Skip to content

T1056.001 Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.1 Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
  • Reading raw keystroke data from the hardware buffer.
  • Windows Registry modifications.
  • Custom drivers.
  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.2
Item Value
ID T1056.001
Sub-techniques T1056.001, T1056.002, T1056.003, T1056.004
Tactics TA0009, TA0006
CAPEC ID CAPEC-568
Platforms Linux, Network, Windows, macOS
Permissions required Administrator, SYSTEM, User, root
Version 1.1
Created 11 February 2020
Last Modified 21 October 2020

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL can perform keylogging.3940
S0331 Agent Tesla Agent Tesla can log keystrokes on the victim’s machine.8081828384
G0130 Ajax Security Team Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.168
S0622 AppleSeed AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim’s machine.1617
G0007 APT28 APT28 has used tools to perform keylogging.15350154
G0022 APT3 APT3 has used a keylogging tool that records keystrokes in encrypted files.169
G0050 APT32 APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.172
G0082 APT38 APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.146
G0087 APT39 APT39 has used tools for capturing keystrokes.170171
G0096 APT41 APT41 used a keylogger called GEARSHIFT on a target system.29
S0373 Astaroth Astaroth logs keystrokes from the victim’s machine. 71
S0438 Attor One of Attor‘s plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.36
S0414 BabyShark BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.72
S0128 BADNEWS When it first starts, BADNEWS spawns a new thread to log keystrokes.414243
S0337 BadPatch BadPatch has a keylogging capability.129
S0234 Bandook Bandook contains keylogging capabilities.67
S0017 BISCUIT BISCUIT can capture keystrokes.66
S0089 BlackEnergy BlackEnergy has run a keylogger plug-in on a victim.128
S0454 Cadelspy Cadelspy has the ability to log keystrokes on the compromised host.59
S0030 Carbanak Carbanak logs key strokes for configured processes and sends them back to the C2 server.6364
S0348 Cardinal RAT Cardinal RAT can log keystrokes.100
S0261 Catchamas Catchamas collects keystrokes from the victim’s machine.27
S0023 CHOPSTICK CHOPSTICK is capable of performing keylogging.493950
S0660 Clambling Clambling can capture keystrokes on a compromised host.4797
S0154 Cobalt Strike Cobalt Strike can track key presses with a keylogger module.525354
S0338 Cobian RAT Cobian RAT has a feature to perform keylogging on the victim’s machine.38
S0050 CosmicDuke CosmicDuke uses a keylogger.133
S0115 Crimson Crimson can use a module to perform keylogging on compromised hosts.1415
S0625 Cuba Cuba logs keystrokes via polling by using GetKeyState and VkKeyScan functions.95
S0334 DarkComet DarkComet has a keylogging capability.37
G0012 Darkhotel Darkhotel has used a keylogger.162
S0673 DarkWatchman DarkWatchman can track key presses with a keylogger module.51
S0187 Daserf Daserf can log keystrokes.122123
S0021 Derusbi Derusbi is capable of logging keystrokes.143
S0213 DOGCALL DOGCALL is capable of logging keystrokes.1920
S0567 Dtrack Dtrack’s dropper contains a keylogging executable.136
S0038 Duqu Duqu can track key presses with a keylogger module.25
S0062 DustySky DustySky contains a keylogger.45
S0593 ECCENTRICBANDWAGON ECCENTRICBANDWAGON can capture and store keystrokes.46
S0363 Empire Empire includes keylogging capabilities for Windows, Linux, and macOS systems.11
S0152 EvilGrab EvilGrab has the capability to capture keystrokes.31
S0569 Explosive Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.105106
S0076 FakeM FakeM contains a keylogger module.114
G0085 FIN4 FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.144145
S0410 Fysbis Fysbis can perform keylogging.74
S0032 gh0st RAT gh0st RAT has a keylogger.7879
S0531 Grandoreiro Grandoreiro can log keystrokes on the victim’s machine.62
S0342 GreyEnergy GreyEnergy has a module to harvest pressed keystrokes.137
G0043 Group5 Malware used by Group5 is capable of capturing keystrokes.126
S0170 Helminth The executable version of Helminth has a module to log keystrokes.28
S0070 HTTPBrowser HTTPBrowser is capable of capturing keystrokes on victims.55
S0434 Imminent Monitor Imminent Monitor has a keylogging module.10
S0260 InvisiMole InvisiMole can capture keystrokes on a compromised host.58
S0201 JPIN JPIN contains a custom keylogger.23
S0283 jRAT jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.117118
S0088 Kasidet Kasidet has the ability to initiate keylogging.104
G0004 Ke3chang Ke3chang has used keyloggers.155156
S0387 KeyBoy KeyBoy installs a keylogger for intercepting credentials and keystrokes.94
S0526 KGH_SPY KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.24
G0094 Kimsuky Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.14715115014914817
S0437 Kivars Kivars has the ability to initiate keylogging on the infected host.18
S0356 KONNI KONNI has the capability to perform keylogging.68
G0032 Lazarus Group Lazarus Group malware KiloAlfa contains keylogging functionality.157158
S0447 Lokibot Lokibot has the ability to capture input on the compromised host via keylogging.75
S0409 Machete Machete logs keystrokes from the victim’s machine.32333435
S0282 MacSpy MacSpy captures keystrokes.115
G0059 Magic Hound Magic Hound malware is capable of keylogging.152
S0652 MarkiRAT MarkiRAT can capture all keystrokes on a compromised host.85
S0167 Matryoshka Matryoshka is capable of keylogging.120121
G0045 menuPass menuPass has used key loggers to steal usernames and passwords.160
S0455 Metamorfo Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.141142
S0339 Micropsia Micropsia has keylogging capabilities.22
S0149 MoonWind MoonWind has a keylogger.116
S0336 NanoCore NanoCore can perform keylogging on the victim’s machine.26
S0247 NavRAT NavRAT logs the keystrokes on the targeted system.127
S0033 NetTraveler NetTraveler contains a keylogger.21
S0198 NETWIRE NETWIRE can perform keylogging.108109110111112
S0385 njRAT njRAT is capable of logging keystrokes.124125126
G0049 OilRig OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.163164
S0439 Okrum Okrum was seen using a keylogger tool to capture keystrokes. 107
G0116 Operation Wocao Operation Wocao has obtained the password for the victim’s password manager via a custom keylogger.167
S0072 OwaAuth OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.55
S0643 Peppy Peppy can log keystrokes on compromised hosts.14
G0068 PLATINUM PLATINUM has used several different keyloggers.23
S0013 PlugX PlugX has a module for capturing keystrokes per process including window titles.140
S0428 PoetRAT PoetRAT has used a Python tool named klog.exe for keylogging.44
S0012 PoisonIvy PoisonIvy contains a keylogger.8788
S0378 PoshC2 PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.5
S0194 PowerSploit PowerSploit‘s Get-Keystrokes Exfiltration module can log keystrokes.1213
S0113 Prikormka Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.99
S0279 Proton Proton uses a keylogger to capture keystrokes.115
S0192 Pupy Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.4
S0650 QakBot QakBot can capture keystrokes on a compromised host.909192
S0262 QuasarRAT QuasarRAT has a built-in keylogger.67
S0662 RCSession RCSession has the ability to capture keystrokes on a compromised host.4748
S0019 Regin Regin contains a keylogger.96
S0332 Remcos Remcos has a command for keylogging.89
S0375 Remexi Remexi gathers and exfiltrates keystrokes from the machine.77
S0125 Remsec Remsec contains a keylogger component.5657
S0379 Revenge RAT Revenge RAT has a plugin for keylogging.138139
S0240 ROKRAT ROKRAT can use SetWindowsHookEx and GetKeyNameText to capture keystrokes.132131
S0090 Rover Rover has keylogging functionality.119
S0148 RTM RTM can record keystrokes from both the keyboard and virtual keyboard.134135
S0253 RunningRAT RunningRAT captures keystrokes and sends them back to the C2 server.103
G0034 Sandworm Team Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.173
S0692 SILENTTRINITY SILENTTRINITY has a keylogging capability.3
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has a keylogging capability.130
S0649 SMOKEDHAM SMOKEDHAM can continuously capture keystrokes.6970
G0054 Sowbug Sowbug has used keylogging tools.161
S0058 SslMM SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.93
S0018 Sykipot Sykipot contains keylogging functionality to steal passwords.65
S0467 TajMahal TajMahal has the ability to capture keystrokes on an infected host.113
S0595 ThiefQuest ThiefQuest uses the CGEventTap functions to perform keylogging.73
G0027 Threat Group-3390 Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.55165166
S0004 TinyZBot TinyZBot contains keylogger functionality.76
G0131 Tonto Team Tonto Team has used keylogging tools in their operations.159
S0094 Trojan.Karagany Trojan.Karagany can capture keystrokes on a compromised host.89
S0130 Unknown Logger Unknown Logger is capable of recording keystrokes.41
S0257 VERMIN VERMIN collects keystrokes from the victim machine.102
S0670 WarzoneRAT WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the GetAsyncKeyState Windows API.6061
S0161 XAgentOSX XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.98
S0248 yty yty uses a keylogger plugin to gather keystrokes.86
S0330 Zeus Panda Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.101
S0412 ZxShell ZxShell has a feature to capture a remote computer’s keystrokes using a keylogger.2930

Detection

ID Data Source Data Component
DS0027 Driver Driver Load
DS0009 Process OS API Execution
DS0024 Windows Registry Windows Registry Key Modification

References

  1. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. 

  2. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. 

  3. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  5. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 

  6. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  7. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  8. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. 

  9. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018. 

  10. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020. 

  11. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  12. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  13. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  14. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  15. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  16. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  17. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  18. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  19. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 

  20. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  21. Kaspersky Lab’s Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014. 

  22. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  23. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  24. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  25. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  26. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. 

  27. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. 

  28. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  29. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  30. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  31. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  32. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  33. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  34. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  35. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  36. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  37. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  38. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. 

  39. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  40. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  41. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  42. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  43. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  44. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  45. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 

  46. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. 

  47. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  48. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  49. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  50. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. 

  51. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  52. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  53. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. 

  54. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  55. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  56. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  57. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  58. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  59. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. 

  60. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  61. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022. 

  62. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  63. Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. 

  64. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  65. Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016. 

  66. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  67. Galperin, E., Et al.. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018. 

  68. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  69. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. 

  70. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  71. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. 

  72. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019. 

  73. Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021. 

  74. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. 

  75. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020. 

  76. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  77. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  78. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014. 

  79. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  80. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. 

  81. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. 

  82. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. 

  83. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. 

  84. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. 

  85. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  86. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  87. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. 

  88. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  89. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  90. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  91. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 

  92. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  93. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  94. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. 

  95. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  96. Kaspersky Lab’s Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. 

  97. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  98. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  99. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  100. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  101. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  102. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  103. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  104. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  105. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  106. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  107. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  108. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. 

  109. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. 

  110. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  111. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  112. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  113. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  114. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  115. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  116. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  117. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. 

  118. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  119. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  120. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  121. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. 

  122. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. 

  123. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  124. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  125. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  126. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. 

  127. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. 

  128. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  129. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  130. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  131. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. 

  132. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. 

  133. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  134. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  135. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  136. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  137. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  138. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. 

  139. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  140. Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  141. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  142. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  143. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. 

  144. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. 

  145. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  146. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. 

  147. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  148. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. 

  149. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  150. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  151. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  152. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  153. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  154. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  155. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  156. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  157. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016. 

  158. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. 

  159. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 

  160. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  161. Kaspersky Lab’s Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. 

  162. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  163. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  164. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018. 

  165. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  166. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  167. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018. 

  168. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  169. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  170. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  171. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  172. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

Back to top