Skip to content

T1059.003 Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.1

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.

Item Value
ID T1059.003
Sub-techniques T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009
Tactics TA0002
Platforms Windows
Permissions required User
Version 1.2
Created 09 March 2020
Last Modified 26 July 2021

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL.359
S0065 4H RAT 4H RAT has the capability to create a remote shell.98
S0469 ABK ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.24
S1028 Action RAT Action RAT can use cmd.exe to execute commands on an infected host.112
S0202 adbupd adbupd can run a copy of cmd.exe.45
G0018 admin@338 Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.294
S0045 ADVSTORESHELL ADVSTORESHELL can create a remote shell and run a given command.5152
S0504 Anchor Anchor has used cmd.exe to run its self deletion routine.251
G0006 APT1 APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.103
G0026 APT18 APT18 uses cmd.exe to execute commands on the victim’s machine.297298
G0007 APT28 An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.341 The group has also used macros to execute payloads.83342343344
G0022 APT3 An APT3 downloader uses the Windows command “cmd.exe” /C whoami. The group also uses a tool to execute commands on remote computers.301302
G0050 APT32 APT32 has used cmd.exe for execution.96
G0067 APT37 APT37 has used the command-line interface.273274
G0082 APT38 APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.316
G0096 APT41 APT41 used cmd.exe /c to execute commands on remote machines.260
APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.339
G0143 Aquatic Panda Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.332
S0373 Astaroth Astaroth spawns a CMD process to execute commands. 70
S0347 AuditCred AuditCred can open a reverse shell on the system to execute commands.252
S1029 AuTo Stealer AuTo Stealer can use cmd.exe to execute a created batch file.112
S0638 Babuk Babuk has the ability to use the command line to control execution on compromised hosts.4647
S0414 BabyShark BabyShark has used cmd.exe to execute commands.43
S0475 BackConfig BackConfig can download and run batch files to execute commands on a compromised host.20
S0031 BACKSPACE Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.85
S0128 BADNEWS BADNEWS is capable of executing commands via cmd.exe.122123
S0234 Bandook Bandook is capable of spawning a Windows command shell.7576
S0239 Bankshot Bankshot uses the command-line interface to execute arbitrary commands.216217
S0534 Bazar Bazar can launch cmd.exe to perform reconnaissance commands.206207
S0470 BBK BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.24
S0017 BISCUIT BISCUIT has a command to launch a command shell on the system.30
S0268 Bisonal Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.232233234
S1070 Black Basta Black Basta can use cmd.exe to enable shadow copy deletion.140
S1068 BlackCat BlackCat can execute commands on a compromised network with the use of cmd.exe.42
S0069 BLACKCOFFEE BLACKCOFFEE has the capability to create a reverse shell.171
S0564 BlackMould BlackMould can run cmd.exe with parameters.66
S0520 BLINDINGCAN BLINDINGCAN has executed commands via cmd.exe.127
G0108 Blue Mockingbird Blue Mockingbird has used batch script files to automate execution and deployment of payloads.320
S0360 BONDUPDATER BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.26
S0651 BoxCaon BoxCaon can execute arbitrary commands and utilize the “ComSpec” environment variable.41
G0060 BRONZE BUTLER BRONZE BUTLER has used batch scripts and the command-line interface for execution.175
S1063 Brute Ratel C4 Brute Ratel C4 can use cmd.exe for execution.10
S1039 Bumblebee Bumblebee can use cmd.exe to drop and run files.5453
C0015 C0015 During C0015, the threat actors used cmd.exe to execute commands and run malicious binaries.74
C0017 C0017 During C0017, APT41 used cmd.exe to execute reconnaissance commands.188
S0025 CALENDAR CALENDAR has a command to run cmd.exe to execute commands.30
S0030 Carbanak Carbanak has a command to create a reverse shell.246
S0348 Cardinal RAT Cardinal RAT can execute commands.63
S0462 CARROTBAT CARROTBAT has the ability to execute command line arguments on a compromised host.69
S0572 Caterpillar WebShell Caterpillar WebShell can run commands on the compromised asset with CMD functions.155
S1043 ccf32 ccf32 has used cmd.exe for archiving data and deleting files.3
S0631 Chaes Chaes has used cmd to execute tasks on the system.97
S0674 CharmPower The C# implementation of the CharmPower command execution module can use cmd.177
G0114 Chimera Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.289
S0020 China Chopper China Chopper‘s server component is capable of opening a command terminal.208209210
S0660 Clambling Clambling can use cmd.exe for command execution.164
S0611 Clop Clop can use cmd.exe to help execute commands on the system.94
S0106 cmd cmd is used to execute programs and other actions at the command-line interface.12
G0080 Cobalt Group Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.326 The group has used an exploit toolkit known as Threadkit that launches .bat files.327328329326330331
S0154 Cobalt Strike Cobalt Strike uses a command-line interface to interact with systems.141143144142
S0338 Cobian RAT Cobian RAT can launch a remote command shell interface for executing commands.211
S0369 CoinTicker CoinTicker executes a bash script to establish a reverse shell.128
S0244 Comnie Comnie executes BAT scripts.44
S0126 ComRAT ComRAT has used cmd.exe to execute commands.215
S0575 Conti Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.7374
S0046 CozyCar A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.223
S0115 Crimson Crimson has the ability to execute commands with the COMSPEC environment variable.40
S0625 Cuba Cuba has used cmd.exe /c and batch files for execution.121
S1014 DanBot DanBot has the ability to execute arbitrary commands via cmd.exe.13380
G0070 Dark Caracal Dark Caracal has used macros in Word documents that would download a second stage if executed.321
S0334 DarkComet DarkComet can launch a remote shell to execute commands on the victim’s machine.263
G0012 Darkhotel Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.275
S1066 DarkTortilla DarkTortilla can use cmd.exe to add registry keys for persistence.158
S0673 DarkWatchman DarkWatchman can use cmd.exe to execute commands.266
S0187 Daserf Daserf can execute shell commands.174175
S1052 DEADEYE DEADEYE can run cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll to combine separated sections of code into a single DLL prior to execution.188
S0243 DealersChoice DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.89
S0354 Denis Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.9596
S0200 Dipsind Dipsind can spawn remote shells.45
S1021 DnsSystem DnsSystem can use cmd.exe for execution.270
S0186 DownPaper DownPaper uses the command line.39
G0035 Dragonfly Dragonfly has used various types of scripting to perform operations, including batch scripts.348
S0547 DropBook DropBook can execute arbitrary shell commands on the victims’ machines.150181
S0567 Dtrack Dtrack has used cmd.exe to add a persistent service.65
S0593 ECCENTRICBANDWAGON ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.189
S0554 Egregor Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.135136
G1003 Ember Bear Ember Bear had used cmd.exe and Windows Script Host (wscript) to execute malicious code.224
S0082 Emissary Emissary has the capability to create a remote shell and execute specified commands.71
S0367 Emotet Emotet has used cmd.exe to run a PowerShell script. 182
S0363 Empire Empire has modules for executing scripts.6
S0634 EnvyScout EnvyScout can use cmd.exe to execute malicious files on compromised hosts.245
S0396 EvilBunny EvilBunny has an integrated scripting engine to download and execute Lua scripts.268
S0343 Exaramel for Windows Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.219
S0171 Felismus Felismus uses command line for execution.225
S0267 FELIXROOT FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.118119
G0051 FIN10 FIN10 has executed malicious .bat files containing PowerShell commands.351
G0037 FIN6 FIN6 has used kill.bat script to disable security tools.347
G0046 FIN7 FIN7 used the command prompt to launch commands on the victim’s machine.272154
G0061 FIN8 FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.334 FIN8 has also executed commands remotely via cmd.333335
S0696 Flagpro Flagpro can use cmd.exe to execute commands received from C2.221
S0381 FlawedAmmyy FlawedAmmyy has used cmd to execute commands on a compromised host.198
G0117 Fox Kitten Fox Kitten has used cmd.exe likely as a password changing mechanism.325
C0001 Frankenstein During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named “WinUpdate”, as well as other encoded commands from the command-line 360
S1044 FunnyDream FunnyDream can use cmd.exe for execution on remote hosts.3
C0007 FunnyDream During FunnyDream, the threat actors used cmd.exe to execute the wmiexec.vbs script.3
G0093 GALLIUM GALLIUM used the Windows command shell to execute commands.303
G0047 Gamaredon Group Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group‘s backdoor malware has also been written to a batch file.166291292293
S0666 Gelsemium Gelsemium can use a batch script to delete itself.23
S0249 Gold Dragon Gold Dragon uses cmd.exe to execute commands for discovery.124
S0493 GoldenSpy GoldenSpy can execute remote commands via the command-line interface.58
S0588 GoldMax GoldMax can spawn a command shell, and execute native commands.159160
S0477 Goopy Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.96
G0078 Gorgon Group Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.279
S0237 GravityRAT GravityRAT executes commands remotely on the infected host.156
S0342 GreyEnergy GreyEnergy uses cmd.exe to execute itself in-memory.119
S0632 GrimAgent GrimAgent can use the Windows Command Shell to execute commands, including its own removal.192
S0132 H1N1 H1N1 kills and disables services by using cmd.exe.130
G0125 HAFNIUM HAFNIUM has used cmd.exe to execute commands on the victim’s machine.319
S0246 HARDRAIN HARDRAIN uses cmd.exe to execute netshcommands.163
S0391 HAWKBALL HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.138
S0071 hcdLoader hcdLoader provides command-line access to the compromised system.162
S0170 Helminth Helminth can provide a remote shell. One version of Helminth uses batch scripting.202
S0697 HermeticWiper HermeticWiper can use cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1 to deploy on an infected system.197
S0698 HermeticWizard HermeticWizard can use cmd.exe for execution on compromised hosts.197
S0087 Hi-Zor Hi-Zor has the ability to create a reverse shell.107
S0394 HiddenWasp HiddenWasp uses a script to automate tasks on the victim’s machine and to assist in execution.139
G0126 Higaisa Higaisa used cmd.exe for execution.304305306
S0009 Hikit Hikit has the ability to create a remote shell and run given commands.84
S0232 HOMEFRY HOMEFRY uses a command-line interface.64
S0376 HOPLIGHT HOPLIGHT can launch cmd.exe to execute commands on the system.77
S0431 HotCroissant HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.267
S0070 HTTPBrowser HTTPBrowser is capable of spawning a reverse shell on a victim.31
S0068 httpclient httpclient opens cmd.exe on the victim.98
G0119 Indrik Spider Indrik Spider has used batch scripts on victim’s machines.296
S0259 InnaputRAT InnaputRAT launches a shell to execute commands on the victim’s machine.86
S0260 InvisiMole InvisiMole can launch a remote shell to execute commands.230231
S0015 Ixeshe Ixeshe is capable of executing commands via cmd.205
S0389 JCry JCry has used cmd.exe to launch PowerShell.172
S0044 JHUHUGIT JHUHUGIT uses a .bat file to execute a .dll.83
S0201 JPIN JPIN can use the command-line utility cacls.exe to change file permissions.45
S0283 jRAT jRAT has command line access.22
S0088 Kasidet Kasidet can execute commands using cmd.exe.100
S0265 Kazuar Kazuar uses cmd.exe to execute commands on the victim’s machine.28
G0004 Ke3chang Ke3chang has used batch scripts in its malware to install persistence mechanisms.295
S1020 Kevin Kevin can use a renamed image of cmd.exe for execution.240
S0387 KeyBoy KeyBoy can launch interactive shells for communicating with the victim machine.1918
S0271 KEYMARBLE KEYMARBLE can execute shell commands using cmd.exe.265
S0526 KGH_SPY KGH_SPY has the ability to set a Registry key to run a cmd.exe command.15
G0094 Kimsuky Kimsuky has executed Windows commands by using cmd and running batch scripts.276277
S0250 Koadic Koadic can open an interactive command-shell to perform command line functions on victim machines. Koadic performs most of its operations using Windows Script Host (Jscript) and to run arbitrary shellcode.54
S0669 KOCTOPUS KOCTOPUS has used cmd.exe and batch files for execution.4
S0156 KOMPROGO KOMPROGO is capable of creating a reverse shell.81
S0356 KONNI KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.184183185
G0032 Lazarus Group Lazarus Group malware uses cmd.exe to execute commands on a compromised host.282281284285283 A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.193
G0140 LazyScripter LazyScripter has used batch files to deploy open-source and multi-stage RATs.4
S0395 LightNeuron LightNeuron is capable of executing commands via cmd.exe.50
S0211 Linfo Linfo creates a backdoor through which remote attackers can start a remote shell.38
S0681 Lizar Lizar has a command to open the command-line on the infected system.256257
S0447 Lokibot Lokibot has used cmd /c commands embedded within batch scripts.49
S0582 LookBack LookBack executes the cmd.exe command.190
S0451 LoudMiner LoudMiner used a batch script to run the Linux virtual machine as a service.32
S0532 Lucifer Lucifer can issue shell commands to download and execute additional payloads.218
G0095 Machete Machete has used batch files to initiate additional downloads of malicious files.288
S1060 Mafalda Mafalda can execute shell commands using cmd.exe.126
G0059 Magic Hound Magic Hound has used the command-line interface for code execution.309308307
S0652 MarkiRAT MarkiRAT can utilize cmd.exe to execute commands in a victim’s environment.151
S0449 Maze The Maze encryption process has used batch scripts with various commands.9192
S0500 MCMD MCMD can launch a console process (cmd.exe) with redirected standard input and output.2
S0459 MechaFlounder MechaFlounder has the ability to run commands on a compromised host.61
S0576 MegaCortex MegaCortex has used .cmd scripts on the victim’s system.222
G0045 menuPass menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.323239324134 menuPass has used malicious macros embedded inside Office documents to execute files.322134
G1013 Metador Metador has used the Windows command line to execute commands.290
S0455 Metamorfo Metamorfo has used cmd.exe /c to execute files.87
S0688 Meteor Meteor can run set.bat, update.bat, cache.bat, bcd.bat, msrun.bat, and similar scripts.254
S0339 Micropsia Micropsia creates a command-line shell using cmd.exe.62
S1015 Milan Milan can use cmd.exe for discovery actions on a targeted system.80
S0280 MirageFox MirageFox has the capability to execute commands using cmd.exe.152
S0084 Mis-Type Mis-Type has used cmd.exe to run commands on a compromised host.25
S0083 Misdat Misdat is capable of providing shell functionality to the attacker to execute commands.25
S0080 Mivast Mivast has the capability to open a remote shell and run basic commands.168
S0553 MoleNet MoleNet can execute commands via the command line utility.150
S0149 MoonWind MoonWind can execute commands via an interactive command shell.178 MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.178
S0284 More_eggs More_eggs has used cmd.exe for execution.235236
S0256 Mosquito Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.186
G0069 MuddyWater MuddyWater has used a custom tool for creating reverse shells.337
S0233 MURKYTOP MURKYTOP uses the command-line interface.64
G0129 Mustang Panda Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.345346
S0336 NanoCore NanoCore can open a remote command-line interface and execute commands.237 NanoCore uses JavaScript files.238
S0247 NavRAT NavRAT leverages cmd.exe to perform discovery techniques.203 NavRAT loads malicious shellcode and executes it in memory.203
S0630 Nebulae Nebulae can use CMD to execute a process.56
S0034 NETEAGLE NETEAGLE allows adversaries to execute shell commands on the infected host.85
S0457 Netwalker Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.255
S0198 NETWIRE NETWIRE can issue commands using cmd.exe.169170
C0002 Night Dragon During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.125
S0385 njRAT njRAT can launch a command shell interface for executing commands.27
G0133 Nomadic Octopus Nomadic Octopus used cmd.exe /c within a malicious macro.338
S0346 OceanSalt OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.179 OceanSalt has been executed via malicious macros.179
G0049 OilRig OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.99286241110287 OilRig has used batch scripts.99286241110287
S0439 Okrum Okrum‘s backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.101
S0264 OopsIE OopsIE uses the command prompt to execute commands on the victim’s machine.241242
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.352
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.356357
C0006 Operation Honeybee During Operation Honeybee, various implants used batch scripting and cmd.exe for execution.355
C0014 Operation Wocao During Operation Wocao, threat actors spawned a new cmd.exe process to execute commands.358
S0229 Orz Orz can execute shell commands.106 Orz can execute commands with JavaScript.106
S0594 Out1 Out1 can use native command line for execution.11
S1017 OutSteel OutSteel has used cmd.exe to scan a compromised host for specific file extensions.224
G0040 Patchwork Patchwork ran a reverse shell with Meterpreter.299 Patchwork used JavaScript code and .SCT files on victim machines.123300
S1050 PcShare PcShare can execute cmd commands on a compromised host.3
S0643 Peppy Peppy has the ability to execute shell commands.48
S0158 PHOREAL PHOREAL is capable of creating reverse shell.81
S1031 PingPull PingPull can use cmd.exe to run various commands as a reverse shell.93
S0124 Pisloader Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.261
S0254 PLAINTEE PLAINTEE uses cmd.exe to execute commands on the victim’s machine.220
S0435 PLEAD PLEAD has the ability to execute shell commands on the compromised host.113
S0013 PlugX PlugX allows actors to spawn a reverse shell on a victim.3157
S0428 PoetRAT PoetRAT has called cmd through a Word document macro.149
S0012 PoisonIvy PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.132
S0453 Pony Pony has used batch scripts to delete itself after execution.78
S0139 PowerDuke PowerDuke runs cmd.exe /c and sends the output to its C2.72
S0184 POWRUNER POWRUNER can execute commands from its C2 server.99
S0238 Proxysvc Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c “ > %temp%\PM* .tmp 2>&1”.193
S0147 Pteranodon Pteranodon can use cmd.exe for execution on victim systems.166167
S1032 PyDCrypt PyDCrypt has used cmd.exe for execution.115
S0650 QakBot QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.247249248142
S0269 QUADAGENT QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.110
S0262 QuasarRAT QuasarRAT can launch a remote shell to execute commands on the victim’s machine.98
S0481 Ragnar Locker Ragnar Locker has used cmd.exe and batch scripts to execute commands.191
S0629 RainyDay RainyDay can use the Windows Command Shell for execution.56
G0075 Rancor Rancor has used cmd.exe to execute commmands.220
S0241 RATANKBA RATANKBA uses cmd.exe to execute commands.3536
S0662 RCSession RCSession can use cmd.exe for execution on compromised hosts.164
S0495 RDAT RDAT has executed commands using cmd.exe /c.17
S0153 RedLeaves RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.239120
S0332 Remcos Remcos can launch a remote command line to execute commands on the victim’s machine.13
S0375 Remexi Remexi silently executes received commands with cmd.exe.60
S0379 Revenge RAT Revenge RAT uses cmd.exe to execute commands and run scripts on the victim’s machine.59
S0496 REvil REvil can use the Windows command line to delete volume shadow copies and disable recovery.145146147148
S0258 RGDoor RGDoor uses cmd.exe to execute commands on the victim’s machine.108
S0448 Rising Sun Rising Sun has executed commands using cmd.exe /c “<command> > <%temp%>\AM<random>. tmp” 2>&1.161
S0400 RobbinHood RobbinHood uses cmd.exe on the victim’s computer.117
S0270 RogueRobin RogueRobin uses Windows Script Components.199200
S0148 RTM RTM uses the command line and rundll32.exe to execute.109
S0253 RunningRAT RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.124
S0446 Ryuk Ryuk has used cmd.exe to create a Registry entry to establish persistence.264
S0085 S-Type S-Type has provided the ability to execute shell commands on a compromised host.25
S1018 Saint Bot Saint Bot has used cmd.exe and .bat scripts for execution.224
S0074 Sakula Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.226
S0370 SamSam SamSam uses custom batch scripts to execute some of its components.187
S0461 SDBbot SDBbot has the ability to use the command shell to execute commands on a compromised host.55
S0053 SeaDuke SeaDuke is capable of executing commands.212
S0345 Seasalt Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.30
S0185 SEASHARPEE SEASHARPEE can execute commands on victims.111
S0382 ServHelper ServHelper can execute shell commands against cmd.228229
S0639 Seth-Locker Seth-Locker can execute commands via the command line shell.16
S1019 Shark Shark has the ability to use CMD to execute commands.8079
S0546 SharpStage SharpStage can execute arbitrary commands with the command line.150181
S0444 ShimRat ShimRat can be issued a command shell function from the C2.116
S0610 SideTwist SideTwist can execute shell commands on a compromised host.173
G0091 Silence Silence has used Windows command-line to run commands.310311312
S0692 SILENTTRINITY SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.7
S0623 Siloscape Siloscape can run cmd through an IRC channel.180
S0533 SLOTHFULMEDIA SLOTHFULMEDIA can open a command line to execute commands.194
S1035 Small Sieve Small Sieve can use cmd.exe to execute commands on a victim’s system.243
S0159 SNUGRIDE SNUGRIDE is capable of executing commands and spawning a reverse shell.120
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used cmd.exe to execute commands on remote machines.353354
G0054 Sowbug Sowbug has used command line during its intrusions.318
S0543 Spark Spark can use cmd.exe to run commands.90
S0390 SQLRat SQLRat has used SQL to execute JavaScript and VB scripts on the host system.154
S1030 Squirrelwaffle Squirrelwaffle has used cmd.exe for execution.102
S1037 STARWHALE STARWHALE has the ability to execute commands via cmd.exe.14
S0142 StreamEx StreamEx has the ability to remotely execute commands.271
S1034 StrifeWater StrifeWater can execute shell commands using cmd.exe.29
G0039 Suckfly Several tools used by Suckfly have been command-line driven.314
S1049 SUGARUSH SUGARUSH has used cmd for execution on an infected host.68
S0464 SYSCON SYSCON has the ability to execute commands through cmd on a compromised host.69
G0092 TA505 TA505 has executed commands using cmd.exe.280
G0127 TA551 TA551 has used cmd.exe to execute commands.336
S0011 Taidoor Taidoor can copy cmd.exe into the system temp folder.244
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can enable Windows CLI access and execute files.114
S1011 Tarrask Tarrask may abuse the Windows schtasks command-line tool to create “hidden” scheduled tasks.37
S0164 TDTESS TDTESS provides a reverse shell on the victim.269
G0139 TeamTNT TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.340
S0146 TEXTMATE TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.105104
G0028 Threat Group-1314 Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.315
G0027 Threat Group-3390 Threat Group-3390 has used command-line interfaces for execution.208278
S0668 TinyTurla TinyTurla has been installed using a .bat file.157
S0004 TinyZBot TinyZBot supports execution from the command-line.153
S0266 TrickBot TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.195
S0094 Trojan.Karagany Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.137
G0081 Tropic Trooper Tropic Trooper has used Windows command scripts.82
S0436 TSCookie TSCookie has the ability to execute shell commands on the infected host.253
S0647 Turian Turian can create a remote shell and execute commands using cmd.227
G0010 Turla Turla RPC backdoors have used cmd.exe to execute commands.349350
S0199 TURNEDUP TURNEDUP is capable of creating a reverse shell.165
S0263 TYPEFRAME TYPEFRAME can uninstall malware components using a batch script.88 TYPEFRAME can execute commands using a shell.88
S0333 UBoatRAT UBoatRAT can start a command shell.21
S0221 Umbreon Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet129
S0275 UPPERCUT UPPERCUT uses cmd.exe to execute commands on the victim’s machine.134
S0452 USBferry USBferry can execute various Windows commands.82
S0180 Volgmer Volgmer can execute commands on the victim’s machine.213214
S0670 WarzoneRAT WarzoneRAT can use cmd.exe to execute malicious code.176
S0612 WastedLocker WastedLocker has used cmd to execute commands on the system.262
S0109 WEBC2 WEBC2 can open an interactive command shell.103
S0514 WellMess WellMess can execute command line scripts received from C2.67
S0689 WhisperGate WhisperGate can use cmd.exe to execute commands.131
S0206 Wiarp Wiarp creates a backdoor through which remote attackers can open a command line interface.250
G0102 Wizard Spider Wizard Spider has used cmd.exe to execute commands on a victim’s machine.313
S1065 Woody RAT Woody RAT can execute commands using cmd.exe.204
S0653 xCaon xCaon has a command to start an interactive shell.41
S0117 XTunnel XTunnel has been used to execute remote commands.196
S0251 Zebrocy Zebrocy uses cmd.exe to execute commands on the system.3334
S0330 Zeus Panda Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.201
G0128 ZIRCONIUM ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.317
S0086 ZLib ZLib has the ability to execute shell commands.25
S0350 zwShell zwShell can launch command-line shells.125
S0412 ZxShell ZxShell can launch a reverse command shell.260258259

Mitigations

ID Mitigation Description
M1038 Execution Prevention Use application control where appropriate.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation

References


  1. Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021. 

  2. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  3. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  5. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. 

  6. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  7. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  8. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  9. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. 

  10. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  11. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  12. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016. 

  13. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. 

  14. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 

  15. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  16. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021. 

  17. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  18. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. 

  19. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  20. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  21. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. 

  22. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  23. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  24. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  25. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  26. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. 

  27. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  28. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  29. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  30. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  31. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  32. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  33. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  34. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  35. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 

  36. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. 

  37. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. 

  38. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. 

  39. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. 

  40. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  41. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  42. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  43. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. 

  44. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. 

  45. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  46. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  47. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  48. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  49. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  50. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  51. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  52. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 

  53. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  54. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  55. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  56. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  57. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  58. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  59. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. 

  60. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  61. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. 

  62. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  63. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  64. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  65. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. 

  66. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  67. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. 

  68. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  69. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. 

  70. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  71. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016. 

  72. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  73. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  74. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  75. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018. 

  76. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  77. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  78. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  79. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. 

  80. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  81. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  82. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  83. Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. 

  84. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. 

  85. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. 

  86. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  87. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  88. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  89. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. 

  90. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  91. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020. 

  92. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. 

  93. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  94. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. 

  95. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  96. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  97. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  98. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  99. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  100. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  101. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  102. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  103. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  104. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. 

  105. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. 

  106. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  107. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. 

  108. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. 

  109. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  110. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  111. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  112. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  113. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. 

  114. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  115. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  116. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  117. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019. 

  118. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. 

  119. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  120. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  121. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  122. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  123. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  124. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  125. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  126. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  127. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  128. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. 

  129. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018. 

  130. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016. 

  131. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. 

  132. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 

  133. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  134. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  135. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021. 

  136. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. 

  137. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  138. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. 

  139. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. 

  140. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. 

  141. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. 

  142. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  143. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  144. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  145. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  146. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. 

  147. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  148. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. 

  149. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. 

  150. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  151. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  152. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. 

  153. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  154. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  155. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 

  156. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  157. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. 

  158. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  159. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  160. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  161. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  162. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. 

  163. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018. 

  164. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  165. O’Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. 

  166. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  167. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  168. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016. 

  169. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  170. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  171. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. 

  172. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. 

  173. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  174. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. 

  175. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  176. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  177. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  178. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  179. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. 

  180. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. 

  181. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  182. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. 

  183. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. 

  184. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  185. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  186. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  187. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. 

  188. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  189. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. 

  190. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  191. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. 

  192. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  193. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  194. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  195. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019. 

  196. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  197. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  198. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  199. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. 

  200. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  201. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  202. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  203. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  204. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  205. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  206. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. 

  207. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  208. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. 

  209. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  210. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. 

  211. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. 

  212. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. 

  213. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  214. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  215. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  216. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  217. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  218. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  219. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  220. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  221. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  222. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. 

  223. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  224. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. 

  225. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  226. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  227. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  228. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  229. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  230. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  231. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  232. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  233. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  234. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  235. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  236. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. 

  237. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018. 

  238. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  239. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  240. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  241. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  242. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. 

  243. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  244. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  245. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  246. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  247. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  248. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  249. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018. 

  250. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  251. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  252. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  253. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  254. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  255. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022. 

  256. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  257. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  258. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019. 

  259. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  260. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. 

  261. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  262. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  263. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  264. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  265. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  266. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  267. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  268. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  269. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. 

  270. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. 

  271. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  272. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 

  273. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  274. Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018. 

  275. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  276. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  277. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  278. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  279. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  280. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. 

  281. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  282. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  283. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  284. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018. 

  285. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018. 

  286. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. 

  287. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  288. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  289. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  290. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  291. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  292. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  293. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 

  294. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  295. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  296. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  297. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018. 

  298. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. 

  299. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  300. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. 

  301. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  302. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  303. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  304. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  305. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  306. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  307. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  308. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  309. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. 

  310. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019. 

  311. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  312. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  313. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016. 

  314. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016. 

  315. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  316. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  317. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. 

  318. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. 

  319. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  320. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  321. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  322. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. 

  323. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017. 

  324. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  325. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. 

  326. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  327. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. 

  328. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  329. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018. 

  330. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. 

  331. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  332. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  333. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  334. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  335. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021. 

  336. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. 

  337. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  338. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  339. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  340. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  341. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  342. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  343. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. 

  344. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  345. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. 

  346. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  347. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  348. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  349. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. 

  350. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. 

  351. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  352. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. 

  353. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  354. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  355. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  356. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  357. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  358. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  359. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.