1. Home
  2. Techniques
  3. Enterprise
  4. Modify Registry

Modify Registry

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. [1] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. [2] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. [3] [4]

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. [5] Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

ID: T1112
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator, SYSTEM, User
Defense Bypassed: Host forensic analysis
CAPEC ID: CAPEC-203
Contributors: Bartosz Jerzman; David Lu, Tripwire; Travis Smith, Tripwire
Version: 1.2
Created: 31 May 2017
Last Modified: 13 August 2020

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can modify registry keys as part of setting a new pass-through authentication agent.[6]
S0045 ADVSTORESHELL

ADVSTORESHELL is capable of setting and deleting Registry values.[7]
S0331 Agent Tesla

Agent Tesla can achieve persistence by modifying Registry key entries.[8]

G0073 APT19

APT19 uses a Port 22 malware variant to modify several Registry keys.[9]
G0050 APT32

APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. [10]

G0082 APT38

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[11]
G0096 APT41

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[12][13]
S0438 Attor

Attor's dispatcher can modify the Run registry key.[14]
S0640 Avaddon

Avaddon modifies several registry keys for persistence and UAC bypass.[15]
S0031 BACKSPACE

BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.[16]
S0245 BADCALL

BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileGloballyOpenPorts\List.[17]
S0239 Bankshot

Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.[18]
S0268 Bisonal

Bisonal has deleted Registry keys to clean up its prior activity.[19]

S0570 BitPaymer

BitPaymer can set values in the Registry to help in execution.[20]

G0108 Blue Mockingbird

Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.[21]

S0348 Cardinal RAT

Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.[22]
S0261 Catchamas

Catchamas creates three Registry keys to establish persistence by adding a Windows Service.[23]
S0572 Caterpillar WebShell

Caterpillar WebShell has a command to modify a Registry key.[24]
S0631 Chaes

Chaes stored its instructions in a config file in the Registry.[25]

S0674 CharmPower

CharmPower can remove persistence-related artifacts from the Registry.[26]
S0023 CHOPSTICK

CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.[27]
S0660 Clambling

Clambling can set and delete Registry keys.[28]
S0611 Clop

Clop can make modifications to Registry keys.[29]

S0154 Cobalt Strike

Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security\AccessVBOM\ to enable the execution of additional code.[30]
S0126 ComRAT

ComRAT has encrypted and stored its orchestrator code in the Registry as well as a PowerShell script into the WsqmCons Registry key.[31][32]

S0608 Conficker

Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.[33][34]
S0488 CrackMapExec

CrackMapExec can create a registry key using wdigest.[35]
S0115 Crimson

Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.[36]
S0527 CSPY Downloader

CSPY Downloader can write to the Registry under the %windir% variable to execute tasks.[37]
S0334 DarkComet

DarkComet adds a Registry value for its installation routine to the Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Enable LUA="0" and HKEY_CURRENT_USER\Software\DC3_FEXEC.[38][39]
S0673 DarkWatchman

DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.[40]
G0035 Dragonfly

Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.[41]
S0568 EVILNUM

EVILNUM can make modifications to the Regsitry for persistence.[42]
S0343 Exaramel for Windows

Exaramel for Windows adds the configuration to the Registry in XML format.[43]
S0569 Explosive

Explosive has a function to write itself to Registry values.[44]

S0267 FELIXROOT

FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.[45]
S0679 Ferocious

Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.[46]
G0061 FIN8

FIN8 has deleted Registry keys during post compromise cleanup activities.[47]
G0047 Gamaredon Group

Gamaredon Group has removed security settings for VBA macro execution by changing registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM.[48][49]
S0666 Gelsemium

Gelsemium has the ability to store its components in the Registry.[50]
S0032 gh0st RAT

gh0st RAT has altered the InstallTime subkey.[51]
G0078 Gorgon Group

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[52]
S0531 Grandoreiro

Grandoreiro can store its configuration in the Registry at HKCU\Software\ under frequently changing names including %USERNAME% and ToolTech-RM.[53]
S0342 GreyEnergy

GreyEnergy modifies conditions in the Registry and adds keys.[54]
S0697 HermeticWiper

HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.[55][56][57]
G0072 Honeybee

Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[58]
S0376 HOPLIGHT

HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.[59]

S0203 Hydraq

Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.[60][61]
S0537 HyperStack

HyperStack can add the name of its communication pipe to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes.[62]
S0260 InvisiMole

InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.[63][64]
S0271 KEYMARBLE

KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath.[65]
G0094 Kimsuky

Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.[66][67][68][69]
S0669 KOCTOPUS

KOCTOPUS has added and deleted keys from the Registry.[70]
S0356 KONNI

KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.[71][72]

S0397 LoJax

LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk to ‘autocheck autoche .[73]
S0447 Lokibot

Lokibot has modified the Registry as part of its UAC bypass process.[74]

S0576 MegaCortex

MegaCortex has added entries to the Registry for ransom contact information.[75]
S0455 Metamorfo

Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.[76][77][78][79]
S0256 Mosquito

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname] and modifies Registry keys under HKCR\CLSID...\InprocServer32with a path to the launcher.[80]
S0205 Naid

Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.[81]
S0336 NanoCore

NanoCore has the capability to edit the Registry.[82][83]
S0691 Neoichor

Neoichor has the ability to configure browser settings by modifying Registry entries under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer.[84]
S0210 Nerex

Nerex creates a Registry subkey that registers a new service.[85]
S0457 Netwalker

Netwalker can add the following registry entry: HKEY_CURRENT_USER\SOFTWARE{{8 random characters}}.[86]
S0198 NETWIRE

NETWIRE stores its configuration file within the Registry.[87]
S0385 njRAT

njRAT can create, delete, or modify a specified Registry key or value.[88][89]
G0116 Operation Wocao

Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1.[90]
S0229 Orz

Orz can perform Registry operations.[91]
S0664 Pandora

Pandora can write an encrypted token to the Registry to enable processing of remote commands.[92]
G0040 Patchwork

A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.[93]
S0158 PHOREAL

PHOREAL is capable of manipulating the Registry.[94]
S0517 Pillowmint

Pillowmint has stored its malicious payload in the registry key HKLM\SOFTWARE\Microsoft\DRM.[95]
S0501 PipeMon

PipeMon has stored its encrypted payload in the Registry.[96]
S0254 PLAINTEE

PLAINTEE uses reg add to add a Registry Run key for persistence.[97]
S0013 PlugX

PlugX has a module to create, delete, or modify Registry keys.[98]
S0428 PoetRAT

PoetRAT has made registry modifications to alter its behavior upon execution.[99]
S0012 PoisonIvy

PoisonIvy creates a Registry subkey that registers a new system device.[100]
S0518 PolyglotDuke

PolyglotDuke can write encrypted JSON configuration files to the Registry.[101]
S0441 PowerShower

PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.[102]
S0583 Pysa

Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.[103]

S0650 QakBot

QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[104][105]
S0269 QUADAGENT

QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.[106]
S0262 QuasarRAT

QuasarRAT has a command to edit the Registry on the victim’s machine.[107]
S0662 RCSession

RCSession can write its configuration file to the Registry.[28][108]
S0075 Reg

Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.[1]
S0511 RegDuke

RegDuke can store its encryption key in the Registry.[101]
S0019 Regin

Regin appears to have functionality to modify remote Registry information.[109]
S0332 Remcos

Remcos has full control of the Registry, including the ability to modify it.[110]
S0496 REvil

REvil can save encryption parameters and system information to the Registry.[111][112][113][114][115]
S0240 ROKRAT

ROKRAT can modify the HKEY_CURRENT_USER\Software\Microsoft\Office\ registry key so it can bypass the VB object model (VBOM) on a compromised host.[116]
S0090 Rover

Rover has functionality to remove Registry Run key persistence as a cleanup procedure.[117]
S0148 RTM

RTM can delete all Registry entries created during its execution.[118]
S0596 ShadowPad

ShadowPad maintains a configuration block and virtual file system in the Registry.[119]
S0140 Shamoon

Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.[120][121][122]
S0444 ShimRat

ShimRat has registered two registry keys for shim databases.[123]
S0589 Sibot

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.[124]
G0091 Silence

Silence can create, delete, or modify a specified Registry key or value.[125]
S0692 SILENTTRINITY

SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).[126]
S0533 SLOTHFULMEDIA

SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry.[127]
S0649 SMOKEDHAM

SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.[128]
S0157 SOUNDBITE

SOUNDBITE is capable of modifying the Registry.[94]
S0142 StreamEx

StreamEx has the ability to modify the Registry.[129]
S0603 Stuxnet

Stuxnet can create registry keys to load driver files.[130]
S0559 SUNBURST

SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\[service_name]\Start registry entries to value 4.[131][132] It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.[133]
S0242 SynAck

SynAck can manipulate Registry keys.[134]
S0663 SysUpdate

SysUpdate can write its configuration file to Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[92]
S0011 Taidoor

Taidoor has the ability to modify the Registry on compromised hosts using RegDeleteValueA and RegCreateKeyExA.[135]
S0467 TajMahal

TajMahal can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers to enable document stealing.[136]
S0560 TEARDROP

TEARDROP modified the Registry to create a Windows service for itself on a compromised host.[137]
G0027 Threat Group-3390

A Threat Group-3390 tool has created new Registry keys under HKEY_CURRENT_USER\Software\Classes\ and HKLM\SYSTEM\CurrentControlSet\services.[138][92]
S0665 ThreatNeedle

ThreatNeedle can save its configuration data as the following RC4-encrypted Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.[139]
S0668 TinyTurla

TinyTurla can set its configuration parameters in the Registry.[140]
S0266 TrickBot

TrickBot can modify registry entries.[141]
G0010 Turla

Turla has used the Registry to store encrypted payloads.[142][143]
S0263 TYPEFRAME

TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[144]
S0386 Ursnif

Ursnif has used Registry modifications as part of its installation routine.[145][146]
S0476 Valak

Valak has the ability to modify the Registry key HKCU\Software\ApplicationContainer\Appsw64 to store information regarding the C2 server and downloads.[147][148][149]
S0180 Volgmer

Volgmer stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.[150][151]
S0670 WarzoneRAT

WarzoneRAT can create HKCU\Software\Classes\Folder\shell\open\command as a new registry key during privilege escalation.[152][153]

S0612 WastedLocker

WastedLocker can modify registry values within the Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry key.[154]
S0579 Waterbear

Waterbear has deleted certain values from the Registry to load a malicious DLL.[155]

G0102 Wizard Spider

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory.[156]
S0330 Zeus Panda

Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\ PhishingFilter\ to disable phishing filters.[157]
S0350 zwShell

zwShell can modify the Registry.[158]
S0412 ZxShell

ZxShell can create Registry entries to enable services to run.[159]

Mitigations

ID Mitigation Description
M1024 Restrict Registry Permissions

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution
Process Creation
DS0024 Windows Registry Windows Registry Key Creation
Windows Registry Key Deletion
Windows Registry Key Modification

Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). [160] Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.

Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. [2] Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns [4] and RegDelNull [161].

References

  1. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  2. Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
  3. Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
  4. Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
  5. Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
  6. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  7. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  8. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  9. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  10. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  11. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  12. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  13. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  14. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  15. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  16. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  17. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  18. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  19. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  20. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  21. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  22. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  23. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  24. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  25. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  26. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  27. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  28. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  29. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  30. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  31. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  32. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  33. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  34. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  35. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  36. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  37. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  38. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  39. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  40. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  41. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  42. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  43. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  44. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  45. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  46. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  47. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  48. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  49. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  50. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  51. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  52. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  53. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  54. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  55. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  56. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  57. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  58. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  59. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  60. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  61. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  62. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  63. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  64. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  65. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  66. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  67. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  68. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  69. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  70. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  71. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  72. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  73. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  74. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  75. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  76. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  77. Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  78. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  79. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  80. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  81. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  1. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  2. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  3. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  4. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  5. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  6. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  7. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  8. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  9. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  10. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  11. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  12. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  13. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  14. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  15. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  16. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  17. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  18. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  19. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  20. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  21. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  22. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  23. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  24. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  25. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  26. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  27. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  28. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  29. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  30. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  31. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  32. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  33. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  34. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  35. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  36. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  37. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  38. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  39. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  40. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  41. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.
  42. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  43. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  44. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  45. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  46. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  47. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  48. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  49. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  50. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  51. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  52. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  53. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  54. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  55. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  56. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  57. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  58. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  59. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  60. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  61. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  62. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  63. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  64. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  65. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  66. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  67. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  68. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  69. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  70. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  71. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  72. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  73. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  74. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  75. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  76. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  77. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  78. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  79. Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
  80. Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.