Skip to content

T1053.005 Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.11 In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet Invoke-CimMethod, which leverages WMI class PS_ScheduledTask to create a scheduled task via an XML path.7

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.1

Adversaries may also create “hidden” scheduled tasks (i.e. Hide Artifacts) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from schtasks /query and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).104 Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., Index value) within associated registry keys.2

Item Value
ID T1053.005
Sub-techniques T1053.002, T1053.003, T1053.005, T1053.006, T1053.007
Tactics TA0002, TA0003, TA0004
Platforms Windows
Version 1.8
Created 27 November 2019
Last Modified 24 October 2025

Procedure Examples

ID Name Description
C0034 2022 Ukraine Electric Power Attack During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.248
S0331 Agent Tesla Agent Tesla has achieved persistence via scheduled tasks.103
S0504 Anchor Anchor can create a scheduled task for persistence.45
S1133 Apostle Apostle achieves persistence by creating a scheduled task, such as MicrosoftCrashHandlerUAC.125
S0584 AppleJeus AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.111
G0099 APT-C-36 APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.226
G0016 APT29 APT29 has used named and hijacked scheduled tasks to establish persistence.192
G0022 APT3 An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn “mysc” /tr C:\Users\Public\test.exe /sc ONLOGON /ru “System”.164
G0050 APT32 APT32 has used scheduled tasks to persist on victim systems.215216157217
G0064 APT33 APT33 has created a scheduled task to execute a .vbe file multiple times a day.220
G0067 APT37 APT37 has created scheduled tasks to run malicious scripts on a compromised host.243
G0082 APT38 APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.223 Additionally, APT38 has used living-off-the-land scripts to execute a malicious script via a scheduled task.224
G0087 APT39 APT39 has created scheduled tasks for persistence.194195193
G0096 APT41 APT41 used a compromised account to create a scheduled task on a system.20428
G1044 APT42 APT42 has used scheduled tasks for persistence.209
S1087 AsyncRAT AsyncRAT can create a scheduled task to maintain persistence on system start-up.25
S0438 Attor Attor’s installer plugin can schedule a new task that loads the dispatcher on boot/logon.105
S0414 BabyShark BabyShark has used scheduled tasks to maintain persistence.28
S0475 BackConfig BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.122
S0606 Bad Rabbit Bad Rabbit’s infpub.dat file creates a scheduled task to launch a malicious executable.67
S1081 BADHATCH BADHATCH can use schtasks.exe to gain persistence.59
S0128 BADNEWS BADNEWS creates a scheduled task to establish by executing a malicious payload every subsequent minute.77
S0534 Bazar Bazar can create a scheduled task for persistence.131132
G1002 BITTER BITTER has used scheduled tasks for persistence and execution.79
G1043 BlackByte BlackByte created scheduled tasks for payload execution.179178
S1180 BlackByte Ransomware BlackByte Ransomware creates a schedule task to execute remotely deployed ransomware payloads.96
G0108 Blue Mockingbird Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.189
S0360 BONDUPDATER BONDUPDATER persists using a scheduled task that executes every minute.91
G0060 BRONZE BUTLER BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.231
S1039 Bumblebee Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.130129
C0017 C0017 During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.249
C0032 C0032 During the C0032 campaign, TEMP.Veles used scheduled task XML triggers.256
S0335 Carbon Carbon creates several tasks for later execution to continue persistence on the victim’s machine.38
S1043 ccf32 ccf32 can run on a daily basis using a scheduled task.115
G0114 Chimera Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script schtasks /create /ru “SYSTEM” /tn “update” /tr “cmd /c c:\windows\temp\update.bat” /sc once /f /st and to maintain persistence.167168
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can use the Windows SilentCleanup scheduled task to enable payload execution.87
S1236 CLAIMLOADER CLAIMLOADER has created scheduled tasks that execute the loader every five(5) minutes using `schtasks /F /Create /TN "" /SC minute /MO 5 /TR
"C:\ProgramData\ `.113
G0080 Cobalt Group Cobalt Group has created Windows tasks to establish persistence.165
S0126 ComRAT ComRAT has used a scheduled task to launch its PowerShell loader.3940
G0142 Confucius Confucius has created scheduled tasks to maintain persistence on a compromised host.242
S1235 CorKLOG CorKLOG has achieved persistence through the creation of a scheduled task named TableInputServices by using the command schtasks /create /tn TabletlnputServices /tr /sc minute /mo 10 /f.100
S0050 CosmicDuke CosmicDuke uses scheduled tasks typically named “Watchmon Service” for persistence.143
C0004 CostaRicto During CostaRicto, the threat actors used scheduled tasks to download backdoor tools.252
S0046 CozyCar One persistence mechanism used by CozyCar is to register itself as a scheduled task.112
S0538 Crutch Crutch has the ability to persist using scheduled tasks.65
S0527 CSPY Downloader CSPY Downloader can use the schtasks utility to bypass UAC.15
G1034 Daggerfly Daggerfly has attempted to use scheduled tasks for persistence in victim environments.170
S1014 DanBot DanBot can use a scheduled task for installation.29
S0673 DarkWatchman DarkWatchman has created a scheduled task for persistence.138
S1088 Disco Disco can create a scheduled task to run every minute for persistence.76
G0035 Dragonfly Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.233
S0384 Dridex Dridex can maintain persistence via the creation of scheduled tasks within system directories such as windows\system32\, windows\syswow64, winnt\system32, and winnt\syswow64.60
S0038 Duqu Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.121
S0024 Dyre Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.78
G1006 Earth Lusca Earth Lusca used the command schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR “[file path]” /ru system for persistence.206
S1247 Embargo Embargo has obtained persistence of the loader MDeployer by creating a scheduled task named “Perf_sys.”108
G1003 Ember Bear Ember Bear uses remotely scheduled tasks to facilitate remote command execution on victim machines.207
S0367 Emotet Emotet has maintained persistence through a scheduled task, e.g. though a .dll file in the Registry.9493
S0363 Empire Empire has modules to interact with the Windows task scheduler.20
S0396 EvilBunny EvilBunny has executed commands via scheduled tasks.107
G0051 FIN10 FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.21020
G1016 FIN13 FIN13 has created scheduled tasks in the C:\Windows directory of the compromised network.187
G0037 FIN6 FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.227
G0046 FIN7 FIN7 malware has created scheduled tasks to establish persistence.172174173126 Specifically, FIN7 has used OpenSSH to establish persistence.171
G0061 FIN8 FIN8 has used scheduled tasks to maintain RDP backdoors.196
G0117 Fox Kitten Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.218219
C0001 Frankenstein During Frankenstein, the threat actors established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR, named “WinUpdate” 250
G0093 GALLIUM GALLIUM established persistence for PoisonIvy by created a scheduled task.176
G0047 Gamaredon Group Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.235236237238
S0168 Gazer Gazer can establish persistence by creating a scheduled task.154155
S0588 GoldMax GoldMax has used scheduled tasks to maintain persistence.26
S0477 Goopy Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.157
S0237 GravityRAT GravityRAT creates a scheduled task to ensure it is re-executed everyday.82
S0417 GRIFFON GRIFFON has used sctasks for persistence. 135
S0632 GrimAgent GrimAgent has the ability to set persistence using the Task Scheduler.46
S0170 Helminth Helminth has used a scheduled task for persistence.30
S0697 HermeticWiper HermeticWiper has the ability to use scheduled tasks for execution.33
G1001 HEXANE HEXANE has used a scheduled task to establish persistence for a keylogger.180
G0126 Higaisa Higaisa dropped and added officeupdate.exe to scheduled tasks.202203
S0431 HotCroissant HotCroissant has attempted to install a scheduled task named “Java Maintenance64” on startup to establish persistence.162
S0483 IcedID IcedID has created a scheduled task to establish persistence.717069
S1152 IMAPLoader IMAPLoader creates scheduled tasks for persistence based on the operating system version of the victim machine.160
S0260 InvisiMole InvisiMole has used scheduled tasks named MSST and \Microsoft\Windows\Autochk\Scheduled to establish persistence.142
S0581 IronNetInjector IronNetInjector has used a task XML file named mssch.xml to run an IronPython script when a user logs in or when specific system events are created.16
S0189 ISMInjector ISMInjector creates scheduled tasks to establish persistence.156
S0044 JHUHUGIT JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.4142
S0648 JSS Loader JSS Loader has the ability to launch scheduled tasks to establish persistence.27
C0044 Juicy Mix During Juicy Mix, OilRig used VBS droppers to schedule tasks for persistence.34
S1190 Kapeka Kapeka persists via scheduled tasks.8586
G0094 Kimsuky Kimsuky has downloaded additional malware with scheduled tasks.240 Kimsuky has established persistence by creating a scheduled task named “ChromeUpdateTaskMachine” through the PowerShell cmdlet Register-ScheduleTask which was set to execute another PowerShell script once, then five minutes after its creation and periodically repeat every 30 minutes.239
S0250 Koadic Koadic has used scheduled tasks to add persistence.24
S1160 Latrodectus
Latrodectus can create scheduled tasks for persistence.535452
G0032 Lazarus Group Lazarus Group has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.230229
S0680 LitePower LitePower can create a scheduled task to enable persistence mechanisms.158
S1199 LockBit 2.0 LockBit 2.0 can be executed via scheduled task.43
S0447 Lokibot Lokibot embedded the commands schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script.92
S0532 Lucifer Lucifer has established persistence by creating the following scheduled task schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\%USERPROFILE%\Downloads\spread.exe /F.80
G1014 LuminousMoth LuminousMoth has created scheduled tasks to establish persistence for their tools.228
S0409 Machete The different components of Machete are executed by Windows Task Scheduler.4849
G0095 Machete Machete has created scheduled tasks to maintain Machete’s persistence.208
G0059 Magic Hound Magic Hound has used scheduled tasks to establish persistence and execution.186185
S1182 MagicRAT MagicRAT can persist via scheduled tasks.83
S1169 Mango Mango can create a scheduled task to run every 32 seconds to communicate with C2 and execute received commands.34
S0167 Matryoshka Matryoshka can establish persistence by adding a Scheduled Task named “Microsoft Boost Kernel Optimization”.133134
S0449 Maze Maze has created scheduled tasks using name variants such as “Windows Update Security”, “Windows Update Security Patches”, and “Google Chrome Security Update”, to launch Maze at a specific time.109
S0500 MCMD MCMD can use scheduled tasks for persistence.19
G0045 menuPass menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.225
S0688 Meteor Meteor execution begins from a scheduled task named Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll and it creates a separate scheduled task called mstask to run the wiper only once at 23:55:00.95
S1015 Milan Milan can establish persistence on a targeted host with scheduled tasks.3231
G0021 Molerats Molerats has created scheduled tasks to persistently run VBScripts.190
G1036 Moonstone Sleet Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines.214
G0069 MuddyWater MuddyWater has used scheduled tasks to establish persistence.234
S1135 MultiLayer Wiper MultiLayer Wiper creates a malicious scheduled task that launches a batch file to remove Windows Event Logs.136
G0129 Mustang Panda Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.18173182183 Mustang Panda has also created a scheduled task that creates a reverse shell.184
G0019 Naikon Naikon has used schtasks.exe for lateral movement in compromised networks.114
S0198 NETWIRE NETWIRE can create a scheduled task to establish persistence.124
S1147 Nightdoor Nightdoor uses scheduled tasks for persistence to load the final malware payload into memory.55
S0368 NotPetya NotPetya creates a task to reboot the system one hour after infection.51
G0049 OilRig OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.127163221222
S0439 Okrum Okrum’s installer can attempt to achieve persistence by creating a scheduled task.63
S0264 OopsIE OopsIE creates a scheduled task to run itself every three minutes.127128
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used scheduled tasks to execute batch scripts for lateral movement with the following command: SCHTASKS /Create /S <IP Address> /U <Username> /p <Password> /SC ONCE /TN test /TR <Path to a Batch File> /ST <Time> /RU SYSTEM.254
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group created scheduled tasks to set a periodic execution of a remote XSL script.253
C0014 Operation Wocao During Operation Wocao, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems.255
G0040 Patchwork A Patchwork file stealer can run a TaskScheduler DLL to add persistence.169
S0013 PlugX PlugX has created a scheduled task to execute additional malicious software, as well as maintain persistence.120
S0194 PowerSploit PowerSploit’s New-UserPersistenceOption Persistence argument can be used to establish via a Scheduled Task/Job.1718
S0223 POWERSTATS POWERSTATS has established persistence through a scheduled task using the command ”C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR “c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe”.116
S0184 POWRUNER POWRUNER persists through a scheduled task that executes it every minute.152
S1058 Prestige Prestige has been executed on a target system through a scheduled task created by Sandworm Team using Impacket.58
S0147 Pteranodon Pteranodon schedules tasks to invoke its components in order to establish persistence.139140
S1228 PUBLOAD PUBLOAD has created scheduled tasks to maintain persistence with the command schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\\Users\\Public\\Libraries\...737475
S0650 QakBot QakBot has the ability to create scheduled tasks for persistence.148150144151149145147146
S1242 Qilin Qilin has pushed scheduled tasks via GPO for execution.8988
S0269 QUADAGENT QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine.163
S0262 QuasarRAT QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.2322
S0629 RainyDay RainyDay can use scheduled tasks to achieve persistence.114
S0458 Ramsay Ramsay can schedule tasks via the Windows COM API to maintain persistence.64
G0075 Rancor Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.205
G1039 RedCurl RedCurl has created scheduled tasks for persistence.211212213
S1240 RedLine Stealer RedLine Stealer has achieved persistence via scheduled tasks.123
S0375 Remexi Remexi utilizes scheduled tasks as a persistence mechanism.57
S0166 RemoteCMD RemoteCMD can execute commands remotely by creating a new schedule task on the remote system110
S0125 Remsec Remsec schedules the execution one of its modules by creating a new scheduler task.104
S0379 Revenge RAT Revenge RAT schedules tasks to run malicious scripts at different intervals.153
S0148 RTM RTM tries to add a scheduled task to establish persistence.9798
S0446 Ryuk Ryuk can remotely create a scheduled task to execute itself on a system.106
S1018 Saint Bot Saint Bot has created a scheduled task named “Maintenance” to establish persistence.81
G0034 Sandworm Team Sandworm Team leveraged SHARPIVORY, a .NET dropper that writes embedded payload to disk and uses scheduled tasks to persist on victim machines.177
S0111 schtasks schtasks is used to schedule tasks on a Windows system to run at a specific date and time.21
S0382 ServHelper ServHelper contains modules that will use schtasks to carry out malicious operations.137
S0140 Shamoon Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.102101
C0058 SharePoint ToolShell Exploitation During SharePoint ToolShell Exploitation, threat actors used scheduled tasks to help establish persistence.247
S1089 SharpDisco SharpDisco can create scheduled tasks to execute reverse shells that read and write data to and from specified SMB shares.76
S0546 SharpStage SharpStage has a persistence component to write a scheduled task for the payload.50
S0589 Sibot Sibot has been executed via a scheduled task.26
G0091 Silence Silence has used scheduled tasks to stage its operation.166
S0226 Smoke Loader Smoke Loader launches a scheduled task.159
S1166 Solar Solar can create scheduled tasks named Earth and Venus, which run every 30 and 40 seconds respectively, to support C2 and exfiltration.34
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted.244246245
S0516 SoreFang SoreFang can gain persistence through use of scheduled tasks.90
S1140 Spica Spica has created a scheduled task named CalendarChecker to establish persistence.84
S0390 SQLRat SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.126
G0038 Stealth Falcon Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly.241
G1053 Storm-0501 Storm-0501 had used a scheduled task named “SysUpdate” that was registered via GPO on devices in the network to distribute the Embargo ransomware.191
S1034 StrifeWater StrifeWater has create a scheduled task named Mozilla\Firefox Default Browser Agent 409046Z0FF4A39CB for persistence.68
S0603 Stuxnet Stuxnet schedules a network job to execute two minutes after host infection.141
S1042 SUGARDUMP SUGARDUMP has created scheduled tasks called MicrosoftInternetExplorerCrashRepoeterTaskMachineUA and MicrosoftEdgeCrashRepoeterTaskMachineUA, which were configured to execute CrashReporter.exe during user logon.99
S1064 SVCReady SVCReady can create a scheduled task named RecoveryExTask to gain persistence.47
G1018 TA2541 TA2541 has used scheduled tasks to establish persistence for installed tools.175
S1011 Tarrask Tarrask is able to create “hidden” scheduled tasks for persistence.4
G1022 ToddyCat ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection.188
S0671 Tomiris Tomiris has used SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00 to establish persistence.66
S1239 TONESHELL TONESHELL has created scheduled tasks to maintain persistence.6162
S0266 TrickBot TrickBot creates a scheduled task on the system that provides persistence.353637
C0030 Triton Safety Instrumented System Attack In the Triton Safety Instrumented System Attack, TEMP.Veles installed scheduled tasks defined in XML files.251
S0476 Valak Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.119117118
G1035 Winter Vivern Winter Vivern executed PowerShell scripts that would subsequently attempt to establish persistence by creating scheduled tasks objects to periodically retrieve and execute remotely-hosted payloads.232
G0102 Wizard Spider Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.198197199201200
S1207 XLoader XLoader can create scheduled tasks for persistence.72
S0248 yty yty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR “ + path_file + “/ST 09:30“.44
S0251 Zebrocy Zebrocy has a command to create a scheduled task for persistence.161
S0350 zwShell zwShell has used SchTasks for execution.56
S1013 ZxxZ ZxxZ has used scheduled tasks for persistence and execution.79

Mitigations

ID Mitigation Description
M1047 Audit Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 13
M1028 Operating System Configuration Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 14
M1026 Privileged Account Management Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. 12
M1018 User Account Management Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

References

  1. Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022. 

  2. Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. Retrieved July 5, 2022. 

  3. Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024. 

  4. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. 

  5. Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019. 

  6. Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017. 

  7. Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled Task/Job: Scheduled Task. Retrieved June 19, 2024. 

  8. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  9. Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017. 

  10. Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022. 

  11. Stack Overflow. (n.d.). How to find the location of the Scheduled Tasks folder. Retrieved June 19, 2024. 

  12. Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017. 

  13. PowerSploit. (n.d.). Retrieved December 4, 2014. 

  14. Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017. 

  15. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  16. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. 

  17. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  18. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  19. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  20. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  21. Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016. 

  22. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  23. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  24. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  25. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. 

  26. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  27. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  28. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  29. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  30. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. 

  31. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. 

  32. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  33. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022. 

  34. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  35. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  36. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. 

  37. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018. 

  38. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. 

  39. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  40. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  41. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  42. ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017. 

  43. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025. 

  44. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  45. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  46. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  47. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  48. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  49. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  50. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  51. Chiu, A. (2016, June 27). New Ransomware Variant “Nyetya” Compromises Systems Worldwide. Retrieved March 26, 2019. 

  52. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. 

  53. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024. 

  54. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 

  55. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024. 

  56. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  57. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  58. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  59. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. 

  60. Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. Retrieved August 3, 2023. 

  61. Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025. 

  62. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  63. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  64. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  65. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  66. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 

  67. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. 

  68. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  69. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024. 

  70. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. 

  71. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  72. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025. 

  73. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. 

  74. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025. 

  75. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025. 

  76. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  77. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  78. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. 

  79. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. 

  80. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  81. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  82. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  83. Asheer Malhotra, Vitor Ventura & Jungsoo An, Cisco Talos. (2022, September 7). MagicRAT: Lazarus’ latest gateway into victim networks. Retrieved December 30, 2024. 

  84. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024. 

  85. Microsoft. (2024, February 14). Backdoor:Win64/KnuckleTouch.A!dha. Retrieved January 6, 2025. 

  86. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025. 

  87. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  88. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025. 

  89. Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025. 

  90. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. 

  91. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. 

  92. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  93. Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024. 

  94. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. 

  95. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  96. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024. 

  97. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  98. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  99. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  100. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  101. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. 

  102. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024. 

  103. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. 

  104. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  105. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  106. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021. 

  107. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  108. Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025. 

  109. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. 

  110. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  111. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  112. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  113. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  114. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  115. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  116. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  117. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 

  118. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. 

  119. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. 

  120. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  121. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  122. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  123. Mohansundaram M, Neil Tyagi. (2024, April 17). Redline Stealer: A Novel Approach. Retrieved September 17, 2025. 

  124. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  125. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. 

  126. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  127. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  128. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  129. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. 

  130. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  131. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  132. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  133. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  134. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024. 

  135. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  136. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024. 

  137. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  138. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  139. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  140. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  141. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. 

  142. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  143. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  144. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  145. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  146. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024. 

  147. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  148. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  149. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. 

  150. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  151. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024. 

  152. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  153. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024. 

  154. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  155. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 

  156. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. 

  157. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  158. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  159. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. 

  160. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024. 

  161. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  162. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  163. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  164. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. 

  165. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  166. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024. 

  167. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.. 

  168. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. 

  169. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  170. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024. 

  171. The BlackBerry Research and Intelligence Team. (2024, April 17). Threat Group FIN7 Targets the U.S. Automotive Industry. Retrieved May 1, 2025. 

  172. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  173. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  174. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017. 

  175. Larson, S. and Wise, J. (2022, February 15). Charting TA2541’s Flight. Retrieved September 12, 2023. 

  176. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  177. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024. 

  178. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024. 

  179. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024. 

  180. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  181. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  182. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  183. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. 

  184. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025. 

  185. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  186. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  187. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. 

  188. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  189. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  190. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  191. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025. 

  192. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024. 

  193. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  194. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  195. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  196. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  197. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  198. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  199. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  200. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. 

  201. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  202. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  203. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  204. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  205. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  206. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  207. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023. 

  208. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  209. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024. 

  210. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024. 

  211. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. 

  212. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 

  213. Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024. 

  214. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. 

  215. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  216. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  217. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  218. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  219. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. 

  220. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  221. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  222. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  223. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  224. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024. 

  225. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  226. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  227. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024. 

  228. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  229. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024. 

  230. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  231. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  232. Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024. 

  233. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  234. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 

  235. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  236. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  237. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  238. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. 

  239. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025. 

  240. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. 

  241. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. 

  242. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  243. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  244. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  245. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  246. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  247. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025. 

  248. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024. 

  249. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  250. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  251. FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. 

  252. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  253. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  254. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  255. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  256. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.