File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.[1] Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information.[2]

ID: T1083
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: Linux, Network, Windows, macOS
System Requirements: Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls
CAPEC ID: CAPEC-127, CAPEC-497
Contributors: Austin Clark, @c2defense
Version: 1.4
Created: 31 May 2017
Last Modified: 20 April 2022

Procedure Examples

ID Name Description
S0066 3PARA RAT

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[3]

S0065 4H RAT

4H RAT has the capability to obtain file and directory listings.[3]

G0018 admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories:[4]

dir c:\ >> %temp%\download
dir "c:\Documents and Settings" >> %temp%\download
dir "c:\Program Files\" >> %temp%\download
dir d:\ >> %temp%\download

S0045 ADVSTORESHELL

ADVSTORESHELL can list files and directories.[5][6]

S0622 AppleSeed

AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.[7]

G0026 APT18

APT18 can list file information for specific directories.[8]

G0007 APT28

APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.[9][10]

G0016 APT29

APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[11]

G0022 APT3

APT3 has a tool that looks for files and directories on the local file system.[12][13]

G0050 APT32

APT32's backdoor possesses the capability to list files and directories on a machine.[14]

G0082 APT38

APT38 has enumerated files and directories, or searched in specific locations within a compromised host.[15]

G0087 APT39

APT39 has used tools with the ability to search for files on a compromised host.[16]

G0096 APT41

APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.[17]

S0456 Aria-body

Aria-body has the ability to gather metadata from a file and to search for file and directory names.[18]

S0438 Attor

Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.[19]

S0347 AuditCred

AuditCred can search through folders and files on the system.[20]

S0129 AutoIt backdoor

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[21]

S0640 Avaddon

Avaddon has searched for specific files prior to encryption.[22]

S0473 Avenger

Avenger has the ability to browse files in directories such as Program Files and the Desktop.[23]

S0344 Azorult

Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.[24]

S0638 Babuk

Babuk has the ability to enumerate files on a targeted system.[25][26]

S0414 BabyShark

BabyShark has used dir to search for "programfiles" and "appdata".[27]

S0475 BackConfig

BackConfig has the ability to identify folders and files related to previous infections.[28]

S0093 Backdoor.Oldrea

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[29]

S0031 BACKSPACE

BACKSPACE allows adversaries to search for files.[30]

S0642 BADFLICK

BADFLICK has searched for files on the infected host.[31]

S0128 BADNEWS

BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.[32]

S0337 BadPatch

BadPatch searches for files with specific file extensions.[33]

S0234 Bandook

Bandook has a command to list files on a system.[34]

S0239 Bankshot

Bankshot searches for files on the victim's machine.[35]

S0534 Bazar

Bazar can enumerate the victim's desktop.[36][37]

S0127 BBSRAT

BBSRAT can list file and directory information.[38]

S0268 Bisonal

Bisonal can retrieve a file listing from the system.[39][40]

S0069 BLACKCOFFEE

BLACKCOFFEE has the capability to enumerate files.[41]

S0089 BlackEnergy

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.[42][43]

S0564 BlackMould

BlackMould has the ability to find files on the targeted system.[44]

S0520 BLINDINGCAN

BLINDINGCAN can search, read, write, move, and execute files.[45][46]

S0657 BLUELIGHT

BLUELIGHT can enumerate files and collect associated metadata.[47]

S0635 BoomBox

BoomBox can search for specific files and directories on a machine.[48]

S0651 BoxCaon

BoxCaon has searched for files on the system, such as documents located in the desktop folder.[49]

S0252 Brave Prince

Brave Prince gathers file and directory information from the victim’s machine.[50]

G0060 BRONZE BUTLER

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[51]

S0693 CaddyWiper

CaddyWiper can enumerate all files and directories on a compromised host.[52]

S0351 Cannon

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[53]

S0348 Cardinal RAT

Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).[54]

S0572 Caterpillar WebShell

Caterpillar WebShell can search for files in directories.[55]

S0674 CharmPower

CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.[56]

S0144 ChChes

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[57]

G0114 Chimera

Chimera has utilized multiple commands to identify data of interest in file and directory listings.[58]

S0020 China Chopper

China Chopper's server component can list directory contents.[59]

S0023 CHOPSTICK

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[5]

S0660 Clambling

Clambling can browse directories on a compromised host.[60][61]

S0611 Clop

Clop has searched folders and subfolders for files to encrypt.[62]

S0106 cmd

cmd can be used to find files and directories with native functionality such as dir commands.[63]

S0154 Cobalt Strike

Cobalt Strike can explore files on a compromised system.[64]

G0142 Confucius

Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.[65]

S0575 Conti

Conti can discover files on a local system.[66]

S0492 CookieMiner

CookieMiner has looked for files in the user's home directory with "wallet" in their name using find.[67]

S0212 CORALDECK

CORALDECK searches for specified files.[68]

S0050 CosmicDuke

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[69]

S0488 CrackMapExec

CrackMapExec can discover specified filetypes and log files on a targeted system.[70]

S0115 Crimson

Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[71][72]

S0235 CrossRAT

CrossRAT can list all files on a system.

S0498 Cryptoistic

Cryptoistic can scan a directory to identify files for deletion.[73]

S0625 Cuba

Cuba can enumerate files by using a variety of functions.[74]

S0687 Cyclops Blink

Cyclops Blink can use the Linux API statvfs to enumerate the current working directory.[75][76]

S0497 Dacls

Dacls can scan directories on a compromised host.[77]

G0070 Dark Caracal

Dark Caracal collected file listings of all default Windows directories.[78]

G0012 Darkhotel

Darkhotel has used malware that searched for files with specific patterns.[79]

S0673 DarkWatchman

DarkWatchman has the ability to enumerate file and folder names.[80]

S0255 DDKONG

DDKONG lists files on the victim’s machine.[81]

S0616 DEATHRANSOM

DEATHRANSOM can use loop operations to enumerate directories on a compromised host.[82]

S0354 Denis

Denis has several commands to search directories for files.[83][84]

S0021 Derusbi

Derusbi is capable of obtaining directory, file, and drive listings.[85][59]

S0659 Diavol

Diavol has a command to traverse the files and directories in a given path.[86]

S0600 Doki

Doki has resolved the path of a process PID to use as a script argument.[87]

S0472 down_new

down_new has the ability to list the directories on a compromised host.[23]

G0035 Dragonfly

Dragonfly has used a batch script to gather folder and file names from victim hosts.[88][89][90]

S0547 DropBook

DropBook can collect the names of all files and folders in the Program Files directories.[91][92]

S0567 Dtrack

Dtrack can list files on available disk volumes.[93][94]

G0031 Dust Storm

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.[95]

S0062 DustySky

DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.[96][97]

S0377 Ebury

Ebury can list directory entries.[98]

S0081 Elise

A variant of Elise executes dir C:\progra~1 when initially run.[99][100]

S0064 ELMER

ELMER is capable of performing directory listings.[101]

S0363 Empire

Empire includes various modules for finding files of interest on hosts and network shares.[102]

S0091 Epic

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.[103][104]

S0181 FALLCHILL

FALLCHILL can search files on a victim.[105]

S0512 FatDuke

FatDuke can enumerate directories on target machines.[106]

S0182 FinFisher

FinFisher enumerates directories and scans for certain files.[107][108]

S0618 FIVEHANDS

FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.[109][110]

S0036 FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.[30]

S0661 FoggyWeb

FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.[111]

S0193 Forfiles

Forfiles can be used to locate certain types of files/directories in a system (e.g., locate all files with a specific extension, name, and/or age).[9]

G0117 Fox Kitten

Fox Kitten has used WizTree to obtain network files and directory listings.[112]

S0277 FruitFly

FruitFly looks for specific files and file types.[113]

S0628 FYAnti

FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.[114]

S0410 Fysbis

Fysbis has the ability to search for files.[115]

G0047 Gamaredon Group

Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.[116][117]

S0666 Gelsemium

Gelsemium can retrieve specific Windows directories.[118]

S0049 GeminiDuke

GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.[119]

S0249 Gold Dragon

Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.[50]

S0493 GoldenSpy

GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.[120]

S0237 GravityRAT

GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[121]

S0632 GrimAgent

GrimAgent has the ability to enumerate files and directories on a compromised host.[122]

S0697 HermeticWiper

HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.[123][124]

G0072 Honeybee

Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.[125]

S0376 HOPLIGHT

HOPLIGHT has been observed enumerating system drives and partitions.[126]

S0431 HotCroissant

HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.[127]

S0070 HTTPBrowser

HTTPBrowser is capable of listing files, folders, and drives on a victim.[128][129]

S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.[130][131]

S0434 Imminent Monitor

Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.[132]

G0100 Inception

Inception used a file listing plugin to collect information about files and directories on both local and remote drives.[133]

S0604 Industroyer

Industroyer’s data wiper component enumerates specific files on all the Windows drives.[134]

S0259 InnaputRAT

InnaputRAT enumerates directories and obtains file attributes on a system.[135]

S0260 InvisiMole

InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.[136]

S0015 Ixeshe

Ixeshe can list file and directory information.[137]

S0201 JPIN

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[138]

S0283 jRAT

jRAT can browse file systems.[139][140]

S0088 Kasidet

Kasidet has the ability to search for a given filename on a victim.[141]

S0265 Kazuar

Kazuar finds a specified directory and lists the files and metadata about those files.[142]

G0004 Ke3chang

Ke3chang uses command-line interaction to search files and directories.[143][144]

S0387 KeyBoy

KeyBoy has a command to launch a file browser or explorer on the system.[145]

S0271 KEYMARBLE

KEYMARBLE has a command to search for files on the victim’s machine.[146]

S0526 KGH_SPY

KGH_SPY can enumerate files and directories on a compromised host.[147]

S0607 KillDisk

KillDisk has used the FindNextFile command as part of its file deletion process.[148]

G0094 Kimsuky

Kimsuky has the ability to enumerate all files and directories on an infected system.[149][150][151]

S0599 Kinsing

Kinsing has used the find command to search for specific files.[152]

S0437 Kivars

Kivars has the ability to list drives on the infected host.[153]

S0250 Koadic

Koadic can obtain a list of directories.[154]

S0356 KONNI

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.[155]

S0236 Kwampirs

Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP[RANDOM].tmp".[156]

G0032 Lazarus Group

Lazarus Group has conducted word searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[157][158][159][160][161]

G0077 Leafminer

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[162]

S0211 Linfo

Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.[163]

S0447 Lokibot

Lokibot can search for specific files on an infected host.[164]

S0582 LookBack

LookBack can retrieve file listings from the victim machine.[165]

S0409 Machete

Machete produces file listings in order to search for files to be exfiltrated.[166][167][168]

G0059 Magic Hound

Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.[169]

S0652 MarkiRAT

MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.[170]

S0576 MegaCortex

MegaCortex can parse the available drives and directories to determine which files to encrypt.[171]

G0045 menuPass

menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.[172]

S0443 MESSAGETAP

MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.[173]

S0455 Metamorfo

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[174][175][176]

S0339 Micropsia

Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.[177]

S0051 MiniDuke

MiniDuke can enumerate local drives.[106]

S0083 Misdat

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[95]

S0079 MobileOrder

MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.[178]

S0149 MoonWind

MoonWind has a command to return a directory listing for a specified directory.[179]

G0069 MuddyWater

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[180]

G0129 Mustang Panda

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[181]

S0272 NDiskMonitor

NDiskMonitor can obtain a list of all files and directories as well as logical drives.[32]

S0630 Nebulae

Nebulae can list files and directories on a compromised host.[182]

S0034 NETEAGLE

NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.[30]

S0198 NETWIRE

NETWIRE has the ability to search for files on the compromised host.[183]

S0385 njRAT

njRAT can browse file systems using a file manager module.[184]

S0368 NotPetya

NotPetya searches for files ending with dozens of different file extensions prior to encryption.[185]

S0644 ObliqueRAT

ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.[186]

S0346 OceanSalt

OceanSalt can extract drive information from the endpoint and search files on the system.[187]

S0340 Octopus

Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.[188][189][190]

S0439 Okrum

Okrum has used DriveLetterView to enumerate drive information.[191]

G0116 Operation Wocao

Operation Wocao has gathered a recursive directory listing to find files and directories of interest.[192]

S0229 Orz

Orz can gather victim drive information.[193]

S0402 OSX/Shlayer

OSX/Shlayer uses the command appDir="$(dirname $(dirname "$currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.[194][195]

S0072 OwaAuth

OwaAuth has a command to list its directory and logical drives.[128]

S0598 P.A.S. Webshell

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[196]

S0208 Pasam

Pasam creates a backdoor through which remote attackers can retrieve lists of files.[197]

G0040 Patchwork

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[198][32]

S0587 Penquin

Penquin can use the command code do_vslist to send file names, size, and status to C2.[199]

S0643 Peppy

Peppy can identify specific files for exfiltration.[71]

S0048 PinchDuke

PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[119]

S0124 Pisloader

Pisloader has commands to list drives on the victim machine and to list file information for a given directory.[200]

S0435 PLEAD

PLEAD has the ability to list drives and files on the compromised host.[153][201]

S0013 PlugX

PlugX has a module to enumerate drives and find files recursively.[202][203]

S0428 PoetRAT

PoetRAT has the ability to list files upon receiving the ls command from C2.[204]

S0216 POORAIM

POORAIM can conduct file browsing.[68]

S0378 PoshC2

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[205]

S0139 PowerDuke

PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[206]

S0184 POWRUNER

POWRUNER may enumerate user directories on a victim.[207]

S0113 Prikormka

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.[208]

S0238 Proxysvc

Proxysvc lists files in directories.[158]

S0078 Psylo

Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.[178]

S0147 Pteranodon

Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created.[209]

S0192 Pupy

Pupy can walk through directories and recursively search for strings in files.[210]

S0650 QakBot

QakBot can identify whether it has been run previously on a host by checking for a specified folder.[211]

S0686 QuietSieve

QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.[212]

S0629 RainyDay

RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.[182]

S0458 Ramsay

Ramsay can collect directory and file lists.[213][214]

S0055 RARSTONE

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[215]

S0153 RedLeaves

RedLeaves can enumerate and search for files and directories.[216][57]

S0332 Remcos

Remcos can search for files on the infected machine.[217]

S0375 Remexi

Remexi searches for files on the system.[218]

S0592 RemoteUtilities

RemoteUtilities can enumerate files and directories on a target machine.[219]

S0125 Remsec

Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.[220][221][222]

S0496 REvil

REvil has the ability to identify specific files and directories that are not to be encrypted.[223][224][225][226][227][228]

S0448 Rising Sun

Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[229]

S0240 ROKRAT

ROKRAT has the ability to gather a list of files and directories on the infected system.[230][231][232]

S0090 Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions.[233]

S0148 RTM

RTM can check for specific files and directories associated with virtualization and malware analysis.[234]

S0446 Ryuk

Ryuk has enumerated files and folders on all mounted drives.[235]

G0034 Sandworm Team

Sandworm Team has enumerated files on a compromised host.[185][236]

S0461 SDBbot

SDBbot has the ability to get directory listings or drive information on a compromised host.[237]

S0345 Seasalt

Seasalt has the capability to identify the drive type on a victim.[187]

S0444 ShimRat

ShimRat can list directories.[238]

S0063 SHOTPUT

SHOTPUT has a command to obtain a directory listing.[239]

S0610 SideTwist

SideTwist has the ability to search for specific files.[240]

G0121 Sidewinder

Sidewinder has used malware to collect information on files and directories.[241]

S0692 SILENTTRINITY

SILENTTRINITY has several modules, such as ls.py, pwd.py, and recentFiles.py, to enumerate directories and files.[242]

S0623 Siloscape

Siloscape searches for the Kubernetes config file and other related files using a regular expression.[243]

S0468 Skidmap

Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process.[244]

S0633 Sliver

Sliver can enumerate files on a target system.[245]

S0533 SLOTHFULMEDIA

SLOTHFULMEDIA can enumerate files and directories.[246]

S0226 Smoke Loader

Smoke Loader recursively searches through directories for files.[247]

S0615 SombRAT

SombRAT can execute enum to enumerate files in storage on a compromised system.[248]

S0516 SoreFang

SoreFang has the ability to list directories.[249]

S0157 SOUNDBITE

SOUNDBITE is capable of enumerating and manipulating files and directories.[250]

G0054 Sowbug

Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[251]

S0035 SPACESHIP

SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[30]

S0142 StreamEx

StreamEx has the ability to enumerate drive types.[252]

S0491 StrongPity

StrongPity can parse the hard drive on a compromised host to identify specific file extensions.[253]

S0603 Stuxnet

Stuxnet uses a driver to scan for specific filesystem driver objects.[254]

S0559 SUNBURST

SUNBURST had commands to enumerate files and directories.[255][256]

S0562 SUNSPOT

SUNSPOT enumerated the Orion software Visual Studio solution directory path.[257]

S0242 SynAck

SynAck checks its directory location in an attempt to avoid launching in a sandbox.[258][259]

S0663 SysUpdate

SysUpdate can search files on a compromised host.[260]

S0011 Taidoor

Taidoor can search for specific files.[261]

S0586 TAINTEDSCRIBE

TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.[262]

S0467 TajMahal

TajMahal has the ability to index files from drives, user profiles, and removable drives.[263]

S0665 ThreatNeedle

ThreatNeedle can obtain file and directory information.[264]

S0131 TINYTYPHON

TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.[21]

S0266 TrickBot

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[265][266]

S0094 Trojan.Karagany

Trojan.Karagany can enumerate files and directories on a compromised host.[267]

G0081 Tropic Trooper

Tropic Trooper has monitored files' modified time.[268]

S0436 TSCookie

TSCookie has the ability to discover drive information on the infected host.[269]

S0647 Turian

Turian can search for specific files and list directories.[270]

G0010 Turla

Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.[103][271] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.[272]

S0263 TYPEFRAME

TYPEFRAME can search directories for files on the victim’s machine.[273]

S0275 UPPERCUT

UPPERCUT has the capability to gather the victim's current directory.[274]

S0452 USBferry

USBferry can detect the victim's file or folder list.[268]

S0136 USBStealer

USBStealer searches victim drives for files matching certain extensions (".skr", ".pkr" or ".key") or names.[275][276]

S0180 Volgmer

Volgmer can list directories on a victim.[277]

S0366 WannaCry

WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.[278][279]

S0670 WarzoneRAT

WarzoneRAT can enumerate directories on a compromised host.[280]

S0612 WastedLocker

WastedLocker can enumerate files and directories just prior to encryption.[281]

S0689 WhisperGate

WhisperGate can locate files based on hardcoded file extensions.[282][283][284][285]

G0124 Windigo

Windigo has used a script to check for the presence of files created by OpenSSH backdoors.[286]

S0466 WindTail

WindTail has the ability to enumerate the user's home directory and the path to its own application bundle.[287][288]

S0219 WINERACK

WINERACK can enumerate files and directories.[68]

S0059 WinMM

WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.[289]

S0141 Winnti for Windows

Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.[290]

G0044 Winnti Group

Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.[291]

S0161 XAgentOSX

XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.[292] XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.[292]

S0248 yty

yty gathers information on victim’s drives and has a plugin for document listing.[293]

S0251 Zebrocy

Zebrocy searches for files that are 60 MB or less and have the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.[294][295][296] Zebrocy can obtain the current execution path as well as perform drive enumeration.[297][298]

S0330 Zeus Panda

Zeus Panda searches for specific directories on the victim’s machine.[299]

S0086 ZLib

ZLib has the ability to enumerate files and drives.[95]

S0672 Zox

Zox can enumerate files on a compromised host.[300]

S0350 zwShell

zwShell can browse the file system.[301]

S0412 ZxShell

ZxShell has a command to open a file manager and explorer on the system.[302]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution
DS0009 Process Process Creation

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Further, Network Device CLI commands may also be used to gather file and directory information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations.
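
One way to apply this guidance, as an added example that is not part of the ATT&CK page: the Python below classifies process-creation command lines against the utilities this page names and alerts on bursts per host and user rather than on single events. The log line format, the five-minute window, the scoring, and the host and user names are assumptions; the `dir ... >> %temp%\download` lines reuse the admin@338 commands quoted in the procedure examples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities this page names as common file/directory enumeration tools.
DISCOVERY_UTILS = {"dir", "tree", "ls", "find", "locate"}

# "cmd.exe /c <command>" or "sh -c <command>", optionally with a leading path.
SHELL_WRAPPER = re.compile(
    r"^(?:\S*[\\/])?(cmd(?:\.exe)?\s+/c|(?:ba)?sh\s+-c)\s+(.*)$", re.I)
# Output redirected to a file; ignores fd redirects such as 2>/dev/null or 2>&1.
REDIRECT = re.compile(r"(?<![0-9&])>>?\s*[^&\s>]")
# Assumed log format: "<UTC timestamp> host=<h> user=<u> cmd=<command line>".
EVENT = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r'2022-04-20T10:00:01Z host=WS01 user=svc_web cmd=cmd.exe /c dir c:\ >> %temp%\download',
    r'2022-04-20T10:00:03Z host=WS01 user=svc_web cmd=cmd.exe /c dir "c:\Documents and Settings" >> %temp%\download',
    r'2022-04-20T10:00:05Z host=WS01 user=svc_web cmd=cmd.exe /c dir d:\ >> %temp%\download',
    r'2022-04-20T10:01:00Z host=WS02 user=bob cmd=cmd.exe /c dir c:\projects',
    r'2022-04-20T10:30:00Z host=WS02 user=bob cmd=cmd.exe /c find "error" build.log',
    r'2022-04-20T11:00:00Z host=LNX01 user=carol cmd=/bin/sh -c "ls -la /home"',
    r'2022-04-20T11:20:00Z host=LNX01 user=carol cmd=ls /tmp',
]


def classify(cmdline):
    """Return (utility, redirected) for a discovery command, else (None, False)."""
    m = SHELL_WRAPPER.match(cmdline.strip())
    inner = (m.group(2) if m else cmdline).strip().strip("\"'")
    if not inner:
        return None, False
    token = re.split(r"[\\/]", inner.split()[0])[-1].lower()
    windows = bool(m and m.group(1).lower().startswith("cmd")) or token.endswith(".exe")
    util = token[:-4] if token.endswith(".exe") else token
    # Windows find.exe filters text; only the Unix find walks the file system.
    if util not in DISCOVERY_UTILS or (util == "find" and windows):
        return None, False
    return util, bool(REDIRECT.search(inner))


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = EVENT.match(line)
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    util, redirected = classify(cmd)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "utility": util, "redirected": redirected}


def detect(lines, window=timedelta(minutes=5), threshold=3):
    """Alert on bursts of enumeration per (host, user), not on single commands.

    Each discovery command scores 1, plus 1 if its output is redirected to a
    file (listings staged for later collection). A burst alerts when the score
    of all events within `window` of its first event reaches `threshold`.
    """
    per_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["utility"]:
            per_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in sorted(per_actor.items()):
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            burst = [e for e in evs[i:] if e["time"] - evs[i]["time"] <= window]
            score = sum(1 + e["redirected"] for e in burst)
            if score >= threshold:
                alerts.append({"host": host, "user": user,
                               "start": burst[0]["time"], "end": burst[-1]["time"],
                               "commands": len(burst), "score": score,
                               "utilities": sorted({e["utility"] for e in burst})})
                i += len(burst)   # one alert per burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
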

References

  1. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  2. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  3. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  4. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  5. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  6. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  7. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  8. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  9. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  10. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  11. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  12. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  13. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  14. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  15. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  16. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  17. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  18. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  19. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  20. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  21. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  22. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  23. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  24. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  25. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  26. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  27. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  28. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  29. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  30. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  31. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  32. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  33. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  34. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  35. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  36. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  37. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  38. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  39. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  40. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  41. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  42. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  43. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  44. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  45. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  46. NHS Digital. (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.
  47. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  48. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  49. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  50. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  51. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  52. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper. Retrieved April 11, 2022.
  53. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  54. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  55. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  56. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  57. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  58. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  59. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  60. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  61. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  62. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  63. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  64. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  65. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
  66. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  67. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  68. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  69. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  70. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  71. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  72. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  73. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  74. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  75. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  76. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  77. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  78. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  79. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021.
  80. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  81. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  82. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  83. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  84. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  85. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  86. Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  87. Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  88. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  89. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  90. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  91. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  92. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  93. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  94. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  95. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  96. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  97. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  98. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
  99. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  100. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  101. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  102. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  103. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  104. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  105. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  106. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  107. FinFisher. (n.d.). Retrieved December 20, 2017.
  108. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  109. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  110. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  111. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  112. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  113. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  114. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  115. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  116. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  117. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  118. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  119. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  120. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  121. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  122. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  123. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  124. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  125. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  126. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  127. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  128. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  129. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  130. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  131. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  132. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  133. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  134. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  135. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  136. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  137. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  138. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  139. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  140. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  141. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  142. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  143. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  144. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  145. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  146. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  147. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  148. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
  149. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  150. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  151. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  1. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  2. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  3. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  4. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  5. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  6. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  7. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  8. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  9. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  10. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  11. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  12. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  13. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  14. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  15. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  16. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  17. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  18. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  19. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  20. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  21. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  22. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  23. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  24. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  25. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  26. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  27. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  28. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  29. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  30. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  31. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  32. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  33. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  34. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  35. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  36. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  37. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  38. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  39. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  40. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  41. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  42. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  43. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  44. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  45. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  46. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  47. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  48. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  49. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  50. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  51. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  52. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  53. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  54. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  55. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  56. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  57. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  58. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  59. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  60. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  61. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  62. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  63. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  64. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  65. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  66. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  67. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  68. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  69. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  70. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  71. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  72. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  73. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  74. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  75. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  76. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  77. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  78. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  79. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  80. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  81. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  82. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  83. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  84. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  85. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  86. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  87. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  88. Falcone, R. and Wartell, R. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  89. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  90. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  91. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  92. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  93. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  94. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
  95. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  96. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  97. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  98. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  99. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  100. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  101. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  102. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  103. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  104. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  105. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  106. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  107. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  108. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  109. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  110. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  111. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  112. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  113. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  114. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  115. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  116. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  117. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  118. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  119. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  120. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  121. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  122. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  123. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  124. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  125. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  126. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  127. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  128. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  129. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  130. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  131. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  132. Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  133. Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  134. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  135. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  136. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  137. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  138. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  139. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  140. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  141. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  142. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  143. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  144. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  145. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  146. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  147. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  148. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  149. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  150. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  151. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.