1. Home
  2. Techniques
  3. Enterprise
  4. Data from Local System

Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.

ID: T1005
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Linux, Network, Windows, macOS
System Requirements: Privileges to access certain files and directories
Contributors: Austin Clark, @c2defense; William Cain
Version: 1.4
Created: 31 May 2017
Last Modified: 20 April 2022

Procedure Examples

ID Name Description
G0138 Andariel

Andariel has collected large numbers of files from compromised network systems for later extraction.[1]
S0622 AppleSeed

AppleSeed can collect data on a compromised host.[2][3]
G0006 APT1

APT1 has collected files from a local victim.[4]
G0007 APT28

APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.[5][6][7][8]
G0016 APT29

APT29 has extracted files from compromised networks.[9]

G0022 APT3

APT3 will identify Microsoft Office documents on the victim's computer.[10]
G0067 APT37

APT37 has collected data from victims' local systems.[11]
G0082 APT38

APT38 has collected data from a compromised host.[12]
G0087 APT39

APT39 has used various tools to steal files from the compromised host.[13][14]
G0096 APT41

APT41 has uploaded files and data from a compromised host.[15]
G0001 Axiom

Axiom has collected data from a compromised network.[16]
S0642 BADFLICK

BADFLICK has uploaded files from victims' machines.[17]
S0128 BADNEWS

When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[18][19]
S0337 BadPatch

BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.[20]
S0234 Bandook

Bandook can collect local files from the system .[21]

S0239 Bankshot

Bankshot collects files from the local system.[22]
S0534 Bazar

Bazar can retrieve information from the infected machine.[23]
S0268 Bisonal

Bisonal has collected information from a compromised host.[24]

S0564 BlackMould

BlackMould can copy files on a compromised host.[25]
S0520 BLINDINGCAN

BLINDINGCAN has uploaded files from victim machines.[26]
S0651 BoxCaon

BoxCaon can upload files from a compromised host.[27]
G0060 BRONZE BUTLER

BRONZE BUTLER has exfiltrated files stolen from local systems.[28]
S0274 Calisto

Calisto can collect data from user directories.[29]
S0572 Caterpillar WebShell

Caterpillar WebShell has a module to collect information from the local database.[30]

S0674 CharmPower

CharmPower can collect data and files from a compromised host.[31]
S0020 China Chopper

China Chopper's server component can upload local files.[32][33][34]
S0660 Clambling

Clambling can collect information from a compromised host.[35]
S0154 Cobalt Strike

Cobalt Strike can collect data from a local system.[36][37]
S0492 CookieMiner

CookieMiner has retrieved iPhone text messages from iTunes phone backup files.[38]
S0050 CosmicDuke

CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[39]
S0538 Crutch

Crutch can exfiltrate files from compromised systems.[40]
S0498 Cryptoistic

Cryptoistic can retrieve files from the local file system.[41]
S0687 Cyclops Blink

Cyclops Blink can upload files from a compromised host.[42]
G0070 Dark Caracal

Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.[43]
S0673 DarkWatchman

DarkWatchman can collect files from a compromised host.[44]
G0035 Dragonfly

Dragonfly has collected data from local victim systems.[45]
S0694 DRATzarus

DRATzarus can collect information from a compromised host.[46]
S0502 Drovorub

Drovorub can transfer files from the victim machine.[47]
S0567 Dtrack

Dtrack can collect a variety of information from victim machines.[48]
G0031 Dust Storm

Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.[49]
S0634 EnvyScout

EnvyScout can collect sensitive NTLM material from a compromised host.[50]
S0404 esentutl

esentutl can be used to collect data from local file systems.[51]
S0512 FatDuke

FatDuke can copy files and directories from a compromised host.[52]
G0037 FIN6

FIN6 has collected and exfiltrated payment card data from compromised systems.[53][54][55]
G0046 FIN7

FIN7 has collected files and other sensitive information from a compromised network.[56]
S0696 Flagpro

Flagpro can collect data from a compromised host, including Windows authentication information.[57]
S0036 FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.[58]
S0661 FoggyWeb

FoggyWeb can retrieve configuration data from a compromised AD FS server.[59]
S0193 Forfiles

Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before).[5]
G0117 Fox Kitten

Fox Kitten has searched local system resources to access sensitive documents.[60]
S0503 FrameworkPOS

FrameworkPOS can collect elements related to credit card data from process memory.[61]
G0101 Frankenstein

Frankenstein has enumerated hosts via Empire, gathering various local system information.[62]
G0093 GALLIUM

GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[63]
G0047 Gamaredon Group

Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.[64]
S0477 Goopy

Goopy has the ability to exfiltrate documents from infected systems.[65]

S0237 GravityRAT

GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[66]
S0690 Green Lambert

Green Lambert can collect data from a compromised host.[67]
S0632 GrimAgent

GrimAgent can collect data and files from a compromised host.[68]
S0009 Hikit

Hikit can upload files from compromised machines.[16]
G0072 Honeybee

Honeybee collects data from the local victim system.[69]
S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can read data from files.[70][71]
G0100 Inception

Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.[72]
S0260 InvisiMole

InvisiMole can collect data from the system, and can monitor changes in specified directories.[73]
S0015 Ixeshe

Ixeshe can collect data from a local system.[74]
S0265 Kazuar

Kazuar uploads files from a specified directory to the C2 server.[75]
G0004 Ke3chang

Ke3chang gathered information and files from local directories for exfiltration.[76][77]
S0526 KGH_SPY

KGH_SPY can send a file containing victim system information to C2.[78]
G0094 Kimsuky

Kimsuky has collected Office, PDF, and HWP documents from its victims.[79][80]
S0250 Koadic

Koadic can download files off the target system to send back to the server.[81][82]
S0356 KONNI

KONNI has stored collected information and discovered processes in a tmp file.[83]
G0032 Lazarus Group

Lazarus Group has collected data and files from compromised networks.[84][85][86][87][46][88]
S0395 LightNeuron

LightNeuron can collect files from a local system.[89]
S0211 Linfo

Linfo creates a backdoor through which remote attackers can obtain data from local systems.[90]
S0409 Machete

Machete searches the File system for files of interest.[91]

S0652 MarkiRAT

MarkiRAT can upload data from the victim's machine to the C2 server.[92]
S0500 MCMD

MCMD has the ability to upload files from an infected device.[93]
G0045 menuPass

menuPass has collected various files from the compromised computers.[94][95]
S0079 MobileOrder

MobileOrder exfiltrates data collected from the victim mobile device.[96]
S0630 Nebulae

Nebulae has the capability to upload collected files to C2.[97]
S0691 Neoichor

Neoichor can upload files from a victim's machine.[77]
S0385 njRAT

njRAT can collect data from a local system.[98]
S0340 Octopus

Octopus can exfiltrate files from the system using a documents collector tool.[99]
G0116 Operation Wocao

Operation Wocao has exfiltrated files and directories of interest from the targeted system.[100]
S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.[101]
S0594 Out1

Out1 can copy files and Registry data from compromised hosts.[102]
S0598 P.A.S. Webshell

P.A.S. Webshell has the ability to copy files on a compromised host.[103]
S0208 Pasam

Pasam creates a backdoor through which remote attackers can retrieve files.[104]
G0040 Patchwork

Patchwork collected and exfiltrated files from the infected system.[105]
S0517 Pillowmint

Pillowmint has collected credit card data using native API functions.[106]
S0048 PinchDuke

PinchDuke collects user files from the compromised host based on predefined file extensions.[107]
S0012 PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can steal system information.[108]
S0194 PowerSploit

PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.[109][110]
S0223 POWERSTATS

POWERSTATS can upload files from compromised hosts.[111]
S0238 Proxysvc

Proxysvc searches the local system and gathers data.[112]
S0197 PUNCHTRACK

PUNCHTRACK scrapes memory for properly formatted payment card data.[113][114]
S0650 QakBot

QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.[115][116]
S0686 QuietSieve

QuietSieve can collect files from a compromised host.[117]
S0629 RainyDay

RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.[97]
S0458 Ramsay

Ramsay can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.[118][119]

S0169 RawPOS

RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.[120][121][122]
S0662 RCSession

RCSession can collect data from a compromised host.[123][35]
S0240 ROKRAT

ROKRAT can collect host data and specific file types.[124][125][126]
S0090 Rover

Rover searches for files on local drives based on a predefined list of file extensions.[127]
G0034 Sandworm Team

Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.[128]
S0461 SDBbot

SDBbot has the ability to access the file system on a compromised host.[129]
S0444 ShimRat

ShimRat has the capability to upload collected files to a C2.[130]

S0610 SideTwist

SideTwist has the ability to upload files from a compromised host.[131]
S0533 SLOTHFULMEDIA

SLOTHFULMEDIA has uploaded files and information from victim machines.[132]
S0615 SombRAT

SombRAT has collected data and files from a compromised host.[133][134]
S0646 SpicyOmelette

SpicyOmelette has collected data and other information from a compromised host.[135]
G0038 Stealth Falcon

Stealth Falcon malware gathers data from the local victim system.[136]
S0559 SUNBURST

SUNBURST collected information from a compromised host.[137][138]
S0011 Taidoor

Taidoor can upload data and files from a victim's machine.[139]
S0467 TajMahal

TajMahal has the ability to steal documents from the local system including the print spooler queue.[140]
G0027 Threat Group-3390

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[141]
S0665 ThreatNeedle

ThreatNeedle can collect data and files from a compromised host.[87]
S0668 TinyTurla

TinyTurla can upload files from a compromised host.[142]
S0671 Tomiris

Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.[143]
S0266 TrickBot

TrickBot collects local files and information from the victim’s local machine.[144]
G0010 Turla

Turla RPC backdoors can upload files from victim machines.[145]
S0386 Ursnif

Ursnif has collected files from victim machines, including certificates and cookies.[146]
S0452 USBferry

USBferry can collect information from an air-gapped host machine.[147]

S0670 WarzoneRAT

WarzoneRAT can collect data from a compromised host.[148]
S0515 WellMail

WellMail can exfiltrate files from the victim machine.[149]
S0514 WellMess

WellMess can send files from the victim machine to C2.[150][151]
S0645 Wevtutil

Wevtutil can be used to export events from a specific log.[152][153]
G0124 Windigo

Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.[154]
S0653 xCaon

xCaon has uploaded files from victims' machines.[27]
S0658 XCSSET

XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.[155]
S0248 yty

yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.[156]
S0672 Zox

Zox has the ability to upload files from a targeted system.[16]
S0412 ZxShell

ZxShell can transfer files from a compromised host.[157]

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0009 Process OS API Execution
Process Creation
DS0012 Script Script Execution

Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, Network Device CLI commands may also be used to collect files such as configuration files with built-in features native to the network device platform.[158][159] Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.
  2. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  3. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  4. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  5. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  6. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  7. Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020.
  8. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  9. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  10. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  11. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  12. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  13. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  14. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  15. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  16. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  17. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  18. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  19. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  20. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  21. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  22. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  23. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  24. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  25. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  26. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  27. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  28. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  29. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  30. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  31. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  32. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  33. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  34. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  35. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  36. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  37. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  38. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  39. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  40. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  41. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  42. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  43. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  44. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  45. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  46. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  47. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  48. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  49. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  50. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  51. Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021.
  52. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  53. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  54. Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.
  55. Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.
  56. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  57. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  58. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  59. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  60. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  61. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
  62. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  63. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  64. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  65. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  66. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  67. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  68. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  69. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  70. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  71. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  72. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  73. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  74. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  75. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  76. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  77. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  78. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  79. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  80. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  1. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  2. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  3. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  4. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  6. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  7. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  8. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  9. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  10. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  11. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  12. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  13. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  14. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  15. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  16. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  17. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  18. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  19. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  20. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  21. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  22. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  23. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  24. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  25. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  26. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  27. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  28. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  29. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  30. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  31. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  32. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  33. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  34. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  35. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  36. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  37. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  38. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  39. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  40. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  41. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  42. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  43. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  44. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  45. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  46. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  47. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  48. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  49. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  50. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  51. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  52. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  53. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  54. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  55. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  56. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  57. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  58. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  59. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  60. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  61. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  62. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  63. Kwiatkoswki, I and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
  64. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  65. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  66. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  67. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  68. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  69. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  70. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  71. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  72. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  73. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  74. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  75. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  76. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  77. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  78. Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.
  79. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.