, urldate = {2023-01-16} } @online{socradar:20230504:sandworm:da4d4f4, author = {SOCRadar}, title = {{Sandworm Attackers Use WinRAR to Wipe Data from Government Devices}}, date = {2023-05-04}, organization = {SOCRadar}, url = {https://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/}, language = {English}, urldate = {2023-07-20} } @online{socradar:20230620:cyber:5a6d791, author = {SOCRadar}, title = {{Cyber Shadows Pact: Darknet Parliament (KillNet, Anonymous Sudan, REvil)}}, date = {2023-06-20}, organization = {SOCRadar}, url = {https://socradar.io/cyber-shadows-pact-darknet-parliament-killnet-anonymous-sudan-revil/}, language = {English}, urldate = {2023-11-27} } @online{socradar:20230727:dark:9caceaf, author = {SOCRadar}, title = {{Dark Web Profile: 8Base Ransomware}}, date = {2023-07-27}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-8base-ransomware/}, language = {English}, urldate = {2023-08-01} } @online{socradar:20230821:horizon:292ff6a, author = {SOCRadar}, title = {{On the Horizon: Ransomed.vc Ransomware Group Spotted in the Wild}}, date = {2023-08-21}, organization = {SOCRadar}, url = {https://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/}, language = {English}, urldate = {2023-12-04} } @online{socradar:20230920:unmasking:e23ecf6, author = {SOCRadar}, title = {{Unmasking USDoD: The Enigma of the Cyber Realm}}, date = {2023-09-20}, organization = {SOCRadar}, url = {https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/}, language = {English}, urldate = {2023-12-04} } @online{socradar:20231009:reflections:84fb08c, author = {SOCRadar}, title = {{Reflections of the Israel-Palestine Conflict on the Cyber World}}, date = {2023-10-09}, organization = {SOCRadar}, url = {https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/}, language = {English}, urldate = {2024-12-11} } @online{socradar:20231017:dark:e92372e, author = {SOCRadar}, title = {{Dark Peep #2: War and a Piece of Hilarity}}, date = {2023-10-17}, organization = {SOCRadar}, url = {https://socradar.io/dark-peep-2-war-and-a-piece-of-hilarity/}, language = {English}, urldate = {2023-11-27} } @online{socradar:20231018:threat:84b7021, author = {SOCRadar}, title = {{Threat Actor Profile: SiegedSec}}, date = {2023-10-18}, organization = {SOCRadar}, url = {https://socradar.io/threat-actor-profile-siegedsec/}, language = {English}, urldate = {2023-12-04} } @online{socradar:20231103:five:68097e0, author = {SOCRadar}, title = {{The Five Families: Hacker Collaboration Redefining the Game}}, date = {2023-11-03}, organization = {SOCRadar}, url = {https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/}, language = {English}, urldate = {2023-12-04} } @online{socradar:20231107:new:70a6ba7, author = {SOCRadar}, title = {{New Gootloader Variant “GootBot” Changes the Game in Malware Tactics}}, date = {2023-11-07}, organization = {SOCRadar}, url = {https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/}, language = {English}, urldate = {2023-11-27} } @online{socradar:20231222:dark:e148848, author = {SOCRadar}, title = {{Dark Peep #7: Shadows of Betrayal and Leadership in Flux}}, date = {2023-12-22}, organization = {SOCRadar}, url = {https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/}, language = {English}, urldate = {2024-10-18} } @online{socradar:20240108:mastercard:d07f6e1, author = {SOCRadar}, title = {{Mastercard Data Leak, New Fully Undetectable Ransomware, Elusive Stealer Source Code Leak, and More}}, date = {2024-01-08}, organization = {SOCRadar}, url = {https://socradar.io/mastercard-data-leak-new-fully-undetectable-ransomware-elusive-stealer-source-code-leak-and-more/}, language = {English}, urldate = {2024-11-15} } @online{socradar:20240126:russian:cb82195, author = {SOCRadar}, title = {{Russian APT Operation: Star Blizzard}}, date = {2024-01-26}, organization = {SOCRadar}, url = {https://socradar.io/russian-apt-operation-star-blizzard/}, language = {English}, urldate = {2024-03-18} } @online{socradar:20240205:dark:7bc216e, author = {SOCRadar}, title = {{Dark Web Profile: CyberNiggers}}, date = {2024-02-05}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-cyberniggers/}, language = {English}, urldate = {2025-05-02} } @online{socradar:20240311:acuity:de03ad5, author = {SOCRadar}, title = {{Acuity Federal Contractor Breach, Okta Customers Leak, DCRat Exploit and Access Sales}}, date = {2024-03-11}, organization = {SOCRadar}, url = {https://socradar.io/acuity-federal-breach-okta-leak-dcrat-exploit/}, language = {English}, urldate = {2025-05-02} } @online{socradar:20240401:us:be33fc3, author = {SOCRadar}, title = {{U.S. Faces Cyber Onslaught: Fico Breach, ID, CC, Military Data Sale}}, date = {2024-04-01}, organization = {SOCRadar}, url = {https://socradar.io/u-s-faces-cyber-onslaught-fico-breach-id-cc-military-data-sale/}, language = {English}, urldate = {2025-05-02} } @online{socradar:20240425:dark:94b4d8c, author = {SOCRadar}, title = {{Dark Web Profile: Red Ransomware}}, date = {2024-04-25}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-red-ransomware/}, language = {English}, urldate = {2024-10-21} } @online{socradar:20240524:dark:39e3dc7, author = {SOCRadar}, title = {{Dark Web Profile: Hunt3r Kill3rs}}, date = {2024-05-24}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-hunt3r-kill3rs/}, language = {English}, urldate = {2024-12-11} } @online{socradar:20240607:grandoreiro:2683a76, author = {SOCRadar}, title = {{Grandoreiro Malware Campaign: A Global Threat to Banking Security}}, date = {2024-06-07}, organization = {SOCRadar}, url = {https://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/}, language = {English}, urldate = {2024-10-25} } @online{socradar:20240620:dark:a806948, author = {SOCRadar}, title = {{Dark Web Profile: SpaceBears}}, date = {2024-06-20}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-spacebears/}, language = {English}, urldate = {2024-11-15} } @online{socradar:20240808:dark:22400c1, author = {SOCRadar}, title = {{Dark Peep #16: Play Ransomware & LockBit’s Alliance, BreachForums Leak, and CyberNiggers’ Revival}}, date = {2024-08-08}, organization = {SOCRadar}, url = {https://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/}, language = {English}, urldate = {2024-10-18} } @online{socradar:20241010:internet:d4eaba3, author = {SOCRadar}, title = {{Internet Archive Data Breach and DDoS Attacks: What You Need to Know}}, date = {2024-10-10}, organization = {SOCRadar}, url = {https://socradar.io/internet-archive-data-breach-and-ddos-attacks/}, language = {English}, urldate = {2024-11-04} } @online{socradar:20241021:biggest:8cf8b5e, author = {SOCRadar}, title = {{Biggest Education Industry Attacks in 2024}}, date = {2024-10-21}, organization = {SOCRadar}, url = {https://socradar.io/biggest-education-industry-attacks-in-2024/}, language = {English}, urldate = {2024-11-04} } @online{socradar:20241217:dark:8932496, author = {SOCRadar}, title = {{Dark Peep #17: Dark Web Manifesto, Hacker Forums, and Ransomware Misadventures}}, date = {2024-12-17}, organization = {SOCRadar}, url = {https://socradar.io/dark-peep-17-dark-web-hacker-forums-ransomware/}, language = {English}, urldate = {2025-02-19} } @online{socradar:20241231:dark:38357cb, author = {SOCRadar}, title = {{Dark Web Profile: Gamaredon APT - SOCRadar® Cyber Intelligence Inc.}}, date = {2024-12-31}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-gamaredon-apt/}, language = {English}, urldate = {2025-02-03} } @online{socradar:20250116:fortigate:6b07fae, author = {SOCRadar}, title = {{FortiGate Firewall Configs Dumped: Revisiting CVE-2022-40684 Exploitation}}, date = {2025-01-16}, organization = {SOCRadar}, url = {https://socradar.io/fortigate-firewall-configs-cve-2022-40684-exploitation/}, language = {English}, urldate = {2025-01-23} } @online{sodja:20210401:automating:d24c8aa, author = {Cole Sodja and Justin Carroll and Melissa Turcotte and Joshua Neil and Microsoft 365 Defender Research Team}, title = {{Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting}}, date = {2021-04-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/04/01/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting/}, language = {English}, urldate = {2021-04-06} } @techreport{soesanto:20200110:onesided:307972d, author = {Steafan Soesanto}, title = {{A one-sided Affair: Japan and the People's Republic of China in Cyberspace Hotspot Analysis}}, date = {2020-01-10}, institution = {ETH Zürich}, url = {https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf}, language = {English}, urldate = {2020-01-20} } @online{soesanto:20210420:uniti:f7c817b, author = {Stefan Soesanto}, title = {{Tweet on Uniti 61419}}, date = {2021-04-20}, organization = {Twitter (@iiyonite)}, url = {https://twitter.com/iiyonite/status/1384431491485155331}, language = {English}, urldate = {2022-09-12} } @online{soesanto:20210628:outward:88ceeac, author = {Stefan Soesanto}, title = {{Outward Defense: Comparing the Cyber Defense Postures of Japan, the Netherlands and the United States in Peace Time}}, date = {2021-06-28}, organization = {Konrad Adenauer Stiftung}, url = {https://www.kas.de/documents/252038/11055681/Mapping+of+cyber+doctrines.pdf/fbbcb8e1-7f57-31e3-a6f4-a0e071beafae}, language = {English}, urldate = {2021-07-02} } @online{sofer:2019:nircmd:727a2e0, author = {Nir Sofer}, title = {{NirCmd by NirSoft}}, date = {2019}, organization = {NirSoft}, url = {https://www.nirsoft.net/utils/nircmd.html}, language = {English}, urldate = {2023-08-15} } @online{soft:20200701:cyberthreat:45d22d9, author = {TG Soft}, title = {{Cyber-Threat Report on the cyber attacks of June 2020 in Italy}}, date = {2020-07-01}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=568531345}, language = {Italian}, urldate = {2020-07-30} } @online{soft:202008:tg:88b671c, author = {TG Soft}, title = {{TG Soft Cyber - Threat Report}}, date = {2020-08}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469}, language = {Italian}, urldate = {2020-09-15} } @online{soft:20210820:about:dccc915, author = {TG Soft}, title = {{Tweet about LockFile attacks in Italy}}, date = {2021-08-20}, organization = {Twitter (@VirITeXplorer)}, url = {https://twitter.com/VirITeXplorer/status/1428750497872232459}, language = {English}, urldate = {2021-08-31} } @online{software:20200507:venom:99573f7, author = {Venom Software}, title = {{Venom Remote Administration Tool (from Venom Software!)}}, date = {2020-05-07}, url = {https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/}, language = {English}, urldate = {2020-06-10} } @techreport{sogeti:2021:babuk:607b96e, author = {Sogeti}, title = {{Babuk ransomware}}, date = {2021}, institution = {Sogeti}, url = {https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf}, language = {English}, urldate = {2021-05-17} } @online{solad:20181030:kraken:b16a110, author = {Alexander Solad and Daniel Hatheway and Marc Rivero López and John Fokker}, title = {{Kraken Cryptor Ransomware Gains Popularity Among Cybercriminals}}, date = {2018-10-30}, url = {https://www.recordedfuture.com/kraken-cryptor-ransomware/}, language = {English}, urldate = {2019-12-17} } @online{solarwind:20201214:security:68f32e4, author = {Solarwind}, title = {{Security Advisory on SolarWinds Supply chain attack}}, date = {2020-12-14}, organization = {Solarwind}, url = {https://www.solarwinds.com/securityadvisory}, language = {English}, urldate = {2021-01-01} } @online{solarwind:20201214:security:a763c2a, author = {Solarwind}, title = {{Security Advisory on SolarWinds Supply chain attack FAQ}}, date = {2020-12-14}, organization = {Solarwind}, url = {https://www.solarwinds.com/securityadvisory/faq}, language = {English}, urldate = {2021-01-04} } @online{solarwind:20201226:solarwinds:472d789, author = {Solarwind}, title = {{SolarWinds Orion API authentication bypass allows remote comand execution (CVE-2020-10148)}}, date = {2020-12-26}, organization = {CERT.org}, url = {https://kb.cert.org/vuls/id/843464}, language = {English}, urldate = {2021-01-01} } @online{solarwind:20210507:investigative:54c699d, author = {Solarwind}, title = {{An Investigative Update of the Cyberattack}}, date = {2021-05-07}, organization = {SolarWinds}, url = {https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm}, language = {English}, urldate = {2021-05-11} } @online{solarwind:20210709:servu:53e30f0, author = {Solarwind}, title = {{Serv-U Remote Memory Escape Vulnerability CVE-2021-35211 (exploited in the wild)}}, date = {2021-07-09}, organization = {Solarwind}, url = {https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211}, language = {English}, urldate = {2021-07-20} } @online{soldatov:20220908:russian:65b8ec1, author = {Andrei Soldatov and Irina Borogan}, title = {{Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities}}, date = {2022-09-08}, organization = {Center for European Policy Analysis}, url = {https://cepa.org/russian-cyberwarfare-unpacking-the-kremlins-capabilities/}, language = {English}, urldate = {2022-09-10} } @online{soliven:20220824:ransomware:20db707, author = {Ryan Soliven and Hitomi Kimura}, title = {{Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus (IoCs)}}, date = {2022-08-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt}, language = {English}, urldate = {2022-08-30} } @online{soliven:20220824:ransomware:a88ee05, author = {Ryan Soliven and Hitomi Kimura}, title = {{Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus}}, date = {2022-08-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}, language = {English}, urldate = {2022-09-20} } @online{solomon:20201105:inj3ctor3:274a6ca, author = {Ido Solomon and Ori Hamama and Omer Ventura}, title = {{INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization}}, date = {2020-11-05}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/}, language = {English}, urldate = {2020-11-06} } @online{solver:20190306:decr1pt0r:e0b8f10, author = {RE Solver}, title = {{DE-Cr1pt0r tool - The Cr1pt0r ransomware decompiled decryption routine}}, date = {2019-03-06}, organization = {RE Solver}, url = {https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html}, language = {English}, urldate = {2020-01-10} } @online{somech:20190404:icedid:54ba40f, author = {Nir Somech and Limor Kessem}, title = {{IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth}}, date = {2019-04-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/}, language = {English}, urldate = {2020-01-08} } @online{somech:20210923:new:7fc798f, author = {Nir Somech and Chen Nahman}, title = {{New ZE Loader Targets Online Banking Users}}, date = {2021-09-23}, organization = {IBM}, url = {https://securityintelligence.com/posts/new-ze-loader-targets-online-banking/}, language = {English}, urldate = {2021-09-28} } @online{somech:20241126:whats:6dd6da5, author = {Nir Somech}, title = {{What’s up India? PixPirate is back and spreading via WhatsApp}}, date = {2024-11-26}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/pixpirate-back-spreading-via-whatsapp/}, language = {English}, urldate = {2024-12-16} } @online{somedieyoungzz:20240309:kimsuky:16fe731, author = {somedieyoungZZ}, title = {{Kimsuky 2}}, date = {2024-03-09}, url = {https://somedieyoungzz.github.io/posts/kimsucky-2/}, language = {English}, urldate = {2024-03-18} } @online{son:20241027:shahid:c133498, author = {Do Son}, title = {{Shahid Hemmat Hackers: $10M Reward Offered by US}}, date = {2024-10-27}, organization = {CyberSecurityNews}, url = {https://securityonline.info/shahid-hemmat-hackers-10m-reward-offered-by-us/}, language = {English}, urldate = {2024-11-04} } @online{son:20250211:sandworm:596ee7c, author = {Do Son}, title = {{Sandworm APT Exploits Trojanized KMS Tools to Target Ukrainian Users in Cyber Espionage Campaign}}, date = {2025-02-11}, organization = {CyberSecurityNews}, url = {https://securityonline.info/sandworm-apt-exploits-trojanized-kms-tools-to-target-ukrainian-users-in-cyber-espionage-campaign/}, language = {English}, urldate = {2025-02-13} } @online{sonawane:20220131:crowdstrike:1fd4945, author = {Sarang Sonawane and Liviu Arsene}, title = {{CrowdStrike Falcon Proactively Protects Against Wiper Malware as CISA Warns U.S. Companies of Potential Attacks}}, date = {2022-01-31}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/}, language = {English}, urldate = {2022-02-02} } @online{sonawane:20221219:malware:1e7d417, author = {Sarang Sonawane and Donato Onofri}, title = {{Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis Techniques and Code Injection Redundancy}}, date = {2022-12-19}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/}, language = {English}, urldate = {2022-12-24} } @online{sonbol:20170503:hunting:ce577ba, author = {Ahmed Sonbol}, title = {{Hunting pack use case: RedLeaves malware}}, date = {2017-05-03}, organization = {RSA Link}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware}, language = {English}, urldate = {2020-03-11} } @online{sonbol:20170802:malspam:d849b12, author = {Ahmed Sonbol}, title = {{Malspam delivers Xtreme RAT 8-1-2017}}, date = {2017-08-02}, organization = {RSA Link}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017}, language = {English}, urldate = {2020-01-13} } @online{sonbol:20180215:malspam:54c3cfe, author = {Ahmed Sonbol}, title = {{Malspam delivers Keybase keylogger}}, date = {2018-02-15}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017}, language = {English}, urldate = {2019-10-12} } @online{song:20201208:gift:38d68c7, author = {Young-Sae Song}, title = {{Gift Card Scams Explode in Upcoming Holiday Shopping Season}}, date = {2020-12-08}, organization = {BOLSTER}, url = {https://bolster.ai/blog/gift-card-scams-explode-in-upcoming-holiday-shopping-season/}, language = {English}, urldate = {2020-12-10} } @online{soni:20220907:curious:80138f0, author = {Anuj Soni and Ryan Chapman}, title = {{The Curious Case of “Monti” Ransomware: A Real-World Doppelganger}}, date = {2022-09-07}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger}, language = {English}, urldate = {2022-09-10} } @online{sonicwall:2015:laziok:5d02cc8, author = {SonicWall}, title = {{Laziok Malware Targets Energy Companies}}, date = {2015}, organization = {SonicWall}, url = {https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802}, language = {English}, urldate = {2019-10-23} } @online{sonicwall:20191112:meeting:1ecb82b, author = {SonicWall}, title = {{Meeting a Russian Ransomware Cell}}, date = {2019-11-12}, organization = {SonicWall}, url = {https://blog.sonicwall.com/en-us/2019/11/mindhunter-meeting-a-russian-ransomware-cell/}, language = {English}, urldate = {2023-10-10} } @online{sonicwall:20191213:lalala:082f090, author = {SonicWall}, title = {{LALALA InfoStealer which comes with Batch and PowerShell scripting combo}}, date = {2019-12-13}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/}, language = {English}, urldate = {2020-05-29} } @online{sonicwall:20200109:servhelper:3e6a00c, author = {SonicWall}, title = {{ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access}}, date = {2020-01-09}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/}, language = {English}, urldate = {2020-09-18} } @online{sonicwall:20210201:urgent:1b2f884, author = {SonicWall}, title = {{Urgent Security Notice: SonicWall Confirms SMA 100 Series 10. X Zero-Day Vulnerability}}, date = {2021-02-01}, organization = {SonicWall}, url = {https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-confirms-sma-100-series-10-x-zero-day-vulnerability-feb-1-2-p-m-cst/210122173415410/}, language = {English}, urldate = {2021-02-02} } @online{sonicwall:20210806:redosdruv:d5fa008, author = {SonicWall}, title = {{Redosdru.v Malware that hides in encrypted DLL Files to avoid Detection by Firewalls}}, date = {2021-08-06}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/redosdru-v-malware-that-hides-in-encrypted-dll-files-to-avoid-detection-by-firewalls-may-112016/}, language = {English}, urldate = {2021-08-06} } @online{sonicwall:20220621:html:63e527d, author = {SonicWall}, title = {{HTML Application Files are being used to distribute Smoke Loader Malware}}, date = {2022-06-21}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/}, language = {English}, urldate = {2022-06-29} } @online{sonicwall:20230223:berbew:75a1131, author = {SonicWall}, title = {{Berbew Backdoor Spotted In The Wild}}, date = {2023-02-23}, organization = {SonicWall}, url = {https://blog.sonicwall.com/en-us/2023/02/berbew-backdoor-spotted-in-the-wild/}, language = {English}, urldate = {2024-06-05} } @online{sonicwall:20240402:updated:48b40c3, author = {SonicWall}, title = {{Updated StrelaStealer Targeting European Countries}}, date = {2024-04-02}, organization = {SonicWall}, url = {https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/}, language = {English}, urldate = {2024-07-17} } @online{sonicwall:20240624:strelastealer:b770bd6, author = {SonicWall}, title = {{StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe}}, date = {2024-06-24}, organization = {SonicWall}, url = {https://blog.sonicwall.com/en-us/2024/06/strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe/}, language = {English}, urldate = {2024-07-17} } @online{sonicwall:20250221:remcos:1bdcbea, author = {SonicWall}, title = {{Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered}}, date = {2025-02-21}, organization = {SonicWall}, url = {https://www.sonicwall.com/blog/remcos-rat-targets-europe-new-amsi-and-etw-evasion-tactics-uncovered}, language = {English}, urldate = {2025-02-28} } @online{sonntag:20210128:deep:99eb275, author = {Lior Sonntag}, title = {{Deep into the SunBurst Attack}}, date = {2021-01-28}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/}, language = {English}, urldate = {2021-02-02} } @online{sonntag:20210219:behind:a40f5e6, author = {Lior Sonntag and Dror Alon}, title = {{Behind the Scenes of the SunBurst Attack}}, date = {2021-02-19}, organization = {THE NEW STACK}, url = {https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/}, language = {English}, urldate = {2021-02-20} } @online{soo:20171102:recent:af4616a, author = {Jacob Soo and Josh Grunzweig}, title = {{Recent InPage Exploits Lead to Multiple Malware Families}}, date = {2017-11-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/}, language = {English}, urldate = {2019-12-20} } @online{soo:20171102:recent:fe4c325, author = {Jacob Soo and Josh Grunzweig}, title = {{Recent InPage Exploits Lead to Multiple Malware Families}}, date = {2017-11-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/}, language = {English}, urldate = {2019-10-15} } @online{sood:20120801:inside:93b4e0d, author = {Aditya K. Sood and Richard J. Enbody and Rohit Bansal}, title = {{Inside the ICE IX bot, descendent of Zeus}}, date = {2012-08-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus}, language = {English}, urldate = {2020-01-06} } @online{sood:20171004:protecting:31b337c, author = {Karan Sood}, title = {{Protecting the Software Supply Chain: Deep Insights into the CCleaner Backdoor}}, date = {2017-10-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{sood:20171110:ccleaner:99ee315, author = {Karan Sood}, title = {{CCleaner Stage 2: In-Depth Analysis of the Payload}}, date = {2017-11-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/}, language = {English}, urldate = {2019-12-20} } @online{sood:20180521:indepth:247dedb, author = {Karan Sood}, title = {{An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER}}, date = {2018-05-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/}, language = {English}, urldate = {2019-12-20} } @online{sood:20200214:lokibot:c4e5d9d, author = {Aditya K. Sood}, title = {{LokiBot: dissecting the C&C panel deployments}}, date = {2020-02-14}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/}, language = {English}, urldate = {2020-02-25} } @techreport{sood:20210407:dissecting:43afa3d, author = {Aditya K. Sood}, title = {{Dissecting the Design and Vulnerabilities in Azorult C&C Panels}}, date = {2021-04-07}, institution = {F5}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf}, language = {English}, urldate = {2021-04-19} } @online{sood:20210518:darkside:a32cfcd, author = {Karan Sood and Liviu Arsene and Shaun Hurley}, title = {{DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected}}, date = {2021-05-18}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/}, language = {English}, urldate = {2024-08-29} } @online{sood:20210707:how:84886a9, author = {Karan Sood and Liviu Arsene}, title = {{How CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack}}, date = {2021-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/}, language = {English}, urldate = {2021-07-19} } @online{sood:20211208:collectorstealer:bd79b3e, author = {Aditya K. Sood and Rohit Chaturvedi}, title = {{Collector-stealer: a Russian origin credential and information extractor}}, date = {2021-12-08}, organization = {F5}, url = {https://www.virusbulletin.com/virusbulletin/2021/12/collector-stealer-russian-origin-credential-and-information-extractor/}, language = {English}, urldate = {2022-04-24} } @online{sood:20220423:cryptojacking:d0b51e7, author = {Aditya K. Sood}, title = {{Cryptojacking on the Fly: TeamTNT Using NVIDIA Drivers to Mine Cryptocurrency}}, date = {2022-04-23}, organization = {F5}, url = {https://www.virusbulletin.com/virusbulletin/2022/04/cryptojacking-fly-teamtnt-using-nvidia-drivers-mine-cryptocurrency/}, language = {English}, urldate = {2022-05-03} } @online{sood:20220815:blackguard:edcf0e4, author = {Aditya K. Sood and David Warburton and Sander Vinberg and Malcolm Heath}, title = {{BlackGuard Infostealer Malware: Dissecting the State of Exfiltrated Data}}, date = {2022-08-15}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data}, language = {English}, urldate = {2022-08-17} } @techreport{sood:20230912:compromising:0fa1c59, author = {Aditya K. Sood}, title = {{Compromising the Keys to the Kingdom: Exfiltrating Data to Own and Operate the Exploited Systems (Slides)}}, date = {2023-09-12}, institution = {FIRSTCON}, url = {https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Sood-Compromising-the-Keys-to-the-Kingdom.pdf}, language = {English}, urldate = {2025-03-05} } @online{sood:20231012:compromising:6180038, author = {Aditya K. Sood}, title = {{"Compromising the Keys to the Kingdom" - Exfiltrating Data to Own and Operate the Exploited Systems}}, date = {2023-10-12}, organization = {YouTube (FIRST)}, url = {https://www.youtube.com/watch?v=6Ljl1Rnl1jM}, language = {English}, urldate = {2025-03-05} } @online{soolidsnake:20200511:prolock:18caa16, author = {soolidsnake}, title = {{ProLock malware analysis}}, date = {2020-05-11}, url = {https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html}, language = {English}, urldate = {2020-05-26} } @online{soolidsnake:20210717:hellokitty:a396c59, author = {soolidsnake}, title = {{HelloKitty Linux version malware analysis}}, date = {2021-07-17}, organization = {soolidsnake}, url = {https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html}, language = {English}, urldate = {2021-07-21} } @online{sophos:20110416:trojsasfiso:ffee6ab, author = {Sophos}, title = {{Troj/Sasfis-O}}, date = {2011-04-16}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx}, language = {English}, urldate = {2019-12-19} } @online{sophos:20120830:trojbinanenb:45d0249, author = {Sophos}, title = {{Troj/Binanen-B}}, date = {2012-08-30}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Binanen-B/detailed-analysis.aspx}, language = {English}, urldate = {2020-01-26} } @online{sophos:20121127:threat:b3f53e7, author = {Sophos}, title = {{Threat Description: Troj/Ployx-A}}, date = {2012-11-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx}, language = {English}, urldate = {2020-01-13} } @online{sophos:20151102:trojcryaklb:09148f2, author = {Sophos}, title = {{Troj/Cryakl-B}}, date = {2015-11-02}, organization = {Sophos}, url = {https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx}, language = {English}, urldate = {2019-11-28} } @online{sophos:20200430:asnark:f7ce7da, author = {Sophos}, title = {{“Asnarök” Trojan targets firewalls}}, date = {2020-04-30}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/04/26/asnarok/}, language = {English}, urldate = {2024-12-06} } @online{sophos:20200512:maze:5552394, author = {Sophos}, title = {{Maze ransomware: extorting victims for 1 year and counting}}, date = {2020-05-12}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/}, language = {English}, urldate = {2022-03-18} } @techreport{sophos:20201118:sophos:8fd201e, author = {Sophos}, title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}}, date = {2020-11-18}, institution = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf}, language = {English}, urldate = {2020-11-19} } @online{sophos:20230726:into:c7fdb24, author = {Sophos}, title = {{Into the tank with Nitrogen}}, date = {2023-07-26}, url = {https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/}, language = {English}, urldate = {2024-10-01} } @online{sophoslabs:20200924:emaildelivered:18b6d3b, author = {SophosLabs}, title = {{Email-delivered MoDi RAT attack pastes PowerShell commands}}, date = {2020-09-24}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands/}, language = {English}, urldate = {2021-03-30} } @online{sophoslabs:20201029:similarities:408a640, author = {SophosLabs}, title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}}, date = {2020-10-29}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1321844306970251265}, language = {English}, urldate = {2020-11-02} } @online{sophoslabs:20210705:with:d8dc444, author = {SophosLabs}, title = {{Tweet with a REvil ransomware execution demo}}, date = {2021-07-05}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1412056467201462276}, language = {English}, urldate = {2021-07-26} } @online{sophoslabs:20210709:speed:6f279b2, author = {SophosLabs}, title = {{Tweet on speed at which Kaseya REvil attack was conducted}}, date = {2021-07-09}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1413616952313004040?s=20}, language = {English}, urldate = {2021-07-24} } @online{soprin:20221212:precious:3aff93e, author = {Oz Soprin and Shachar Roitman}, title = {{Precious Gemstones: The New Generation of Kerberos Attacks}}, date = {2022-12-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/}, language = {English}, urldate = {2023-02-17} } @online{soral:20231009:cyber:9c4d5c1, author = {Shubhi Soral}, title = {{Cyber Criminals Using EvilProxy Phishing Kit To Target Senior Executives in U.S. Firms}}, date = {2023-10-09}, organization = {LinkedIn (Shubhi Soral)}, url = {https://www.linkedin.com/pulse/cyber-criminals-using-evilproxy-phishing-kit-target-senior-soral/}, language = {English}, urldate = {2024-02-08} } @online{soriano:20190109:anlisis:500b9a2, author = {Joan Soriano}, title = {{Análisis de Linux.Sunless}}, date = {2019-01-09}, organization = {Security Art Work}, url = {https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/}, language = {Spanish}, urldate = {2020-01-08} } @online{soseman:20210713:solarwinds:cb7df1d, author = {Matt Soseman}, title = {{Solarwinds and SUNBURST attacks compromised my lab!}}, date = {2021-07-13}, organization = {YouTube ( Matt Soseman)}, url = {https://www.youtube.com/watch?v=GfbxHy6xnbA}, language = {English}, urldate = {2021-07-21} } @techreport{soto:20190205:path:7de2c6b, author = {Rod Soto and Darren Spruell and Kevin Stear}, title = {{The Path of an Outlaw, a Shellbot Campaign}}, date = {2019-02-05}, institution = {Jask}, url = {https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf}, language = {English}, urldate = {2019-12-10} } @online{souek:20181210:collecting:fe52669, author = {Jakub Souček and Jakub Tomanek and Peter Kálnai}, title = {{Collecting Malicious Particles from Neutrino Botnets}}, date = {2018-12-10}, organization = {Botconf}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22}, language = {English}, urldate = {2020-01-13} } @online{souek:20240910:cosmicbeetle:252cb53, author = {Jakub Souček}, title = {{CosmicBeetle steps up: Probation period at RansomHub}}, date = {2024-09-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/}, language = {English}, urldate = {2024-10-18} } @online{southworth:20240919:coldwastrel:9a6ce55, author = {John Southworth}, title = {{COLDWASTREL of space}}, date = {2024-09-19}, organization = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html}, language = {English}, urldate = {2024-11-25} } @online{souza:20130801:andromeda:030b7db, author = {Suweera De Souza}, title = {{Andromeda 2.7 features}}, date = {2013-08-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features}, language = {English}, urldate = {2020-01-09} } @online{souza:20201026:dropping:8ac1e1d, author = {Suweera De Souza}, title = {{Dropping the Anchor}}, date = {2020-10-26}, organization = {Arbor Networks}, url = {https://www.netscout.com/blog/asert/dropping-anchor}, language = {English}, urldate = {2020-10-29} } @techreport{souza:20230416:tracking:3b8d89c, author = {Suweera De Souza}, title = {{Tracking Bumblebee’s Development}}, date = {2023-04-16}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/formidable/2/2023_4889_DESOUZA.pdf}, language = {English}, urldate = {2023-05-23} } @online{souza:20230416:tracking:62b0316, author = {Suweera De Souza and Crowdstrike Technical Analysis Cell (TAC)}, title = {{Tracking Bumblebee’s Development}}, date = {2023-04-16}, organization = {YouTube (botconf eu)}, url = {https://www.youtube.com/watch?v=JoKJNfLAc0Y}, language = {English}, urldate = {2023-04-22} } @online{souza:20241111:ymir:32f6aa0, author = {Cristian Souza and Ashley Muñoz and Eduardo Ovalle}, title = {{Ymir: new stealthy ransomware in the wild}}, date = {2024-11-11}, organization = {Kaspersky}, url = {https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/}, language = {English}, urldate = {2025-03-21} } @online{spagnolo:20241017:analysis:ce17ab8, author = {Gregor Spagnolo}, title = {{Analysis of BeaverTail & InvisibleFerret activity}}, date = {2024-10-17}, organization = {Github (ssrdio)}, url = {https://github.com/ssrdio/PublicIoC/tree/main/CestLaVie}, language = {English}, urldate = {2025-03-12} } @online{sperka:20241121:unveiling:fb9d8ef, author = {Viktor Sperka}, title = {{Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine}}, date = {2024-11-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/}, language = {English}, urldate = {2024-11-26} } @techreport{spiderlabs:20200625:golden:8fa4199, author = {Trustwave SpiderLabs}, title = {{The Golden Tax Department and Emergence of GoldenSpy Malware}}, date = {2020-06-25}, institution = {Trustwave}, url = {https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf}, language = {English}, urldate = {2020-06-30} } @techreport{spiderlabs:20210203:new:08a89eb, author = {Trustwave SpiderLabs}, title = {{New Vulnerabilities Discovered in SolarWinds Products by Trustwave SpiderLabs}}, date = {2021-02-03}, institution = {Trustwave}, url = {https://trustwave.azureedge.net/media/17653/solarwinds-vuln-fact-sheet-_final-222021.pdf}, language = {English}, urldate = {2021-02-04} } @online{spiderlabs:20211223:covid19:be34a52, author = {Trustwave SpiderLabs}, title = {{COVID-19 Phishing Lure to Steal and Mine Cryptocurrency}}, date = {2021-12-23}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/}, language = {English}, urldate = {2022-01-05} } @online{spiderlabs:20220323:trustwaves:195ecf8, author = {Trustwave SpiderLabs}, title = {{Trustwave’s Action Response: The Lapsus$ Hacker Group Shows Us the Importance of Securing the Digital Supply Chain}}, date = {2022-03-23}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwaves-action-response-the-lapsus-hacker-group-shows-us-the-importance-of-securing-the-digital-supply-chain}, language = {English}, urldate = {2022-08-17} } @online{spiderlabs:20220325:cyber:6401810, author = {Trustwave SpiderLabs}, title = {{Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns}}, date = {2022-03-25}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns}, language = {English}, urldate = {2022-08-17} } @online{spiderlabs:20220429:stormous:a6d6acf, author = {Trustwave SpiderLabs}, title = {{Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine}}, date = {2022-04-29}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/stormous-the-pro-russian-clout-hungry-ransomware-gang-targets-the-us-and-ukraine}, language = {English}, urldate = {2022-08-17} } @online{spiderlabs:20220603:trustwaves:4081def, author = {Trustwave SpiderLabs}, title = {{Trustwave's Action Response: Microsoft zero-day CVE-2022-30190 (aka Follina)}}, date = {2022-06-03}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwaves-action-response-microsoft-zero-day-cve-2022-30190-aka-follina}, language = {English}, urldate = {2022-08-17} } @online{spiderlabs:20220803:price:9e26732, author = {Trustwave SpiderLabs}, title = {{The Price Cybercriminals Charge for Stolen Data}}, date = {2022-08-03}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-price-cybercriminals-charge-for-stolen-data}, language = {English}, urldate = {2022-08-17} } @techreport{spiderlabs:20240206:facebook:9a349ff, author = {Trustwave SpiderLabs}, title = {{Facebook Advertising Spreads Novel Malware Variant}}, date = {2024-02-06}, institution = {Trustwave}, url = {https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf}, language = {English}, urldate = {2024-02-07} } @online{spiderlabs:20250429:yet:57e9383, author = {Trustwave SpiderLabs}, title = {{Yet Another NodeJS Backdoor (YaNB): A Modern Challenge}}, date = {2025-04-29}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/}, language = {English}, urldate = {2025-05-02} } @online{spiegel:20210326:russian:f756fe0, author = {Der Spiegel}, title = {{Russian group "Ghostwriters" apparently attacked parliamentarians}}, date = {2021-03-26}, organization = {Der Spiegel}, url = {https://www.spiegel.de/politik/deutschland/russischer-hack-erneute-attacke-hack-auf-bundestag-sieben-abgeordnete-betroffen-a-75e1adbe-4462-4e30-bd94-96796aed6b8a}, language = {German}, urldate = {2021-03-30} } @online{spixnet:20221115:russian:1698b1a, author = {SpixNet}, title = {{Russian hacktivists hit Ukrainian orgs with ransomware – but no ransom demands}}, date = {2022-11-15}, organization = {SpixNet}, url = {https://spixnet.at/cybersecurity-blog/2022/11/15/russian-hacktivists-hit-ukrainian-orgs-with-ransomware-but-no-ransom-demands/}, language = {English}, urldate = {2023-12-28} } @online{splunk:20160421:when:ca769d8, author = {Splunk}, title = {{When entropy meets Shannon}}, date = {2016-04-21}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/tips-and-tricks/when-entropy-meets-shannon.html}, language = {English}, urldate = {2022-04-29} } @online{spohn:20111211:intro:f5eeeaa, author = {Michael G. Spohn.}, title = {{Intro. To Reversing - W32Pinkslipbot}}, date = {2011-12-11}, organization = {Open Security Research}, url = {http://blog.opensecurityresearch.com/2011/12/intro-to-reversing-w32pinkslipbot.html}, language = {English}, urldate = {2023-08-30} } @online{sponchioni:20150113:new:dffd290, author = {Roberto Sponchioni}, title = {{New Carberp variant heads down under}}, date = {2015-01-13}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under}, language = {English}, urldate = {2020-01-13} } @online{spookysec:20220916:deception:d6fa54d, author = {spookysec}, title = {{Deception in Depth - Building Deceptions from Breaches}}, date = {2022-09-16}, organization = {spookysec}, url = {https://blog.spookysec.net/DnD-building-from-breaches/}, language = {English}, urldate = {2022-09-19} } @online{sprenger:20240625:how:ac4f0e0, author = {Nicolas Sprenger}, title = {{How to detect the modular RAT CSHARP-STREAMER}}, date = {2024-06-25}, organization = {HiSolutions}, url = {https://research.hisolutions.com/2024/06/how-to-detect-the-modular-rat-csharp-streamer/}, language = {English}, urldate = {2024-06-28} } @online{sprenger:20250425:rolling:50b530a, author = {Nicolas Sprenger and Mateo Mrvelj and Maik Würth}, title = {{Rolling in the Deep(Web): Lazarus Tsunami}}, date = {2025-04-25}, organization = {HiSolutions}, url = {https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/}, language = {English}, urldate = {2025-05-05} } @online{spring:20160407:fbi:2f6e04d, author = {Tom Spring}, title = {{FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen}}, date = {2016-04-07}, organization = {Threatpost}, url = {https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/}, language = {English}, urldate = {2020-01-06} } @online{spring:20160421:pos:008ddcb, author = {Tom Spring}, title = {{PoS Attacks Net Crooks 20 Million Stolen Bank Cards}}, date = {2016-04-21}, organization = {Threatpost}, url = {https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/}, language = {English}, urldate = {2020-01-10} } @online{spring:20170502:shamoon:56ac4ae, author = {Tom Spring}, title = {{Shamoon Collaborator Greenbug Adopts New Communication Tool}}, date = {2017-05-02}, organization = {Threatpost}, url = {https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/}, language = {English}, urldate = {2019-12-10} } @online{spring:20170516:docusign:5ae0c57, author = {Tom Spring}, title = {{DocuSign Phishing Campaign Includes Hancitor Downloader}}, date = {2017-05-16}, organization = {Threatpost}, url = {https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/}, language = {English}, urldate = {2020-01-08} } @online{spring:20170811:ukrainian:eb4451f, author = {Tom Spring}, title = {{Ukrainian Man Arrested, Charged in NotPetya Distribution}}, date = {2017-08-11}, organization = {Threatpost}, url = {https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/}, language = {English}, urldate = {2020-01-05} } @online{spring:20170922:eternalblue:a6be32b, author = {Tom Spring}, title = {{EternalBlue Exploit Used in Retefe Banking Trojan Campaign}}, date = {2017-09-22}, organization = {Threatpost}, url = {https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/}, language = {English}, urldate = {2020-01-08} } @online{spring:20180123:satori:f08d827, author = {Tom Spring}, title = {{Satori Author Linked to New Mirai Variant Masuta}}, date = {2018-01-23}, organization = {Threatpost}, url = {https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/}, language = {English}, urldate = {2020-01-13} } @online{spring:20180314:new:e692b68, author = {Tom Spring}, title = {{New POS Malware PinkKite Takes Flight}}, date = {2018-03-14}, organization = {Threatpost}, url = {https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/}, language = {English}, urldate = {2019-11-26} } @online{spring:20210701:linux:2584acf, author = {Tom Spring}, title = {{Linux Variant of REvil Ransomware Targets VMware’s ESXi, NAS Devices}}, date = {2021-07-01}, organization = {Threatpost}, url = {https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/}, language = {English}, urldate = {2021-07-02} } @online{sprooten:20230320:naplistener:5207e95, author = {Remco Sprooten}, title = {{NAPLISTENER: more bad dreams from developers of SIESTAGRAPH}}, date = {2023-03-20}, organization = {Elastic}, url = {https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph}, language = {English}, urldate = {2023-03-21} } @online{sprooten:20230327:ref2924:dc60cc3, author = {Remco Sprooten}, title = {{REF2924: how to maintain persistence as an (advanced?) threat}}, date = {2023-03-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat}, language = {English}, urldate = {2023-12-04} } @online{sprooten:20240927:betting:7d57420, author = {Remco Sprooten and Ruben Groenewoud}, title = {{Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse}}, date = {2024-09-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/betting-on-bots}, language = {English}, urldate = {2024-10-18} } @online{sprooten:20241013:declawing:696f3d8, author = {Remco Sprooten and Ruben Groenewoud}, title = {{Declawing PUMAKIT}}, date = {2024-10-13}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/declawing-pumakit}, language = {English}, urldate = {2024-12-13} } @online{squad:20250623:bluenoroff:fbcbc7a, author = {Darkatlas Squad}, title = {{Bluenoroff (APT38) Live Infrastructure Hunting}}, date = {2025-06-23}, organization = {Darkatlas}, url = {https://darkatlas.io/blog/bluenoroff-apt38-live-infrastructure-hunting}, language = {English}, urldate = {2025-06-24} } @online{squiblydoo:20210620:marsdeimos:f574072, author = {Squiblydoo}, title = {{Mars-Deimos: From Jupiter to Mars and Back again (Part Two)}}, date = {2021-06-20}, organization = {Squiblydoo}, url = {https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/}, language = {English}, urldate = {2021-12-17} } @online{squiblydoo:20220927:solarmarker:8693ea8, author = {Squiblydoo}, title = {{Solarmarker: The Old is New}}, date = {2022-09-27}, organization = {Squiblydoo}, url = {https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/}, language = {English}, urldate = {2023-01-18} } @online{sr:20211210:detecting:8a6e597, author = {DeMarcus M. Thomas Sr.}, title = {{Detecting malware in memory with memory object relationships}}, date = {2021-12-10}, organization = {Mississippi State University}, url = {https://scholarsjunction.msstate.edu/cgi/viewcontent.cgi?article=6309&context=td}, language = {English}, urldate = {2021-12-31} } @online{sri:20171026:pdb:f380f61, author = {S!Ri}, title = {{Tweet on PDB path}}, date = {2017-10-26}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/923479126656323584}, language = {English}, urldate = {2020-01-06} } @online{sri:20200127:makop:078939c, author = {S!Ri}, title = {{Tweet on Makop Ransomware}}, date = {2020-01-27}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1221797493849018368}, language = {English}, urldate = {2020-03-25} } @online{sri:20210914:atomsilo:7b746d4, author = {S!Ri}, title = {{Tweet on ATOMSILO ransomware}}, date = {2021-09-14}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1437664046556274694?s=20}, language = {English}, urldate = {2021-10-11} } @online{srinivasan:20210620:unpacking:aa26472, author = {Kaushik Srinivasan}, title = {{Unpacking UPX Manually}}, date = {2021-06-20}, organization = {0x4b 0x53}, url = {https://kausrini.github.io/2021-06-20-unpacking-upx-manually/}, language = {English}, urldate = {2021-07-02} } @online{srivas:20210718:snoop:89ac21d, author = {Anuj Srivas and Kabir Agarwal}, title = {{Snoop List Has 40 Indian Journalists, Forensic Tests Confirm Presence of Pegasus Spyware on Some}}, date = {2021-07-18}, organization = {The Wire}, url = {https://thewire.in/media/pegasus-project-spyware-indian-journalists}, language = {English}, urldate = {2021-07-24} } @online{srivastava:20250206:google:9289a7b, author = {Puja Srivastava}, title = {{Google Tag Manager Skimmer Steals Credit Card Info From Magento Site}}, date = {2025-02-06}, organization = {Securi}, url = {https://blog.sucuri.net/2025/02/google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html}, language = {English}, urldate = {2025-02-18} } @online{srivastava:20250328:hidden:2bfbaca, author = {Puja Srivastava}, title = {{Hidden Malware Strikes Again: Mu-Plugins Under Attack}}, date = {2025-03-28}, organization = {SUCURI}, url = {https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-under-attack.html}, language = {English}, urldate = {2025-04-09} } @online{srokosz:20170524:analysis:1d591e7, author = {Paweł Srokosz}, title = {{Analysis of Emotet v4}}, date = {2017-05-24}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/analysis-of-emotet-v4/}, language = {English}, urldate = {2020-01-09} } @online{srokosz:20180106:ostap:619979b, author = {Paweł Srokosz}, title = {{Ostap malware analysis (Backswap dropper)}}, date = {2018-01-06}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/}, language = {English}, urldate = {2020-01-09} } @online{srokosz:20191218:icedid:05c3255, author = {Paweł Srokosz}, title = {{IcedID PNG Extractor}}, date = {2019-12-18}, organization = {Github (psrok1)}, url = {https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b}, language = {English}, urldate = {2020-01-13} } @online{stacklok:20240910:dependency:d0507ad, author = {Stacklok}, title = {{Dependency hijacking: Dissecting North Korea’s new wave of DeFi-themed open source attacks targeting developers}}, date = {2024-09-10}, organization = {Stacklok}, url = {https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers}, language = {English}, urldate = {2024-10-29} } @online{stadnicki:20210113:gitlab:d27b2e3, author = {Brian Stadnicki}, title = {{Gitlab RCE Stealth Shellbot}}, date = {2021-01-13}, url = {https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/}, language = {English}, urldate = {2022-01-15} } @online{stadnicki:20220102:sbidiot:ffff097, author = {Brian Stadnicki}, title = {{SBIDIOT IoT Malware: miner edition}}, date = {2022-01-02}, url = {https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/}, language = {English}, urldate = {2022-01-05} } @online{stadnicki:20220214:chaos:998b377, author = {Brian Stadnicki}, title = {{Chaos ransomware v4}}, date = {2022-02-14}, url = {https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/}, language = {English}, urldate = {2022-03-15} } @online{stadnicki:20220312:asyncrat:914be19, author = {Brian Stadnicki}, title = {{AsyncRAT RCE vulnerability}}, date = {2022-03-12}, url = {https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/}, language = {English}, urldate = {2022-03-14} } @online{staff:20150625:sundown:53454bc, author = {Proofpoint Staff}, title = {{Sundown EK Spreads LuminosityLink RAT: Light After Dark}}, date = {2015-06-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark}, language = {English}, urldate = {2019-12-20} } @online{staff:20150918:operation:9af478b, author = {Proofpoint Staff}, title = {{Operation Arid Viper Slithers Back into View}}, date = {2015-09-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View}, language = {English}, urldate = {2019-12-20} } @online{staff:20151008:dyre:7773d32, author = {Proofpoint Staff}, title = {{Dyre Malware Campaigners Innovate with Distribution Techniques}}, date = {2015-10-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques}, language = {English}, urldate = {2020-03-04} } @online{staff:20160118:updated:c96de1d, author = {Proofpoint Staff}, title = {{Updated Blackmoon banking Trojan stays focused on South Korean banking customers}}, date = {2016-01-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan}, language = {English}, urldate = {2019-12-20} } @online{staff:20160205:vawtrak:c5663f8, author = {Proofpoint Staff}, title = {{Vawtrak and UrlZone Banking Trojans Target Japan}}, date = {2016-02-05}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan}, language = {English}, urldate = {2019-11-20} } @online{staff:20160226:nymaim:a5904b2, author = {Proofpoint Staff}, title = {{Nymaim Moves Past Its Ransomware Roots - What Is Old Is New Again}}, date = {2016-02-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0}, language = {English}, urldate = {2020-06-10} } @online{staff:20160310:death:ac16504, author = {Proofpoint Staff}, title = {{Death Comes Calling: Thanatos/Alphabot Trojan Hits the Market}}, date = {2016-03-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market}, language = {English}, urldate = {2019-12-20} } @online{staff:20160523:technical:07ea0f3, author = {Specialist Staff}, title = {{Technical Report about the Malware used in the Cyberespionage against RUAG}}, date = {2016-05-23}, organization = {Reporting and Analysis Centre for Information Assurance MELANI}, url = {https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html}, language = {English}, urldate = {2020-01-05} } @online{staff:20160829:nightmare:2268343, author = {Proofpoint Staff}, title = {{Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality}}, date = {2016-08-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality}, language = {English}, urldate = {2019-12-20} } @online{staff:20161114:ransoc:e6b2a9e, author = {Proofpoint Staff}, title = {{Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles}}, date = {2016-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles}, language = {English}, urldate = {2019-12-20} } @online{staff:20161115:kronos:6580667, author = {Proofpoint Staff}, title = {{Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware}}, date = {2016-11-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware}, language = {English}, urldate = {2019-12-20} } @online{staff:20161206:august:8a5d8e4, author = {Proofpoint Staff}, title = {{August in November: New Information Stealer Hits the Scene}}, date = {2016-12-06}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene}, language = {English}, urldate = {2019-12-20} } @online{staff:20161207:august:5c9f336, author = {Proofpoint Staff}, title = {{August in November: New Information Stealer Hits the Scene}}, date = {2016-12-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene}, language = {English}, urldate = {2019-12-20} } @online{staff:20170425:philadelphia:4e673f5, author = {Proofpoint Staff}, title = {{Philadelphia Ransomware Brings Customization to Commodity Malware}}, date = {2017-04-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware}, language = {English}, urldate = {2019-12-20} } @online{staff:20170510:introducing:7355f5b, author = {Proofpoint Staff}, title = {{Introducing Loda Malware}}, date = {2017-05-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware}, language = {English}, urldate = {2019-12-20} } @online{staff:20170511:jaff:1e6dde7, author = {Proofpoint Staff}, title = {{Jaff - New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart}}, date = {2017-05-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart}, language = {English}, urldate = {2019-12-20} } @online{staff:20170713:meet:406ca2c, author = {Proofpoint Staff}, title = {{Meet Ovidiy Stealer: Bringing credential theft to the masses}}, date = {2017-07-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses}, language = {English}, urldate = {2019-12-20} } @online{staff:20170824:defray:1b0f056, author = {Proofpoint Staff}, title = {{Defray - New Ransomware Targeting Education and Healthcare Verticals}}, date = {2017-08-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals}, language = {English}, urldate = {2020-01-10} } @online{staff:20170824:new:51577f3, author = {Proofpoint Staff}, title = {{New Defray Ransomware Targets Education and Healthcare Verticals}}, date = {2017-08-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals}, language = {English}, urldate = {2021-02-09} } @online{staff:20170927:threat:272e6ac, author = {Proofpoint Staff}, title = {{Threat Actor Profile: TA505, From Dridex to GlobeImposter}}, date = {2017-09-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter}, language = {English}, urldate = {2019-12-20} } @online{staff:20171214:zeus:27fa0fe, author = {Proofpoint Staff}, title = {{Zeus Panda Banking Trojan Targets Online Holiday Shoppers}}, date = {2017-12-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers}, language = {English}, urldate = {2019-12-20} } @online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } @online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } @online{staff:20180524:phorpiex:81572f0, author = {Proofpoint Staff}, title = {{Phorpiex – A decade of spamming from the shadows}}, date = {2018-05-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows}, language = {English}, urldate = {2019-12-20} } @online{staff:20180530:thief:f62b0ed, author = {Proofpoint Staff}, title = {{Thief in the night: New Nocturnal Stealer grabs data on the cheap}}, date = {2018-05-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap}, language = {English}, urldate = {2019-12-20} } @online{staff:20180531:danabot:b1b2487, author = {Proofpoint Staff}, title = {{DanaBot - A new banking Trojan surfaces Down Under}}, date = {2018-05-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0}, language = {English}, urldate = {2019-12-20} } @online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } @online{staff:20180724:kronos:ad537ce, author = {Proofpoint Staff}, title = {{Kronos Reborn}}, date = {2018-07-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/kronos-reborn}, language = {English}, urldate = {2019-12-20} } @online{staff:20180725:parasite:e0da288, author = {Proofpoint Staff}, title = {{Parasite HTTP RAT cooks up a stew of stealthy tricks}}, date = {2018-07-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks}, language = {English}, urldate = {2019-12-20} } @online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2021-12-13} } @online{staff:20180816:new:b372eeb, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems, prepare for more - Part 1: Marap}}, date = {2018-08-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap}, language = {English}, urldate = {2019-12-20} } @online{staff:20180823:new:919635d, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 2: AdvisorsBot}}, date = {2018-08-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot}, language = {English}, urldate = {2019-12-20} } @online{staff:20180911:new:14fda4a, author = {Proofpoint Staff}, title = {{New modular downloaders fingerprint systems - Part 3: CobInt}}, date = {2018-09-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint}, language = {English}, urldate = {2019-12-20} } @online{staff:20181002:danabot:b7282b9, author = {Proofpoint Staff}, title = {{DanaBot Gains Popularity and Targets US Organizations in Large Campaigns}}, date = {2018-10-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns}, language = {English}, urldate = {2019-12-20} } @online{staff:20181023:sload:b4e25c6, author = {Proofpoint Staff}, title = {{sLoad and Ramnit pairing in sustained campaigns against UK and Italy}}, date = {2018-10-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy}, language = {English}, urldate = {2019-12-20} } @online{staff:20181115:trat:74a4dd4, author = {Proofpoint Staff}, title = {{tRat: New modular RAT appears in multiple email campaigns}}, date = {2018-11-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns}, language = {English}, urldate = {2019-12-20} } @online{staff:20210718:takeaways:b76b188, author = {Washington Post Staff}, title = {{Takeaways from the Pegasus Project}}, date = {2021-07-18}, organization = {Washington Post}, url = {https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/}, language = {English}, urldate = {2021-07-21} } @online{staff:20220331:novel:ef704af, author = {SC Staff}, title = {{Novel obfuscation leveraged by Hive ransomware}}, date = {2022-03-31}, organization = {SC Media}, url = {https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware}, language = {English}, urldate = {2022-04-05} } @online{staff:20220717:cyberattack:c7b8eb8, author = {TOI Staff}, title = {{Cyberattack on Health Ministry website blocks overseas access}}, date = {2022-07-17}, organization = {The Times of Israel}, url = {https://www.timesofisrael.com/cyberattack-on-health-ministry-website-blocks-overseas-access/}, language = {English}, urldate = {2023-11-27} } @online{staff:20240909:significant:7cfafa5, author = {SC Staff}, title = {{Significant ransom payment by major Iranian IT firm underway}}, date = {2024-09-09}, organization = {SC Magazine}, url = {https://www.scmagazine.com/brief/significant-ransom-payment-by-major-iranian-it-firm-underway}, language = {English}, urldate = {2024-09-27} } @online{staff:20240925:austria:93d922d, author = {SC Staff}, title = {{Austria subjected to pro-Russian DDoS intrusions}}, date = {2024-09-25}, organization = {SC Media}, url = {https://www.scworld.com/brief/austria-subjected-to-pro-russian-ddos-intrusions}, language = {English}, urldate = {2024-11-04} } @online{staff:20250227:over:da50a7e, author = {SC Staff}, title = {{Over 600 organizations subjected to global EncryptHub attacks}}, date = {2025-02-27}, organization = {SC Media}, url = {https://www.scworld.com/brief/over-600-organizations-subjected-to-global-encrypthub-attacks}, language = {English}, urldate = {2025-03-07} } @online{stafford:20211214:darkwatchman:d60bc6c, author = {Matt Stafford and Sherman Smith}, title = {{DarkWatchman: A new evolution in fileless techniques}}, date = {2021-12-14}, organization = {Prevailion}, url = {https://www.prevailion.com/darkwatchman-new-fileness-techniques/}, language = {English}, urldate = {2021-12-23} } @online{stafford:20220315:what:1df16e6, author = {Matt Stafford and Sherman Smith}, title = {{What Wicked Webs We Un-weave}}, date = {2022-03-15}, organization = {Prevailion}, url = {https://www.prevailion.com/what-wicked-webs-we-unweave/}, language = {English}, urldate = {2022-03-17} } @online{stagno:20160128:keybase:9b30a21, author = {Paolo Stagno}, title = {{Keybase}}, date = {2016-01-28}, organization = {VoidSec}, url = {https://voidsec.com/keybase-en/}, language = {English}, urldate = {2019-08-08} } @online{stahie:20211108:popular:8222961, author = {Silviu Stahie}, title = {{Popular NPM Repositories Compromised in Man-in-the-Middle Attack}}, date = {2021-11-08}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/}, language = {English}, urldate = {2021-11-09} } @online{stairwell:20240202:proactive:f396e57, author = {Threat Research at Stairwell}, title = {{Proactive response: AnyDesk, any breach}}, date = {2024-02-02}, organization = {Stairwell}, url = {https://stairwell.com/resources/proactive-response-anydesk-any-breach/}, language = {English}, urldate = {2024-02-23} } @online{stairwell:20240515:stairwell:469eeab, author = {Threat Research at Stairwell}, title = {{Stairwell threat report: Black Basta overview and detection rules}}, date = {2024-05-15}, organization = {Stairwell}, url = {https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/}, language = {English}, urldate = {2024-05-21} } @online{stampar:20170525:eternalrocks:77865e8, author = {Miroslav Stampar}, title = {{EternalRocks (a.k.a. MicroBotMassiveNet)}}, date = {2017-05-25}, organization = {Github (stamparm)}, url = {https://github.com/stamparm/EternalRocks}, language = {English}, urldate = {2023-11-14} } @online{stark:20201014:fin11:0473613, author = {Genevieve Stark and Andrew Moore and Vincent Cannon and Jacqueline O’Leary and Nalani Fraser and Kimberly Goody}, title = {{FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft}}, date = {2020-10-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html}, language = {English}, urldate = {2020-11-04} } @online{stark:20201029:fin11:7b1b75a, author = {Genevieve Stark and Andrew Moore}, title = {{FIN11: A Widespread Ransomware and Extortion Operation (Webinar)}}, date = {2020-10-29}, organization = {Mandiant}, url = {https://www.brighttalk.com/webcast/7451/447347}, language = {English}, urldate = {2020-11-04} } @online{starks:20201019:us:d77b8f8, author = {Tim Starks}, title = {{US charges Russian GRU officers for NotPetya, other major hacks}}, date = {2020-10-19}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/}, language = {English}, urldate = {2020-10-19} } @online{starks:20210305:zerologon:efbc33c, author = {Codi Starks and Kevin Finnigin}, title = {{ZeroLogon to Ransomware}}, date = {2021-03-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware}, language = {English}, urldate = {2021-03-11} } @online{starks:20210526:belgium:0de185c, author = {Tim Starks}, title = {{Belgium uproots cyber-espionage campaign with suspected ties to China}}, date = {2021-05-26}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/belgium-cyber-espionage-china-microsoft-exchange/}, language = {English}, urldate = {2021-06-11} } @online{starks:20211110:revil:94c11c2, author = {Codi Starks and Ryan Chapman}, title = {{REvil Under the Microscope}}, date = {2021-11-10}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope}, language = {English}, urldate = {2021-11-17} } @online{starks:20250305:investigator:e672d2a, author = {Tim Starks}, title = {{Investigator says differing names for hacker groups, hackers studying investigative methods hinders law enforcement}}, date = {2025-03-05}, organization = {CyberScoop}, url = {https://cyberscoop.com/cybercrime-investigator-hacker-groups-law-enforcement/}, language = {English}, urldate = {2025-03-07} } @techreport{station:20080107:4th:2364e1e, author = {Menwith Hill Station}, title = {{4th Party Collection: Taking Advantage of Non-Partner Computer Network Exploitation Activity}}, date = {2008-01-07}, institution = {Royal Air Force}, url = {https://www.spiegel.de/media/f6f628ad-0001-0014-0000-000000035680/media-35680.pdf}, language = {English}, urldate = {2023-05-24} } @online{staubmann:20230608:busy:b9f7911, author = {Patrick Staubmann}, title = {{Busy Bees - The Transformation of BumbleBee}}, date = {2023-06-08}, organization = {VMRay}, url = {https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx}, language = {English}, urldate = {2023-08-15} } @online{stear:20180213:lotus:4403066, author = {Kevin Stear}, title = {{Lotus Blossom Continues ASEAN Targeting}}, date = {2018-02-13}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting}, language = {English}, urldate = {2020-01-09} } @online{steckler:20170920:progress:e464d99, author = {Vince Steckler and Ondrej Vlcek}, title = {{Progress on CCleaner Investigation}}, date = {2017-09-20}, organization = {Avast}, url = {https://blog.avast.com/progress-on-ccleaner-investigation}, language = {English}, urldate = {2019-12-19} } @online{steda:20180504:botception:3a422fe, author = {Adolf Středa and Jan Širmer}, title = {{Botception with Necurs: Botnet distributes script with bot capabilities}}, date = {2018-05-04}, organization = {Avast}, url = {https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs}, language = {English}, urldate = {2019-11-29} } @online{steda:20181204:hide:4927f2a, author = {Adolf Středa and Jan Neduchal}, title = {{Hide ‘N Seek botnet continues infecting devices with default credentials, building a P2P network and more.}}, date = {2018-12-04}, organization = {Avast}, url = {https://blog.avast.com/hide-n-seek-botnet-continues}, language = {English}, urldate = {2019-11-26} } @online{steda:20190912:tangle:204c26f, author = {Adolf Středa and Luigino Camastra}, title = {{The tangle of WiryJMPer’s obfuscation}}, date = {2019-09-12}, organization = {Avast}, url = {https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/}, language = {English}, urldate = {2020-01-13} } @online{steffens:20210208:auf:97868bd, author = {Timo Steffens}, title = {{Auf Tätersuche: Herausforderungen bei der Analyse von Cyber-Angriffen}}, date = {2021-02-08}, organization = {heise online}, url = {https://www.heise.de/hintergrund/Auf-Taetersuche-Herausforderungen-bei-der-Analyse-von-Cyber-Angriffen-5043620.html}, language = {German}, urldate = {2021-02-09} } @online{stein:20210216:malvertiser:36990ae, author = {Eliya Stein}, title = {{Malvertiser “ScamClub” Bypasses Iframe Sandboxing With postMessage() Shenanigans [CVE-2021–1801]}}, date = {2021-02-16}, organization = {Confiant}, url = {https://blog.confiant.com/malvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-1c998378bfba}, language = {English}, urldate = {2021-02-18} } @online{stepanic:20200213:playing:ae77be6, author = {Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{Playing defense against Gamaredon Group}}, date = {2020-02-13}, organization = {Elastic}, url = {https://www.elastic.co/blog/playing-defense-against-gamaredon-group}, language = {English}, urldate = {2020-06-26} } @online{stepanic:20210311:update:ef4f676, author = {Daniel Stepanic}, title = {{Update - Detection and Response for HAFNIUM Activity}}, date = {2021-03-11}, organization = {Elastic}, url = {https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3?u=dstepanic}, language = {English}, urldate = {2021-03-12} } @online{stepanic:20220119:operation:95a5975, author = {Daniel Stepanic and James Spiteri and Joe Desimone and Mark Mager and Andrew Pease}, title = {{Operation Bleeding Bear}}, date = {2022-01-19}, organization = {Elastic}, url = {https://www.elastic.co/fr/security-labs/operation-bleeding-bear}, language = {English}, urldate = {2023-01-05} } @online{stepanic:20220119:operation:c81f473, author = {Daniel Stepanic and Samir Bousseaden and James Spiteri and Joe Desimone and Mark Mager and Andrew Pease}, title = {{Operation Bleeding Bear}}, date = {2022-01-19}, organization = {Elastic}, url = {https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/}, language = {English}, urldate = {2022-01-24} } @online{stepanic:20220301:elastic:85313fa, author = {Daniel Stepanic and Mark Mager and Cyril François and Andrew Pease and Samir Bousseaden and Github (@ayfaouzi) and Github (@1337-42) and Github (@jtnk)}, title = {{Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER}}, date = {2022-03-01}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/}, language = {English}, urldate = {2022-03-07} } @online{stepanic:20220307:phoreal:f982397, author = {Daniel Stepanic and Derek Ditch and Joe Desimone and Cyril François and Github (@1337-42) and Samir Bousseaden and Andrew Pease}, title = {{PHOREAL Malware Targets the Southeast Asian Financial Sector}}, date = {2022-03-07}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/}, language = {English}, urldate = {2022-03-08} } @online{stepanic:20220601:cuba:333f7c1, author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease}, title = {{CUBA Ransomware Campaign Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis}, language = {English}, urldate = {2022-06-09} } @online{stepanic:20230330:elastic:8671074, author = {Daniel Stepanic and Remco Sprooten and Joe Desimone and Samir Bousseaden and Devon Kerr}, title = {{Elastic users protected from SUDDENICON’s supply chain attack}}, date = {2023-03-30}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack}, language = {English}, urldate = {2023-04-02} } @online{stepanic:20230425:elastic:ba5ce00, author = {Daniel Stepanic}, title = {{Elastic Security Labs discovers the LOBSHOT malware}}, date = {2023-04-25}, organization = {Elastic}, url = {https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware}, language = {English}, urldate = {2023-04-26} } @online{stepanic:20231003:introducing:2d9f236, author = {Daniel Stepanic and Salim Bitam and Cyril François and Seth Goodwin and Andrew Pease}, title = {{Introducing the REF5961 intrusion set (RUDEBIRD, DOWNTOWN, and EAGERBEE)}}, date = {2023-10-03}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set}, language = {English}, urldate = {2023-10-07} } @online{stepanic:20231206:getting:295b379, author = {Daniel Stepanic}, title = {{Getting gooey with GULOADER: deobfuscating the downloader}}, date = {2023-12-06}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader}, language = {English}, urldate = {2023-12-11} } @online{stepanic:20240223:pikabot:7acc89e, author = {Daniel Stepanic and Salim Bitam}, title = {{PIKABOT, I choose you!}}, date = {2024-02-23}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/pikabot-i-choose-you}, language = {English}, urldate = {2024-02-26} } @online{stepanic:20240516:spring:dd45068, author = {Daniel Stepanic and Samir Bousseaden}, title = {{Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID}}, date = {2024-05-16}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus}, language = {English}, urldate = {2024-06-05} } @online{stepanic:20240612:dipping:6f43e57, author = {Daniel Stepanic}, title = {{Dipping into Danger: The WARMCOOKIE backdoor}}, date = {2024-06-12}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/dipping-into-danger}, language = {English}, urldate = {2024-06-24} } @online{stepanic:20240801:bits:c4e4625, author = {Daniel Stepanic and Seth Goodwin}, title = {{BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor}}, date = {2024-08-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth}, language = {English}, urldate = {2024-08-29} } @techreport{stepanic:20241003:getting:3457921, author = {Daniel Stepanic}, title = {{Getting Cozy with Milk and WARMCOOKIES}}, date = {2024-10-03}, institution = {GitHub (dstepanic)}, url = {https://github.com/dstepanic/slides/blob/main/VBCONF_2024/VB2024%20-%20Getting%20Cozy%20with%20Milk%20and%20WARMCOOKIES.pdf}, language = {English}, urldate = {2024-10-18} } @online{stepanic:20250522:deobfuscating:9d49268, author = {Daniel Stepanic}, title = {{De-obfuscating ALCATRAZ}}, date = {2025-05-22}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/deobfuscating-alcatraz}, language = {English}, urldate = {2025-06-02} } @online{stephens:20201028:unc1878:5f717f6, author = {Aaron Stephens}, title = {{UNC1878 indicators}}, date = {2020-10-28}, organization = {Github (aaronst)}, url = {https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456}, language = {English}, urldate = {2020-11-04} } @online{stephens:20210818:detecting:9f06bf9, author = {Aaron Stephens}, title = {{Detecting Embedded Content in OOXML Documents}}, date = {2021-08-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/08/detecting-embedded-content-in-ooxml-documents.html}, language = {English}, urldate = {2021-08-24} } @online{steppe:20190329:hammer:44fb72d, author = {Bert Steppe}, title = {{A Hammer Lurking In The Shadows}}, date = {2019-03-29}, organization = {F-Secure}, url = {https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/}, language = {English}, urldate = {2020-11-04} } @online{sternstein:20150510:thirdparty:c631abb, author = {Aliya Sternstein}, title = {{Third-Party Software Was Entry Point for Background-Check System Hack}}, date = {2015-05-10}, organization = {NextGov}, url = {https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/}, language = {English}, urldate = {2020-01-08} } @online{stevens:20100310:zeus:be8ff11, author = {Kevin Stevens and Don Jackson}, title = {{ZeuS Banking Trojan Report}}, date = {2010-03-10}, organization = {Secureworks}, url = {https://www.secureworks.com/research/zeus?threat=zeus}, language = {English}, urldate = {2020-01-13} } @online{stevens:20190826:daa:afd346d, author = {Didier Stevens}, title = {{The DAA File Format}}, date = {2019-08-26}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/The+DAA+File+Format/25246}, language = {English}, urldate = {2021-07-26} } @online{stevens:20200323:kpot:9f080e7, author = {Didier Stevens}, title = {{KPOT Deployed via AutoIt Script}}, date = {2020-03-23}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/25934}, language = {English}, urldate = {2020-03-26} } @online{stevens:20200901:epic:038897f, author = {Didier Stevens and Maxime Thiebaut and Dries Boone and Bart Parys and Michel Coene}, title = {{Epic Manchego – atypical maldoc delivery brings flurry of infostealers}}, date = {2020-09-01}, organization = {nviso}, url = {https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/}, language = {English}, urldate = {2020-09-01} } @online{stevens:20201026:excel:0cad0df, author = {Didier Stevens}, title = {{Excel 4 Macros: "Abnormal Sheet Visibility"}}, date = {2020-10-26}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/diary/rss/26726}, language = {English}, urldate = {2020-11-02} } @online{stevens:20201215:analyzing:1aa1e8b, author = {Didier Stevens}, title = {{Analyzing FireEye Maldocs}}, date = {2020-12-15}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26882}, language = {English}, urldate = {2020-12-15} } @online{stevens:20210307:pcaps:980212d, author = {Didier Stevens}, title = {{PCAPs and Beacons}}, date = {2021-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27176}, language = {English}, urldate = {2021-03-11} } @online{stevens:20210321:finding:92a9a4d, author = {Didier Stevens}, title = {{Finding Metasploit & Cobalt Strike URLs}}, date = {2021-03-21}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=WW0_TgWT2gs}, language = {English}, urldate = {2021-03-25} } @online{stevens:20210418:decoding:18e5319, author = {Didier Stevens}, title = {{Decoding Cobalt Strike Traffic}}, date = {2021-04-18}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=ysN-MqyIN7M}, language = {English}, urldate = {2021-04-20} } @online{stevens:20211021:cobalt:bfc8702, author = {Didier Stevens}, title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1}}, date = {2021-10-21}, organization = {nviso}, url = {https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/}, language = {English}, urldate = {2021-10-26} } @online{stevens:20211027:cobalt:b91181a, author = {Didier Stevens}, title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2}}, date = {2021-10-27}, organization = {nviso}, url = {https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/}, language = {English}, urldate = {2021-11-03} } @online{stevens:20211103:cobalt:8f8223d, author = {Didier Stevens}, title = {{Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3}}, date = {2021-11-03}, organization = {nviso}, url = {https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/}, language = {English}, urldate = {2021-11-08} } @online{stevens:20211103:new:6f8b92c, author = {Didier Stevens}, title = {{New Tool: cs-extract-key.py}}, date = {2021-11-03}, organization = {Didier Stevens}, url = {https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/}, language = {English}, urldate = {2021-11-17} } @online{stevens:20211117:cobalt:0b6ecf5, author = {Didier Stevens}, title = {{Cobalt Strike: Decrypting Obfuscated Traffic – Part 4}}, date = {2021-11-17}, organization = {nviso}, url = {https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/}, language = {English}, urldate = {2021-11-18} } @online{stevens:20220322:cobalt:fdf35ba, author = {Didier Stevens}, title = {{Cobalt Strike: Overview – Part 7}}, date = {2022-03-22}, organization = {NVISO Labs}, url = {https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/}, language = {English}, urldate = {2022-03-23} } @online{stevens:20220406:analyzing:b173385, author = {Didier Stevens}, title = {{Analyzing a “multilayer” Maldoc: A Beginner’s Guide}}, date = {2022-04-06}, organization = {nviso}, url = {https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/}, language = {English}, urldate = {2022-04-15} } @online{stevens:20220906:obfuscated:889ae4c, author = {Didier Stevens}, title = {{An Obfuscated Beacon – Extra XOR Layer}}, date = {2022-09-06}, organization = {Didier Stevens}, url = {https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/}, language = {English}, urldate = {2022-09-10} } @online{stewart:20070109:rustocking:861999a, author = {Joe Stewart}, title = {{A Rustock-ing Stuffer}}, date = {2007-01-09}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/research-21041}, language = {English}, urldate = {2019-11-21} } @online{stewart:20071204:inside:88b07d9, author = {Joe Stewart}, title = {{Inside the "Ron Paul" Spam Botnet}}, date = {2007-12-04}, organization = {Secureworks}, url = {https://www.secureworks.com/research/srizbi}, language = {English}, urldate = {2020-01-08} } @online{stewart:20071216:pushdo:6a66753, author = {Joe Stewart}, title = {{Pushdo - Analysis of a Modern Malware Distribution System}}, date = {2007-12-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/pushdo}, language = {English}, urldate = {2019-07-09} } @online{stewart:20081015:return:a7f0e96, author = {Joe Stewart}, title = {{The Return of Warezov}}, date = {2008-10-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/warezov}, language = {English}, urldate = {2024-04-29} } @online{stewart:20090623:virut:4fecaeb, author = {Joe Stewart}, title = {{Virut Encryption Analysis}}, date = {2009-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/virut-encryption-analysis}, language = {English}, urldate = {2019-11-27} } @online{stewart:20100303:blackenergy:d3aa259, author = {Joe Stewart}, title = {{BlackEnergy Version 2 Threat Analysis}}, date = {2010-03-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/blackenergy2}, language = {English}, urldate = {2019-10-15} } @online{stewart:20110803:htran:7a67164, author = {Joe Stewart}, title = {{HTran and the Advanced Persistent Threat}}, date = {2011-08-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/htran}, language = {English}, urldate = {2020-01-08} } @online{stewart:20130731:secrets:016bb04, author = {Joe Stewart}, title = {{Secrets of the Comfoo Masters}}, date = {2013-07-31}, organization = {Secureworks}, url = {https://www.secureworks.com/research/secrets-of-the-comfoo-masters}, language = {English}, urldate = {2021-01-27} } @online{stewart:20200514:qnodeservice:603306e, author = {Matthew Stewart}, title = {{QNodeService: Node.js Trojan Spread via Covid-19 Lure}}, date = {2020-05-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/}, language = {English}, urldate = {2020-05-18} } @online{stewart:20211022:threat:0cab124, author = {Caleb Stewart}, title = {{Threat Advisory: Hackers Are Exploiting a Vulnerability in Popular Billing Software to Deploy Ransomware}}, date = {2021-10-22}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware}, language = {English}, urldate = {2021-11-02} } @online{stewart:20230124:unmasking:c26cfce, author = {Joe Stewart and Keegan Keplinger}, title = {{Unmasking Venom Spider}}, date = {2023-01-24}, organization = {eSentire}, url = {https://www.esentire.com/web-native-pages/unmasking-venom-spider}, language = {English}, urldate = {2023-01-25} } @online{stewart:20230426:gootloader:eb8526b, author = {Joe Stewart and Keegan Keplinger}, title = {{Gootloader Unloaded: Researchers Launch Multi-Pronged Offensive Against Gootloader, Cutting Off Traffic to Thousands of Gootloader Web Pages and Using the Operator’s Very Own Tactics to Protect End-Users}}, date = {2023-04-26}, organization = {eSentire}, url = {https://www.esentire.com/web-native-pages/gootloader-unloaded}, language = {English}, urldate = {2023-04-26} } @online{stewart:20230522:hunt:4c2c843, author = {Joe Stewart and Keegan Keplinger}, title = {{The Hunt for VENOM SPIDER PART 2}}, date = {2023-05-22}, organization = {eSentire}, url = {https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2}, language = {English}, urldate = {2023-08-11} } @online{stic:20230314:threat:a45f7a5, author = {STIC}, title = {{[Threat Analysis] CHM malware targeting North Korea-related corporations}}, date = {2023-03-14}, organization = {Secui}, url = {https://stic.secui.com/main/main/threatInfo?id=119}, language = {Korean}, urldate = {2023-03-20} } @online{stirnimann:20190905:doh:cdd8e54, author = {Daniel Stirnimann}, title = {{Tweet on DoH}}, date = {2019-09-05}, organization = {Twitter (@seckle_ch)}, url = {https://twitter.com/seckle_ch/status/1169558035649433600}, language = {English}, urldate = {2020-01-06} } @online{stirnimann:20210619:android:ecea911, author = {Daniel Stirnimann}, title = {{Android FluBot enters Switzerland}}, date = {2021-06-19}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/}, language = {English}, urldate = {2021-06-22} } @online{stnkel:20210714:lockdata:b2e5f34, author = {Nils Stünkel}, title = {{LOCKDATA Auction – Another leak marketplace showing the recent shift of ransomware operators}}, date = {2021-07-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/lockdata-auction-631300}, language = {English}, urldate = {2021-07-20} } @online{stockley:20180731:samsam:c70ea01, author = {Mark Stockley}, title = {{SamSam: The (almost) $6 million ransomware}}, date = {2018-07-31}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/}, language = {English}, urldate = {2022-03-22} } @online{stockley:20180802:how:01d1686, author = {Mark Stockley}, title = {{How to defend yourself against SamSam ransomware}}, date = {2018-08-02}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/}, language = {English}, urldate = {2022-03-22} } @online{stockley:20180911:rise:3ecf259, author = {Mark Stockley}, title = {{The Rise of Targeted Ransomware}}, date = {2018-09-11}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/}, language = {English}, urldate = {2022-03-22} } @online{stockley:20240207:how:46c037a, author = {Mark Stockley}, title = {{How to tell if your toothbrush is being used in a DDoS attack}}, date = {2024-02-07}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/awareness/2024/02/how-to-tell-if-your-toothbrush-is-being-used-in-a-ddos-attack}, language = {English}, urldate = {2024-02-09} } @techreport{stokes:20111111:chinese:8fac765, author = {Mark A. Stokes and Jenny Lin and L.C. Russell Hsiao}, title = {{The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure}}, date = {2011-11-11}, institution = {Project2049}, url = {https://project2049.net/wp-content/uploads/2018/05/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf}, language = {English}, urldate = {2021-05-17} } @online{stokes:20180920:trail:79336e9, author = {Phil Stokes}, title = {{On the Trail of OSX.FairyTale | Adware Playing at Malware}}, date = {2018-09-20}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/}, language = {English}, urldate = {2020-01-08} } @online{stokes:20200515:guide:42eb247, author = {Phil Stokes}, title = {{A Guide to macOS Threat Hunting and Incident Response}}, date = {2020-05-15}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ&xs=123009}, language = {English}, urldate = {2022-03-28} } @online{stokes:20200608:guide:6052f6c, author = {Phil Stokes}, title = {{A Guide to macOS Threat Hunting and Incident Response}}, date = {2020-06-08}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ}, language = {English}, urldate = {2020-06-11} } @online{stokes:20200708:evilquest:aeb5d92, author = {Phil Stokes}, title = {{“EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One}}, date = {2020-07-08}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/}, language = {English}, urldate = {2022-03-02} } @online{stokes:20200727:four:9d80c60, author = {Phil Stokes}, title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}}, date = {2020-07-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/}, language = {English}, urldate = {2020-07-30} } @online{stokes:20201105:resourceful:2b135e6, author = {Phil Stokes}, title = {{Resourceful macOS Malware Hides in Named Fork}}, date = {2020-11-05}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/}, language = {English}, urldate = {2020-11-09} } @online{stokes:20201202:apt32:acd6b3a, author = {Phil Stokes}, title = {{APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique}}, date = {2020-12-02}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/}, language = {English}, urldate = {2020-12-08} } @online{stokes:20210111:fade:70be08e, author = {Phil Stokes}, title = {{FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts}}, date = {2021-01-11}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/}, language = {English}, urldate = {2021-01-18} } @online{stokes:20210318:new:08a6649, author = {Phil Stokes}, title = {{New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor}}, date = {2021-03-18}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/}, language = {English}, urldate = {2021-03-19} } @online{stokes:20210726:detecting:5795d48, author = {Phil Stokes}, title = {{Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger}}, date = {2021-07-26}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/}, language = {English}, urldate = {2021-07-26} } @online{stokes:20210920:defeating:452749e, author = {Phil Stokes}, title = {{Defeating macOS Malware Anti-Analysis Tricks with Radare2}}, date = {2021-09-20}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/}, language = {English}, urldate = {2021-10-11} } @online{stokes:20211115:infect:a1d440c, author = {Phil Stokes}, title = {{Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma}}, date = {2021-11-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/}, language = {English}, urldate = {2021-11-17} } @online{stokes:20220201:sneaky:9162ee7, author = {Phil Stokes}, title = {{Sneaky Spies and Backdoor RATs | SysJoker and DazzleSpy Malware Target macOS}}, date = {2022-02-01}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/}, language = {English}, urldate = {2022-02-07} } @online{stokes:20220321:art:6f00b56, author = {Phil Stokes}, title = {{The Art and Science of macOS Malware Hunting with radare2 | Leveraging Xrefs, YARA and Zignatures}}, date = {2022-03-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/}, language = {English}, urldate = {2022-03-25} } @online{stokes:20230705:bluenoroff:15e17f0, author = {Phil Stokes}, title = {{BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection}}, date = {2023-07-05}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/}, language = {English}, urldate = {2023-07-08} } @online{stokes:20230821:xloaders:5c2fc62, author = {Phil Stokes and Dinesh Devadoss}, title = {{XLoader's Latest Trick | New macOS Variant Disguised as Signed OfficeNote App}}, date = {2023-08-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/}, language = {English}, urldate = {2023-08-22} } @online{stokes:20231127:dprk:524011f, author = {Phil Stokes}, title = {{DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads}}, date = {2023-11-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/}, language = {English}, urldate = {2025-01-14} } @online{stokes:20250203:macos:425c785, author = {Phil Stokes and Tom Hegel}, title = {{macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed}}, date = {2025-02-03}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/}, language = {English}, urldate = {2025-02-04} } @online{stokkel:20220429:adventures:7be43ad, author = {Mike Stokkel and Nikolaos Totosis and Nikolaos Pantazopoulos}, title = {{Adventures in the land of BumbleBee – a new malicious loader}}, date = {2022-04-29}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/}, language = {English}, urldate = {2022-04-29} } @online{stokkel:20240718:apt41:a475461, author = {Mike Stokkel and Pierre Gerlings and RENATO FONTANA and Luis Rocha and Jared Wilson and Stephen Eckels and Jonathan Lepore}, title = {{APT41 Has Arisen From the DUST}}, date = {2024-07-18}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust}, language = {English}, urldate = {2024-09-13} } @online{stokkel:20240718:apt41:d9f4fb6, author = {Mike Stokkel}, title = {{APT41 Has Arisen From the DUST}}, date = {2024-07-18}, organization = {Mandiant}, url = {https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust?hl=en}, language = {English}, urldate = {2024-09-13} } @online{stolyarov:20220317:exposing:5f565b6, author = {Vladislav Stolyarov and Benoit Sevens}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti}, language = {English}, urldate = {2022-05-17} } @online{stolyarov:20220317:exposing:f818c6d, author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/}, language = {English}, urldate = {2022-03-18} } @online{stone:201901:unpacking:2723833, author = {Maddie Stone}, title = {{Unpacking the packed unpacker: reversing an Android anti-analysis native library}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/}, language = {English}, urldate = {2019-12-17} } @techreport{stone:20190812:chamois:867267c, author = {Maddie Stone}, title = {{Chamois: Android's Most Impactful Botnet of 2018}}, date = {2019-08-12}, institution = {Kaspersky SAS}, url = {https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf}, language = {English}, urldate = {2020-01-10} } @online{stone:20201117:fin7:bea93b1, author = {Jeff Stone}, title = {{FIN7 recruiter Andrii Kolpakov pleads guilty to role in global hacking scheme}}, date = {2020-11-17}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/fin7-recruiter-andrii-kolpakov-pleads-guilty-role-global-hacking-scheme/}, language = {English}, urldate = {2020-11-19} } @online{stone:20210203:dj:50329e2, author = {Maddie Stone}, title = {{Déjà vu-lnerability A Year in Review of 0-days Exploited In-The-Wild in 2020}}, date = {2021-02-03}, organization = {Google Project Zero}, url = {https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html}, language = {English}, urldate = {2021-02-04} } @online{stone:20210714:how:38dfdc6, author = {Maddie Stone and Clement Lecigne and Google Threat Analysis Group}, title = {{How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)}}, date = {2021-07-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/}, language = {English}, urldate = {2021-07-26} } @online{stone:20211102:us:b3dc739, author = {Jeff Stone}, title = {{US seeks extradition of alleged Ukrainian scammer arrested at Polish border stop}}, date = {2021-11-02}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/yaroslav-vasinskyi-arrest-poland-us-hacker/}, language = {English}, urldate = {2021-11-09} } @online{stone:20220310:muddywater:7f13598, author = {Brian Stone}, title = {{MuddyWater targets Middle Eastern and Asian countries in phishing attacks}}, date = {2022-03-10}, organization = {TechRepublic}, url = {https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/}, language = {English}, urldate = {2022-03-14} } @online{stone:20250228:new:dd9223b, author = {Noah Stone}, title = {{New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran}}, date = {2025-02-28}, organization = {Greynoise}, url = {https://www.greynoise.io/blog/new-ddos-botnet-discovered}, language = {English}, urldate = {2025-03-21} } @online{stonegross:20140807:malware:5bb1963, author = {Brett Stone-Gross}, title = {{Malware Analysis of the Lurk Downloader}}, date = {2014-08-07}, organization = {Secureworks}, url = {https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader}, language = {English}, urldate = {2019-12-19} } @online{stonegross:20141217:dyre:8486e19, author = {Brett Stone-Gross and Pallav Khandhar}, title = {{Dyre Banking Trojan}}, date = {2014-12-17}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dyre-banking-trojan}, language = {English}, urldate = {2021-05-28} } @online{stonegross:20151013:dridex:46d9a58, author = {Brett Stone-Gross}, title = {{Dridex (Bugat v5) Botnet Takeover Operation}}, date = {2015-10-13}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation}, language = {English}, urldate = {2020-01-08} } @online{stonegross:20181205:farewell:54e18a4, author = {Brett Stone-Gross and Tillmann Werner and Bex Hartley}, title = {{Farewell to Kelihos and ZOMBIE SPIDER}}, date = {2018-12-05}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/}, language = {English}, urldate = {2021-05-31} } @online{stonegross:20190712:bitpaymer:113a037, author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley}, title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}}, date = {2019-07-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/}, language = {English}, urldate = {2023-12-27} } @online{stonegross:20210330:ares:6bae793, author = {Brett Stone-Gross}, title = {{Ares Malware: The Grandson of the Kronos Banking Trojan}}, date = {2021-03-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan}, language = {English}, urldate = {2021-03-31} } @online{stonegross:20210728:doppelpaymer:5deeffe, author = {Brett Stone-Gross}, title = {{DoppelPaymer Continues to Cause Grief Through Rebranding}}, date = {2021-07-28}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding}, language = {English}, urldate = {2021-08-02} } @online{stonegross:20220325:conti:0d568cc, author = {Brett Stone-Gross}, title = {{Conti Ransomware Attacks Persist With an Updated Version Despite Leaks}}, date = {2022-03-25}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks}, language = {English}, urldate = {2022-03-28} } @online{stonegross:20220906:ares:e7ddb5d, author = {Brett Stone-Gross}, title = {{The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA}}, date = {2022-09-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga}, language = {English}, urldate = {2022-09-07} } @online{stonegross:20221220:nokoyawa:345657b, author = {Brett Stone-Gross}, title = {{Nokoyawa Ransomware: Rust or Bust}}, date = {2022-12-20}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust}, language = {English}, urldate = {2022-12-24} } @online{stonegross:20230306:nevada:8fe3627, author = {Brett Stone-Gross}, title = {{Nevada Ransomware: Yet Another Nokoyawa Variant}}, date = {2023-03-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant}, language = {English}, urldate = {2024-02-02} } @online{stonegross:20230306:nevada:98b0aa9, author = {Brett Stone-Gross}, title = {{Nevada Ransomware: Yet Another Nokayawa Variant Nevada ransomware}}, date = {2023-03-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant}, language = {English}, urldate = {2023-03-20} } @online{stonegross:20230524:technical:0fd35e0, author = {Brett Stone-Gross and Nikolaos Pantazopoulos}, title = {{Technical Analysis of Pikabot}}, date = {2023-05-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot}, language = {English}, urldate = {2023-05-26} } @online{stonegross:20230615:mystic:bb82f73, author = {Brett Stone-Gross}, title = {{Mystic Stealer: The New Kid on the Block}}, date = {2023-06-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/mystic-stealer}, language = {English}, urldate = {2023-07-11} } @online{stonegross:20250326:coffeeloader:d45d55f, author = {Brett Stone-Gross}, title = {{CoffeeLoader: A Brew of Stealthy Techniques}}, date = {2025-03-26}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-techniques}, language = {English}, urldate = {2025-03-27} } @online{stoner:20201217:onboarding:cef2450, author = {John Stoner}, title = {{Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued}}, date = {2020-12-17}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html}, language = {English}, urldate = {2021-01-11} } @online{stoner:20210104:detecting:c521df9, author = {John Stoner}, title = {{Detecting Supernova Malware: SolarWinds Continued}}, date = {2021-01-04}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html}, language = {English}, urldate = {2021-01-10} } @online{stoner:20210312:detecting:b7b189e, author = {John Stoner and Mick Baccio and James Brodsky and Shannon Davis and Michael Haag and Amy Heng and Jose Hernandez and Dave Herrald and Derek King and Ryan Kovar and Marcus LaFerrera}, title = {{Detecting Microsoft Exchange Vulnerabilities - 0 + 8 Days Later…}}, date = {2021-03-12}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-microsoft-exchange-vulnerabilities-0-8-days-later.html}, language = {English}, urldate = {2021-03-16} } @online{stoner:20210422:supernova:53b895c, author = {John Stoner and Mick Baccio and Katie Brown and James Brodsky and Drew Church and Dave Herrald and Ryan Kovar and Marcus LaFerrera and Michael Natkin}, title = {{SUPERNOVA Redux, with a Generous Portion of Masquerading}}, date = {2021-04-22}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html}, language = {English}, urldate = {2021-04-28} } @online{stories:20210718:about:a2f3e87, author = {forbidden stories}, title = {{About The Pegasus Project}}, date = {2021-07-18}, organization = {forbidden stories}, url = {https://forbiddenstories.org/about-the-pegasus-project/}, language = {English}, urldate = {2021-07-24} } @online{stotomas:20210924:examining:9165fe5, author = {Warren Sto.Tomas}, title = {{Examining the Cring Ransomware Techniques}}, date = {2021-09-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html}, language = {English}, urldate = {2021-09-29} } @online{stout:20210930:credential:c5ca608, author = {Brady Stout}, title = {{Credential Harvesting at Scale Without Malware}}, date = {2021-09-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/credential-harvesting/}, language = {English}, urldate = {2021-10-11} } @online{strangerealintel:20190910:gamaredon:282777f, author = {StrangerealIntel}, title = {{Gamaredon Analysis}}, date = {2019-09-10}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon}, language = {English}, urldate = {2020-01-09} } @online{strangerealintel:20191010:analysis:45d6c09, author = {StrangerealIntel}, title = {{Analysis of the new TA505 campaign}}, date = {2019-10-10}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md}, language = {English}, urldate = {2020-01-13} } @online{strangerealintel:20200402:dangerous:f169889, author = {StrangerealIntel}, title = {{Dangerous Password}}, date = {2020-04-02}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md}, language = {English}, urldate = {2023-07-19} } @online{strangerealintel:20200907:time:07064dc, author = {StrangerealIntel}, title = {{Time to take the bull by the horns}}, date = {2020-09-07}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md}, language = {English}, urldate = {2020-09-15} } @online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } @online{strangerealintel:20210825:fin7:3e180fc, author = {StrangerealIntel}, title = {{FIN7 still active}}, date = {2021-08-25}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/FIN7/2021-08-24/Analysis.md}, language = {English}, urldate = {2021-08-25} } @techreport{strategists:20180723:longterm:cb4f35d, author = {Cyber Security Strategists}, title = {{A long-term espionage campaign in Syria}}, date = {2018-07-23}, institution = {CSS}, url = {https://web.archive.org/web/20180827024318/http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf}, language = {English}, urldate = {2023-10-05} } @online{stratton:20220912:raccoon:3a04b24, author = {Aaron Stratton}, title = {{Raccoon Stealer v2 Malware Analysis}}, date = {2022-09-12}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8}, language = {English}, urldate = {2022-09-26} } @online{straw:20220602:modpipe:8215b5e, author = {Sean Straw}, title = {{ModPipe POS Malware: New Hooking Targets Extract Card Data}}, date = {2022-06-02}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data}, language = {English}, urldate = {2022-08-31} } @online{straw:20240118:open:9a98974, author = {Sean Straw}, title = {{Open the DARKGATE – Brute Forcing DARKGATE Encodings}}, date = {2024-01-18}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/brute-forcing-darkgate-encodings}, language = {English}, urldate = {2024-03-04} } @online{strehovsk:20230915:reverse:c34ac82, author = {Michal Strehovský}, title = {{Reverse engineering natively-compiled .NET apps}}, date = {2023-09-15}, organization = {Migeel.sk}, url = {https://migeel.sk/blog/2023/09/15/reverse-engineering-natively-compiled-dotnet-apps/}, language = {English}, urldate = {2023-09-20} } @online{strickland:20160503:continuing:b510b54, author = {Kevin Strickland}, title = {{The Continuing Evolution of Samas Ransomware}}, date = {2016-05-03}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/samas-ransomware}, language = {English}, urldate = {2021-05-28} } @online{strike:2012:cobalt:8522cdd, author = {Cobalt Strike}, title = {{Cobalt Strike Website}}, date = {2012}, organization = {Cobalt Strike}, url = {https://www.cobaltstrike.com/support}, language = {English}, urldate = {2020-01-13} } @online{strino:20190902:manually:d43dead, author = {Alessandro Strino}, title = {{Manually unpacking of packed executable}}, date = {2019-09-02}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2021/09/manually-unpacking-of-packed-executable/}, language = {English}, urldate = {2024-04-02} } @online{strino:20230203:pixpirate:89bbda9, author = {Alessandro Strino and Francesco Iubatti}, title = {{PixPirate: a new Brazilian Banking Trojan}}, date = {2023-02-03}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan}, language = {English}, urldate = {2023-02-06} } @online{strino:20230314:dynamic:569ed46, author = {Alessandro Strino}, title = {{Dynamic Binary Instrumentation for Malware Analysis}}, date = {2023-03-14}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2023/03/dynamic-binary-instrumentation-for-malware-analysis/}, language = {English}, urldate = {2024-04-02} } @online{strino:20230508:extracting:2957b3f, author = {Alessandro Strino}, title = {{Extracting DDosia targets from process memory}}, date = {2023-05-08}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2023/05/extracting-ddosia-targets-from-process-memory/}, language = {English}, urldate = {2023-05-23} } @online{strino:20230627:idapython:cb8b236, author = {Alessandro Strino}, title = {{IDA-Python - Locate a function independently from its offset}}, date = {2023-06-27}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2023/06/ida-python-locate-a-function-independently-from-its-offset/}, language = {English}, urldate = {2024-04-02} } @online{strino:20230829:agent:e2ea59f, author = {Alessandro Strino}, title = {{Agent Tesla - Building an effective decryptor}}, date = {2023-08-29}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2023/08/agent-tesla-building-an-effective-decryptor/}, language = {English}, urldate = {2024-04-02} } @online{strino:20231025:vidar:6d0680a, author = {Alessandro Strino}, title = {{Vidar - payload inspection with static analysis}}, date = {2023-10-25}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2023/10/vidar-payload-inspection-with-static-analysis/}, language = {English}, urldate = {2024-04-02} } @online{strino:20231115:applied:7531815, author = {Alessandro Strino}, title = {{Applied Emulation - Analysis of MarsStealer}}, date = {2023-11-15}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2023/11/applied-emulation-analysis-of-marsstealer/}, language = {English}, urldate = {2024-04-02} } @online{strino:20231220:applied:939cf5d, author = {Alessandro Strino}, title = {{Applied Emulation - Decrypting Ursnif strings with Unicorn}}, date = {2023-12-20}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2023/12/applied-emulation-decrypting-ursnif-strings-with-unicorn/}, language = {English}, urldate = {2024-04-02} } @online{strino:20240204:understanding:eee5608, author = {Alessandro Strino}, title = {{Understanding PEB and LDR Structures using IDA and LummaStealer}}, date = {2024-02-04}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/}, language = {English}, urldate = {2024-04-02} } @online{strino:20240324:understanding:b7c33aa, author = {Alessandro Strino}, title = {{Understanding API Hashing and build a rainbow table for LummaStealer}}, date = {2024-03-24}, organization = {Viuleeenz}, url = {https://viuleeenz.github.io/posts/2024/03/understanding-api-hashing-and-build-a-rainbow-table-for-lummastealer/}, language = {English}, urldate = {2024-03-28} } @online{strino:20240731:bingomod:9104b7d, author = {Alessandro Strino and Simone Mattia}, title = {{BingoMod: The new android RAT that steals money and wipes data}}, date = {2024-07-31}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data}, language = {English}, urldate = {2024-11-07} } @online{strmberg:20230514:fun:778ad3b, author = {Thomas Strömberg}, title = {{Fun with the new bpfdoor (2023)}}, date = {2023-05-14}, organization = {unfinished.bike}, url = {https://unfinished.bike/fun-with-the-new-bpfdoor-2023}, language = {English}, urldate = {2023-05-24} } @online{strobel:20210102:how:8e88aba, author = {Warren Strobel and Georgi Kantchev}, title = {{How Russia’s ‘Info Warrior’ Hackers Let Kremlin Play Geopolitics on the Cheap}}, date = {2021-01-02}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/how-russias-info-warrior-hackers-let-kremlin-play-geopolitics-on-the-cheap-11609592401}, language = {English}, urldate = {2021-01-05} } @online{stroffolino:20250108:cyber:502954e, author = {Rich Stroffolino}, title = {{Cyber Security News: Cyber Trust label, UK deepfake laws, Treasury attack details}}, date = {2025-01-08}, organization = {CISO Series}, url = {https://cisoseries.com/cyber-security-news-cyber-trust-label-uk-deepfake-laws-treasury-attack-details/}, language = {English}, urldate = {2025-01-14} } @online{stroke:20160424:takingdown:257f1eb, author = {HaX StroKE}, title = {{TakingDown NASA subdomains + Saphyra DDoS Download ( LulzSecGlobal + GSH )}}, date = {2016-04-24}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=Bk-utzAlYFI}, language = {English}, urldate = {2019-11-27} } @online{strom:20150928:hammertoss:b643bfe, author = {David Strom}, title = {{Hammertoss: What, Me Worry?}}, date = {2015-09-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/hammertoss-what-me-worry/}, language = {English}, urldate = {2021-02-10} } @online{stroschein:20181105:data:83da066, author = {Josh Stroschein}, title = {{Data Talks: Deeper Down the Rabbit Hole: Second-Stage Attack and a Fileless Finale}}, date = {2018-11-05}, organization = {Bromium}, url = {https://www.bromium.com/second-stage-attack-analysis/}, language = {English}, urldate = {2020-04-16} } @online{stroschein:20200403:unpacking:f2daf3d, author = {Josh Stroschein}, title = {{Unpacking a Trojan with Ghidra and x64dbg}}, date = {2020-04-03}, url = {https://www.youtube.com/watch?v=u2HEGDzd8KM}, language = {English}, urldate = {2020-04-06} } @online{stroschein:20200422:gomorrah:7420778, author = {Josh Stroschein}, title = {{Gomorrah stealer (.NET binary)}}, date = {2020-04-22}, organization = {Github (jstrosch)}, url = {https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April}, language = {English}, urldate = {2020-05-18} } @online{stroschein:20230131:investigating:1c660cf, author = {Josh Stroschein}, title = {{Investigating NullMixer - Identifying Initial Packing Techniques (Part 1)}}, date = {2023-01-31}, url = {https://www.youtube.com/watch?v=92jKJ_G_6ho}, language = {English}, urldate = {2023-02-06} } @online{stroschein:20230203:unpacking:a6b8603, author = {Josh Stroschein}, title = {{Unpacking NullMixer - Identifying and Unraveling ASPack (Part 2)}}, date = {2023-02-03}, organization = {Youtube (Dr Josh Stroschein)}, url = {https://www.youtube.com/watch?v=yLQfDk3dVmA}, language = {English}, urldate = {2023-02-06} } @online{stroschein:20230204:investigating:3798dbd, author = {Josh Stroschein}, title = {{Investigating NullMixer Network Traffic: Utilizing Suricata and Evebox (Part 3)}}, date = {2023-02-04}, organization = {Youtube (Dr Josh Stroschein)}, url = {https://www.youtube.com/watch?v=v_K_zoPGpdk}, language = {English}, urldate = {2023-02-06} } @online{stroud:20210520:8220:c309f60, author = {Jared Stroud and Chris Hall and Tom Hegel}, title = {{8220 Gangs Recent use of Custom Miner and Botnet}}, date = {2021-05-20}, organization = {lacework}, url = {https://www.lacework.com/8220-gangs-recent-use-of-custom-miner-and-botnet/}, language = {English}, urldate = {2021-05-26} } @online{stroud:20210923:hcrootkit:5100508, author = {Jared Stroud and Tom Hegel}, title = {{HCRootkit / Sutersu Linux Rootkit Analysis}}, date = {2021-09-23}, organization = {lacework}, url = {https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/}, language = {English}, urldate = {2024-03-12} } @online{strozyk:20200131:deutsches:d0a9221, author = {Jan Lukas Strozyk}, title = {{Deutsches Chemieunternehmen gehackt}}, date = {2020-01-31}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html}, language = {German}, urldate = {2020-02-03} } @techreport{struggle:20200506:leery:ec06996, author = {Cyber Struggle}, title = {{Leery Turtle Threat Report}}, date = {2020-05-06}, institution = {Cyber Struggle}, url = {https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf}, language = {English}, urldate = {2021-06-09} } @online{stubbs:20200127:exclusive:96b400c, author = {Jack Stubbs and Christopher Bing and Joseph Menn}, title = {{Exclusive: Hackers acting in Turkey's interests believed to be behind recent cyberattacks - sources}}, date = {2020-01-27}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X}, language = {English}, urldate = {2023-08-11} } @online{su:20191211:waterbear:3538eb5, author = {Vickie Su and Anita Hsieh and Dove Chiu}, title = {{Waterbear Returns, Uses API Hooking to Evade Security}}, date = {2019-12-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html}, language = {English}, urldate = {2021-04-20} } @online{su:20220902:buzzing:b0ee3d2, author = {Vickie Su and Ted Lee and Nick Dai}, title = {{Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm}}, date = {2022-09-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html}, language = {English}, urldate = {2022-09-19} } @online{subramanian:20200818:new:3a704b6, author = {Krishnan Subramanian}, title = {{New Attack Alert: Duri}}, date = {2020-08-18}, organization = {Menlo Security}, url = {https://www.menlosecurity.com/blog/new-attack-alert-duri}, language = {English}, urldate = {2020-08-19} } @online{subramanian:20201217:increase:d602083, author = {Krishnan Subramanian}, title = {{Increase In Attack: SocGholish}}, date = {2020-12-17}, organization = {Menlo Security}, url = {https://www.menlosecurity.com/blog/increase-in-attack-socgholish}, language = {English}, urldate = {2022-03-08} } @online{sucuri:20190402:backdoor:eac33dc, author = {Sucuri}, title = {{backdoor connectback}}, date = {2019-04-02}, organization = {SUCURI}, url = {https://labs.sucuri.net/signatures/malwares/pl-backdoor-connectback-001/}, language = {English}, urldate = {2023-06-12} } @techreport{sucuri:20220422:2021:e28e63b, author = {Sucuri}, title = {{2021 Website Threat Research Report}}, date = {2022-04-22}, institution = {SUCURI}, url = {https://sucuri.net/wp-content/uploads/2022/04/22-sucuri-2021-hacked-report.pdf}, language = {English}, urldate = {2022-05-04} } @online{suderman:20210329:ap:a4795b8, author = {Alan Suderman}, title = {{AP sources: SolarWinds hack got emails of top DHS officials}}, date = {2021-03-29}, organization = {Associated Press}, url = {https://apnews.com/article/solarwinds-hack-email-top-dhs-officials-8bcd4a4eb3be1f8f98244766bae70395}, language = {English}, urldate = {2021-03-31} } @online{sudhan:20220708:beware:d92bc09, author = {Harihara Sudhan}, title = {{Beware of Root Certs in VPN}}, date = {2022-07-08}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/beware-of-root-certs-in-vpn/}, language = {English}, urldate = {2024-02-09} } @online{sudhan:20250218:exposing:320bb10, author = {Harihara Sudhan}, title = {{Exposing the Deceit: Phishing Sites Impersonating Government Entities}}, date = {2025-02-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/exposing-the-deceit-phishing-sites-impersonating-government-entities/}, language = {English}, urldate = {2025-03-05} } @online{sudhendu:20181016:how:8aa1eed, author = {Sudhendu}, title = {{How to understand FormBook - A New Malware-as-a-Service}}, date = {2018-10-16}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?}, language = {English}, urldate = {2020-01-09} } @online{sudhendu:20181101:how:582221a, author = {Sudhendu}, title = {{How to Analyse FormBook - A New Malware-as-a-Service}}, date = {2018-11-01}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent}, language = {English}, urldate = {2019-12-17} } @online{suh:20210126:w4:138a143, author = {Hyunmin Suh}, title = {{W4 Jan | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-01-26}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1}, language = {English}, urldate = {2021-01-27} } @online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } @online{suh:20210517:w3:0e9b789, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim and YH Jeong}, title = {{W3 May | EN | Story of the week: Code Signing Certificate on the Darkweb}}, date = {2021-05-17}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001}, language = {English}, urldate = {2021-06-16} } @online{suh:20210525:w4:b927684, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim}, title = {{W4 May | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-05-25}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f}, language = {English}, urldate = {2021-06-16} } @online{suh:20210603:w1:f034ac8, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim and YH Jeong}, title = {{W1 Jun | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-06-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b}, language = {English}, urldate = {2021-06-16} } @online{suhanov:20210608:measured:471da8d, author = {Maxim Suhanov}, title = {{Measured Boot and Malware Signatures: exploring two vulnerabilities found in the Windows loader}}, date = {2021-06-08}, organization = {Medium BI.ZONE}, url = {https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66}, language = {English}, urldate = {2021-06-21} } @online{suiche:20170512:wannacry:f79fed5, author = {Matt Suiche}, title = {{WannaCry — The largest ransom-ware infection in History}}, date = {2017-05-12}, organization = {Comae}, url = {https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58}, language = {English}, urldate = {2020-01-06} } @online{suiche:20170514:wannacry:b2c62ca, author = {Matt Suiche}, title = {{WannaCry — New Variants Detected!}}, date = {2017-05-14}, organization = {Comae}, url = {https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e}, language = {English}, urldate = {2020-01-08} } @online{suiche:20170519:wannacry:81703ac, author = {Matt Suiche}, title = {{WannaCry — Decrypting files with WanaKiwi + Demos}}, date = {2017-05-19}, organization = {Comae}, url = {https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d}, language = {English}, urldate = {2019-10-25} } @online{suiche:20170628:petya2017:b147c0a, author = {Matt Suiche}, title = {{Petya.2017 is a wiper not a ransomware}}, date = {2017-06-28}, organization = {Comae}, url = {https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b}, language = {English}, urldate = {2020-01-06} } @online{suiche:20200222:active:81a954b, author = {Matt Suiche}, title = {{Active Email Campaign Identified With Malicious Excel Files}}, date = {2020-02-22}, organization = {Comae}, url = {https://blog.comae.io/active-email-campaign-identified-with-malicious-excel-files-174bbde91fc1}, language = {English}, urldate = {2020-06-16} } @online{suiche:20200313:yet:d14d3a8, author = {Matt Suiche}, title = {{Yet Another Active Email Campaign With Malicious Excel Files Identified}}, date = {2020-03-13}, organization = {Comae}, url = {https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/}, language = {English}, urldate = {2021-04-06} } @online{suiche:20201225:sunburst:4169084, author = {Matt Suiche}, title = {{SUNBURST & Memory Analysis}}, date = {2020-12-25}, organization = {Comae}, url = {https://www.comae.com/posts/sunburst-memory-analysis/}, language = {English}, urldate = {2020-12-26} } @online{suiche:20210126:pandorabox:0fc91d0, author = {Matt Suiche}, title = {{PANDORABOX - North Koreans target security researchers}}, date = {2021-01-26}, organization = {Comae}, url = {https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/}, language = {English}, urldate = {2021-01-27} } @online{suite:20210302:malicious:b672ae6, author = {Cerbero Suite}, title = {{Malicious Excel Document Analysis in Cerbero Suite}}, date = {2021-03-02}, organization = {YouTube (Cerbero Suite)}, url = {https://www.youtube.com/watch?v=pSWfD-lMf4I}, language = {English}, urldate = {2021-03-04} } @online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } @online{sumalapao:20160512:chineselanguage:f968de7, author = {Jasen Sumalapao and Lion Gu}, title = {{Chinese-language Ransomware ‘SHUJIN’ Makes An Appearance}}, date = {2016-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/}, language = {English}, urldate = {2020-01-09} } @online{summerlin:20200103:demystifying:c0a1a19, author = {Nick Summerlin and Jorge Rodriguez}, title = {{Demystifying QBot Banking Trojan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=iB1psRMtlqg}, language = {English}, urldate = {2020-02-21} } @techreport{summers:20160415:2016:3d22a6f, author = {Grady Summers}, title = {{2016 THREAT BRIEFING: “GOOD ENOUGH” IS NOT GOOD ENOUGH}}, date = {2016-04-15}, institution = {FireEye}, url = {http://fireeyeday.com/1604/pdf/KeyNote_2.pdf}, language = {English}, urldate = {2020-01-15} } @online{sun:20150204:pawn:58d080c, author = {Lambert Sun and Brooks Hong and Feike Hacquebord}, title = {{Pawn Storm Update: iOS Espionage App Found}}, date = {2015-02-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/}, language = {English}, urldate = {2020-05-18} } @online{sun:20190117:google:cefba64, author = {Kevin Sun}, title = {{Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics}}, date = {2019-01-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/}, language = {English}, urldate = {2019-11-25} } @techreport{sundhar:20171012:doghousepower:c5a7e4e, author = {Shyaam Sundhar}, title = {{DogHousePower: Python Based Ransomware}}, date = {2017-10-12}, institution = {Paladion}, url = {http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf}, language = {English}, urldate = {2020-01-08} } @online{sunkavally:20220713:long:a81b36f, author = {Naveen Sunkavally}, title = {{The Long Tail of Log4Shell Exploitation}}, date = {2022-07-13}, organization = {HORIZON3.ai}, url = {https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/}, language = {English}, urldate = {2022-07-15} } @online{superkhung:20200303:github:8ea37ed, author = {superkhung}, title = {{GitHub Repository: winnti-sniff}}, date = {2020-03-03}, organization = {GIthub (superkhung)}, url = {https://github.com/superkhung/winnti-sniff}, language = {English}, urldate = {2020-03-04} } @online{support:20180617:storwize:8759428, author = {IBM Support}, title = {{Storwize USB Initialization Tool may contain malicious code}}, date = {2018-06-17}, organization = {IBM}, url = {https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146}, language = {English}, urldate = {2020-01-07} } @online{suqitian:20170527:from:6c80cf6, author = {suqitian}, title = {{From PDNS: Another fix length of 7, a-z. tlds: [ru, com]}}, date = {2017-05-27}, organization = {Netlab}, url = {https://github.com/360netlab/DGA/issues/36}, language = {English}, urldate = {2023-05-15} } @online{sur:20210308:sunshuttle:a45d8a5, author = {Suvaditya Sur}, title = {{Sunshuttle Malware}}, date = {2021-03-08}, organization = {x0r19x91.gitlab.io}, url = {https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/}, language = {English}, urldate = {2021-03-11} } @online{sur:20210617:analysis:74f0f46, author = {Suvaditya Sur}, title = {{Analysis of SmokeLoader}}, date = {2021-06-17}, url = {https://suvaditya.one/malware-analysis/smokeloader/}, language = {English}, urldate = {2022-07-13} } @online{surana:20210416:could:bb769ca, author = {Nitesh Surana}, title = {{Could the Microsoft Exchange breach be stopped?}}, date = {2021-04-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html}, language = {English}, urldate = {2021-05-11} } @online{surana:20211203:vulnerabilities:a406a52, author = {Nitesh Surana}, title = {{Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify}}, date = {2021-12-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-gitHub-netlify.html}, language = {English}, urldate = {2021-12-07} } @online{surana:20220420:analyzing:e777903, author = {Nitesh Surana and Ashish Verma}, title = {{Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners}}, date = {2022-04-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html}, language = {English}, urldate = {2022-05-04} } @online{surana:20220908:how:a5c5cf6, author = {Nitesh Surana and David Fiser and Alfredo Oliveira}, title = {{How Malicious Actors Abuse Native Linux Tools in Attacks}}, date = {2022-09-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html}, language = {English}, urldate = {2022-09-19} } @online{surana:20220912:security:14e0203, author = {Nitesh Surana}, title = {{Security Breaks: TeamTNT’s DockerHub Credentials Leak}}, date = {2022-09-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html}, language = {English}, urldate = {2022-09-19} } @online{surana:20230519:rustbased:b317fcd, author = {Nitesh Surana and Jaromír Hořejší}, title = {{Rust-Based Info Stealers Abuse GitHub Codespaces}}, date = {2023-05-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html}, language = {English}, urldate = {2023-06-01} } @online{suslova:20211110:he:f915f5b, author = {Ekaterina Suslova and Aleksey Polyakov and Elizaveta Koroleva and Alena Goinskaya}, title = {{"He does not get in touch": what is known about Barnaul, wanted by the FBI on charges of cybercrime}}, date = {2021-11-10}, organization = {RT on the Russian}, url = {https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo}, language = {Russian}, urldate = {2021-11-19} } @techreport{svajcer:20160302:dissecting:e8721e3, author = {Vanja Svajcer}, title = {{Dissecting Derusbi}}, date = {2016-03-02}, institution = {RSA Conference}, url = {https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf}, language = {English}, urldate = {2020-02-27} } @online{svajcer:20170523:modified:5eb551e, author = {Vanja Svajcer}, title = {{Modified Zyklon and plugins from India}}, date = {2017-05-23}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html}, language = {English}, urldate = {2020-01-08} } @online{svajcer:20180731:multiple:15a3457, author = {Vanja Svajcer}, title = {{Multiple Cobalt Personality Disorder}}, date = {2018-07-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html}, language = {English}, urldate = {2019-12-15} } @online{svajcer:20190530:10:82553e1, author = {Vanja Svajcer}, title = {{10 years of virtual dynamite: A high-level retrospective of ATM malware}}, date = {2019-05-30}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html}, language = {English}, urldate = {2019-11-24} } @online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } @online{svajcer:20200402:azorult:97b15f2, author = {Vanja Svajcer}, title = {{AZORult brings friends to the party}}, date = {2020-04-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html}, language = {English}, urldate = {2020-04-07} } @online{svajcer:20200722:prometei:f54e4bf, author = {Vanja Svajcer}, title = {{Prometei botnet and its quest for Monero}}, date = {2020-07-22}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html}, language = {English}, urldate = {2020-12-15} } @online{svajcer:20201201:xanthe:ee9ae54, author = {Vanja Svajcer and Adam Pridgen}, title = {{Xanthe - Docker aware miner}}, date = {2020-12-01}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html}, language = {English}, urldate = {2020-12-08} } @online{svajcer:20210217:masslogger:cd9e6fb, author = {Vanja Svajcer}, title = {{Masslogger campaigns exfiltrates user credentials}}, date = {2021-02-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html}, language = {English}, urldate = {2021-02-20} } @online{svajcer:20210421:year:4741c8e, author = {Vanja Svajcer}, title = {{A year of Fajan evolution and Bloomberg themed campaigns}}, date = {2021-04-21}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html}, language = {English}, urldate = {2021-04-28} } @online{svajcer:20210603:necro:acd2fdf, author = {Vanja Svajcer and Caitlin Huey and Kendall McKay}, title = {{Necro Python bot adds new exploits and Tezos mining to its bag of tricks}}, date = {2021-06-03}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html}, language = {English}, urldate = {2021-06-16} } @online{svajcer:20210812:signed:728ea8f, author = {Vanja Svajcer}, title = {{Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT}}, date = {2021-08-12}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html}, language = {English}, urldate = {2021-08-20} } @online{svajcer:20220209:whats:91fb2d8, author = {Vanja Svajcer and Vitor Ventura}, title = {{What’s with the shared VBA code between Transparent Tribe and other threat actors?}}, date = {2022-02-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html}, language = {English}, urldate = {2022-02-14} } @online{svajcer:20220830:modernloader:5b62dce, author = {Vanja Svajcer}, title = {{ModernLoader delivers multiple stealers, cryptominers and RATs}}, date = {2022-08-30}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html}, language = {English}, urldate = {2022-08-31} } @online{svajcer:20250618:famous:26e4fc7, author = {Vanja Svajcer}, title = {{Famous Chollima deploying Python version of GolangGhost RAT}}, date = {2025-06-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/python-version-of-golangghost-rat/}, language = {English}, urldate = {2025-06-25} } @online{svch0st:20210507:stats:11919e5, author = {svch0st}, title = {{Stats from Hunting Cobalt Strike Beacons}}, date = {2021-05-07}, organization = {Medium svch0st}, url = {https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b}, language = {English}, urldate = {2021-05-08} } @online{svch0st:20210725:guide:28267fd, author = {svch0st}, title = {{Guide to Named Pipes and Hunting for Cobalt Strike Pipes}}, date = {2021-07-25}, organization = {Medium svch0st}, url = {https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575}, language = {English}, urldate = {2021-08-02} } @online{svistunova:20220324:phishingkit:4895450, author = {Olga Svistunova and Anton Yatsenko}, title = {{Phishing-kit market: what’s inside “off-the-shelf” phishing packages}}, date = {2022-03-24}, organization = {Kaspersky}, url = {https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/}, language = {English}, urldate = {2022-03-25} } @online{svthreatintel:20220119:white:0e26f48, author = {SVThreatIntel}, title = {{White Rabbit Ransomware: Propagation, Exploitation, and Indicators of Compromise}}, date = {2022-01-19}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/61e7f74a936eea5d44026b8e}, language = {English}, urldate = {2023-04-26} } @online{swagkarna:20220325:rafel:8abf617, author = {Github (@swagkarna)}, title = {{Rafel Rat GitHub repository}}, date = {2022-03-25}, url = {https://github.com/swagkarna/Rafel-Rat}, language = {English}, urldate = {2022-04-29} } @online{swagler:20211102:fbi:6fe349f, author = {Chris Swagler}, title = {{FBI Warning: HelloKitty Ransomware Add DDoS to Extortion Arsenal}}, date = {2021-11-02}, organization = {SpearTip}, url = {https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/}, language = {English}, urldate = {2021-11-03} } @online{swanbeck:20210219:how:1b27e22, author = {Sonja Swanbeck}, title = {{How to Understand Iranian Information Operations}}, date = {2021-02-19}, organization = {Lawfare Blog}, url = {https://www.lawfareblog.com/how-understand-iranian-information-operations}, language = {English}, urldate = {2021-02-20} } @online{swapnil:20231212:rhysida:9aba4f3, author = {Swapnil}, title = {{Rhysida Ransomware: History, TTPs And Adversary Emulation Plans}}, date = {2023-12-12}, organization = {Fourcore}, url = {https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation}, language = {English}, urldate = {2023-12-15} } @online{sweetsoftware:20171207:ares:1ca489a, author = {sweetsoftware}, title = {{Ares}}, date = {2017-12-07}, organization = {Github (sweetsoftware)}, url = {https://github.com/sweetsoftware/Ares}, language = {English}, urldate = {2020-03-03} } @online{swift:2021:swift:6631e98, author = {SWIFT}, title = {{SWIFT Report on COMMON Raven}}, date = {2021}, organization = {SWIFT}, url = {https://www2.swift.com/isac/report/10118}, language = {English}, urldate = {2021-10-05} } @online{switzerland:20220222:week:63b313a, author = {NCSC Switzerland}, title = {{Week 7: Supposed order confirmation delivers malware and new variants in fake extortion emails}}, date = {2022-02-22}, organization = {NCSC Switzerland}, url = {https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html}, language = {English}, urldate = {2022-02-26} } @online{switzerland:20220329:woche:0ea4127, author = {NCSC Switzerland}, title = {{Woche 12: Schadsoftware «FluBot» in der Schweiz wieder aktiv und Web-Administratoren erhalten Drohmails von angeblich ukrainischen Hackern}}, date = {2022-03-29}, organization = {NCSC Switzerland}, url = {https://www.ncsc.admin.ch/22w12-de}, language = {German}, urldate = {2022-03-30} } @online{switzerland:20240711:brief:5fc2e37, author = {NCSC Switzerland}, title = {{Brief technical analysis of the "Poseidon Stealer" malware}}, date = {2024-07-11}, organization = {NCSC Switzerland}, url = {https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/poseidon_bericht.html}, language = {English}, urldate = {2024-07-17} } @online{switzerland:20241010:brief:0ca41dc, author = {NCSC Switzerland}, title = {{Brief technical analysis of the "Gorilla" botnet}}, date = {2024-10-10}, organization = {NCSC Switzerland}, url = {https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/gorilla_bericht.html}, language = {English}, urldate = {2024-11-25} } @techreport{switzerland:20250506:cybersecurity:e3dbe4c, author = {NCSC Switzerland}, title = {{Cybersecurity: Situation in Switzerland and internationally - Semi-Annual Report 2024/II}}, date = {2025-05-06}, institution = {NCSC Switzerland}, url = {https://www.ncsc.admin.ch/dam/ncsc/de/dokumente/dokumentation/lageberichte/BACS-HJB-2024-2_EN.pdf.download.pdf/BACS-HJB-2024-2_EN.pdf}, language = {English}, urldate = {2025-05-20} } @online{sy:20150901:attackers:3703ecf, author = {Benson Sy}, title = {{Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor}}, date = {2015-09-01}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/}, language = {English}, urldate = {2019-12-17} } @online{sy:20170727:chessmaster:7d3e4b3, author = {Benson Sy and CH Lei and Kawabata Kohei}, title = {{ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal}}, date = {2017-07-27}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/}, language = {English}, urldate = {2020-01-13} } @online{sy:20170727:chessmaster:a496667, author = {Benson Sy and CH Lei and Kawabata Kohei}, title = {{ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal}}, date = {2017-07-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/}, language = {English}, urldate = {2019-10-14} } @online{symantec:20111123:w32duqu:05cefba, author = {Symantec}, title = {{W32.Duqu: The precursor to the next Stuxnet}}, date = {2011-11-23}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/w32-duqu-11-en}, language = {English}, urldate = {2021-07-26} } @online{symantec:20120222:trojanransomlockj:75eb419, author = {Symantec}, title = {{Trojan.Ransomlock.J}}, date = {2012-02-22}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2}, language = {English}, urldate = {2020-01-09} } @techreport{symantec:201203:luckycat:ddeba84, author = {Symantec}, title = {{The Luckycat Hackers}}, date = {2012-03}, institution = {Symantec}, url = {https://vx-underground.org/papers/luckycat-hackers-12-en.pdf}, language = {English}, urldate = {2020-04-21} } @online{symantec:20120808:trojanmebroot:8ecb951, author = {Symantec}, title = {{Trojan.Mebroot}}, date = {2012-08-08}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2}, language = {English}, urldate = {2019-11-26} } @online{symantec:20140223:trojansakurel:9674bd4, author = {Symantec}, title = {{Trojan.Sakurel}}, date = {2014-02-23}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99}, language = {English}, urldate = {2020-01-06} } @techreport{symantec:20151207:backdoorcadelspy:6a40e51, author = {Symantec}, title = {{Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise}}, date = {2015-12-07}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf}, language = {English}, urldate = {2020-01-06} } @online{symantec:20151208:backdoorkomprogo:786eb9b, author = {Symantec}, title = {{Backdoor.Komprogo}}, date = {2015-12-08}, organization = {Symantec}, url = {https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99}, language = {English}, urldate = {2019-11-27} } @online{symantec:20160725:patchwork:d56802d, author = {Symantec}, title = {{Patchwork cyberespionage group expands targets from governments to wide range of industries}}, date = {2016-07-25}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @techreport{symantec:20160808:backdoorremsec:870dbc3, author = {Symantec}, title = {{Backdoor.Remsec indicators of compromise}}, date = {2016-08-08}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf}, language = {English}, urldate = {2019-07-11} } @online{symantec:20170907:vbsforbiks:112eee4, author = {Symantec}, title = {{VBS.Forbiks}}, date = {2017-09-07}, organization = {Symantec}, url = {https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99}, language = {English}, urldate = {2020-01-06} } @online{symantec:20211026:ransom:424b898, author = {Symantec}, title = {{Ransom and Malware Attacks on Financial Services Institutions}}, date = {2021-10-26}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions}, language = {English}, urldate = {2022-08-31} } @online{symantec:20240725:growing:84d9d3c, author = {Symantec}, title = {{Growing Number of Threats Leveraging AI}}, date = {2024-07-25}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm}, language = {English}, urldate = {2024-07-25} } @online{sysopfb:20180416:trickbot:5305f46, author = {sysopfb}, title = {{TrickBot & UACME}}, date = {2018-04-16}, organization = {Random RE}, url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html}, language = {English}, urldate = {2020-01-09} } @online{sysopfb:20180830:manually:6a15ebc, author = {sysopfb}, title = {{Manually unpacking Anubis APK}}, date = {2018-08-30}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html}, language = {English}, urldate = {2020-01-08} } @online{sysopfb:20190923:diving:d62f498, author = {sysopfb}, title = {{Diving into Pluroxs DNS based protection layer}}, date = {2019-09-23}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html}, language = {English}, urldate = {2020-01-06} } @online{sysopfb:20200228:golang:f438b75, author = {sysopfb}, title = {{Golang wrapper on an old obscene malware}}, date = {2020-02-28}, organization = {Random RE}, url = {https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html}, language = {English}, urldate = {2020-03-09} } @online{system41:20230502:icedid:88e0516, author = {System-41}, title = {{IcedID Malware: Traversing Through its Various Incarnations}}, date = {2023-05-02}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/}, language = {English}, urldate = {2023-05-09} } @techreport{systems:2016:return:52c175d, author = {BAE Systems}, title = {{The Return of Qbot}}, date = {2016}, institution = {BAE Systems}, url = {https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf}, language = {English}, urldate = {2019-11-29} } @online{systems:20180503:empire:025672b, author = {Nextron Systems}, title = {{Empire Downloader}}, date = {2018-05-03}, organization = {Twitter (@thor_scanner)}, url = {https://twitter.com/thor_scanner/status/992036762515050496}, language = {English}, urldate = {2019-11-16} } @online{systems:20210615:use:d8fbd39, author = {Nextron Systems}, title = {{Use YARA math Module Extension in THOR TechPreview and THOR Lite}}, date = {2021-06-15}, organization = {Nextron Systems}, url = {https://www.nextron-systems.com/2021/06/15/use-yara-math-module-extension-in-thor-techpreview-and-thor-lite/}, language = {English}, urldate = {2021-06-21} } @online{systems:20241031:about:d84b2d8, author = {Nextron Systems}, title = {{Tweet about discovery of HellDown ransomware}}, date = {2024-10-31}, organization = {Twitter (@nextronresearch)}, url = {https://x.com/nextronresearch/status/1851983952409473308}, language = {English}, urldate = {2024-11-05} } @online{systemtek:20180727:luoxk:7525cb0, author = {SystemTek}, title = {{Luoxk Malware – Exploiting CVE-2018-2893}}, date = {2018-07-27}, organization = {SystemTek}, url = {https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/}, language = {English}, urldate = {2024-02-02} } @online{szabolcs:20220329:putins:aa3dafa, author = {Panyi Szabolcs}, title = {{Putin’s hackers gained full access to Hungary’s foreign ministry networks, the Orbán government has been unable to stop them}}, date = {2022-03-29}, organization = {direkt36}, url = {https://www.direkt36.hu/en/putyin-hekkerei-is-latjak-a-magyar-kulugy-titkait-az-orban-kormany-evek-ota-nem-birja-elharitani-oket/}, language = {English}, urldate = {2022-04-05} } @online{szadkowski:20221224:apt41:d660075, author = {Denis Szadkowski and Johann Aydinbas and Jiro Minier and Hendrik Baecker}, title = {{APT41 — The spy who failed to encrypt me}}, date = {2022-12-24}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1}, language = {English}, urldate = {2024-11-15} } @online{szadkowski:20250527:safepay:db489ac, author = {Denis Szadkowski and Johann Aydinbas and Bennet Conrads and Moaath Oudeh}, title = {{SafePay: The new kid on the block}}, date = {2025-05-27}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/safepay-the-new-kid-on-the-block-4141188a626d}, language = {English}, urldate = {2025-05-28} } @online{szappanos:20140203:needle:14f242d, author = {Gabor Szappanos}, title = {{Needle in a haystack}}, date = {2014-02-03}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack}, language = {English}, urldate = {2023-01-03} } @techreport{szappanos:20140627:plugx:e63d8bf, author = {Gabor Szappanos}, title = {{PlugX - The Next Generation}}, date = {2014-06-27}, institution = {SophosLabs}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf}, language = {English}, urldate = {2020-01-10} } @online{szappanos:201607:new:6574feb, author = {Gabor Szappanos}, title = {{New Keylogger on the Block}}, date = {2016-07}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/}, language = {English}, urldate = {2020-01-06} } @techreport{szappanos:20191218:mykings:7370b35, author = {Gabor Szappanos}, title = {{MyKings: The slow but steady growth of a relentless botnet}}, date = {2019-12-18}, institution = {Sophos}, url = {https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf}, language = {English}, urldate = {2020-01-13} } @online{szappanos:20200527:netwalker:941731e, author = {Gabor Szappanos and Andrew Brandt}, title = {{Netwalker ransomware tools give insight into threat actor}}, date = {2020-05-27}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/}, language = {English}, urldate = {2020-05-29} } @techreport{szappanos:20200601:increasingly:2606314, author = {Gabor Szappanos and Vikas Singh}, title = {{THE INCREASINGLY COMPLEX KINGMINER BOTNET}}, date = {2020-06-01}, institution = {Sophos Labs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf}, language = {English}, urldate = {2021-04-09} } @online{szappanos:20200609:kingminer:0efadc6, author = {Gabor Szappanos and Vikas Singh}, title = {{Kingminer escalates attack complexity for cryptomining}}, date = {2020-06-09}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/09/kingminer-report/}, language = {English}, urldate = {2022-02-16} } @online{szappanos:20201104:new:66b8447, author = {Gabor Szappanos}, title = {{A new APT uses DLL side-loads to “KilllSomeOne”}}, date = {2020-11-04}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/}, language = {English}, urldate = {2020-11-06} } @online{szappanos:20210121:mrbminer:1c5f2ab, author = {Gabor Szappanos and Andrew Brandt}, title = {{MrbMiner: Cryptojacking to bypass international sanctions}}, date = {2021-01-21}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/01/21/mrbminer-cryptojacking-to-bypass-international-sanctions/}, language = {English}, urldate = {2021-01-25} } @online{szappanos:20210301:gootloader:815834d, author = {Gabor Szappanos and Andrew Brandt}, title = {{“Gootloader” expands its payload delivery options}}, date = {2021-03-01}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728}, language = {English}, urldate = {2021-03-02} } @online{szappanos:20210812:gootloaders:84e3100, author = {Gabor Szappanos and Andrew Brandt}, title = {{Gootloader’s “mothership” controls malicious content}}, date = {2021-08-12}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/}, language = {English}, urldate = {2021-08-25} } @online{szappanos:20220201:solarmarker:597b088, author = {Gabor Szappanos and Sean Gallagher}, title = {{SolarMarker campaign used novel registry changes to establish persistence}}, date = {2022-02-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/}, language = {English}, urldate = {2022-02-02} } @online{szappanos:20221103:family:666a56f, author = {Gabor Szappanos}, title = {{Family Tree: DLL-Sideloading Cases May Be Related}}, date = {2022-11-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/}, language = {English}, urldate = {2022-12-02} } @online{szappanos:20230309:borderhopping:5220748, author = {Gabor Szappanos}, title = {{A border-hopping PlugX USB worm takes its act on the road}}, date = {2023-03-09}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/}, language = {English}, urldate = {2023-03-22} } @online{szathmari:20200922:what:60d1e26, author = {Gabor Szathmari}, title = {{What Service NSW has to do with Russia?}}, date = {2020-09-22}, organization = {OSINT Fans}, url = {https://osint.fans/service-nsw-russia-association}, language = {English}, urldate = {2020-09-23} } @techreport{szeles:20200604:loading:072fc29, author = {Janos Gergo Szeles and Ruben Andrei Condor}, title = {{Loading DLLs for illicit profit. A story about a Metamorfo distribution campaign}}, date = {2020-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-06-10} } @techreport{szeles:20200708:kingminer:f864cae, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Kingminer –a Crypto-Jacking Botnet Under the Scope}}, date = {2020-07-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } @techreport{szeles:20201008:dissecting:baf1b65, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Dissecting LemonDuck Crypto-Miner, a KingMiner Successor}}, date = {2020-10-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } @techreport{szeles:20210113:remcos:5ffdb28, author = {Janos Gergo Szeles}, title = {{Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign}}, date = {2021-01-13}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf}, language = {English}, urldate = {2021-01-18} } @techreport{szeles:20220118:poking:a2bd8a5, author = {Janos Gergo Szeles}, title = {{Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer}}, date = {2022-01-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf}, language = {English}, urldate = {2022-02-26} } @online{szurdi:20220829:tor:0d33ef9, author = {Janos Szurdi}, title = {{Tor 101: How Tor Works and its Risks to the Enterprise}}, date = {2022-08-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/}, language = {English}, urldate = {2022-09-20} } @online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } @online{ta:20201028:star:16965fb, author = {Van Ta and Aaron Stephens and Katie Nickels}, title = {{STAR Webcast: Spooky RYUKy: The Return of UNC1878}}, date = {2020-10-28}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=BhjQ6zsCVSc}, language = {English}, urldate = {2020-11-02} } @online{ta:20211207:fin13:e5e2255, author = {Van Ta and Jake Nicastro and Rufus Brown and Nick Richard}, title = {{FIN13: A Cybercriminal Threat Actor Focused on Mexico}}, date = {2021-12-07}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/fin13-cybercriminal-mexico}, language = {English}, urldate = {2021-12-08} } @online{tachon:20220208:annual:6500f88, author = {Marvin Tachon}, title = {{Annual Threat trends 2021}}, date = {2022-02-08}, organization = {Intrinsec}, url = {https://www.intrinsec.com/annual-threat-trends-2021/}, language = {English}, urldate = {2022-02-14} } @online{tafanidereeper:20170605:set:fb5e95c, author = {Christophe Tafani-Dereeper}, title = {{Set up your own malware analysis lab with VirtualBox, INetSim and Burp}}, date = {2017-06-05}, url = {https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/}, language = {English}, urldate = {2020-02-27} } @online{tafanidereeper:20200218:hidden:f3f71cf, author = {Christophe Tafani-Dereeper}, title = {{Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader}}, date = {2020-02-18}, organization = {Personal Blog of Christophe Tafani-Dereeper}, url = {https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/}, language = {English}, urldate = {2021-02-24} } @online{taha:20220612:how:c05db89, author = {Taha}, title = {{How SeaFlower 藏海花 installs backdoors in iOS/Android web3 wallets to steal your seed phrase}}, date = {2022-06-12}, organization = {Confiant}, url = {https://blog.confiant.com/how-seaflower-%E8%97%8F%E6%B5%B7%E8%8A%B1-installs-backdoors-in-ios-android-web3-wallets-to-steal-your-seed-phrase-d25f0ccdffce}, language = {English}, urldate = {2022-06-15} } @online{taibo:20200526:weaponized:0bca503, author = {Guillermo Taibo}, title = {{Weaponized Disk Image Files: Analysis, Trends and Remediation}}, date = {2020-05-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/}, language = {English}, urldate = {2020-06-05} } @online{taj:20210923:famoussparrow:5f0d606, author = {Tahseen Bin Taj and Matthieu Faou}, title = {{FamousSparrow: A suspicious hotel guest}}, date = {2021-09-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/}, language = {English}, urldate = {2021-09-24} } @online{takagen:20220404:confirmation:c2fd43a, author = {Takehiko Takagen}, title = {{Confirmation of damage to domestic e-commerce sites, actual situation of Web skimming attacks and examples of countermeasures that Rack thinks (Water Pamola)}}, date = {2022-04-04}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20220407_002923.html}, language = {Japanese}, urldate = {2022-04-08} } @techreport{takai:20200930:unveiling:bade9fd, author = {Hajime Takai and Shogo Hayashi and Rintaro Koike}, title = {{Unveiling the CryptoMimic (Slides)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-18.pdf}, language = {English}, urldate = {2021-06-22} } @techreport{takai:20200930:unveiling:d9bff93, author = {Hajime Takai and Shogo Hayashi and Rintaro Koike}, title = {{Unveiling the CryptoMimic (Paper)}}, date = {2020-09-30}, institution = {NTT Security}, url = {https://vb2020.vblocalhost.com/uploads/VB2020-Takai-etal.pdf}, language = {English}, urldate = {2021-06-22} } @online{takai:20210108:unveiling:3080aa9, author = {Hajime Takai and Shogo Hayashi and Rintaro Koike}, title = {{Unveiling the CryptoMimic}}, date = {2021-01-08}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=8K_aG1d6dzo}, language = {English}, urldate = {2021-06-22} } @techreport{takeda:20240125:threat:5cff906, author = {Masafumi Takeda and Tomoya Furukawa}, title = {{Threat Intelligence of Abused Public Post-Exploitation Frameworks}}, date = {2024-01-25}, institution = {JSAC 2024}, url = {https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf}, language = {English}, urldate = {2024-01-31} } @online{takeuchi:20201127:analyzing:4089f84, author = {Hiroshi Takeuchi}, title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}}, date = {2020-11-27}, organization = {Macnica}, url = {https://blog.macnica.net/blog/2020/11/dtrack.html}, language = {Japanese}, urldate = {2020-12-08} } @online{takeuchi:20220502:attack:8a7d966, author = {Hiroshi Takeuchi}, title = {{Attack Campaigns that Exploit Shortcuts and ISO Files}}, date = {2022-05-02}, organization = {Macnica}, url = {https://security.macnica.co.jp/blog/2022/05/iso.html}, language = {Japanese}, urldate = {2022-05-03} } @online{takeuchi:20241029:job:44300e9, author = {Hiroshi Takeuchi}, title = {{Job Offer from the North: Contagious Interview for Software Developers}}, date = {2024-10-29}, organization = {Macnica}, url = {https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html}, language = {Japanese}, urldate = {2024-10-30} } @online{tal:20241216:deceptionads:61b6380, author = {Nati Tal}, title = {{“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising}}, date = {2024-12-16}, organization = {Guardio Labs}, url = {https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6}, language = {English}, urldate = {2024-12-20} } @online{talbi:20180320:deobfuscating:7ac7605, author = {Mehdi Talbi}, title = {{De-obfuscating Jump Chains with Binary Ninja}}, date = {2018-03-20}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/}, language = {English}, urldate = {2020-03-16} } @online{taler:20190603:varonis:21ad52e, author = {Dolev Taler and Eric Saraga}, title = {{Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims}}, date = {2019-06-03}, organization = {Varonis}, url = {https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/}, language = {English}, urldate = {2020-01-05} } @online{talon:20201123:s2w:97212ec, author = {TALON}, title = {{[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident}}, date = {2020-11-23}, organization = {S2W LAB Inc.}, url = {https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e}, language = {English}, urldate = {2020-12-03} } @online{talon:20210722:quick:7951b68, author = {TALON}, title = {{Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)}}, date = {2021-07-22}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4}, language = {English}, urldate = {2021-07-26} } @online{talon:20210908:grooves:64ea498, author = {S2W TALON}, title = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}}, date = {2021-09-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2}, language = {English}, urldate = {2021-09-12} } @online{talon:20210909:case:fdbe983, author = {S2W TALON}, title = {{Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction}}, date = {2021-09-09}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc}, language = {English}, urldate = {2021-09-12} } @online{talon:20210910:groove:3dab88b, author = {S2W TALON}, title = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}}, date = {2021-09-10}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d}, language = {English}, urldate = {2021-09-14} } @online{talon:20211005:prometheus:b698c61, author = {S2W TALON}, title = {{Prometheus x Spook: Prometheus ransomware rebranded Spook ransomware.}}, date = {2021-10-05}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd}, language = {English}, urldate = {2021-10-11} } @online{talon:20211210:blackcat:2ec3ecf, author = {S2W TALON}, title = {{BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration}}, date = {2021-12-10}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809}, language = {English}, urldate = {2022-01-06} } @online{talon:20211214:logs:198ffe4, author = {S2W TALON}, title = {{Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous}}, date = {2021-12-14}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039}, language = {English}, urldate = {2022-01-05} } @online{talon:20220216:post:82b63e4, author = {S2W TALON}, title = {{Post Mortem of KlaySwap Incident through BGP Hijacking | EN}}, date = {2022-02-16}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600}, language = {English}, urldate = {2022-02-26} } @online{talon:20220217:tracking:5957935, author = {S2W TALON}, title = {{Tracking SugarLocker ransomware & operator}}, date = {2022-02-17}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49}, language = {English}, urldate = {2022-02-19} } @online{talon:20220324:footsteps:aa24072, author = {S2W TALON}, title = {{Footsteps of the LAPSUS$ hacking group}}, date = {2022-03-24}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/footsteps-of-the-lapsus-hacking-group-73a8a143c375}, language = {Korean}, urldate = {2022-03-24} } @online{talon:20220616:raccoon:de7df76, author = {S2W TALON}, title = {{Raccoon Stealer is Back with a New Version}}, date = {2022-06-16}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d}, language = {English}, urldate = {2022-06-17} } @online{talon:20220706:teng:799c55c, author = {HOTSAUCE | S2W TALON}, title = {{变脸, Teng Snake (a.k.a. Code Core)}}, date = {2022-07-06}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a}, language = {English}, urldate = {2022-07-12} } @online{talos:20160323:samsam:39997dd, author = {Cisco Talos}, title = {{SamSam: The Doctor Will See You, After He Pays The Ransom}}, date = {2016-03-23}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/03/samsam-ransomware.html}, language = {English}, urldate = {2020-01-13} } @online{talos:20170627:new:3daca69, author = {Cisco Talos}, title = {{New Ransomware Variant "Nyetya" Compromises Systems Worldwide}}, date = {2017-06-27}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html}, language = {English}, urldate = {2020-01-10} } @online{talos:20171027:threat:ed694fa, author = {Cisco Talos}, title = {{Threat Round Up for Oct 20 - Oct 27}}, date = {2017-10-27}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html}, language = {English}, urldate = {2019-07-11} } @online{talos:20180523:new:2de509f, author = {Cisco Talos}, title = {{New VPNFilter malware targets at least 500K networking devices worldwide}}, date = {2018-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/VPNFilter.html}, language = {English}, urldate = {2020-01-08} } @online{talos:20210309:hafnium:55699b2, author = {Cisco Talos}, title = {{Hafnium Update: Continued Microsoft Exchange Server Exploitation}}, date = {2021-03-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/03/hafnium-update.html}, language = {English}, urldate = {2021-03-11} } @online{talos:20210921:tinyturla:c5f6f90, author = {Talos}, title = {{TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines}}, date = {2021-09-21}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2021/09/tinyturla.html}, language = {English}, urldate = {2021-09-22} } @online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } @online{talos:20220224:threat:cdf8dd3, author = {Talos}, title = {{Threat Advisory: Cyclops Blink}}, date = {2022-02-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html}, language = {English}, urldate = {2022-03-01} } @online{talos:20220315:threat:67922cf, author = {Cisco Talos}, title = {{Threat Advisory: CaddyWiper}}, date = {2022-03-15}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html}, language = {English}, urldate = {2022-03-18} } @online{talos:20220324:threat:c58db48, author = {Cisco Talos}, title = {{Threat Advisory: DoubleZero}}, date = {2022-03-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html}, language = {English}, urldate = {2022-05-04} } @online{talos:20220511:bitter:c463e99, author = {Cisco Talos}, title = {{Bitter APT adds Bangladesh to their targets}}, date = {2022-05-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html}, language = {English}, urldate = {2022-05-13} } @online{talos:20220721:attackers:480fda8, author = {Talos}, title = {{Attackers target Ukraine using GoMet backdoor}}, date = {2022-07-21}, organization = {Talos}, url = {https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html}, language = {English}, urldate = {2022-07-27} } @online{talos:20230808:what:0316750, author = {Cisco Talos}, title = {{What Cisco Talos knows about the Rhysida ransomware}}, date = {2023-08-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/rhysida-ransomware/}, language = {English}, urldate = {2023-08-10} } @online{talos:20240208:new:a7f47fa, author = {Cisco Talos}, title = {{New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization}}, date = {2024-02-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/new-zardoor-backdoor/}, language = {English}, urldate = {2024-03-04} } @online{talos:20240409:starry:aff4406, author = {Cisco Talos}, title = {{Starry Addax targets human rights defenders in North Africa with new malware}}, date = {2024-04-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/starry-addax/}, language = {English}, urldate = {2025-05-02} } @online{talos:20240424:arcanedoor:5ea062a, author = {Cisco Talos}, title = {{ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices}}, date = {2024-04-24}, organization = {Cisco}, url = {https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/}, language = {English}, urldate = {2024-04-29} } @online{talos:20240605:darkgate:6b40d23, author = {Cisco Talos}, title = {{DarkGate switches up its tactics with new payload, email templates}}, date = {2024-06-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/darkgate-remote-template-injection/}, language = {English}, urldate = {2024-06-12} } @online{talos:20250220:weathering:d1f12a3, author = {Cisco Talos}, title = {{Weathering the storm: In the midst of a Typhoon}}, date = {2025-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/salt-typhoon-analysis/}, language = {English}, urldate = {2025-02-28} } @techreport{talos:20250326:year:0fad13d, author = {Cisco Talos}, title = {{Year in Review}}, date = {2025-03-26}, institution = {Cisco Talos}, url = {https://blog.talosintelligence.com/content/files/2025/03/2024YiR-report.pdf}, language = {English}, urldate = {2025-04-09} } @online{tamir:20121128:shylocks:13a51d9, author = {Dana Tamir}, title = {{Shylock’s New Trick: Evading Malware Researchers}}, date = {2012-11-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/}, language = {English}, urldate = {2020-01-10} } @online{tamir:20140522:meet:25e8b2d, author = {Dana Tamir}, title = {{Meet the Zberp Trojan}}, date = {2014-05-22}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/}, language = {English}, urldate = {2019-12-17} } @online{tamir:20140609:zeusmaple:cb4d799, author = {Dana Tamir}, title = {{ZeuS.Maple Variant Targets Canadian Online Banking Customers}}, date = {2014-06-09}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/}, language = {English}, urldate = {2020-01-13} } @online{tampabaytech2:20221130:arechclient2:b465dfa, author = {tampabaytech2}, title = {{Arechclient2}}, date = {2022-11-30}, organization = {TampaBayTech}, url = {https://tampabay.tech/2022/11/30/arechclient2/}, language = {English}, urldate = {2023-02-06} } @online{tan:20120901:urlzone:7f65ffa, author = {Neo Tan}, title = {{URLZone reloaded: new evolution}}, date = {2012-09-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/}, language = {English}, urldate = {2020-01-06} } @online{tanaka:20191121:icondown:cb082bf, author = {田中 信太郎(Shintaro Tanaka)}, title = {{IconDown – Downloader Used by BlackTech}}, date = {2019-11-21}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html}, language = {English}, urldate = {2020-01-08} } @online{tanase:20150909:satellite:7f8b3ed, author = {Stefan Tanase}, title = {{Satellite Turla: APT Command and Control in the Sky}}, date = {2015-09-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/}, language = {English}, urldate = {2019-12-20} } @online{tanase:20150909:satellite:b8728d5, author = {Stefan Tanase}, title = {{Satellite Turla: APT Command and Control in the Sky}}, date = {2015-09-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/}, language = {English}, urldate = {2019-12-20} } @online{tancio:20220518:uncovering:2ee6eb7, author = {Buddy Tancio and Jed Valderama}, title = {{Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR}}, date = {2022-05-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html}, language = {English}, urldate = {2022-05-25} } @online{tancio:20220727:gootkit:f1c63fa, author = {Buddy Tancio and Jed Valderama}, title = {{Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike}}, date = {2022-07-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html}, language = {English}, urldate = {2022-07-29} } @online{tancio:20230224:investigating:94d8b43, author = {Buddy Tancio and Jed Valderama and Catherine Loveria}, title = {{Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool}}, date = {2023-02-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html}, language = {English}, urldate = {2023-03-22} } @online{tancio:20241023:unmasking:add44dd, author = {Buddy Tancio and Bren Matthew Ebriega and Mohamed Fahmy}, title = {{Unmasking Prometei: A Deep Dive Into Our MXDR Findings}}, date = {2024-10-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html}, language = {English}, urldate = {2024-10-24} } @online{tanda:20200517:crowdstrike:f11de61, author = {satoshi tanda}, title = {{CrowdStrike Falcon Detects Kernel Attacks Exploiting Vulnerable Dell Driver (CVE-2021-21551)}}, date = {2020-05-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-falcon-detects-dell-driver-vulnerability-cve-2021-21551/}, language = {English}, urldate = {2021-06-09} } @online{tang:20241106:bengal:50633d8, author = {Trang Tang and Hikaru Koike and Asha Castle and Sean Gallagher}, title = {{Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign}}, date = {2024-11-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/}, language = {English}, urldate = {2024-11-13} } @online{tani:20190709:spear:e571fac, author = {Tomoaki Tani and Yukako Uchida}, title = {{Spear Phishing against Cryptocurrency Businesses}}, date = {2019-07-09}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html}, language = {English}, urldate = {2023-06-22} } @online{tanigawa:20150518:tt:4cb29ea, author = {Tetsuji Tanigawa}, title = {{TT Malware Log}}, date = {2015-05-18}, url = {http://malware-log.hatenablog.com/entry/2015/05/18/000000_1}, language = {Japanese}, urldate = {2020-01-08} } @techreport{taniguchi:20210506:how:45b144d, author = {Tsuyoshi Taniguchi and Christian Doerr}, title = {{How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover}}, date = {2021-05-06}, institution = {Black Hat}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf}, language = {English}, urldate = {2021-09-12} } @online{taniguchi:20210901:how:98ed0d5, author = {Tsuyoshi Taniguchi and Christian Doerr}, title = {{How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=y8Z9KnL8s8s}, language = {English}, urldate = {2021-09-12} } @online{tanner:20220127:threat:15f076d, author = {Amanda Tanner and Alex Hinchliffe and Doel Santos}, title = {{Threat Assessment: BlackCat Ransomware}}, date = {2022-01-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/blackcat-ransomware/}, language = {English}, urldate = {2022-02-01} } @online{tanner:20240315:inside:7e9d53d, author = {Amanda Tanner and Anthony Galiette and Jerome Tujague}, title = {{Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled}}, date = {2024-03-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/}, language = {English}, urldate = {2024-03-25} } @online{tanner:20240809:ransomware:c987f77, author = {Amanda Tanner and Kristopher Bleich}, title = {{Ransomware Review: First Half of 2024}}, date = {2024-08-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/}, language = {English}, urldate = {2025-03-07} } @online{tanriverdi:20190724:attacking:66ef327, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Attacking the Heart of the German Industry}}, date = {2019-07-24}, organization = {Bayerischer Rundfunk}, url = {http://web.br.de/interaktiv/winnti/english/}, language = {English}, urldate = {2019-11-29} } @online{tanriverdi:20190724:winnti:25b27fb, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Winnti analysis}}, date = {2019-07-24}, organization = {Github (br-data)}, url = {https://github.com/br-data/2019-winnti-analyse/}, language = {English}, urldate = {2019-12-10} } @online{tanriverdi:20200528:russische:47e2b5b, author = {Hakan Tanriverdi}, title = {{Russische Bären unter Hackerverdacht}}, date = {2020-05-28}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/br-recherche/hacker-angriff-infrastruktur-101.html}, language = {German}, urldate = {2020-05-29} } @online{tanriverdi:20201008:there:620f4e7, author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen}, title = {{There is no safe place}}, date = {2020-10-08}, organization = {Bayerischer Rundfunk}, url = {https://web.br.de/interaktiv/ocean-lotus/en/}, language = {English}, urldate = {2020-10-12} } @online{tanriverdi:20210331:attack:65b2f39, author = {Hakan Tanriverdi and Florian Flade}, title = {{Attack of the "chaos troops" (Ghostwriter)}}, date = {2021-03-31}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/wdr/hackerangriffe-105.html}, language = {German}, urldate = {2021-03-31} } @online{tanriverdi:20210331:ghostwriter:28526c7, author = {Hakan Tanriverdi}, title = {{Tweet on Ghostwriter}}, date = {2021-03-31}, organization = {Twitter (@hatr)}, url = {https://twitter.com/hatr/status/1377220336597483520}, language = {English}, urldate = {2021-04-06} } @online{tanriverdi:20210610:schadsoftware:834b3fd, author = {Hakan Tanriverdi and Maximilian Zierer}, title = {{Schadsoftware Emotet: BKA befragt Schlüsselfigur}}, date = {2021-06-10}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html}, language = {English}, urldate = {2021-07-02} } @online{taqi:20220213:technical:50aa099, author = {Taqi and Rosamira and Fareed}, title = {{Technical Malware Analysis: The Return of Emotet}}, date = {2022-02-13}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html}, language = {English}, urldate = {2022-02-14} } @online{tarab:20240909:coralraider:58776c2, author = {Idan Tarab}, title = {{APT CoralRaider Expands Arsenal: AmadeyBot, FTP Innovations, and Complex Domain Strategy}}, date = {2024-09-09}, organization = {LinkedIn (Idan Tarab)}, url = {https://www.linkedin.com/posts/idan-tarab-7a9057200_apt-ttps-coralraider-activity-7238998746254999553-57LG/}, language = {English}, urldate = {2024-09-13} } @online{tarab:20241125:it:82fab72, author = {Idan Tarab}, title = {{The IT Army of Ukraine: Cyber Resistance in the Digital Battlefield}}, date = {2024-11-25}, organization = {LinkedIn (Idan Tarab)}, url = {https://www.linkedin.com/posts/idan-tarab-7a9057200_uac0099-apt-russianukrainianwar-activity-7264650176080855040-Zuud/}, language = {English}, urldate = {2024-12-02} } @online{tarab:20241205:diplomatic:a39ab36, author = {Idan Tarab}, title = {{The Diplomatic Deception: Patchwork’s Use of Fake U.S. Embassy Alerts in Cyber Espionage}}, date = {2024-12-05}, organization = {LinkedIn (Idan Tarab)}, url = {https://www.linkedin.com/posts/idan-tarab-7a9057200_pathchowrk-india-pakistan-activity-7270396733644288002-LpR7/?utm_source=share&utm_medium=member_ios}, language = {English}, urldate = {2024-12-09} } @online{tarab:20241224:under:a4566c7, author = {Idan Tarab}, title = {{Under Siege: Sandworm's Fake Army+ App Threatens Ukraine’s Military Operations}}, date = {2024-12-24}, organization = {LinkedIn (Idan Tarab)}, url = {https://www.linkedin.com/posts/idan-tarab-7a9057200_sandworm-uac0125-apt44-activity-7275555552368209921-lg7p}, language = {English}, urldate = {2025-01-07} } @online{tarab:20250304:unmasking:4bf4b0b, author = {Idan Tarab}, title = {{Unmasking New Infrastructure: UAC-0184’s Espionage Activities}}, date = {2025-03-04}, organization = {LinkedIn (Idan Tarab)}, url = {https://www.linkedin.com/posts/idan-tarab-7a9057200_uac0184-cyberattack-threatresearch-activity-7302710506933407745-V9kg}, language = {English}, urldate = {2025-03-05} } @online{tarakanov:20100715:black:e6d41f9, author = {Dmitry Tarakanov}, title = {{Black DDoS}}, date = {2010-07-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/black-ddos/36309/}, language = {English}, urldate = {2019-12-20} } @online{tarakanov:20110914:ice:4373c96, author = {Dmitry Tarakanov}, title = {{Ice IX: not cool at all}}, date = {2011-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/ice-ix-not-cool-at-all/29111/}, language = {English}, urldate = {2019-12-20} } @online{tarakanov:20130911:kimsuky:cce4ab2, author = {Dmitry Tarakanov}, title = {{The “Kimsuky” Operation: A North Korean APT?}}, date = {2013-09-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/}, language = {English}, urldate = {2019-12-20} } @online{tarakanov:20150622:games:aba8183, author = {Dmitry Tarakanov}, title = {{Games are over: Winnti is now targeting pharmaceutical companies}}, date = {2015-06-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/games-are-over/70991/}, language = {English}, urldate = {2019-12-20} } @online{tarakanov:20151006:i:445dc3a, author = {Dmitry Tarakanov}, title = {{I am HDRoot! Part 1}}, date = {2015-10-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/i-am-hdroot-part-1/72275/}, language = {English}, urldate = {2020-03-19} } @online{tarakanov:20151013:i:36fae83, author = {Dmitry Tarakanov}, title = {{I am HDRoot! Part 2}}, date = {2015-10-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/i-am-hdroot-part-2/72356/}, language = {English}, urldate = {2020-03-19} } @online{tarijon:20221212:limerat:80d87b6, author = {Felipe Tarijon}, title = {{LimeRAT Malware Is Used For Targeting Unskilled Threat Actors}}, date = {2022-12-12}, organization = {Felipe Tarijon}, url = {https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/}, language = {English}, urldate = {2022-12-15} } @online{tarijon:20231101:vietnamese:0cdc68a, author = {Felipe Tarijon}, title = {{Vietnamese Information Stealer Campaigns Target Professionals on LinkedIn}}, date = {2023-11-01}, organization = {AppGate}, url = {https://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin}, language = {English}, urldate = {2023-11-13} } @online{tartare:20191021:winnti:eb2c722, author = {Mathieu Tartare}, title = {{Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor}}, date = {2019-10-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/}, language = {English}, urldate = {2019-11-14} } @online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } @online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } @online{tartare:20201210:operation:0df1b72, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop}, language = {English}, urldate = {2022-07-29} } @online{tartare:20201210:operation:0eecfc8, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/}, language = {English}, urldate = {2020-12-10} } @online{tata:20210429:information:ecf78cd, author = {Mahesh Tata}, title = {{Information Gathering as a Researcher: a use case}}, date = {2021-04-29}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/information-gathering-as-a-researcher-use-case}, language = {English}, urldate = {2022-07-13} } @online{tavares:20191226:targeting:aeef71f, author = {Pedro Tavares}, title = {{Targeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax}}, date = {2019-12-26}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/}, language = {English}, urldate = {2020-01-09} } @online{tavares:20200415:hackers:29c5dbd, author = {Pedro Tavares}, title = {{Hackers are again attacking Portuguese banking organizations via Android Trojan-Banker}}, date = {2020-04-15}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE}, language = {English}, urldate = {2021-04-14} } @online{tavares:20200428:banking:5be9214, author = {Pedro Tavares}, title = {{Banking Phishing | Targets Portugal, Spain, Brazil and Chile | From Brazil | Infection process}}, date = {2020-04-28}, organization = {Seguranca Informatica}, url = {https://www.youtube.com/watch?v=eqyuAj9hvy4}, language = {Portuguese}, urldate = {2020-05-04} } @online{tavares:20200506:brazilian:70f295e, author = {Pedro Tavares}, title = {{Brazilian trojan banker is targeting Portuguese users using browser overlay}}, date = {2020-05-06}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/brazilian-trojan-banker-is-targeting-portuguese-users-using-browser-overlay/}, language = {English}, urldate = {2020-05-07} } @online{tavares:20200511:trojan:65a40dd, author = {Pedro Tavares}, title = {{Trojan Lampion is back after 3 months}}, date = {2020-05-11}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/}, language = {English}, urldate = {2020-05-13} } @online{tavares:20200526:updated:279fdc1, author = {Pedro Tavares}, title = {{The updated Grandoreiro Malware equipped with latenbot-C2 features in Q2 2020 now extended to Portuguese banks}}, date = {2020-05-26}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks}, language = {English}, urldate = {2020-06-02} } @online{tavares:20200601:indepth:1f3724b, author = {Pedro Tavares}, title = {{In-depth analysis of a trojan banker impacting Portugal and Brazil}}, date = {2020-06-01}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/in-depth-analysis-of-a-trojan-banker-impacting-portugal-and-brazil/}, language = {English}, urldate = {2020-06-02} } @online{tavares:20200613:troystealer:c7df98b, author = {Pedro Tavares}, title = {{TroyStealer – A new info stealer targeting Portuguese Internet users}}, date = {2020-06-13}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/troystealer-a-new-info-stealer-targeting-portuguese-internet-users}, language = {English}, urldate = {2020-06-17} } @online{tavares:20200706:new:04c88bd, author = {Pedro Tavares}, title = {{New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader}}, date = {2020-07-06}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader}, language = {English}, urldate = {2020-07-07} } @online{tavares:20200915:threat:e046dec, author = {Pedro Tavares}, title = {{Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader}}, date = {2020-09-15}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/}, language = {English}, urldate = {2021-06-07} } @online{tavares:20210203:new:7f76299, author = {Pedro Tavares}, title = {{New cryptojacking malware called Pro-Ocean is now attacking Apache, Oracle and Redis servers}}, date = {2021-02-03}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/}, language = {English}, urldate = {2021-02-18} } @online{tavares:20210210:lampion:538cd64, author = {Pedro Tavares}, title = {{Lampion trojan disseminated in Portugal using COVID-19 template}}, date = {2021-02-10}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/}, language = {English}, urldate = {2021-02-18} } @online{tavares:20210216:latin:7a90c2b, author = {Pedro Tavares}, title = {{Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware}}, date = {2021-02-16}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/latin-american-javali-trojan-weaponizing-avira-antivirus-legitimate-injector-to-implant-malware/}, language = {English}, urldate = {2021-02-24} } @online{tavares:20210504:taste:b6a3380, author = {Pedro Tavares}, title = {{A taste of the latest release of QakBot}}, date = {2021-05-04}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot}, language = {English}, urldate = {2021-05-07} } @online{tavares:20210805:clandestine:435029b, author = {Pedro Tavares}, title = {{The clandestine Horus Eyes RAT: From the underground to criminals’ arsenal}}, date = {2021-08-05}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/the-clandestine-horus-eyes-rat-from-the-underground-to-criminals-arsenal/}, language = {English}, urldate = {2021-08-06} } @online{tavares:20210817:secrets:e82be35, author = {Pedro Tavares}, title = {{Secrets behind the Lazarus’s VHD ransomware}}, date = {2021-08-17}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/}, language = {English}, urldate = {2021-08-24} } @online{tavares:20210819:ragnar:eebc3bd, author = {Pedro Tavares}, title = {{Ragnar Locker – Malware analysis}}, date = {2021-08-19}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/ragnar-locker-malware-analysis/}, language = {English}, urldate = {2021-09-12} } @online{tavares:20210827:fraude:0e0b29a, author = {Pedro Tavares}, title = {{Fraude personificando a marca Continente espalha-se através do WhatsApp: Não se deixe enganar!}}, date = {2021-08-27}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/fraude-personificando-a-marca-continente-espalha-se-atraves-do-whatsapp-nao-se-deixe-enganar/}, language = {Portugese}, urldate = {2021-09-12} } @online{tavares:20210831:phishingtelegram:dd240cc, author = {Pedro Tavares}, title = {{Phishing+Telegram: Solicitação de reembolso da Autoridade Tributária?}}, date = {2021-08-31}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/phishingtelegram-solicitacao-de-reembolso-da-autoridade-tributaria/}, language = {Portugese}, urldate = {2021-09-12} } @online{tavares:20210903:netwalker:34fcda6, author = {Pedro Tavares}, title = {{Netwalker ransomware full analysis}}, date = {2021-09-03}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/}, language = {English}, urldate = {2021-09-12} } @online{tavares:20210910:new:262e0ce, author = {Pedro Tavares}, title = {{The new maxtrilha trojan is being disseminated and targeting several banks}}, date = {2021-09-10}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/}, language = {English}, urldate = {2021-09-12} } @online{tavares:20210910:new:2ebd6f3, author = {Pedro Tavares}, title = {{The new maxtrilha trojan is being disseminated and targeting several banks}}, date = {2021-09-10}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/#.YT3_VfwzaKN}, language = {English}, urldate = {2021-09-14} } @online{tavares:20211005:malware:b92d5a9, author = {Pedro Tavares}, title = {{Malware analysis: Details on LockBit ransomware}}, date = {2021-10-05}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/}, language = {English}, urldate = {2021-10-11} } @online{tavares:20220125:wastedlocker:f0b5b69, author = {Pedro Tavares}, title = {{WastedLocker malware analysis}}, date = {2022-01-25}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter}, language = {English}, urldate = {2022-02-14} } @online{tavares:20220131:taking:b02adaa, author = {Pedro Tavares}, title = {{Taking the bait: The modus operandi of massive social engineering waves impacting banks in Portugal}}, date = {2022-01-31}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/taking-the-bait-the-modus-operandi-of-massive-social-engineering-waves-impacting-banks-in-portugal}, language = {English}, urldate = {2022-02-02} } @online{tavares:20220204:flubot:532b2fc, author = {André Tavares}, title = {{FluBot Malware Persists: Most Prevalent In Germany and Spain}}, date = {2022-02-04}, organization = {BitSight}, url = {https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain}, language = {English}, urldate = {2022-02-09} } @online{tavares:20220226:hidden:544b0bd, author = {Pedro Tavares}, title = {{The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years}}, date = {2022-02-26}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years}, language = {English}, urldate = {2022-03-04} } @online{tavares:20220317:rook:cae4010, author = {Pedro Tavares}, title = {{Rook ransomware analysis}}, date = {2022-03-17}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/rook-ransomware-analysis/}, language = {English}, urldate = {2022-03-22} } @online{tavares:20220411:analysis:cec6eb4, author = {Pedro Tavares}, title = {{Analysis of the SunnyDay ransomware}}, date = {2022-04-11}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/}, language = {English}, urldate = {2023-01-05} } @online{tavares:20220420:mars:6bb8872, author = {Pedro Tavares}, title = {{Mars Stealer malware analysis}}, date = {2022-04-20}, organization = {InfoSec Institute}, url = {https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/}, language = {English}, urldate = {2022-07-25} } @online{tavares:20220606:hunting:9e20d11, author = {André Tavares}, title = {{Hunting PrivateLoader: Pay-Per-Install Service}}, date = {2022-06-06}, url = {https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/}, language = {English}, urldate = {2022-06-09} } @online{tavares:20220710:anubis:81fabd3, author = {Pedro Tavares}, title = {{Anubis Network is back with new C2 server}}, date = {2022-07-10}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/anubis-networks-is-back-with-new-c2-server/#.YyXHmaRBzIU}, language = {English}, urldate = {2022-09-19} } @online{tavares:20220831:tracking:5b4130e, author = {André Tavares}, title = {{Tracking PrivateLoader: Malware Distribution Service}}, date = {2022-08-31}, organization = {BitSight}, url = {https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service}, language = {English}, urldate = {2022-08-31} } @online{tavares:20220914:ursa:add3756, author = {Pedro Tavares}, title = {{URSA trojan is back with a new dance}}, date = {2022-09-14}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU}, language = {English}, urldate = {2022-09-19} } @online{tavares:20221130:unpacking:a15d3e0, author = {André Tavares}, title = {{Unpacking Colibri Loader: A Russian APT linked Campaign}}, date = {2022-11-30}, organization = {BitSight}, url = {https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign}, language = {English}, urldate = {2022-12-02} } @online{tavares:20230328:tofsee:60925da, author = {André Tavares}, title = {{Tofsee Botnet: Proxying and Mining}}, date = {2023-03-28}, organization = {BitSight}, url = {https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining}, language = {English}, urldate = {2023-03-29} } @online{tavares:20240109:data:6ba1669, author = {André Tavares}, title = {{Data Insights on AgentTesla and OriginLogger Victims}}, date = {2024-01-09}, organization = {BitSight}, url = {https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims}, language = {English}, urldate = {2024-01-10} } @online{tavares:20240227:hunting:575bdd7, author = {André Tavares}, title = {{Hunting PrivateLoader: The malware behind InstallsKey PPI service}}, date = {2024-02-27}, organization = {BitSight}, url = {https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service}, language = {English}, urldate = {2024-03-12} } @online{tavares:20241016:exfiltration:62ec841, author = {André Tavares}, title = {{Exfiltration over Telegram Bots: Skidding Infostealer Logs}}, date = {2024-10-16}, organization = {BitSight}, url = {https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs}, language = {English}, urldate = {2024-10-20} } @online{tavella:20210707:bandidos:f734d08, author = {Fernando Tavella and Matías Porolli}, title = {{Bandidos at large: A spying campaign in Latin America}}, date = {2021-07-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/}, language = {English}, urldate = {2021-07-09} } @online{tavella:20231005:operation:cf892cd, author = {Fernando Tavella}, title = {{Operation Jacana: Foundling hobbits in Guyana}}, date = {2023-10-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/}, language = {English}, urldate = {2023-10-09} } @online{tavor:20180910:ibm:74fe99b, author = {Shahar Tavor and Limor Kessem}, title = {{IBM X-Force Delves Into ExoBot’s Leaked Source Code}}, date = {2018-09-10}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/}, language = {English}, urldate = {2020-01-07} } @online{tavor:20211117:brazking:8153d89, author = {Shahar Tavor}, title = {{BrazKing Android Malware Upgraded and Targeting Brazilian Banks}}, date = {2021-11-17}, organization = {IBM}, url = {https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/}, language = {English}, urldate = {2021-11-18} } @online{taylor:20230302:bluehat:cdd75a0, author = {Daniel Taylor and Ben Magee}, title = {{BlueHat 2023: Hunting Qakbot with Daniel Taylor & Ben Magee}}, date = {2023-03-02}, organization = {Youtube (Microsoft Security Response Center (MSRC))}, url = {https://www.youtube.com/watch?v=OCRyEUhiEyw}, language = {English}, urldate = {2023-04-18} } @online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} } @online{tccontre:20191105:cobaltstrike:02e37af, author = {tccontre}, title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}}, date = {2019-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html}, language = {English}, urldate = {2019-12-17} } @online{tccontre:20200810:learning:8cc052c, author = {tccontre}, title = {{Learning From ICEID loader - Including its Steganography Payload Parsing}}, date = {2020-08-10}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html}, language = {English}, urldate = {2020-08-14} } @online{tcontre:20181108:re:c143721, author = {tcontre}, title = {{R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye'}}, date = {2018-11-08}, organization = {TC Contre}, url = {https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html}, language = {English}, urldate = {2020-01-09} } @online{tcontre:20190311:infor:d8863ed, author = {tcontre}, title = {{Infor Stealer Vidar TrojanSpy Analysis...}}, date = {2019-03-11}, url = {https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html}, language = {English}, urldate = {2020-01-05} } @online{tcontre:20191002:dcrat:1d1f601, author = {tcontre}, title = {{DCRAT malware Evades SandBox that use Fake Internet by using the Google public DNS IP address}}, date = {2019-10-02}, url = {https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html}, language = {English}, urldate = {2020-02-13} } @online{tcontre:20200408:covid19:9c90c45, author = {tcontre}, title = {{COVID19 Malware Analysis - with Kill MBR Feature}}, date = {2020-04-08}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html}, language = {English}, urldate = {2020-04-21} } @online{tcontre:20200514:netwalker:eabf178, author = {tcontre}, title = {{Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]}}, date = {2020-05-14}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html}, language = {English}, urldate = {2020-05-19} } @online{tcontre:20201105:interesting:17c82b2, author = {tcontre}, title = {{Interesting FormBook Crypter - unconventional way to store encrypted data}}, date = {2020-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html}, language = {English}, urldate = {2020-11-06} } @online{tcontre:20210118:extracting:4935b1c, author = {tcontre}, title = {{Extracting Shellcode in ICEID .PNG Steganography}}, date = {2021-01-18}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/01/}, language = {English}, urldate = {2021-01-21} } @online{tcontre:20210222:gh0strat:9f98308, author = {tcontre}, title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}}, date = {2021-02-22}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html}, language = {English}, urldate = {2021-02-25} } @online{tdr:20230513:mallox:14bec73, author = {Sekoia TDR and Jeremy Scion and Livia Tibirna and Pierre Le Bourhis}, title = {{Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns}}, date = {2023-05-13}, organization = {Sekoia}, url = {https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/}, language = {English}, urldate = {2024-05-15} } @online{tdr:20231213:calisto:834c909, author = {Sekoia TDR}, title = {{CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets}}, date = {2023-12-13}, organization = {Sekoia}, url = {https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/}, language = {English}, urldate = {2024-11-25} } @online{tdr:20240301:noname05716s:90439c9, author = {Sekoia TDR}, title = {{NoName057(16)’s DDoSia project: 2024 updates and behavioural shifts}}, date = {2024-03-01}, organization = {Sekoia}, url = {https://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/}, language = {English}, urldate = {2024-06-05} } @online{tdr:20240521:master:abe7fac, author = {Sekoia TDR and Coline Chavane and Amaury G. and Kilian Seznec}, title = {{Master of Puppets: Uncovering the DoppelGänger pro-Russian influence campaign}}, date = {2024-05-21}, organization = {Sekoia}, url = {https://blog.sekoia.io/master-of-puppets-uncovering-the-doppelganger-pro-russian-influence-campaign/}, language = {English}, urldate = {2024-05-21} } @online{tdr:20240715:muddywater:2124916, author = {Sekoia TDR}, title = {{MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign}}, date = {2024-07-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/}, language = {English}, urldate = {2024-09-26} } @online{tdr:20241017:clickfix:75edebc, author = {Sekoia TDR and Quentin Bourgue}, title = {{ClickFix tactic: The Phantom Meet}}, date = {2024-10-17}, organization = {Sekoia}, url = {https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/}, language = {English}, urldate = {2024-11-26} } @online{tdr:20250416:interlock:d355da5, author = {Sekoia TDR}, title = {{Interlock ransomware evolving under the radar}}, date = {2025-04-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/}, language = {English}, urldate = {2025-04-17} } @online{team82:20240409:unpacking:b45bd9c, author = {Team82}, title = {{Unpacking the Blackjack Group's Fuxnet Malware}}, date = {2024-04-09}, organization = {Claroty}, url = {https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware}, language = {English}, urldate = {2024-06-24} } @online{team82:20241210:inside:6e971e7, author = {Team82}, title = {{Inside a New OT/IoT Cyberweapon: IOCONTROL}}, date = {2024-12-10}, organization = {Claroty}, url = {https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol}, language = {English}, urldate = {2025-06-11} } @techreport{team82:20241218:inside:b480e04, author = {Team82}, title = {{Inside a New Cyberweapon: IOCONTROL}}, date = {2024-12-18}, institution = {Claroty}, url = {https://web-assets.claroty.com/resource-downloads/team82_iocontrol.pdf}, language = {English}, urldate = {2025-06-11} } @online{team82:20250202:do:434d967, author = {Team82}, title = {{Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…}}, date = {2025-02-02}, organization = {Team82}, url = {https://claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated}, language = {English}, urldate = {2025-02-11} } @online{team:20101110:lethic:4dc5a04, author = {ThreatLabZ research team}, title = {{Lethic Botnet Returns, Uses "Realtek" Identifier}}, date = {2010-11-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/lethic-botnet-returns-uses-realtek-identifier}, language = {English}, urldate = {2025-03-21} } @online{team:20120326:luckycat:b7b4f63, author = {Trend Micro Forward Looking Research Team}, title = {{LUCKYCAT REDUX Inside an APT Campaign with Multiple Targets in India and Japan}}, date = {2012-03-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan}, language = {English}, urldate = {2020-01-23} } @techreport{team:20120823:taidoor:a46f2c9, author = {Threat Research Team}, title = {{The Taidoor Campaign: AN IN-DEPTH ANALYSIS}}, date = {2012-08-23}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{team:2012:inside:f112987, author = {Forward-Looking Threat Research Team}, title = {{Inside an APT Campaign with Multiple Targets in India and Japan}}, date = {2012}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf}, language = {English}, urldate = {2020-01-08} } @online{team:20130520:lockscreen:22b0503, author = {Threat Intelligence Team}, title = {{Lockscreen Win32:Lyposit displayed as a fake MacOs app}}, date = {2013-05-20}, organization = {Avast}, url = {https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/}, language = {English}, urldate = {2020-01-10} } @techreport{team:201306:deep:fa9b41d, author = {Crowdstrike Global intelliGenCe team}, title = {{DEEP PANDA}}, date = {2013-06}, institution = {CrowdStrike}, url = {http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{team:20140609:crowdstrike:21f5399, author = {Crowdstrike Global intelliGenCe team}, title = {{CrowdStrike Intelligence Report: Putter Panda}}, date = {2014-06-09}, institution = {CrowdStrike}, url = {http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf}, language = {English}, urldate = {2020-01-09} } @online{team:20140807:innaput:a2516ed, author = {ASERT Team}, title = {{Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files}}, date = {2014-08-07}, organization = {NetScout}, url = {https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/}, language = {English}, urldate = {2019-10-23} } @online{team:20140814:hunting:1131839, author = {Unit 42 Team}, title = {{Hunting the Mutex}}, date = {2014-08-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/}, language = {English}, urldate = {2019-10-14} } @online{team:20140904:gholee:9f6be42, author = {ClearSky Research Team}, title = {{Gholee – a “protective edge” themed spear phishing campaign}}, date = {2014-09-04}, organization = {ClearSky}, url = {https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/}, language = {English}, urldate = {2020-01-10} } @techreport{team:20150225:operation:3300d1e, author = {Trend Micro Threat Research Team}, title = {{OPERATION ARID VIPER: Bypassing the Iron Dome}}, date = {2015-02-25}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf}, language = {English}, urldate = {2020-01-09} } @online{team:20150227:anthem:3576532, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-01-09} } @online{team:20150227:anthem:ac7d814, author = {ThreatConnect Research Team}, title = {{The Anthem Hack: All Roads Lead to China}}, date = {2015-02-27}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/}, language = {English}, urldate = {2020-04-06} } @techreport{team:201502:operation:04bda8b, author = {Trend Micro Threat Research Team}, title = {{Operation Arid Viper - Bypassing the Iron Dome}}, date = {2015-02}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf}, language = {English}, urldate = {2021-12-01} } @online{team:20150603:thamar:6baa58c, author = {ClearSky Research Team}, title = {{Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East}}, date = {2015-06-03}, organization = {ClearSky}, url = {http://www.clearskysec.com/thamar-reservoir/}, language = {English}, urldate = {2019-12-20} } @online{team:20150603:thamar:76c9ca9, author = {ClearSky Research Team}, title = {{Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East}}, date = {2015-06-03}, organization = {ClearSky}, url = {https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/}, language = {English}, urldate = {2019-10-12} } @online{team:20150615:stegoloader:9a04145, author = {CTU Research Team}, title = {{Stegoloader: A Stealthy Information Stealer}}, date = {2015-06-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer}, language = {English}, urldate = {2020-01-10} } @online{team:20150805:threat:410b881, author = {CTU Research Team}, title = {{Threat Group 3390 Cyberespionage}}, date = {2015-08-05}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage}, language = {English}, urldate = {2020-01-09} } @online{team:20150805:threat:8449b3f, author = {CTU Research Team}, title = {{Threat Group 3390 Cyberespionage}}, date = {2015-08-05}, organization = {Secureworks}, url = {http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/}, language = {English}, urldate = {2020-01-07} } @online{team:201508:uncovering:121e5cf, author = {ASERT Team}, title = {{Uncovering the Seven Pointed Dagger}}, date = {2015-08}, organization = {Arbor Networks}, url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn}, language = {English}, urldate = {2020-05-18} } @online{team:20150928:two:b0e6e12, author = {Trend Micro Forward Looking Research Team}, title = {{Two New PoS Malware Affecting US SMBs}}, date = {2015-09-28}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/}, language = {English}, urldate = {2020-01-07} } @online{team:20151007:hacker:d7748e6, author = {CTU Research Team}, title = {{Hacker Group Creates Network of Fake LinkedIn Profiles}}, date = {2015-10-07}, organization = {Secureworks}, url = {http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/}, language = {English}, urldate = {2020-01-13} } @online{team:20151102:modular:7726996, author = {CyS Centrum Incident Response Team}, title = {{Modular trojan for hidden access to a computer}}, date = {2015-11-02}, organization = {CyS Centrum}, url = {https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access}, language = {Russian}, urldate = {2020-01-08} } @online{team:20160127:introducing:20c8f54, author = {Threat Research Team}, title = {{Introducing Hi-Zor RAT}}, date = {2016-01-27}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat}, language = {English}, urldate = {2020-01-08} } @techreport{team:201601:operation:b45e4b9, author = {ClearSky Research Team}, title = {{Operation DustySky}}, date = {2016-01}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf}, language = {English}, urldate = {2019-11-29} } @online{team:20160406:andromeda:4b7f3e6, author = {Threat Intelligence Team}, title = {{Andromeda under the microscope}}, date = {2016-04-06}, organization = {Avast}, url = {https://blog.avast.com/andromeda-under-the-microscope}, language = {English}, urldate = {2020-01-13} } @online{team:20160426:digging:90e644b, author = {Microsoft Defender ATP Research Team}, title = {{Digging deep for PLATINUM}}, date = {2016-04-26}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/}, language = {English}, urldate = {2020-01-06} } @techreport{team:20160426:platinum:6d71086, author = {Windows Defender Advanced Threat Hunting Team}, title = {{PLATINUM Targeted attacks in South and Southeast Asia}}, date = {2016-04-26}, institution = {Microsoft}, url = {http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf}, language = {English}, urldate = {2020-01-13} } @online{team:20160602:fastpos:a50d6e2, author = {Trend Micro Cyber Safety Solutions Team}, title = {{FastPOS: Quick and Easy Credit Card Theft}}, date = {2016-06-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/}, language = {English}, urldate = {2020-08-05} } @techreport{team:20160608:operation:c8f6615, author = {ClearSky Research Team}, title = {{Operation DustySky Part 2}}, date = {2016-06-08}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf}, language = {English}, urldate = {2020-01-08} } @online{team:20160609:reverseengineering:6199f8b, author = {Microsoft Defender ATP Research Team}, title = {{Reverse-engineering DUBNIUM}}, date = {2016-06-09}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2}, language = {English}, urldate = {2020-01-06} } @online{team:20160625:sectorc08:84b8f56, author = {NSHC Threatrecon Team}, title = {{SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine}}, date = {2016-06-25}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/}, language = {English}, urldate = {2020-01-07} } @techreport{team:201606:fastpos:4d92bab, author = {Trend Micro Cyber Safety Solutions Team}, title = {{FastPOS: Quick and Easy Credit Card Theft}}, date = {2016-06}, institution = {Trend Micro}, url = {http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf}, language = {English}, urldate = {2019-11-29} } @online{team:20160712:me:d8f4707, author = {Threat Research Team}, title = {{Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter}}, date = {2016-07-12}, organization = {Fidelis Cybersecurity}, url = {https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/}, language = {English}, urldate = {2021-07-29} } @online{team:20160713:troldesh:52c2dc3, author = {Microsoft Defender ATP Research Team}, title = {{Troldesh ransomware influenced by (the) Da Vinci code}}, date = {2016-07-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/}, language = {English}, urldate = {2020-01-13} } @online{team:20160819:new:dead711, author = {Minerva Labs Research Team}, title = {{New Hancitor Malware: Pimp my Downloaded}}, date = {2016-08-19}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader}, language = {English}, urldate = {2019-10-15} } @online{team:20160920:inside:1bcfb68, author = {Threat Intelligence Team}, title = {{Inside Petya and Mischa ransomware}}, date = {2016-09-20}, organization = {Avast}, url = {https://blog.avast.com/inside-petya-and-mischa-ransomware}, language = {English}, urldate = {2023-10-30} } @online{team:20160928:belling:69cc9ec, author = {ThreatConnect Research Team}, title = {{Belling the BEAR}}, date = {2016-09-28}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter}, language = {English}, urldate = {2020-01-08} } @online{team:20161005:fastpos:02701a3, author = {Trend Micro Cyber Safety Solutions Team}, title = {{FastPOS Updates in Time for the Retail Sale Season}}, date = {2016-10-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/}, language = {English}, urldate = {2019-11-27} } @online{team:20161015:trickbot:cc9f48f, author = {Threat Research Team}, title = {{TrickBot: We Missed you, Dyre}}, date = {2016-10-15}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre}, language = {English}, urldate = {2019-11-28} } @online{team:20161018:digitally:4d4926a, author = {Cylance Threat Research Team}, title = {{Digitally Signed Malware Targeting Gaming Companies}}, date = {2016-10-18}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html}, language = {English}, urldate = {2019-12-24} } @online{team:20161018:digitally:f1b3290, author = {Cylance Threat Research Team}, title = {{Digitally Signed Malware Targeting Gaming Companies}}, date = {2016-10-18}, organization = {Cylance}, url = {https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies}, language = {English}, urldate = {2020-01-06} } @online{team:20161024:evasive:063b4ce, author = {lastline Labs Team}, title = {{Evasive Malware Detects and Defeats Virtual Machine Analysis}}, date = {2016-10-24}, organization = {Lastline}, url = {https://www.lastline.com/blog/evasive-malware-detects-and-defeats-virtual-machine-analysis/}, language = {English}, urldate = {2021-05-25} } @online{team:20161025:trickbot:dd465d9, author = {ASERT Team}, title = {{TrickBot Banker Insights}}, date = {2016-10-25}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/}, language = {English}, urldate = {2024-02-15} } @online{team:20161109:down:0fb3611, author = {Threat Research Team}, title = {{Down the H-W0rm Hole with Houdini’s RAT}}, date = {2016-11-09}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/}, language = {English}, urldate = {2020-01-08} } @online{team:20161128:netwire:b81c423, author = {Incident Reponse Team}, title = {{NetWire RAT Steals Payment Card Data}}, date = {2016-11-28}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data}, language = {English}, urldate = {2019-12-18} } @online{team:20161209:windows:d74c9b6, author = {Microsoft Defender ATP Research Team}, title = {{Windows 10: protection, detection, and response against recent Depriz malware attacks}}, date = {2016-12-09}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/}, language = {English}, urldate = {2020-01-08} } @online{team:20161214:twin:17e1d49, author = {Microsoft Defender ATP Research Team}, title = {{Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe}}, date = {2016-12-14}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/}, language = {English}, urldate = {2020-01-13} } @online{team:20161214:twin:d8711b9, author = {Microsoft Defender ATP Research Team}, title = {{Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe}}, date = {2016-12-14}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/}, language = {English}, urldate = {2020-01-09} } @online{team:20170105:iranian:8a44c55, author = {ClearSky Research Team}, title = {{Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford}}, date = {2017-01-05}, organization = {ClearSky}, url = {https://www.clearskysec.com/oilrig/}, language = {English}, urldate = {2019-12-03} } @online{team:20170105:iranian:da7cfef, author = {ClearSky Research Team}, title = {{Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford}}, date = {2017-01-05}, organization = {ClearSky}, url = {http://www.clearskysec.com/oilrig/}, language = {English}, urldate = {2020-01-13} } @online{team:20170125:detecting:92af610, author = {Microsoft Defender ATP Research Team}, title = {{Detecting threat actors in recent German industrial attacks with Windows Defender ATP}}, date = {2017-01-25}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/}, language = {English}, urldate = {2020-01-06} } @online{team:20170206:threat:6ebbaae, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Satan}}, date = {2017-02-06}, organization = {Cylance}, url = {https://www.cylance.com/threat-spotlight-satan-raas}, language = {English}, urldate = {2019-07-11} } @online{team:20170209:shell:16b5133, author = {The Cylance Threat Research Team}, title = {{Shell Crew Variants Continue to Fly Under Big AV’s Radar}}, date = {2017-02-09}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html}, language = {English}, urldate = {2019-10-14} } @online{team:20170215:iranian:004ec5a, author = {SecureWorks' Counter Threat Unit Research Team}, title = {{Iranian PupyRAT Bites Middle Eastern Organizations}}, date = {2017-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations}, language = {English}, urldate = {2019-10-23} } @online{team:20170301:threat:5837922, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Flokibot PoS Malware}}, date = {2017-03-01}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html}, language = {English}, urldate = {2020-01-06} } @online{team:20170308:rawpos:d467b10, author = {Threat Research Team}, title = {{RawPOS Malware Rides Again}}, date = {2017-03-08}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/rawpos-malware.html}, language = {English}, urldate = {2020-01-09} } @online{team:20170314:operation:38f832c, author = {ClearSky Research Team}, title = {{Operation Electric Powder – Who is targeting Israel Electric Company?}}, date = {2017-03-14}, organization = {ClearSky}, url = {http://www.clearskysec.com/iec/}, language = {English}, urldate = {2020-01-13} } @online{team:20170314:operation:40270ec, author = {ClearSky Research Team}, title = {{Operation Electric Powder – Who is targeting Israel Electric Company?}}, date = {2017-03-14}, organization = {ClearSky}, url = {https://www.clearskysec.com/iec/}, language = {English}, urldate = {2019-11-23} } @online{team:20170315:majikpos:bcd869f, author = {Trend Micro Cyber Safety Solutions Team}, title = {{MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks}}, date = {2017-03-15}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/}, language = {English}, urldate = {2020-01-13} } @online{team:20170322:el:34c3561, author = {Threat Research Team}, title = {{El Machete's Malware Attacks Cut Through LATAM}}, date = {2017-03-22}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html}, language = {English}, urldate = {2019-10-30} } @online{team:20170322:el:59e85c5, author = {Cylance Threat Research Team}, title = {{El Machete's Malware Attacks Cut Through LATAM}}, date = {2017-03-22}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html}, language = {English}, urldate = {2020-01-07} } @online{team:20170327:detecting:46740f0, author = {Microsoft Defender ATP Research Team}, title = {{Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005}}, date = {2017-03-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/}, language = {English}, urldate = {2020-01-08} } @online{team:20170328:threat:d6e9b57, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: GhostAdmin Malware}}, date = {2017-03-28}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html}, language = {English}, urldate = {2019-07-10} } @online{team:20170330:jerusalem:833dcce, author = {ClearSky Research Team}, title = {{Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten}}, date = {2017-03-30}, organization = {ClearSky}, url = {http://www.clearskysec.com/copykitten-jpost/}, language = {English}, urldate = {2020-01-09} } @online{team:20170413:inside:c7362e6, author = {Falcon Intelligence Team}, title = {{Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet}}, date = {2017-04-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/}, language = {English}, urldate = {2019-12-20} } @online{team:20170419:rawpos:f271512, author = {Trend Micro Cyber Safety Solutions Team}, title = {{RawPOS: New Behavior Risks Identity Theft}}, date = {2017-04-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite}, language = {English}, urldate = {2019-12-24} } @online{team:20170502:philadelphia:62e7fe3, author = {Threat Research Team}, title = {{Philadelphia Ransomware}}, date = {2017-05-02}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html}, language = {English}, urldate = {2020-01-09} } @online{team:20170523:quakbot:3572c02, author = {Cylance Threat Research Team}, title = {{Quakbot}}, date = {2017-05-23}, organization = {ThreatVector}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html}, language = {English}, urldate = {2020-01-08} } @online{team:20170607:platinum:38b4122, author = {Microsoft Defender ATP Research Team}, title = {{PLATINUM continues to evolve, find ways to maintain invisibility}}, date = {2017-06-07}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/}, language = {English}, urldate = {2019-11-25} } @online{team:20170613:threat:5709f24, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Breaking Down FF-Rat Malware}}, date = {2017-06-13}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html}, language = {English}, urldate = {2020-01-06} } @online{team:20170614:phantom:0078e23, author = {ThreatConnect Research Team}, title = {{Phantom of the Opaera: New KASPERAGENT Malware Campaign}}, date = {2017-06-14}, organization = {ThreatConnect}, url = {https://www.threatconnect.com/blog/kasperagent-malware-campaign/}, language = {English}, urldate = {2019-10-14} } @online{team:20170627:bronze:b3fb197, author = {CTU Research Team}, title = {{BRONZE UNION Cyberespionage Persists Despite Disclosures}}, date = {2017-06-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-union}, language = {English}, urldate = {2019-12-17} } @online{team:20170627:new:385fe97, author = {Microsoft Defender ATP Research Team}, title = {{New ransomware, old techniques: Petya adds worm capabilities}}, date = {2017-06-27}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/}, language = {English}, urldate = {2020-03-06} } @online{team:20170628:crowdstrike:e933e49, author = {Falcon Intelligence Team}, title = {{CrowdStrike Protects Against NotPetya Attack}}, date = {2017-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/}, language = {English}, urldate = {2019-12-20} } @online{team:20170629:windows:f957ff3, author = {Microsoft Defender ATP Research Team}, title = {{Windows 10 platform resilience against the Petya ransomware attack}}, date = {2017-06-29}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/}, language = {English}, urldate = {2020-01-07} } @online{team:20170705:slocker:f511130, author = {Mobile Threat Response Team}, title = {{SLocker Mobile Ransomware Starts Mimicking WannaCry}}, date = {2017-07-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/}, language = {English}, urldate = {2020-01-10} } @online{team:20170717:its:4b94b0b, author = {Threat Intelligence Team}, title = {{It’s baaaack: Public cyber enemy Emotet has returned}}, date = {2017-07-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/}, language = {English}, urldate = {2020-07-17} } @online{team:20170725:footprints:ef14363, author = {Applied Threat Research Team}, title = {{Footprints of Fin7: Tracking Actor Patterns (Part 1)}}, date = {2017-07-25}, organization = {Gigamon}, url = {https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns}, language = {English}, urldate = {2019-11-29} } @online{team:20170725:operation:a39915e, author = {ClearSky Research Team}, title = {{Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus}}, date = {2017-07-25}, organization = {ClearSky}, url = {http://www.clearskysec.com/tulip/}, language = {English}, urldate = {2020-01-08} } @online{team:20170727:curious:e19150b, author = {CTU Research Team}, title = {{The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets}}, date = {2017-07-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/the-curious-case-of-mia-ash}, language = {English}, urldate = {2020-01-13} } @online{team:20170828:recent:fab1e53, author = {ClearSky Research Team}, title = {{Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug}}, date = {2017-08-28}, organization = {ClearSky}, url = {http://www.clearskysec.com/ismagent/}, language = {English}, urldate = {2019-12-19} } @online{team:20170921:avast:c2efbfe, author = {Threat Intelligence Team}, title = {{Avast Threat Labs analysis of CCleaner incident}}, date = {2017-09-21}, organization = {Avast}, url = {https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident}, language = {English}, urldate = {2020-01-08} } @online{team:20170925:additional:d65b214, author = {Threat Intelligence Team}, title = {{Additional information regarding the recent CCleaner APT security incident}}, date = {2017-09-25}, organization = {Avast}, url = {https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident}, language = {English}, urldate = {2020-01-10} } @online{team:20170926:defray:8bab4ad, author = {Cylance Threat Research Team}, title = {{Defray Ransomware Hits Healthcare and Education}}, date = {2017-09-26}, organization = {Threat Vector}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html}, language = {English}, urldate = {2020-01-07} } @online{team:20171012:bronze:7b9ae02, author = {CTU Research Team}, title = {{BRONZE BUTLER Targets Japanese Enterprises}}, date = {2017-10-12}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses}, language = {English}, urldate = {2020-01-07} } @online{team:20171017:waterminer:7623525, author = {Minerva Labs Research Team}, title = {{WaterMiner – a New Evasive Crypto-Miner}}, date = {2017-10-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner}, language = {English}, urldate = {2020-01-06} } @online{team:20171020:dragonfly:1f70a20, author = {Critical Attack Discovery and Intelligence Team}, title = {{Dragonfly: Western energy sector targeted by sophisticated attack group}}, date = {2017-10-20}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks}, language = {English}, urldate = {2020-04-21} } @online{team:20171020:dragonfly:4f3d40d, author = {Security Response Attack Investigation Team}, title = {{Dragonfly: Western energy sector targeted by sophisticated attack group}}, date = {2017-10-20}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks}, language = {English}, urldate = {2019-11-22} } @online{team:20171020:dragonfly:ccf277c, author = {Security Response Attack Investigation Team}, title = {{Dragonfly: Western energy sector targeted by sophisticated attack group}}, date = {2017-10-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group}, language = {English}, urldate = {2019-12-17} } @online{team:20171024:iranian:44f6acc, author = {ClearSky Research Team}, title = {{Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies}}, date = {2017-10-24}, organization = {ClearSky}, url = {https://www.clearskysec.com/greenbug/}, language = {English}, urldate = {2019-12-02} } @online{team:20171024:iranian:f9fddd8, author = {ClearSky Research Team}, title = {{Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies}}, date = {2017-10-24}, organization = {ClearSky}, url = {http://www.clearskysec.com/greenbug/}, language = {English}, urldate = {2020-01-13} } @online{team:20171106:mitigating:b623a70, author = {Microsoft Defender ATP Research Team}, title = {{Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks}}, date = {2017-11-06}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/}, language = {English}, urldate = {2020-10-23} } @online{team:20171106:mitigating:f52d1d9, author = {Microsoft Defender ATP Research Team}, title = {{Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks}}, date = {2017-11-06}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc}, language = {English}, urldate = {2019-12-18} } @online{team:20171107:locky:a38e9b5, author = {Cylance Threat Research Team}, title = {{Locky Ransomware}}, date = {2017-11-07}, organization = {ThreatVector}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html}, language = {English}, urldate = {2020-01-07} } @online{team:20171204:microsoft:0cab56d, author = {Microsoft Defender ATP Research Team and Microsoft Digital Crimes Unit}, title = {{Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)}}, date = {2017-12-04}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/}, language = {English}, urldate = {2020-01-13} } @online{team:20171205:charming:064ca51, author = {ClearSky Research Team}, title = {{Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets}}, date = {2017-12-05}, url = {http://www.clearskysec.com/charmingkitten/}, language = {English}, urldate = {2019-12-17} } @online{team:20171219:cyberespionage:5683024, author = {Mobile Threat Response Team}, title = {{Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy}}, date = {2017-12-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/}, language = {English}, urldate = {2019-12-18} } @techreport{team:201712:charming:49a8e0c, author = {ClearSky Research Team}, title = {{Charming Kitten}}, date = {2017-12}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf}, language = {English}, urldate = {2019-12-04} } @online{team:20180116:threat:9f912f5, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: LockPOS Point of Sale Malware}}, date = {2018-01-16}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html}, language = {English}, urldate = {2019-11-25} } @techreport{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-09-20} } @online{team:20180207:threat:c0550bd, author = {Threat Research Team}, title = {{Threat Spotlight: URSNIF Infostealer Malware}}, date = {2018-02-07}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html}, language = {English}, urldate = {2019-11-24} } @online{team:20180221:avast:3991fd0, author = {Threat Intelligence Team}, title = {{Avast tracks down Tempting Cedar Spyware}}, date = {2018-02-21}, organization = {Avast}, url = {https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware}, language = {English}, urldate = {2020-01-08} } @online{team:20180227:threat:5ed12a2, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Inside UDPoS Malware}}, date = {2018-02-27}, organization = {ThreatVector}, url = {https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html}, language = {English}, urldate = {2020-01-08} } @online{team:20180228:chafer:552bafb, author = {Security Response Attack Investigation Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-01-09} } @online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } @online{team:20180301:finfisher:e1de78f, author = {Office 365 Threat Research Team and Microsoft Defender ATP Research Team}, title = {{FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines}}, date = {2018-03-01}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/}, language = {English}, urldate = {2020-01-08} } @online{team:20180308:donot:6f0c645, author = {ASERT Team}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/}, language = {English}, urldate = {2020-01-09} } @online{team:20180308:new:f825c46, author = {Threat Intelligence Team}, title = {{New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities}}, date = {2018-03-08}, organization = {Avast}, url = {https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities}, language = {English}, urldate = {2020-01-08} } @online{team:20180309:from:7820406, author = {lastline Labs Team}, title = {{From Russia(?) with Code}}, date = {2018-03-09}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/attribution-from-russia-with-code/}, language = {English}, urldate = {2020-01-07} } @online{team:20180314:inception:ee787d2, author = {Security Response Attack Investigation Team and Network Protection Security Labs}, title = {{Inception Framework: Alive and Well, and Hiding Behind Proxies}}, date = {2018-03-14}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies}, language = {English}, urldate = {2020-01-09} } @online{team:20180404:hunting:fe0f809, author = {Microsoft Defender ATP Research Team}, title = {{Hunting down Dofoil with Windows Defender ATP}}, date = {2018-04-04}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/}, language = {English}, urldate = {2020-01-08} } @online{team:20180423:new:7b44d39, author = {Security Response Attack Investigation Team}, title = {{New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia}}, date = {2018-04-23}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia}, language = {English}, urldate = {2020-01-13} } @online{team:20180501:lojack:244d59b, author = {ASERT Team}, title = {{Lojack Becomes a Double-Agent}}, date = {2018-05-01}, organization = {NetScout}, url = {https://asert.arbornetworks.com/lojack-becomes-a-double-agent/}, language = {English}, urldate = {2019-10-23} } @online{team:20180517:gozi:f554055, author = {Threat Research Team}, title = {{Gozi V3 Technical Update}}, date = {2018-05-17}, organization = {Fidelis}, url = {https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/}, language = {English}, urldate = {2020-01-08} } @online{team:20180523:vpnfilter:1e6942e, author = {Symantec Security Response Team}, title = {{VPNFilter: New Router Malware with Destructive Capabilities}}, date = {2018-05-23}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware}, language = {English}, urldate = {2019-12-17} } @online{team:20180525:analysis:a83bb88, author = {360 Helios Team}, title = {{Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack}}, date = {2018-05-25}, organization = {360}, url = {https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/}, language = {English}, urldate = {2020-05-14} } @online{team:20180619:kardon:2f99f67, author = {ASERT Team}, title = {{Kardon Loader Looks for Beta Testers}}, date = {2018-06-19}, organization = {NetScout}, url = {https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/}, language = {English}, urldate = {2019-12-06} } @online{team:20180619:thrip:4662184, author = {Security Response Attack Investigation Team}, title = {{Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies}}, date = {2018-06-19}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets}, language = {English}, urldate = {2020-01-09} } @online{team:20180703:infrastructure:139fa0f, author = {ClearSky Research Team}, title = {{Infrastructure and Samples of Hamas’ Android Malware Targeting Israeli Soldiers}}, date = {2018-07-03}, organization = {ClearSky}, url = {https://www.clearskysec.com/glancelove/}, language = {English}, urldate = {2019-10-15} } @online{team:20180718:evolution:25e5d39, author = {Security Response Attack Investigation Team}, title = {{The Evolution of Emotet: From Banking Trojan to Threat Distributor}}, date = {2018-07-18}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor}, language = {English}, urldate = {2019-11-27} } @online{team:20180718:gandcrab:dc09385, author = {AhnLab ASEC Analysis Team}, title = {{GandCrab v4.1.2 Encryption Blocking Method (Kill Switch)}}, date = {2018-07-18}, organization = {ASEC}, url = {http://asec.ahnlab.com/1145}, language = {Korean}, urldate = {2020-01-08} } @online{team:20180725:leafminer:0591f9b, author = {Critical Attack Discovery and Intelligence Team and Network Protection Security Labs}, title = {{Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions}}, date = {2018-07-25}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east}, language = {English}, urldate = {2020-04-21} } @online{team:20180725:leafminer:703a0ae, author = {Security Response Attack Investigation Team and Network Protection Security Labs}, title = {{Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions}}, date = {2018-07-25}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east}, language = {English}, urldate = {2019-12-19} } @online{team:20180824:back:baf0f3b, author = {CTU Research Team}, title = {{Back to School: COBALT DICKENS Targets Universities}}, date = {2018-08-24}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities}, language = {English}, urldate = {2019-12-06} } @online{team:20180830:double:8129db5, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/double-infection-double-fun}, language = {English}, urldate = {2020-01-05} } @online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} } @online{team:20180914:tunneling:c41e0f2, author = {ASERT Team}, title = {{Tunneling Under the Sands}}, date = {2018-09-14}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/tunneling-under-sands}, language = {English}, urldate = {2020-01-13} } @online{team:20180921:vigilante:ede26ef, author = {SonicWall CaptureLabs Threats Research Team}, title = {{VIGILANTE MALWARE REMOVES CRYPTOMINERS FROM THE INFECTED DEVICE}}, date = {2018-09-21}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/}, language = {English}, urldate = {2019-10-13} } @online{team:20180927:torii:186f7d7, author = {Threat Intelligence Team}, title = {{Torii botnet - Not another Mirai variant}}, date = {2018-09-27}, organization = {Avast}, url = {https://blog.avast.com/new-torii-botnet-threat-research}, language = {English}, urldate = {2020-01-13} } @online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} } @online{team:20181004:apt28:f5e15cf, author = {Security Response Attack Investigation Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://www.symantec.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2019-11-23} } @online{team:20181005:ars:73951a5, author = {Blueliv Labs Team}, title = {{ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)}}, date = {2018-10-05}, organization = {Blueliv}, url = {https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/}, language = {English}, urldate = {2020-01-08} } @online{team:20181010:gallmaker:e069f48, author = {Security Response Attack Investigation Team}, title = {{Gallmaker: New Attack Group Eschews Malware to Live off the Land}}, date = {2018-10-10}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group}, language = {English}, urldate = {2019-11-27} } @online{team:20181101:cta:d0c6bde, author = {FortiGuard SE Team}, title = {{CTA Adversary Playbook: Goblin Panda}}, date = {2018-11-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html}, language = {English}, urldate = {2020-01-08} } @online{team:20181108:fastcash:acf8e38, author = {Critical Attack Discovery and Intelligence Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2020-04-21} } @online{team:20181108:fastcash:ee26edb, author = {Security Response Attack Investigation Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2022-05-03} } @online{team:20181128:muddywater:89a520f, author = {ClearSky Research Team}, title = {{MuddyWater Operations in Lebanon and Oman}}, date = {2018-11-28}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/}, language = {English}, urldate = {2019-07-09} } @online{team:20181203:analysis:828df29, author = {Microsoft Defender ATP Research Team}, title = {{Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers}}, date = {2018-12-03}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/}, language = {English}, urldate = {2020-01-09} } @online{team:20181205:stolen:0f87971, author = {ASERT Team}, title = {{STOLEN PENCIL Campaign Targets Academia}}, date = {2018-12-05}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia}, language = {English}, urldate = {2020-01-05} } @online{team:20181205:stolen:bc9dd60, author = {ASERT Team}, title = {{STOLEN PENCIL Campaign Targets Academia}}, date = {2018-12-05}, organization = {NetScout}, url = {https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/}, language = {English}, urldate = {2020-01-08} } @online{team:20181210:seedworm:d6dba3c, author = {Symantec DeepSight Adversary Intelligence Team}, title = {{Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms}}, date = {2018-12-10}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group}, language = {English}, urldate = {2019-11-17} } @online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } @online{team:20181214:shamoon:5c1ab4d, author = {Security Response Attack Investigation Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-01-13} } @online{team:20181218:greenspotoperations:eda8f84, author = {Antiy PTA Team}, title = {{“GreenSpot”Operations Grow For Many Years}}, date = {2018-12-18}, organization = {Antiy}, url = {https://www.antiy.net/p/greenspotoperations-grow-for-many-years/}, language = {English}, urldate = {2025-03-07} } @online{team:20181219:danabots:023363e, author = {ASERT Team}, title = {{Danabot's Travels, A Global Perspective}}, date = {2018-12-19}, organization = {NetScout}, url = {https://asert.arbornetworks.com/danabots-travels-a-global-perspective/}, language = {English}, urldate = {2019-11-29} } @online{team:20190110:darkhydrus:e6746d1, author = {RedDrip Team}, title = {{Tweet on DarkHydrus}}, date = {2019-01-10}, organization = {Twitter (@RedDrip7)}, url = {https://mobile.twitter.com/360TIC/status/1083289987339042817}, language = {English}, urldate = {2020-01-06} } @online{team:20190123:sectora01:963118e, author = {ThreatRecon Team}, title = {{SectorA01 Custom Proxy Utility Tool Analysis}}, date = {2019-01-23}, organization = {NSHC RedAlert Labs}, url = {https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/}, language = {English}, urldate = {2019-10-18} } @online{team:20190207:sales:c48c8d0, author = {Blueliv Labs Team}, title = {{Sales of AZORult grind to an AZOR-halt}}, date = {2019-02-07}, organization = {Blueliv}, url = {https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/}, language = {English}, urldate = {2019-11-20} } @online{team:20190216:spoofing:eeffd53, author = {Threat Intelligence Team}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-02-16}, organization = {Avast}, url = {https://blog.avast.com/rietspoof-malware-increases-activity}, language = {English}, urldate = {2020-01-10} } @online{team:20190221:fake:e94f77a, author = {Proofpoint Threat Insight Team}, title = {{Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers}}, date = {2019-02-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers}, language = {English}, urldate = {2019-12-20} } @online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } @online{team:20190301:breakdown:fbb8608, author = {FortiGuard SE Team}, title = {{Breakdown of a Targeted DanaBot Attack}}, date = {2019-03-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html}, language = {English}, urldate = {2019-11-26} } @online{team:20190306:whitefly:6afdd55, author = {Security Response Attack Investigation Team}, title = {{Whitefly: Espionage Group has Singapore in Its Sights}}, date = {2019-03-06}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore}, language = {English}, urldate = {2020-01-08} } @online{team:20190315:rocke:a64a1b3, author = {Threat Research Team}, title = {{Rocke Evolves Its Arsenal With a New Malware Family Written in Golang}}, date = {2019-03-15}, organization = {Anomali}, url = {https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang}, language = {English}, urldate = {2020-01-08} } @online{team:20190319:sectorm04:6c6ea37, author = {ThreatRecon Team}, title = {{SectorM04 Targeting Singapore – An Analysis}}, date = {2019-03-19}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/}, language = {English}, urldate = {2020-01-07} } @techreport{team:20190322:asec:3a00378, author = {AhnLab ASEC Analysis Team}, title = {{ASEC REPORT VOL.93 Q4 2018}}, date = {2019-03-22}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf}, language = {English}, urldate = {2020-07-24} } @online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } @online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } @online{team:20190410:gaza:d5f5a32, author = {Kaspersky Team}, title = {{The Gaza cybergang and its SneakyPastes campaign}}, date = {2019-04-10}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/gaza-cybergang/26363/}, language = {English}, urldate = {2019-12-18} } @online{team:20190415:iranian:5a7f4ff, author = {ClearSky Research Team}, title = {{Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey}}, date = {2019-04-15}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/}, language = {English}, urldate = {2020-01-07} } @techreport{team:20190419:oceanlotus:6167f99, author = {Cylance Threat Research Team}, title = {{OceanLotus Steganography}}, date = {2019-04-19}, institution = {Cylance}, url = {https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/white-papers/OceanLotus-Steganography-Malware-Analysis-White-Paper.pdf}, language = {English}, urldate = {2020-04-23} } @online{team:20190424:beapy:47836e9, author = {Symantec Response Attack Investigation Team}, title = {{Beapy: Cryptojacking Worm Hits Enterprises in China}}, date = {2019-04-24}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china}, language = {English}, urldate = {2020-01-09} } @online{team:20190429:where:8c3db39, author = {Blueliv Labs Team}, title = {{Where is Emotet? Latest geolocation data}}, date = {2019-04-29}, organization = {Blueliv}, url = {https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/}, language = {English}, urldate = {2020-01-08} } @online{team:20190507:buckeye:a4cf7d8, author = {Security Response Attack Investigation Team}, title = {{Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak}}, date = {2019-05-07}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit}, language = {English}, urldate = {2020-01-13} } @techreport{team:201905:iranian:536dc45, author = {ClearSky Research Team}, title = {{Iranian Nation-State APT Groups 'Black Box' Leak}}, date = {2019-05}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf}, language = {English}, urldate = {2019-12-24} } @online{team:20190604:threat:c448cf8, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Analyzing AZORult Infostealer Malware}}, date = {2019-06-04}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html}, language = {English}, urldate = {2020-02-10} } @online{team:20190610:threat:fc73094, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: MenuPass/QuasarRAT Backdoor}}, date = {2019-06-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html}, language = {English}, urldate = {2020-01-06} } @online{team:20190619:urlzone:9163ce0, author = {Proofpoint Threat Insight Team}, title = {{URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape}}, date = {2019-06-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0}, language = {English}, urldate = {2021-05-31} } @online{team:20190620:new:ec29b50, author = {Red Raindrop Team}, title = {{New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam}}, date = {2019-06-20}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/}, language = {English}, urldate = {2023-09-11} } @online{team:20190620:waterbug:9c50dd1, author = {Symantec DeepSight Adversary Intelligence Team and Symantec Network Protection Security Labs}, title = {{Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments}}, date = {2019-06-20}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments}, language = {English}, urldate = {2020-01-13} } @online{team:20190701:threat:29bfb97, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Ratsnif - New Network Vermin from OceanLotus}}, date = {2019-07-01}, organization = {Threat Vector}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html}, language = {English}, urldate = {2020-01-05} } @online{team:20190708:dismantling:7570b60, author = {Microsoft Defender ATP Research Team}, title = {{Dismantling a fileless campaign: Microsoft Defender ATP’s Antivirus exposes Astaroth attack}}, date = {2019-07-08}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/}, language = {English}, urldate = {2019-12-02} } @online{team:20190710:ech0raix:b334de7, author = {Threat Research Team}, title = {{The eCh0raix Ransomware}}, date = {2019-07-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/the-ech0raix-ransomware}, language = {English}, urldate = {2020-01-10} } @online{team:20190710:flirting:dbf23d3, author = {Cylance Threat Research Team}, title = {{Flirting With IDA and APT28}}, date = {2019-07-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html}, language = {English}, urldate = {2020-01-06} } @online{team:20190711:threat:00e0a1a, author = {Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware}}, date = {2019-07-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware}, language = {English}, urldate = {2021-05-31} } @online{team:20190724:resurgent:287b932, author = {CTU Research Team}, title = {{Resurgent Iron Liberty Targeting Energy Sector}}, date = {2019-07-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector}, language = {English}, urldate = {2019-12-06} } @online{team:20190724:updated:a73327c, author = {CTU Research Team}, title = {{Updated Karagany Malware Targets Energy Sector}}, date = {2019-07-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector}, language = {English}, urldate = {2020-01-07} } @online{team:20190802:sectore02:c2237b1, author = {ThreatRecon Team}, title = {{SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government}}, date = {2019-08-02}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/}, language = {English}, urldate = {2020-01-08} } @online{team:20190805:corporate:683c54a, author = {MSRC Team}, title = {{Corporate IoT – a path to intrusion (APT28/STRONTIUM)}}, date = {2019-08-05}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/}, language = {English}, urldate = {2020-08-14} } @online{team:20190812:psixbot:14fd373, author = {Proofpoint Threat Insight Team}, title = {{PsiXBot Continues to Evolve with Updated DNS Infrastructure}}, date = {2019-08-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure}, language = {English}, urldate = {2019-12-20} } @online{team:20190824:simda:cd1d519, author = {SonicWall CaptureLabs Threats Research Team}, title = {{Simda Process Injection into Winlogon DGA Found}}, date = {2019-08-24}, organization = {SonicWall}, url = {https://www.sonicwall.com/blog/simda-process-injection-into-winlogon-dga-found}, language = {English}, urldate = {2025-03-06} } @online{team:20190826:aptc09:a228795, author = {Red Raindrop Team}, title = {{APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan}}, date = {2019-08-26}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/}, language = {English}, urldate = {2020-01-07} } @online{team:20190827:lyceum:afc3b25, author = {CTU Research Team}, title = {{LYCEUM Takes Center Stage in Middle East Campaign}}, date = {2019-08-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign}, language = {English}, urldate = {2020-01-06} } @online{team:20190827:trickbot:fa5f95b, author = {CTU Research Team}, title = {{TrickBot Modifications Target U.S. Mobile Users}}, date = {2019-08-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users}, language = {English}, urldate = {2020-01-09} } @online{team:20190828:inside:c3051c2, author = {Cylance Threat Research Team}, title = {{Inside the APT28 DLL Backdoor Blitz}}, date = {2019-08-28}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html}, language = {English}, urldate = {2020-01-06} } @online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } @online{team:20190904:hildacrypt:b815c7a, author = {SonicWall CaptureLabs Threats Research Team}, title = {{HILDACRYPT ransomware actively spreading in the wild}}, date = {2019-09-04}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/}, language = {English}, urldate = {2023-10-10} } @online{team:20190906:psixbot:7f87948, author = {Proofpoint Threat Insight Team}, title = {{PsiXBot Now Using Google DNS over HTTPS and Possible New Sexploitation Module}}, date = {2019-09-06}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module}, language = {English}, urldate = {2019-12-20} } @online{team:20190911:cobalt:7ecb95c, author = {CTU Research Team}, title = {{COBALT DICKENS Goes Back to School…Again}}, date = {2019-09-11}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again}, language = {English}, urldate = {2020-01-08} } @online{team:20190916:emotet:9c6c8f3, author = {Threat Intelligence Team}, title = {{Emotet is back: botnet springs back to life with new spam campaign}}, date = {2019-09-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/}, language = {English}, urldate = {2019-12-20} } @online{team:20190918:tortoiseshell:4881fc1, author = {Security Response Attack Investigation Team}, title = {{Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks}}, date = {2019-09-18}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain}, language = {English}, urldate = {2020-01-13} } @online{team:20190919:hagga:066e932, author = {ThreatRecon Team}, title = {{Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore}}, date = {2019-09-19}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/}, language = {English}, urldate = {2020-01-08} } @online{team:20190924:revil:3f165f3, author = {CTU Research Team}, title = {{REvil: The GandCrab Connection}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/revil-the-gandcrab-connection}, language = {English}, urldate = {2020-01-08} } @online{team:20190924:revilsodinokibi:646c88c, author = {CTU Research Team}, title = {{REvil/Sodinokibi Ransomware}}, date = {2019-09-24}, organization = {Secureworks}, url = {https://www.secureworks.com/research/revil-sodinokibi-ransomware}, language = {English}, urldate = {2020-01-08} } @online{team:20190925:pcshare:ac2d45a, author = {Cylance Research and Intelligence Team}, title = {{PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware}}, date = {2019-09-25}, organization = {Cylance}, url = {https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html}, language = {English}, urldate = {2021-10-24} } @online{team:20190926:bring:d73d53e, author = {Microsoft Defender ATP Research Team}, title = {{Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware}}, date = {2019-09-26}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/}, language = {English}, urldate = {2020-05-18} } @online{team:20190930:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2019-09-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2022-05-04} } @techreport{team:20191010:asec:6452cd4, author = {ASEC Analysis Team}, title = {{ASEC Report Vol. 96: Analysis Report on Operation Red Salt, Analysis on the Malicious SDB File Found in Ammyy Hacking Tool}}, date = {2019-10-10}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf}, language = {English}, urldate = {2022-04-15} } @online{team:20191014:threat:42bffb4, author = {Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA407, the Silent Librarian}}, date = {2019-10-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian}, language = {English}, urldate = {2019-10-18} } @online{team:20191105:lazarus:6c782e8, author = {Telsy Research Team}, title = {{The Lazarus’ gaze to the world: What is behind the first stone?}}, date = {2019-11-05}, organization = {Telsy}, url = {https://www.telsy.com/lazarus-gate/}, language = {English}, urldate = {2023-07-31} } @online{team:20191118:surprised:2930338, author = {Red Raindrop Team}, title = {{Surprised by Julius the Great! Disclosure of Cyrus attacks against Iran}}, date = {2019-11-18}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/}, language = {Chinese}, urldate = {2021-02-09} } @techreport{team:20191120:malware:8720455, author = {Blueliv Team}, title = {{Malware Campaign Targeting LATAM & Spanish Banks}}, date = {2019-11-20}, institution = {Blueliv}, url = {https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf}, language = {English}, urldate = {2021-07-29} } @online{team:20191121:gandcrab:39506f0, author = {ASEC Analysis Team}, title = {{GandCrab Finds DEATHRansom of the Same Appearance Following Nemty in Korea}}, date = {2019-11-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/1269}, language = {English}, urldate = {2020-01-09} } @online{team:20191126:insights:8fd4b6c, author = {Microsoft Defender ATP Research Team}, title = {{Insights from one year of tracking a polymorphic threat}}, date = {2019-11-26}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/}, language = {English}, urldate = {2020-01-08} } @online{team:20191203:new:39b59e1, author = {Threat Intelligence Team}, title = {{New version of IcedID Trojan uses steganographic payloads}}, date = {2019-12-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/}, language = {English}, urldate = {2019-12-24} } @online{team:20191203:threat:6665e7f, author = {NSHC Threatrecon Team}, title = {{Threat Actor Targeting Hong Kong Pro-Democracy Figures}}, date = {2019-12-03}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/}, language = {English}, urldate = {2020-01-08} } @online{team:20191204:tentacles:721ed63, author = {Gcow Security Team}, title = {{Tentacles reaching Central Asia: analysis of Uzbekistan activities by DustSquad APT}}, date = {2019-12-04}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw}, language = {Chinese}, urldate = {2020-01-10} } @online{team:20191211:zeppelin:dea0202, author = {Cylance Threat Research Team}, title = {{Zeppelin: Russian Ransomware Targets High Profile Users in the U.S. and Europe}}, date = {2019-12-11}, organization = {Threat Vector}, url = {https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html}, language = {English}, urldate = {2019-12-15} } @online{team:20191229:bronze:bda6bfc, author = {CTU Research Team}, title = {{BRONZE PRESIDENT Targets NGOs}}, date = {2019-12-29}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-president-targets-ngos}, language = {English}, urldate = {2020-01-10} } @online{team:20200107:powershell:fb8264e, author = {Team}, title = {{Powershell Static Analysis & Emotet results}}, date = {2020-01-07}, organization = {Hatching.io}, url = {https://hatching.io/blog/powershell-analysis}, language = {English}, urldate = {2020-01-12} } @online{team:20200116:paradise:aa2452a, author = {Bitdefender Team}, title = {{Paradise Ransomware decryption tool}}, date = {2020-01-16}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool}, language = {English}, urldate = {2020-01-20} } @online{team:20200120:behind:edefc01, author = {AhnLab Security Analysis Team}, title = {{Behind the scenes of GandCrab’s operation}}, date = {2020-01-20}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/}, language = {English}, urldate = {2020-01-20} } @online{team:20200121:sload:2a2962b, author = {Microsoft Defender ATP Research Team}, title = {{sLoad launches version 2.0, Starslord}}, date = {2020-01-21}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/}, language = {English}, urldate = {2020-01-22} } @online{team:20200130:competitions:90773f4, author = {Photon Research Team}, title = {{Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating?}}, date = {2020-01-30}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/}, language = {English}, urldate = {2020-02-03} } @techreport{team:20200216:fox:23f1677, author = {ClearSky Research Team}