
T1059.005 Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.[1][5]

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.[4][6] VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).[3]

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).[2]

Item Value
ID T1059.005
Sub-techniques T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009, T1059.010, T1059.011, T1059.012, T1059.013
Tactics TA0002
Platforms Linux, Windows, macOS
Version 1.5
Created 09 March 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a VBA script called vba_macro.exe. This macro dropped FONTCACHE.DAT, the primary BlackEnergy implant; rundll32.exe, for executing the malware; NTUSER.log, an empty file; and desktop.ini, the default file used to determine folder displays on Windows machines.[190]
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, Sandworm Team created VBScripts to run on an SSH server.[174]
G0099 APT-C-36 APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.[167]
G0050 APT32 APT32 has used macros, COM scriptlets, and VBS scripts.[160][17]
G0064 APT33 APT33 has used VBScript to initiate the delivery of payloads.[169]
G0067 APT37 APT37 executes shellcode and a VBA script to decode Base64 strings.[170]
G0082 APT38 APT38 has used VBScript to execute commands and other operational tasks.[125][126]
G0087 APT39 APT39 has utilized malicious VBS scripts in malware.[180]
G1044 APT42 APT42 has used a VBScript to query anti-virus products.[28]
S0373 Astaroth Astaroth has used malicious VBS e-mail attachments for execution.[11]
S0414 BabyShark BabyShark can execute additional VisualBasic content.[40]
S0475 BackConfig BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.[13]
S0234 Bandook Bandook has used malicious VBA code against the target system.[77]
S0268 Bisonal Bisonal’s dropper creates VBS scripts on the victim’s machine.[35][36]
G0060 BRONZE BUTLER BRONZE BUTLER has used VBS and VBE scripts for execution.[136][137]
S1039 Bumblebee Bumblebee can create a Visual Basic script to enable persistence.[45][44]
C0011 C0011 For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host.[189]
C0015 C0015 During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code.[186]
S0631 Chaes Chaes has used VBScript to execute malicious code.[29]
S1149 CHIMNEYSWEEP CHIMNEYSWEEP has executed a script named cln.vbs on compromised hosts.[18]
G0080 Cobalt Group Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.[148][149][150][151][152][153]
S0154 Cobalt Strike Cobalt Strike can use VBA to perform execution.[41][43][42]
S0244 Comnie Comnie executes VBS scripts.[54]
G0142 Confucius Confucius has used VBScript to execute malicious code.[138]
G1052 Contagious Interview Contagious Interview has utilized Visual Basic scripts in the execution of their downloader malware targeting Windows devices, including a script called update.vbs.[166]
S1014 DanBot DanBot can use a VBA macro embedded in an Excel file to drop the payload.[62]
S1111 DarkGate DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.[80]
S0695 Donut Donut can generate shellcode outputs that execute via VBScript.[9]
G1006 Earth Lusca Earth Lusca used VBA scripts.[106]
S0367 Emotet Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.[55][56][57][58][59]
S0343 Exaramel for Windows Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.[25]
S0679 Ferocious Ferocious has the ability to use Visual Basic scripts for execution.[49]
G1016 FIN13 FIN13 has used VBS scripts for code execution on compromised machines.[158]
G0085 FIN4 FIN4 has used VBA macros to display a dialog box and collect victim credentials.[102][101]
G0046 FIN7 FIN7 used VBS scripts to help perform tasks on the victim’s machine.[123][124][51]
S0696 Flagpro Flagpro can execute malicious VBA macros embedded in .xlsm files.[39]
C0001 Frankenstein During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.[184]
C0007 FunnyDream During FunnyDream, the threat actors used a Visual Basic script to run remote commands.[183]
G0047 Gamaredon Group Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.[118][116][117][119][121][120] Additionally, Gamaredon Group has executed VBScript files using wscript.exe.[122]
S0477 Goopy Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[17]
G0078 Gorgon Group Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[179]
S0531 Grandoreiro Grandoreiro can use VBScript to execute malicious code.[11][12]
S0170 Helminth One version of Helminth consists of VBScript scripts.[47]
G1001 HEXANE HEXANE has used a VisualBasic script named MicrosoftUpdator.vbs for execution of a PowerShell keylogger.[168]
G0126 Higaisa Higaisa has used VBScript code on the victim’s machine.[100]
S0483 IcedID IcedID has used obfuscated VBA string expressions.[64]
G0100 Inception Inception has used VBScript to execute malicious commands and payloads.[97][165]
S1132 IPsec Helper IPsec Helper can run arbitrary Visual Basic scripts and commands passed to it.[53]
S0528 Javali Javali has used embedded VBScript to download malicious payloads from C2.[11]
S0389 JCry JCry has used VBS scripts.[60]
S0283 jRAT jRAT has been distributed as HTA files with VBScript.[19]
S0648 JSS Loader JSS Loader can download and execute VBScript files.[51]
C0044 Juicy Mix During Juicy Mix, OilRig used VBS droppers to deliver and establish persistence for the Mango backdoor.[193]
S0585 Kerrdown Kerrdown can use a VBS base64 decoder function published by Motobit.[16]
S0387 KeyBoy KeyBoy uses VBS scripts for installing files and performing execution.[65]
G0094 Kimsuky Kimsuky has used Visual Basic to download malicious payloads.[178][177][176][175] Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.[175]
S0250 Koadic Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.[8]
S0669 KOCTOPUS KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.[92]
G0032 Lazarus Group Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.[147][146]
G0140 LazyScripter LazyScripter has used VBScript to execute malicious code.[92]
G0065 Leviathan Leviathan has used VBScript.[156]
S0447 Lokibot Lokibot has used VBS scripts and XLS macros for execution.[10]
S0582 LookBack LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[27]
S1142 LunarMail LunarMail has been installed using a VBA macro.[66]
G0095 Machete Machete has embedded malicious macros within spearphishing attachments to download additional files.[127]
G0059 Magic Hound Magic Hound malware has used VBS scripts for execution.[143]
G1026 Malteiro Malteiro has utilized a dropper containing malicious VBS scripts.[96]
S0530 Melcoz Melcoz can use VBS scripts to execute malicious DLLs.[11]
S0455 Metamorfo Metamorfo has used VBS code on victims’ systems.[93]
S1122 Mispadu Mispadu’s dropper uses VBS files to install payloads and perform execution.[96][95]
G0021 Molerats Molerats used various implants, including those built with VBScript, on target machines.[161][162]
G0069 MuddyWater MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.[133][135][129][134][78][128][132][131][130]
G0129 Mustang Panda Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[108][110][112] Mustang Panda has also used VBA macros in maldocs to execute malicious DLLs.[109] Mustang Panda also utilized a VBS Script “autorun.vbs” that created persistence through saving the VBS Script in the startup directory which would cause it to run each time the machine was turned on.[111]
S0228 NanHaiShu NanHaiShu executes additional VBScript code on the victim’s machine.[26]
S0336 NanoCore NanoCore uses VBS files.[67]
S0198 NETWIRE NETWIRE has been executed through use of VBScripts.[33][34]
G0049 OilRig OilRig has used VBScript macros for execution on compromised hosts.[154]
S0264 OopsIE OopsIE creates and uses a VBScript as part of its persistent execution.[69][70]
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors executed an encoded VBScript file using wscript and wrote the decoded output to a text file.[192]
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group executed a VBA written malicious macro after victims download malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64 encoded DLL implant.[182][181]
C0016 Operation Dust Storm During Operation Dust Storm, the threat actors used Visual Basic scripts.[191]
C0006 Operation Honeybee For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant.[194]
C0013 Operation Sharpshooter During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun.[188]
C0014 Operation Wocao During Operation Wocao, threat actors used VBScript to conduct reconnaissance on targeted systems.[187]
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses Word macros for execution.[46]
C0042 Outer Space During Outer Space, OilRig used VBS droppers to deploy malware.[193]
G0040 Patchwork Patchwork used Visual Basic Scripts (VBS) on victim machines.[98][99]
S0428 PoetRAT PoetRAT has used Word documents with VBScripts to execute malicious activities.[73][74]
S0441 PowerShower PowerShower has the ability to save and execute VBScript.[97]
S0223 POWERSTATS POWERSTATS can use VBScript (VBE) code for execution.[78][79]
S0147 Pteranodon Pteranodon can use a malicious VBS file for execution.[63]
S0650 QakBot QakBot can use VBS to download and execute malicious files.[87][88][83][89][84][85][86]
S0269 QUADAGENT QUADAGENT uses VBScripts.[50]
S0458 Ramsay Ramsay has included embedded Visual Basic scripts in malicious documents.[90][91]
G0075 Rancor Rancor has used VBS scripts as well as embedded macros for execution.[107]
G1039 RedCurl RedCurl has used VBScript to run malicious files.[144][145]
S0375 Remexi Remexi uses AutoIt and VBS scripts throughout its execution process.[82]
S0496 REvil REvil has used obfuscated VBA macros for execution.[37][38]
S0240 ROKRAT ROKRAT has used Visual Basic for execution.[48]
S1018 Saint Bot Saint Bot has used .vbs scripts for execution.[52]
G0034 Sandworm Team Sandworm Team has created VBScripts to run an SSH server.[172][171][173][174]
S1178 ShrinkLocker ShrinkLocker is a VisualBasic script (VBS) object that calls multiple other operating system functions during execution.[30][31]
S0589 Sibot Sibot executes commands using VBScript.[68]
G1008 SideCopy SideCopy has sent Microsoft Office Publisher documents to victims that have embedded malicious macros that execute an hta file via calling mshta.exe.[155]
G0121 Sidewinder Sidewinder has used VBScript to drop and execute malware loaders.[159]
G0091 Silence Silence has used VBS scripts.[115]
S0226 Smoke Loader Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.[32]
S1086 Snip3 Snip3 can use visual basic scripts for first-stage execution.[22][21]
C0024 SolarWinds Compromise For the SolarWinds Compromise, APT29 wrote malware such as Sibot in Visual Basic.[185]
S1030 Squirrelwaffle Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an AutoOpen subroutine.[14][15]
S1037 STARWHALE STARWHALE can use the VBScript function GetRef as part of its persistence mechanism.[61]
S0380 StoneDrill StoneDrill has several VBS scripts used throughout the malware’s lifecycle.[94]
S0559 SUNBURST SUNBURST used VBScripts to initiate the execution of payloads.[75]
S1064 SVCReady SVCReady has used VBA macros to execute shellcode.[20]
G1018 TA2541 TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.[163][164]
G0062 TA459 TA459 has a VBScript for execution.[157]
G0092 TA505 TA505 has used VBS for code execution.[139][140][141][142]
S1193 TAMECAT TAMECAT has used VBScript to query anti-virus products.[28]
G0134 Transparent Tribe Transparent Tribe has crafted VBS-based malicious documents.[113][114]
G0010 Turla Turla has used VBS scripts throughout its operations.[105]
S0263 TYPEFRAME TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.[81]
S0386 Ursnif Ursnif droppers have used VBA macros to download and execute the malware’s full executable payload.[76]
S0442 VBShower VBShower has the ability to execute VBScript files.[24]
S0689 WhisperGate WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.[72][71]
G0112 Windshift Windshift has used Visual Basic 6 (VB6) payloads.[104]
G0090 WIRTE WIRTE has used VBScript in its operations.[103]
S0341 Xbash Xbash can execute malicious VBScript payloads on the victim’s machine.[23]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can be used to automatically quarantine suspicious files.
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic scripts from executing potentially malicious downloaded content.[7]
M1042 Disable or Remove Feature or Program Turn off or restrict access to unneeded VB components.
M1038 Execution Prevention Use application control where appropriate. VBA macros obtained from the Internet, based on the file’s Mark of the Web (MOTW) attribute, may be blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Windows Version 2203.[2]
M1021 Restrict Web-Based Content Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
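The two host-side mitigations above (the ASR rules of M1040 and the Mark-of-the-Web macro blocking of M1038) can be audited and enforced from a script. The PowerShell below is an added example and is not part of the ATT&CK page: it reads the current ASR configuration with Get-MpPreference, reports the state of the Defender rules that most directly cover VBScript and VBA abuse, checks the Office "Block macros from running in Office files from the Internet" policy value, and with -Enforce sets both to block. The ASR rule GUIDs are Microsoft's published rule identifiers and are not taken from this page; the policy registry path under HKCU:\Software\Policies\Microsoft\Office\16.0 and the value name blockcontentexecutionfrominternet are assumptions based on the Office Group Policy template and should be verified against the ADMX version in use.

```powershell
# Added example (not from the ATT&CK page). Run in an elevated PowerShell
# session on a host with Microsoft Defender Antivirus. Without -Enforce the
# script only reports; with -Enforce it sets the rules to Block and writes the
# Office macro policy.
param(
    [switch]$Enforce
)

# Microsoft's published ASR rule IDs (not taken from this page); the first one
# is the rule M1040 refers to, the others cover adjacent VBA/macro abuse.
$AsrRules = @{
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Get-MpPreference exposes rule IDs and their actions as two parallel arrays.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $configured[$ids[$i].ToLower()] = [int]$acts[$i]
}

"--- Attack Surface Reduction rules (M1040) ---"
foreach ($id in $AsrRules.Keys) {
    $state = if ($configured.ContainsKey($id)) { $ActionNames[$configured[$id]] } else { 'Not configured' }
    "{0,-16} {1}" -f $state, $AsrRules[$id]
    if ($Enforce -and $state -ne 'Block') {
        # Enabled = block mode; AuditMode is the usual first step in production.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

"--- Office MOTW macro blocking (M1038) ---"
# Assumed policy location for "Block macros from running in Office files from
# the Internet"; verify against your ADMX templates before relying on it.
$apps = 'word', 'excel', 'powerpoint', 'access', 'visio'
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
    $val = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $state = switch ($val) {
        1       { 'Blocked by policy' }
        0       { 'Allowed by policy' }
        default { 'Not set (product default applies)' }
    }
    "{0,-36} {1}" -f $state, $app
    if ($Enforce -and $val -ne 1) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}
```

Run it once without -Enforce to see the baseline, roll the ASR rules out in AuditMode first if the environment has not used them before, and only then switch to Block; the "Not set" state for the Office policy means the product default (blocking for Internet-sourced files on supported versions) applies rather than an explicit setting.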

References


  1. .NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020. 

  2. Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022. 

  3. Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020. 

  4. Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020. 

  5. Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020. 

  6. Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020. 

  7. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. 

  8. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. 

  9. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  10. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  11. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  12. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  13. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  14. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  15. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  16. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  17. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  18. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  19. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  20. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  21. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. 

  22. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. 

  23. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. 

  24. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 

  25. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  26. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018. 

  27. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  28. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran’s APT42 Operations. Retrieved October 9, 2024. 

  29. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  30. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024. 

  31. Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024. 

  32. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. 

  33. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  34. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  35. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  36. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  37. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020. 

  38. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. 

  39. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  40. Mandiant. (n.d.). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved October 14, 2024. 

  41. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024. 

  42. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024. 

  43. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019. 

  44. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. 

  45. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  46. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. 

  47. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  48. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  49. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  50. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  51. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  52. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  53. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. 

  54. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. 

  55. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. 

  56. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. 

  57. Trend Micro. (2019, January 16). Exploring Emotet’s Activities. Retrieved March 25, 2019. 

  58. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. 

  59. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019. 

  60. Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. 

  61. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 

  62. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019. 

  63. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  64. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  65. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. 

  66. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  67. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024. 

  68. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  69. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  70. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  71. Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  72. Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. 

  73. Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  74. Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021. 

  75. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. 

  76. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. 

  77. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  78. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  79. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  80. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  81. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  82. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  83. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  84. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  85. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024. 

  86. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  87. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  88. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  89. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024. 

  90. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. 

  91. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  92. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  93. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  94. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  95. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. 

  96. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. 

  97. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  98. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  99. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  100. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  101. Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. 

  102. Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. 

  103. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. 

  104. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

  105. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. 

  106. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  107. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  108. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  109. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. 

  110. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  111. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  112. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. 

  113. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  114. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  115. Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024. 

  116. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  117. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  118. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  119. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  120. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024. 

  121. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022. 

  122. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025. 

  123. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  124. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  125. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  126. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024. 

  127. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  128. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. 

  129. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  130. Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.

  131. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  132. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 

  133. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

  134. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. 

  135. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018. 

  136. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  137. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  138. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group’s Cyberespionage Operations. Retrieved December 26, 2021. 

  139. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  140. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019. 

  141. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  142. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  143. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  144. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. 

  145. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 

  146. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  147. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  148. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  149. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. 

  150. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  151. Gorelik, M. (2018, October 8). Cobalt Group 2.0. Retrieved November 5, 2018.

  152. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018. 

  153. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. 

  154. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  155. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  156. Axel F. and Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

  157. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. 

  158. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. 

  159. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  160. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  161. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  162. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  163. Larson, S. and Wise, J. (2022, February 15). Charting TA2541’s Flight. Retrieved September 12, 2023. 

  164. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023. 

  165. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  166. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025. 

  167. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  168. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  169. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. 

  170. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  171. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

  172. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.

  173. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.

  174. Slowik, J. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.

  175. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  176. CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.

  177. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020. 

  178. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020. 

  179. Falcone, R., et al. (2018, August 2). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.

  180. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  181. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  182. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  183. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  184. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  185. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. 

  186. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  187. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  188. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

  189. Baisini, N. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.

  190. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024. 

  191. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  192. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  193. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  194. Sherstobitoff, R. (2018, March 2). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.