
T1027.013 Encrypted/Encoded File

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.

This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.1 Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.

The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.

For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).2

Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.
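The following Python script is an added example and is not code from the MITRE page or from any of the malware families listed below. It works through the obfuscation layers the description covers, in the order a responder would undo them: a BOM-prefixed UTF-16 text file (which hides ASCII signatures), a Base64 wrapper, and a single-byte XOR with a hardcoded key (recovered by known plaintext on the MZ header, or by a NUL-count heuristic when no header is known). The sample blob is constructed inline; the MZ/ELF header check, the 0.95 printable ratio and the five-layer limit are assumptions chosen for the demo, not values from the page.

```python
"""Triage helpers for encrypted/encoded file artifacts (T1027.013).

Added example, not MITRE's or any vendor's code. Peels Base64, single-byte
XOR and BOM layers off a constructed sample and reports the chain it undid.
Thresholds, header assumptions and the sample blob are all assumptions.
"""
import base64
import binascii
import math
import re
from collections import Counter

BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
BOMS = {b"\xef\xbb\xbf": "utf-8", b"\xff\xfe": "utf-16-le", b"\xfe\xff": "utf-16-be"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for random/encrypted data, low for NUL-padded images or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def strip_bom(data: bytes):
    """Normalise a BOM-prefixed text file to UTF-8 so ASCII signatures match again.
    A UTF-16 script never contains the plain bytes b'Invoke-Expression'."""
    for bom, enc in BOMS.items():
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace").encode("utf-8"), enc
    return None


def try_base64(data: bytes):
    """Decode one Base64 layer, or return None if the blob is not valid Base64."""
    compact = b"".join(data.split())  # tolerate wrapped lines
    if len(compact) < 16 or not BASE64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_key_known_plaintext(data: bytes, prefix: bytes = b"MZ"):
    """If one key byte turns the start of `data` into `prefix`, return that byte."""
    if len(data) < len(prefix):
        return None
    k = data[0] ^ prefix[0]
    return k if all(data[i] ^ k == prefix[i] for i in range(len(prefix))) else None


def xor_key_nul_heuristic(data: bytes):
    """Fallback: the key that yields the most NUL bytes (PE/ELF images are full of them)."""
    return max(range(256), key=lambda k: xor_single(data, k).count(0)) if data else None


def is_image(data: bytes) -> bool:
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def mostly_printable(data: bytes, ratio: float = 0.95) -> bool:
    ok = sum(32 <= b < 127 or b in b"\r\n\t" for b in data)
    return bool(data) and ok / len(data) >= ratio


def peel(data: bytes, max_layers: int = 5):
    """Undo encoding layers until a PE/ELF image or readable text remains.
    Returns (payload, steps); steps records the chain for the analysis report."""
    steps, cur = [], data
    for _ in range(max_layers):
        if is_image(cur):
            break
        bom = strip_bom(cur)
        if bom:
            cur, enc = bom
            steps.append(f"bom:{enc}")
            continue
        decoded = try_base64(cur)
        if decoded is not None:
            cur = decoded
            steps.append("base64")
            continue
        key = xor_key_known_plaintext(cur)
        if key is None and not mostly_printable(cur):
            key = xor_key_nul_heuristic(cur)
        if not key:  # None, or 0x00 which would undo nothing
            break
        cur = xor_single(cur, key)
        steps.append(f"xor:0x{key:02x}")
    return cur, steps


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed artifact: a fake PE-like blob (MZ header, NUL padding, a C2 string)
    XOR-encrypted with a hardcoded single-byte key, then Base64-wrapped."""
    fake_pe = b"MZ" + b"\x00" * 200 + b"http://c2.example.invalid/gate\x00" + b"\x00" * 50
    return base64.b64encode(xor_single(fake_pe, key))


if __name__ == "__main__":
    blob = build_sample()
    payload, chain = peel(blob)
    print(f"entropy on disk {shannon_entropy(blob):.2f}, layers undone: {chain}")
    print("C2 string visible after peeling:", b"c2.example.invalid" in payload)
```

Note what the entropy reading shows on this sample: a sparse image under single-byte XOR keeps its low entropy (XOR is a bijection per byte), and Base64 lowers it further, so an entropy threshold alone would not flag it. That is why the triage step peels layers and looks for a known header rather than relying on entropy as the only signal.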

Item Value
ID T1027.013
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011, T1027.012, T1027.013, T1027.014, T1027.015, T1027.016, T1027.017
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.1
Created 29 March 2024
Last Modified 15 April 2025

Procedure Examples

ID Name Description
C0057 3CX Supply Chain Attack During the 3CX Supply Chain Attack, AppleJeus encrypts its dynamic library files (.dll) using RC4, and when loaded only decrypts specific portions of the file using the key 3jB(2bsG#@c7.[284]
G0026 APT18 APT18 obfuscates strings in the payload.224
G0073 APT19 APT19 used Base64 to obfuscate payloads.242
G0007 APT28 APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.221222223165220
G0050 APT32 APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called “Dont-Kill-My-Cat” (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.269268274270271272273
G0064 APT33 APT33 has used base64 to encode payloads.237
G0087 APT39 APT39 has used malware to drop encrypted CAB files.229
C0040 APT41 DUST APT41 DUST used encrypted payloads decrypted and executed in memory.71
S0456 Aria-body Aria-body has used an encrypted configuration file for its loader.153
S0373 Astaroth Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.35
S0438 Attor Strings in Attor’s components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.141
S0347 AuditCred AuditCred encrypts the configuration.209
S0473 Avenger Avenger has the ability to XOR encrypt files to be sent to C2.110
S0534 Bazar Bazar has used XOR, RSA2, and RC4 encrypted files.464748
S1246 BeaverTail BeaverTail has obfuscated strings of code with Base64 encoding within the JavaScript version of the malware.121123124 BeaverTail has also utilized the open-source tool JavaScript-Obfuscator to obfuscate strings and functions.120122
S0574 BendyBear BendyBear has encrypted payloads using RC4 and XOR.159
S0268 Bisonal Bisonal’s DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.99100
S0570 BitPaymer BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.88
G1002 BITTER BITTER has used a RAR SFX dropper to deliver malware.238
S1180 BlackByte Ransomware BlackByte Ransomware is distributed as an encrypted payload.158
S0520 BLINDINGCAN BLINDINGCAN has obfuscated code using Base64 encoding.75
G0108 Blue Mockingbird Blue Mockingbird has obfuscated the wallet address in the payload binary.251
S0657 BLUELIGHT BLUELIGHT has a XOR-encoded payload.53
S1226 BOOKWORM BOOKWORM has utilized Base64 encoding to obfuscate its payload.170
S0415 BOOSTWRITE BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.85
S0484 Carberp Carberp has used XOR-based encryption to mask C2 server locations within the trojan.183
S0348 Cardinal RAT Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.213
S0462 CARROTBAT CARROTBAT has the ability to download a base64 encoded payload.211
S1041 Chinoxy Chinoxy has encrypted its configuration file.5
S0667 Chrommme Chrommme can encrypt sections of its code to evade detection.140
G1052 Contagious Interview Contagious Interview has used hexadecimal string encoding to hide critical JavaScript module names, function names, and C2 URLs, which are decoded dynamically at runtime.128
S1235 CorKLOG CorKLOG has encrypted collected contents using RC4.29 CorKLOG has also utilized XOR encrypted strings.29
S0046 CozyCar The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.155
S1153 Cuckoo Stealer Cuckoo Stealer strings are XOR-encrypted.1617
C0029 Cutting Edge During Cutting Edge, threat actors used a Base64-encoded Python script to write a patched version of the Ivanti Connect Secure dsls binary.288
S0497 Dacls Dacls can encrypt its configuration file with AES CBC.117
S1014 DanBot DanBot can Base64 encode its payload.65
G0070 Dark Caracal Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.215
S1111 DarkGate DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.82 DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.83
G0012 Darkhotel Darkhotel has obfuscated code using RC4, XOR, and RSA.217218
S1033 DCSrv DCSrv’s configuration is encrypted.56
S1052 DEADEYE DEADEYE has encrypted its payload.9
S1134 DEADWOOD DEADWOOD contains an embedded, AES-encrypted resource named METADATA that contains configuration information for follow-on execution.125
S0213 DOGCALL DOGCALL is encrypted using single-byte XOR.168
S0695 Donut Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.4
S1158 DUSTPAN DUSTPAN decrypts an embedded payload.71127
S1159 DUSTTRAP DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.71
G0066 Elderwood Elderwood has encrypted documents and malicious executables.216
S0081 Elise Elise encrypts several of its files, including configuration files.109
S1247 Embargo Embargo has encrypted both MDeployer and MS4 Killer payloads with RC4.150
S0082 Emissary Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the “srand” and “rand” functions.1514
S0367 Emotet Emotet uses obfuscated URLs to download a ZIP file.184
S0634 EnvyScout EnvyScout can Base64 encode payloads.111
S0401 Exaramel for Linux Exaramel for Linux uses RC4 for encrypting the configuration.199198
S0267 FELIXROOT FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.6766
S0618 FIVEHANDS The FIVEHANDS payload is encrypted with AES-128.173171172
S0383 FlawedGrace FlawedGrace encrypts its C2 configuration files with AES in CBC mode.107
S0661 FoggyWeb FoggyWeb has been XOR-encoded.93
G0117 Fox Kitten Fox Kitten has base64 encoded payloads to avoid detection.243
S1044 FunnyDream FunnyDream can Base64 encode its C2 address stored in a template binary with the xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_- or xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_= character sets.5
S0410 Fysbis Fysbis has been encrypted using XOR and RC4.86
S0168 Gazer Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.201
S0493 GoldenSpy GoldenSpy’s uninstaller has base64-encoded its variables.193
S0588 GoldMax GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.166167
S0531 Grandoreiro The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.357373
S0237 GravityRAT GravityRAT supports file encryption (AES with the key “lolomycin2017”).57
S0342 GreyEnergy GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.66
G0043 Group5 Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.261
S0391 HAWKBALL HAWKBALL has encrypted the payload with an XOR-based algorithm.33
S0170 Helminth The Helminth config file is encrypted with RC4.38
S0698 HermeticWizard HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.200
S1249 HexEval Loader HexEval Loader has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis.128129
S1027 Heyoka Backdoor Heyoka Backdoor can encrypt its payload.169
S0087 Hi-Zor Hi-Zor uses various XOR techniques to obfuscate its components.188
S0394 HiddenWasp HiddenWasp encrypts its configuration and payload.189
G0126 Higaisa Higaisa used Base64 encoded compressed payloads.240241
S0601 Hildegard Hildegard has encrypted an ELF file.202
S0232 HOMEFRY Some strings in HOMEFRY are obfuscated with XOR x56.149
S0431 HotCroissant HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.21
S0398 HyperBro HyperBro can be delivered encrypted to a compromised host.178
S0483 IcedID IcedID has utilized encrypted binaries and base64 encoded strings.138
G0100 Inception Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.214
S1245 InvisibleFerret InvisibleFerret has utilized the XOR and Base64 encoding for each of its modules.121 InvisibleFerret has also obfuscated files with a combination of zlib, Base64 and reverse string order.120 InvisibleFerret has also utilized the XOR and Base64 encoding some of its Python scripts.123
S1132 IPsec Helper IPsec Helper contains an embedded XML configuration file with an encrypted list of command and control servers. These are written to an external configuration file during execution.125
S0581 IronNetInjector IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.8
S0044 JHUHUGIT Many strings in JHUHUGIT are obfuscated with a XOR algorithm.164163165
S1190 Kapeka Kapeka utilizes AES-256 (CBC mode), XOR, and RSA-2048 encryption schemas for various configuration and other objects.204
S0585 Kerrdown Kerrdown can encrypt, encode, and compress multiple layers of shellcode.119
S0487 Kessel Kessel’s configuration is hardcoded and RC4 encrypted within the binary.18
S1020 Kevin Kevin has Base64-encoded its configuration file.74
S0387 KeyBoy In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.131
S1051 KEYPLUG KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.9
S0526 KGH_SPY KGH_SPY has used encrypted strings in its installer.181
S0356 KONNI KONNI is heavily obfuscated and includes encrypted configuration files.76
S0236 Kwampirs Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.89
S1160 Latrodectus Latrodectus has used a pseudo random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.191192190
G0032 Lazarus Group Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.232230231235117234233
G0065 Leviathan Leviathan has obfuscated code using base64.225
S0395 LightNeuron LightNeuron encrypts its configuration files with AES-256.64
S1185 LightSpy LightSpy encrypts the C2 configuration file using AES with a static key, while the module .dylib files use a rolling one-byte encoding for obfuscation.96
S1202 LockBit 3.0 The LockBit 3.0 payload includes an encrypted main component.5049
S0451 LoudMiner LoudMiner has encrypted DMG files.51
S1213 Lumma Stealer Lumma Stealer has used AES-encrypted payloads contained within PowerShell scripts.180
S1142 LunarMail LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration respectively.113
S1141 LunarWeb The LunarWeb install files have been encrypted with AES-256.113
S1060 Mafalda Mafalda has been obfuscated and contains encrypted functions.187
G0059 Magic Hound Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.248249
S1182 MagicRAT MagicRAT stores base64 encoded command and control URLs in a configuration file, with each URL prefixed with the value LR02DPt22R.97
G1026 Malteiro Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.116
S1169 Mango Mango contains a series of base64 encoded substrings.92
S1220 MEDUSA MEDUSA can XOR encrypt configuration strings.52
S1244 Medusa Ransomware Medusa Ransomware has utilized XOR encrypted strings.4445
G0045 menuPass menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.256257258
G1013 Metador Metador has encrypted their payloads.187
S1059 metaMain metaMain’s module file has been encrypted via XOR.43
S0455 Metamorfo Metamorfo has encrypted payloads and strings.5859
S0339 Micropsia Micropsia obfuscates the configuration with a custom Base64 and XOR.161162
S1015 Milan Milan can encode files containing information about the targeted system.2374
S1122 Mispadu Mispadu uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys.114
G0103 Mofang Mofang has encrypted payloads before they are downloaded to victims.254
G1036 Moonstone Sleet Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.275
S1221 MOPSLED MOPSLED can encrypt configuration files with a custom ChaCha20 algorithm.52
S0284 More_eggs More_eggs’s payload has been encrypted with a key that has the hostname and processor family information appended to the end.108
G1009 Moses Staff Moses Staff has used obfuscated web shells in their operations.56
S0256 Mosquito Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.154
S0228 NanHaiShu NanHaiShu encodes files in Base64.42
C0002 Night Dragon During Night Dragon, threat actors used a DLL that included an XOR-encoded section.277
S1100 Ninja The Ninja payload is XOR encrypted and compressed.32 Ninja has also XORed its configuration data with a constant value of 0xAA.3132
S0385 njRAT njRAT has included a base64 encoded executable.118
G0049 OilRig OilRig has encrypted and encoded data in its malware, including by using base64.266264267265263
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.28328128211
C0016 Operation Dust Storm During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded.280
C0006 Operation Honeybee During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.278
C0005 Operation Spalax For Operation Spalax, the threat actors used XOR-encrypted payloads.287
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.12
C0042 Outer Space During Outer Space, OilRig deployed VBS droppers with obfuscated strings.92
S1233 PAKLOG PAKLOG has utilized a simple encoding mechanism to encode characters in the buffer.29
S1050 PcShare PcShare has been encrypted with XOR using different 32-character Base16 strings as keys.5
S0587 Penquin Penquin has encrypted strings in the binary for obfuscation.210
S0501 PipeMon PipeMon modules are stored encrypted on disk.54
S0013 PlugX PlugX has leveraged XOR encryption with the key of 123456789.208
S0113 Prikormka Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.41
S0613 PS1 PS1 is distributed as a set of encrypted files and scripts.130
G0024 Putter Panda Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.262
S1032 PyDCrypt PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.56
S1242 Qilin Qilin can employ several code obfuscation methods, including renaming functions, altering control flows, and encrypting strings.10
S1148 Raccoon Stealer Raccoon Stealer uses RC4 encryption for strings and command and control addresses to evade static detection.103102101
S0565 Raindrop Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.2019
S0629 RainyDay RainyDay has downloaded as a XOR-encrypted payload.132
S1212 RansomHub RansomHub has an encrypted configuration file.30
S1113 RAPIDPULSE RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.206
S0172 Reaver Reaver encrypts some of its files with XOR.84
C0047 RedDelta Modified PlugX Infection Chain Operations Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.279
S0153 RedLeaves A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.104
S1240 RedLine Stealer RedLine Stealer has encrypted and encoded configuration data with Base64 and XOR functions.134
C0056 RedPenguin During RedPenguin, UNC3886 generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.286285
S0375 Remexi Remexi obfuscates its configuration data with XOR.90
S0125 Remsec Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.6968
S0496 REvil REvil has used encrypted strings and configuration files.144148146145143147142
S0433 Rifdoor Rifdoor has encrypted strings with a single byte XOR algorithm.21
S0448 Rising Sun Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.112
S1150 ROADSWEEP The ROADSWEEP binary contains RC4 encrypted embedded scripts.272628
S1210 Sagerunex Sagerunex can be passed a reference to an XOR-encrypted configuration file at runtime.62
G1031 Saint Bear Saint Bear initial payloads included encoded follow-on payloads located in the resources file of the first-stage loader.236
S0074 Sakula Sakula uses single-byte XOR obfuscation to obfuscate many of its files.36
S0370 SamSam SamSam has been seen using AES or DES to encrypt payloads and payload components.3940
S0345 Seasalt Seasalt obfuscates configuration data.136
C0045 ShadowRay During ShadowRay, threat actors used Base64-encrypted Python code to evade detection.276
S1019 Shark Shark can use encrypted and encoded files for C2 configuration.2322
G0121 Sidewinder Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.227228226
S0468 Skidmap Skidmap has encrypted its main payload using 3DES.34
S0633 Sliver Sliver can encrypt strings at compile time.76
S0226 Smoke Loader Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.152151
S1124 SocGholish SocGholish has single or double Base-64 encoded references to its second-stage server URLs.70
S0374 SpeakUp SpeakUp encodes its second-stage payload with Base64.185
S1232 SplatDropper SplatDropper has also utilized XOR encrypted payload.29
S1030 Squirrelwaffle Squirrelwaffle has been obfuscated with a XOR-based algorithm.176177
S1037 STARWHALE STARWHALE has been obfuscated with hex-encoded strings.179
S1200 StealBit StealBit stores obfuscated DLL file names in its executable.126
S0380 StoneDrill StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.137
G1046 Storm-1811 Storm-1811 XOR encodes a Cobalt Strike installation payload in a DLL file that is decoded with a hardcoded key when called by a legitimate 7zip installation process.250
S1183 StrelaStealer StrelaStealer uses XOR-encoded strings to obfuscate items.63
S0491 StrongPity StrongPity has used encrypted strings in its dropper component.9495
S0603 Stuxnet Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.87
S0578 SUPERNOVA SUPERNOVA contained Base64-encoded strings.182
S0663 SysUpdate SysUpdate can encrypt and encode its configuration file.139
G1018 TA2541 TA2541 has used compressed and char-encoded scripts in operations.247
G0092 TA505 TA505 has password-protected malicious Word documents.239
S0011 Taidoor Taidoor can use encrypted string blocks for obfuscation.194
G0139 TeamTNT TeamTNT has encrypted its binaries via AES and encoded files using Base64.259260
G0027 Threat Group-3390 A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder.246245244
S0665 ThreatNeedle ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.157
S0131 TINYTYPHON TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.77
S0678 Torisma Torisma has been Base64 encoded and AES encrypted.11
G0134 Transparent Tribe Transparent Tribe has dropped encoded executables on compromised hosts.219
S0266 TrickBot TrickBot uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.205
G0081 Tropic Trooper Tropic Trooper has encrypted configuration files.253252
S0263 TYPEFRAME APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.91
S1164 UPSTYLE UPSTYLE stores primary content as base64-encoded objects.106105
S0022 Uroburos Uroburos can use AES and CAST-128 encryption to obfuscate resources.207
S0386 Ursnif Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.25 Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.24
S0136 USBStealer Most strings in USBStealer are encrypted using 3DES and XOR and reversed.13
S0257 VERMIN VERMIN is obfuscated using the obfuscation tool called ConfuserEx.160
S1154 VersaMem VersaMem encrypted captured credentials with AES then Base64 encoded them before writing to local storage.98
S0180 Volgmer A Volgmer variant is encoded using a simple XOR cipher.203
S0612 WastedLocker The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.195
S0579 Waterbear Waterbear has used RC4 encrypted shellcode and encrypted functions.133
S0689 WhisperGate WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.788079
G0107 Whitefly Whitefly has encrypted the payload used for C2.255
S0466 WindTail WindTail can be delivered as a compressed, encrypted, and encoded payload.72
S0430 Winnti for Linux Winnti for Linux can encode its configuration file with single-byte XOR encoding.135
S0141 Winnti for Windows Winnti for Windows has the ability to encrypt and compress its payload.196
S1065 Woody RAT Woody RAT has used Base64 encoded strings and scripts.55
S0658 XCSSET Older XCSSET variants use xxd to encode modules. Later versions pass an xxd or base64 encoded blob through multiple decoding stages to reconstruct the module name, AppleScript, or shell command. For example, the initial network request uses three layers of hex decoding before executing a curl command in a shell.197
S1207 XLoader XLoader features encrypted functions using the RC4 algorithm and bytecode operations.6160
S1248 XORIndex Loader XORIndex Loader has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis.186
S0388 YAHOYAH YAHOYAH encrypts its configuration file using a simple algorithm.156
S0230 ZeroT ZeroT has encrypted its payload with RC4.212
S0330 Zeus Panda Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings in AES and RC4.174175
S0672 Zox Zox has been encoded with Base64.37
S1013 ZxxZ ZxxZ has been encoded to avoid detection from static analysis tools.81

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation.
M1040 Behavior Prevention on Endpoint On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.3

References


  1. Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024. 

  2. Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024. 

  3. Microsoft. (2024, March 4). Attack surface reduction rules reference. Retrieved March 29, 2024. 

  4. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  5. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  6. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021. 

  7. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021. 

  8. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. 

  9. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  10. Health Sector Cybersecurity Coordination Center. (2024, June 18). Qilin, aka Agenda Ransomware. Retrieved September 26, 2025. 

  11. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  12. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. 

  13. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  14. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. 

  15. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016. 

  16. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024. 

  17. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024. 

  18. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  19. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. 

  20. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  21. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  22. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. 

  23. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  24. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. 

  25. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. 

  26. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. 

  27. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  28. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. 

  29. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  30. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025. 

  31. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  32. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  33. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. 

  34. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  35. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  36. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  37. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  38. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  39. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. 

  40. Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019. 

  41. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  42. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018. 

  43. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  44. Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025. 

  45. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. 

  46. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  47. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  48. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  49. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  50. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025. 

  51. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  52. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 

  53. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  54. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  55. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  56. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  57. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  58. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  59. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  60. ANY.RUN. (2023, February 28). XLoader/FormBook: Encryption Analysis and Malware Decryption . Retrieved March 11, 2025. 

  61. Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025. 

  62. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025. 

  63. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024. 

  64. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  65. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  66. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  67. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024. 

  68. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  69. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  70. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024. 

  71. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  72. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019. 

  73. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  74. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  75. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  76. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  77. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  78. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  79. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024. 

  80. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  81. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  82. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  83. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  84. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  85. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  86. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. 

  87. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. 

  88. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  89. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018. 

  90. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  91. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  92. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  93. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  94. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  95. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  96. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025. 

  97. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024. 

  98. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024. 

  99. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  100. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  101. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 

  102. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024. 

  103. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  104. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  105. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 . Retrieved January 15, 2025. 

  106. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024. 

  107. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  108. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  109. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  110. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  111. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  112. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  113. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  114. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. 

  115. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. 

  116. SCILabs. (2023, October 8). URSA/Mispadu: Overlap analysis with other threats. Retrieved March 13, 2024. 

  117. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. 

  118. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  119. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  120. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025. 

  121. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  122. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025. 

  123. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  124. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025. 

  125. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. 

  126. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025. 

  127. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024. 

  128. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025. 

  129. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025. 

  130. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  131. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. 

  132. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  133. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  134. Splunk Threat Research Team. (2023, June 1). Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis. Retrieved September 17, 2025. 

  135. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. 

  136. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  137. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  138. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  139. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  140. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  141. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  142. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  143. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. 

  144. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020. 

  145. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  146. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  147. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  148. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  149. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  150. Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025. 

  151. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. 

  152. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. 

  153. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  154. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  155. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  156. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  157. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  158. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024. 

  159. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  160. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  161. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. 

  162. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  163. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  164. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016. 

  165. Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. 

  166. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  167. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  168. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  169. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  170. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025. 

  171. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  172. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021. 

  173. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  174. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  175. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  176. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  177. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  178. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  179. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  180. Vishwajeet Kumar, Qualys. (2024, October 20). Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA. Retrieved March 22, 2025. 

  181. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  182. CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021. 

  183. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. 

  184. Kenefick, I. (2023, March 13). Emotet Returns, Now Adopts Binary Padding for Evasion. Retrieved June 19, 2024. 

  185. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. 

  186. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025. 

  187. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  188. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved November 17, 2024. 

  189. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  190. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. 

  191. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024. 

  192. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 

  193. Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020. 

  194. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  195. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  196. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  197. Microsoft Threat Intelligence. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects. Retrieved April 2, 2025. 

  198. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  199. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  200. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  201. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 

  202. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  203. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  204. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025. 

  205. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  206. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. 

  207. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. 

  208. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  209. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  210. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  211. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. 

  212. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  213. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  214. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  215. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  216. O’Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. 

  217. Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018. 

  218. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. 

  219. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  220. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  221. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  222. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  223. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  224. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  225. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  226. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. 

  227. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  228. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. 

  229. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  230. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024. 

  231. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  232. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  233. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  234. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  235. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  236. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  237. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  238. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. 

  239. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  240. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  241. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  242. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  243. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  244. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  245. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  246. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. 

  247. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023. 

  248. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  249. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025. 

  250. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  251. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  252. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018. 

  253. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  254. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020. 

  255. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  256. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  257. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  258. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. 

  259. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021. 

  260. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. 

  261. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  262. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. 

  263. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  264. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. 

  265. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  266. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. 

  267. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017. 

  268. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  269. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  270. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  271. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  272. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. 

  273. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. 

  274. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. 

  275. Lumelsly, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024. 

  276. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  277. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  278. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025. 

  279. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  280. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  281. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  282. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  283. Robert Falcone, Josh Grunzweig. (2023, March 30). Threat Brief: 3CXDesktopApp Supply Chain Attack. Retrieved September 15, 2025. 

  284. Juniper Networks, Cybersecurity R&D. (2025, March 11). The RedPenguin Malware Incident. Retrieved June 24, 2025. 

  285. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025. 

  286. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  287. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.