Skip to content

T1005 Data from Local System

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.1 Adversaries may also use Automated Collection on the local system.

Item Value
ID T1005
Sub-techniques
Tactics TA0009
Platforms ESXi, Linux, Network Devices, Windows, macOS
Version 1.8
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1028 Action RAT Action RAT can collect local data from an infected machine.108
G1030 Agrius Agrius gathered data from database and other critical servers in victim environments, then used wiping mechanisms as an anti-analysis and anti-forensics mechanism.203
S1025 Amadey Amadey can collect information from a compromised host.52
G0138 Andariel Andariel has collected large numbers of files from compromised network systems for later extraction.192
S0622 AppleSeed AppleSeed can collect data on a compromised host.9192
G0006 APT1 APT1 has collected files from a local victim.195
G0007 APT28 APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.10216215217
G0016 APT29 APT29 has stolen data from compromised hosts.197
G0022 APT3 APT3 will identify Microsoft Office documents on the victim’s computer.221
G0067 APT37 APT37 has collected data from victims’ local systems.212
G0082 APT38 APT38 has collected data from a compromised host.227
G0087 APT39 APT39 has used various tools to steal files from the compromised host.186187
G0096 APT41 APT41 has uploaded files and data from a compromised host.209
G0143 Aquatic Panda Aquatic Panda captured local Windows security event log data from victim machines using the wevtutil utility to extract contents to an evtx output file.207
S1029 AuTo Stealer AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.108
G0001 Axiom Axiom has collected data from a compromised network.133
S0642 BADFLICK BADFLICK has uploaded files from victims’ machines.137
S0128 BADNEWS When it first starts, BADNEWS crawls the victim’s local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.2829
S0337 BadPatch BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.167
S0234 Bandook Bandook can collect local files from the system .178
S0239 Bankshot Bankshot collects files from the local system.27
S0534 Bazar Bazar can retrieve information from the infected machine.85
S1246 BeaverTail BeaverTail has exfiltrated data collected from local systems.104105106107
S0268 Bisonal Bisonal has collected information from a compromised host.115
S0564 BlackMould BlackMould can copy files on a compromised host.82
S0520 BLINDINGCAN BLINDINGCAN has uploaded files from victim machines.53
S0651 BoxCaon BoxCaon can upload files from a compromised host.23
G0060 BRONZE BUTLER BRONZE BUTLER has exfiltrated files stolen from local systems.184
S1063 Brute Ratel C4
Brute Ratel C4 has the ability to upload files from a compromised system.7
S1039 Bumblebee Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies.68
C0015 C0015 During C0015, the threat actors obtained files and data from the compromised network.243
C0017 C0017 During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks.246
C0026 C0026 During C0026, the threat actors collected documents from compromised hosts.175
S0274 Calisto Calisto can collect data from user directories.113
S1224 CASTLETAP CASTLETAP can execute a C2 command to transfer files from victim machines.169
S0572 Caterpillar WebShell Caterpillar WebShell has a module to collect information from the local database.51
S1043 ccf32 ccf32 can collect files from a compromised host.9
S0674 CharmPower CharmPower can collect data and files from a compromised host.138
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can collect files from compromised hosts.77
S0020 China Chopper China Chopper’s server component can upload local files.35363734
S0667 Chrommme Chrommme can collect data from a local system.135
S0660 Clambling Clambling can collect information from a compromised host.154
S0154 Cobalt Strike Cobalt Strike can collect data from a local system.4243
S0492 CookieMiner CookieMiner has retrieved iPhone text messages from iTunes phone backup files.141
S0050 CosmicDuke CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.166
C0004 CostaRicto During CostaRicto, the threat actors collected data and files from compromised networks.54
S1023 CreepyDrive CreepyDrive can upload files to C2 from victim machines.139
S0115 Crimson Crimson can collect information from a compromised host.89
S0538 Crutch Crutch can exfiltrate files from compromised systems.158
S0498 Cryptoistic Cryptoistic can retrieve files from the local file system.22
G1012 CURIUM CURIUM has exfiltrated data from a compromised machine.214
C0029 Cutting Edge During Cutting Edge, threat actors stole the running configuration and cache data from targeted Ivanti Connect Secure VPNs.249248
S0687 Cyclops Blink Cyclops Blink can upload files from a compromised host.75
S1014 DanBot DanBot can upload files from compromised hosts.87
G0070 Dark Caracal Dark Caracal collected complete contents of the ‘Pictures’ folder from compromised Windows systems.236
S1111 DarkGate DarkGate has stolen sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.80
S0673 DarkWatchman DarkWatchman can collect files from a compromised host.134
S1021 DnsSystem DnsSystem can upload files from infected machines after receiving a command with uploaddd in the string.125
G0035 Dragonfly Dragonfly has collected data from local victim systems.213
S0694 DRATzarus DRATzarus can collect information from a compromised host.78
S0502 Drovorub Drovorub can transfer files from the victim machine.21
S0567 Dtrack Dtrack can collect a variety of information from victim machines.26
S1159 DUSTTRAP DUSTTRAP can gather data from infected systems.119
G1003 Ember Bear Ember Bear gathers victim system information such as enumerating the volume of a given device or extracting system and security event logs for analysis.224225
S0634 EnvyScout EnvyScout can collect sensitive NTLM material from a compromised host.69
S0404 esentutl esentutl can be used to collect data from local file systems.17
S0512 FatDuke FatDuke can copy files and directories from a compromised host.126
G1016 FIN13 FIN13 has gathered stolen credentials, sensitive data such as point-of-sale (POS), and ATM data from a compromised network before exfiltration.239238
G0037 FIN6 FIN6 has collected and exfiltrated payment card data from compromised systems.204205206
G0046 FIN7 FIN7 has collected files and other sensitive information from a compromised network.223
S0696 Flagpro Flagpro can collect data from a compromised host, including Windows authentication information.95
S0036 FLASHFLOOD FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.40
S0381 FlawedAmmyy FlawedAmmyy has collected information and files from a compromised machine.162
S0661 FoggyWeb FoggyWeb can retrieve configuration data from a compromised AD FS server.74
S0193 Forfiles Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before).10
G0117 Fox Kitten Fox Kitten has searched local system resources to access sensitive documents.191
S0503 FrameworkPOS FrameworkPOS can collect elements related to credit card data from process memory.112
C0001 Frankenstein During Frankenstein, the threat actors used Empire to gather various local system information.250
S1044 FunnyDream FunnyDream can upload files from victims’ machines.9155
G0093 GALLIUM GALLIUM collected data from the victim’s local system, including password hashes from the SAM hive in the Registry.196
G0047 Gamaredon Group Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.201202
S0666 Gelsemium Gelsemium can collect data from a compromised host.135
S0477 Goopy Goopy has the ability to exfiltrate documents from infected systems.149
S0237 GravityRAT GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.140
S0690 Green Lambert Green Lambert can collect data from a compromised host.130
S0632 GrimAgent GrimAgent can collect data and files from a compromised host.44
G0125 HAFNIUM HAFNIUM has collected data and files from a compromised machine.34188
S1229 Havoc Havoc can download files from the victim’s computer.152151
S0009 Hikit Hikit can upload files from compromised machines.133
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can read data from files.7071
S1022 IceApple IceApple can collect files, passwords, and other data from a compromised host.97
G0100 Inception Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.218
S1245 InvisibleFerret InvisibleFerret has collected data utilizing a script that contained a list of excluded files and directory names and naming patterns of interest such as environment and configuration files, documents, spreadsheets, and other files that contained the words secret, wallet, private, and password.105
S0260 InvisiMole InvisiMole can collect data from the system, and can monitor changes in specified directories.88
S1132 IPsec Helper IPsec Helper can identify specific files and folders for follow-on exfiltration.117
S0015 Ixeshe Ixeshe can collect data from a local system.156
S0265 Kazuar Kazuar uploads files from a specified directory to the C2 server.170
G0004 Ke3chang Ke3chang gathered information and files from local directories for exfiltration.219132
S1020 Kevin Kevin can upload logs and other data from a compromised host.127
S0526 KGH_SPY KGH_SPY can send a file containing victim system information to C2.172
G0094 Kimsuky Kimsuky has collected Office, PDF, and HWP documents from its victims.182183
S0250 Koadic Koadic can download files off the target system to send back to the server.1615
S0356 KONNI KONNI has stored collected information and discovered processes in a tmp file.47
S1075 KOPILUWAK KOPILUWAK can gather information from compromised hosts.175
G1004 LAPSUS$ LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.185
S1160 Latrodectus Latrodectus can collect data from a compromised host using a stealer module.64
G0032 Lazarus Group Lazarus Group has collected data and files from compromised networks.200198199118
S0395 LightNeuron LightNeuron can collect files from a local system.121
S0211 Linfo Linfo creates a backdoor through which remote attackers can obtain data from local systems.163
S1101 LoFiSe LoFiSe can collect files of interest from targeted systems.136
G1014 LuminousMoth LuminousMoth has collected files and data from compromised machines.211210
S0409 Machete Machete searches the File system for files of interest.145
S1016 MacMa MacMa can collect then exfiltrate files from the compromised system.93
S1060 Mafalda Mafalda can collect files and information from a compromised host.65
G0059 Magic Hound Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.235234
S0652 MarkiRAT MarkiRAT can upload data from the victim’s machine to the C2 server.60
S0500 MCMD MCMD has the ability to upload files from an infected device.14
G0045 menuPass menuPass has collected various files from the compromised computers.231232
S1059 metaMain metaMain can collect files and system information from a compromised host.65131
S1146 MgBot MgBot includes modules for collecting files from local systems based on a given set of properties and filenames.81
S1015 Milan Milan can upload files from a compromised host.101
S0084 Mis-Type Mis-Type has collected files and data from a compromised host.98
S0083 Misdat Misdat has collected files and data from a compromised host.98
S0079 MobileOrder MobileOrder exfiltrates data collected from the victim mobile device.83
S1026 Mongall Mongall has the ability to upload files from victim’s machines.116
S0630 Nebulae Nebulae has the capability to upload collected files to C2.46
S0691 Neoichor Neoichor can upload files from a victim’s machine.132
C0002 Night Dragon During Night Dragon, the threat actors collected files and other data from compromised systems.241
S1090 NightClub NightClub can use a file monitor to steal specific files from targeted systems.45
S0385 njRAT njRAT can collect data from a local system.179
S1131 NPPSPY NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext.6
S0340 Octopus Octopus can exfiltrate files from the system using a documents collector tool.39
G0049 OilRig OilRig has used PowerShell to upload files from compromised systems.189
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks.251
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host.78244
C0006 Operation Honeybee During Operation Honeybee, the threat actors collected data from compromised hosts.247
C0048 Operation MidnightEclipse During Operation MidnightEclipse, threat actors stole saved cookies and login data from targeted systems.240
C0014 Operation Wocao During Operation Wocao, threat actors exfiltrated files and directories of interest from the targeted system.242
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.157
S0594 Out1 Out1 can copy files and Registry data from compromised hosts.13
S1017 OutSteel OutSteel can collect information from a compromised host.61
S0598 P.A.S. Webshell P.A.S. Webshell has the ability to copy files on a compromised host.41
S0208 Pasam Pasam creates a backdoor through which remote attackers can retrieve files.171
G0040 Patchwork Patchwork collected and exfiltrated files from the infected system.220
S1102 Pcexter Pcexter can upload files from targeted systems.136
S1050 PcShare PcShare can collect files and information from a compromised host.9
S0517 Pillowmint Pillowmint has collected credit card data using native API functions.148
S0048 PinchDuke PinchDuke collects user files from the compromised host based on predefined file extensions.165
S1031 PingPull PingPull can collect data from a compromised host.49
S0012 PoisonIvy PoisonIvy creates a backdoor through which remote attackers can steal system information.150
S1012 PowerLess PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.76
S0194 PowerSploit PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.45
S0223 POWERSTATS POWERSTATS can upload files from compromised hosts.128
S0238 Proxysvc Proxysvc searches the local system and gathers data.20
S0197 PUNCHTRACK PUNCHTRACK scrapes memory for properly formatted payment card data.3332
S0650 QakBot QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.2425
S0262 QuasarRAT QuasarRAT can retrieve files from compromised client machines.8
S0686 QuietSieve QuietSieve can collect files from a compromised host.142
S1148 Raccoon Stealer Raccoon Stealer collects data from victim machines based on configuration information received from command and control nodes.5958
S0629 RainyDay RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.46
S0458 Ramsay Ramsay can collect Microsoft Word documents from the target’s file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.5657
S1113 RAPIDPULSE RAPIDPULSE retrieves files from the victim system via encrypted commands sent to the web shell.50
S0169 RawPOS RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.122123124
S0662 RCSession RCSession can collect data from a compromised host.153154
G1039 RedCurl RedCurl has collected data from the local disk of compromised hosts.193194
S1240 RedLine Stealer RedLine Stealer has collected data stored locally including chat logs and files associated with chat services such as Steam, Discord, and Telegram.120
S0448 Rising Sun Rising Sun has collected data and files from a compromised host.31
S0240 ROKRAT ROKRAT can collect host data and specific file types.159160161
S0090 Rover Rover searches for files on local drives based on a predefined list of file extensions.111
S1018 Saint Bot Saint Bot can collect files and information from a compromised host.181
S1099 Samurai Samurai can leverage an exfiltration module to download arbitrary files from compromised machines.180
G0034 Sandworm Team Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.237
S1085 Sardonic Sardonic has the ability to collect data from a compromised machine to deliver to the attacker.79
S0461 SDBbot SDBbot has the ability to access the file system on a compromised host.109
C0058 SharePoint ToolShell Exploitation During SharePoint ToolShell Exploitation, threat actors extracted information from the compromised systems.254252253255
S1019 Shark Shark can upload files to its C2.101100
S1089 SharpDisco SharpDisco has dropped a recent-files stealer plugin to C:\Users\Public\WinSrcNT\It11.exe.45
S0444 ShimRat ShimRat has the capability to upload collected files to a C2.164
S0610 SideTwist SideTwist has the ability to upload files from a compromised host.129
S1110 SLIGHTPULSE SLIGHTPULSE can read files specified on the local system.94
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has uploaded files and information from victim machines.90
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 extracted files from compromised networks.245
S0615 SombRAT SombRAT has collected data and files from a compromised host.5455
S0646 SpicyOmelette SpicyOmelette has collected data and other information from a compromised host.86
S1037 STARWHALE STARWHALE can collect data from an infected local host.174
S1200 StealBit StealBit can upload data and files to the LockBit victim-shaming site.147146
G0038 Stealth Falcon Stealth Falcon malware gathers data from the local victim system.226
S1034 StrifeWater StrifeWater can collect data from a compromised host.177
S0559 SUNBURST SUNBURST collected information from a compromised host.7273
S1064 SVCReady SVCReady can collect data from an infected host.30
S0663 SysUpdate SysUpdate can collect information and files from a compromised host.66
S0011 Taidoor Taidoor can upload data and files from a victim’s machine.96
S0467 TajMahal TajMahal has the ability to steal documents from the local system including the print spooler queue.173
G0027 Threat Group-3390 Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user’s directories.222
S0665 ThreatNeedle ThreatNeedle can collect data and files from a compromised host.118
S0668 TinyTurla TinyTurla can upload files from a compromised host.144
G1022 ToddyCat ToddyCat has run scripts to collect documents from targeted hosts.136
S0671 Tomiris Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.99
S0266 TrickBot TrickBot collects local files and information from the victim’s local machine.114
S1196 Troll Stealer Troll Stealer gathers information from infected systems such as SSH information from the victim’s .ssh directory.19 Troll Stealer collects information from local FileZilla installations and Microsoft Sticky Note.18
G0010 Turla Turla RPC backdoors can upload files from victim machines.208
S0022 Uroburos Uroburos can use its Get command to exfiltrate specified files from the compromised system.38
S0386 Ursnif Ursnif has collected files from victim machines, including certificates and cookies.110
S0452 USBferry USBferry can collect information from an air-gapped host machine.143
G1017 Volt Typhoon Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information.230229228
S0670 WarzoneRAT WarzoneRAT can collect data from a compromised host.48
S0515 WellMail WellMail can exfiltrate files from the victim machine.176
S0514 WellMess WellMess can send files from the victim machine to C2.6263
S0645 Wevtutil Wevtutil can be used to export events from a specific log.1211
G0124 Windigo Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.190
G0102 Wizard Spider Wizard Spider has collected data from a compromised host prior to exfiltration.233
S1065 Woody RAT Woody RAT can collect information from a compromised host.102
S0653 xCaon xCaon has uploaded files from victims’ machines.23
S0658 XCSSET XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.103
S0248 yty yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.67
S0672 Zox Zox has the ability to upload files from a targeted system.133
S0412 ZxShell ZxShell can transfer files from a compromised host.84
S1013 ZxxZ ZxxZ can collect data from a compromised host.168

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.

References

  1. Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022. 

  2. Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022. 

  3. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. 

  4. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  5. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  6. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024. 

  7. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  8. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  9. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  10. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018. 

  11. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020. 

  12. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021. 

  13. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  14. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  15. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  16. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. 

  17. Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021. 

  18. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025. 

  19. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025. 

  20. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  21. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  22. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  23. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  24. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. 

  25. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  26. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  27. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  28. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  29. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  30. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  31. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  32. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  33. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. 

  34. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. 

  35. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  36. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. 

  37. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  38. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  39. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  40. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. 

  41. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  42. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024. 

  43. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  44. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  45. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  46. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  47. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  48. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  49. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  50. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. 

  51. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  52. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  53. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  54. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  55. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  56. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  57. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  58. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 

  59. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  60. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  61. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  62. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  63. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  64. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. 

  65. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  66. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  67. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  68. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. 

  69. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  70. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. 

  71. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  72. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  73. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  74. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  75. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  76. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  77. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  78. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023. 

  79. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024. 

  80. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024. 

  81. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  82. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  83. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  84. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  85. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  86. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  87. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  88. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  89. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  90. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  91. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. 

  92. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  93. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024. 

  94. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  95. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. 

  96. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  97. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  98. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 

  99. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. 

  100. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  101. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  102. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  103. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025. 

  104. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  105. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  106. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025. 

  107. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  108. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  109. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. 

  110. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  111. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020. 

  112. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. 

  113. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  114. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  115. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  116. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. 

  117. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  118. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  119. Alexandre Cote Cyr. (2024, November 8). Life on a crooked RedLine: Analyzing the infamous infostealer’s backend. Retrieved September 17, 2025. 

  120. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  121. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017. 

  122. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017. 

  123. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. 

  124. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. 

  125. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  126. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  127. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  128. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  129. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. 

  130. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  131. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  132. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  133. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  134. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  135. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  136. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  137. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  138. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 

  139. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  140. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. 

  141. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  142. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  143. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. 

  144. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  145. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025. 

  146. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025. 

  147. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  148. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  149. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  150. Immersive Content Team. (2024, April 9). Havoc C2 Framework – A Defensive Operator’s Guide. Retrieved August 13, 2025. 

  151. Ungur, P. (n.d.). HAVOC. Retrieved August 4, 2025. 

  152. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  153. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  154. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  155. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. 

  156. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  157. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. 

  158. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  159. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  160. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  161. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. 

  162. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  163. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  164. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  165. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  166. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  167. Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023. 

  168. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  169. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. 

  170. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  171. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  172. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  173. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 

  174. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. 

  175. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  176. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  177. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  178. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  179. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  180. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  181. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  182. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  183. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. 

  184. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  185. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  186. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025. 

  187. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024. 

  188. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  189. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  190. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024. 

  191. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. 

  192. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 

  193. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  194. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  195. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. 

  196. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024. 

  197. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  198. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  199. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  200. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024. 

  201. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024. 

  202. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020. 

  203. Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020. 

  204. Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020. 

  205. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024. 

  206. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  207. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  208. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  209. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  210. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. 

  211. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  212. Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020. 

  213. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. 

  214. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  215. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 

  216. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  217. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024. 

  218. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017. 

  219. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  220. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  221. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023. 

  222. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. 

  223. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. 

  224. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  225. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  226. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. 

  227. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. 

  228. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. 

  229. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  230. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. 

  231. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  232. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  233. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  234. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  235. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. 

  236. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. 

  237. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024. 

  238. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  239. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  240. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  241. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  242. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  243. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  244. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  245. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. 

  246. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024. 

  247. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  248. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  249. ESET Research. (2025, July 24). ToolShell: An all-you-can-eat buffet for threat actors. Retrieved October 15, 2025. 

  250. Kenin, S. et al. (2025, July 21). SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers. Retrieved October 15, 2025. 

  251. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025. 

  252. Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025.