S1193 TAMECAT
TAMECAT is malware used by APT42 to execute PowerShell or C# content. [1]
| Item | Value |
|---|---|
| ID | S1193 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 08 January 2025 |
| Last Modified | 08 January 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | TAMECAT has used HTTP for C2 communications. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | TAMECAT has used PowerShell to download and run additional content. [1] |
| enterprise | T1059.003 | Windows Command Shell | TAMECAT has used cmd.exe to run the curl command. [1] |
| enterprise | T1059.005 | Visual Basic | TAMECAT has used VBScript to query anti-virus products. [1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | TAMECAT has encoded C2 traffic with Base64. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | TAMECAT has used AES to encrypt C2 traffic. [1] |
| enterprise | T1105 | Ingress Tool Transfer | TAMECAT has used wget and curl to download additional content. [1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | TAMECAT has used Windows Management Instrumentation (WMI) to check for anti-virus products. [1] |
| enterprise | T1047 | Windows Management Instrumentation | TAMECAT has used Windows Management Instrumentation (WMI) to query anti-virus products. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1044 | APT42 | 1 |