Skip to content

T1070.004 File Deletion

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.1 Examples of built-in Command and Scripting Interpreter functions include del on Windows and rm or unlink on Linux and macOS.

Item Value
ID T1070.004
Sub-techniques T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006, T1070.007, T1070.008, T1070.009
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.1
Created 31 January 2020
Last Modified 16 April 2022

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL can delete files and directories.118
S0504 Anchor Anchor can self delete its dropper after the malware is successfully deployed.146
S0584 AppleJeus AppleJeus has deleted the MSI file after installation.199
S0622 AppleSeed AppleSeed can delete files from a compromised host after they are exfiltrated.155
G0026 APT18 APT18 actors deleted tools and batch files from victim systems.247
G0007 APT28 APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.224
G0016 APT29 APT29 has used SDelete to remove artifacts from victim networks.222
G0022 APT3 APT3 has a tool that can delete files.230
G0050 APT32 APT32‘s macOS backdoor can receive a “delete” command.248
G0082 APT38 APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.254255
G0087 APT39 APT39 has used malware to delete files after they are deployed on a compromised host.216
G0096 APT41 APT41 deleted files from the system.136
G0143 Aquatic Panda Aquatic Panda has deleted malicious executables from compromised machines.221
S0456 Aria-body Aria-body has the ability to delete files and directories on compromised hosts.126
S0438 Attor Attor’s plugin deletes the collected files and log files after exfiltration.65
S0347 AuditCred AuditCred can delete files from the system.134
S0344 Azorult Azorult can delete files from victim machines.179
S0414 BabyShark BabyShark has cleaned up all files associated with the secondary payload execution.214
S0475 BackConfig BackConfig has the ability to remove files and folders related to previous infections.207
S0093 Backdoor.Oldrea Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.211
S0234 Bandook Bandook has a command to delete a file.196
S0239 Bankshot Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.26
S0534 Bazar Bazar can delete its loader using a batch file in the Windows temporary folder.15
S0127 BBSRAT BBSRAT can delete files and directories.139
S0268 Bisonal Bisonal will delete its dropper and VBS scripts from the victim’s machine.131132133
S0069 BLACKCOFFEE BLACKCOFFEE has the capability to delete files.84
S0520 BLINDINGCAN BLINDINGCAN has deleted itself and associated artifacts from victim machines.66
S0657 BLUELIGHT BLUELIGHT can uninstall itself.156
G0060 BRONZE BUTLER The BRONZE BUTLER uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated.246
S1039 Bumblebee Bumblebee can uninstall its loader through the use of a Sdl command.137
S0274 Calisto Calisto has the capability to use rm -rf to remove folders and files from the victim’s machine.161
S0030 Carbanak Carbanak has a command to delete files.122
S0348 Cardinal RAT Cardinal RAT can uninstall itself, including deleting its executable.94
S0462 CARROTBAT CARROTBAT has the ability to delete downloaded files from a compromised host.18
S1043 ccf32 ccf32 can delete files and folders from compromised machines.2
S0674 CharmPower CharmPower can delete created files from a compromised system.194
S0107 Cherry Picker Recent versions of Cherry Picker delete files and registry keys created by the malware.60
G0114 Chimera Chimera has performed file deletion to evade detection.253
S0106 cmd cmd can be used to delete files from the file system.4
G0080 Cobalt Group Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.197
S0115 Crimson Crimson has the ability to delete files from a compromised host.686769
S0498 Cryptoistic Cryptoistic has the ability delete files from a compromised host.17
S0527 CSPY Downloader CSPY Downloader has the ability to self delete.5
S0625 Cuba Cuba can use the command cmd.exe /c del to delete its artifacts from the system.204
S1014 DanBot DanBot can delete its configuration file after installation.10
S0673 DarkWatchman DarkWatchman has been observed deleting its original launcher after installation.27
S0354 Denis Denis has a command to delete files from the victim’s machine.8081
S0021 Derusbi Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.4034
G0035 Dragonfly Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.249
S0502 Drovorub Drovorub can delete specific files from a compromised host.91
S0567 Dtrack Dtrack can remove its persistence and delete itself.52
S0062 DustySky DustySky can delete files it creates from the infected system.115
S0593 ECCENTRICBANDWAGON ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207.157
S0081 Elise Elise is capable of launching a remote shell on the host to delete itself.35
S0091 Epic Epic has a command to delete a file from the machine.11
S0396 EvilBunny EvilBunny has deleted the initial dropper after running through the environment checks.59
G0120 Evilnum Evilnum has deleted files used during infection.252
S0401 Exaramel for Linux Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.130
S0181 FALLCHILL FALLCHILL can delete malware and associated artifacts from the victim.174
S0512 FatDuke FatDuke can secure delete its DLL.107
S0267 FELIXROOT FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.8
S0679 Ferocious Ferocious can delete files from a compromised host.160
G0051 FIN10 FIN10 has used batch scripts and scheduled tasks to delete critical system files.223
G0053 FIN5 FIN5 uses SDelete to clean up the environment and attempt to prevent detection.240
G0037 FIN6 FIN6 has removed files from victim machines.256
G0061 FIN8 FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.63
S0381 FlawedAmmyy FlawedAmmyy can execute batch scripts to delete files.144
S0277 FruitFly FruitFly will delete files on the system.145
S1044 FunnyDream FunnyDream can delete files including its dropper component.2
S0410 Fysbis Fysbis has the ability to delete files.147
G0047 Gamaredon Group Gamaredon Group tools can delete files used during an operation.233234232
S0168 Gazer Gazer has commands to delete files and persistence mechanisms from the victim.112113
S0666 Gelsemium Gelsemium can delete its dropper component from the targeted system.56
S0032 gh0st RAT gh0st RAT has the capability to to delete files.142143
S0249 Gold Dragon Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.74
S0493 GoldenSpy GoldenSpy‘s uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.184
S0531 Grandoreiro Grandoreiro can delete .LNK files created in the Startup folder.13
S0690 Green Lambert Green Lambert can delete the original executable after initial installation in addition to unused functions.108109
S0342 GreyEnergy GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.79
S0632 GrimAgent GrimAgent can delete old binaries on a compromised host.30
G0043 Group5 Malware used by Group5 is capable of remotely deleting files from victims.245
S0561 GuLoader GuLoader can delete its executable from the AppData\Local\Temp directory on the compromised host.25
S0151 HALFBAKED HALFBAKED can delete a specified file.70
S0499 Hancitor Hancitor has deleted files using the VBA kill function.22
S0391 HAWKBALL HAWKBALL has the ability to delete files.61
S0697 HermeticWiper HermeticWiper has the ability to overwrite its own file with random bites.153152
S1027 Heyoka Backdoor Heyoka Backdoor has the ability to delete folders and files from a targeted system.213
S0087 Hi-Zor Hi-Zor deletes its RAT installer file as it executes its DLL payload file.192
S0601 Hildegard Hildegard has deleted scripts after execution.48
S0431 HotCroissant HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.205
S0070 HTTPBrowser HTTPBrowser deletes its original installer file once installation is complete.73
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can delete files.190191
S0398 HyperBro HyperBro has the ability to delete a specified file.151
S1022 IceApple IceApple can delete files and directories from targeted systems.181
S0434 Imminent Monitor Imminent Monitor has deleted files related to its dynamic debugger feature.6
S0259 InnaputRAT InnaputRAT has a command to delete files.124
S0260 InvisiMole InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.149150
S0015 Ixeshe Ixeshe has a command to delete a file from the machine.23
S0044 JHUHUGIT The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.4647
S0201 JPIN JPIN‘s installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.21
S0283 jRAT jRAT has a function to delete files from the victim’s machine.103
S0265 Kazuar Kazuar can delete files.138
S1020 Kevin Kevin can delete files created on the victim’s machine.36
S0271 KEYMARBLE KEYMARBLE has the capability to delete files off the victim’s machine.7
S0607 KillDisk KillDisk has the ability to quit and delete itself.31
G0094 Kimsuky Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.237235236
S0437 Kivars Kivars has the ability to uninstall malware from the infected host.93
S0162 Komplex The Komplex trojan supports file deletion.173
S0356 KONNI KONNI can delete files.29
G0032 Lazarus Group Lazarus Group malware has deleted files in various ways, including “suicide scripts” to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim.220106
S0395 LightNeuron LightNeuron has a function to delete files.117
S0211 Linfo Linfo creates a backdoor through which remote attackers can delete files.33
S0513 LiteDuke LiteDuke can securely delete files by first writing random data to the file.107
S0372 LockerGoga LockerGoga has been observed deleting its original launcher after execution.28
S0447 Lokibot Lokibot will delete its dropped files after bypassing UAC.177
S0582 LookBack LookBack removes itself after execution and can delete files on the system.171
S0451 LoudMiner LoudMiner deleted installation files after completion.24
S0409 Machete Once a file is uploaded, Machete will delete it from the machine.78
S1016 MacMa MacMa can delete itself from the compromised computer.120
S0282 MacSpy MacSpy deletes any temporary files it creates187
G0059 Magic Hound Magic Hound has deleted and overwrote files to cover tracks.226227225
G0045 menuPass A menuPass macro deletes files after it has decoded and decompressed them.250251
S0443 MESSAGETAP Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk. 168
G1013 Metador Metador has quickly deleted cbd.exe from a compromised host following the successful deployment of their malware.158
S1059 metaMain metaMain has deleted collected items after uploading the content to its C2 server.158159
S0455 Metamorfo Metamorfo has deleted itself from the system after execution.163164
S0688 Meteor Meteor will delete the folder containing malicious scripts if it detects the hostname as PIS-APP, PIS-MOB, WSUSPROXY, or PIS-DB.85
S1015 Milan Milan can delete files via C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q.10
S0083 Misdat Misdat is capable of deleting the backdoor file.14
S0149 MoonWind MoonWind can delete itself or specified files.165
S0284 More_eggs More_eggs can remove itself from a system.197198
S1047 Mori Mori can delete its DLL file and related files by Registry value.62
S0256 Mosquito Mosquito deletes files using DeleteFileW API call.206
S0233 MURKYTOP MURKYTOP has the capability to delete local files.34
G0129 Mustang Panda Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.242
S0228 NanHaiShu NanHaiShu launches a script to delete their original decoy file to cover tracks.19
S0630 Nebulae Nebulae has the ability to delete files and directories.72
S0385 njRAT njRAT is capable of deleting files.169170
S0353 NOKKI NOKKI can delete files to cover tracks.176
S0346 OceanSalt OceanSalt can delete files from the system.188
G0049 OilRig OilRig has deleted files associated with their payload after execution.259260
S0439 Okrum Okrum‘s backdoor deletes files after they have been successfully uploaded to C2 servers.57
S0264 OopsIE OopsIE has the capability to delete files and scripts from the victim’s machine.212
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.262
C0006 Operation Honeybee During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files.261
C0014 Operation Wocao During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using /c cd /d c:\windows\temp\ & copy \\<IP ADDRESS>\c$\windows\system32\devmgr.dll \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1 /y and then deleting the overwritten file using /c cd /d c:\windows\temp\ & del \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1.263
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.166167
S1017 OutSteel OutSteel can delete itself following the successful execution of a follow-on payload.183
S0598 P.A.S. Webshell P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.130
S0208 Pasam Pasam creates a backdoor through which remote attackers can delete files.20
G0040 Patchwork Patchwork removed certain files and replaced them so they could not be retrieved.229
S0556 Pay2Key Pay2Key can remove its log file from disk.162
S1050 PcShare PcShare has deleted its files and components from a compromised host.2
S0587 Penquin Penquin can delete downloaded executables after running them.89
S0517 Pillowmint Pillowmint has deleted the filepath %APPDATA%\Intel\devmonsrv.exe.193
S0435 PLEAD PLEAD has the ability to delete files on the compromised host.93
S0067 pngdowner pngdowner deletes content from C2 communications that was saved to the user’s temporary directory.86
S0428 PoetRAT PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.76
S0453 Pony Pony has used scripts to delete itself after execution.154
S0139 PowerDuke PowerDuke has a command to write random data across a file and delete it.88
S0441 PowerShower PowerShower has the ability to remove all files created during the dropper process.186
S0223 POWERSTATS POWERSTATS can delete all files on the C:\, D:\, E:\ and, F:\ drives using PowerShell Remove-Item commands.203
S0113 Prikormka After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.185
S0654 ProLock ProLock can remove files containing its payload after they are executed.45
S0279 Proton Proton removes all files in the /tmp directory.145
S0238 Proxysvc Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file.106
S0147 Pteranodon Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.189
S0196 PUNCHBUGGY PUNCHBUGGY can delete files written to disk.6364
S1032 PyDCrypt PyDCrypt will remove all created artifacts such as dropped executables.121
S0583 Pysa Pysa has deleted batch files after execution. 175
S0650 QakBot QakBot can delete folders and files including overwriting its executable with legitimate programs.42434445
S0269 QUADAGENT QUADAGENT has a command to delete its Registry key and scheduled task.148
S0629 RainyDay RainyDay has the ability to uninstall itself by deleting its service and files.72
S0662 RCSession RCSession can remove files from a targeted system.123
S0495 RDAT RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.12
S0416 RDFSNIFFER RDFSNIFFER has the capability of deleting local files.77
S0172 Reaver Reaver deletes the original dropped file from the victim.208
S0153 RedLeaves RedLeaves can delete specified files.50
S0125 Remsec Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.200201202
S0496 REvil REvil can mark its binary code for deletion after reboot.71
S0448 Rising Sun Rising Sun can delete files and artifacts it creates.51
G0106 Rocke Rocke has deleted files on infected machines.241
S0240 ROKRAT ROKRAT can request to delete files.95
S0148 RTM RTM can delete all files created during its execution.3839
S0253 RunningRAT RunningRAT contains code to delete files from the victim’s machine.74
S0085 S-Type S-Type has deleted files it has created on a compromised host.14
S1018 Saint Bot Saint Bot can run a batch script named del.bat to remove any Saint Bot payload-linked files from a compromise system if anti-analysis or locale checks fail.183
S0074 Sakula Some Sakula samples use cmd.exe to delete temporary files.195
S0370 SamSam SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.75
G0034 Sandworm Team Sandworm Team has used backdoors that can delete files used in an attack from an infected system.31231
S0461 SDBbot SDBbot has the ability to delete files from a compromised host.82
S0195 SDelete SDelete deletes data in a way that makes it unrecoverable.1
S0053 SeaDuke SeaDuke can securely delete files, including deleting itself from the victim.119
S0345 Seasalt Seasalt has a command to delete a specified file.140
S0382 ServHelper ServHelper has a module to delete itself from the infected machine.99100
S1019 Shark Shark can delete files downloaded to the compromised host.10
S0444 ShimRat ShimRat can uninstall itself from compromised hosts, as well create and modify directories, delete, move, copy, and rename files.98
S0589 Sibot Sibot will delete itself if a certain server response is received.128
G0091 Silence Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.217218
S0692 SILENTTRINITY SILENTTRINITY can remove files from the compromised host.3
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has deleted itself and the ‘index.dat’ file on a compromised machine to remove recent Internet history from the system.101
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 routinely removed their tools, including custom backdoors, once remote access was achieved.96
S0615 SombRAT SombRAT has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.215
S0374 SpeakUp SpeakUp deletes files to remove evidence on the machine. 114
S0390 SQLRat SQLRat has used been observed deleting scripts once used.16
S0380 StoneDrill StoneDrill has been observed deleting the temporary files once they fulfill their task.141
S1034 StrifeWater StrifeWater can self delete to cover its tracks.49
S0491 StrongPity StrongPity can delete previously exfiltrated files from the compromised host.209210
S0603 Stuxnet Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.182
S0559 SUNBURST SUNBURST had a command to delete files.9697
S0562 SUNSPOT Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.110
S0663 SysUpdate SysUpdate can delete its configuration file from the targeted system.111
S0011 Taidoor Taidoor can use DeleteFileA to remove files from infected hosts.180
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can delete files from a compromised host.87
S0164 TDTESS TDTESS creates then deletes log files during installation of itself as a service.104
G0139 TeamTNT TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.257258
G0088 TEMP.Veles TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.228
G0089 The White Company The White Company has the ability to delete its malware entirely from the target system.219
G0027 Threat Group-3390 Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.243244
S0094 Trojan.Karagany Trojan.Karagany has used plugins with a self-delete capability.90
G0081 Tropic Trooper Tropic Trooper has deleted dropper files on an infected system using command scripts.239
S0263 TYPEFRAME TYPEFRAME can delete files off the system.105
S0386 Ursnif Ursnif has deleted data staged in tmp files after exfiltration.102
S0136 USBStealer USBStealer has several commands to delete files associated with the malware from the victim.172
S0442 VBShower VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%..\Local\Temporary Internet Files\Content.Word and %APPDATA%..\Local Settings\Temporary Internet Files\Content.Word\.83
S0257 VERMIN VERMIN can delete files on the victim’s machine.178
S0180 Volgmer Volgmer can delete files and itself after infection to avoid analysis.125
S0689 WhisperGate WhisperGate can delete tools from a compromised host after execution.41
S0155 WINDSHIELD WINDSHIELD is capable of file deletion along with other file system interaction.127
S0466 WindTail WindTail has the ability to receive and execute a self-delete command.37
S0176 Wingbird Wingbird deletes its payload along with the payload’s parent process after it finishes copying files.9
S0141 Winnti for Windows Winnti for Windows can delete the DLLs for its various components from a compromised host.32
G0102 Wizard Spider Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.238
S1065 Woody RAT Woody RAT has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode to delete a file into the suspended process using NtWriteVirtualMemory.116
S0161 XAgentOSX XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.129
S0251 Zebrocy Zebrocy has a command to delete files and directories.535455
S0330 Zeus Panda Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its track.58
S0350 zwShell zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.92
S0412 ZxShell ZxShell can delete files from the system.136135

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion

References

  1. Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018. 

  2. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  3. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  4. Microsoft. (n.d.). Del. Retrieved April 22, 2016. 

  5. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  6. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  7. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  8. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. 

  9. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. 

  10. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  11. Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. 

  12. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  13. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  14. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  15. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  16. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  17. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  18. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. 

  19. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018. 

  20. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. 

  21. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  22. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. 

  23. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  24. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  25. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. 

  26. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  27. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  28. CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019. 

  29. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  30. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  31. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  32. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  33. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. 

  34. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  35. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. 

  36. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  37. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019. 

  38. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  39. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  40. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. 

  41. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  42. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  43. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  44. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  45. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  46. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. 

  47. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. 

  48. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  49. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  50. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  51. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  52. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  53. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  54. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  55. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  56. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  57. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  58. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  59. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  60. Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016. 

  61. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. 

  62. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  63. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  64. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. 

  65. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  66. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  67. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  68. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  69. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  70. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  71. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. 

  72. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  73. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016. 

  74. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  75. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. 

  76. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  77. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  78. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  79. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  80. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  81. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  82. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  83. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 

  84. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. 

  85. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  86. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  87. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  88. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. 

  89. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  90. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  91. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 

  92. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  93. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  94. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  95. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. 

  96. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  97. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  98. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  99. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  100. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  101. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  102. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. 

  103. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. 

  104. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  105. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  106. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  107. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  108. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. 

  109. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. 

  110. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  111. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  112. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  113. Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 

  114. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. 

  115. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  116. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  117. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  118. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  119. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015. 

  120. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  121. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  122. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  123. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  124. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. 

  125. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. 

  126. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  127. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  128. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  129. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  130. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  131. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. 

  132. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  133. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  134. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. 

  135. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  136. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  137. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  138. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  139. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  140. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  141. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  142. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. 

  143. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  144. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  145. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  146. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  147. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. 

  148. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  149. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  150. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  151. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  152. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  153. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  154. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  155. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  156. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  157. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. 

  158. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  159. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  160. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  161. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. 

  162. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. 

  163. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  164. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  165. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  166. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. 

  167. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. 

  168. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. 

  169. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. 

  170. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  171. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  172. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  173. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. 

  174. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  175. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. 

  176. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  177. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  178. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  179. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  180. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  181. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  182. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22  

  183. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  184. Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020. 

  185. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  186. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  187. PETER EWANE. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018. 

  188. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. 

  189. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  190. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. 

  191. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  192. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. 

  193. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  194. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  195. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  196. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  197. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  198. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  199. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  200. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 

  201. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016. 

  202. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. 

  203. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  204. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  205. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  206. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  207. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  208. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. 

  209. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  210. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  211. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 

  212. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  213. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  214. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019. 

  215. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  216. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  217. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. 

  218. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  219. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  220. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  221. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  222. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. 

  223. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. 

  224. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. 

  225. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  226. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  227. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. 

  228. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. 

  229. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  230. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. 

  231. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020. 

  232. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  233. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  234. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  235. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  236. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  237. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  238. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  239. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  240. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. 

  241. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  242. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  243. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  244. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  245. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. 

  246. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  247. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. 

  248. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. 

  249. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  250. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  251. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 

  252. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  253. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  254. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  255. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  256. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. 

  257. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  258. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  259. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  260. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  261. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  262. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  263. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.