T1036.005 Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

Item Value
ID T1036.005
Sub-techniques T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008
Tactics TA0005
Platforms Containers, Linux, Windows, macOS
Version 1.1
Created 10 February 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files. [180]
G0018 admin@338 admin@338 actors used the following command to rename one of their tools to a benign file name: ren “%temp%\upload” audiodg.exe [138]
G1007 Aoqin Dragon Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads. [156]
S0622 AppleSeed AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity. [61]
G0006 APT1 The file name AcroRD32.exe, a legitimate process name for Adobe’s Acrobat Reader, was used by APT1 as a name for malware. [157][158]
G0007 APT28 APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page. [145]
G0016 APT29 APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal. [171][170]
G0050 APT32 APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. [95][129]
G0087 APT39 APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe. [131][132]
G0096 APT41 APT41 attempted to masquerade their files as popular anti-virus software. [146][147]
S0475 BackConfig BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary. [24]
G0135 BackdoorDiplomacy BackdoorDiplomacy has dropped implants in folders named for legitimate software. [128]
S0606 Bad Rabbit Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe. [32][33]
S0128 BADNEWS BADNEWS attempts to hide its payloads using legitimate filenames. [112]
S0534 Bazar The Bazar loader has named malicious shortcuts “adobe” and mimicked communications software. [54][55][56]
S0268 Bisonal Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp. [13]
S1070 Black Basta The Black Basta dropper has mimicked an application for creating USB bootable drivers. [62]
S0520 BLINDINGCAN BLINDINGCAN has attempted to hide its payload by using legitimate file names such as “iconcache.db”. [8]
G0108 Blue Mockingbird Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file. [164]
G0060 BRONZE BUTLER BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems. [130]
S1063 Brute Ratel C4 Brute Ratel C4 has used a payload file named OneDrive.update to appear benign. [6]
S1039 Bumblebee Bumblebee has named component DLLs “RapportGP.dll” to match those used by the security company Trusteer. [110]
S0482 Bundlore Bundlore has disguised a malicious .app file as a Flash Player update. [35]
C0017 C0017 During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections. [176]
C0018 C0018 For C0018, the threat actors renamed a Sliver payload to vmware_kb.exe. [177]
S0274 Calisto Calisto’s installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. [106]
G0008 Carbanak Carbanak has named malware “svchost.exe,” which is the name of the Windows shared service host program. [163]
S0484 Carberp Carberp has masqueraded as Windows system file names, as well as “chkntfs.exe” and “syscron.exe”. [107][108]
S0631 Chaes Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL. [30]
S0144 ChChes ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe). [100]
G0114 Chimera Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe. [144]
S1041 Chinoxy Chinoxy has used the name eoffice.exe in an attempt to appear as a legitimate file. [7]
S0625 Cuba Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs. [52]
S0687 Cyclops Blink Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts. [94]
S1014 DanBot DanBot files have been named UltraVNC.exe and WINVNC.exe to appear as legitimate VNC tools. [49]
S0334 DarkComet DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file. [57]
G0012 Darkhotel Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool. [159]
S0187 Daserf Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs. [37]
S0600 Doki Doki has disguised a file as a Linux kernel module. [89]
S0694 DRATzarus DRATzarus has been named Flash.exe, and its dropper has been named IExplorer. [88]
S0567 Dtrack One Dtrack variant can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla. [27]
G1006 Earth Lusca Earth Lusca used the command move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll to move and register a malicious DLL as a Windows print processor, which was eventually loaded by the Print Spooler service. [143]
S0605 EKANS EKANS has been disguised as update.exe to appear as a valid executable. [69]
S0081 Elise If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network. [70]
S0171 Felismus Felismus has masqueraded as legitimate Adobe Content Management System files. [113]
G0137 Ferocious Kitten Ferocious Kitten has named malicious files update.exe and loaded them into the compromised host’s “Public” folder. [51]
G0046 FIN7 FIN7 has attempted to run Darkside ransomware with the filename sleep.exe. [126]
S0182 FinFisher FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file. [115][116]
S0661 FoggyWeb FoggyWeb can be disguised as a Visual Studio file such as Windows.Data.TimeZones.zh-PH.pri to evade detection. Also, FoggyWeb’s loader can mimic a genuine DLL file that carries out the same import functions as the legitimate Windows version.dll file. [50]
G0117 Fox Kitten Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate. [140]
S0410 Fysbis Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier. [86]
G0047 Gamaredon Group Gamaredon Group has used legitimate process names to hide malware including svchosst. [154]
S0666 Gelsemium Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll and has set its persistence in the Registry with the key value Chrome Update to appear legitimate. [17]
S0493 GoldenSpy GoldenSpy’s setup file installs initial executables under the folder %WinDir%\System32\PluginManager. [114]
S0588 GoldMax GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder. [58][98]
S0477 Goopy Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe. [95]
S0531 Grandoreiro Grandoreiro has named malicious browser extensions and update files to appear legitimate. [59][60]
S0690 Green Lambert Green Lambert has been disguised as a Growl help file. [40][41]
S0697 HermeticWiper HermeticWiper has used the name postgressql.exe to mask a malicious payload. [73]
S0698 HermeticWizard HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll. [73]
S0070 HTTPBrowser HTTPBrowser’s installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL. [14]
S1022 IceApple IceApple .NET assemblies have used App_Web_ in their file names to appear legitimate. [109]
G0119 Indrik Spider Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors. [137]
S0259 InnaputRAT InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe. [25]
S0260 InvisiMole InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder. [104][105]
S0015 Ixeshe Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe. [93]
G0004 Ke3chang Ke3chang has dropped their malware into legitimate installed software paths including: C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe. [161]
S0526 KGH_SPY KGH_SPY has masqueraded as a legitimate Windows tool. [19]
G0094 Kimsuky Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll. [125]
S0669 KOCTOPUS KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries. [53]
S0356 KONNI KONNI has created a shortcut called “Anti virus service.lnk” in an apparent attempt to masquerade as a legitimate file. [74]
G0032 Lazarus Group Lazarus Group has renamed malicious code to disguise it as Microsoft’s narrator and other legitimate files. [21][155]
S0395 LightNeuron LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat. [12]
S0582 LookBack LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++. [31]
G1014 LuminousMoth LuminousMoth has disguised their exfiltration malware as ZoomVideoApp.exe. [162]
S0409 Machete Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables. [117][118]
G0095 Machete Machete’s Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer. [136]
G0059 Magic Hound Magic Hound has used dllhost.exe to mask Fast Reverse Proxy (FRP) and MicrosoftOutLookUpdater.exe for Plink. [166][165][167]
S0652 MarkiRAT MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files. [51]
S0500 MCMD MCMD has been named Readme.txt to appear legitimate. [5]
S0459 MechaFlounder MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file. [68]
G0045 menuPass menuPass has been seen changing malicious files to appear legitimate. [168]
S0455 Metamorfo Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example. [102][103]
S0084 Mis-Type Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary. [20][26]
S0083 Misdat Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary. [20][26]
G0069 MuddyWater MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. [133][134][135]
G0129 Mustang Panda Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload. [151]
G0019 Naikon Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables. [36]
S0630 Nebulae Nebulae uses functions named StartUserModeBrowserInjection and StopUserModeBrowserInjection indicating that it’s trying to imitate chrome_frame_helper.dll. [36]
S0198 NETWIRE NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder. [119]
S0353 NOKKI NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file. [42]
S0340 Octopus Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger. [82][83]
S0138 OLDBAIT OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter “o.” [39]
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors renamed a malicious executable to rundll32.exe to allow it to blend in with other Windows system files. [178]
C0006 Operation Honeybee During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC. [179]
C0013 Operation Sharpshooter During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as mssync.exe. [175]
C0014 Operation Wocao During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs. [174]
S0402 OSX/Shlayer OSX/Shlayer can masquerade as a Flash Player update. [76][77]
S0072 OwaAuth OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\. [48]
G0040 Patchwork Patchwork installed its payload in the startup programs folder as “Baidu Software Update.” The group also adds its second stage payload to the startup programs as “Net Monitor.” [152] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe. [153]
S1050 PcShare PcShare has been named wuauclt.exe to appear as the legitimate Windows Update AutoUpdate Client. [7]
S0587 Penquin Penquin has mimicked the Cron binary to hide itself on compromised systems. [84]
S0501 PipeMon PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor. [44]
S0013 PlugX PlugX has been disguised as legitimate Adobe and PotPlayer files. [81]
S0453 Pony Pony has used the Adobe Reader icon for the downloaded file to look more trustworthy. [10]
G0033 Poseidon Group Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense. [127]
S1046 PowGoop PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file. [34]
G0056 PROMETHIUM PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers. [101][122]
S0196 PUNCHBUGGY PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%. [15][16]
S1032 PyDCrypt PyDCrypt has dropped DCSrv under the svchost.exe name to disk. [46]
S0583 Pysa Pysa has executed a malicious executable by naming it svchost.exe. [47]
S0269 QUADAGENT QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1. [66]
S0565 Raindrop Raindrop was installed under names that resembled legitimate Windows file and directory names. [22][23]
S0629 RainyDay RainyDay has used names to mimic legitimate software including “vmtoolsd.exe” to spoof Vmtools. [36]
S0458 Ramsay Ramsay has masqueraded as a 7zip installer. [64][65]
S0495 RDAT RDAT has masqueraded as VMware.exe. [87]
S0125 Remsec The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims. [79][80]
S0496 REvil REvil can mimic the names of known executables. [97]
G0106 Rocke Rocke has used shell scripts which download mining executables and save them with the filename “java”. [121]
S0446 Ryuk Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public. [11]
S0085 S-Type S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary. [20][26]
S1018 Saint Bot Saint Bot has been disguised as a legitimate executable, including as Windows SDK. [9]
G0034 Sandworm Team Sandworm Team has avoided detection by naming a malicious binary explorer.exe. [149][150]
S1019 Shark Shark binaries have been named audioddg.pdb and Winlangdb.pdb in order to appear legitimate. [49]
S0445 ShimRatReporter ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font. [4]
S0589 Sibot Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension. [58]
G1008 SideCopy SideCopy has used a legitimate DLL file name, Duser.dll to disguise a malicious remote access tool. [124]
G0121 Sidewinder Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable. [123]
G0091 Silence Silence has named its backdoor “WINWORD.exe”. [141]
S0468 Skidmap Skidmap has created a fake rm binary to replace the legitimate Linux binary. [43]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe. [45]
S1035 Small Sieve Small Sieve can use variations of Microsoft and Outlook spellings, such as “Microsift”, in its file names to avoid detection. [96]
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign. [172][173]
G0054 Sowbug Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security. [92]
S0058 SslMM To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [29]
S0188 Starloader Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel. [92]
S1034 StrifeWater StrifeWater has been named calc.exe to appear as a legitimate calculator program. [111]
S0491 StrongPity StrongPity has been bundled with legitimate software installation files for disguise. [101]
S1042 SUGARDUMP SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable. [63]
S0559 SUNBURST SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities. [23]
S0562 SUNSPOT SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log. [18]
S0578 SUPERNOVA SUPERNOVA has masqueraded as a legitimate SolarWinds DLL. [90][91]
S0586 TAINTEDSCRIBE The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator. [21]
S1011 Tarrask Tarrask has masqueraded as executable files such as winupdate.exe, date.exe, or win.exe. [78]
G0139 TeamTNT TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software. [160]
S0560 TEARDROP TEARDROP files had names that resembled legitimate Windows file and directory names. [75][23]
G0088 TEMP.Veles TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files. [169]
S0595 ThiefQuest ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable. [71][72]
S0665 ThreatNeedle ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc. [67]
S0668 TinyTurla TinyTurla has been deployed as w64time.dll to appear legitimate. [85]
G0134 Transparent Tribe Transparent Tribe can mimic legitimate Windows directories by using the same icons and names. [148]
G0081 Tropic Trooper Tropic Trooper has hidden payloads in Flash directories and fake installer files. [139]
S0386 Ursnif Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names. [28]
S0136 USBStealer USBStealer mimics a legitimate Russian program called USB Disk Security. [99]
G0107 Whitefly Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors. [120]
S0141 Winnti for Windows A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name. [38]
G0090 WIRTE WIRTE has named a first stage dropper Kaspersky Update Agent in order to appear legitimate. [142]
S0086 ZLib ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules. [20]

Mitigations

ID Mitigation Description
M1045 Code Signing Require signed binaries and images.
M1038 Execution Prevention Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.
M1022 Restrict File and Directory Permissions Use file system access controls to protect folders such as C:\Windows\System32.

Detection

ID Data Source Data Component
DS0022 File File Metadata
DS0007 Image Image Metadata
DS0009 Process Process Metadata
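The three data sources above come together in a simple hunt: compare each process image's file name against its location and signer, and look for names that are a character or two away from a legitimate one. The script below is an added example for this page, not ATT&CK's or any vendor's code. The allow-list of expected locations, the signer string "Microsoft Windows" and the sample records are constructed assumptions for illustration (the names echo the procedure examples above: svchost.exe in a user folder, svchosst.exe, wercplsupporte.dll, lsass.exe in Temp); on a real estate the table would be generated from a golden image or software inventory and the signer checked against your own telemetry.

```python
"""
Flag process-image records that match or nearly match a well-known legitimate
file name but do not match its expected location or signer (T1036.005).
Added example; the allow-list, signer string and sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ntpath

# Assumption: where the genuine binaries live and who signs them.  Generate this
# from a golden image in practice; the signer string is an illustrative value.
EXPECTED: Dict[str, Tuple[Tuple[str, ...], str]] = {
    "svchost.exe":       ((r"c:\windows\system32", r"c:\windows\syswow64"), "Microsoft Windows"),
    "lsass.exe":         ((r"c:\windows\system32",), "Microsoft Windows"),
    "rundll32.exe":      ((r"c:\windows\system32", r"c:\windows\syswow64"), "Microsoft Windows"),
    "explorer.exe":      ((r"c:\windows",), "Microsoft Windows"),
    "wuauclt.exe":       ((r"c:\windows\system32",), "Microsoft Windows"),
    "wercplsupport.dll": ((r"c:\windows\system32",), "Microsoft Windows"),
}
MAX_EDIT_DISTANCE = 2  # how close a name must be to count as a look-alike


@dataclass
class ImageEvent:
    """One process-image record (constructed; shape loosely follows EDR/Sysmon fields)."""
    pid: int
    image_path: str
    signer: Optional[str]  # Authenticode publisher, None when unsigned


@dataclass
class Finding:
    pid: int
    image_path: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(event: ImageEvent) -> Optional[Finding]:
    """Return a Finding for a suspicious record, or None when it looks normal."""
    directory, name = ntpath.split(event.image_path.lower())
    directory = directory.rstrip("\\")
    if name in EXPECTED:
        dirs, signer = EXPECTED[name]
        if directory not in dirs:  # known name, wrong place (svchost.exe in C:\Users\Public)
            return Finding(event.pid, event.image_path,
                           f"{name} outside its expected location(s) {', '.join(dirs)}")
        if event.signer != signer:  # right place, but not the vendor's signature
            return Finding(event.pid, event.image_path,
                           f"{name} in the right place but signer is {event.signer!r}, expected {signer!r}")
        return None
    # Not a known name: look for a near-miss of one (svchosst.exe, wercplsupporte.dll, ...).
    nearest = min(EXPECTED, key=lambda legit: edit_distance(name, legit))
    dist = edit_distance(name, nearest)
    if dist <= MAX_EDIT_DISTANCE:
        return Finding(event.pid, event.image_path,
                       f"{name} is within edit distance {dist} of legitimate name {nearest}")
    return None


def scan(events: List[ImageEvent]) -> List[Finding]:
    """Run classify() over a batch and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records; the names echo the procedure examples on this page.
SAMPLE_EVENTS = [
    ImageEvent(1, r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),       # genuine
    ImageEvent(2, r"C:\Users\Public\svchost.exe", None),                          # wrong directory
    ImageEvent(3, r"C:\Windows\System32\svchosst.exe", None),                     # look-alike name
    ImageEvent(4, r"C:\Windows\System32\wercplsupporte.dll", "Example Corp"),     # look-alike name
    ImageEvent(5, r"C:\Windows\explorer.exe", None),                              # right path, unsigned
    ImageEvent(6, r"C:\Users\bob\AppData\Local\Temp\lsass.exe", "Example Corp"),  # wrong directory
    ImageEvent(7, r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),       # not listed, no near-miss
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding.pid}: {finding.image_path}: {finding.reason}")
```

The edit-distance threshold is deliberately small: a distance of 1 or 2 catches transposed or doubled letters (notron.exe, svehost.exe, updatewindws.exe) while keeping unrelated short names apart; widen it only with a longer allow-list and a review of the false positives it produces.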

References


  1. Carr, N. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. 

  2. Docker. (n.d.). Docker Images. Retrieved April 6, 2021. 

  3. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. 

  4. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  5. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  6. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  7. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  8. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  9. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  10. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  11. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  12. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  13. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  14. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016. 

  15. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  16. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  17. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  18. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  19. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  20. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  21. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  22. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  23. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. 

  24. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  25. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  26. Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016. 

  27. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  28. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. 

  29. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  30. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  31. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  32. M.Léveille, M-E. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021. 

  33. Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. 

  34. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  35. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  36. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  37. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018. 

  38. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017. 

  39. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  40. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. 

  41. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. 

  42. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  43. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  44. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 

  45. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  46. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  47. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. 

  48. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  49. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  50. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  51. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  52. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  53. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  54. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  55. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  56. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  57. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  58. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  59. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  60. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  61. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  62. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. 

  63. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  64. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  65. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  66. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  67. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  68. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. 

  69. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. 

  70. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  71. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. 

  72. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021. 

  73. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022. 

  74. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  75. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  76. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 

  77. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019. 

  78. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. 

  79. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  80. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016. 

  81. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  82. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  83. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  84. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  85. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. 

  86. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. 

  87. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  88. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  89. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. 

  90. Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021. 

  91. Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021. 

  92. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  93. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  94. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  95. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. 

  96. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  97. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  98. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  99. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  100. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  101. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  102. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  103. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  104. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  105. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. 

  106. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020. 

  107. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. 

  108. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  109. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022. 

  110. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  111. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  112. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. 

  113. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  114. FinFisher. (n.d.). Retrieved December 20, 2017. 

  115. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  116. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  117. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  118. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  119. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020. 

  120. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  121. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  122. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. 

  123. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  124. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  125. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  126. Kaspersky Lab’s Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016. 

  127. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  128. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  129. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  130. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  131. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  132. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  133. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. 

  134. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. 

  135. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  136. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  137. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  138. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  139. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  140. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  141. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  142. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  143. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  144. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  145. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  146. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  147. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  148. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  149. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  150. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  151. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. 

  152. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  153. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  154. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  155. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  156. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  157. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  158. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021. 

  159. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  160. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  161. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  162. Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 

  163. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  164. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  165. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  166. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 

  167. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. 

  168. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. 

  169. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. 

  170. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  171. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  172. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  173. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  174. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  175. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. 

  176. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  177. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  178. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.